Re: cooling door
On 29 Mar 2008, Paul Vixie wrote: page 10 and 11 of http://www.panduit.com/products/brochures/105309.pdf says there's a way to move 20kW of heat away from a rack if your normal CRAC is moving 10kW (it depends on that basic air flow), permitting six blade servers in a rack. panduit licensed this tech from IBM a couple of years ago. i am intrigued by the possible drop in total energy cost per delivered kW, though in practice most datacenters can't get enough utility and backup power to run at this density. if cooling doors were to take off, we'd see data centers partitioned off and converted to cubicles. Can someone please, pretty please with sugar on top, explain the point behind high power density? Raw real estate is cheap (basically, nearly free). Increasing power density per sqft will *not* decrease cost, beyond 100W/sqft, the real estate costs are a tiny portion of total cost. Moving enough air to cool 400 (or, in your case, 2000) watts per square foot is *hard*. I've started to recently price things as cost per square amp. (That is, 1A power, conditioned, delivered to the customer rack and cooled). Space is really irrelevant - to me, as colo provider, whether I have 100A going into a single rack or 5 racks, is irrelevant. In fact, my *costs* (including real estate) are likely to be lower when the load is spread over 5 racks. Similarly, to a customer, all they care about is getting their gear online, and can care less whether it needs to be in 1 rack or in 5 racks. To rephrase vijay, what is the problem being solved? [not speaking as mlc anything]
RE: rack power question
Well, seeing as that most pad mounted transformers use mineral oil as a heat transfer agent (in applications up to and exceeding 230kv), I don't suspect it is of issue. However, we've all seen nice transformer fires. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Shore Sent: Tuesday, March 25, 2008 10:20 AM To: Dorn Hetzel Cc: nanog list Subject: Re: rack power question Dorn Hetzel wrote: Of course, my chemistry is a little rusty, so I'm not sure about the prospects for a non-toxic, non-flammable, non-conductive substance with workable fluid flow and heat transfer properties :) Mineral oil? I'm not sure about the non-flammable part though. Not all oils burn but I'm not sure if mineral oil is one of them. It is used for immersion cooling though. Justin
RE: rack power question
Surely we should be asking exactly what is driving the demand for high density computing and in which market sectors, and is this actually the best technical solution to solve the problem. I don't care if IBM, HP etc etc want to keep selling new shiny boxes each year because they are telling us we need them - do we really? ...? Perhaps not. But until projects like http://www.lesswatts.org/ show some major success stories, people will keep demanding big blade servers. Disagreed. Customers who don't run datacenters generally don't understand the issues around high density computing, and most enterprises I deal with don't care about the cost. More and Faster is their vocabulary. If you move all the enterprise services onto virtual servers then you can free up space for colo/hosting services. We do quite a bit of VMWare and Xen, both our own and our customers. We have found power consumption still goes up, simply because there is always a backlog of the need of resources. In other words, it's almost as if 'if you build it they will come' relates to CPU cycles as well. I have never seen a decrease in customer power consumption when they have virtualized. They still have more iron, with a lot more VM's. You can even still sell to bulk customers because few will complain that they have to deliver equipment to three data centers, one two blocks west, and another three blocks north. X racks spread over 3 locations will work for everyone except people who need the physical proximity for clustering type applications. Send me those customers, because I haven't seen them. Especially the ones with lots of fiber channel and InfiniBand.
[admin] [summary] RE: YouTube IP Hijacking
A bit of administrativia: This thread generated over a hundred posts, many without operational relevance or by people who do not understand how operators, well, operate, or by people who really don't have any idea what's going on but feel like posting. I'd like to briefly summarize the important things that were said. If you would like to add something to the thread, make sure you read this post in entirety. Sorry if I didn't attribute every suggestion to a poster.
Facts:
* AS17557 announced more specific /24 to 3491, which propagated to wider internets
* Chronology (by [EMAIL PROTECTED]) http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube.shtml
* Things suggested to possibly address the problem:
** IRR filtering (using IRRPT http://sourceforge.net/projects/irrpt/ to generate filter lists)
** Notification when origin of a given route changes http://www.cs.ucla.edu/~mohit/cameraReady/ladSecurity06.pdf http://www.ris.ripe.net/myasn.html http://cs.unm.edu/~karlinjf/IAR/index.php (from pgBGP)
** pgBGP to depref suspicious routes http://www.nanog.org/mtg-0606/pdf/josh-karlin.pdf (unclear the number of false positives that will adversely affect connectivity)
** sbgp/sobgp - require full authentication for each IP block, and thus unlikely to be implemented until certificate chains are in place, and vendors release code that does verification, and operators are happy enough running it.
Other things addressed:
* Fragility of Internet:
** Nobody brought up the important point - BGP announcement filtering is only as secure as the weakest link. No [few?] peers or transits are filtering large ISPs (ones announcing few hundred routes and up). There are a great many of them, and it takes only one of them to mess up filtering a downstream customer for the route to be propagated.
** Paul Wall brought up the fact that even obviously bogus routes (1/8 and 100/7) were accepted by 99% of internet during an experiment. Will it take someone announcing 9/11 to get us to pay attention? (ok, bad joke)
** What I'd like to see discussed: Issues of filtering your transit downstream customers, who announce thousands of routes. Does *anyone* do it?
* Typos vs Malicious announcements
** Some ways of fixing the problem (such as IRR filtering) only address the typos or unintentional announcements. There's full agreement that IRR is full of junk, which is not authenticated in any sort.
** Things like PHAS won't work if hijacker keeps the origin-AS same (by getting their upstream to establish session with different ASN)
** What I'd like to see discussed: Who (ICANN/RIRs/LIRs) is actively working on implementing chain of trust of IP space allocations?
* Ways to address the issue without cooperation of 3491:
** Filtering anything coming out of 17557
** Suggestions given:
** What I'd like to see discussed: Can a network operator, *today*, filter the possibly bogus routes from their peers, without manual intervention, and without false positives?
* Yelling at people who don't filter
** Per above, 3491 isn't the only one who filters. In fact, claims were made that *nobody* filters large enough downstreams. (beyond aspath/maxpref)
** *please* do not post additional comments about pccw bad, etc.
* Malicious vs mistaken on part of AS17557 and 3491:
** *please* do not post speculation unless you have facts to back it up.
** Any discussions of cyber-jihad are off-topic unless you can produce the fatwa to back it up.
Re: [admin] [summary] RE: YouTube IP Hijacking
On Mon, 25 Feb 2008, Danny McPherson wrote: ** Paul Wall brought up the fact that even obviously bogus routes (1/8 and 100/7) were accepted by 99% of internet during an experiment. I'm not sure why this would surprise anyone. To me and you, it's not surprising. To public, it might be. Even the majority of nanog attendees I think would be surprised. ** What I'd like to see discussed: Issues of filtering your transit downstream customers, who announce thousands of routes. Does *anyone* do it? Lots of folks do. The interesting bit is that even then, those same providers would accept perhaps even those customer routes from their peers implicitly. Well, in this case, they *aren't* filtering! (unless I am misunderstanding what you are saying, due to repeated use of 'their'). ** Things like PHAS won't work if hijacker keeps the origin-AS same (by getting their upstream to establish session with different ASN) NO, that's not even necessary. Simply originate the route from the legit AS, and then transit it with the local AS as a transit AS. AS path manipulation is trivial. Oh yeah, d'oh! Thanks for correction. But that is also an important point against PHAS and IRRPT filtering - they are powerless against truly malicious hijacker (one that would register route in IRR, add the right origin-as to AS-SET, and use correct origin). ** What I'd like to see discussed: Who (ICANN/RIRs/LIRs) is actively working on implementing chain of trust of IP space allocations? * Ways to address the issue without cooperation of 3491: ** Filtering anything coming out of 17557 Bad idea. Obviously :) ** Suggestions given: ** What I'd like to see discussed: Can a network operator, *today*, filter the possibly bogus routes from their peers, without manual intervention, and without false positives? Sure, if they want to dedicate an engineer to it, automate policy deployment and deal with brokenness by turning steam valves.
I'd like to see who does it, and get them to present the operational lessons at the next nanog! * Yelling at people who don't filter That's been productive for over a decade now. ** Per above, 3491 isn't the only one who filters. In fact, claims were made that *nobody* filters large enough downstreams. (beyond aspath/maxpref) Wrong. Likewise, I'd like to know who does this (names) and how can we get them to present best practices at the next nanog! -alex
RE: YouTube IP Hijacking
Not if the hijackers have advertised a /24. Anything you advertise more specific than /24 will be lost on many networks' filters. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomas L. Byrnes Sent: Monday, 25 February 2008 8:49 AM To: Michael Smith; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; nanog@merit.edu Subject: RE: YouTube IP Hijacking Which means that, by advertising routes more specific than the ones they are poisoning, it may well be possible to restore universal connectivity to YouTube. -Original Message- From: Michael Smith [mailto:[EMAIL PROTECTED] Sent: Sunday, February 24, 2008 1:23 PM To: [EMAIL PROTECTED]; Tomas L. Byrnes Cc: [EMAIL PROTECTED]; nanog@merit.edu Subject: Re: YouTube IP Hijacking Exactly... They inadvertently made the details of their oppression more readily apparent... - Original Message - From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: Tomas L. Byrnes [EMAIL PROTECTED] Cc: Will Hargrave [EMAIL PROTECTED]; nanog@merit.edu nanog@merit.edu Sent: Sun Feb 24 16:00:35 2008 Subject: Re: YouTube IP Hijacking While they are deliberately blocking Youtube nationally, I suspect the wider issue has no malice, and is a case of poorly constructed/ implemented outbound policies on their part, and poorly constructed/ implemented inbound policies on their upstreams part. On 25/02/2008, at 9:49 AM, Tomas L. Byrnes wrote: Pakistan is deliberately blocking Youtube. http://politics.slashdot.org/article.pl?sid=08/02/24/1628213 Maybe we should all block Pakistan. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Will Hargrave Sent: Sunday, February 24, 2008 12:39 PM To: [EMAIL PROTECTED] Subject: Re: YouTube IP Hijacking Sargun Dhillon wrote: So, it seems that youtube's ip block has been hijacked by a more specific prefix being advertised. This is a case of IP hijacking, not case of DNS poisoning, youtube engineers doing something stupid, etc. For people that don't know.
The router will try to get the most specific prefix. This is by design, not by accident. You are making the assumption of malice when the more likely cause is one of accident on the part of probably stressed NOC staff at 17557. They probably have that /24 going to a gateway walled garden box which replies with a site saying 'we have banned this', and that /24 route is leaking outside of their AS via PCCW due to dodgy filters/communities. Will Neil Fenemor FX Networks
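The three checks the YouTube threads keep coming back to (the summary's "notification when origin of a given route changes", Danny McPherson's correction that a hijacker can keep the legitimate origin AS on the path, and the point above that anything longer than a /24 is dropped by many peers' filters), as an added example that is not code from any of the posters. The AUTHORISED table is constructed; the prefixes come from the RFC 2544 benchmarking range and the ASNs from the RFC 5398 documentation range, standing in for the real YouTube, PTCL and PCCW numbers. The second constructed announcement is the one that matters: it passes an origin-only check and is only caught because it is a more-specific of a prefix the holder is known to originate.

```python
"""Toy BGP announcement checker: an added example, not code from any poster."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed table of what the address holder is expected to originate.
# 198.18.0.0/15 is the RFC 2544 benchmarking range and AS64496-64511 are the
# RFC 5398 documentation ASNs; they stand in for the real prefixes and ASNs.
AUTHORISED: Dict[str, int] = {
    "198.18.0.0/22": 64496,   # the holder originates the covering /22
}
MAX_ACCEPTED_LEN = 24         # many peers drop anything longer than /24


def origin_as(as_path: Tuple[int, ...]) -> int:
    """AS_PATH as received: as_path[0] is the neighbour, as_path[-1] the origin."""
    return as_path[-1]


def origin_only_check(prefix: str, as_path: Tuple[int, ...],
                      authorised: Dict[str, int] = AUTHORISED) -> bool:
    """PHAS-style check: does the origin AS match the one registered for a
    covering prefix? Returns True when nothing looks wrong."""
    net = ipaddress.ip_network(prefix)
    for auth_prefix, auth_origin in authorised.items():
        auth_net = ipaddress.ip_network(auth_prefix)
        if net.version == auth_net.version and net.subnet_of(auth_net):
            return origin_as(as_path) == auth_origin
    return True   # space we hold no data for: nothing to compare against


def check_update(prefix: str, as_path: Tuple[int, ...],
                 authorised: Dict[str, int] = AUTHORISED) -> List[str]:
    """Return the reasons an announcement looks suspicious (empty list = clean)."""
    net = ipaddress.ip_network(prefix)
    findings: List[str] = []
    if net.prefixlen > MAX_ACCEPTED_LEN:
        findings.append(f"too specific: /{net.prefixlen} is longer than /{MAX_ACCEPTED_LEN}")
    for auth_prefix, auth_origin in authorised.items():
        auth_net = ipaddress.ip_network(auth_prefix)
        if net.version != auth_net.version or not net.subnet_of(auth_net):
            continue
        if origin_as(as_path) != auth_origin:
            findings.append(f"origin mismatch: expected AS{auth_origin}, got AS{origin_as(as_path)}")
        if net.prefixlen > auth_net.prefixlen:
            # Longest match wins in every router, so a more-specific steals the traffic
            # whatever the origin AS says.
            findings.append(f"more-specific of {auth_prefix}: /{net.prefixlen}")
    return findings


if __name__ == "__main__":
    # Constructed announcements: AS64496 is the holder, AS64500 the hijacker,
    # AS64497 a transit passing the holder's own route along.
    samples = [
        ("198.18.0.0/22", (64497, 64496)),   # the holder's own /22 via a transit
        ("198.18.1.0/24", (64500,)),         # naive hijack: hijacker as origin
        ("198.18.1.0/24", (64500, 64496)),   # hijack keeping the holder's AS as origin
        ("198.18.1.0/25", (64500, 64496)),   # too long to get past most peer filters
    ]
    for prefix, path in samples:
        verdict = "origin-only ok" if origin_only_check(prefix, path) else "origin-only FAIL"
        print(prefix, path, verdict, check_update(prefix, path))
```

The more-specific check needs something the origin check does not: an authoritative list of which prefixes a holder actually announces, which is exactly the "chain of trust of IP space allocations" the summary asks about.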
RE: Area Social Activity
That's all they paid? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Beck Sent: Thursday, February 14, 2008 11:31 AM To: Bill Nash Cc: North American Network Operators Group Subject: RE: Area Social Activity And to celebrate my first TransAtlantic IRU, I will buy the first ten people a drink. The commission is funding it.
[admin] Re: Fourth cable damaged in Middle East (Qatar to UAE)
This conversation is quickly spinning into discussion of politics and terrorism. Reminder to all, please stick to the *operational* aspects of this thread. -alex [NANOG MLC Chair] On Mon, 4 Feb 2008, Patrick Clochesy wrote: I disagree... I think information warfare tactic could easily be terrorism, though I can't see why this particular event could/would be terrorism. Disrupting a major network like the Internet WITHIN the US could definitely be a form of terrorism... I think anything which maliciously disrupts huge portions of a nation's day-to-day activities would be cause for concern for many folk, especially the telecommunications infrastructure. However, I'm not sure what the mindset of the terrorist would be even if they fully succeeded at what is proposed would be the terrorist's plan - even if we lost total connectivity with the middle east, or even what's considered friendly countries... as long as the information is flowing at home, nobody's going to be filling their swimming pools full of drinking water. I imagine the mindset would be different if you were a small country losing a substantial portion of its communication channels with the outside world... -Patrick - Original Message - From: Mark Newton [EMAIL PROTECTED] To: Martin Hannigan [EMAIL PROTECTED] Cc: Sean Donelan [EMAIL PROTECTED], nanog@merit.edu Sent: Sunday, February 3, 2008 11:12:46 PM (GMT-0800) America/Los_Angeles Subject: Re: Fourth cable damaged in Middle East (Qatar to UAE) On 04/02/2008, at 4:38 PM, Martin Hannigan wrote: I agree with Rod Beck as far as the speculations go. It could be terror, Well, no, it couldn't be. Nobody is being terrorized by this. How can it possibly be a terrorist incident? If it's deliberate, it might be described as an information warfare tactic. But not terrorism. (visions of some guy sitting in a cave with a pair of wet boltcutters laughing maniacally to himself, cackling, Ha-ha!
Now their daytraders will get upset, and teenagers will get their porn _slower_! Die American scum! Doesn't really work, does it?) Politicians have succeeded in watering down the definition of the word terrorism to the point where it no longer has any meaning. But we're rational adults, not politicians, right? If we can't get it right, who will? - mark
RE: Blackholes and IXs and Completing the Attack.
On Sat, 2 Feb 2008, Tomas L. Byrnes wrote: I sincerely doubt that any backbone provider will filter at a /32. That means they have to check EVERY PACKET AT FULL IP DEST against your AS advertised routes. Since most backbone routers build circuits at the /18 and above mask on MPLS, just to keep up with traffic, I sincerely doubt they are going to expend the CPU, and potentially RAM, never mind prefix table entries (you know, those things we're running out of) to have a full table of every host that every hoster says is being DDOSed. In this case, there's a clear economic cost, for no economic benefit (they do actually make money delivering that DDOS traffic). most backbone routers build circuits at the /18 and above mask on MPLS - that part is seriously funny. However: a) Yes, if such proposal was to be widely accepted, it would generate more entries in RIB/FIB. b) However, if this service was actually operated by IX's, the limits to prevent too much growth could be applied centrally (max-prefixes per ASN, automatic removal of those routes after X days, unless manually requested by host, etc). c) Since only your peers will have those :666 entries, it is less route growth than the alternative of announcing the affected block as /24 (which you seem to suggest). A better approach would be to move your DDOS target and all the rest of its co-subnet hosts into a different /24, update the DNS RRs, and cease advertising that /24. That...is...perverted. Not to mention, you can't cease advertising /24. what you would need to do is to deaggregate your (say) /20 into /21, /22, /23 and /24. That's 3 extra entries in FIB for everyone in the world to carry. If you really want to be nice, they don't need to renumber, you just need to stop advertising the target subnet, change the DNS RR's and NAT at your borders, if you control DNS and IP. The added benefit of this is that you can swap them back when the DDoS is over, and they get to stay up while it's happening.
All you need to do this is some spare, never to be allocated, IP space. That...is...perverted. -alex [not speaking as mlc anything]
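The centrally-limited blackhole service sketched in the post above (points b and c, plus the deaggregation arithmetic), as an added example that is not any poster's code: a toy IX route server that only takes host routes tagged with the blackhole community, only from an ASN authorised for that space, caps entries per ASN and expires them after a fixed window, next to a function that counts how many prefixes the "stop advertising that /24" alternative costs everyone else. Assumptions: the community is written as RFC 7999's 65535:666 where the post says ":666"; the per-ASN cap, the TTL, the demo clock and the `allowed` table are all made up for the example.

```python
"""Toy model of an IX-run blackhole route server: an added example, not a poster's code."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network
# RFC 7999 well-known BLACKHOLE community; the ":666" in the post (assumed value).
BLACKHOLE_COMMUNITY = "65535:666"
MAX_BLACKHOLES_PER_ASN = 50        # assumed per-ASN cap applied centrally by the IX
BLACKHOLE_TTL = timedelta(days=7)  # assumed auto-removal window


def at(day: int) -> datetime:
    """Demo clock: day N of a constructed timeline, so callers need no datetime import."""
    return datetime(2008, 2, 2) + timedelta(days=day)


@dataclass
class Entry:
    prefix: IPv4Net
    asn: int
    installed: datetime


@dataclass
class BlackholeServer:
    # Constructed: covering prefixes each peer ASN may blackhole inside,
    # which in practice the IX would build from its IRR / customer data.
    allowed: Dict[int, List[str]]
    table: Dict[IPv4Net, Entry] = field(default_factory=dict)

    def announce(self, asn: int, prefix: str, communities: List[str], now: datetime) -> str:
        """Apply the acceptance policy to one announcement; returns the verdict."""
        net = ipaddress.ip_network(prefix)
        if not isinstance(net, IPv4Net):
            return "rejected: IPv4 only in this toy"
        if net.prefixlen != 32:
            return "rejected: blackhole entries must be host routes (/32)"
        if BLACKHOLE_COMMUNITY not in communities:
            return f"rejected: missing {BLACKHOLE_COMMUNITY}"
        covers = (ipaddress.ip_network(c) for c in self.allowed.get(asn, []))
        if not any(net.subnet_of(c) for c in covers):
            return f"rejected: AS{asn} is not authorised for {net}"
        held = sum(1 for e in self.table.values() if e.asn == asn)
        if net not in self.table and held >= MAX_BLACKHOLES_PER_ASN:
            return f"rejected: AS{asn} is at its max-prefix limit of {MAX_BLACKHOLES_PER_ASN}"
        self.table[net] = Entry(net, asn, now)   # a re-announcement refreshes the timer
        return "accepted"

    def expire(self, now: datetime) -> int:
        """Drop entries older than the TTL; returns how many were removed."""
        stale = [p for p, e in self.table.items() if now - e.installed > BLACKHOLE_TTL]
        for p in stale:
            del self.table[p]
        return len(stale)


def deaggregation_cost(covering: str, victim: str) -> int:
    """Prefixes needed to keep announcing everything in `covering` except `victim`:
    the global-table cost of the 'just stop advertising that /24' alternative."""
    cov = ipaddress.ip_network(covering)
    return len(list(cov.address_exclude(ipaddress.ip_network(victim))))


if __name__ == "__main__":
    srv = BlackholeServer(allowed={64496: ["198.18.0.0/20"]})   # constructed peer
    print(srv.announce(64496, "198.18.15.7/32", [BLACKHOLE_COMMUNITY], at(0)))
    print(srv.announce(64496, "198.18.15.0/24", [BLACKHOLE_COMMUNITY], at(0)))
    print("expired after 8 days:", srv.expire(at(8)))
    print("a /20 minus one /24 costs", deaggregation_cost("198.18.0.0/20", "198.18.15.0/24"), "prefixes")
```

For the /20 case the post describes, `deaggregation_cost` returns 4 (a /21, /22, /23 and /24), which is the "3 extra entries" over the single /20, carried by every full-table router rather than only by the IX peers that see the :666 route.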
RE: An Attempt at Economically Rational Pricing: Time Warner Trial
As long as the companies convince people that the cap is large enough to be essentially the same as unmetered then most people won't care and will take the savings. I don't agree. When we sold boatloads of dialup in the mid to late 90's, people did not like caps, no matter how high they were. We sold a product early on for $20/month which gave you 240 hours/month -- that was an average of 8 hours/day. However, most users never used more than 20 to 30 minutes a day -- but we often got told they were moving to other providers because they were 'unlimited.' So, we adapted. In any event, I've been watching this thread, and I'd have to say that going down the road of metered pricing will only cause other providers not to do this, and then market against TW. In fact, I'd bet on it. Am I the only one here who thinks that the major portion of the cost of having a customer is *not* the bandwidth they use?
RE: An Attempt at Economically Rational Pricing: Time Warner Trial
If we define customer to be an average user of the provided service, and bandwidth to be transit pipe cost, then no, bandwidth is not the major cost of their service. However, if you're advertising an 'unlimited' service and want to keep your promises, you can't plan your network around the average user -- there will be people who will want to hold you to your 'unlimited' promise. I don't agree again. The heavy usage customer would be included in your 'average customer base', just as they were in the dialup world. Yes, the average user was only for 20 to 30 minutes a day, but you certainly had users who logged in once a week, and some who stayed connected 24x7. In my experience in selling DSL, while what you count (bytes instead of minutes) has changed, the premise has not. If you also call 'bandwidth cost' to include all the infrastructure costs required to provide that unlimited service, then yes, bandwidth cost would be a pretty major part of that customer's cost. I dunno about that. You have to build a network either way, in any event. The incremental cost difference between building a network and building a bigger network is probably lost in the noise, somewhere around advertising, support, or your CEO going to Scores on the corporate card. Quickly scanning a reasonably sized MSO here in NJ, the numbers are that the operational cost of the network (what they call Technical and Operating, which likely includes support) was around 42% of revenue. First, I'd bet their network is not full, or anywhere near full, and that to make their dark fiber do 10ge instead of oc48 or whatever it is they use would be tiny. I am not saying that having an unlimited product would not have an effect on their network, but the answer might be 'who cares.' (My point of view is Australia rather than the US, but I don't think 14Mbps of dedicated transit is $50/month even in the US). If it isn't, it will be. And I'd be happy to sell it.
Re: Off Topic
On Tue, 15 Jan 2008, Rod Beck wrote: At the risk of incurring Mr. Pilosoft's wrath (the Putin of NANOG?), You meant the srh of nanog. And I'm not ;) I'm looking for NANOG style ISP meetings to attend in Europe this year (France, Germany, UK, Belgium, and Netherlands). Any suggestions would be appreciated. Please bypass the list and send them directly to me. The first thing that comes to mind is RIPE. Next thing that comes to mind is UKNOF. Also, that isn't really off-topic. However, if you get off-list replies, could you please do a follow-up summary post and list the european neteng groups, that would be quite helpful. A good starting point for the search is www.euro-ix.net, which lists european IXPs. Many IXP's have annual (or more often) meetings of members, which serve similarly to NANOG. See: https://www.euro-ix.net/news/meetevent/ for starters. -alex
[admin] RE: Creating a crystal clear and pure Internet
On Tue, 27 Nov 2007, Jerry Pasker wrote: But, if it's not viewed as political then... Your analogy is flawed, because the Internet is not a pipe system and ISP's are not your local water utility. And the internet is not a big truck! It's... It's a series of tubes! Sorry, I couldn't resist... with all these things clogging all the tubes. :-) I'd like to draw attention to nanog AUP, particularly #6: Postings of political, philosophical, and legal nature are prohibited. While the regulation of internet by filtering bad traffic is clearly political and/or legal, I do think the *technical* implications of it are very much on-topic. After all, once this happens, we as network operators will be responsible for the filtering. Given that, I'd like to ask everyone to refrain from off-hand comments about tubes and dump trucks - we all hear this joke every day. Discussion of morality of such filtering is also off-topic. Discussion of implementation of such filtering and effect of it on network operations at-large is clearly on-topic. Discussion of separating traffic (by network operators) into bad and good is also on-topic. The list is about technology and operations. This is not ITU. This is not C-SPAN. This is not 'general banter among network operators' list either. Before you post to the list, think - would you want to make a presentation at NANOG-conference based on your post? If it doesn't feel appropriate, the list post is similarly inappropriate. Also, this is another reminder that MLC *will* be giving formal warnings (which will eventually lead to removal from the list) to those who continue to post off-topic messages. As usual, should you wish to discuss this post, please do so on nanog-futures (reply-to has been set accordingly). Thanks! -alex [mlc chair]
[admin] Re: unwise filtering policy from cox.net
On Tue, 20 Nov 2007 [EMAIL PROTECTED] wrote: On Tue, 20 Nov 2007 11:21:19 PST, [EMAIL PROTECTED] said: This seems a rather unwise policy on behalf of cox.net -- their customers can originate scam emails, but cox.net abuse desk apparently does not care to hear about it. Seems to be perfectly wise if you're a business and care more about making money than getting all tangled up in pesky things like morals and ethics. It's great when you can help the balance sheet by converting ongoing support costs and loss of paying customers into what economists call externalities (in other words, they make the decisions, but somebody else gets to actually pay for the choices made). This is one of the threads where posting further will not be productive. Cox abuse has been named and shamed, and hopefully, the next post we see to the thread will be from them. As a reminder, political discussions, and discussions about spam filtering (other than operational, such as abuse@ or [EMAIL PROTECTED]) are off-topic for nanog. Please keep it this way. -alex [mlc chair]
Re: Getting DSL at your datacenter for OOB
On Wed, 7 Nov 2007, David Ulevitch wrote: We had a great experience doing this with Sonic.net at PAIX in Palo Alto but have had no success at our other sites. (Sonic.net isn't a national DSL provider) Has anyone found providers who can provision DSL circuits at: EQNX ASH, the MMR at 111 8th, and the Westin in Seattle? Speakeasy, after trying valiantly, finally just gave up saying they just couldn't make it happen. It's not rocket science. You order POTS line from the LEC. Then you order DSL from your favorite shared-line DSL provider on that POTS line. Trying to get non-lineshared-dsl might be a challenge. However, I recommend POTS + DSL, for additional OOB-ness, you can plug your DSL modem into the OOB ethernet and your analog modem into OOB serial network. fwiw, we are providing dsl to 111 8th MMR, the one running the free wifi there :) -alex [not posting as mlc anything]
Re: Fwd: [nanog-admin] Vote on AUP submission to SC
On Wed, 31 Oct 2007, Sean Figgins wrote: I also think this needs additional language to ensure that it is within the realm of the authority of the MLC/NANOG. NANOG has no authority to prohibit autoresponses that result in a direct email to someone on the list. Without this language, you will have a lot of people continuing to whine about getting an autoresponse when they CC everyone in the thread and one of them is on vacation. Since this is the list's AUP, whatever consenting adults do to their private email that has no bearing to the list is clearly OK. I already know of one case that someone that CCed nanog@ and the original poster complained when they got an autoresponder. The proposed language is vague enough that it does not make it clear if it applies only to messages sent through the list, or a message to any individual that includes the list. If you all want to live in a vague world, then that's fine by me, but don't complain when you get complaints that arise out of the vagueness. Well, that's why MLC is paid big bucks to separate loony complaints from real ones ;) -alex
Re: mail operators list
On Wed, 31 Oct 2007, Suresh Ramasubramanian wrote: Well, the current nanog MLC is mostly because Susan Harris was cracking down equally on discussions of anything mail / spam filtering related (operational not kooky) .. in fact, on anything that didn't involve pushing packets from A to B. And we have Marty Hannigan from the MLC telling us that operational mail / spam filtering issues are perfectly on topic. New list not particularly necessary I think .. but sure, a spam or mailops bof at nanog would be a good idea. I (or well, APCAUCE) have been running a spam conference track at APRICOT for the past few years now .. This has veered from operational discussion into the realm of meta-discussion about the list, so let's move it to nanog-futures. Reply-to has been set accordingly in this email, please respect it. MLC's position is that anything that is acceptable for the conference is acceptable on the list. Mail operations are on-topic, although tangentially. Spam filtering is definitely off-topic. -alex [mlc chair]
Re: ARPANet Co-Founder Predicts An Internet Crisis (slashdot)
On Thu, 25 Oct 2007, Paul Vixie wrote: Dr. Larry Roberts, co-founder of the ARPANET and inventor of packet switching, predicts the Internet is headed for a major crisis in an article published on the Internet Evolution web site today. Internet traffic is now growing much more quickly than the rate at which router cost is decreasing, Roberts says. At current growth levels, the cost of deploying Internet capacity to handle new services like social networking, gaming, video, VOIP, and digital entertainment will double every three years, he predicts, creating an economic crisis. Of course, Roberts has an agenda. He's now CEO of Anagran Inc., which makes a technology called flow-based routing that, Roberts claims, will solve all of the world's routing problems in one go. http://slashdot.org/article.pl?sid=07/10/25/1643248 I don't know, this is mildly offtopic (aka, not very operational) but the article made me giggle a few times. a) It resembles too much of Bob Metcalfe predicting the death of the Internet. We all remember how that went (wasn't there NANOG tshirt with Bob eating his hat?) b) In the words of Randy Bush, We tried this 10 years ago, and it didn't work then. Everyone was doing flow-based routing back in '90-95 (cat6k sup1, gsr e0, first riverstoned devices, foundry ironcore, etc). Then, everyone figured out that it does not scale (tm Vijay Gill) and went to tcam-based architectures (for hardware platforms) or cef-like based architectures for software platforms. In either case, performance doesn't depend on flows/second, but only packets/second. Huge problem with flow-based routing is susceptibility to ddos (or abnormal traffic patterns). It doesn't matter that your device can route 1mpps of normal traffic if it croaks under 10kpps of ddos (or codered/nimda/etc). -alex [not mlc anything] [mlc]
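The failure mode the post above describes (a flow-based forwarder that handles a million packets per second of normal traffic but "croaks" under ten thousand packets per second of random-source flood), as an added example that is not code from the poster: a small LRU flow-table model in which a hit is the fast path and a miss is the slow path plus a new entry. The traffic is constructed (a few long-lived flows, then a flood in which every packet is a brand-new flow, then the same long-lived flows again); the cache size and packet counts are assumed. What it shows is that the cost is set by new flows per second, not packets per second, and that the flood also evicts the legitimate flows, so their next packets take the slow path too.

```python
"""Flow-cache exhaustion model: an added example, not from the post."""
from collections import OrderedDict
from typing import Iterable, Tuple

FlowKey = Tuple[str, str, int]   # (src, dst, src_port); a 5-tuple trimmed for brevity


class FlowCache:
    """LRU flow table: hit = fast path, miss = slow-path lookup plus a new entry,
    and an eviction of the least recently used flow once the table is full."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.table: "OrderedDict[FlowKey, int]" = OrderedDict()
        self.hits = self.misses = self.evictions = 0

    def forward(self, key: FlowKey) -> bool:
        """Forward one packet; returns True on a fast-path hit."""
        if key in self.table:
            self.table.move_to_end(key)
            self.table[key] += 1
            self.hits += 1
            return True
        self.misses += 1
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)
            self.evictions += 1
        self.table[key] = 1
        return False


def legit_traffic(n_packets: int, n_flows: int) -> Iterable[FlowKey]:
    """Constructed: n_flows long-lived flows from one host (RFC 5737 addresses)."""
    for i in range(n_packets):
        yield ("192.0.2.1", "198.51.100.10", 1024 + i % n_flows)


def spoofed_flood(n_packets: int) -> Iterable[FlowKey]:
    """Constructed: random-source flood, every packet is a never-seen flow."""
    for i in range(n_packets):
        yield (f"spoofed-src-{i}", "198.51.100.10", 80)


def simulate(capacity: int, n_legit: int, n_flows: int, n_flood: int) -> Tuple[int, int, int, int]:
    """Legit traffic, then a flood, then the same legit flows again.
    Returns (misses in phase 1, misses in phase 2, misses in phase 3, total evictions);
    phase 3 counts legitimate flows the flood knocked out of the table."""
    cache = FlowCache(capacity)

    def phase(packets: Iterable[FlowKey]) -> int:
        before = cache.misses
        for key in packets:
            cache.forward(key)
        return cache.misses - before

    m1 = phase(legit_traffic(n_legit, n_flows))
    m2 = phase(spoofed_flood(n_flood))
    m3 = phase(legit_traffic(n_legit, n_flows))
    return m1, m2, m3, cache.evictions


if __name__ == "__main__":
    # 100k normal packets over 1k flows cost 1k slow-path lookups; 20k flood
    # packets cost 20k, and then the 1k normal flows all miss again.
    print("no flood   :", simulate(10_000, 100_000, 1_000, 0))
    print("with flood :", simulate(10_000, 100_000, 1_000, 20_000))
```

The numbers make the post's ratio concrete: a hundred thousand legitimate packets cost a thousand slow-path lookups, while a fifth as many flood packets cost twenty times that, and leave every legitimate flow needing a fresh lookup afterwards. A packet-per-packet (TCAM or CEF-style) forwarder pays the same per packet regardless of how many distinct flows it sees.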
[admin] Re: Can P2P applications learn to play fair on networks? and Re: Comcast blocking p2p uploads
On Mon, 22 Oct 2007, Randy Bush wrote: actually, it would be really helpful to the masses of us who are being liberal with our delete keys if someone would summarize the two threads, comcast p2p management and 204/4. 240/4 has been summarized before: Look for email with MLC Note in subject. However, in future, MLC emails will contain [admin] in the subject. Interestingly, the content for the p2p threads boils down to: a) Original post by Sean Donelan: Allegation that p2p software does not play well with the rest of the network users - unlike TCP-based protocols which results in more or less fair bandwidth allocation, p2p software will monopolize upstream or downstream bandwidth unfairly, resulting in attempts by network operators to control such traffic. Followup by Steve Bellovin noting that if p2p software (like bt) uses tcp-based protocols, due to use of multiple tcp streams, fairness is achieved *between* BT clients, while being unfair to the rest of the network. No relevant discussion of this subject has commenced, which is troubling, as it is, without doubt, very important for network operations. b) Discussion started by Adrian Chadd whether p2p software is aware of network topology or congestion - without apparent answer, which leads me to guess that the answer is no. c) Offtopic whining about filtering liability, MSO pricing, fairness, equality, end-user complaints about MSOs, filesharing of family photos, disk space provided by MSOs for web hosting. Note: if you find yourself to have posted something that was tossed into the category c) - please reconsider your posting habits. As usual, I apologise if I skipped over your post in this summary. -alex
[admin] Re: Can P2P applications learn to play fair on networks? and Re: Comcast blocking p2p uploads
[note that this post also relates to the thread Re: Comcast blocking p2p uploads] While both discussions started out as operational, most of the mail traffic is things that are not very much related to technology or operations. To clarify, things like these are on-topic:
* Whether p2p protocols are well-behaved, and how can we help making them behave.
* Filtering non-behaving applications, whether these are worms or p2p applications.
* Helping p2p authors write protocols that are topology- and congestion-aware
These are on-topic, but all arguments for and against have already been made. Unless you have something new and insightful to say, please avoid continuing conversations about these subjects:
* ISPs should[n't] have enough capacity to accommodate any application, no matter how well or badly behaved
* ISPs should[n't] charge per byte
* ISPs should[n't] have bandwidth caps
* Legality of blocking and filtering
These are clearly off-topic:
* End-user comments about their particular MSO/ISP, pricing, etc.
* Morality of blocking and filtering
As a guideline, if you can expect a presentation at nanog conference about something, it belongs on the list. If you can't, it doesn't. It is a clear distinction. In addition, keep in mind that this is the network operators mailing list, *not* the end-user mailing list. Marty Hannigan (MLC member) already made a post on the Comcast blocking p2p uploads asking to stick to the operational content (vs, politics and morality of blocking p2p application), but people still continue to make non-technical comments. Accordingly, to increase signal/noise (as applied to network operations) MLC (that's us, the team who moderate this mailing list) won't hesitate to warn posters who ignore the limits set by AUP and guidance set up by MLC. If you want to discuss this moderation request, please do so on nanog-futures. -alex [mlc chair]
RE: 240/4 (MLC NOTE)
Guys, this thread has gone over 50 posts, and doesn't seem to want to end. By now, everyone has had a chance to advance their argument (at least once), and we are just going in circles, increasing noise and not contributing to signal. I'd like to summarize the arguments advanced - and if you don't have something new (not listed here) to say, can you please avoid posting to this thread? If you disagree with me, please take it to nanog-futures.

Summary of arguments:

In favor of experimental use only:
* Alain Durand: at your own risk, this stuff can blow up your network

In favor of private use:
* Randy Bush: if it works for you, why mark it experimental
* Dillon: why shouldn't people use it if they can

In favor of no use at all:
* Joe Greco: it doesn't work now (today) on current-generation OSes, there is no chance to get it to work in any shape or form by the time v4 space is exhausted.
* Steve Wilcox: it will never work

Mixed:
* Daniel Senie: Allocate some as private, reserve the rest as 'allocatable' once vendors get the gear fixed to accommodate those who use it as private

Additional points:
* David Ulevitch: If it is ever designated rfc1918, it cannot ever become public.
* Many: It will buy us some time before v4 address space is exhausted, and is much less painful than v6 deployment
* Many: Old gear cannot be v6-enabled, but it can be 240-enabled
* Dillon: This is not our decision, this is an IETF/IANA decision.

-alex [mlc chair]
Re: autoresponders
On Wed, 17 Oct 2007, Lynda wrote:

> I'm on a couple of lists where the reply-to header is munged in just this way. I hate it. I much prefer the extra effort that says to send to the list, rather than constantly checking to make sure that a private message is not being sent to the list by accident.

FWIW, IMHO, I agree 100%.

> Sean, not picking on you, but this touched a nerve. Out of control vacation (and other autoresponder) programs should be dealt with one at a time, as needed. There's already enough rules. As they are.

I've asked [EMAIL PROTECTED] for a rough number of subscribers that have a 'no longer with the company' autoresponder that gets unsubscribed by her based on complaints by list subscribers - the answer is between 0.5 to 2 per month - seems low, however, if we stop doing it, a year later, you'll get between 6 and 24 autoresponder replies to each post. Which would be bad (tm).

-alex
Re: NANOG Elections
Question, I wonder if we can get statistics on how many people who have registered at this nanog have voted vs those who are not physically here? This would help determine if putting a voting desktop outside of the main conference room would help increase voting participation.

Also, possibly, instead of posting to -announce, a direct email to the last-registered email should be sent to each eligible voter reminding them to vote - some people who attend aren't on any mailing list. (Actually, it is an interesting data point, but probably impossible to gather correct data on.)

-alex
kill thread (Re: wanted: offshore hosting)
On Tue, 9 Oct 2007 [EMAIL PROTECTED] wrote: Hello all. Last time I asked for a hosting place, I ended up going with LayeredTech, but I can give you a list of options if you like. snip Please note that this thread is off-topic for nanog-list. Please do not contribute further to this thread. Reasons for offtopic-ness: a) not internet operational b) commercial c) end-user -alex [mlc chair]
Re: mlc files formal complaint against me
On Mon, 8 Oct 2007, vijay gill wrote: Really, reading this thread has left me stupider. I guess instead of focusing on things like the lightweight agenda, abysmal content and actual value to be had from NANOG, we are getting tied up discussing an offhand remark about a convicted felon. I submit that nanog as a whole is stupider under this formal SC/MLC/PC/whatever than when it was under the benevolent dictatorship of Susan. It takes Vijay to cut to the core of the issue and drop science like bombs. Sometimes benevolent dictatorship is much better at getting things done. Never was the old adage about people getting the government they deserve truer than it is now. We have become a legion of whiners, focused less on the work and more on the process and protocols of etiquette than building networks, though that is probably something a cisco SE can crank out from a visio template faster and in most cases, better than most participants in this trainwreck. This is something that could be on nanog tshirt, trainspotting style. I suggest with the best intention possible that marty unwad his shorts and the rest of us STFU and GBTW. I'll add others to the list, but yes, in the simplest possible terms, this thread was a ridiculous waste of time of everyone involved. -alex
New AS Number Block allocated to the RIPE NCC
Dear Colleagues, The RIPE NCC received the AS Number Block 44032 - 45055 from the IANA in September 2007. You may want to update your records accordingly. Best regards, Alex Le Heux RIPE NCC
Re: Anyone using uvlan out there?
On Fri, 14 Sep 2007, Steven Haigh wrote:

> From my understanding, this software is pretty much acting like a bridge, but with endpoints over a routed IP network.

So it's like an l2tpv3 vpn. And, since it's based on the PC platform, I kind of have to say, in the words of Vijay, "It does not scale", and "What problem is being solved?"

-alex [not mlc anything]
RE: shameful-cabling gallery of infamy - does anybody know where it went?
Alright, this is all scarily familiar and bringing back bad memories.

Wooden modem racks, POPs in disused bathrooms, demarcs so stuffed with

At one point, we had 200 pair installed into a two family house in rural NJ. The pop was in the basement, which had dirt floors.

Or, the local phone company begging us to get lines in different CO's so that we wouldn't overload inter-office trunks and tandems.

Or, the custom made racks to hold USR Sportster modems (which had to be removed from their enclosure)

Or, Livingston PM3's that cost $17k for two PRIs

Or, full BGP between AGIS and iMCI (note the 'i') on a 2501

Or, when you had a mail server (it was monolithic, remember) fail, and you told customers, they'd say, "OK, I'll check my mail tomorrow"

Ah, the good old days.
RE: Using Mobile Phone email addys for monitoring (summarization)
As an experiment, I wanted to try to summarize all the answers given on this question, hope this helps someone.

Suggestions given:

* modem and TAP gateway
  ** TAP numbers at http://www.avtech.com/Support/TAP/index.htm
  ** Software: sendpage or qpage
* Mobile phone with a serial port and AT commandset
  ** Software: sms-tools, gnokii, gsmd
  ** Issues: not reliable because of battery drain
* Purpose-made GSM/CDMA modems
  ** Software: same as above
  ** Manufacturers: Intercel, Sierra 750 (PCMCIA), Falcom Samba 75 (USB)
* Purpose-made GSM-IP modems
  ** Manufacturers: http://www.acmesystems.it/?id=70
* Pages via DTMF
  ** Hylafax/asterisk

-alex [for mlc]
Re: Using Mobile Phone email addys for monitoring
On Thu, 6 Sep 2007, matthew zeier wrote:

> Recommendations on software and modems?

Couple of options:

* Dedicated cell phone connected via serial cable and gnokii-like software
* Analog modem and voice line and TAP software (like sendpage or qpage)

Technically, SNPP is the appropriate solution, but might be overkill if you just have a single host sending messages.

-alex [not nanog mlc blah blah]
NANOG Humour (Re: 2M today, 10M with no change in technology? An informal survey.)
On Mon, 27 Aug 2007, Hex Star wrote:

> On 8/27/07, Justin M. Streiner [EMAIL PROTECTED] wrote:
>> I thought it was just a 6500 that someone got drunk and tipped over on its side, like a cow...
> http://farm.tucows.com/images/2006/07/cow_tipping.jpg :D

While it's occasionally amusing, can we please keep the humour to the minimum, while sticking to the operational content?

-alex (mlc chair)
Re: 2M today, 10M with no change in technology? An informal survey.
On Mon, 27 Aug 2007, Jon Lewis wrote: Though if you've kept up with the latest IOS developments, cisco is finally differentiating the platforms we've assumed for years were only different in angle and paint. 6500's won't get to run the newest 7600 code. I think Cisco is coming to their senses. SXH has *most* of SRB features, while (hopefully) more stable. At this point, imho, the rsp720 is getting the short end of the stick, because it is only limited to SRB+, while you have a choice of SX* and SRB on the sup720. But I think, imho, this discussion belongs to cisco-nsp more than to nanog-l. -alex [not speaking as mlc blah blah]
RE: question on algorithm for radius based accouting
They should yield (approximately) the same result. But, to be pedantic, you haven't accounted for latency within the network. Somebody should be whipped, either for: 2) You, for making even this aged arch-pedant wince. :-) Ding! Seriously, can I also add that RADIUS interim accounting is almost essential in this scenario. Real world accounting and session boundaries mis-match badly making it almost mandatory to use interim accounting records to get an approximation of what the figures look like from a billing perspective. I'll also add watch out for missing records - I've found RADIUS to be the lossiest network protocol per foot of cabling that I've ever used. I can't say I've seen this. Having collected hundreds of millions of radius packets in my years (hell, we were running PM-2e's in 1996), and have written several accounting collectors, I can't say I agree. If you follow the specifications properly, unless you have issues with the transmitting device (read: BUG), RADIUS accounting has always been good to me. And, I've not seen the behavior you describe that requires interim.
Kill this thread (Re: DNS not working)
I think this thread is obviously silly, so please refrain from posting further on this and feeding the troll... Thanks! On Thu, 16 Aug 2007 [EMAIL PROTECTED] wrote: Hi, I try adding google.com to my dns server to get more visitors but google.com still show search engine. Please advise how to do so more visitor in return? May the Gods be with you!
RE: question on algorithm for radius based accouting
> My question is: what's the best algorithm for constructing a broadband access record from radius accounting packets?

Read the RFC. No, I am being serious.

> Record Accounting-On packet arriving time - record Accounting-Off packet's Acct-Session-Time and Acct-Delay-Time - The Log-off time is calculated as: Accounting-On time + (Acct-Session-Time - Acct-Delay-Time)

Or, take the acct record from logoff, and: (time stop acct record rec'd) - (acct-delay-time)

Either will work. However, it's somewhat more common to do what I suggest.

> Log-on time is calculated as: Accounting-Off arriving time - (Acct-Session-Time - Acct-Delay-Time)

Yes.

> Do the two methods have the same effect on the calculated result? If radius packets were sent to two accounting systems simultaneously, while the two systems take different algorithms, will there be any difference between the results of accounting?

They should yield (approximately) the same result. But, to be pedantic, you haven't accounted for latency within the network.
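The two reconstructions traded above, written out as an added example; this is not code from anyone in the thread. It pairs Start and Stop records by Acct-Session-Id, computes the session boundaries both ways (anchored on Start, anchored on Stop), reports how far the two disagree (the network latency the last reply points at), and falls back to the latest Interim-Update when a Stop never arrives, which is where the interim-accounting advice from the other reply earns its keep. The collector record layout, the sample records and the `tolerance` threshold are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class AcctRecord:
    """One Accounting-Request as logged by a collector (constructed layout)."""
    session_id: str        # Acct-Session-Id: ties Start, Interim-Update and Stop together
    status: str            # Acct-Status-Type: "Start", "Interim-Update" or "Stop"
    received_at: int       # collector clock (epoch seconds) when the packet arrived
    delay_time: int = 0    # Acct-Delay-Time: seconds the NAS spent retrying this packet
    session_time: int = 0  # Acct-Session-Time: seconds online (Interim-Update/Stop only)

@dataclass
class Session:
    session_id: str
    logon: int
    logoff: int
    skew: Optional[int]    # disagreement between the two methods; None if only one was possible
    complete: bool         # False when the Start or the Stop record never arrived
    suspect: bool          # skew above tolerance: latency or clock problem worth a look

def nas_time(rec: AcctRecord) -> int:
    # RFC 2866: Acct-Delay-Time is subtracted from the arrival time to recover the
    # approximate time of the event at the NAS, so retransmit delay drops out.
    return rec.received_at - rec.delay_time

def from_start(start: AcctRecord, final: AcctRecord) -> tuple:
    """Method 1: anchor on the Start packet and add Acct-Session-Time."""
    logon = nas_time(start)
    return logon, logon + final.session_time

def from_stop(final: AcctRecord) -> tuple:
    """Method 2: anchor on the Stop packet and subtract Acct-Session-Time."""
    logoff = nas_time(final)
    return logoff - final.session_time, logoff

def build_sessions(records: List[AcctRecord], tolerance: int = 5) -> Dict[str, Session]:
    """Pair records by Acct-Session-Id and reconstruct logon/logoff.

    Method 2 supplies the figures (it works even when Start was lost); method 1 is
    computed alongside and the difference, one-way NAS-to-collector latency plus
    any clock skew, is reported. Without a Stop, the latest Interim-Update stands
    in, which underestimates the session and is marked incomplete.
    """
    starts: Dict[str, AcctRecord] = {}
    finals: Dict[str, AcctRecord] = {}
    for rec in sorted(records, key=lambda r: r.received_at):
        if rec.status == "Start":
            starts[rec.session_id] = rec
        elif rec.status == "Stop":
            finals[rec.session_id] = rec
        elif rec.status == "Interim-Update":
            cur = finals.get(rec.session_id)
            if cur is None or cur.status != "Stop":
                finals[rec.session_id] = rec  # newest interim wins until a Stop arrives
    sessions: Dict[str, Session] = {}
    for sid in sorted(set(starts) | set(finals)):
        start, final = starts.get(sid), finals.get(sid)
        if final is None:  # Start seen, nothing since: still online, or the Stop was lost
            sessions[sid] = Session(sid, nas_time(start), -1, None, False, False)
            continue
        logon, logoff = from_stop(final)
        skew = None
        if start is not None:
            _, logoff_by_start = from_start(start, final)
            skew = abs(logoff - logoff_by_start)
        complete = start is not None and final.status == "Stop"
        sessions[sid] = Session(sid, logon, logoff, skew, complete,
                                skew is not None and skew > tolerance)
    return sessions

# Constructed sample: a normal session, a retransmitted Stop, a lost Start and a lost Stop.
SAMPLE_RECORDS = [
    AcctRecord("s1", "Start", 1000),
    AcctRecord("s1", "Stop", 4602, session_time=3600),                 # 2 s of network latency
    AcctRecord("s2", "Start", 2000),
    AcctRecord("s2", "Stop", 5630, delay_time=30, session_time=3600),  # NAS retried for 30 s
    AcctRecord("s3", "Stop", 9000, session_time=600),                  # Start never arrived
    AcctRecord("s4", "Start", 3000),
    AcctRecord("s4", "Interim-Update", 3600, session_time=600),
    AcctRecord("s4", "Interim-Update", 4200, session_time=1200),       # no Stop yet
]

if __name__ == "__main__":
    for sess in build_sessions(SAMPLE_RECORDS).values():
        print(sess)
```

With the sample, s1 shows the two methods differing by exactly the 2 seconds of latency, s2 shows Acct-Delay-Time cancelling a 30-second retransmit so both methods agree, s3 can only be billed from the Stop, and s4 is billed up to its last interim and flagged incomplete.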
RE: [policy] When Tech Meets Policy...
> Maybe marketing would learn to spell after a few costly mistakes.

Any policy strategy that relies on marketing people learning to spell is flawed from the outset. Domain tasting is a real problem. 1 year domain registrations are cheap. Who then does the waiting period benefit? (hint: not grandma)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Eddings
Sent: Tuesday, 14 August 2007 7:46 AM
To: nanog@merit.edu
Subject: RE: [policy] When Tech Meets Policy...

At 4:32 PM -0400 8/13/07, Justin Scott wrote:

>> Do people really not plan that far ahead, that they need brand new domain names to be active (not just reserved) within seconds?
>
> I can say from my experience working in a web development environment, yes. I can recall several cases where we needed to get a domain online quickly for one reason or another. Usually it revolves around the marketing department not being in-touch with the rest of the company and the wrong/misspelled domain name ends up in a print/radio/tv ad that is about to go to thousands of people and cannot be changed. We end up having to go get the name that is in the ad and get it active as quickly as possible.

Been there. But it's rare enough in real life that I'd happily waive the right for a full refund return for immediate domain publishing. Maybe marketing would learn to spell after a few costly mistakes.

Any other domain registrations getting a 3 day wait before publishing can have a more lenient return policy, maybe with a small processing fee. That's not unreasonable, and has something for the registrars. And grandma would be able to correct her typo, and the registrars would have time to check grandma's credit card, since she's so typo-prone.

> Personally I'm all for things working as quickly as possible, and I'm all for being able to return a domain within a reasonable time if needed. Perhaps it would be better to allow for domain returns, but shorten the time limit to 24 hours. That should be long enough to catch a typo, but too short to be much use for traffic tasting.
>
> -Justin Scott | GravityFree
> Network Administrator
> 1960 Stickney Point Road, Suite 210
> Sarasota | FL | 34231 | 800.207.4431
> 941.927.7674 x115 | f 941.923.5429
> www.GravityFree.com

--
Ken Eddings, Hostmaster, IST, [EMAIL PROTECTED], [EMAIL PROTECTED]
Work: +1 408 974-4286, Cell: +1 408 425-3639, Fax: +1 408 974-3103
Apple Computer, Inc., 1 Infinite Loop, M/S 60-MS Cupertino, CA 95014
The Prudent Mariner never relies solely on any single aid to navigation.
Re: Link to wiki?
On Fri, 10 Aug 2007, Lynda wrote:

> Resending, using merit, since nanog.org doesn't seem to be working...

fyi, I received the previous one sent through nanog.org

> I note that the (sadly outdated) FAQ is still listed on the web site, and that there isn't a pointer to the Wiki... I had been planning on spending a bit of time trying to reconcile the two (i.e. take some of the still useful bits from the FAQ to the Wiki), which is what made me sit up and take notice. Perhaps a link would be in order?

agree. I'll ask the Merit webmaster to update the website. I think it should be a Wiki link below the Mailing list FAQ.

-alex
Please stop (Re: Gwd: crypted document)
On Thu, 2 Aug 2007, Chris Adams wrote:

> Once upon a time, Jon Lewis [EMAIL PROTECTED] said:
>> If you could read the header, the question you would have asked is, "What is Chris Adams doing in Korea sending virus mail to nanog?" :)
> Especially as this particular Chris Adams is not well traveled and has never been west of the Mississippi!

I think at this point, it's fairly clear what happened (fake sender, reply that went to list etc) so continued discussion is rather fruitless.

Lesson to be learned: You cannot protect from human factors. :(

-alex (mlc chair)
New IPv4 blocks allocated to RIPE NCC
[Apologies for duplicate mails]

Dear Colleagues,

The RIPE NCC received the IPv4 address ranges 94/8 and 95/8 from the IANA in July 2007. We will begin allocating from these ranges in the near future.

The minimum allocation size from these two /8s has been set at /21. You may wish to adjust any filters you have in place accordingly.

More information on the IP space administered by the RIPE NCC can be found at: https://www.ripe.net/ripe/docs/ripe-ncc-managed-address-space.html

Please also note that two pilot prefixes are being announced from each /8. These prefixes are:

95.192.0.0/16
95.255.248.0/21

They all originate in AS12654. The following pingable addresses are available in these blocks:

95.192.0.1
95.255.248.1

More information on this pilot activity is available in the document "De-Bogonising New Address Blocks", which can be found at: http://www.ripe.net/ripe/docs/ripe-351.html

Best regards,

Alex Le Heux
RIPE NCC
Policy Implementation Co-ordinator
EPO/NEC (was Re: Why do we use facilities with EPO's?)
On Wed, 25 Jul 2007, Leo Bicknell wrote:

> What I found interesting is that a single EPO is not a hard and fast rule. They walked me through a twisty maze of the national electric code, the national fire code, and local regulations. Through that journey, they left me with a rather interesting tidbit. The more urban an area the more likely it is to have strict fire codes. Typically these codes require a single EPO for the entire structure, there's no way to compartmentalize to rooms or subsystems. However in more rural areas this is often not so, and they had in fact built data centers to code WITHOUT a single building EPO in several locations. That's to say there was no EPO, but that it may only affect a single room, or even a single device.
>
> If they can be avoided, why do we put up with them? Do we really want our colo in downtown San Francisco bad enough to take the risk of having a single point of failure? How can we, as engineers, ask questions about how many generators, how much fuel, and yet take for granted that there is one button on the wall that makes it all turn off? Is it simply that having colo in the middle of the city is so convenient that it overrides the increased cost and the reduced redundancy that are necessitated by that location?

This is an interesting question. National Electric Code (NEC) requires EPO. Sort of. Articles 645 and 685 deal with it. While NEC is not binding on every jurisdiction, almost every US jurisdiction bases its code on NEC with additions/subtractions. I don't know offhand if the local changes deal with EPO much, however, here's some food for thought regarding EPO and NEC.

With regard to putting up with them - EPOs are designed to protect life, not property or uptime. If there's a short causing an electrical fire because a breaker did not open, the firefighter had better be sure he can cut the power *before* stepping next to it.

Here's how NEC works:

1) If a room is designed to comply with Article 645, it must have EPO, *except* if it qualifies under Article 685.

Being under Article 645 gives a couple of things that are generally not permitted otherwise, as follows:

645.4 D) permits underfloor wiring for power, receptacles and crossconnects.

645.4 E) "Power cables; communications cables; connecting cables; interconnecting cables; and associated boxes, connectors plugs and receptacles that are listed as part of, or for, information technology equipment shall not be required to be secured in place." In other words, you can have crossconnects that are lying on the floor (or under a raised floor but not otherwise secured), and that is OK; normally they'd need to be secured every X feet.

645.17) (too lazy to retype NEC language) You can have PDUs with multiple panelboards within a single cabinet - not all that clear what exactly it permits (PDUs with multiple breaker panels essentially).

My understanding is that if you are willing to forego the things that Article 645 permits, you do not have to install EPO. Frankly, I don't see all that much logic in the 645 requirements and linking them to EPO (except, possibly, to make operation of datacenters not in compliance with 645 annoying enough that everyone would opt to comply with EPO).

The Article 685 exception from EPO applies if "An orderly shutdown is required to minimize personnel hazard and equipment damage." It is really intended for industrial (like chemical plant control) systems where EPO shutoff can cause damage to life/property. I doubt this applies to a datacenter.

Above is an armchair engineer's understanding. To be sure, you should consult a real engineer who can stamp and seal your plans!

-alex
RE: Why do we use facilities with EPO's?
In fact, an EPO system is a single point of failure... And, whether or not you need an EPO in your center is wholly up to you, and how you design your center. As mentioned at a recent seminar I went to: If you do not need to install non-plenum rated cable below a floor, and you require boxes under the floor to be secured, and you do not state NFPA 75 as your standard, then you do not need an EPO as defined by NEC 645. Only if you want exceptions granted in 645 (Information Technology Equipment), should you have to install an EPO.

EPO = SPOF = bad. We all know this.

> If they can be avoided, why do we put up with them? Do we really want our colo in downtown San Francisco bad enough to take the risk of having a single point of failure? How can we, as engineers, ask questions about how many generators, how much fuel, and yet take for granted that there is one button on the wall that makes it all turn off? Is it simply that having colo in the middle of the city is so convenient that it overrides the increased cost and the reduced redundancy that are necessitated by that location?

You forgot the default Single Point of Failure in anything.. HUMANS.

Tuc/TBOH
Re: Software or PHP/PERL scripts for simple network management?
On Tue, 19 Jun 2007, William Allen Simpson wrote:

> Drew Weaver wrote:
>> Does anyone have a recommendation of any software products either commercial or freeware which will import the ip routing table from one of my routers/switches and display it in a sorted manner? We just need an easier distributed method than logging into our Black Diamond and typing "sh iproute sorted" every time we need to find an available subnet.
>
> Wow, LOL! The software product is called a text editor. Look at your list of assignments in your NS .arpa. file:
> 1) Find a subnet that hasn't been assigned.
> 2) Update the text file.
> 3) Wait for it to propagate.
> 4) Tell the customer.
>
> The concomitant procedure for static host assignment is:
> 1) Find a number that hasn't been assigned.
> 2) Update the text file.
> 3) Wait for it to propagate.
> 4) Then, and only then, update the forward NS file(s).
> 5) Tell the customer.
>
> Of course, there is software that will automatically maintain the files, and even send a signal to bind, but I've always found them to be weak at subnet management. Text editor is the way to go -- using subversion for distributed file management (that is, knowing who to blame for mangling the assignment commit).

In the words of Vijay, "It does not scale." In the words of Randy, "I encourage my competitors to do this."

Neither 'show ip route' nor 'have a text file' scales beyond a hundred customers.

Proper IP management is complicated. You want to have the following things:

a) easy IP allocation
b) IP association with customer and specific service, for the following purposes:
   * future IP justification with RIRs
   * abuse trackback
c) easy IP deallocation when a customer leaves
d) minimizing additional fragmentation of blocks - for example, if you need a /29 and you have a /29 and a /28 available, you want to take the /29 before fragmenting the /28.
e) support for 'special-purpose blocks' - i.e., /30 for pt-pt and /32 for loopbacks are to be assigned from blocks that are not used for any other purpose.
f) (similar to above) regional/local allocations: give me a /32 out of the dallas loopback blocks
g) two-way sync (or at least diff) of your databases to operational data (the configs in routers) - so you can see what it *should* be vs what it actually is. Ideally, generate commands to update configs to the database.

I think everyone ends up writing their own systems to manage IP space as part of general network management. Unfortunately, they end up being very specific to the network in question (for example, my stuff is very geared toward terminating a large number of vlans on l3 switches, etc)...

--
Alex Pilosov    | DSL, Colocation, Hosting Services
President       | [EMAIL PROTECTED]    877-PILOSOFT x601
Pilosoft, Inc.  | http://www.pilosoft.com
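A small allocator covering points a) through g) above, added here as an example; it is not Pilosoft's code nor anything from the thread. It does best-fit allocation so a free /29 is consumed before any /28 is split, keeps purpose- and region-specific pools (loopback /32s and point-to-point /30s never come out of the customer pool), records customer and service per block for RIR justification and abuse trackback, merges blocks back together on release, and diffs the database against a list of prefixes pulled from a router. The pool names, the RFC 5737 documentation prefixes and the router prefix list are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

@dataclass
class Pool:
    purpose: str      # "customer", "ptp" (/30 links), "loopback" (/32s)
    region: str       # e.g. "dallas": regional pools keep loopbacks per POP
    root: Net         # the aggregate this pool hands out from
    free: List[Net]   # unassigned blocks, kept merged so a released /28 is whole again

@dataclass
class Assignment:
    network: Net
    customer_id: str  # who holds it: RIR justification and abuse trackback
    service_id: str

class IPAM:
    def __init__(self) -> None:
        self.pools: List[Pool] = []
        self.assigned: Dict[Net, Assignment] = {}

    def add_pool(self, purpose: str, region: str, cidr: str) -> None:
        root = Net(cidr)
        self.pools.append(Pool(purpose, region, root, [root]))

    def allocate(self, prefixlen: int, customer_id: str, service_id: str,
                 purpose: str = "customer", region: Optional[str] = None) -> Net:
        """Best fit: the smallest free block that fits is used, so a free /29
        is consumed before any /28 gets split."""
        candidates = [(blk, pool)
                      for pool in self.pools
                      if pool.purpose == purpose and (region is None or pool.region == region)
                      for blk in pool.free if blk.prefixlen <= prefixlen]
        if not candidates:
            raise LookupError(f"no free /{prefixlen} in {purpose}/{region or 'any'}")
        # longest prefix == smallest block; lowest address breaks ties deterministically
        best, pool = max(candidates, key=lambda c: (c[0].prefixlen, -int(c[0].network_address)))
        pool.free.remove(best)
        if best.prefixlen == prefixlen:
            chosen = best
        else:
            chosen = next(best.subnets(new_prefix=prefixlen))   # take the low end
            pool.free.extend(best.address_exclude(chosen))       # return the remainder
        pool.free = list(ipaddress.collapse_addresses(pool.free))
        self.assigned[chosen] = Assignment(chosen, customer_id, service_id)
        return chosen

    def release(self, network: Net) -> None:
        """Customer leaves: drop the assignment and merge the block back into its pool."""
        del self.assigned[network]
        pool = next(p for p in self.pools if network.subnet_of(p.root))
        pool.free = list(ipaddress.collapse_addresses(pool.free + [network]))

    def owner_of(self, ip: str) -> Optional[Assignment]:
        """Abuse trackback: which customer/service holds this address right now?"""
        addr = ipaddress.IPv4Address(ip)
        return next((a for n, a in self.assigned.items() if addr in n), None)

    def diff_against_router(self, router_prefixes: List[str]) -> Tuple[List[str], List[str]]:
        """What the database says *should* exist vs. what the router actually carries."""
        live = {Net(p) for p in router_prefixes}
        missing = sorted(str(n) for n in self.assigned if n not in live)
        unknown = sorted(str(n) for n in live if n not in self.assigned)
        return missing, unknown

def demo() -> dict:
    """Constructed walk-through on RFC 5737 documentation prefixes."""
    ipam = IPAM()
    ipam.add_pool("customer", "dallas", "192.0.2.0/24")
    ipam.add_pool("loopback", "dallas", "198.51.100.0/24")
    ipam.add_pool("ptp", "dallas", "203.0.113.0/24")
    a = ipam.allocate(28, "cust-A", "colo-1")     # 192.0.2.0/28
    b = ipam.allocate(29, "cust-B", "dsl-7")      # 192.0.2.16/29, carved from the next /28
    ipam.release(a)                               # A leaves; 192.0.2.0/28 is whole again
    c = ipam.allocate(29, "cust-C", "dsl-9")      # 192.0.2.24/29: the free /29, not a piece of the /28
    lo = ipam.allocate(32, "core", "lo0", purpose="loopback", region="dallas")
    link = ipam.allocate(30, "core", "dal-nyc", purpose="ptp")
    # constructed list of prefixes as read back from the router's config
    missing, unknown = ipam.diff_against_router(["192.0.2.16/29", "192.0.2.24/29", "192.0.2.64/28"])
    return {"a": str(a), "b": str(b), "c": str(c), "lo": str(lo), "ptp": str(link),
            "owner_of_c_ip": ipam.owner_of("192.0.2.26").customer_id,
            "missing_in_router": missing, "unknown_in_router": unknown}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The diff at the end is the cheap half of point g): the two lists are exactly the prefixes for which you would generate "add" and "remove" commands for the router.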
Re: Software or PHP/PERL scripts for simple network management?
On Wed, 20 Jun 2007, Leigh Porter wrote:

> Do Pilosoft supply such a product? All the ones I tried so far suck soo much that I could never use them. Right now we manage address space with mysql and perl scripts...

It is very much an internal system, designed to meet our needs; as such it is tightly integrated with the rest of the systems - billing, customer management, network mapping, etc. I've been giving some thought to cleaning it up and releasing it under some sort of a public license in hope it'll be useful to someone, but unfortunately haven't found time yet :(

I think realistically, even if you have full source, it'll be good for ideas on how to do things, but it will be *very hard* to separate the IP management out of everything else. (IP management is maybe a few hundred lines of perl/pl/pgsql code total)

hth

-alex
Re: Software or PHP/PERL scripts for simple network management?
On Tue, 19 Jun 2007, William Allen Simpson wrote:

> [EMAIL PROTECTED] wrote:
>> Neither 'show ip route' or 'have a text file' scale beyond a hundred customers.
>
> Hogwash. Used text file allocation for ~3,000 customers. After all, it is *REQUIRED* to exist (for bind). You need *a* canonical place that is authoritative for all others. Existing tools easily track commits. DNS should always reflect reality. Then automated tools will show human readable information. Someday, it may even be authenticated (but I've been beating that horse for a decade). I'm sick and tired of bad NS data.

I agree, DNS should *reflect* reality, but I think it is very much misguided to say that DNS should be the place to have canonical information (i.e. source of all data). Canonical data is in routing/forwarding tables on routers/switches. That's the operational reality.

The amount of data that you need to track IP allocations just doesn't fit well into DNS - there's no place to store customer id/service id, the length of allocation (is this IP part of a /28? /29?), etc. So you'll have to have canonical data somewhere else anyway.

> Yes, we used a separate database for billing, and maybe could have automatically generated the text file. Didn't want the customer service/billing folks to have access to network configuration ;-)
>
> Any time you have more than a single location for maintaining network configuration data, or allow technicians to just slap a route into a router on a whim, you are bound for future difficulties! And when the routing table doesn't match, withdraw the route, and fire the miscreant that failed to properly maintain the allocation data!

Unfortunately, I'll have to say again that this doesn't scale. :)

-alex
Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..
On Fri, 8 Jun 2007, Donald Stahl wrote:

> "The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding." -Judge Louis Brandeis
> snip
> I am not willing to give up any of my own liberties to protect children. We already have laws that do that and judging by the number of people arrested they seem to work. You reach a point of diminishing returns.

Hello,

Before *this* thread spins out of control, I would like to draw your attention to the NANOG-L AUP, available at http://www.nanog.org/aup.html , particularly #6: "Postings of political, philosophical, and legal nature are discouraged."

In other words, it is on-topic to discuss the operational effect of filtering - what the original post started with. It is on-topic to discuss how to filter and comply with government or corporate mandates to filter. It is on-topic to discuss existing logging/filtering solutions and their operational impact. It is not so much on topic to discuss legalities of filtering, but I think most agree that it still belongs here. It is clearly off-topic to discuss lists of British colonies, or civil liberties or protection of children - there are better forums to do this.

Please follow any replies to this message to [EMAIL PROTECTED]

-alex (acting mlc chair)
RE: nanog-l moderation (was Re: Dead Thread was (Re: Security gain from NAT))
On Thu, 7 Jun 2007 [EMAIL PROTECTED] wrote:

>> * More statistics on mailing list usage:
>>   ** Top posters
>>   ** Top threads
>
> The IETF discuss list does this. It's a good idea, if it is posted to the list on a weekly basis.

We'll try to get this done once we have our own server in place.

>> * Curious stats - number of unsubscriptions vs posts /day
>
> Somebody thinks that volume chases people away and looks for backup of their assertion. It would be better to provide some general churn statistics and not just static snapshots of the list then and now. Note that people do unsubscribe and resubscribe under a different email address when changing companies or when simply changing email providers, i.e. the Google mail effect.

Yes, that'd be interesting to validate this assertion of correlation of unsubscription vs list traffic. The unsubscribe/resubscribe cycle would clearly not affect this correlation.

>> * More active participation by mailing list team in guiding discussion and more aggressive moderation.
>
> I remember a presentation at ONE ISPCON back in 1996 where the presenter talked about his experience with the WELL (Whole Earth 'Lectronic Link) and Prodigy (the IBM and Sears joint venture). These services were both based on the concept of discussion forums, not unlike the NANOG list. They ran hundreds, maybe thousands of such forums, so they were able to learn something about what makes forums thrive and survive. This fellow said that the key element was a good sysop (moderator) who intervened to guide the discussion, steer things back onto topic, and introduce new topics (threads) when things got too quiet. Otherwise, a new forum would slowly grow, then suddenly mushroom with excited discussions, and fade away after the few hot issues were dealt with.

Yes, if only we had enough volunteer time to do this. With the amount of traffic nanog-list has, it is a challenge just to *read* all of the messages, much less try to understand, validate, collate and guide the discussion.

> I believe that the only reason NANOG continues to exist and thrive is because there are several list members who do tend to fill that type of informal moderator role guiding the discussion and keeping things moving. These people tend to be domain experts with an interest in some specific area. No single person is around all the time; they fade away when they are busy and come back when they have time. Some examples are William Leibzon, Sean Donelan, and Gadi Evron. I know Gadi is controversial but he is a domain expert, and when he posts, it generates a lot of discussion, some of which indicates that a certain subset of the list is interested in what he says.

I agree with you that the informal moderation is a good idea. I won't comment on the rest of this paragraph. :)

> The secret is NOT trying to please all of the people all of the time, but trying to regularly please some of the people, some of the time.

I want to point out an important thing: the list has a very specific charter: our constituency are network operators and the focus of the list is Internet operational issues. We are not trying to please all people - only network operators. The rest can eat dirt. :)

> The biggest single thing that the MLC could do to improve the list would be to try and cultivate more such contributors. Perhaps some of the people who complain about list content could be persuaded to contribute more of the kind of stuff they would like to see. Maybe we need more questions to be posted in order to guide the discussion. Or, at the meetings, encourage a presenter to actively follow through on the list with their topic. Only a small percentage of the 10,000 list members are present at any given meeting. Or maybe try and get summaries in the style of Stan Olan Barber posted to the list.

I was thinking more in the style of kerneltraffic.org, but yes, that's generally the idea. If you (or anyone else) is volunteering to write a weekly nanog-list summary, that certainly would be welcome!

>> * Possibly more editorial activity by mailing list team.
>
> That's exactly what I mean. A good editor shepherds their publication, choosing focal themes and soliciting writers.

We may be going that direction. Are you volunteering?

-alex
nanog-l moderation (was Re: Dead Thread was (Re: Security gain from NAT))
On Wed, 6 Jun 2007, william(at)elan.net wrote: On Wed, 6 Jun 2007 [EMAIL PROTECTED] wrote: I think at this point, everything that could possibly be said about NAT and security has been said. Unless you have something profound to add which hasn't been mentioned in this thread before, please refrain from adding to this thread. -Alex (for the mailing list team) Was this message sent because one or more members of mail admin team expressed their own opinion and wanted thread to end or because others (presumably more than one person to act on it) have complained? Well, since you have asked: This is really following feedback from community meeting. The thread on NAT was mentioned as example of things that bring down the signal/noise ratio. We've had a productive (if sparsely attended) community meeting. If you didn't watch it remotely, slides from MLC report are here: http://www.pilosoft.com/MLCreport.ppt Even though there weren't that many people, there were certainly a large number of suggestions: (sorry if I'm not mentioning some ideas, it is because I don't remember them offhand and I need to recheck my notes, not because I didn't like them). Even if you weren't there, it's not too late to make some suggestions - this is what nanog-futures is all about. * Suggestions from community meeting: * More statistics on mailing list usage: ** Top posters ** Top threads * Curious stats - number of unsubscriptions vs posts /day * More active participation by mailing list team in guiding discussion and more aggressive moderation. * Possibly more editorial activity by mailing list team. I think the overall feeling was that mailing list team has become too passive/conservative in moderation. So we'll try to do better :) -alex [acting mlc chair]
Dead Thread (Re: Security gain from NAT)
I think at this point, everything that could possibly be said about NAT and security has been said. Unless you have something profound to add which hasn't been mentioned in this thread before, please refrain from adding to this thread. -Alex (for the mailing list team)
IPv6 Training?
Does anyone know of any good IPv6 training resources (classroom, or self-guided)? Looking to send several 1st and 2nd tier guys, for some platform/vendor-agnostic training. Any clues? Thanks.. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: How many others are nullrouting BT?
On Fri, 11 May 2007, Jo Rhett wrote: We've long been aware that BT *never* deals with spammers or DoS attacks that originate from their network, but a new issue has come to light. BT has a number of users who are apparently testing out stolen credit card numbers from their network against stores of all flavors. 3 months of attempts by US banks, US police departments, FBI, etc to get any action taken on these issues has gone nowhere. BT is protecting the interests of their users. Meanwhile the stolen credit card attempts continue unabated. We're considering null-routing all BT netblocks. I'm wondering how many others have already come to the same conclusion? To paraphrase bandy rush: I encourage my competitors to do that. -alex
New AS Number Block allocated to the RIPE NCC
Dear Colleagues, The RIPE NCC received the AS Number Block 43008 - 44031 from the IANA in April 2007. You may want to update your records accordingly. Best regards, Alex Le Heux RIPE NCC
Re: UK ISP threatens security researcher
On Fri, 20 Apr 2007, Gadi Evron wrote: On Fri, 20 Apr 2007, Simon Lyall wrote: On Thu, 19 Apr 2007, Gadi Evron wrote: Looking at the lack of security response and seriousness from this ISP, I personally, in hindsight (although it was impossible to see back then) would not waste time with reporting issues to them, now. These days there is almost never any reason to report a security issue unless you are a professional security researcher who is looking for publicity/work. [1] Now, that is off-topic to NANOG. Just because you disagree with someone's opinion, doesn't make it offtopic. One comment: just because they are not reported does not mean they are not used. Proved beyond doubt this past year with all the 0day attacks and targeted attacks going on. I'm not sure if Simon's comment was tongue-in-cheek. I think if you are referring to public disclosure, yes, I think there's little point of doing this, unless you are seeking attention. Of course, reporting a problem to vendor privately always makes sense. I'm not sure the debate on public disclosure vs private falls under NANOG AUP. -alex
Re: UK ISP threatens security researcher
On Fri, 20 Apr 2007, J. Oquendo wrote: [EMAIL PROTECTED] wrote: I'm not sure if Simon's comment was tongue-in-cheek. I think if you are referring to public disclosure, yes, I think there's little point of doing this, unless you are seeking attention. Of course, reporting a problem to vendor privately always makes sense. I'm not sure the debate on public disclosure vs private falls under NANOG AUP. I beg to differ here on a few points... 1) Reporting to vendors... I don't know how many vendors from Microsoft on down I've reported issues to... Sometimes it works sometimes it doesn't. For the heavy hitters (MS, IBM, etc.) they should acknowledge and take responsibility for their issues, else have the issues publicly disclosed. This is getting into the discussion on whether public disclosure (and attendant attention of script kiddies, public embarrassment of vendor, and glory to the reporter) is better way to get the bug fixed than working with your vendor (who, presumably, receives $$$ from you on maintenance contract or hopes to receive $$$ from you on the upgrade to next version). How would you feel if you used a product a company KNOWS lacks fundamental security controls and does little to fix it. How would you feel if AFTER the fact someone leveraged a method to affect you. How would you feel AFTER the fact, finding out they were told and did nothing for eons. Vote with your wallet, use a vendor that is responsive to customer needs. I've disclosed a pretty bad denial of service bug. Tested not only by me, but by about six other individuals one in one of the world's biggest insurance agencies... Confirmed... Another in academia land... Confirmed... A professional pentester with a DoD contract... Confirmed... Sent it to MS... Well it doesn't work said the MS team... I didn't even bother disclosing it out after that. 
Not because it didn't work but because the last thing I wanted to see was something akin to another Smurf like attack on MS being part of my own shop where I work is MS based. I gave up. On occasion I will take a few minutes to find something stupid to break because I fiddle with things. Sometimes I release things publicly, sometimes I don't depending on what I perceive to be a level of severity. If its minor, it gets released and this is only because I've gotten tired of dealing with the idiotic policies these companies use to shoot themselves in their own foot. It's your choice, it is not the only way. snip From Cisco, to Microsoft, to open source vendors (Asterisk), whomever, most times I will contact the necessary party... They fail to respond, it goes public. Same happened way back when with Computrace (LoJack for Laptops)... Where I contacted them over and over... They told me You're wrong... After proving my points repeatedly... Finally I ended up pulling their card and posting their entire email transcription... I still have an NDA they wanted me to sign which is summarized as We will pay you x amount of what you spend if you just... well shut up. Right I see nothing wrong with responsible public disclosure. Responsible is the key word. There's been much discussion on the mailing lists that are *more appropriate* to discuss full-disclosure what constitutes responsible. Note that those mailing lists are not NANOG, where this subject is tangential. -alex
RE: Question on 7.0.0.0/8
On Sun, 15 Apr 2007 [EMAIL PROTECTED] wrote: As a result, most people consider William Leibzon and the Bogon project to be, collectively, the authoritative source for information on whose IP address that is. ^ If that's the case, all hope has been lost. That's because William and the Bogon project, act authoritative, and take some pains to provide comprehensive data. At the same time, IANA and the RIRs just keep doing the same old thing as their data and systems slowly rot away. Why doesn't IANA operate a whois server? Why should they? What will it produce? Why don't they publish a more detailled explanation field in each IANA allocation record so that they can explain the precise status of each block? Why should they? Why doesn't IANA and the RIRs collectively get off their butts and actually make an authoritative IP address allocation directory one of their goals? And why don't they do all this with some 21st century technology? Why doesn't vwl help by giving ARIN his changelog, if any? -alex
New RIPE NCC IPv4 blocks pingable addresses
[Apologies for duplicate emails] Dear Colleagues, The IANA recently allocated the IPv4 address ranges 92/8 and 93/8 to the RIPE NCC. The following pingable addresses are now available in these blocks: 92.192.0.1 92.255.248.1 93.192.0.1 93.255.248.1 More information regarding the debogonising project can be found here: http://www.ris.ripe.net/debogon/ Best regards, Alex Le Heux RIPE NCC IP Resource Analyst
Re: On-going Internet Emergency and Domain Names
On Fri, 30 Mar 2007, Gadi Evron wrote: There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated. Before the readers of the list think that the world is about to end, please read Gadi's previous predictions here: http://www.securityfocus.com/archive/1/354200/30/0/threaded Eventually, crying wolf will get tiring. This past February, I sent an email to the Reg-Ops (Registrar Operations) mailing list. The email, which is quoted below, states how DNS abuse (not the DNS infrastructure) is the biggest unmitigated current vulnerability in day-to-day Internet security operations, not to mention abuse. This isn't 0-day by any measure. Low-ttl, changing-nameserver domains were in vogue back in 2002 or so. These botnets use DNS as central registry. Yes, it'd be nice to hit the CC using our control of DNS, and yes, it'd be nice if registrars/registries were cooperating. However, DNS isn't the root of the problem here - tomorrow, they'll use some p2p tracker[less] protocol to distribute this information. While we argue about this or that TLD, there are operational issues of the highest importance that are not being addressed. I do not think that this reaches 'operational' just yet, unless you are operating a registry or registrar. snip This is the weakest link online today in Internet security, which we in most cases can't mitigate, and the only mitigation route is the domain name. I dare to say, that's not the weakest link, and that's not the only mitigation route. snip We need to be able to get rid of domain names, at the very least during real emergencies. I am aware how it isn't always easy to distinguish what is good and what is bad. Still, we need to find a way. OK, so, do you officially declare the emergency? 
Should we all block the domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are couple of surprises for you. baidu.com listed there is a chinese equivalent of google, who'd get very upset if its domain name got revoked. Similarly, alexa.com. There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol. -alex
Re: On-going Internet Emergency and Domain Names
On Sat, 31 Mar 2007, Gadi Evron wrote: domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are couple of surprises for you. baidu.com listed there is a chinese equivalent of google, who'd get very upset if its domain name got revoked. Similarly, alexa.com. There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol. You shouldn't confuse TCP/IP for the control channel of the botnets which is IRC, HTTP, etc. I'm not sure I understand your point. Intarweb Storm Center listed a number of domain names involved in these attacks, presumably so the registrars/registries pull the DNS records. I am pointing out that at least two of the ones listed are innocent. What does TCP/IP or IRC or HTTP have to do with anything? DNS is not going anywhere, patch for the hosts file or not. Glad you understand that.
RE: PGE on data centre cooling..
(beware, weekend engineering and number pulling here) If you have 250 fixtures, which are each (2) 4' T8 fluorescent bulbs, which would make for (500) 32 watt bulbs, that would be 16 kw, or at $0.13 cpkwhr, would be $1,497/month. But, don't forget, you'd have to cool the heat load generated by the bulbs. 250 fixtures would probably be around a 16 kft datacenter (perhaps smaller). 16 kft in todays datacenters would be about 1.5 mw of usage, between power consumption and HVAC. That'd be $140,400/month. Lighting would account for 1.0% or so. We use a combination of LED and CF (compact fluorescent) for lighting, which with reduced bulb changes (and the associated labor) because of longer life, and the significantly less energy usage, the savings do add up over time. I mean, it adds up in absolute dollars, but perhaps not relative. In our town, the fire folks do not require the emergency lighting to be battery-backed, so long as it is on generator and will not be off for more than 15 seconds. We use an Edison-base style LED fixture, something like http://www.superbrightleds.com/specs/E27-x24_narrow.htm It provides about 15 to 20 watts of equivalent incandescent light, using only 3 watts. Has a neat look too. http://www.nac.net/nac_mmu.jpg John (damn I've been in a DC with clear floor tiles...why didn't I think of this then?) How about the concept used in movie theatres? Line the walkways with white LEDs so that people can walk safely. Far less power, easy to run from small UPS, and use LED exit lights to keep the fire marshals happy. Even mark the location of fire extinguishers in LEDs. Customers would be encouraged to bring their own fluorescent panel lamps; rentals would be available for the forgetful.
New IPv4 blocks allocated to RIPE NCC
[Apologies for duplicate mails] Dear Colleagues, The RIPE NCC received the IPv4 address ranges 92/8 and 93/8 from the IANA in March 2007. We will begin allocating from these ranges in the near future. The minimum allocation size for these two /8s has been set at /21. You may wish to adjust any filters you have in place accordingly. More information on the IP space administered by the RIPE NCC can be found on our web site at: https://www.ripe.net/ripe/docs/ripe-ncc-managed-address-space.html Additionally, please note that two pilot prefixes will be announced from each /8. The prefixes are: 92.192.0.0/16 93.192.0.0/16 92.255.248.0/21 93.255.248.0/21 They all originate in AS12654. More information on this pilot activity is available in the draft document De-Bogonising New Address Blocks which can be found at: http://www.ripe.net/ripe/draft-documents/deboganising-draft.html Best regards, Alex Le Heux RIPE NCC IP Resource Analyst
RE: [funsec] Not so fast, broadband providers tell big users (fwd)
And on-demand DVR-type things which I believe will grow in popularity. Of course, most of those are overlays which the SPs themselves don't offer; when they wish to do so, it'll become an issue, IMHO. Which, by the way, is hitting main stream. Amazon Unbox. http://www.amazon.com/b/?node=16261631 Watch movies on demand on your Tivo in (almost) real time over your internet connection.
Re: meeting in the Dominican Republic
On Mon, 26 Feb 2007, Etaoin Shrdlu wrote: On the one hand, I have to say that if it's my own money, it's not going to happen. It's just too far away (for me). Not considering the plane fare, though, I don't think it's necessarily a bad suggestion. I *do* wonder where all the attendees will be coming from (the local ones, I mean). I know how shockingly impoverished Jamaica is, and we can't even talk about Haiti. I know far less about the Dominican Republic, other than that it's far better off than either of the other two. Flights to DR don't seem to be much more expensive than coast-to-coast tickets. And I imagine hotels/food/etc is probably going to be quite a bit cheaper than LA/SFO/etc. -alex
RE: GBLX issues?
this morning around 3 am, effecting 2 connections in that You mean 'affecting.' -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: Curious question on hop identity...
On Thu, 14 Dec 2006, Fergie wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 This may be far afield insofar as topic fodder, but I am curious if anyone knows exactly what these two hops [9] [10] below, actually are? Wouldn't you like to know? -- Alex Pilosov| DSL, Colocation, Hosting Services President | [EMAIL PROTECTED]877-PILOSOFT x601 Pilosoft, Inc. | http://www.pilosoft.com
Re: CWDM equipment (current favorites) (fwd)
On Thu, 2 Nov 2006, Deepak Jain wrote: We need to place a new order for some new fiber builds and were considering some other vendors. Especially in the nx2.5G and nx10G (are CWDM x-cievers even available in 10G yet?) range. Anyone have any new favorites? 2.5G are only slightly more expensive than 1G - if you have OC48 gear that is SFP-capable, by all means, use that. 10G CWDM is *rumoured* to exist, but I don't think there are any production ones yet. Feel free to correct me. 10G is all DWDM, and so far very pricy. I think this is the rub (regarding multirate optics). What I'd love to be able to do is take a multirate optic and shove it into some 1U type switch or router that takes several gigabits of a IP or Ethernet frames and load balances them PPP or CEF style across a few 2.5/2.7G lambdas. So say 10 gigabits of traffic over 4 lambdas. I don't need to replicate Well, that's how LX4 actually works internally - but you can't plug in your own optics for those 4 cwdm channels :( Why not just do 10G natively? (LX4 or DWDM or whatever?) GE signaling or SONET signaling... just move the bits. I know this is very easy (trivial even) at 1G signaling rates, I never understood [other than for markup purposes] why the vendors don't let those uplink ports be 2.5G capable. You *have* to deal with signaling somehow, because of regeneration of the signal, so you have to have your own kind of signaling (whether sonet or ethernet or ...) on these lambdas. -alex
Re: CWDM equipment (current favorites) (fwd)
On Mon, 30 Oct 2006, Deepak Jain wrote: A few years ago, NANOG had a discussion regarding various CWDM vendors. Repeatedly MRV was brought up as a good option for metro-area LAN type applications. There's been some discussions more recently, such as (coauthored by yours truly): http://www.nanog.org/mtg-0606/pdf/lightning-talks/4-pilosov.pdf http://www.nanog.org/mtg-0610/presenter-pdfs/pilosov.pdf Since then, I have actually touched some of the MRV product line personally and found it (and their customer support)... less than ideal. (not comparing to anyone else, and no one is really ideal). The bigger problem was that the devices seem to be less than intuitive, but rock solid once they are working. (which is what everyone praised them for). Passive CWDM gear is pretty much all created equal as far as intuitiveness in how to connect it (assuming gear is non-broken). You have muxes, you have SFPs/GBICs, and you plug GBIC output into the mux input. :) As far as the SFP/GBIC quality, I think MRV is very good. At one point, (maybe even still) Cisco OEM'd MRV gbics under their brand (and with attendant 1000% markup). You can also look at cubo and infineon optics, good quality at reasonable price. Be wary about chiwanese vendors - quality is questionable: high DOA rate, output light level and input sensitivity vary from one module to another. Pricewise, you might find that cubo isn't *that* much more expensive than chiwanese gear. Also, there's market (like, again, from yours truly) of the new-in-box MRV gear, which may also be an option. We need to place a new order for some new fiber builds and were considering some other vendors. Especially in the nx2.5G and nx10G (are CWDM x-cievers even available in 10G yet?) range. Anyone have any new favorites? 2.5G are only slightly more expensive than 1G - if you have OC48 gear that is SFP-capable, by all means, use that. 10G CWDM is *rumoured* to exist, but I don't think there are any production ones yet. 
Feel free to correct me. 10G is all DWDM, and so far very pricy.
re: passports for NANOG-39, Toronto
You may have heard that the US and Canada are going to start requiring passports for air travel between them beginning soon. That date is currently set as 8 Jan 2007, which is before February NANOG. MERIT has noted this on the web site, but a cursory check of my list archives didn't turn up mention of it (sorry if I overlooked it; the last couple of weeks have been hectic), so I figured I'd include the pointer: FYI, this date only applies to air or sea (which I imagine is the bulk of people going). However, for land crossings: http://travel.state.gov/travel/tips/regional/regional_1170.html The Intelligence Reform and Terrorism Prevention Act of 2004 requires that, by January 1, 2008, travelers to and from the Caribbean, Bermuda, Panama, Mexico and Canada have a passport or other secure, accepted document to enter or re-enter the United States. [...] The travel initiative requirements will be rolled out in phases. The proposed implementation timeline is as follows: December 31, 2006 - Passport required for all air and sea travel to or from Canada, Mexico, Central and South America, the Caribbean, and Bermuda. December 31, 2007 - Passport required for all land border crossings, as well as air and sea travel.
register.com down sev0?
I'm seeing *.register.com down (including ns*) from everywhere. Just a heads-up. Would be interesting to see the RFO for that one, including the why we didn't have any DNS servers offsite or used anycast to at least limit amount of damage. -alex
Re: register.com down sev0?
On Wed, 25 Oct 2006, Matt Ghali wrote: On Wed, 25 Oct 2006, [EMAIL PROTECTED] wrote: I'm seeing *.register.com down (including ns*) from everywhere. Just a heads-up. I'll take your word on exhaustively checking every possible address. BTW, do you mean nameservers down, webservers down, or something else? Did the Internet break? *.register.com means nameservers, webservers, whois servers, etc. Of course, Internet does not break, but we've received quite a number of calls about internet is down - given that register.com serves a large number of domains, yes, this is operationally affecting. Would be interesting to see the RFO for that one, including the why we didn't have any DNS servers offsite They colo in more than a half-dozen facilities around the world. or used anycast to at least limit amount of damage. I also have information from a pretty good source that they actually do quite a bit of anycast. Not that I can see - possibly that depends on a specific domain's webservers. The glue servers for register.com themselves: Name: ns1.register.com Address: 216.21.234.96 Name: ns2.register.com Address: 216.21.226.96 Name: ns3.register.com Address: 216.21.234.97 Name: ns4.register.com Address: 216.21.226.97 (note just two different /24s) Both of those /24s were down/down about 30 minutes ago, and are flapping/flapping now. route-views.oregon-ix.netshow ip bgp 216.21.234.73 ... BGP routing table entry for 216.21.234.0/24, version 5214460 701 7018 4264 13910, (suppressed due to dampening) 157.130.10.233 from 157.130.10.233 (137.39.3.60) Origin IGP, localpref 100, valid, external Dampinfo: penalty 898, flapped 5 times in 00:35:15, reuse in 00:03:50 route-views.oregon-ix.netshow ip bgp 216.21.226.97 BGP routing table entry for 216.21.226.0/24, version 5214460 ... 
701 7018 4264 13910, (suppressed due to dampening) 157.130.10.233 (inaccessible) from 157.130.10.233 (137.39.3.60) Origin IGP, localpref 100, valid, external Dampinfo: penalty 861, flapped 5 times in 00:36:13, reuse in 00:03:00 From various vantage points, both /24s are routed exactly the same (7018 in NYC). -alex
Re: register.com down sev0?
On Wed, 25 Oct 2006, Matt Ghali wrote: On Wed, 25 Oct 2006, [EMAIL PROTECTED] wrote: I'm seeing *.register.com down (including ns*) from everywhere. They are apparently under a multi-gbps ddos of biblical proportions. As pointed out by Rob Seastrom in private email, RFC2182 addresses things of biblical proportions - such as dispersion of nameservers geographically and topologically. Having 3 secondaries, only one of them on separate /24, and none of them on topologically different network does not qualify. Given that register.com is/was public (I think?) - I wonder what are their sarbox auditors saying about it now ;) Compliance of icann-accredited gtld-registrars with rfc2182 might be a good subject for research (again, thanks to rs for idea) -alex
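As an added example, not code from the thread or from register.com: a small check of the kind the previous two messages are arguing for, testing a zone's authoritative nameservers for the RFC 2182 dispersion properties (distinct covering prefixes, distinct origin ASes, distinct upstreams). The register.com table below uses the four glue addresses and the AS path (701 7018 4264 13910) quoted from route-views in the thread; the "dispersed" table, its names, addresses and AS numbers, is an assumed counter-example and not any real zone.

```python
"""RFC 2182-style dispersion check for a zone's authoritative nameservers.

Added example (not from the thread). Each server is described by its address
and the AS path one vantage point sees for its covering prefix, origin last.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ServerTable = Dict[str, Tuple[str, Tuple[int, ...]]]

# Constructed from the thread: glue addresses for register.com and the
# AS path route-views reported for both /24s (701 7018 4264 13910).
REGISTER_COM_2006: ServerTable = {
    "ns1.register.com": ("216.21.234.96", (701, 7018, 4264, 13910)),
    "ns2.register.com": ("216.21.226.96", (701, 7018, 4264, 13910)),
    "ns3.register.com": ("216.21.234.97", (701, 7018, 4264, 13910)),
    "ns4.register.com": ("216.21.226.97", (701, 7018, 4264, 13910)),
}

# Hypothetical well-dispersed zone; every value here is an assumption
# (documentation prefixes, private-use origin ASes).
DISPERSED_EXAMPLE: ServerTable = {
    "a.ns.example": ("192.0.2.10", (701, 64500)),
    "b.ns.example": ("198.51.100.20", (3356, 64501)),
    "c.ns.example": ("203.0.113.30", (2914, 64502)),
}


def covering_prefixes(servers: ServerTable, prefixlen: int = 24) -> Dict[str, Set[str]]:
    """Group server names by the /prefixlen that covers their address."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for name, (addr, _path) in servers.items():
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        groups[str(net)].add(name)
    return dict(groups)


def origin_asns(servers: ServerTable) -> Set[int]:
    """Origin AS of each server's prefix (last element of the AS path)."""
    return {path[-1] for _addr, path in servers.values()}


def upstream_asns(servers: ServerTable) -> Set[int]:
    """AS one hop above the origin: a shared upstream is a shared failure domain."""
    return {path[-2] for _addr, path in servers.values() if len(path) >= 2}


def dispersion_findings(servers: ServerTable, prefixlen: int = 24) -> List[str]:
    """Return human-readable findings; an empty list means the checks passed."""
    findings: List[str] = []
    groups = covering_prefixes(servers, prefixlen)
    if len(groups) < 2:
        findings.append(f"all servers sit in a single /{prefixlen}")
    for net, names in sorted(groups.items()):
        if len(names) > 1:
            findings.append(f"{net} hosts {len(names)} servers: {', '.join(sorted(names))}")
    origins = origin_asns(servers)
    if len(origins) < 2:
        findings.append(f"all servers originate in AS{next(iter(origins))}")
    upstreams = upstream_asns(servers)
    if len(upstreams) < 2:
        findings.append(f"all servers share the single upstream AS{next(iter(upstreams))}")
    return findings


if __name__ == "__main__":
    for label, table in (("register.com (2006)", REGISTER_COM_2006),
                         ("dispersed example", DISPERSED_EXAMPLE)):
        problems = dispersion_findings(table)
        print(f"{label}: {'OK' if not problems else 'NOT dispersed'}")
        for line in problems:
            print("  -", line)
```

Run stand-alone it reports the register.com set as not dispersed (two /24s, one origin AS, one upstream) and the assumed example as passing. In practice the AS-path column would come from a looking glass or a local BGP feed, and the same check is worth repeating from several vantage points, since a path that looks diverse from one peer can collapse to one upstream from another.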
Re: register.com down sev0?
On 26 Oct 2006, Paul Vixie wrote: I'm seeing *.register.com down (including ns*) from everywhere. They are apparently under a multi-gbps ddos of biblical proportions. i wonder if that's due to the spam they've been sending out? Paul, this isn't nanae. Let's not sling accusations like that wildly. As pointed out by Rob Seastrom in private email, RFC2182 addresses things of biblical proportions - no. really, not. such as dispersion of nameservers geographically and topologically. Having 3 secondaries, only one of them on separate /24, and none of them on topologically different network does not qualify. there is no zone anywhere, including COM, the root zone, or any other, that is immune from worst-case DDoS. anycast all you want. diversify. build a name service infrastructure larger than the earth's moon. none of that will matter as long as OPNs (the scourge of internet robustness) still exist. This isn't 2001, and, I will argue that it *is*, in fact, possible to be protected from a worst case ddos, and not at obscene price. However, even if you argue that point, there's no excuse for not being prepared at all, and not following the BCP. While we all may be guilty of not having topologically/geographically diverse DNS - for someone whose core business is DNS, that's inexcusable. Given that register.com is/was public (I think?) - I wonder what are their sarbox auditors saying about it now ;) that's an easy but catty criticism, and baseless. i'm sure that some way could be found to improve register.com's infrastructure, and i don't just mean by stopping the spamming they've been doing. but it's not trivial and in the face of well-tuned worst-case DDoS, nothing will help. Well, let's talk about worst-case ddos. Let's say, 50mpps (I have not heard of ddos larger that that number). Let's say, you can sink/filter 100kpps on each box (not unreasonable on higher-end box with nsd). That means, you should be able to filter this attack with ~500 servers, appropriately place. 
Say, because you don't know where the attack will come in, you need 4 times more the estimated number of servers, that's 2000 servers. That's not entirely unreasonable number for a large enough company. I know that the above was just rough back-of-the-envelope, and things are far more complicated than that, but this discussion does not really belong to nanog-l. Compliance of icann-accredited gtld-registrars with rfc2182 might be a good subject for research (again, thanks to rs for idea) i've been wondering if ICANN's accreditation could be revoked for spammers, and register.com has indeed been spamming. and it may also be that they are out of compliance with RFC 2182. but that would be like catching al capone for income tax evasion just because you couldn't pin murder on him. Things like that, and accusations like that, I don't think really belong to nanog-l. (speaking for myself only)
Re: register.com down sev0?
On Thu, 26 Oct 2006, Patrick W. Gilmore wrote: There is no single appropriately[sic] place which can absorb 50Mpps. If you meant appropriately placed (as in topologically dispersed locations), a well crafted attack could still guarantee _at least_ a partial DoS from an end user PoV. It is essentially impossible to distinguish end-user requests from (im)properly created DoS packets (especially until BCP38 is widely adopted - i.e. probably never). Since there is no single place - no 13 places - which can withstand a well crafted DoS, you are guaranteed that some users will not be able to reach any of your listed authorities. Yeah - I know it's hard-to-impossible to do that, and it is a tug-of-war between worm writers (to generate queries indistinguishable from real client-resolver-generated queries) and trying-to-detect-malformed-queries (such as duplicated qid, or from IP space that shouldn't be hitting this specific node). You probably dealt with more ddos than the rest of us combined, so I bow to your superior knowledge. I know that the above was just rough back-of-the-envelope, and things are far more complicated than that, but this discussion does not really belong on nanog-l. We disagree. Keeping large name servers running is _absolutely_ a network operations topic. Not only is the defense mostly network based (since the network is the most likely thing to break), network operators are the people who get the phone calls when DNS does break. Sorry - I meant that the discussion of whether or not register.com is spamming is somewhat off-topic. Of course, DNS operations (and particularly dealing with biblical scale ddos) is very much on-topic. -alex
Re: Blogger.com posts still fails when posting to the NANOG list!
Hi, Apparently there is still some silly [f|s]oul who has to forward NANOG to blogger and blogger still doesn't handle multipart/signed and thus very nicely and totally anonymously reports that it fails. snip Google seems to say that this might be the one: http://www.gossamer-threads.com/lists/nanog/users/ No, this isn't us. We don't forward any mail to blogger or anyone else. Cheers, Alex -- Alex Krohn [EMAIL PROTECTED]
RE: Collocation Access
Is this some new trend or have I just gotten lucky in the past? Wouldn't someone like ATT be better served by giving their employees some company issued ID that they can submit to secure facilities? I know it wouldn't be government I am shocked that the ATT employee did not have an ATT ID. In our facilities, we require all visiting telcos to produce company identification, and between telcove/level 3, Verizon, MCI, and several others, we have never had an issue. I'd be a bit more suspicious that he didn't have ATT ID. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
RE: Collocation Access
(They let me in eventually with a passport. But if they're going to trust a foreign-issued passport as photo id, it's not really that obvious to me why they wouldn't trust a foreign-issued driving licence. It's not like they can really tell whether either of them are forged.) What I've never understood is how a gov't-issued ID (for the purposes of allowing entry) is of any use whatsoever. It's not as if someone is doing an instant background check to know if the person is a criminal, or wanted, or whatever. It's trivial to forge a gov't ID. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
RE: 200K prefixes - Weekly Routing Table Report
Maybe reboot all our routers at once or something? Who wants to go first...? Then again, maybe better not... philip -- I suspect if we do this, when things 'come back up', we'll be under 200k. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: WSJ: Big tech firms seeking power
On Fri, 16 Jun 2006, Matthew Crocker wrote: I wonder just how much power it takes to cool 450,000 servers. 450,000 servers * 100 Watts/Server = 45,000,000 watts / 3.413 watts/BTU = 13.1 Million BTU / 12000 BTU/Ton = 1100 Tons of cooling Error: you MULTIPLY 3.413 to go from watts to BTU, not divide. It'd be more like 154,000,000 BTU, /12000 or 12,798 tons. Also at 100 watts, you are assuming Celerons with single hard drives. We see more like 120 to 240 depending on config. 100 would be low. A 30 Ton Liebert system runs about 80 amps @ 480 volts or 38400 watts, you'll need at least 40 of them to cool 1100 tons which is 1536 Kw * 24 hours * 7 days * 4.3 weeks = 1,110,000 KwH/month * $0.10/KwH = $111,000 /month in cooling. 80 amps @ 480 is 80 * 480 * 1.73, or 66 kw. However, they don't draw that much. A 30 ton unit, worst case (115 degrees outside across the condenser) will be about 50 kw, assuming you do not have humidification or reheats turned on. Second issue: you are assuming 100% cooling efficiency, or, in other words, that you'd have perfect airflow, perfect air return, etc. Never happens, especially when you have customers who are idiots. Third issue: you are assuming there is no heat loss or gain in the structure of the building. This could be very significant. Let's assume it's not. It's likely in an environment like this, you'd have more like 14000 tons. 14000 / 30 = 466 units, @ 50 kw/unit, 23,300,000 watts, / 1000 * 24 * 30.4375 (avg days in a month) = 17,020,000 kw-hrs, @ $0.12 (more likely with today's fuel prices unless you are in Kentucky) $2,042,400/month. Also, don't forget the original 450,000 servers at 100 watts (45 mw) would be $3,944,700/month in power. Also, 450,000 1U servers at 40/rack would be 11,250 racks, which at 10 sq-ft a rack would be 112,000 sq-ft of datacenter floor space (triple or, more likely, quadruple that for space for HVAC, generators, switchgear, UPSs, etc). That'd be 500,000 sq-ft at minimum.
Total is $5,987,000/mon, but you haven't ROIed the millions in electrical gear (think big: this is about 68 megawatts; $250k/each for a 2 mw generator (you'd need 40, $10 mm), $50k/each for a 500 kva UPS (you'd need 80, $4mm), millions in panels, breakers, piping, copper wire (700% increase in copper pricing in the last 24 months, people), etc. Oh, and 466 Liebert 30 ton HVACs, probably $25 to $40k/ea installed ($11 million). Oh, and no one has installed it yet, and you haven't paid rent on the facility that will take 2 years to build with probably 100's of workers' salaries. Take $6mm/month, divide by 450,000 servers, $13.33/month/server. Oh, and 68 Megawatts over 112k ft of floor space is 607 watts/ft. That's about 6 times what most centers built in the last couple years are built at. But wait, there is more. Just a point of comparison -- Oyster Creek Nuclear Power generation plant, located here on the Jersey Shore, produces 636 megawatts. You'd take one-tenth of that capacity -- in a building that would sit on a 10 or 20 acre chunk of land. I put this into the 'unlikely' category. The substation alone to handle stepping 68 mwatts from transmission to 480v would be probably 4 acres. And, 68 megawatts of power at 480 volts is 81,888 amps. A typical 200,000 sq-ft multi-tenant office building has 1600 amps of service; this would be the equivalent of 50 buildings. Having fun yet? A 30 ton Liebert takes about 30 sq-ft of floor space; 466 of them would be 13,980 sq-ft. If you use a drycooler system, they are about 100 sq-ft, and you'd need 233 of them (60 ton DDNT940's), 23,300 sq-ft of roof space. Each of those weighs 2,640 pounds, for a total of 615,000 pounds, or 308 tons (of weight, not HVAC capacity). I won't even spend the CPU cycles figuring out how many gallons of glycol this would be, but probably a good guess would be about 50,000 gallons. That'd be about a quarter-million dollars in glycol. I'm tired now, time to climb back in my hole.
In other words, don't get me started on the datacenter density issue. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: WSJ: Big tech firms seeking power
On Fri, 16 Jun 2006, Crist Clark wrote: Error: you MULTIPLY 3.413 to go from watts to BTU, not divide. It'd be more like 154,000,000 BTU, /12000 or 12,798 tons. Well, the bigger problem here is that a watt is a measure of power (energy/time) and a BTU is a unit of energy. There is no dimensionless conversion factor between the two. Huh? A Watt has no time constant. A watt is an amount of energy consumed at a moment (ie, a 60 watt light bulb), not an amount of energy over time (like a watt-hour; for instance, a 60 watt light bulb uses 60 watt-hours of power every hour, or 1.44 kwatt-hrs per day). There is a direct correlation between watts and btu's, and that is: watts * 3.413 = btu -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: WSJ: Big tech firms seeking power
When I made my posting, I didn't know the context was google in Oregon. I missed that somehow. Anyway, the dam referenced below: http://en.wikipedia.org/wiki/The_Dalles_Dam And the power generated from the region: http://en.wikipedia.org/wiki/Hydroelectric_dams_on_the_Columbia_River Seems like a good place to setup a datacenter. On Fri, 16 Jun 2006, Jeff Shultz wrote: David Lesher wrote: Speaking on Deep Background, the Press Secretary whispered: I wonder just how much power it takes to cool 450,000 servers. . KwH = $111,000 /month in cooling. I don't know the area; but gather it's hydro territory? How about water-source heat pumps? It's lots easier to cool 25C air into say 10-15C water than into 30C outside air. Open loop water source systems do have their issues [algae, etc] but can save a lot of power The Dalles, OR is on the Columbia River just upriver of Portland by 80 miles or so. It has a large dam spanning what used to be Celilo Falls in its front yard. Hydro territory doesn't even begin to define it... :-) Eco-freak territory also doesn't begin to define it, so the idea of piping water off the Columbia and returning it even 1/2 degree warmer is a non-starter. I'm amazed they let them put up tall cooling towers in the historic, scenic Columbia River Gorge (sorry, old political battle flashback) -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: WSJ: Big tech firms seeking power
No, that's wrong.

$ units
2438 units, 71 prefixes, 32 nonlinear units
You have: watt
You want: btu
conformability error
        1 kg m^2 / s^3
        1055.0559 kg m^2 / s^2
You have: watt hour
You want: btu
        * 3.4121416
        / 0.29307107

Agreed, my math should have said btu/hr, which is what any HVAC system is rated in -- how many btus in an hour it can remove. I apologize for the horrendous error, but all of the math stands. Just sed s/btu/btu\/hr/g (also, you can do from watt to btu/hr with the same 3.413 multiplier)

-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: WSJ: Big tech firms seeking power
On Fri, 16 Jun 2006, Crist Clark wrote: Error: you MULTIPLY 3.413 to go from watts to BTU, not divide. It'd be more like 154,000,000 BTU, /12000 or 12,798 tons. Well, the bigger problem here is that a watt is a measure of power (energy/time) and a BTU is a unit of energy. There is no dimensionless conversion factor between the two. Alright, I am sorry I missed that. It should read: Error: you MULTIPLY 3.413 to go from watts to BTU/hr, not divide. It'd be more like 154,000,000 BTU/hr, /12000 or 12,798 tons. Sorry! Sheesh. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: WSJ: Big tech firms seeking power
What is the amount of energy coming out of a server as heat as opposed to what you put in as electricity? My guess would be pretty close to 100%, but is it really so? And I've also been told that you need approx 1/3 of the energy taken out thru cooling to cool it? So that would mean that to sustain a 100W server you really need approx 130-140W of power when cooling is included in the equation. Is this a correct assumption? Based upon my real-world experience, and talking to a few folks, it's very close to 100%. Most assume 100% for the practice of calculating cooling. However, for those who are very scientific, they try to tell you that some of the power is going into movement of hard drive heads, etc., which creates force on your racks, etc. A true, but irrelevant discussion, really, because it's likely an immeasurable amount. One could do the exercise of putting a computer in a well insulated box and measuring power in vs. rate of rise of temperature. Volunteers? :) -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: 2006.06.06 NANOG-NOTES CC1 ENUM LLC update
Tell you what -- I'd love to see this for every meeting, in some sort of official capacity. Reminds me of Stan's notes from the regional techs meetings.. On Thu, 8 Jun 2006, Patrick W. Gilmore wrote: On Jun 8, 2006, at 10:04 AM, Matthew Petach wrote: (sorry these are coming out delayed, I had to deal with an internal routing challenge for much of yesterday afternoon. --Matt) I think I speak for the whole list when we say you have absolutely NO reason to apologize, Matt. In fact, I think we'll nominate you for Most Useful Meeting Attendee. :) -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: Zebra/linux device production networking?
On Wed, 7 Jun 2006, Justin W. Pauler wrote: I'm running ImageStream routers for the Internet distribution side of my network (2 edge routers, 2 core routers) and I'm extremely happy... This is a datacenter network and my customers are happy, I guess that's all that counts. In my opinion, I prefer to go with a open-source based solution because of pricing and customizability... I can build a script and load it into the equipment to give me any type of statistic I want... And I don't have to wait for a new IOS release. Note that imagestream is the worst of both worlds. it is ghetto like opensores but you don't get the source to fix it yourself if vendor is not being helpful. -alex
Re: Zebra/linux device production networking?
On Tue, 6 Jun 2006, Nick Burke wrote: First, a little background.. My CTO made my stomach curdle today when he announced that he wanted to do away with all our cisco [routers] and instead use Linux/zebra boxen. We are a small company, so naturally penny pinching is the primary motivation. That, and the sheer joy of watching me squirm. He has informed me that he has found many people who do this for their core devices. I'm not so certain about this whole situation, so I humbly ask: How many of you have actually use(d) Zebra/Linux as a routing device (core and/or regional, I'd be interested in both) in a production (read: 99.999% required, hsrp, bgp, dot1q, other goodies) environment? And, if you care to spend this much time, what pitfalls/benefits did you find out about after implementation? Having done exactly that previously, I wouldn't recommend it. While it will work, most of the time, reaching 99.999% will be a challenge. The amount of engineering time you will spend in order to reach that point (and to maintain your setup) will dwarf the cost of leasing proper equipment. Issues encountered: *) Performance under ddos: Linux routing stack is route-cache-based. That means, performance is a function of flows per second, and even a small random src/dst ddos will kill you. Even when this is fixed, performance will be limited by pps - and the worst case performance of a PC router is not as impressive as omg i can route 1gbit with p3/1ghz. In the end, worst case performance is what really matters, and it isn't all that awesome. *) Management: It takes a certain amount of sysadmin time to manage each PC router (tools/etc). *) Integration: As it is not designed as a complete system, you will have little weirdnesses, such as, quagga not seeing kernel-installed routes, or netlink not being able to keep up with route updates, etc. All of those are fairly small things, but there are more than enough of them.
*) Troubleshooting/continuity of operations: It takes two orders of magnitude more clue to troubleshoot a zebra network - there are simply *lots* more things that can possibly go wrong - you don't worry just about your links breaking, you have to worry about your software being buggy. While any CCIE will most likely be able to troubleshoot and run a cisco-based network, the pool of engineers sufficiently clued in the myriad of things that relate to troubleshooting of a PC router (ie. both network engineer, system admin, protocol engineer, kernel hacker, and at times, zebra-source-code-hacker) is far smaller. *) Maturity: While it has been improving, things like Quagga still have stability issues and weird issues that are resolved by killing ospfd. Because of a greater state of flux in such an environment, you are likely to encounter things like oh, this bug is fixed in the latest release - and then having to retest the new release which has completely different bugs. Yes, I know, you get that with proprietary vendors - but at least you get the benefit of *them* doing at least some amount of testing prior to release. *) Redundancy: Adding more redundancy to such a system is not likely to increase availability - in fact, it is likely to decrease availability because of added complexity and more things to break. Your problems are not likely to be the PC losing power (complete failure). Your problem will be things like zebra's idea of the routing table being different from the kernel's idea, zebra being unhappy after a transit flaps sucking up CPU time, leading to other things timing out, etc. Redundancy will exacerbate these issues, making troubleshooting *harder*. So, in conclusion, if you have a large number of clued linux hackers who have nothing better to do, it may be a good idea. Otherwise, you'll realize you are spending far more on sysadmin time than you are saving on equipment cost.
-- Alex Pilosov| DSL, Colocation, Hosting Services President | [EMAIL PROTECTED]877-PILOSOFT x601 Pilosoft, Inc. | http://www.pilosoft.com
Re: data center space
On many of the public colo houses earnings calls, they told analysts that they are trying to keep contracts to one year so they can raise prices year over year, that power pricing is fluid and many facilities are being expanded both space and environmental, that most locations really are full or being held down by lack of cooling for existing dense rack space. Basically get ready to hold out your wallet. Is it that? Or, is it some of these companies now realising that charging $250 for a 20 amp outlet is less than their cost, even three years ago? -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
RE: Determine difference between 2 BGP feeds
More than likely, one provider is feeding too many routes -- some that I have run across tend to feed more specific internal routes (read: redistributing IGP into BGP) to customer BGP sessions. The two I've run across, after I yelled, they fixed. On Tue, 18 Apr 2006, Mike Walter wrote: Sounds to me like one of your providers is not feeding you the full internet routing table. Have you checked with them to see if they are providing you that? Mike Walter Systems Administrator -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Tuc Ellentuch at T-B-O-H Sent: Tuesday, April 18, 2006 4:13 PM To: nanog@merit.edu Subject: Determine difference between 2 BGP feeds Hi, We receive a BGP feed from different providers on two different routers. While one seems to be a reasonable amount of feeds after reviewing the CIDR report, the other is anywhere from 3K to 10K more routes. Is there a utility that I can use that will pull the routes off each router (Foundry preferred), and then compare them as best it can to see why there is such a difference? I can understand a handful of routes over what CIDR says, but a minimum of 3K more? Thanks, Tuc/TBOH -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
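The diagnosis above (one provider feeding a few thousand extra routes, usually more-specifics of prefixes the other provider already carries, such as redistributed IGP internals) can be confirmed by diffing the two tables and asking, for every prefix only one feed has, whether the other feed carries a covering aggregate. The script below is an added example, not a tool from the thread; FEED_A and FEED_B are constructed prefix lists standing in for what you would scrape from each router, and the covering-prefix lookup is a plain linear scan (fine for tens of thousands of prefixes, slow beyond that).

```python
import ipaddress

# Constructed sample prefix lists, as you would get by scraping each router's
# BGP table down to bare prefixes. Documentation and private ranges, chosen
# for illustration only.
FEED_A = ["10.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
FEED_B = ["10.0.0.0/8", "10.1.0.0/16", "10.1.2.0/24", "192.0.2.0/24",
          "192.0.2.128/25", "198.51.100.0/24", "172.16.0.0/12"]


def _parse(prefixes):
    return {ipaddress.ip_network(p, strict=True) for p in prefixes}


def _sort_key(net):
    return (net.version, int(net.network_address), net.prefixlen)


def covering_prefix(net, table):
    """Most specific prefix in `table` that contains `net` (None if none)."""
    best = None
    for cand in table:
        if cand.version == net.version and net != cand and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return best


def compare_feeds(feed_a, feed_b):
    """Explain why feed_b is larger than feed_a.

    Prefixes present only in B are split into those that are more-specifics
    of something A already carries (typical of a provider leaking internal
    or customer deaggregates) and those that are genuinely uncovered (A is
    missing reachability, or B is leaking something A cannot see at all).
    """
    a, b = _parse(feed_a), _parse(feed_b)
    only_b = sorted(b - a, key=_sort_key)
    covered, uncovered = {}, []
    for net in only_b:
        parent = covering_prefix(net, a)
        if parent is None:
            uncovered.append(str(net))
        else:
            covered.setdefault(str(parent), []).append(str(net))
    return {
        "only_in_a": [str(n) for n in sorted(a - b, key=_sort_key)],
        "only_in_b": len(only_b),
        "covered_by_a": covered,
        "uncovered": uncovered,
    }


if __name__ == "__main__":
    report = compare_feeds(FEED_A, FEED_B)
    print(f"{report['only_in_b']} prefixes only in feed B")
    for parent, kids in report["covered_by_a"].items():
        print(f"  more-specifics of {parent}: {', '.join(kids)}")
    print("  uncovered:", ", ".join(report["uncovered"]) or "none")
    print("only in feed A:", ", ".join(report["only_in_a"]) or "none")
```

A large "covered_by_a" bucket under a handful of parents points at deaggregation or IGP leakage by provider B; a large "uncovered" list means one of the two feeds is actually missing part of the table, which is the question the original poster was asking.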
Re: Wiltel has gone pink.
Hello, You are aware Wiltel was acquired by Level(3) some time ago? Going to www.wiltel.com would tell you this. On Mon, 13 Mar 2006, Jo Rhett wrote: This morning we have started receiving an abundance of spam from Wiltel customers, pointing boldly back to websites hosted in Wiltel space. OrgAbuseHandle: WAC18-ARIN OrgAbuseName: Wiltel Abuse Contact OrgAbusePhone: +1-918-547-2000 OrgAbuseEmail: [EMAIL PROTECTED] Messages to [EMAIL PROTECTED] are being rejected. This phone number goes to their conferencing group, which doesn't know what 'abuse' is, or even what an IP network is. I went through 4 levels of management, and was informed that they no longer had an abuse team -- that this was disbanded in a recent reorganization. In short, it would appear that Wiltel is now selling pink contracts. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: Wiltel has gone pink.
I don't disagree. In my opinion, companies which neglect the updating of contact information should be beaten, perhaps with a large cue stick or a ball peen hammer. The reality of the situation is that issues can arise much more important than even the one described here (perhaps a large DOS attack), and finding the contact information can be difficult. All I was saying is that there were other means of finding the right person, and perhaps even informing them to update the contact information -- rather than using nanog as a sounding board. On Tue, 14 Mar 2006, Jo Rhett wrote: On Tue, Mar 14, 2006 at 06:56:30AM -0500, Alex Rubenstein wrote: You are aware Wiltel was acquired by Level(3) some time ago? Going to www.wiltel.com would tell you this. Then they need to update their contact information on the zones. Anyway, it turns out that they are using a spam filter on their abuse mailbox. They may or may not be pink, but they're certainly not smart. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: Honest Cogent opinions without rhetoric.
On Wed, 8 Mar 2006, Martin Hannigan wrote: I am looking for user experiences for people who have purchased transit from cogent in the 300Mbps or up range as far as performance, stability, and any other measurable metric of quality you can come up with. We have heard a lot of negatives about them, about their pricing model, about their network, about de-peering with Level 3, etc. What we really need is actual information. Many of the negatives are from jaded competitors who don't want to fairly compete. Other than that, the answer is 'it depends'. At certain cities, your experience will be worse - Cogent doesn't have peers with big boys in every city they are at - so you'll have more chance of being backhauled to sfo/iad than if you bought from $bigger-carrier. With regard to depeerings: they are a fact of life on the internet - and as a service provider, you should always have multiple transits, for this and other reasons. Yes, you obviously will have more risk of being caught in a depeering fight if you are buying from $low-price-leader-du-jour, because these are the ones more likely to be depeered by $big-boys for being too-competitive. ;) With regard to network stability: It *appears* (from the number of recent fiber cuts) that Cogent doesn't have enough redundancy on intercity or metro transports - fairly recently the network was cut in half for an extended period of time due to two concurrent cuts. Not to say that doesn't happen to anyone else, happened to Sprint too, but, losing nyc-iad transport (and having everything go through ord) due to a metro fiber cut in nyc is somewhat unexpected. With regard to peers: I can't say that cogent's peers are more congested than any other carrier's peers. With regard to price: There are others who sell at about the same price. Cogent is far better than them. :) Overall: Cogent can be a good part of a transit mix.
(from Marty) From a global perspective[1], the top 12 (I stopped at Cogent since you are asking about them) service providers whose customers and peering partners reach the largest number of networks are listed below. You can make some fairly interesting assumptions on your own: snip This gotta be the most meaningless metric ever. What does reach mean? More ASNs seen behind given network? What does it tell, precisely? There are ASNs which have significant chunks of intarweb (say, AS1668) behind them, while AS721 is not likely to matter in a grand scheme of things, even though all .mil installations are behind it. Note that many Cogent customers, while using Cogent for outbound, prefer not to announce any routes to Cogent for political reasons (or prepend or depref their routes). So, that metric won't be exactly helpful.
Re: How do you (not how do I) calculate 95th percentile?
(I did this fast, and, who knows; I could be off by an order or two of magnitude) Most people are using 64 bit counters. This avoids the wrapping problem (assuming you don't have 100GE and poll more than once every 5 years :-)). 2^64 is 18,446,744,073,709,551,616 bytes. 100 GE (100,000,000,000 bits/sec) is 12,500,000,000 bytes/sec. It would take 1,475,739,525 seconds, or 46.79 years for a counter wrap. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
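The wrap arithmetic above, and the 95th-percentile question in the subject line, in working form. This is an added example, not code from the thread: it shows the modular delta that makes a single 32-bit wrap harmless, how long a counter of a given width lasts on a saturated link (the 100 GE case from the post), the resulting bound on poll interval, and the nearest-rank 95th percentile most burstable billing uses. The 0.5 safety margin in safe_poll_interval is an assumed engineering fudge, not a standard.

```python
def counter_delta(prev, cur, bits):
    """Octets counted between two polls of a `bits`-wide SNMP counter.

    Modular subtraction absorbs at most one wrap; if the link can wrap the
    counter more than once per poll interval the result is silently wrong,
    which is exactly the problem 64-bit counters make irrelevant.
    """
    modulus = 1 << bits
    return (cur - prev) % modulus


def seconds_to_wrap(bits, link_bps):
    """Worst-case seconds before a `bits`-wide octet counter wraps on a link
    saturated at link_bps (counters count octets, hence the /8)."""
    return (1 << bits) / (link_bps / 8)


def safe_poll_interval(bits, link_bps, margin=0.5):
    """Longest poll interval (seconds) that keeps a single wrap detectable.
    `margin` is an assumed safety factor for poller jitter, not a rule."""
    return seconds_to_wrap(bits, link_bps) * margin


def rate_bps(prev, cur, bits, interval_s):
    """Average bit rate over one poll interval from two counter readings."""
    return counter_delta(prev, cur, bits) * 8 / interval_s


def percentile_95(samples):
    """Nearest-rank 95th percentile: sort the per-interval rates, discard the
    top 5%, return the highest remaining sample. Integer arithmetic so the
    rank is exact for any sample count."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = (95 * len(ordered) + 99) // 100   # ceil(0.95 * n), 1-based
    return ordered[rank - 1]


if __name__ == "__main__":
    years = seconds_to_wrap(64, 100e9) / 31_557_600
    print(f"64-bit counter on 100 GE wraps after {years:.2f} years")
    print(f"32-bit counter on 1 GE wraps after {seconds_to_wrap(32, 1e9):.1f} s,"
          f" so poll at most every {safe_poll_interval(32, 1e9):.0f} s")
    # One wrap between polls on a 32-bit counter is recovered correctly:
    print("delta across a wrap:", counter_delta(4_294_967_000, 200, 32))
```

The 32-bit figure is the practical reason the 64-bit HC counters matter: on a gigabit link a 32-bit octet counter can wrap inside a 5-minute MRTG interval several times over, and no modular trick can recover that.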
RE: Level3 problems
Gary, I understand your statement, but I am sure the gentleman below does not. If you want a story to be done, so that the world can see how something like this can impact thousands of businesses, the best bet would be to help educate this guy so that he has something to write. Or, were you trying to scare him off from doing a story? Personally, I am quite fed up with the issues that the huge providers have and cause, yet never have anyone document it, find out about it, or do anything about it. I laud this guy's effort for actually trying to do his job and expose something that needs to be exposed. I am now putting on my level-3 bullet proof jacket, and will be looking over my shoulder for the next 3 NANOGs. On Fri, 21 Oct 2005, Gary Hale wrote: Are you kidding? -gh -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, October 21, 2005 11:03 AM To: nanog@merit.edu Subject: Re: Level3 problems I'm a reporter with InformationWeek magazine. I'm trying to get an idea of the significance of this morning's outage. Has Level 3 communicated with you about the cause of the outage? How greatly did the outage affect you or your customers? Was this an unusually large event? Thanks, [EMAIL PROTECTED] -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: SNMP Accounting Software
Most people who need this have written custom apps to do so -- myself included. There is nothing off the shelf that I could find that fits the true need. On Tue, 11 Oct 2005, Drew Weaver wrote: We need some fairly complex SNMP accounting software (data center) style stuff that can monitor cisco equipment for bandwidth utilization and generate reports based on 95th percentile and also perhaps even their actual bandwidth usage (how many gigs of transfer they use per month, day, week.. etc) Does anyone know of anything good that does anything like this? It needs to be reliable? Can be open source, we're using MRTG to track utilization but we need something that really handles accounting for us. Thanks, -Drew -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
RE: Cogent/Level 3 depeering
Customers don't want to pay for a stochastic set of relationships, they will pay for the Internet however. Perhaps we have lied to them? The internet has always been a stochastic set of relationships -- some relationships of which are based upon two people getting drunk together at the right place, at the right time. Is anyone going to deny this? Further, the internet has always been a best-effort medium. We, as xSP's, have done our best to make the 'best' in 'best effort' as good as we can, to varying levels of success. The fact that the internet is hugely successful, and mostly reliable, is due to smart people and some level of luck. Not because someone peers with someone else. It wasn't designed this way. It's like paying for a telephone that could only call a subset of the Please, for the love of god, do not make analogies to the phone network. Call me crazy if you'd like, but I tend to think that peering on the Internet is too important... Do you think a thread which has made 100 posts on nanog, with people coming out of the woodwork who I haven't seen in years, is something that anyone thinks is not important? -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: Cogent/Level 3 depeering
Not to add fuel to the fire, but many IP contracts with my upstreams have a clause, which is very similar across vendors: VENDOR cannot guarantee the peering sessions between ourselves and other companies and/or networks. There is no guarantee of end to end connectivity between you as a CUSTOMER and other non-VENDOR controlled networks. While it actually has meaning now, I am not sure you'd get a vendor to delete that from an agreement. On Wed, 5 Oct 2005, Matthew Crocker wrote: On Oct 5, 2005, at 2:47 PM, Douglas Dever wrote: On 10/5/05, Matthew Crocker [EMAIL PROTECTED] wrote: They did, and I'm not down. I see Level 3 via Sprint and GNAPs/CENT just fine. I didn't lose any connectivity to Level 3 at all. Bits moving down different pipes, not a big deal to me technically. The So, where's the problem, exactly? Um, I only have 2 routes to Level 3 when I should have 3 routes and I'm paying for 3 routes... fact remains that Cogent is not providing the service I'm paying them for and they need to get it fixed. Really? As you already pointed out, your packets are reaching their destination. So, they don't need to get anything fixed. Ok, I *pay* Cogent for 'Direct Internet Access' which is IP Transit service. I *cannot* get to part of the internet via Cogent right now. I also *pay* Sprint and GNAPS for 'Direct Internet Access' and I can get to all parts of the internet via their networks. I *used* to be triple redundant to *all* of the Internet but now I only have *two* connections to Level 3. My packets are reaching their destination because I'm smart enough to be multi-homed, that doesn't remove the responsibility of Cogent to do what I *pay them to do*. Cogent is *not* providing complete Internet access, I really don't care whose fault it is. What utter nonsense... *shakes head and walks away* Is it really that hard to understand? As a paying Cogent customer I expect to be able to get to the Internet through them. Isn't that the business they are in?
-doug -- Matthew S. Crocker Vice President Crocker Communications, Inc. Internet Division PO BOX 710 Greenfield, MA 01302-0710 http://www.crocker.com -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: Dep(3)(3)ring
Appears to be. XO's looking glass for BGP looking is broken (did it break today?), however, traceroute shows: 1 ge5-3-0d4.RAR2.NYC-NY.us.xo.net (65.106.2.1) 0 msec 4 msec 4 msec 2 * * * L3's looking glass: Show Level 3 (San Jose, CA) BGP routes for 207.155.252.78 No matching routes found for 207.155.252.78. Fun. On Wed, 28 Sep 2005, Richard A Steenbergen wrote: Since it hasn't hit nanog yet, I guess I'll go ahead and go ahead and be the first to point it out. It seems that Level 3 (3356) and XO (2828) are no longer carrying each other's routes. :) And just when I was about to release http://www.e-gerbil.net/ras/failure.jpg :) -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
RE: Bell South or Telcove help needed in NOLA
I made the offer to DirectNIC directly (no pun), and now here publicly: if any distressed folks in New Orleans need any resources, please feel free to contact me. We will do whatever we can to accommodate any needs.

On Thu, 1 Sep 2005, Hannigan, Martin wrote: If anyone who works for or has connections with Bell South or Telcove is reading this, tell us what it's going to take to get those OC3s back up and running. We will try to coordinate and make it happen. If I were DirectNIC, I'd be making arrangements to operate from a place other than New Orleans for the time being. -M

-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: Yahoo! -- A Phisher-friendly hosting domain?
Shouldn't someone be watching these, though?

[EMAIL PROTECTED]:~# whois paypal.com
[...]
PAYPAL.COM.SV04.COM
PAYPAL.COM.LIMITSPEED.NET
PAYPAL.COM

While I agree in concept that this is not how the internet runs, and I am not proposing a domain name police force be instituted, it seems to me that things like this are easily caught. Not to mention, the purpose of them is clear.

On Wed, 31 Aug 2005, Fergie (Paul Ferguson) wrote: That's good, however, I regret that the issue had to be aired here because it didn't get the attention it deserved through proper channels and elsewhere... - ferg

-- Florian Weimer [EMAIL PROTECTED] wrote: But it caught my eye that SOMEBODY at Yahoo! ought to be reviewing domain names like bankofthewestupdate.com

Registrars should as well, but this is not the way the Internet works. Sometimes, this is a good thing, sometimes, it's not. It seems that the A RR has been pulled around 2005-08-30 21:00 UTC, so this particular issue has already been resolved.

-- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/

-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
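The thread's point is that names like paypal.com.sv04.com and bankofthewestupdate.com are mechanically easy to spot. The block below is an added example for this page, not code from any of the posts or from Yahoo! or any registrar. It assumes a hostname list is already in hand (new registrations, passive DNS, or hosting sign-ups) and that the registrable domain is simply the last two labels (no public-suffix list, so co.uk-style suffixes are not handled). The brand list, the allow-list, the small confusable-character table and the sample names are constructed for the example.

```python
"""Flag hostnames that borrow a brand name, as in the paypal.com.sv04.com and
bankofthewestupdate.com examples from the thread.

Added example, not code from any of the posts. Assumptions: the registrable
domain is the last two labels (no public-suffix list); BRANDS, ALLOWED and
CONFUSABLES are constructed for the example and would be much larger in use.
"""

BRANDS = ("paypal", "bankofthewest")
# Domains the brands legitimately use; any other match is suspect.
ALLOWED = {"paypal.com", "bankofthewest.com"}

# A few characters that render like ASCII letters (constructed and deliberately
# small; a real deployment would use the Unicode confusables table).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "1": "l",
    "0": "o",
}


def fold(label):
    """Lower-case a label and collapse look-alike characters onto ASCII."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def registrable(hostname):
    """Last two labels of the name (assumption: no public-suffix handling)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname, brands=BRANDS, allowed=ALLOWED):
    """Return the reasons a name looks like brand abuse; [] if it looks clean."""
    host = hostname.lower().rstrip(".")
    reg = registrable(host)
    if reg in allowed:
        return []
    labels = host.split(".")
    raw_sl = labels[-2] if len(labels) >= 2 else labels[0]  # registrable label
    folded = fold(raw_sl)
    reasons = []
    for brand in brands:
        # brand.tld used as a subdomain of someone else's registrable domain:
        # the paypal.com.sv04.com pattern (dots on both sides force label bounds)
        for tld in ("com", "net", "org"):
            if f".{brand}.{tld}." in f".{host}." and not host.endswith(f"{brand}.{tld}"):
                reasons.append(f"{brand}.{tld} embedded under {reg}")
        if raw_sl == brand:
            reasons.append(f"{brand} registered under unexpected suffix {reg}")
        elif folded == brand:
            reasons.append(f"{brand} spelled with look-alike characters in {raw_sl}")
        elif brand in folded:
            # brand as a substring of the registrable label: bankofthewestupdate.com
            reasons.append(f"{brand} inside registrable label {raw_sl}")
        elif edit_distance(folded, brand) <= 1:
            reasons.append(f"{raw_sl} is one edit from {brand}")
    return reasons


if __name__ == "__main__":
    # Constructed sample feed: two names from the thread, two typosquat variants.
    for name in ("paypal.com.sv04.com", "bankofthewestupdate.com",
                 "p\u0430ypal.com", "paypai.com", "www.paypal.com"):
        print(name, "->", classify(name) or "clean")
```

The substring rule is intentionally loose (it will flag "paypalace.com" too), which is the right trade-off for a review queue a human looks at, as the thread is asking for; it is the wrong trade-off for automatic takedown.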
RE: MCI billing fraud ... again
Interesting. About 1 year ago (early 2004), in a one month period, we had every single MCI outstanding billing dispute resolved -- some even that were over 4 years old. It seemed to me that the dispute resolution people actually gave a hoot all of a sudden. And, some inside information I gleaned was that they were instructed by the highest levels to do so. Also, about 2 months ago, we had a random $90k charge on an account that usually bills a few thousand a month. This was quickly resolved (as in, already). Our rep was the channel used, and he was good about it.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Hollis Sent: Thursday, July 21, 2005 6:32 PM To: 'nanog@merit.edu' Subject: MCI billing fraud ... again

We're being hit up by MCI's billing fraud again. You'd think after the multiple settlements, the $4 billion accounting fraud and Ebbers' 25 year prison sentence that MCI would have learned something, but apparently not. Anyone have a definitive method of dealing with these clowns? Any contacts for someone skilled in getting MCI to FOAD? -Dan