Re: [Nanog-futures] Memberships, Bylaws and other election matters
I am joining my voice to Steve's. I view this discussion on membership as very healthy and it should continue until the community reaches a strong consensus. I think voting 'yes' is the way forward and I also pledge to do what I can with my Board vote to keep from creating any categories of members that can't easily be undone until consensus from the community is reached. Sylvie 2010/10/4 Joel Jaeggli joe...@bogus.com On 10/4/10 12:13 PM, Steve Feldman wrote: On Oct 4, 2010, at 11:54 AM, Ren Provo wrote: Hi Steve, I appreciate your input here. It was clearly stated yesterday that several folks do not want a fellows membership class but I do not recall the reasoning other than Joel's comment that fee structure should cover all. Can you clarify why you would elect not to recognize significant contributions made from an individual? Thanks! -ren I personally have nothing against the concept. But some others do, and I don't want to make any choices that would be difficult or awkward to unmake until we end up with consensus either way. Recognition is a valuable socially sustaining community activity. I don't believe that it has any business being tied to membership. Assuming that the bylaws are accepted, certainly some of those deserving of community recognition will not be members, I don't see that as a problem. [Or, what Mike said!] Steve ___ Nanog-futures mailing list Nanog-futures@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-futures ___ Nanog-futures mailing list Nanog-futures@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-futures ___ Nanog-futures mailing list Nanog-futures@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-futures
Re: [Nanog-futures] Memberships, Bylaws and other election matters
An interesting exercise might be to compare the cost of a vote (thus far the only membership benefit) today and as proposed. -Today Students: Max 60/yr (20 per meeting) at $50 per (minimum $100 / 2 years) Standard: $225 (minimum 1 meeting at $450 / 2 years) Freebies: SC-approved press representatives [no max] (2 per year, maybe?) Variable PC-approved presenters/panelists/moderators (40-60 per meeting with overlap so maybe 110/year) Individuals from the hosts, sponsors and Merit staff (easily 50 per meeting, with greater overlap so maybe 100/yearn) as determined by those organizations -Proposed Students: No maximum number, $50/yr Standard: $100/year Freebies: variable board-approved (projected as a small number per year), though several board members have clearly said they won't pull the trigger while it is still a concern So students don't change, though more can participate. Regular people's cost to participate decreases by more than half, and no matter how you slice it there are tremendously fewer votes just given away by various people involved, easily offsetting a small number of projected 'lifetime' memberships. Personally, I think enfrachising a larger segment of the community isn't a Bad Thing. What's wrong with lowering the financial and meatspace* barrier to entry? Regarding concern over lifetime memberships, many nonprofits I support allow me to buy N years of membership in advance. If lifetime were merely changed to a decade pre-purchase of membership, would the folks who think it is a bad idea suddenly see it as ok? That would serve the budgetary need though I suspect there might be less people asctually choosing it. Cheers, Joe * to be pedantic, one needn't even show up, just register once within two years. -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE ___ Nanog-futures mailing list Nanog-futures@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-futures
Re: [Nanog-futures] Memberships, Bylaws and other election matters
Yes, I think 'yes' is the right vote. I do have one major concern, but I will vote 'yes' on both issues, regardless. I really worry about the voter base becoming disjoint from the attendee base. I think meeting attendees should get a vote as a part of attendance. How this is handled is not clear, but I would like to see paying attendees all get to vote for any year in which they attend a meeting. Whether or not non-paying attendees should get a vote is something I'm less site of. Good speakers are rather important and allowing them a vote for their efforts seems reasonably appropriate. Whatever the details, I strongly feel that the concept that meeting attendees must continue to be, as the old T-shirts said, Official Members. Sent from my iPod On Oct 5, 2010, at 7:34, Sylvie LaPerriere laperriere.syl...@gmail.com wrote: I am joining my voice to Steve's. I view this discussion on membership as very healthy and it should continue until the community reaches a strong consensus. I think voting 'yes' is the way forward and I also pledge to do what I can with my Board vote to keep from creating any categories of members that can't easily be undone until consensus from the community is reached. Sylvie 2010/10/4 Joel Jaeggli joe...@bogus.com On 10/4/10 12:13 PM, Steve Feldman wrote: On Oct 4, 2010, at 11:54 AM, Ren Provo wrote: Hi Steve, I appreciate your input here. It was clearly stated yesterday that several folks do not want a fellows membership class but I do not recall the reasoning other than Joel's comment that fee structure should cover all. Can you clarify why you would elect not to recognize significant contributions made from an individual? Thanks! -ren I personally have nothing against the concept. But some others do, and I don't want to make any choices that would be difficult or awkward to unmake until we end up with consensus either way. Recognition is a valuable socially sustaining community activity. I don't believe that it has any business being tied to membership. Assuming that the bylaws are accepted, certainly some of those deserving of community recognition will not be members, I don't see that as a problem. [Or, what Mike said!] Steve ___ Nanog-futures mailing list Nanog-futures@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-futures ___ Nanog-futures mailing list Nanog-futures@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-futures ___ Nanog-futures mailing list Nanog-futures@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-futures ___ Nanog-futures mailing list Nanog-futures@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-futures
Re: do you use SPF TXT RRs? (RFC4408)
On Oct 4, 2010, at 1:59 PM, valdis.kletni...@vt.edu wrote: On Mon, 04 Oct 2010 13:30:55 PDT, Owen DeLong said: Removing a few points probably isn't a bad idea so long as you have a list of domains for which points should be added. 140 million .coms. Throw-away domains. I do believe that Marcus Ranum had trying to enumerate badness on his list of Six stupidest security ideas. This won't scale as long as you have more spammers adding new domains faster than your NOC staff can add them to the blacklist. Yes, getting rid of domain tasting and taking some other steps to bring sanity to the domain name process would really help, IMHO. (And even centralized blacklists run by dedicated organizations haven't solved the problem yet, so I'm not holding my breath waiting for that to work out...) Fair enough. It's not a panacea, but, it can be a component of a solution. Owen
Re: RIP Justification
The knowhow for BGP in that environment is all of about 30 minutes worth of training. They should find a way to get it, IMHO. Owen On Oct 4, 2010, at 10:56 PM, Jonathon Exley wrote: It also scales better from the SP point of view. If you have 1000 L3VPN services on your PE node using OSPF to the customer that would require a lot of memory for the multiple LSDBs and a lot of CPU for the SPF calculations. BGP is nicer but the reality is that many enterprises don't have the know-how. Jonathon -Original Message- From: Heath Jones [mailto:hj1...@gmail.com] Sent: Saturday, 2 October 2010 12:39 a.m. To: Tim Franklin Cc: nanog@nanog.org Subject: Re: RIP Justification On 1 October 2010 12:19, Tim Franklin t...@pelican.org wrote: Or BGP. Why not? Of course, technically you could use almost any routing protocol. OSPF and IS-IS would require more configuration and maintenance, BGP even more still. I think this is a pretty good example though of how RIPv2 is probably the most appropriate for the job. It doesnt require further configuration from the provider side as new sites are added and is very simple to set up and maintain. This email and attachments: are confidential; may be protected by privilege and copyright; if received in error may not be used,copied, or kept; are not guaranteed to be virus-free; may not express the views of Kordia(R); do not designate an information system; and do not give rise to any liability for Kordia(R).
Re: [ncc-services-wg] RPKI Resource Certification: building features
On 4 Oct 2010, at 23:18, Randy Bush wrote: 1) We have not implemented support for this yet. We plan to go live with the fully hosted version first and extend it with support for non-hosted systems around Q2/Q3 2011. this is a significant slip from the 1q11 we were told in prague. care to explain. Let me run you through the roadmap and the motivation for our choices at RIPE61. In short, everything we do is about providing *value* for our membership and the community. This means that with the resources we have, we have to make a choice between (1) offering a solution with every feature under the sun, but contains little value and usability or (2) we choose to do a phased approach where the entry barrier into the system is low, hassle is taken away from the operator, value and user-friendlyness is high while still being standards compliant and keeping the operator in the driver's seat. Soon we'll get to the full package where all options, like running your own CA, are available. It perhaps just isn't done in the order that a purist would like to see. Let me illustrate with two examples: I've delivered full day training courses on Routing Registry and DNSSEC. With the RR course, by the time I was done explaining how to use the IRRToolset to aid in making routing decisions based on the IRR, people had given up and decided that doing it manually was easier. Like you said at RIPE60: people are voting with their feet. In the DNSSEC training, by the time I was done explaining how to do a manual key roll-over, most LIRs decided 'this is not for me, the cure is worse than the disease'. This is why I want to get back to my original point, Randy. You agreed in your first reply to me that something has to be done to create an easy way to get started with the system. We can provide a full, standards-compliant solution with up/down and every other feature, but how is that going to get all ~350,000 prefixes and ~35,000 ASs into the system with ROAs? Manually? I proposed an IRR+BGP import system as a value-added tool to help a network operator get started making ROAs. That's a pretty good starting point. Where do you suggest we go from here? Of course I appreciate everyone else's response to this thread as well! :) Cheers, -Alex
Re: A New TransAtlantic Cable System
On 04/10/2010 18:24, Heath Jones wrote: I'm not clever enough to know of some way that you could do optical regeneration without converting the signal to electrical and retransmitting back as optical.. How is that done? Wikipedia has a useful article on this: http://en.wikipedia.org/wiki/EDFA Nick
Re: [ncc-services-wg] RPKI Resource Certification: building features
alex, i am not gonna argue with you. 96% of your users will be happy for you to do everything for them, despite the fact that the wrong holder has the keys (and, as john says, the liability). but 96% of your address space, i.e. the large holders, will want to hold their own keys and talk up/down to you and deal with publication points. kinda like the irr. so write back when you have done the full job. randy
Re: A New TransAtlantic Cable System
Dorn Hetzel dhet...@gmail.com wrote on 10/04/2010 06:22:58 PM: With regards to the Wired Article, I still have my copy of that issue and would consider that article perhaps my favorite magazine article of all time. Same here. A classic.
Re: A New TransAtlantic Cable System
What's that quote again...? Oh, that's it: The more you know, the more you know you don't. It feels very appropriate now :) I was wondering for quite some time if there was a scientific term for that effect, since many of us seem to run into the opposite quite often. It turns out that it's the Dunning-Kruger effect: http://en.wikipedia.org/wiki/Dunning-Kruger_effect Ignorant bliss! :)
Anyone can share the Network card experience
Hi Anyone can share the Network card experience ls onborad PCI Expresscard better or Plug in slot PCI Express card good? How are their performance in Gig transfer rate? Thank you so much
Re: A New TransAtlantic Cable System
Heath, By the way, my recollection is the undersea regenerators do purely optical regeneration. There is no O-E conversions undersea, only at the landing stations and terrestrial components. I'm not clever enough to know of some way that you could do optical regeneration without converting the signal to electrical and retransmitting back as optical.. How is that done? Erbium Doped Fiber Amplifiers (EDFAs) do not re-shape or re-time the signals (the last 2 R's in 3R -- re-amplification, re-shaping, and re-timing). Raman is another popular amplification technology, widely used in long-haul WDM. Some systems have the flexibility of using EDFA and Raman amps on the same spans. EDFAs amplify a band of spectrum (C- and/or L-band, depending on the device) -- signal *and* noise. The amplified noise floor is clearly visible if you connect an optical spectrum analyzer to the output of an EDFA -- you see a big wide bump across the entire amplified band with spikes for each wavelength. An optical signal can only go through so many EDFAs before it becomes too degraded to be accurately converted back to an electrical signal by the receiver -- either due to dispersion (especially if uncompensated) or noise, tolerances of which are different for every device...(EDFAs introduce some amount of noise, so OSNR before EDFA != OSNR after EDFA :-) ) That being said, one can find examples of all-optical regeneration [1], but I do not know of any transport vendors who have integrated this capability into currently shipping products. (Some have developed various tricks like electronic dispersion compensation, but IIRC, these work by pre-distorting the signal.) Getting back to the original post from this thread -- when I first read it, I immediately wondered whether the vendor might be using coherent optical receivers which have much higher dispersion tolerances, allowing the optical signal to travel much further without OEO conversions (see [2] and [3] for some background). Unfortunately, I could not find any evidence one way or the other about what Hibernia is doing. In fact, Per Hansen from Ciena just so happens to be talking about coherent receiver technology [DP-QPSK encoding DSP analysis] as I write this e-mail... Cheers, -Chris [1] 3R optical regeneration: an all-optical solution with BER improvement, http://www.opticsinfobase.org/abstract.cfm?URI=oe-14-14-6414 [2] Coherent receivers enable next-generation transport, http://www.lightwaveonline.com/about-us/lightwave-issue-archives/issue/coherent-receivers-enable-next-generation-transport-53426202.html [3] Optical hybrid, http://en.wikipedia.org/wiki/Optical_hybrid -- Chris Tracy ctr...@es.net Energy Sciences Network (ESnet) Lawrence Berkeley National Laboratory
re: Anyone can share the Network card experience
IMHO, Nothing beats a good intel NIC. I'm a big fan of the intel pro/1000GT. In terms of performance, I think it is more determined by the card chipset. Nick Olsen Network Operations (877) 804-3001 x106 From: Deric Kwok deric.kwok2...@gmail.com Sent: Tuesday, October 05, 2010 10:01 AM To: nanog list nanog@nanog.org Subject: Anyone can share the Network card experience Hi Anyone can share the Network card experience ls onborad PCI Expresscard better or Plug in slot PCI Express card good? How are their performance in Gig transfer rate? Thank you so much
Re: Anyone can share the Network card experience
It depends on the speed of the PCI slot. In saying that, you are only trying to transfer 1Gb/s. http://en.wikipedia.org/wiki/PCI_Express Note the thoughts on there about full duplex.. PCI Express 1.0a In 2003, PCI-SIG introduced PCIe 1.0a, with a data rate of 250 MB/s and a transfer rate of 2.5 GT/s. PCI Express 2.0 PCI-SIG announced the availability of the PCI Express Base 2.0 specification on 15 January 2007.[9] The PCIe 2.0 standard doubles the per-lane throughput from the PCIe 1.0 standard's 250 MB/s to 500 MB/s. This means a 32-lane PCI connector (x32) can support throughput up to 16 GB/s aggregate. The PCIe 2.0 standard uses a base clock speed of 5.0 GHz, while the first version operates at 2.5 GHz. I can't give you practical advice, but its a good place to start your reading... Cheers Heath On 5 October 2010 15:01, Deric Kwok deric.kwok2...@gmail.com wrote: Hi Anyone can share the Network card experience ls onborad PCI Expresscard better or Plug in slot PCI Express card good? How are their performance in Gig transfer rate? Thank you so much
Rough cost for monitoring
Heya, I'm trying to quickly pull together some very rough budget numbers for purchasing a full monitoring system (network, server, security, facilities). Is there a source for rough unit costs? If not, does anyone have recent RFI pricing that they'd be willing to share? Eric :0
Re: Rough cost for monitoring
get a VAR involved, it'll be more efficient and accurate than asking here. things change weekly. -g On Oct 5, 2010, at 10:25 AM, Eric Gauthier wrote: Heya, I'm trying to quickly pull together some very rough budget numbers for purchasing a full monitoring system (network, server, security, facilities). Is there a source for rough unit costs? If not, does anyone have recent RFI pricing that they'd be willing to share? Eric :0
Re: do you use SPF TXT RRs? (RFC4408)
On 10/4/10 6:55 PM, Kevin Stange wrote: The most common situation where another host sends on your domain's behalf is a forwarding MTA, such as NANOG's mailing list. A lot of MTAs will only trust that the final MTA handling the message is a source host. In the case of a mailing list, that's NANOG's server. All previous headers are untrustworthy and could easily be forged. I'd bet few, if any, people have NANOG's servers listed in their SPF, and delivering a -all result in your SPF could easily cause blocked mail for anyone that drops hard failing messages. Kevin, nanog.org nor mail-abuse.org publish spf or txt records containing spf content. If your MTA expects a message's MailFrom or EHLO be confirmed using spf, then you will not receive this message, refuting a lot of MTAs This also confuses SPF with Sender-ID. SPF confirms the EHLO and MailFrom, whereas Sender-ID confirms the PRA. However, the PRA selection is flawed since it permits forged headers most consider to be the originator. To prevent Sender-ID from misleading recipients or failing lists such as nanog.org, replicate SPF version 2 records at the same node declaring mfrom. This is required but doubles the DNS payload. :^( Many consider -all to be an ideal, but this reduces delivery integrity. MailFrom local-part tagging or message id techniques can instead reject spoofed bounces without a reduction in delivery integrity. -Doug
Re: Anyone can share the Network card experience
the question of which is better, onboard vrs plug in would in part be determined by the type (make/model) of motherboard you are speaking of. How they have IRQs allocated (which is something you may be able to adjust), where it is attached to the bus etc… Also, what comes with the main board is what you get. You can purchase option NICs with extra processors (TOE for example) which offload your main CPU. For 10Gbit we use Intel cards for production service machines, and ConnextX/Intel in the HPC cluster. -g On Oct 5, 2010, at 10:01 AM, Deric Kwok wrote: Hi Anyone can share the Network card experience ls onborad PCI Expresscard better or Plug in slot PCI Express card good? How are their performance in Gig transfer rate? Thank you so much
Re: Anyone can share the Network card experience
For 10Gbit we use Intel cards for production service machines, and ConnextX/Intel in the HPC cluster. Greg - I've not been exposed to 10G on the server side.. Does the server handle the traffic load well (even with offloading) - that's a LOT of web requests / app queries per second! Or are you using 10G mainly for iSCSI / file serving / static content? Cheers
Re: Rough cost for monitoring
One would need to know a lot more about the specifics of your requirements. My suggestion would be to invest money in qualified people to watch over something like opennms or (my favorite) a combination of alienvault and opsview. Eric Gauthier e...@roxanne.org wrote: Heya, I'm trying to quickly pull together some very rough budget numbers for purchasing a full monitoring system (network, server, security, facilities). Is there a source for rough unit costs? If not, does anyone have recent RFI pricing that they'd be willing to share? Eric :0 -- from the desk of Charles wyble ceo president known element enterprises xmpp/sip/smtp: char...@knownelement.com legacy pstn: 818 280 7059
Re: Anyone can share the Network card experience
Anyone can share the Network card experience ls onborad PCI Expresscard better or Plug in slot PCI Express card good? How are their performance in Gig transfer rate? IMHO, Nothing beats a good intel NIC. I'm a big fan of the intel pro/1000GT. In terms of performance, I think it is more determined by the card chipset. The e1000 e1000e linux driver docs include READMEs which detail some of the diffs between the various chipsets used by these NICs: http://downloadcenter.intel.com/Detail_Desc.aspx?agr=YDwnldID=9180keyword=e1000lang=eng http://downloadcenter.intel.com/Detail_Desc.aspx?agr=YDwnldID=15817keyword=e1000elang=eng Some support jumbo frames, some do not. I've seen some server motherboards come with two different on-board 8257x chipsets on the same board -- one that supports jumbo and one that does not (yikes!) The driver can make a huge difference in performance. If your driver sucks, don't expect performance to be much better. e1000/e1000e in Linux has a lot of tweakables, and getting these running at line-rate in a LAN is not that difficult. You motherboard manual (bus topology) and output of 'lspci -tv' can help you determine the best PCI slot to stick the card into to avoid contention. Some cards support checksum offloading, 'ethtool -S' can often tell you whether that's working or not, etc. -Chris -- Chris Tracy ctr...@es.net Energy Sciences Network (ESnet) Lawrence Berkeley National Laboratory
Re: Anyone can share the Network card experience
Hi, most of our traffic is heading directly into memory, not hitting the local disks, on the HPC end of things. Our file servers are feeding the network with around 24 x 10Gibit (active/active clusters), and regularly run at over 80 percent on all ports during runs.. this is all HPC / file movement traffic. we have instruments which generate over 6TB of data per run, every 3 days, 7/365. we have about 20 of these instruments. so most of the data on 10Gbit is indeed static, or to/from a file server to/from HPC clusters. iSCSI we run on its own network hardware, autonomous from the 'data' network. its not in wide deployment here, only the file server is connected via 10Gbit, the hosts using iSCIS (predominately KVM and Vmware clusters) are being feed over multiple 1Gbit links for their iSCIS requirements. Our external internet servers are connected to the internet via 1Gbit links, not 10Gibt, but apparently that is coming next year. The type of traffic they'll see will not be very chatty/interactive. it'll be researchers downloading data sets ranging in size from a few hundred megs, to a few TB.. take care, -g On Oct 5, 2010, at 10:59 AM, Heath Jones wrote: For 10Gbit we use Intel cards for production service machines, and ConnextX/Intel in the HPC cluster. Greg - I've not been exposed to 10G on the server side.. Does the server handle the traffic load well (even with offloading) - that's a LOT of web requests / app queries per second! Or are you using 10G mainly for iSCSI / file serving / static content? Cheers
Re: A New TransAtlantic Cable System
Erbium Doped Fiber Amplifiers (EDFAs) do not re-shape or re-time the signals (the last 2 R's in 3R -- re-amplification, re-shaping, and re-timing) Thanks Chris - even more reading to do :) It's interesting stuff that's for sure. This is also pretty cool: http://en.wikipedia.org/wiki/Chirped-pulse_amplification I just had a thought about EFDA - please forgive my lack of terminology though, i'll try to explain: Say you have signal coming in to EFDA, the signal is just amplified (as you said, also noise - the whole source signal). Would it be possible to extract via PLL or similar the source clock and use that to modulate the amplifier power? Does it work with QPSK / whatever keying is used? Would that even help with the noise issue at all, or am I way off? Cheers
ILNP and DNS (from 2010.10.04 NANOG50 day 1 morning notes)
Michael Sinatra, UCB; what are thoughts around best practices for auth DNS server in ILNP world, and how do you handle updates for locator values to the auth servers when a link changes? A: you need DNSsec to be running, you make updates, you check authenticity of the update, etc. How will other networks know about the changes. The initial answer to my question didn't quite get the point of the question, so I followed up. I think ILNP is very interesting because it attempts to create a true I/L split via naming semantics. However, it relies on DNS to do this. Somewhere, there has to be an authoritative DNS server(s) that have the prefix list and preferences for the site. (In ILNP, each host can have its own list of preferred prefixes in the form of L64 records, or they can defer to a site-wide L64 RRset with the LP record.) I acknowledge that this requires a secure dynamic update mechanism (presumably with the border routers doing the updates), and it requires very low ttls to improve convergence. Where this becomes interesting from an operational perspective is when I think about how to address authoritative DNS servers in an ILNP world. The DNS server itself has to be reachable, and the prefix list for the DNS server must be updated when the network topology changes. Hence the question: How should I provision authoritative DNS servers, given that the prefix information is provided via DNS--including the prefix information for the DNS servers themselves--leading to a chicken-and-egg problem. In addition, I would assume that I need something similar to glue records (instead of A or glue, I need L64 or LP glue). I think one answer would be to have all of my authoritative servers in someone else's network, where they could maintain all of the L64 records completely independent of my DNS infrastructure. With the DNS servers in my network, I don't think there's an answer to the chicken-and-egg problem. Of course, if one of their upstreams dies, my DNS may suffer if I can't withdraw my partner's network's prefixes from the L64 record for my DNS server. This blends into Danny's comment about routing relying on DNS and DNS relying on routing, and to Dave's comment on the binding between the identity and locator being a critical (and difficult) component of the I/L split. I realize that the distinction between operations and protocol development in this discussion may be subject to interpretation, but I also think it's important to understand the operational implications of developing protocols early on. michael
Re: ILNP and DNS (from 2010.10.04 NANOG50 day 1 morning notes)
On Tue, 5 Oct 2010, Michael Sinatra wrote: Hence the question: How should I provision authoritative DNS servers, given that the prefix information is provided via DNS--including the prefix information for the DNS servers themselves--leading to a chicken-and-egg problem. In addition, I would assume that I need something similar to glue records (instead of A or glue, I need L64 or LP glue). Isn't glue the answer to your question? Your name servers get their prefixes from the networks they are connected to, and they do dynamic updates to their parent zone as well as their own zone's master. Then other sites can find them using the usual referral chasing. I am assuming that the name server's name is in a zone for which it is authoritative. If not, it doesn't appear in glue so it doesn't need to update the parent zone. This implies that the name a DNS server uses to refer to itself (i.e. the name for which it performs dynamic updates for its prefix) must be used by all NS records that refer to the name server, so that resolvers can find the server's up-to-date prefix recods. This is stricter than is common in the current DNS - for example, the NS records for my domain do not use the names chosen by those servers' admins. I do this because I think in-bailiwick name server names are a good idea. I don't know if or how much DNSSEC might change the balance of opinion in this area. One thing it doesn't change is the quite astounding amounts of transitive trust that can be introduced by outsourcing your DNS including the nameserver names. http://shinobi.dempsky.org/~matthew/dnstrust/graphs/ So I don't think your question is relevant for most zones. It *is* relevant for the root. ILNP will have to come up with a new scheme for the root zone hints. I haven't looked at it in enough detail to see if they already have a plan. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7, DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR ROUGH. RAIN THEN FAIR. GOOD.
Level3 filter updates
Hey guys, Anyone knows how often does Level3 update their filters? I have a prefix in Europe which has a route-obj from Sunday, it's accepted in Level3 Europe from Monday, but in the US it's still not accepted. Thanks, Florin
RE: Level3 filter updates
Normally it's done every night (overnight)... that's been our experience... Paul -Original Message- From: Florin Veres [mailto:flo...@futurefreedom.ro] Sent: Tuesday, October 05, 2010 12:42 PM To: nanog@nanog.org Subject: Level3 filter updates Hey guys, Anyone knows how often does Level3 update their filters? I have a prefix in Europe which has a route-obj from Sunday, it's accepted in Level3 Europe from Monday, but in the US it's still not accepted. Thanks, Florin
Re: ILNP and DNS (from 2010.10.04 NANOG50 day 1 morning notes)
On Tue, Oct 5, 2010 at 12:18 PM, Tony Finch d...@dotat.at wrote: On Tue, 5 Oct 2010, Michael Sinatra wrote: Hence the question: How should I provision authoritative DNS servers, given that the prefix information is provided via DNS--including the prefix information for the DNS servers themselves--leading to a chicken-and-egg problem. In addition, I would assume that I need something similar to glue records (instead of A or glue, I need L64 or LP glue). Isn't glue the answer to your question? Your name servers get their prefixes from the networks they are connected to, and they do dynamic If i have my NS in my network, which is 'ILNP enabled' (if there would be such a thing), I think Michael's question is ... how do I tell DNS where my NS is if my NS is moving and doesn't have a single long-lived stable address ? Some of the answer may be: Don't do that!, or plan your moves properly, follow rfc which shows steps and timing to migrate an NS device/pair/set from network attachment point to network attachment point. -chris
Re: Level3 filter updates
I was told every 48 hours when I recently dealt with Level3 on a similar thing about a month ago. On 10/05/2010 12:50 PM, Paul Stewart wrote: Normally it's done every night (overnight)... that's been our experience... Paul -Original Message- From: Florin Veres [mailto:flo...@futurefreedom.ro] Sent: Tuesday, October 05, 2010 12:42 PM To: nanog@nanog.org Subject: Level3 filter updates Hey guys, Anyone knows how often does Level3 update their filters? I have a prefix in Europe which has a route-obj from Sunday, it's accepted in Level3 Europe from Monday, but in the US it's still not accepted. Thanks, Florin
Re: A New TransAtlantic Cable System
Heath, I just had a thought about EFDA - please forgive my lack of terminology though, i'll try to explain: Say you have signal coming in to EFDA, the signal is just amplified (as you said, also noise - the whole source signal). Would it be possible to extract via PLL or similar the source clock and use that to modulate the amplifier power? Does it work with QPSK / whatever keying is used? Would that even help with the noise issue at all, or am I way off? Although you can amplify just a single wavelength with an EDFA (has to be in the 1550nm range, not 1310nm), most deployments are using EDFAs in a DWDM environment. The C-band alone consists of ~5THz (5000GHz) of spectrum between 191.00-195.95 Thz. Some systems pack 40 wavelengths into this space at 100GHz spacing, some 80 channels @ 50GHz spacing, others 160 @ 25GHz. Each of these signals is independent, they can each be using different modulation/bitrate/etc. The amplifiers are completely ignorant to what is going on with each channel, only the devices performing conversion back to the electrical domain need to care about these details (after the incoming light has been demultiplexed into individual signals, of course). Re: amplifier power... Amplifier gain should really stay constant unless new wavelengths are added/removed from the fiber. There are fixed-gain and variable-gain amps. VGAs have the advantage that engineers do not need to manually re-balance power levels whenever a large number of wavelengths are added or removed from a span, they adjust automatically. Newer DWDM systems should all have VGAs whereas a lot of earlier generation DWDM systems still use fixed-gain amps. With the older fixed-gain amps, you had to have the input power just right -- hence the need to re-balance if your aggregate signal changes a lot -- too low and the EDFA would not kick on at all, too high and you'd saturate the amp. -Chris -- Chris Tracy ctr...@es.net Energy Sciences Network (ESnet) Lawrence Berkeley National Laboratory
2010.10.05 NANOG50 Tuesday morning notes
Notes from NANOG50 day 2 (Tuesday) morning session are now posted at http://kestrel3.netflight.com/2010.10.05-NANOG50-morning-notes.txt Again, apologies for misspelled names, typos, etc. I'm dashing to lunch now, but can fix things when I get back. ^_^;; Matt
Re: A New TransAtlantic Cable System
Would it be possible to extract via PLL or similar the source clock and use that to modulate the amplifier power? Although you can amplify just a single wavelength with an EDFA (has to be in the 1550nm range, not 1310nm), most deployments are using EDFAs in a DWDM environment. The C-band alone consists of ~5THz (5000GHz) of spectrum between 191.00-195.95 Thz. Some systems pack 40 wavelengths into this space at 100GHz spacing, some 80 channels @ 50GHz spacing, others 160 @ 25GHz. Each of these signals is independent, they can each be using different modulation/bitrate/etc. The amplifiers are completely ignorant to what is going on with each channel, only the devices performing conversion back to the electrical domain need to care about these details (after the incoming light has been demultiplexed into individual signals, of course). I'm wondering if it could be done per wavelength? I guess that would be pretty ridiculous having demux + 160 * decoder + 160 * efda + mux.. Just wondering if the theory works though?
RE: Level3 filter updates
Level 3 updates their filters every night. I used to work @ level3
Re: ILNP and DNS (from 2010.10.04 NANOG50 day 1 morning notes)
On 10/5/10 9:18 AM, Tony Finch wrote: On Tue, 5 Oct 2010, Michael Sinatra wrote: Hence the question: How should I provision authoritative DNS servers, given that the prefix information is provided via DNS--including the prefix information for the DNS servers themselves--leading to a chicken-and-egg problem. In addition, I would assume that I need something similar to glue records (instead of A or glue, I need L64 or LP glue). Isn't glue the answer to your question? Your name servers get their prefixes from the networks they are connected to, and they do dynamic updates to their parent zone as well as their own zone's master. Then other sites can find them using the usual referral chasing. Which then implies that parent zones must use DDNS, and must enable secure updates from the child (from wherever the child's DDNS updates are sourced). In addition, the LP and/or L64 records must have very low TTLs, which is very different from the way we do glue today. I am assuming that the name server's name is in a zone for which it is authoritative. If not, it doesn't appear in glue so it doesn't need to update the parent zone. Yes. That's what I was implying. [snip] So I don't think your question is relevant for most zones. It *is* relevant for the root. ILNP will have to come up with a new scheme for the root zone hints. I haven't looked at it in enough detail to see if they already have a plan. My question was essentially whether this has been thought out from the DNS perspective. The root hints are one issue. Having (for example) .com able to accept dynamic updates from foo.com's BGP-speaking border router whenever foo.com's routing changes (i.e. dropping an upstream because a link went down), having very low ttls (60sec) on L64 glue records which must be queried in order to reach the authoritative nameserver, and having the infrastructure be able to keep up with such queries may also be an issue. Does ILNP have a solution/recommendation for this?
Re: ILNP and DNS (from 2010.10.04 NANOG50 day 1 morning notes)
On Tue, 5 Oct 2010, Michael Sinatra wrote: Which then implies that parent zones must use DDNS, and must enable secure updates from the child (from wherever the child's DDNS updates are sourced). Yes, well if the authentication can be sorted out this would be much better than having to mess around with a registrar's crappy web interface. Authoritative nameservers could automatically ensure that their glue is in sync. In addition, the LP and/or L64 records must have very low TTLs, which is very different from the way we do glue today. It's likely that if you have fairly static connectivity you can leave longish TTLS in your DNS, on the knowledge that if there is an outage things will come back with the same setup as before. This will work for multihoming but not mobility. However this requires that higher level protocols have good connection setup code that can try multiple paths concurrently (so you don't have to wait for a timeout if one is down) and good failover support (SCTP?). Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7, DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR ROUGH. RAIN THEN FAIR. GOOD.
Re: ILNP and DNS (from 2010.10.04 NANOG50 day 1 morning notes)
On 10/5/2010 2:03 PM, Michael Sinatra wrote: The issue is how should I deal with the situation that you need to know the correct L64 record to get to my network (without waiting for a timeout if you try the broken prefix first) and the way to know what the correct prefixes are is to query a nameserver that's in my network. But to get to my network, you need to know the correct L64 record...etc. So I need to keep nameservers out of my network or have the ability to update an L64 glue record on-the-fly in the parent (which also implies a very low ttl on the parent L64 glue record). My recommendation is that you assign multiple networks. I realize this will possibly take the nameservers out of the ILNP space, but it is the effective method. Then you can reference the nameservers by both addresses, and one timing out will still get you to the other. I'm not up to speed on ILNP, but I'd presume that dual addressing would be required for this to handle failures (if you wanted all nameservers to respond at all times). Jack
2010.10.05 NANOG50 Tuesday afternoon notes
I've posted the Tuesday afternoon notes at http://kestrel3.netflight.com/2010.10.05-NANOG50-afternoon-notes.txt and now I'm dashing to the social, because they're turning out the lights on me in the hall here. ^_^;; Matt
Re: 2010.10.05 NANOG50 Tuesday afternoon notes
On Oct 5, 2010, at 4:15 PM, Matthew Petach wrote: I've posted the Tuesday afternoon notes at http://kestrel3.netflight.com/2010.10.05-NANOG50-afternoon-notes.txt and now I'm dashing to the social, because they're turning out the lights on me in the hall here. ^_^;; Thanks Matt, your notes during NANOG are always appreciated! -- kris
Facebook down!! Alert!
At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. ~SmithwaySecurity Sent from my iPhone
Re: Facebook down!! Alert!
Same here in SF Bay Area On Tue, Oct 5, 2010 at 9:44 PM, James Smith ja...@smithwaysecurity.comwrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. ~SmithwaySecurity Sent from my iPhone
Re: Facebook down!! Alert!
Down here in Denver CO On Tue, Oct 5, 2010 at 10:44 PM, James Smith ja...@smithwaysecurity.comwrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. ~SmithwaySecurity Sent from my iPhone
Re: Facebook down!! Alert!
Hi James, On 6 okt 2010, at 06:44, James Smith wrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. No reason to panic over here (.nl) --- Michiel Muhlenbaumer Atrato IP Networks
Re: Facebook down!! Alert!
On Oct 6, 2010, at 12:44 AM, James Smith wrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. http://downforeveryoneorjustme.com/facebook.com looks like it isn't just you .. Down from here as well. Looks like a productive night of hacking awaits me ... -Patrick -- Patrick Muldoon Network/Software Engineer INOC (http://www.inoc.net) PGPKEY (http://www.inoc.net/~doon) Key ID: 0x370D752C Please send all spam to my main address, r...@localhost
Re: Facebook down!! Alert!
Ditto In AU and from other reports US. Guess productivity will go up ;-) On 06/10/2010, at 15:46, James Smith ja...@smithwaysecurity.com wrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. ~SmithwaySecurity Sent from my iPhone
Re: Facebook down!! Alert!
Down , down, down in NYC. On Wed, Oct 6, 2010 at 12:46 AM, Mike Lyon mike.l...@gmail.com wrote: Same here in SF Bay Area On Tue, Oct 5, 2010 at 9:44 PM, James Smith ja...@smithwaysecurity.com wrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. ~SmithwaySecurity Sent from my iPhone -- --- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com Secretary - ISOC-NY - http://isoc-ny.org ---
Re: Facebook down!! Alert!
Works fine here, Northern Colorado. -- Sincerely, Mikhail Strizhov mailto:striz...@cs.colostate.edu On 10/05/2010 10:47 PM, Patrick Muldoon wrote: On Oct 6, 2010, at 12:44 AM, James Smith wrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. http://downforeveryoneorjustme.com/facebook.com looks like it isn't just you .. Down from here as well. Looks like a productive night of hacking awaits me ... -Patrick -- Patrick Muldoon Network/Software Engineer INOC (http://www.inoc.net) PGPKEY (http://www.inoc.net/~doon) Key ID: 0x370D752C Please send all spam to my main address, r...@localhost
Re: Facebook down!! Alert!
I think the Outages mailing list is more appropriate for this. On 10/5/10 9:46 PM, Mike Lyon mike.l...@gmail.com wrote: Same here in SF Bay Area On Tue, Oct 5, 2010 at 9:44 PM, James Smith ja...@smithwaysecurity.comwrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. ~SmithwaySecurity Sent from my iPhone
Re: Facebook down!! Alert!
Seems to be working just fine here in Toronto. On Wed, Oct 6, 2010 at 12:49 AM, Mark Hofman mhof...@shearwater.com.auwrote: Ditto In AU and from other reports US. Guess productivity will go up ;-) On 06/10/2010, at 15:46, James Smith ja...@smithwaysecurity.com wrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. ~SmithwaySecurity Sent from my iPhone -- James Smith
Re: Facebook down!! Alert!
It's back up. There goes that short burst of productivity. On Oct 6, 2010, at 12:49 PM, Mark Hofman wrote: Ditto In AU and from other reports US. Guess productivity will go up ;-) On 06/10/2010, at 15:46, James Smith ja...@smithwaysecurity.com wrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. ~SmithwaySecurity Sent from my iPhone
Re: Facebook down!! Alert!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 James Smith wrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. ~SmithwaySecurity Sent from my iPhone We need Alert and ! in the subject? seriously? Sorry, but I don't see a reason to get all excited. FB is down, omg, alert the media. geez -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJMrAOfAAoJEPXCUD/44PWqa2sP/AuUU0WnM4UUtAO3mazyRPIa gJ/xuguEgYWNbl7j/EZgHEu7fSYgkbo+Y/H+T2F5nl0PO3UqJz5sjyfD654OSy0h FAERgpR2syfRFM17EaLai4VgHsiVdm82Fzqs8xXwumu9OVfQAbk/eWsg6d0wOzp8 cuO7OUmb06i66VHbmWrSSJKmJKkhYvxf89o3NbPI6i0eIqr0wADJLIRbDQLLTt1i YnCj1urxClGnw9ChoCe0meNITllKx9nluzKEDy6P1eRWxTMGCn9xOnWlKHW2/6Rs sW/klZeOFxLDFEkufNLPr6w9vWxee648j0fjkCU6PGn6GRxaS6Qq0je1e/15f8cI MlfA1CCO/hNvSA07EBbpz9th2wyx69ninnv7Y3mjly//YB0EY/9H2j21wCDsDoJ4 SY/ttYOKQEZ3XoTAKa0RLzRmkR/GQwVsnGUfa//kA1Msf541VG8i98dYF6tpqFVt RJ0SDEHv53XSP+tuT4HdCyj8BtgwqIQTlughqynPM74kbYc6jYrZ6mxHxfhJkeXD wsYoJmHVcUgg/WKsa0eGk7sPhHEgR1alW5KnBYAjBtsStO9sLmESSTculvEQ7VXS OvuYUTfqgl3mkRtW0ttJvB/b5VvCQ70eUIkcmRUEvrX30WJldjupFxkyCaJtB3s4 Cq0MnisvbZZcpLoAJ0Qp =HLWx -END PGP SIGNATURE-
Re: Facebook down!! Alert!
Still up here in Massachusetts over v4 and v6. Since 11:45am (that is PST, I believe) there is still an ongoing issue with real-time updates according to the Live Status page. http://developers.facebook.com/live_status Visiting that page just now, the latest API response time graphs are definitely indicative of what looks like serious new problems. Also, Facebook is hosting an event Wednesday where they're rumored to be rolling out a large update-- coincidence?!? http://techcrunch.com/2010/10/05/facebook-redesign-lockdown/ -Matt Dodd On Oct 6, 2010, at 12:56 AM, Mikhail Strizhov wrote: Works fine here, Northern Colorado. -- Sincerely, Mikhail Strizhov mailto:striz...@cs.colostate.edu On 10/05/2010 10:47 PM, Patrick Muldoon wrote: On Oct 6, 2010, at 12:44 AM, James Smith wrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. http://downforeveryoneorjustme.com/facebook.com looks like it isn't just you .. Down from here as well. Looks like a productive night of hacking awaits me ... -Patrick -- Patrick Muldoon Network/Software Engineer INOC (http://www.inoc.net) PGPKEY (http://www.inoc.net/~doon) Key ID: 0x370D752C Please send all spam to my main address, r...@localhost
Re: Facebook down!! Alert!
Yeah it's back. On Wed, Oct 6, 2010 at 12:56 AM, Mikhail Strizhov striz...@cs.colostate.edu wrote: Works fine here, Northern Colorado. -- Sincerely, Mikhail Strizhov mailto:striz...@cs.colostate.edu On 10/05/2010 10:47 PM, Patrick Muldoon wrote: On Oct 6, 2010, at 12:44 AM, James Smith wrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. http://downforeveryoneorjustme.com/facebook.com looks like it isn't just you .. Down from here as well. Looks like a productive night of hacking awaits me ... -Patrick -- Patrick Muldoon Network/Software Engineer INOC (http://www.inoc.net) PGPKEY (http://www.inoc.net/~doon http://www.inoc.net/%7Edoon) Key ID: 0x370D752C Please send all spam to my main address, r...@localhost -- --- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com Secretary - ISOC-NY - http://isoc-ny.org ---
