Re: About emails impersonating Path Network

2023-02-07 Thread Rafael Possamai
I've found this article before and implemented it for domains that we own, but 
do not use for e-mail purposes. 
https://www.gov.uk/guidance/protect-domains-that-dont-send-email

Might be worth checking it out.

Cheers,
Rafael

- Original message -
From: Konrad Zemek 
To: nanog@nanog.org
Subject: About emails impersonating Path Network
Date: Monday, February 06, 2023 12:25

Hi Nanog,

It looks like someone with an axe to grind against our company has decided to 
email every AS contact they could find on PeeringDB, impersonating us and 
sometimes spoofing our domains.

We're aware of the emails and are sorry for the inconvenience. We've since 
added SPF records to the domains we own but don't use (the perps have since 
name-squatted some new ones). We're also actively working with law enforcement 
on the matter.

Thanks
Konrad Zemek
CTO Path Network
AS396998
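As an added example (not part of this thread, and not Path Network's or gov.uk's code), the Python below checks a domain that never sends mail for the records the linked guidance recommends: an SPF record of exactly `v=spf1 -all`, a DMARC record with `p=reject` at `_dmarc.<domain>`, and a null MX (RFC 7505, written here as `0 .`). The zone data is a constructed dict standing in for DNS answers so it runs offline; the domain names and records in it are made up.

```python
import re

# Constructed sample zone data standing in for DNS answers (not real lookups).
# TXT at the apex, MX as "<preference> <exchange>", and the TXT at _dmarc.<domain>.
# "0 ." is how the null MX of RFC 7505 is written here.
SAMPLE_ZONES = {
    "parked.example": {  # what the guidance asks for on a non-sending domain
        "TXT": ["v=spf1 -all"],
        "MX": ["0 ."],
        "_dmarc.TXT": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
    },
    "forgotten.example": {  # registered, never set up for mail, MX still parked on a host
        "TXT": ["some-site-verification=abc123"],
        "MX": ["10 mail.forgotten.example."],
    },
    "softfail.example": {  # half done: soft-fail SPF, monitor-only DMARC, no MX at all
        "TXT": ["v=spf1 ~all"],
        "MX": [],
        "_dmarc.TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@softfail.example"],
    },
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(domain, zone):
    """Return the list of gaps for one domain; an empty list means it is locked down."""
    findings = []

    # SPF: exactly one record, and for a domain that never sends it must hard-fail everyone.
    spf = [t for t in zone.get("TXT", []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append(f"{domain}: no SPF record, so forged mail gets an SPF 'none' result")
    elif len(spf) > 1:
        findings.append(f"{domain}: {len(spf)} SPF records, which receivers treat as permerror")
    elif re.sub(r"\s+", " ", spf[0].strip().lower()) != "v=spf1 -all":
        findings.append(f"{domain}: SPF is '{spf[0]}' rather than 'v=spf1 -all'")

    # DMARC: published at _dmarc.<domain> with a reject policy so receivers act on failures.
    dmarc = [d for d in (parse_dmarc(t) for t in zone.get("_dmarc.TXT", [])) if d]
    if not dmarc:
        findings.append(f"{domain}: no DMARC record at _dmarc.{domain}, so receivers have no policy to apply")
    elif dmarc[0].get("p", "").lower() != "reject":
        findings.append(f"{domain}: DMARC policy is p={dmarc[0].get('p', '<missing>')}, not p=reject")

    # MX: a null MX tells senders up front that the domain accepts no mail.
    mx = [m.strip() for m in zone.get("MX", [])]
    if not mx:
        findings.append(f"{domain}: no MX record, so senders fall back to the A record; publish null MX '0 .'")
    elif mx != ["0 ."]:
        findings.append(f"{domain}: MX {mx} advertises a mail host; publish null MX '0 .' instead")

    return findings


def assess_all(zones):
    """Map each domain to its list of findings."""
    return {domain: assess(domain, zone) for domain, zone in zones.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_ZONES).items():
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

In a real run the dict would be filled from live TXT and MX lookups for each domain you own; only the first DMARC record is inspected, which is enough for a domain you control since there should be exactly one.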


Telia->ATT at 350 Cermak

2022-08-11 Thread Rafael Possamai
After some time monitoring/troubleshooting, we are seeing what looks like 
congestion between AS1299 and AS7018 at 350 Cermak during typical peak hours. 
Could someone please reach out off-list if possible? Much appreciated.

Thanks,
Rafael



Re: HE.net and BGP Communities

2022-07-25 Thread Rafael Possamai
>I wish they'd add one more that turns off their "prefer routes learned from a 
>customer" rule.   I'm having to split my blocks in half and announce them 
>that way to get them to send my traffic directly to me through our IX peering 
>session as opposed to one of my transit providers.
>I'd rather they just let shortest path selection work. 

I think this is by design so you don't end up with free inbound transit.

If one of their transit customers is trying to reach your prefixes, my guess 
is it'd make sense to offload that over IX first, although I'm not sure if that 
always happens due to path selection.




Re: Verizon no BGP route to some of AS38365 (182.61.200.0/24)

2022-07-21 Thread Rafael Possamai
>but that it would be incumbent on Verizon to do the legwork to fix it since 
>they are the ones who know their peering agreements and have these contacts. 
>Unfortunately it seems like policy that Verizon pushes any issues that aren't 
>internal routing issues to an external party, but surely they have a 
>responsibility to maintain their peering and routes to external services as 
>well.
>Any thoughts?

You're probably right they have a responsibility to maintain their peering and 
routes, but rather than move mountains to get a large network to do "the right 
thing" (either vzw or baidu), I'd think most of the time it's much easier to 
pick a different provider to work with instead.

RE: Aftermarket switches that were manufactured in any sort of quantity?

2022-06-09 Thread Rafael Possamai
This may sound bad at first but look into FS.com if you're in a pinch. They may 
not be seen as the typical true enterprise grade (I don't know?) but you can 
probably buy a new one and a new spare for the price of one overpriced used 
switch.


From: NANOG  On 
Behalf Of Drew Weaver
Sent: Thursday, June 9, 2022 11:42 AM
To: 'nanog@nanog.org' 
Subject: Aftermarket switches that were manufactured in any sort of quantity?

Hello,

We had been purchasing some used 48 port 1BaseT switches /w 6x QSFP28 ports 
for around $3000 until about 2021.

In 2021 the aftermarket pricing went from $3,000 each to $15,000 each.

Now these particular switches are selling for $20,000 each (and people are 
still buying them[?]...)

Obviously I cannot pay $20k for a used switch so I am trying to find 
alternatives that perhaps aren't as rare.

I'm trying to determine whether this pricing is just based on the model I am 
trying to buy or if it is basically every switch from every MFG.

Just trying to see if anyone else has had any luck getting any hardware at 
around a fair price lately?

I'm aware of the macro-economic environment, inflation, chip shortages, etc.. 
Just looking for another option.

Thanks,
-Drew



RE: Github/gist list of modern telemetry/networking polling tools

2022-05-12 Thread Rafael Possamai
Here is a list: https://github.com/kahun/awesome-sysadmin#monitoring

Personally, I've used smokeping for over a decade (mrtg works too, or rrd and a 
cron job), as well as librenms/prtg and as of the last couple of years a 
software "stack" such as telegraf+influxdb+grafana, although that's more 
resource intensive than the old school stuff that just works.

From: NANOG  On 
Behalf Of Drew Weaver
Sent: Thursday, May 12, 2022 7:50 AM
To: nanog@nanog.org
Subject: Github/gist list of modern telemetry/networking polling tools

Hello,

If you guys are like me I find something that works and I just stick with it.

Now that we're getting to a place where we can re-tool some of our monitoring 
and telemetry for our network I am looking for information/recommendations on 
new tools.

Specifically I am looking a list of NMS, SNMP poller/grapher, sflow/netflow 
cap/dump tools that people are enjoying.

I know a lot of times people post lists of tools over on github or a gist so I 
am just wondering if anyone has any lists for this that they like?

Thanks,
-Drew



Re: Texas internet connectivity declining due to blackouts

2021-02-17 Thread Rafael Possamai
Buried high voltage lines require expensive/complex insulation (oil, etc). It's 
really expensive to build and to maintain these at enormous scale like the 
continental USA. Not saying it's not possible, but definitely challenging. 
Repairing damage to these lines is a lot more complicated than splicing fiber 
(freeze plugs, huge holes in the ground, etc). Most HV aerial lines can be 
repaired online with helicopters, whereas the stuff in the ground needs to come 
offline for any sort of repair involving the conductors.

I think because one USA state is the size of an entire EU country (or larger) 
then your HV lines would have to span multiple states (several countries in 
Europe), it'd be an insane effort to build and maintain these for 50+ years.



- Original message -
From: Rod Beck 
To: Peter Beckman 
Cc: "nanog@nanog.org" 
Subject: Re: Texas internet connectivity declining due to blackouts
Date: Wednesday, February 17, 2021 03:17

I have lived in France and now Hungary. I have never seen power lines above 
ground, but I have heard there are some in rural France. 

I disagree with your conclusion - essential infrastructure should be buried if 
possible. The US makes too many excuses for second rate performance. Level3 
buried its infrastructure. This is a case where sacrificing short term profits 
for better long term performance is well worth it. 


Re: ISPs are hit hardest by COVID-19 disruption

2020-08-07 Thread Rafael Possamai
This reminded me of a quote I read a long time ago: "Most people use statistics 
like a drunk man uses a lamppost; more for support than illumination"

Re: BGP route hijack by AS10990

2020-08-03 Thread Rafael Possamai
To your point with regards to multiple failures combined causing an outage, 
here's some basic reading on the Swiss cheese model: 
https://en.wikipedia.org/wiki/Swiss_cheese_model 

From over here it looks like the legacy filter was a latent failure, and the 
BGP automation from the downstream peer of Telia was an active failure 
(combined caused the outage). Now from the downstream peer's point of view, 
perhaps the cause of their BGP automation failure was latent also, but we 
wouldn't know without more details.

Pretty interesting topic.

Re: CloudFlare Issues?

2020-07-19 Thread Rafael Possamai
Noticed high latency from some smokeping instances from about 16:10 until 16:35 
(central time). One of the worst variances was from ~20ms to upwards of 100ms 
RTT.

Re: Wifi Calling Firewall Holes to Punch

2020-07-19 Thread Rafael Possamai
Also do wifi calls from Android phone on VZW behind NAT, with no issues. I do 
have a "network extender" which has GPS link and ethernet (also behind NAT) and 
it does give me 5 bars around the house (up to 70mbps ish of download over 
LTE). 

Now, your NAT setup could possibly interfere? In my case at home I have 
FreeBSD with pf and NAT reflection disabled by default.


Re: MX204 Rails

2020-07-16 Thread Rafael Possamai
Doesn't the mx204 have rackmount brackets rather than rails? 

Re: Citrix Sales Reps?

2016-03-23 Thread Rafael Possamai
I wonder if the actual support service will be the same later on.

*Rafael Possamai*
Founder & CEO at E2W Solutions
*office:* (414) 269-6000
*e-mail:* raf...@e2wsolutions.com


On Wed, Mar 23, 2016 at 3:25 AM, Paul Stewart  wrote:

> You too ?  I gave up ... after calling their local offices, their toll
> free number, emails, phone calls, etc.
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Scott Fisher
> Sent: Tuesday, March 22, 2016 1:34 PM
> To: NANOG list 
> Subject: Citrix Sales Reps?
>
> I have sent 4 requests to Citrix for pricing questions on XenServer
> support options and have gotten not a single call back. (Requested via
> email, form, and calls).
>
> Can someone from Citrix please hit me up offlist or can someone direct me
> to an actual person I can hit up?
>
> --
> Scott
>
>


Re: Why the US Government has so many data centers

2016-03-23 Thread Rafael Possamai
Circuit utilization, capacity and availability shouldn't be calculated
separately in a data center environment. If you look at each separately you
risk making some expensive mistakes.


*Rafael Possamai*
Founder & CEO at E2W Solutions
*office:* (414) 269-6000
*e-mail:* raf...@e2wsolutions.com


On Tue, Mar 22, 2016 at 11:11 AM, Sean Donelan  wrote:

> On Tue, 22 Mar 2016, Jay R. Ashworth wrote:
>
>> But when some Armenian script kiddie DDoSing Netflix takes down your TSA
>> terrorist lookup service, and you come to me asking why the plane blew up,
>> I'm going to tell you "because you fucking ignored my written advice on
>> the matter", while I'm packing my desk.
>>
>
> DCOI is about physical data center optimization, not about network or
> service availability.
>
> DCOI metrics:
> - Energy metering
> - Power Usage Effectiveness (PUE)
> - Virtualization
> - Server Utilization & Automated Monitoring
> - Facility Utilization
>
> Why do you have two circuits with only 40% utilization. The auditor says
> that's waste, and you only need one circuit at 80% utilization for half
> the cost.
>
>
>


Re: ICYMI: FBI looking into LA fiber cuts, Super Bowl

2016-01-19 Thread Rafael Possamai
I fail to see how drones relate to fiber cuts and the superbowl. Did the
article author just throw that in there? The news helicopter getting aerial
footage also poses a risk, so not sure what's special about drones.

On Tue, Jan 19, 2016 at 2:42 PM, Alain Hebert  wrote:

> Well,
>
> ( In context )
>
> I can tell you that a 4 propeller's drone to the face kinda hurt.
>
> Because that was the context where that quote was ripped from.
>
> -
>
> What's more, the memo also asserted that drones used by "malicious"
> actors "may present a low-altitude hazard to aviation assets supporting
> the event, allow unauthorized video coverage of events, or pose a risk
> of injury to event-goers if an operator loses control."
>
> -
> Alain Hebert                aheb...@pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443
>
> On 01/19/16 15:37, Bacon Zombie wrote:
> > Am I the only one who thinks the below line is BS?
> >
> >  "...pose a risk of injury to event-goers if an operator loses control."
> >
> > If there were no safeguards in place for "normal" network issues then
> > we would have heard of injuries before.
> >
> > On 19 January 2016 at 21:30, Grant Ridder 
> wrote:
> >> Broke ground in April 2012
> >>
> http://www.mercurynews.com/southbayfootball/ci_20434376/49ers-break-ground-this-evening-stadium-at-center
> >>
> >> -Grant
> >>
> >> On Tue, Jan 19, 2016 at 12:12 PM, Jay R. Ashworth 
> wrote:
> >>
> >>> - Original Message -
>  From: "Owen DeLong" 
>  Correct me if I’m wrong, but these FO vandalisms have been going on in
> >>> the bay
>  area since before the stadium
>  was even funded.
> 
>  This leads me to believe that this is just another example of an LE
> >>> landgrab.
> >>>
> >>> How old's the stadium?  The article does mention late '14.
> >>>
> >>> Cheers,
> >>> -- jra
> >>> --
> >>> Jay R. Ashworth                  Baylink                       j...@baylink.com
> >>> Designer                     The Things I Think                       RFC 2100
> >>> Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
> >>> St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
> >>>
> >
> >
>
>


Re: verizon fios bounced a legit private email of mine telling me it was spam and they would not allow it

2016-01-14 Thread Rafael Possamai
What a disgrace.

On Wed, Jan 13, 2016 at 3:55 PM, Dan Hollis  wrote:

> This is what's going on at verizon.
>
> http://www.spamhaus.org/news/article/726/
>
> -Dan
>
>


Re: Best Source for ARIN Region /24

2016-01-11 Thread Rafael Possamai
Makes sense. In that case, I think only way out is to go through a broker
to find a suitable party for a transfer. I would read the rules and
regulations regarding transfer of ARIN blocks, they have some details and
the process requires some paperwork.


On Mon, Jan 11, 2016 at 8:35 PM, Matthew D. Hardeman 
wrote:

> I’m aware of the /24 block for facilitation concept, but my client’s use
> case can qualify as an end-user rather than as an ISP, thus their annual
> operating cost is smaller than even the X-SMALL ISP category, which they’d
> land in — if they opted for the smaller /36 initial IPv6 direct allocation,
> rather than the default /32 direct allocation.
>
> That seems to balance toward buying an existing /24.
>
>
> On Jan 11, 2016, at 8:00 PM, Rafael Possamai 
> wrote:
>
> If you apply for an IPv6 block, as an ISP, and you have the intention of
> truly utilizing it, then you can apply for a /24 to facilitate that
> transition.
>
> It will cost you about $1500 or so, which is about half of what a /24 is
> going for in the transfer market.
>
> Thing is, if you take the IPv6 block just to use the /24 they give you,
> then one could argue you are cheating the system.
>
>
>
> On Mon, Jan 11, 2016 at 1:19 PM, Matthew D. Hardeman <
> mharde...@ipifony.com> wrote:
>
>> I’m looking to buy a /24 of space for a new multi-homed network in the
>> ARIN region.  Can anyone out there speak to going rates for a /24 and best
>> places to shop?
>>
>>
>
>


Re: Best Source for ARIN Region /24

2016-01-11 Thread Rafael Possamai
If you apply for an IPv6 block, as an ISP, and you have the intention of
truly utilizing it, then you can apply for a /24 to facilitate that
transition.

It will cost you about $1500 or so, which is about half of what a /24 is
going for in the transfer market.

Thing is, if you take the IPv6 block just to use the /24 they give you,
then one could argue you are cheating the system.



On Mon, Jan 11, 2016 at 1:19 PM, Matthew D. Hardeman 
wrote:

> I’m looking to buy a /24 of space for a new multi-homed network in the
> ARIN region.  Can anyone out there speak to going rates for a /24 and best
> places to shop?
>
>


Re: Internap route optimization

2015-11-06 Thread Rafael Possamai
A few years ago I had a couple boxes in a datacenter in Chicago that had
its traffic optimized by Internap. Latency wise, it was always the lowest
to my other applications, compared to other locations I had on-line. I am
not sure what other benefits it brought aside from lower latency. One thing
to remember is that they had several uplinks, so if you only have a couple
I can't imagine the impact to be great.

Just my 2cents.

On Thu, Nov 5, 2015 at 2:03 AM, Paras  wrote:

> Does anyone know or have any experience with Internap's route
> optimization? Is it any good?
>
> I've heard of competing solutions as well, such as the one provided by
> Noction.
>
> Thanks for your input,
> Paras
>
>


Re: Cogent BGP Woes

2015-10-16 Thread Rafael Possamai
Similar to low-cost airlines, where you have to pay for a drink and a 4oz
bag of peanuts.

On Fri, Oct 16, 2015 at 3:36 AM, Mike Hammett  wrote:

> Nickles and dimes...
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>
> - Original Message -
>
> From: "Carlos Alcantar" 
> To: "Justin Wilson - MTIN" , "NANOG" 
> Sent: Friday, October 16, 2015 12:12:05 AM
> Subject: Re: Cogent BGP Woes
>
> Sales now handled it because they bill now for having a bgp session.
>
>
>
> Carlos Alcantar
> Race Communications / Race Team Member
> 1325 Howard Ave. #604, Burlingame, CA. 94010
> Phone: +1 415 376 3314 / car...@race.com / http://www.race.com
>
>
> 
> From: NANOG  on behalf of Justin Wilson - MTIN <
> li...@mtin.net>
> Sent: Thursday, October 15, 2015 8:47 PM
> To: NANOG
> Subject: Re: Cogent BGP Woes
>
> I am trying to turn up BGP on a circuit that has never had it. In the past,
> you went to the support portal, filled out the questionnaire and in a day
> or so you would have your BGP info. When I did that this time I received a
> prompt response back from support saying this is now handled by sales and
> gave me the sales person to contact.
>
> Contacted sales person almost 3 weeks ago. Had to wait until the direct
> draft credited before they could put any new orders in. On a side note,
> Cogent is the only provider I know of that does not credit electronic
> payments within 24-48 hours. All of ours take 5 business days. Once that's
> done, e-mail the sales person back. No response for a few days. Call a
> manager and get them involved. 2 more weeks we still don’t have BGP on this
> circuit. A minimum of 1 e-mail a day asking for status updates. Last
> response was “Everything was entered in the system”.
>
> I guess I don’t understand why a sales order has to be entered for BGP.
> This adds an extra step, which in this case has been a major fail.
>
>
> Justin Wilson
> j...@mtin.net 
>
> ---
> http://www.mtin.net  Owner/CEO
> xISP Solutions- Consulting – Data Centers - Bandwidth
>
> http://www.midwest-ix.com  COO/Chairman
> Internet Exchange - Peering - Distributed Fabric
>
> On Oct 15, 2015, at 2:47 PM, james machado <hvgeekwt...@gmail.com> wrote:
>
> Justin,
>
> What are you trying to do? I had a similar situation as my rep got
> the wrong product for BGP. I actually cleaned it up by talking to
> support and I had to fill out a second BGP questionnaire but it was
> resolved and turned up in a couple of days.
>
> James
>
> On Thu, Oct 15, 2015 at 11:38 AM, Justin Wilson - MTIN wrote:
> Have the rest of you been having as hard a time as I am having in turning up
> BGP sessions with Cogent? They have made it a sales order nowadays instead
> of support. I filled out the questionnaire on the support site over 3 weeks
> ago and was directed to sales. I am going on 3 weeks waiting on a session
> to be turned up.
>
> Just wondering if I am alone.
>
>
> Justin Wilson
> j...@mtin.net 
>
> ---
> http://www.mtin.net  Owner/CEO
> xISP Solutions- Consulting – Data Centers - Bandwidth
>
> http://www.midwest-ix.com  COO/Chairman
> Internet Exchange - Peering - Distributed Fabric
>
>
>
>
>


Re: ARIN Region IPv4 Free Pool Reaches Zero

2015-09-24 Thread Rafael Possamai
T-Mobile implemented 464XLAT successfully, but I have no idea how long they
will still depend on IPv4 because of that setup.

On Thu, Sep 24, 2015 at 2:41 PM, Steve Mikulasik 
wrote:

> Let's just hope carriers don't try to fix IPv4 instead of going to IPv6.
> I'd like my children to grow up in a world without CGNAT.
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Stephen Satchell
> Sent: Thursday, September 24, 2015 1:38 PM
> To: nanog@nanog.org
> Subject: Re: ARIN Region IPv4 Free Pool Reaches Zero
>
> On 09/24/2015 09:49 AM, Dovid Bender wrote:
> > The issue now is convincing clients that they need it. The other issue
> > is many software vendors still don't support it.
>
> And this may trigger a refresh on routers, as people with old or refurbed
> equipment find they need to change.  The whole reason for the inertia
> against going to IPv6 is "it ain't broke, so I not gonna 'fix' it."
>
> Now it's broke.
>
>


Re: Level(3) ex-twtelecom midwest packet loss (4323)

2015-08-26 Thread Rafael Possamai
I have been seeing the same issues, but haven't heard anything back yet. It
has improved in the last 30 minutes or so, see below.


http://imgur.com/KVAzetA



On Wed, Aug 26, 2015 at 4:34 PM, Ryan K. Brooks  wrote:

> Seeing packet loss on AS4323 since 2:30 Central time.   NOC is
> unresponsive to phone and email.  Anyone have an idea what's going on over
> there?
>


Re: Data Center operations mail list?

2015-08-21 Thread Rafael Possamai
My 2 cents: I use it for other services and haven't had any issues over the
past few months, but one problem I was having with SES + Mailman is that
even though my account was out of their sandbox, I still had some smtp
errors due to "email not verified" which is annoying. So I had to tell
mailman to wrap every message, hence the "via NADCOG" you have probably seen 
before. Now that option is back to default by using Chris' server.

Their support sent me a canned message so I decided not to waste too much
time there. As long as 99% of members get their emails I don't think it
really matters whose server they are going through.

Honestly, most things out there are designed to fit the 95th percentile
scale, so if you are on either extreme, one is better off figuring out how
to adapt than to require the whole system to change, that is, if your email
server is blocking more messages than it should, fix your email server,
don't try to fix the whole world wide web.







On Fri, Aug 21, 2015 at 8:49 PM, Mike Hammett  wrote:

> I'm on a mailing list hosted at Amazon, uses their API, etc. Other than
> the bumps in the migration to Amazon, I haven't seen any real issues.
> Hundreds of people on the list posting hundreds (total, not each) of
> messages per day. No complaints. *shrugs*
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> - Original Message -
>
> From: "Rich Kulawiec" 
> To: "Rafael Possamai" 
> Cc: nanog@nanog.org
> Sent: Friday, August 21, 2015 8:46:00 PM
> Subject: Re: Data Center operations mail list?
>
> On Fri, Aug 21, 2015 at 08:18:59PM -0500, Rafael Possamai wrote:
> > Quick update: I moved away from Amazon SES to a private smtp server
> > provided by Chris, who is also helping moderate the list.
>
> That's a good idea. I noticed.
>
> > I left Amazon SES configured as a backup since the bounce rate after
> > thousands of emails peaked at only 0.08%
>
> The bounce rate is not an effective metric, for a number of reasons, not
> the least of which is that some unknown and unknowable number of sites
> are configured to quarantine email. (This is a horrible idea that I've
> railed against many times, but that notwithstanding, ignorant people do it
> every day.) Any site which quarantines mail will not generate a bounce
> (or a reject) but will silently consign incoming traffic to a location
> which may, or may not, be eventually seen by a human being.
>
> The bounce rate yields precisely zero insight into the extent of this
> problem. Nor does it yield any insight into other similar (related)
> problems which are not manifested via the SMTP transaction.
>
> The best course here is to completely avoid any contact with the
> horribly-mismanaged Amazon cloud operation until such time as those
> running it demonstrate a bare minimum of professionalism -- which,
> to date, they have unfortunately not. In this particular case, it
> would be preferable to defer/queue any outbound mail traffic instead of
> attempting to deliver via Amazon: there is unlikely to be anything
> traversing that mailing list which would suffer by being delayed
> by an hour or a day.
>
> ---rsk
>
>
>


Re: Data Center operations mail list?

2015-08-21 Thread Rafael Possamai
Quick update: I moved away from Amazon SES to a private smtp server
provided by Chris, who is also helping moderate the list.

I left Amazon SES configured as a backup since the bounce rate after
thousands of emails peaked at only 0.08%

Thanks!


Rafael



On Thu, Aug 20, 2015 at 10:43 AM, Rich Kulawiec  wrote:

>
> It appears that this list is sending its outbound traffic via Amazon's
> cloud operation.
>
> This is a profoundly horrible idea, not through any fault of yours, but
> because Amazon's cloud operation is a massive, non-stop fountain of spam
> and Amazon personnel flatly refuse to lift a finger to do anything about
> it.
> As a result of this incompetence/negligence, some folks out there have
> taken defensive measures which may include firewalling, blocking,
> discarding,
> rejecting, etc.  Thus this is not someplace that you want to try to send
> mail from if you really care about having it delivered.
>
> I recommend moving it elsewhere.  And I'm perfectly willing to assist with
> that (either selecting another location or facilitating the move or both).
>
> ---rsk
>


Re: Data Center operations mail list?

2015-08-20 Thread Rafael Possamai
Hi Rich,

Thank you for letting me know, I expected Amazon to actually take care of
spammers and not let it be a free for all. I can definitely switch it
elsewhere, so please let me know what you have in mind.

I can let the mailman server do deliveries as well, so that's a second
option.


Best regards,
Rafael



On Thu, Aug 20, 2015 at 10:43 AM, Rich Kulawiec  wrote:

>
> It appears that this list is sending its outbound traffic via Amazon's
> cloud operation.
>
> This is a profoundly horrible idea, not through any fault of yours, but
> because Amazon's cloud operation is a massive, non-stop fountain of spam
> and Amazon personnel flatly refuse to lift a finger to do anything about
> it.
> As a result of this incompetence/negligence, some folks out there have
> taken defensive measures which may include firewalling, blocking,
> discarding,
> rejecting, etc.  Thus this is not someplace that you want to try to send
> mail from if you really care about having it delivered.
>
> I recommend moving it elsewhere.  And I'm perfectly willing to assist with
> that (either selecting another location or facilitating the move or both).
>
> ---rsk
>


Re: Data Center operations mail list?

2015-08-18 Thread Rafael Possamai
I actually suggested this to Chris while discussing what to have in the
website, I definitely think it would be nice to have a platform to help
plan and schedule local events for social and networking purposes.

I am working with a few people on designing a website, so I am guessing
some time in September we will have this in place.


On Sun, Aug 16, 2015 at 2:33 PM, Idafe Houghton 
wrote:

> While I am a recent incorporation, have you ever thought about organizing a
> few meetups? I am not from America, but there has been a boom recently, on
> a few cities around the world striving to make a global linked community
> network of techlabs.
>
> Probably, it isn't suited for this community mailing-list, that is pretty
> specialized, but just saying. I have been lately interested in these forms
> of communication, knowledge and experience sharing.
>
> My tips.
>
>
> On dom, ago 16, 2015 at 9:22 , Chris Boyd  wrote:
>
>>
>>  On Aug 15, 2015, at 12:13 PM, Martin Hannigan 
>>> wrote:
>>>
>>>  There is reasonable demand for a forum.  It might need a little
>>> marketing
>>>  to get a list with traction going.
>>>
>>
>> There seems to be some traction, with 268 members on the NADCOG list so
>> far.
>>
>> —Chris
>>
>>


Re: Drops in Core

2015-08-15 Thread Rafael Possamai
That was just an example, that list has to be completed on a specific
network or scenario, it changes dramatically. Imagine you were to create a
list for a DoD network instead of public peering based network, it would
change dramatically.



On Sat, Aug 15, 2015 at 12:28 PM, Glen Kent  wrote:

> Why do you say that Layer 1 issues in the last mile would be very high?
> How is it any different from the first mile?
>
> On Sat, Aug 15, 2015 at 10:56 PM, Rafael Possamai 
> wrote:
>
>> Hi Glen,
>>
>> If you first list the causes of a dropped packet, then you can figure out
>> how likely they are at different points in time (first\last\peer\etc) by
>> making some assumptions.
>>
>> Here's an **example**:
>>
>> *Cause | Location | Likelihood*
>> Congestion | Last mile | Low
>> Congestion | First mile | Low
>> Congestion | Peering | Medium
>> Layer 1 | First mile | Low
>> Layer 1 | Core | Low
>> Layer 1 | Last mile | High
>>
>> You can even go as far as drawing a cause and effect diagram for each
>> location. Then you can collect real world data and fine tune your
>> assumptions.
>>
>>
>> Rafael
>>
>>
>> On Sat, Aug 15, 2015 at 11:47 AM, Glen Kent  wrote:
>>
>>> Hi,
>>>
>>> Is it fair to say that most traffic drops happen in the access layers, or
>>> the first and the last miles, and the % of packet drops in the core are
>>> minimal? So, if the packet has made it past the first mile and has
>>> "entered" the core then chances are high that the packet will safely get
>>> across till the exit in the core. Sure once it gets off the core, then
>>> all
>>> bets are off on whether it will get dropped or not. However, the key
>>> point
>>> is that the core usually does not drop too many packets - the probability
>>> of drops are highest in the access side.
>>>
>>> Is this correct?
>>>
>>> Glen
>>>
>>
>>
>


Re: Drops in Core

2015-08-15 Thread Rafael Possamai
Hi Glen,

If you first list the causes of a dropped packet, then you can figure out
how likely they are at different points in time (first\last\peer\etc) by
making some assumptions.

Here's an **example**:

*Cause | Location | Likelihood*
Congestion | Last mile | Low
Congestion | First mile | Low
Congestion | Peering | Medium
Layer 1 | First mile | Low
Layer 1 | Core | Low
Layer 1 | Last mile | High

You can even go as far as drawing a cause and effect diagram for each
location. Then you can collect real world data and fine tune your
assumptions.


Rafael


On Sat, Aug 15, 2015 at 11:47 AM, Glen Kent  wrote:

> Hi,
>
> Is it fair to say that most traffic drops happen in the access layers, or
> the first and the last miles, and the % of packet drops in the core are
> minimal? So, if the packet has made it past the first mile and has
> "entered" the core then chances are high that the packet will safely get
> across till the exit in the core. Sure once it gets off the core, then all
> bets are off on whether it will get dropped or not. However, the key point
> is that the core usually does not drop too many packets - the probability
> of drops are highest in the access side.
>
> Is this correct?
>
> Glen
>


Re: Data Center operations mail list?

2015-08-14 Thread Rafael Possamai
Thanks! That works for Apache2.2. For those interested that are using
Apache2.4, make this change:

-Order deny,allow
-Deny from all
+Require all denied
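Review bot: the hunk converts `Deny from all` but leaves `Allow from env=localreferer` untouched, and that line is mod_access_compat syntax too, so on a 2.4 build without that module the block is either rejected at config test or never grants anything. Replace it with `Require env localreferer` (mod_authz_core's env provider); once that is in place `Require all denied` is redundant, since a request that matches no Require directive is denied anyway.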

The rest should be the same. Here is some more info:
http://httpd.apache.org/docs/2.4/upgrading.html


Best,
Rafael




On Fri, Aug 14, 2015 at 2:16 PM, Jim Popovitch  wrote:

> That's a very old (in Internet Years) Mailman problem that was solved
> with session cookies in v2.1.16 (16-Oct-2013).  If you're still
> paranoid, and don't want to piss your users off with privacy leaking
> captcha, then just set up some referer checking in your apache or
> nginx configs:
>
> Apache:
>
>   # Prevent subscription request spam
>  SetEnvIf Referer lists\.example\.com localreferer
>  
> Order deny,allow
> Deny from all
> Allow from env=localreferer
>  
> -Jim P.
>


Re: Data Center operations mail list?

2015-08-12 Thread Rafael Possamai
Robert, the first few people who expressed interest were subscribed
manually. Everyone else has been using the list website to subscribe! There
should have been a message sent out with the subscription email explaining
it :)



On Wed, Aug 12, 2015 at 10:28 AM, Robert Webb  wrote:

> Interesting... I just went to the web site to subscribe and I received an
> email that I was already subscribed.
>
> I don't remember doing that... So how did this happen??
>
> Robert
>
>
> On Wed, 12 Aug 2015 07:33:05 -0500
>  Rafael Possamai  wrote:
>
>> I was actually surprised with how many people subscribed already. I think
>> we are close to 100 already in less than 24 hours.
>>
>> I could use some help drafting some basic mailing list rules (no spam, no
>> soliciting, etc) and if anyone has any suggestions, please let me know.
>>
>>
>> On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka  wrote:
>>
>>
>>> On 11/Aug/15 17:46, Alex Brooks wrote:
>>> > With the lack of interest compared to NANOG (especially seeing how the
>>> > old list simply dried up) it might be best making the list global
>>> > rather than North America only to get the traffic levels up a bit.
>>>
>>> Tend to agree that a list with global scope might be more useful.
>>>
>>> Mark.
>>>
>>>
>
>


Re: Data Center operations mail list?

2015-08-12 Thread Rafael Possamai
I was actually surprised with how many people subscribed already. I think
we are close to 100 already in less than 24 hours.

I could use some help drafting some basic mailing list rules (no spam, no
soliciting, etc) and if anyone has any suggestions, please let me know.


On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka  wrote:

>
>
> On 11/Aug/15 17:46, Alex Brooks wrote:
> > With the lack of interest compared to NANOG (especially seeing how the
> > old list simply dried up) it might be best making the list global
> > rather than North America only to get the traffic levels up a bit.
>
> Tend to agree that a list with global scope might be more useful.
>
> Mark.
>


Re: Data Center operations mail list?

2015-08-11 Thread Rafael Possamai
Haha, are you saying some people out there put nanog on their resume? I
thought 2008 was long gone.

On Tue, Aug 11, 2015 at 10:12 PM, Randy Bush  wrote:

> > Rather than fragmenting further, I'd suggest building up demand first
> > on existing infrastructure. If it gets to the size of NANOG and
> > needing a support organisation around it, then it can split off
> > then...
>
> no!  we need committees, and different colored badges, and web sites,
> and deadlines, and lots of stuff the insecure can put on their resumes.
>
> randy
>


Re: Data Center operations mail list?

2015-08-11 Thread Rafael Possamai
The list just went live at "lists.nadcog.org". I am open to any
suggestions, just let me know. When you say move forward with the concept,
do you mean get the organization started as well, not just the mailing list?


Thanks,
Rafael


On Tue, Aug 11, 2015 at 7:10 PM, Mike  wrote:

> On 8/11/2015 3:27 PM, Simon Lockhart wrote:
> > On Tue Aug 11, 2015 at 01:35:28pm -0400, Jay Ashworth wrote:
> >> Absolutely feel free to use it; I haven't seen a single message on it
> in...
> >> well, it was 3 years ago I was in datacenters regularly, so I'm goin
> with
> >> "3 years".  :-)
> >
> > There's a message there now... :)
> >
> > Rather than fragmenting further, I'd suggest building up demand first on
> > existing infrastructure. If it gets to the size of NANOG and needing a
> > support organisation around it, then it can split off then...
> >
> > Simon
> >
>
>
> At some point (hopefully sooner than later) the OP should just move
> forward in some manner with the concept.
>
> If I've learned anything about mailing lists in the past 35+ years,
> things will be discussed and discussed and discussed and...
>
>
> Parkinson's Law of Triviality comes to mind...
>
> http://www.greatleadershipbydan.com/2012/12/parkinsons-law-of-triviality.html
>


Re: Data Center operations mail list?

2015-08-11 Thread Rafael Possamai
What is the mailman URL?

On Tue, Aug 11, 2015 at 10:15 AM, Marcin Cieslak  wrote:

> On Tue, 11 Aug 2015, James Downs wrote:
>
> >
> > > On Aug 11, 2015, at 06:01, Rafael Possamai  wrote:
> >
> > > style as nanog and registered the nadcog.org domain.
> >
> > Nad Cog?
>
>
> datacenterops.org is still available *hint*hint*
>
> ~Marcin
>
>


Re: Data Center operations mail list?

2015-08-11 Thread Rafael Possamai
Exactly. I figured if it can be organized with the help of the community
and provide other benefits aside from a mailing list, I wouldn't have a
problem with helping.

On Tue, Aug 11, 2015 at 10:07 AM, mikea  wrote:

> On Tue, Aug 11, 2015 at 07:59:41AM -0700, James Downs wrote:
> >
> > > On Aug 11, 2015, at 06:01, Rafael Possamai  wrote:
> >
> > > style as nanog and registered the nadcog.org domain.
> >
> > Nad Cog?
>
> North American Data Center Operations Group, perhaps?
>
> --
> Mike Andrews, W5EGO
> mi...@mikea.ath.cx
> Tired old sysadmin
>


Re: Data Center operations mail list?

2015-08-11 Thread Rafael Possamai
I am setting one up and invited Chris to moderate it with me. I've always
looked for a list that covers that topic as well. I followed the same name
style as nanog and registered the nadcog.org domain.

On Mon, Aug 10, 2015 at 8:11 PM, Ryan Finnesey  wrote:

> Did you come across one?
>
> Sent from my Windows Phone
> 
> From: Chris Boyd
> Sent: 8/6/2015 1:04 PM
> To: NANOG
> Subject: Data Center operations mail list?
>
> Is there a mail list that’s analogous to NANOG, but focused on the data
> center infrastructure and operations?  The shorty.com hosted list is
> defunct.
>
> Thanks, and apologies for the tangential topic.
>
> —Chris
>
>


Re: Leak or legit ? 11/8

2015-08-01 Thread Rafael Possamai
This is interesting: the DoD has a half-trillion-dollar budget, so I'm not sure
what the motivation was to get rid of a /8.

On Sat, Aug 1, 2015 at 3:24 AM, Jérôme Nicolle  wrote:

> Hello,
>
> Just saw something surprising : 11/8 just came live from AS23352
> (ServerCentral)
> http://lg.ring.nlnog.net/prefix_detail/lg01/ipv4?q=11.0.0.0 .
>
> ARIN's registry didn't change :
>
> Net Range   11.0.0.0 - 11.255.255.255
> CIDR11.0.0.0/8
> NameDODIIS
> Handle  NET-11-0-0-0-1
> Parent
> Net TypeDirect Allocation
> Origin AS
> OrganizationDoD Network Information Center (DNIC)
> Registration Date   1984-01-19
> Last Updated2007-08-22
>
> But on ALTDB it's declared as legit :
>
> http://www.altdb.net/whois.cgi?query=11.0.0.0%2F8
>
> So it's unlikely a mistake. What do you think happened here ?
>
> Best regards,
>
> --
> Jérôme Nicolle
>


Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

2015-07-21 Thread Rafael Possamai
Pavel, what kind of resources does the analysis of a 100G circuit require?
Or is it just counting packets?

On Tue, Jul 21, 2015 at 8:11 AM, Pavel Odintsov 
wrote:

> You could do SQC with FastNetMon. We have per subnet / per host and
> per protocol counters. We are working on multi 100GE mode very well :)
>
> On Tue, Jul 21, 2015 at 4:07 PM, Rafael Possamai 
> wrote:
> > Has anyone tried to implement real-time SQC in their network? You can
> > calculate summary statistics and use math to determine if traffic is
> > "normal" or if there's a chance it's garbage. You won't be able to notice
> > one-off attacks, but anything that repeats enough times should pop up.
> > Facebook uses similar technology to figure out what kind of useless news
> to
> > display on your feed.
> >
> > In summary, instead of blocking an entire country, we should be able to
> > analyze traffic as it comes, and determine a DDoS attack without human
> > intervention.
> >
> > On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch 
> wrote:
> >
> >> On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
> >> >
> >> > DNS is still largely UDP.
> >>
> >> Water is also still wet :) - but you may not be doing 10% of
> your
> >> links as UDP/53.
> >>
> >> DNS can also use TCP as well, including sending more than one
> >> query in a pipelined fashion.
> >>
> >> The challenge that Cameron is trying to document here
> >> is when seeing large volumes of UDP it becomes necessary to do
> >> something to keep the network up.  This response is frustrating for
> those
> >> of us who prefer to have an unfiltered e2e network but maintaining
> >> the network as up in the face of these adverse conditions is important.
> >>
> >> - Jared
> >>
> >> >
> >> > --Curtis
> >> >
> >> > On 7/20/2015 5:40 PM, Ca By wrote:
> >> > >Folks, it may be time to  take the next step and admit that UDP is
> too
> >> > >broken to support
> >> > >
> >> > >https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
> >> > >
> >> > >Your comments have been requested
> >> > >
> >> > >
> >> > >
> >> > >On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver  >
> >> wrote:
> >> > >
> >> > >>Has anyone else seen a massive amount of illegitimate UDP 1720
> traffic
> >> > >>coming from China being sent towards IP addresses which provide VoIP
> >> > >>services?
> >> > >>
> >> > >>I'm talking in the 20-30Gbps range?
> >> > >>
> >> > >>The first incident was yesterday at around 13:00 EST, the second
> >> incident
> >> > >>was today at 09:00 EST.
> >> > >>
> >> > >>I'm assuming this is just another DDoS like all others, but I would
> be
> >> > >>interested to hear if I am not the only one seeing this.
> >> > >>
> >> > >>On list or off-list is fine.
> >> > >>
> >> > >>Thanks,
> >> > >>-Drew
> >> > >>
> >> > >>
> >> >
> >> > --
> >> > Best Regards
> >> > Curtis Maurand
> >> > Principal
> >> > Xyonet Web Hosting
> >> > mailto:cmaur...@xyonet.com
> >> > http://www.xyonet.com
> >>
> >> --
> >> Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
> >> clue++;  | http://puck.nether.net/~jared/  My statements are only
> >> mine.
> >>
>
>
>
> --
> Sincerely yours, Pavel Odintsov
>


Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

2015-07-21 Thread Rafael Possamai
Yeah, it hurts to see advanced analytics being used to sort the kitten
videos you're most likely to watch, but somehow they make money off of it.
On the other hand, their datacenter and new switching technologies are
really interesting, so that's an opposite example where their corporate
investments can benefit society in general.


On Tue, Jul 21, 2015 at 8:22 AM, Mike Hammett  wrote:

> "Facebook uses similar technology to figure out what kind of useless news
> to display on your feed."
>
> In this case, it'll be of no use whatsoever. ;-)
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> - Original Message -
>
> From: "Rafael Possamai" 
> To: "Jared Mauch" 
> Cc: nanog@nanog.org
> Sent: Tuesday, July 21, 2015 8:07:34 AM
> Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in
> last 24 hours
>
> Has anyone tried to implement real-time SQC in their network? You can
> calculate summary statistics and use math to determine if traffic is
> "normal" or if there's a chance it's garbage. You won't be able to notice
> one-off attacks, but anything that repeats enough times should pop up.
> Facebook uses similar technology to figure out what kind of useless news to
> display on your feed.
>
> In summary, instead of blocking an entire country, we should be able to
> analyze traffic as it comes, and determine a DDoS attack without human
> intervention.
>
> On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch 
> wrote:
>
> > On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
> > >
> > > DNS is still largely UDP.
> >
> > Water is also still wet :) - but you may not be doing 10% of your
> > links as UDP/53.
> >
> > DNS can also use TCP as well, including sending more than one
> > query in a pipelined fashion.
> >
> > The challenge that Cameron is trying to document here
> > is when seeing large volumes of UDP it becomes necessary to do
> > something to keep the network up. This response is frustrating for those
> > of us who prefer to have an unfiltered e2e network but maintaining
> > the network as up in the face of these adverse conditions is important.
> >
> > - Jared
> >
> > >
> > > --Curtis
> > >
> > > On 7/20/2015 5:40 PM, Ca By wrote:
> > > >Folks, it may be time to take the next step and admit that UDP is too
> > > >broken to support
> > > >
> > > >https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
> > > >
> > > >Your comments have been requested
> > > >
> > > >
> > > >
> > > >On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver 
> > wrote:
> > > >
> > > >>Has anyone else seen a massive amount of illegitimate UDP 1720
> traffic
> > > >>coming from China being sent towards IP addresses which provide VoIP
> > > >>services?
> > > >>
> > > >>I'm talking in the 20-30Gbps range?
> > > >>
> > > >>The first incident was yesterday at around 13:00 EST, the second
> > incident
> > > >>was today at 09:00 EST.
> > > >>
> > > >>I'm assuming this is just another DDoS like all others, but I would
> be
> > > >>interested to hear if I am not the only one seeing this.
> > > >>
> > > >>On list or off-list is fine.
> > > >>
> > > >>Thanks,
> > > >>-Drew
> > > >>
> > > >>
> > >
> > > --
> > > Best Regards
> > > Curtis Maurand
> > > Principal
> > > Xyonet Web Hosting
> > > mailto:cmaur...@xyonet.com
> > > http://www.xyonet.com
> >
> > --
> > Jared Mauch | pgp key available via finger from ja...@puck.nether.net
> > clue++; | http://puck.nether.net/~jared/ My statements are only
> > mine.
> >
>
>


Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

2015-07-21 Thread Rafael Possamai
Has anyone tried to implement real-time SQC in their network? You can
calculate summary statistics and use math to determine if traffic is
"normal" or if there's a chance it's garbage. You won't be able to notice
one-off attacks, but anything that repeats enough times should pop up.
Facebook uses similar technology to figure out what kind of useless news to
display on your feed.

In summary, instead of blocking an entire country, we should be able to
analyze traffic as it comes, and determine a DDoS attack without human
intervention.

On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch  wrote:

> On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
> >
> > DNS is still largely UDP.
>
> Water is also still wet :) - but you may not be doing 10% of your
> links as UDP/53.
>
> DNS can also use TCP as well, including sending more than one
> query in a pipelined fashion.
>
> The challenge that Cameron is trying to document here
> is when seeing large volumes of UDP it becomes necessary to do
> something to keep the network up.  This response is frustrating for those
> of us who prefer to have an unfiltered e2e network but maintaining
> the network as up in the face of these adverse conditions is important.
>
> - Jared
>
> >
> > --Curtis
> >
> > On 7/20/2015 5:40 PM, Ca By wrote:
> > >Folks, it may be time to  take the next step and admit that UDP is too
> > >broken to support
> > >
> > >https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
> > >
> > >Your comments have been requested
> > >
> > >
> > >
> > >On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver 
> wrote:
> > >
> > >>Has anyone else seen a massive amount of illegitimate UDP 1720 traffic
> > >>coming from China being sent towards IP addresses which provide VoIP
> > >>services?
> > >>
> > >>I'm talking in the 20-30Gbps range?
> > >>
> > >>The first incident was yesterday at around 13:00 EST, the second
> incident
> > >>was today at 09:00 EST.
> > >>
> > >>I'm assuming this is just another DDoS like all others, but I would be
> > >>interested to hear if I am not the only one seeing this.
> > >>
> > >>On list or off-list is fine.
> > >>
> > >>Thanks,
> > >>-Drew
> > >>
> > >>
> >
> > --
> > Best Regards
> > Curtis Maurand
> > Principal
> > Xyonet Web Hosting
> > mailto:cmaur...@xyonet.com
> > http://www.xyonet.com
>
> --
> Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
> clue++;  | http://puck.nether.net/~jared/  My statements are only
> mine.
>
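The real-time SQC idea from the post above, as an added example that is not code from the thread or from FastNetMon: a Shewhart control chart per traffic key with a run-length rule, so a one-off spike is ignored while a flood that repeats interval after interval is flagged. The traffic key (UDP/1720 toward one VoIP address), the 10-second interval, the thresholds and all counts are constructed assumptions.

```python
"""Real-time statistical traffic anomaly detection (Shewhart control chart).

Added example, not code from the NANOG thread or from FastNetMon.  It keeps a
running baseline of "normal" per-interval packet counts for one traffic key
and flags an interval when it lies more than K sigma above the baseline for
at least MIN_RUN consecutive intervals.  All counts are constructed data.
"""
import math
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Welford online mean/variance.  Only in-control samples are fed to it,
    so a sustained flood cannot drag the baseline up after itself."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


@dataclass
class Detector:
    """Shewhart chart for one traffic key, with a run-length rule."""
    k_sigma: float = 3.0        # width of the upper control limit
    min_run: int = 3            # consecutive out-of-control intervals before alerting
    warmup: int = 20            # intervals learned before limits are enforced
    floor: float = 50.0         # minimum sigma so a very quiet key is not hair-trigger
    baseline: Baseline = field(default_factory=Baseline)
    run: int = 0
    alerting: bool = False

    def upper_limit(self) -> float:
        return self.baseline.mean + self.k_sigma * max(self.baseline.stddev, self.floor)

    def observe(self, count: float) -> bool:
        """Feed one interval's packet count; return True while in alert state."""
        if self.baseline.n < self.warmup:
            self.baseline.update(count)      # learning phase, no decisions yet
            return False
        if count > self.upper_limit():
            self.run += 1                    # out of control, do not learn from it
        else:
            self.run = 0
            self.baseline.update(count)      # normal traffic keeps refining the baseline
        self.alerting = self.run >= self.min_run
        return self.alerting


def scan(series, **kw):
    """Run a detector over a per-interval count series for one traffic key and
    return the indices of the intervals flagged as anomalous."""
    det = Detector(**kw)
    return [i for i, c in enumerate(series) if det.observe(c)]


# Constructed sample: counts of UDP/1720 packets per 10-second interval toward
# a single VoIP address.  Baseline about 1000 with mild jitter, one isolated
# spike at interval 25 (a one-off, must not alert) and a sustained flood from
# interval 40 onward (alerts once MIN_RUN intervals have exceeded the limit).
SAMPLE = [1000 + (17 * i % 41) - 20 for i in range(60)]
SAMPLE[25] = 9000
for i in range(40, 60):
    SAMPLE[i] = 250_000 + 40_000 * (i % 3)

if __name__ == "__main__":
    print("alerted intervals:", scan(SAMPLE))   # intervals 42 through 59
```

In a real deployment one Detector would be kept per (destination, protocol, port) key fed from flow or packet counters, and the alert would drive a rate limit or a ticket rather than a print.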


Re: SIP trunking providers

2015-07-20 Thread Rafael Possamai
When I originally posted the thread, I had asked Chicago due to physical
proximity, and my assumption being the fewer the hops, the lower the
probability of running into issues (latency, jitter and congestion). On
the other hand, one of my sandboxes is out of Las Vegas and I haven't had
any issues yet, but the number of test calls I've run isn't enough to say
with confidence that distance and hops don't matter (indirect ways of
measuring latency, etc).

Another thing is, having your packets stay in Chicago and in Chicago only
is a nice thing, the efficiency of your overall system would be higher for
what it's worth, but as an example, the 2nd hop this e-mail is taking to
get delivered to Nanog is about 100 miles, who knows about the other ones.



On Mon, Jul 20, 2015 at 8:49 AM, Naslund, Steve 
wrote:

> End to end delay is not the most limiting factor.  Jitter is the issue and
> packet drops are the other issue that matters (more importantly the
> distribution of drops).  I think the best reason to select the local
> provider over the distant one is that the sooner he gets off the IP network
> the less impairments he will run into.  The TDM network as antiquated as it
> is, is less susceptible to congestion and call impairments than an IP
> backbone network is.  I can tell you from running a bunch of International
> VOIP networks that they are just not as reliable as TDM.  The average
> internet connection just does not meet the reliability standards that the
> TDM voice network has achieved.  IP networks are affected by congestion and
> routing issues whereas the TDM network seldom has these type of problems.
> An outage on a TDM circuit rarely affects other TDM circuits so they see a
> lot less higher level outages.  I can understand why he does not want to
> haul his voice cross country over IP when he is exiting locally most of the
> time.
>
> Yes, I understand that the carrier might very well be hauling that traffic
> via IP even after he gets to his gateway point but at that point it becomes
> their problem to deal with.
>
> Steven Naslund
> Chicago IL
>
>
> >If you’re going to the PSTN, who gives a shit where you do the
> interconnect as long as its within 100ms.
> >
> >If most of your calls are VOIP<->VOIP within Chicago, then it makes some
> sense to set up a box and just send the external calls out to the trunking
> provider where >you no longer really care where they are.
> >
> >Absent significant network  suckage, there’s no place in the contiguous
> US that isn’t within 100 ms of any other place in the contiguous US these
> days.
> >
> >Owen
>
>


Re: another tilt at the Verizon FIOS IPv6 windmill

2015-07-18 Thread Rafael Possamai
The best way to "complain" is to simply move the service to another
provider (when possible). 50 bucks a month of revenue to them is not worth
the hassle of having a tech user asking for all sorts of non-standard
configs. It shouldn't be that way, but that's how it usually goes. Think
about it, everyone else (almost literally) is watching cat videos on
youtube and streaming shows on Netflix, so as long as that works, they will
be making their money and not caring about anything else.

When I got TWC business class a while back, I asked the account manager to
draft a month to month contract. When I realized their DOCSIS network
sucked, and that my gateway was going dark several times a week, I just
cancelled, didn't bother arguing with them. I bet I was the only person in
my block that cared about 99.9% uptime, so why would they bother doing
anything.






On Sat, Jul 18, 2015 at 1:08 PM, Andrew Kirch  wrote:

> I had to beat up on AT&T quite a bit, but instead of letting them "make
> notes", escalate to tier-2 because you can't reach work.  Explain that you
> must have IPv6 to reach work to the tier-2.  If they won't help demand to
> be escalated further.  Your time on the phone costs them money.
>
> On Sat, Jul 18, 2015 at 6:45 AM, Seth Mos  wrote:
>
> > Ricky Beam schreef op 18-7-2015 om 1:14:
> >
> >  On Fri, 17 Jul 2015 06:25:26 -0400, Christopher Morrow <
> >> morrowc.li...@gmail.com> wrote:
> >>
> >>> mean that your UBee has to do dhcpv6? (or the downstream thingy from
> >>> the UBee has to do dhcpv6?)
> >>>
> >>
> >> The Ubee "router" is in bridge mode. Customers have ZERO access to the
> >> thing, even when it is running in routed mode. So I have no idea what
> it's
> >> trying to do.  All I can say is no RAs are coming from it (through
> >> it/whatever) It *could* be it's blocking it -- it's multicast, so who
> knows
> >> what it's doing with it.  Without RAs, nothing connected to it will even
> >> attempt IPv6 -- the RA being the indicator to use DHCP or not, and who's
> >> the router.
> >>
> >> And further, when I tell my Cisco 1841 to do DHCP anyway, I get no
> answer.
> >>
> >> So, the blanket statement that "it's ready" isn't true.
> >>
> > For a point of interest, the Ubee 320 and 321 wireless routers/modems are
> > in use by Ziggo in the Netherlands.
> >
> > Although they've rolled back the 320 modems to an older firmware, the 321
> > is still active on their IPv6 rollout. The problems were not strictly
> > related to IPv6 per se, but the newer firmware broke Voice on these
> all-the
> > -things-in-one devices.
> >
> > The 321 appears to be unaffected and is still active, although in just a
> > few regions at this point of the rollout.
> >
> > What's very specific about this rollout in relation to the above, is that
> > Ziggo is currently only supporting IPv6 with the Ubee in router mode
> (with
> > the wifi hotspot). The good news is that it also operates a DHCP-PD
> server
> > so that you can connect your own router to the Ubee and still get IPv6
> > routed to you out of the /56 allocated to the customer.
> >
> > For now, all the customers with the Ubee in bridge mode are SOL. It's not
> > clear what the reason is, but Ubee in bridge mode with IPv6 is listed on
> > the road map. If that's intentional policy or that the firmware isn't
> ready
> > yet is not clear at this point.
> >
> > Regards,
> > Seth
> >
>


Re: Speaking of NTP...

2015-07-16 Thread Rafael Possamai
Depending on how exactly you have these servers configured with relation to
one another, small variations from one single source can be augmented down
the line.

https://en.wikipedia.org/wiki/Propagation_of_uncertainty



On Mon, Jul 13, 2015 at 8:17 AM, Matthew Huff  wrote:

> We have 5 NTP server:  2 x stratum 1 rubidium oscillator time servers with
> GPS sync, and 3 servers running NTP 4.2.6p5-3 synced to external internet
> based NTP stratum 1 servers. We monitor our NTP environment closely, and
> over the last 10+ years, normally all of our NTP servers are sync'ed within
> +/- 2 msec. Starting last Friday, we started seeing some remote NTP servers
> with GPS reference consistently offset by 10 msec.
>
> Any one else seeing this?
>
> 
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC   | Phone: 914-460-4039
> aim: matthewbhuff| Fax:   914-694-5669
>
>


Re: in-cabinet PDU safety regs?

2015-07-02 Thread Rafael Possamai
I've referenced article 645 before, but you have to look at anything
upstream or downstream of the PDU as well, as the system as a whole needs
to be within standards.

On Wed, Jul 1, 2015 at 11:42 AM, William Herrin  wrote:

> Hi Folks,
>
> Do you know of any regulations, standards or publications covering the
> safe installation and use of the little 1U and 2U PDUs in rack
> cabinets? My google fu is failing me. All I've found is OSHA
> 1926.403(i)(1)(i)
> (
> https://www.osha.gov/pls/oshaweb/owadisp.show_document?p_table=STANDARDS&p_id=10704
> )
> and I'm not 100% sure it applies.
>
> Thanks in advance,
> Bill Herrin
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: 
>


Re: World's Fastest Internet™ in Canadaland

2015-06-27 Thread Rafael Possamai
Good for you.

On Sat, Jun 27, 2015 at 6:36 PM, Irwin, Kevin 
wrote:

> Based on our 1Gbps residential customers usage, I believe you just sit at
> home and run speedtest all day.
>
> Sent from my iPhone
>
> > On Jun 26, 2015, at 2:41 PM, Rafael Possamai  wrote:
> >
> > How does one fully utilize a gigabit link for home use? For a single
> person
> > it is overkill. Similar to the concept of price elasticity in economics,
> > going from 50mbps to 1gbps doesn't necessarily increase your average
> > transfer rate, at least I don't think it would for me. Anyone care to
> > comment? Just really curious, as to me it's more of a marketing push than
> > anything else, even though gigabit to the home sounds really cool.
> >
> >
> >
> >> On Fri, Jun 26, 2015 at 1:13 PM, Eric Dugas 
> wrote:
> >>
> >> Nice try Bell.. So-Net did it two years ago, 2Gbps FTTH in Japan.
> >>
> >> Article: http://bgr.com/2013/06/13/so-net-nuro-2gbps-fiber-service/
> >>
> >> If you read Japanese: http://www.nuro.jp/hikari/
> >>
> >> Eric
> >>
> >> -Original Message-
> >> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Hank Disuko
> >> Sent: June 26, 2015 2:04 PM
> >> To: NANOG
> >> Subject: World's Fastest Internet™ in Canadaland
> >>
> >> Bell Canada is apparently gearing up to provide the good people of
> Toronto
> >> with the World's Fastest Internet™.
> >>
> >>
> http://www.thestar.com/news/city_hall/2015/06/25/bell-canada-to-give-toronto-worlds-fastest-internet.html
> >>
> >>
> >>
> The information transmitted is intended only for the person or entity to
> which it is addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination or other use of, or
> taking of any action in reliance upon, this information by persons or
> entities other than the intended recipient is prohibited. If you receive
> this in error, please contact the sender and destroy any copies of this
> document.
>


Re: ARIN just subdivided their last /17, /18, /19, /20, /21 and /22. Down to only /23s and /24s now. : ipv6

2015-06-27 Thread Rafael Possamai
Randy,

How long do you think it will take to completely get rid of IPv4? Or is it
even going to happen at all?

On Sat, Jun 27, 2015 at 4:57 AM, Randy Bush  wrote:

> the rirs have run out of their free source of short ints to rent to us.
> i am sure everyone will move to ipv6 in a week.  news at eleven.
>
> randy
>


Re: Re: World's Fastest Internet™ in Canadaland

2015-06-26 Thread Rafael Possamai
Good points. But just like I won't take more than one shower at a time, I
probably won't watch more than one Netflix stream session at a time
(assuming that for myself only). Downloading a large ISO image in seconds
is definitely a plus, although at the office I never reach a steady 120MB/s
from some Linux mirror out there. I've recently created a Debian mirror and
the 1500GB or so of data came at an average speed of 270mbps using a 1gbps
datacenter link.

I think it will still be a while until we can saturate a 1gbps link inside
the average home. While there are people working hard to deliver 1gbps
FTTH, there are others working equally as hard in developing video
compression algorithms to utilize less bandwidth on the content provider
side.

Not arguing against it, I'm just throwing gas at the fire to see what
different perspectives come out.


On Fri, Jun 26, 2015 at 4:56 PM, Mark Andrews  wrote:

>
> In message <
> cajb2g-h2cccqud7_bhpoydo+beysyzpy+js2p+hj6ruk0qx...@mail.gmail.com>
> , Rafael Possamai writes:
> > How does one fully utilize a gigabit link for home use? For a single
> person
> > it is overkill. Similar to the concept of price elasticity in economics,
> > going from 50mbps to 1gbps doesn't necessarily increase your average
> > transfer rate, at least I don't think it would for me. Anyone care to
> > comment? Just really curious, as to me it's more of a marketing push than
> > anything else, even though gigabit to the home sounds really cool.
>
> Overkill is good provided it doesn't cost too much more.  You want
> the connection speed to not be a limitation on what you are trying
> to do.  1G does that at a good price point these days.  At some
> point in the future 1G will seem slow and there will be a new speed
> that stops the link speed being the limitation.
>
> You don't think about the size of power lines coming into a house
> as they are overkill for just about anything you will do in the
> house.
>
> You don't think about the size of water pipes coming into a house
> as they are overkill for just about anything you will do in the
> house.  Very occasionally you will want to connect directly to the
> > mains (filling a pool) but otherwise the pipe is more than sufficient.
>
> > The worry should be over the gigabytes transferred, the kilowatthours
> and the kilolitres consumed which are the actual resources being
> delivered.
>
> > Unfortunately ISPs have made it about link speed rather than what
> it really is about because link speed was the limiting factor.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>


Re: World's Fastest Internet™ in Canadaland

2015-06-26 Thread Rafael Possamai
That comment was made from a customer perspective (myself) while I wonder
if I ever would wanna pay for it, although it seems like it's pretty cheap
already. As an entrepreneur, business, etc... then yes, I agree. Shoot for
the stars and land on the moon. :)


On Fri, Jun 26, 2015 at 3:02 PM, Karl Auer  wrote:

> On Fri, 2015-06-26 at 13:39 -0500, Rafael Possamai wrote:
> > How does one fully utilize a gigabit link for home use? For a single
> person
> > it is overkill.
>
> This sentiment keeps popping up. It's a failure of vision. To suggest
> that "single people" or "ordinary people" or any other set of presumably
> average and uninteresting people will never be able to fully utilise the
> amazing properties of X, and that they can and should be satisfied with
> some limited version of X or the even more limited alternative Y, is to
> completely miss the point. And to actually provide no more than that is
> to build a self-fulfilling prophecy.
>
> Look at pretty much any modern technology and you can be sure that when
> it was first invented someone wearing the then equivalent of a brown
> cardigan said "yes, that's all very well, but what use will ordinary
> people ever have for it?".
>
> When the first little fire sputtered into life in some Neanderthal cave
> you can bet that some troglodyte said "no point make bigger, me warm
> enough, more hot waste of effort", but of course he hadn't thought of
> bronze, iron, steel, glass, welding or rocketry. Or the steam engine or
> the internal combustion engine. What luck that his kids ignored him, eh?
>
> As William Gibson wrote, "the street finds its uses for things".
>
> I can't think of anything I would or could do with a terabit Internet
> link - but it's not me who needs it. It's the kids now in school who
> will build it, and their kids will think it commonplace. And they will
> look back at you and me and think "how did our grandparents ever manage
> with only a couple of gigabits? How limiting!" And while they are
> thinking that, some bright young things will report that they think
> they've got a primitive exabit link working...
>
> Regards, K.
>
> PS: There are only three real values for network speeds, just as there
> are only three values for amount of personal fortune, RAM, disk space
> and CPU speed. The three values are "not enough", "enough" and "I don't
> know". Always aspire to "I don't know".
>
> --
> ~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
>
> GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
> Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
>
>
>


Re: World's Fastest Internet™ in Canadaland

2015-06-26 Thread Rafael Possamai
How does one fully utilize a gigabit link for home use? For a single person
it is overkill. Similar to the concept of price elasticity in economics,
going from 50mbps to 1gbps doesn't necessarily increase your average
transfer rate, at least I don't think it would for me. Anyone care to
comment? Just really curious, as to me it's more of a marketing push than
anything else, even though gigabit to the home sounds really cool.



On Fri, Jun 26, 2015 at 1:13 PM, Eric Dugas  wrote:

> Nice try Bell.. So-Net did it two years ago, 2Gbps FTTH in Japan.
>
> Article: http://bgr.com/2013/06/13/so-net-nuro-2gbps-fiber-service/
>
> If you read Japanese: http://www.nuro.jp/hikari/
>
> Eric
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Hank Disuko
> Sent: June 26, 2015 2:04 PM
> To: NANOG
> Subject: World's Fastest Internet™ in Canadaland
>
> Bell Canada is apparently gearing up to provide the good people of Toronto
> with the World's Fastest Internet™.
>
> http://www.thestar.com/news/city_hall/2015/06/25/bell-canada-to-give-toronto-worlds-fastest-internet.html
>
>
>


Re: Level3 NOC Contact

2015-06-26 Thread Rafael Possamai
The portal should have some stats where you can do basic troubleshooting.
It's really easy to get registered on the portal, you just need account
number and customer name (which is scary, but go figure...).





On Fri, Jun 26, 2015 at 11:10 AM, Michael Loftis  wrote:

> AFAIK theres no longer any way to get their attention unless you're a
> customer AND have signed up for their online portal system at
> https://my.level3.com/ - and I wouldn't expect anything stellar
> then either. You'll likely have to do your own troubleshooting through them
> as my recent experiences have shown little to no clue or assistance from
> them. They were happy to do as asked but weren't able, or willing, or
> whatever to do anything on their own. Make certain you get the problem
> category right too or you'll be stuck in the wrong team without any of them
> telling you that.
>
>
>
> On Friday, June 26, 2015, Nathanael C. Cariaga <
> nathanael.cari...@adec-innovations.com> wrote:
>
> > Hi,
> >
> > Any Level3 NOC contacts on the list?  Our link in Irvine has been on and
> > off for few minutes already.  Would appreciate replies offline..
> >
> >
> > Thanks!
> >
> > -nathan
> >
>
>
> --
>
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
>


Re: Any Verizon datacenter techs about?

2015-06-25 Thread Rafael Possamai
Be prepared to drop a lot of money for colocation with Verizon. Also,
quoting process is rather long and you will have to sign a NDA most likely,
which just makes it even more fun. For the size of your project I'd pick a
provider that focuses on colocation for small and medium businesses and is
easier to work with.



On Wed, Jun 24, 2015 at 1:46 PM, John Musbach 
wrote:

> Hello,
>
> I'm a techie that recently moved to South Jersey for a tech job. To my
> astonishment, I discovered that there appears to be a Verizon
> datacenter near my house that has colocation:
>
> http://imgur.com/a/PdGno
>
> It's in Somers Point, NJ. While I could not find an address on the
> building, it is on the corner of Bethel Rd and N New Rd. I've tried
> walking around back to see if I could talk to anyone about colocation
> but could not find anyone outside. I've also tried calling Verizon but
> support wasn't very helpful. My question is, what does it take to get
> some colocation space inside of that building? Me and my roommate both
> have a 1u we'd like to rack and having it racked in a datacenter
> walking distance from where we live would be awesome. What we'd need:
>
> 2u space
> 4 power drops for the servers (2 psu per server)
> 2 100Mbps ethernet drops with static IPs
>
> I'm not sure if that's too little to ask for colocation or not, but
> that really is all we'd need. Is there anyone about that knows what
> we'd need to acquire such space, cost, badging, etc? If so, can you
> please reply offlist?
>
> Thanks,
>
> John M
>


Re: Residential VSAT experiences?

2015-06-23 Thread Rafael Possamai
Reading about SIP made it seem like latency alone is not an issue, aside
from delays which impact verbal communication as previously mentioned. What
is going to be much worse is jitter and packet loss. You can eventually get
used to a significant delay, but dropped calls and chopped sound renders
the service useless.

On Tue, Jun 23, 2015 at 3:44 AM, Tim Franklin  wrote:

> > Interesting that you say that about sip. We had a client that would use
> it
> > for sip on ships all the time. It wasn't the best but it worked. Ping
> times
> > were between 500-700ms.
>
> It really depends on your expectations - or more to the point, your
> end-users' expectations.
>
> I've tested SIP in the lab up to 2000ms RTT.  The protocols all hang
> together and keep working, but it's obviously very much in walkie-talkie
> mode, you can't hold a normal duplex conversation.  500ms there's more of
> the talking over each other / "sorry, you go" / "no, you go" dance, but it
> *is* workable.  If your end-user is expecting land-line replacement
> though...
>
> Regards,
> Tim.
>
>


Re: Data Center Network Monitoring with TAPs

2015-06-22 Thread Rafael Possamai
Here's a recent forum thread that discussed the same exact topic. You might
find some insight:
http://www.reddit.com/r/networking/comments/3aip3p/data_center_network_monitoring/


On Sat, Jun 20, 2015 at 11:06 AM, Mitch Howards  wrote:

> Hello All,
>
> Was wondering what folks are using to monitor traffic
>  on their networks. Looking into Ixia and APCON devices for dedup and
> other filtering features as well as passive fiber TAPs to capture the
> traffic.
>
> How are folks handling TAP'ing large data center
> networks? TAPs at the "distribution layer" would be the best fit for my
> network but that would require a ton of passive fiber TAPs for the
> incoming fibers to the distribution switches. The end goal is to not
> only capture the north-south traffic on the network but also east-west
> traffic. It seems more efficient to just use SPANs but there are many
> limitations using SPANs.
>
> Thanks in advance for any suggestions.
>
> Mitch


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-21 Thread Rafael Possamai
No wonder IPv4 is depleted. People's shoes have a MAC address nowadays...

On Sun, Jun 21, 2015 at 8:32 AM, Rob Seastrom  wrote:

>
> Stephen Satchell  writes:
>
> > ... They just couldn't believe that 300 people could max out their system
> > ...
> > Last year, the group AVERAGED four devices each.
>
> A *camping* event that I go to, that is by and large not a
> technology-oriented constituency, averaged 2.6 devices per
> attendee.
>
> -r
>
>


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-20 Thread Rafael Possamai
That's interesting, I will take a look. Thanks!

On Sat, Jun 20, 2015 at 7:40 AM, Marco Teixeira 
wrote:

> Rafael,
> At some scales, the WiFi standard alone will not cut it... Research on
> MERUNETWORKS virtual cell technology. I have done a trial with them. All the
> others are far behind on density. Check their case studies.
> On 20/06/2015 13:02, "Rafael Possamai"  wrote:
>
>> I don't think there's an actual standard for density, at least I am not
>> aware of one. Independent of the vendor you use, this guide should be
>> valid
>> at 80% of implementations:
>>
>>
>> http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1250-series/design_guide_c07-693245.html
>>
>> On Meraki's website there's a case study of an entertainment venue that
>> has
>> about 2,000 users per night, so I am assuming 1,000 which is your cause
>> should be doable.
>>
>> On Sat, Jun 20, 2015 at 5:41 AM, Sina Owolabi 
>> wrote:
>>
>> > Thanks everybody. I've been corrected on density... I've been informed
>> that
>> > it's to be a minimum of 1000 users per building.
>> > That's 8,000 users. (8 buildings, not counting walkways and courtyards,
>> > admin, etc.)
>> > Does this qualify as high-density?
>> >
>> > On Sat, Jun 20, 2015 at 5:33 AM Ray Soucy  wrote:
>> >
>> > > Well, I could certainly be wrong, but it's news to me if UBNT started
>> > > supporting DFS in the US.
>> > >
>> > > Your first screenshot is listing the UAP for 5240 which is channel 48,
>> > > U-NII-1.  The second shows 5825 which is the upper limit of U-NII-3.  I
>> > > don't see any U-NII-2 in what you posted.
>> > >
>> > > This forum post may be a bit out of date, but I haven't seen any
>> > > announcement or information on the forums to indicate the situation
>> has
>> > > changed, and I'm pretty good at searching:
>> > >
>> > > https://community.ubnt.com/t5/UniFi-Wireless/DFS/m-p/700461#M54771
>> > >
>> > > From this thread it looks like the ability to configure DFS channels
>> in
>> > the
>> > > US was a UI bug and only showing for ZH anyway.  IIRC they actually
>> got
>> > in
>> > > a bit of trouble with the FCC over not restricting the use of these
>> > > channels enough.
>> > >
>> > > Regardless of whether or not the FCC has cleared UBNT indoor products
>> for
>> > > U-NII-2 and U-NII-2-extended (and I haven't seen evidence of that
>> yet),
>> > > until you can configure APs to use those channels in the controller
>> > without
>> > > violating FCC regulations I don't consider them usable.
>> > >
>> > > The UAP-AC doesn't seem to support DFS channels at all even without
>> FCC
>> > > restrictions, which kind of kills the point of AC, only 4 x 40 MHz or
>> 2 x
>> > > 80 MHz channels doesn't cut it when we're talking about density.
>> > >
>> > > Note we're talking about indoor wireless and there ARE some UBNT
>> products
>> > > for outdoor WISP use that do support DFS and have been cleared by the
>> > FCC,
>> > > but we would only be looking at the UAP-PRO or UAP-AC in this case so
>> > maybe
>> > > that's the point of confusion here.
>> > >
>> > >
>> > >
>> > >
>> > > On Fri, Jun 19, 2015 at 11:36 PM, Faisal Imtiaz <
>> > fai...@snappytelecom.net>
>> > > wrote:
>> > >
>> > > > FCC Cert claims different.
>> > > >
>> > > > :)
>> > > >
>> > > > Faisal Imtiaz
>> > > > Snappy Internet & Telecom
>> > > > 7266 SW 48 Street
>> > > > Miami, FL 33155
>> > > > Tel: 305 663 5518 x 232
>> > > >
>> > > > Help-desk: (305)663-5518 Option 2 or Email:
>> supp...@snappytelecom.net
>> > > >
>> > > > --
>> > > >
>> > > > *From: *"Josh Luthman" 
>> > > > *To: *"Faisal Imtiaz" 
>> > > > *Cc: *"NANOG list" , "Ray Soucy" 
>> > > > *Sent: *Friday, June 19, 2015 9:16:37 PM
>> > > >
>> > > > *Subject: *Re: Whats' a good product for a high-de
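Ray Soucy's point above about which 5 GHz channels are off limits without DFS can be checked mechanically. The block below is an added example, not code from the thread, from Ubiquiti, or from any other vendor: it maps the center frequencies quoted above (5240 and 5825 MHz) to channel numbers and U-NII bands, counts the 20, 40 and 80 MHz channels left when a radio cannot do DFS, and audits a constructed controller export for APs parked on DFS channels. The band table is the commonly tabulated US plan; the AP names and channel assignments are constructed, and regulatory allocations change, so verify against current FCC rules before relying on it.

```python
# U-NII sub-bands for 5 GHz Wi-Fi in the US, as commonly tabulated (assumption: check
# current FCC rules): (name, lower edge MHz, upper edge MHz, DFS radar detection required)
U_NII_BANDS = [
    ("U-NII-1", 5150, 5250, False),
    ("U-NII-2A", 5250, 5350, True),
    ("U-NII-2C", 5470, 5725, True),   # "U-NII-2 extended"
    ("U-NII-3", 5725, 5850, False),
]

# 20 MHz channel numbers normally usable in the US.
CHANNELS_20MHZ = [36, 40, 44, 48, 52, 56, 60, 64] + list(range(100, 145, 4)) + [149, 153, 157, 161, 165]

# Bonded channel groups, listed as the 20 MHz channels each one occupies.
BONDED = {
    40: [(36, 40), (44, 48), (52, 56), (60, 64), (100, 104), (108, 112), (116, 120),
         (124, 128), (132, 136), (140, 144), (149, 153), (157, 161)],
    80: [(36, 40, 44, 48), (52, 56, 60, 64), (100, 104, 108, 112), (116, 120, 124, 128),
         (132, 136, 140, 144), (149, 153, 157, 161)],
}


def channel_to_freq(ch: int) -> int:
    """5 GHz channel number to center frequency in MHz."""
    return 5000 + 5 * ch


def freq_to_channel(mhz: int) -> int:
    """Center frequency in MHz to 5 GHz channel number (e.g. 5240 -> 48, 5825 -> 165)."""
    if mhz < 5000 or (mhz - 5000) % 5:
        raise ValueError(f"{mhz} MHz is not a 5 GHz channel center")
    return (mhz - 5000) // 5


def band_for_channel(ch: int):
    """(U-NII band name, DFS required) for a channel, decided by its center frequency."""
    center = channel_to_freq(ch)
    for name, lo, hi, dfs in U_NII_BANDS:
        if lo < center < hi:
            return name, dfs
    raise ValueError(f"channel {ch} ({center} MHz) is outside the U-NII bands")


def usable_channels(width: int, dfs_supported: bool) -> list:
    """Channel groups of the given width a radio may use; without DFS, U-NII-2 is excluded."""
    groups = [(ch,) for ch in CHANNELS_20MHZ] if width == 20 else BONDED[width]
    return [g for g in groups if dfs_supported or not any(band_for_channel(ch)[1] for ch in g)]


def audit_ap_channels(ap_channels: dict, dfs_supported: bool) -> list:
    """Flag APs sitting on a DFS channel when the radio/controller does not support DFS.

    ap_channels maps AP name -> configured 20 MHz primary channel.
    Returns [(ap, channel, band), ...] for the violations.
    """
    violations = []
    for ap, ch in ap_channels.items():
        band, dfs = band_for_channel(ch)
        if dfs and not dfs_supported:
            violations.append((ap, ch, band))
    return violations


if __name__ == "__main__":
    # Constructed controller export: three APs, one parked on a U-NII-2C channel.
    export = {"ap-lobby": 48, "ap-hall": 100, "ap-roof": 165}
    print("non-DFS 20 MHz channels:", [g[0] for g in usable_channels(20, False)])
    print("non-DFS 40 / 80 MHz groups:", len(usable_channels(40, False)), len(usable_channels(80, False)))
    print("violations:", audit_ap_channels(export, dfs_supported=False))
```

Run as-is it reproduces the numbers in the quoted message: nine 20 MHz channels, four 40 MHz and two 80 MHz groups without DFS, and 5240/5825 MHz landing in U-NII-1 and U-NII-3 respectively. Feed `audit_ap_channels` a real controller export to find APs that a non-DFS radio should never have been allowed to select.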

Re: SIP trunking providers

2015-06-20 Thread Rafael Possamai
Thanks everyone for your responses.

On Fri, Jun 19, 2015 at 4:40 PM, Rafael Possamai  wrote:

> Would anyone in the list be able to recommend a SIP trunk provider in the
> Chicago area? Not a VoIP expert, so just looking for someone with previous
> experience.
>
>
> Thanks,
> Rafael
>


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-20 Thread Rafael Possamai
I don't think there's an actual standard for density, at least I am not
aware of one. Independent of the vendor you use, this guide should be valid
at 80% of implementations:

http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1250-series/design_guide_c07-693245.html

On Meraki's website there's a case study of an entertainment venue that has
about 2,000 users per night, so I am assuming 1,000 which is your cause
should be doable.

On Sat, Jun 20, 2015 at 5:41 AM, Sina Owolabi  wrote:

> Thanks everybody. I've been corrected on density... I've been informed that
> it's to be a minimum of 1000 users per building.
> That's 8,000 users. (8 buildings, not counting walkways and courtyards,
> admin, etc.)
> Does this qualify as high-density?
>
> On Sat, Jun 20, 2015 at 5:33 AM Ray Soucy  wrote:
>
> > Well, I could certainly be wrong, but it's news to me if UBNT started
> > supporting DFS in the US.
> >
> > Your first screenshot is listing the UAP for 5240 which is channel 48,
> > U-NII-1.  The second shows 5825 which is the upper limit of U-NII-3.  I
> > don't see any U-NII-2 in what you posted.
> >
> > This forum post may be a bit out of date, but I haven't seen any
> > announcement or information on the forums to indicate the situation has
> > changed, and I'm pretty good at searching:
> >
> > https://community.ubnt.com/t5/UniFi-Wireless/DFS/m-p/700461#M54771
> >
> > From this thread it looks like the ability to configure DFS channels in
> the
> > US was a UI bug and only showing for ZH anyway.  IIRC they actually got
> in
> > a bit of trouble with the FCC over not restricting the use of these
> > channels enough.
> >
> > Regardless of whether or not the FCC has cleared UBNT indoor products for
> > U-NII-2 and U-NII-2-extended (and I haven't seen evidence of that yet),
> > until you can configure APs to use those channels in the controller
> without
> > violating FCC regulations I don't consider them usable.
> >
> > The UAP-AC doesn't seem to support DFS channels at all even without FCC
> > restrictions, which kind of kills the point of AC, only 4 x 40 MHz or 2 x
> > 80 MHz channels doesn't cut it when we're talking about density.
> >
> > Note we're talking about indoor wireless and there ARE some UBNT products
> > for outdoor WISP use that do support DFS and have been cleared by the
> FCC,
> > but we would only be looking at the UAP-PRO or UAP-AC in this case so
> maybe
> > that's the point of confusion here.
> >
> >
> >
> >
> > On Fri, Jun 19, 2015 at 11:36 PM, Faisal Imtiaz <
> fai...@snappytelecom.net>
> > wrote:
> >
> > > FCC Cert claims different.
> > >
> > > :)
> > >
> > > Faisal Imtiaz
> > > Snappy Internet & Telecom
> > > 7266 SW 48 Street
> > > Miami, FL 33155
> > > Tel: 305 663 5518 x 232
> > >
> > > Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net
> > >
> > > --
> > >
> > > *From: *"Josh Luthman" 
> > > *To: *"Faisal Imtiaz" 
> > > *Cc: *"NANOG list" , "Ray Soucy" 
> > > *Sent: *Friday, June 19, 2015 9:16:37 PM
> > >
> > > *Subject: *Re: Whats' a good product for a high-density Wireless
> network
> > > setup?
> > >
> > > Uhm he's not wrong...
> > >
> > > Josh Luthman
> > > Office: 937-552-2340
> > > Direct: 937-552-2343
> > > 1100 Wayne St
> > > Suite 1337
> > > Troy, OH 45373
> > > On Jun 19, 2015 9:13 PM, "Faisal Imtiaz" 
> > wrote:
> > >
> > >> >>>The thing you need to watch out for with Ubiquiti is that they
> don't
> > >> support DFS, so the entire U-NII-2 channel space is off limits for 5
> > GHz.
> > >>
> > >> Huh 
> > >>
> > >> Please verify your facts before making blanket statements which are
> not
> > >> accurate ...
> > >>
> > >>
> > >>
> > >> Faisal Imtiaz
> > >> Snappy Internet & Telecom
> > >>
> > >>
> > >> - Original Message -
> > >> > From: "Ray Soucy" 
> > >> > To: "Sina Owolabi" 
> > >> > Cc: "nanog@nanog.org list" 
> > >> > Sent: Friday, June 19, 2015 7:07:01 PM
> > >> > Subject: Re: Whats' a good product for a high-density Wireless
> network
> > >> setup?
> > >> >
> > >> > I know you don't want to hear this answer because of cost but I've
> had
> > >> good
> > >> > luck with Cisco for very high density (about 1,000 clients in a
> packed
> > >> > auditorium actively using the network as they follow along with the
> > >> > presenter).
> > >> >
> > >> > The thing you need to watch out for with Ubiquiti is that they don't
> > >> > support DFS, so the entire U-NII-2 channel space is off limits for 5
> > >> GHz.
> > >> > That's pretty significant because you're limited to 9 x 20 MHz
> > channels
> > >> or
> > >> > 4 x 40 MHz channels.  Keeping the power level down and creating
> small
> > >> cells
> > >> > is essential for high density, so with less channels your hands are
> > >> really
> > >> > tied in that case.  Also, avoid the Zero Handoff marketing nonsense
> > they
> > >> > advertise; I'm sure it can work great for a low client residential
> > area
> > >> but
> > >> > it requires all APs to share a singl

SIP trunking providers

2015-06-19 Thread Rafael Possamai
Would anyone in the list be able to recommend a SIP trunk provider in the
Chicago area? Not a VoIP expert, so just looking for someone with previous
experience.


Thanks,
Rafael


Re: Is it safe to use 240.0.0.0/4

2015-06-17 Thread Rafael Possamai
Using CGNAT doesn't sound right either, although I haven't read the whole
thing, but it seems reasonable to use that block for CGNAT only.

https://tools.ietf.org/html/rfc1918


On Wed, Jun 17, 2015 at 4:13 PM, Tony Wicks  wrote:

> Use 100.64.0.0/10, this is the CGNAT reserved range. I would most
> definitely not recommend 240.0.0.0
>
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Luan Nguyen
> Sent: Thursday, 18 June 2015 9:07 a.m.
> To: nanog@nanog.org
> Subject: Is it safe to use 240.0.0.0/4
>
> Is that safe to use internally? Anyone using it?
> Just for NATTING on Cisco gears...
>
>
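The replies above come down to "use RFC 1918 or the RFC 6598 shared space, not 240/4". As an added example, not code from the thread, the Python below makes that check mechanical: it classifies an address by the special-purpose block it falls in and audits a candidate internal range for being wholly inside one of the blocks the replies consider acceptable. The block labels and the candidate ranges fed in at the bottom are constructed; the ranges themselves are the published ones.

```python
import ipaddress

# Special-purpose IPv4 blocks discussed in the thread. Labels are ours; the ranges
# are the published ones (RFC 1918, RFC 6598, and the IANA-reserved 240/4).
SPECIAL_BLOCKS = [
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("rfc6598", ipaddress.ip_network("100.64.0.0/10")),  # shared address space for CGNAT
    ("reserved", ipaddress.ip_network("240.0.0.0/4")),   # former class E; includes 255.255.255.255
]

# Blocks the replies in the thread treat as acceptable for internal / NAT use.
INTERNAL_OK = {"rfc1918", "rfc6598"}

REASONS = {
    "rfc1918": "private address space; the usual choice for internal addressing",
    "rfc6598": "shared address space; intended for CGNAT between an ISP and its subscribers",
    "reserved": "240/4 is IANA-reserved and not routable; many host stacks refuse to configure it",
    None: "range is not wholly inside one special-purpose block, so part of it may be globally routable",
}


def classify(addr: str) -> str:
    """Label the special-purpose block containing addr, or 'global' / 'other'."""
    ip = ipaddress.ip_address(addr)
    for label, net in SPECIAL_BLOCKS:
        if ip in net:
            return label
    return "global" if ip.is_global else "other"


def check_internal_range(cidr: str) -> dict:
    """Audit a candidate internal range: is all of it inside one acceptable block?

    A range that straddles blocks (e.g. 100.0.0.0/9, only half of which is the
    shared space) gets block=None and ok=False.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 ranges only")
    containing = next((label for label, block in SPECIAL_BLOCKS if net.subnet_of(block)), None)
    return {
        "range": str(net),
        "block": containing,
        "ok": containing in INTERNAL_OK,
        "reason": REASONS[containing],
    }


if __name__ == "__main__":
    # Constructed candidates: the two the thread mentions, an RFC 1918 one, and a straddling one.
    for candidate in ("240.0.0.0/4", "100.64.0.0/10", "10.20.0.0/16", "100.0.0.0/9"):
        print(check_internal_range(candidate))
```

`classify` is also handy the other way round: run it over source addresses seen on an Internet-facing interface and anything labelled `rfc1918`, `rfc6598` or `reserved` should not have arrived from outside.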


Re: Anycast provider for SMTP?

2015-06-17 Thread Rafael Possamai
https://www.google.com/intl/en/ipv6/statistics.html



On Mon, Jun 15, 2015 at 8:26 PM, Matt Palmer  wrote:

> On Mon, Jun 15, 2015 at 05:07:22PM -0700, Dave Taht wrote:
> > On Mon, Jun 15, 2015 at 5:00 PM, Randy Bush  wrote:
> > >> "What about IPv6? We have a plan! We plan to be dead before customers
> > >> demand IPv6".
> > >> I am pretty sure the authors are still alive(?).
> > >
> > > and customer demand for ipv6 still holds strong, right?
> >
> > Does seem to be on the uptick!
>
> It's certainly stronger than it has *ever* been before.
>
> - Matt
>
> --
> I am cow, hear me moo, I weigh twice as much as you. I'm a cow, eating
> grass, methane gas comes out my ass. I'm a cow, you are too; join us all!
> Type apt-get moo.
>
>


Re: Anycast provider for SMTP?

2015-06-16 Thread Rafael Possamai
Any luck on a DNS based solution?

On Mon, Jun 15, 2015 at 12:50 PM, Joe Hamelin  wrote:

> I have a mail system where there are two MX hosts, one in the US and one in
> Europe.  Both have a DNS MX record metric of 10 so a bastardized
> round-robin takes place.  This does not work so well when one site goes
> down.   My solution will be to place a load balancer in a hosting site
> (virtual, of course) and have it provide HA.  But what about HA for the
> LB?  At first glance anycasting would seem to be a great idea but there is
> a problem of broken sessions when routes change.
>
> Have any of you seen something like this work in the wild?
>
>
> --
> Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
>


Re: Anycast provider for SMTP?

2015-06-15 Thread Rafael Possamai
You're welcome. I hope that helps.

On another note, if your internet pipe in Europe isn't as stable as your
pipe in the US, then you could also try and have your infrastructure
provider blend your uplink with two or more carrier-grade paths. You
wouldn't have to worry about signing up for and maintaining an AS, but you
could improve your uptime significantly.


On Mon, Jun 15, 2015 at 2:52 PM, Joe Hamelin  wrote:

> On Mon, Jun 15, 2015 at 12:45 PM, Rafael Possamai 
>  wrote:
>>
>>
>> The other step would be to setup HA in each SMTP node (US and France)
>> such as LB or Failover. Just an idea.
>>
>> I'll look at the AWS doc, thanks.
>
> The mailserver is seldom the problem (it's an AS/400) but the ISP pipe
> experiences prolonged outages.
>
>
>
> --
> Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
>
>
>


Re: Anycast provider for SMTP?

2015-06-15 Thread Rafael Possamai
I could be mistaken, but you might get all of this done with AWS's Route53.
I would read this:
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-geo

The other step would be to setup HA in each SMTP node (US and France) such
as LB or Failover. Just an idea.



On Mon, Jun 15, 2015 at 12:50 PM, Joe Hamelin  wrote:

> I have a mail system where there are two MX hosts, one in the US and one in
> Europe.  Both have a DNS MX record metric of 10 so a bastardized
> round-robin takes place.  This does not work so well when one site goes
> down.   My solution will be to place a load balancer in a hosting site
> (virtual, of course) and have it provide HA.  But what about HA for the
> LB?  At first glance anycasting would seem to be a great idea but there is
> a problem of broken sessions when routes change.
>
> Have any of you seen something like this work in the wild?
>
>
> --
> Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
>


Re: AS4788 Telecom Malaysia major route leak?

2015-06-14 Thread Rafael Possamai
Well, I was wondering the same. I am guessing it depends on the SLA
contract since they are all very unique and specific. I assume they would
have to, granted the issue lasted for a couple hours. Now, it depends on
how they define the outage. A fiber cut that yields a customer's service
unusable would be an easy SLA breach. Their legal team most likely removed
any liability due to someone else's negligence, although you could argue
they were negligent as well. So in this case they can claim the whole "best
effort" thing and get away with it. I am not a L3 customer, so was just
wondering out of curiosity.

On Sun, Jun 14, 2015 at 8:07 PM, Aftab Siddiqui 
wrote:

> Hi Rafael,
>
> I get that much, just wondering if Level3 would have to pay an SLA breach
>> to its customers given the mess started with TM (even though it could have
>> been avoided). And I am guessing if they do, they wouldn't be able to
>> recover anything from TM.
>
>
> I doubt if L3 has to pay anything to its customers in terms of SLA breach,
> its best effort. Are you aware of any such agreement which suggest
> otherwise? that would be interesting.
>


Re: AS4788 Telecom Malaysia major route leak?

2015-06-14 Thread Rafael Possamai
I get that much, just wondering if Level3 would have to pay an SLA breach
to its customers given the mess started with TM (even though it could have
been avoided). And I am guessing if they do, they wouldn't be able to
recover anything from TM.

On Sun, Jun 14, 2015 at 7:07 PM, Mel Beckman  wrote:

>  SLAs are part of a contract, and thus only apply to the parties of the
> contract. There are no payments due to other parties. The Internet is a
> "best effort" network, with zero guarantees.
>
>  -mel beckman
>
> On Jun 14, 2015, at 4:06 PM, Rafael Possamai  wrote:
>
>   Does anyone know if there's an official "ruling" as to who gets to pay
> for the SLA breaches?
>
> On Sun, Jun 14, 2015 at 5:56 PM, Mel Beckman  wrote:
>
>> Raymond,
>>
>> But you said "A simple 'sorry' would have done." Now you're asking for
>> lots more detail. Why the change?
>>
>>  -mel beckman
>>
>> > On Jun 14, 2015, at 2:32 PM, Raymond Dijkxhoorn <
>> raym...@prolocation.net> wrote:
>> >
>> > Hello Mel,
>> >
>> > Must just be me then.
>> >
>> > I was most likely expecting a more in depth report. Strange things
>> happened. Perhaps they could post a 'what exactly happened' since this
>> wasn't an average route leak.
>> >
>> > Thanks,
>> > Raymond Dijkxhoorn
>> >
>> >> On 14 Jun 2015, at 23:27, Mel Beckman  wrote:
>> >>
>> >> Raymond,
>> >>
>> >> They provided a "simple sorry":
>> >>
>> >>   "We apologise for any inconvenience caused by the service
>> disruption."
>> >>
>> >> It doesn't get much more simple than that.
>> >>
>> >> -mel beckman
>> >>
>> >>> On Jun 14, 2015, at 2:21 PM, Raymond Dijkxhoorn <
>> raym...@prolocation.net> wrote:
>> >>>
>> >>> Hai!
>> >>>
>> >>> Mark, mistakes and oopses happen. No problem at all. I understand
>> that completely. There is human failure and this happens.
>> >>>
>> >>> A simple 'sorry' would have done. Yet their whole message tells 'they
>> did ok' In my very limited view they did NOT ok. Did i misread?
>> >>>
>> >>> I am also very much looking how level3 is going to prevent things
>> like this. But out of own experience they will not. We have seen before
>> that they implemented filtering based on customer lists. But not a per
>> customer filter. They did this globally. So any l3 customer can announce
>> routes of another l3 customer. While this can be changed this outage tells
>> there is certainly room for improvements.
>> >>>
>> >>> I hope people will learn from what happened and implement proper
>> filtering. That's even more important than a message from an operator that
>> didn't even understand fully what they caused to the internet globally.
>> >>>
>> >>> Thanks,
>> >>> Raymond Dijkxhoorn
>> >>>
>> >>>> On 14 Jun 2015, at 23:04, Mark Tinka  wrote:
>> >>>>
>> >>>>
>> >>>>
>> >>>>> On 14/Jun/15 22:55, Raymond Dijkxhoorn wrote:
>> >>>>> Hai!
>> >>>>>
>> >>>>> Wouw! This is what they came up with?!
>> >>>>>
>> >>>>> Hopefully Level3 will take appropriate measures. It's amazing.
>> Really.
>> >>>>>
>> >>>>> 'Some internationally routes'
>> >>>>>
>> >>>>> Have they any idea what they did at all?
>> >>>>>
>> >>>>> It's amazing that with parties like that the internet still works as
>> is  ...
>> >>>>
>> >>>> I wouldn't be as hard. Stuff happens - and as they said, during a
>> >>>> maintenance activity, they boo-boo'ed.
>> >>>>
>> >>>> Are Level(3) going to own up and say they should have had filters in
>> >>>> place? I certainly hope they do.
>> >>>>
>> >>>> But more importantly, are Level(3) going to implement the filters
>> >>>> against TM's circuit? Are they going to run around the network
>> looking
>> >>>> for any additional customer circuits that need plugging? That's my
>> >>>> concern...
>> >>>>
>> >>>> Mark.
>>
>
>


Re: AS4788 Telecom Malaysia major route leak?

2015-06-14 Thread Rafael Possamai
Does anyone know if there's an official "ruling" as to who gets to pay for
the SLA breaches?

On Sun, Jun 14, 2015 at 5:56 PM, Mel Beckman  wrote:

> Raymond,
>
> But you said "A simple 'sorry' would have done." Now you're asking for
> lots more detail. Why the change?
>
>  -mel beckman
>
> > On Jun 14, 2015, at 2:32 PM, Raymond Dijkxhoorn 
> wrote:
> >
> > Hello Mel,
> >
> > Must just be me then.
> >
> > I was most likely expecting a more in depth report. Strange things
> happened. Perhaps they could post a 'what exactly happened' since this
> wasn't an average route leak.
> >
> > Thanks,
> > Raymond Dijkxhoorn
> >
> >> On 14 Jun 2015, at 23:27, Mel Beckman  wrote:
> >>
> >> Raymond,
> >>
> >> They provided a "simple sorry":
> >>
> >>   "We apologise for any inconvenience caused by the service disruption."
> >>
> >> It doesn't get much more simple than that.
> >>
> >> -mel beckman
> >>
> >>> On Jun 14, 2015, at 2:21 PM, Raymond Dijkxhoorn <
> raym...@prolocation.net> wrote:
> >>>
> >>> Hai!
> >>>
> >>> Mark, mistakes and oopses happen. No problem at all. I understand that
> completely. There is human failure and this happens.
> >>>
> >>> A simple 'sorry' would have done. Yet their whole message tells 'they
> did ok' In my very limited view they did NOT ok. Did i misread?
> >>>
> >>> I am also very much looking how level3 is going to prevent things like
> this. But out of own experience they will not. We have seen before that
> they implemented filtering based on customer lists. But not a per customer
> filter. They did this globally. So any l3 customer can announce routes of
> another l3 customer. While this can be changed this outage tells there is
> certainly room for improvements.
> >>>
> >>> I hope people will learn from what happened and implement proper
> filtering. That's even more important than a message from an operator that
> didn't even understand fully what they caused to the internet globally.
> >>>
> >>> Thanks,
> >>> Raymond Dijkxhoorn
> >>>
>  On 14 Jun 2015, at 23:04, Mark Tinka  wrote:
> 
> 
> 
> > On 14/Jun/15 22:55, Raymond Dijkxhoorn wrote:
> > Hai!
> >
> > Wouw! This is what they came up with?!
> >
> > Hopefully Level3 will take appropriate measures. It's amazing. Really.
> >
> > 'Some internationally routes'
> >
> > Have they any idea what they did at all?
> >
> > It's amazing that with parties like that the internet still works as
> is  ...
> 
>  I wouldn't be as hard. Stuff happens - and as they said, during a
>  maintenance activity, they boo-boo'ed.
> 
>  Are Level(3) going to own up and say they should have had filters in
>  place? I certainly hope they do.
> 
>  But more importantly, are Level(3) going to implement the filters
>  against TM's circuit? Are they going to run around the network looking
>  for any additional customer circuits that need plugging? That's my
>  concern...
> 
>  Mark.
>


Re: Open letter to Level3 concerning the global routing issues on June 12th

2015-06-13 Thread Rafael Possamai
A lot of these things are for show only.. Like a big corporation donating
to non-profits and sponsoring "feel good" events. You can see that a lot of
these same businesses also lobby Washington like crazy, so there you go...
This was either an isolated incident or they really don't care much.

On Sat, Jun 13, 2015 at 1:54 PM, Hank Nussbacher 
wrote:

> At 17:32 12/06/2015 +0200, Martin Millnert wrote:
>
> Interesting that Level3 is a member of http://www.routingmanifesto.org/
>
> or see
>
>
> http://www.internetsociety.org/news/network-operators-around-world-demonstrate-their-commitment-secure-and-resilient-internet
>
> to quote Level3
> "As one of the most connected Internet providers in the world, security of
> the Internet is top-of-mind at Level 3 Communications. We are dedicated to
> supporting and protecting the Internet ecosystem and work each day to
> safeguard customers' critical communications. The Internet is a shared
> responsibility, and only through these important collaborative efforts can
> we continue to ensure the protection of this collective infrastructure."
>
> -Hank
>
>
>  Dear Level3,
>>
>> The Internet is a cooperative effort, and it works well only when its
>> participants take constructive actions to address errors and remedy
>> problems.
>> Your position as a major Internet Carrier bestows upon you a certain
>> degree of responsibility for the correct operation of the Internet all
>> across (and beyond) the planet. You have many customers. Customers will
>> always occasionally make mistakes. You as a major Internet Carrier have
>> a responsibility to limit, not amplify, your customers' mistakes.
>> Other major carriers implement technical measures that severely limits
>> the damages from customer mistakes from having global impact.
>> Other major carriers also implement operational procedures in addition
>> to technical measures.
>> In combination, these measures drastically reduce the outage-hours as a
>> result of customer configuration errors.
>>
>> At 08:44 UTC on Friday 12th of June, one of your transit customers,
>> Telekom Malaysia (AS4788) began announcing the full Internet table back
>> to you, which you accepted and propagated to your peers and customers,
>> causing global outages for close to 3 hours.
>> [ https://twitter.com/DynResearch/status/609340592036970496 ]
>> During this 3 hour window, it appears (from your own service outage
>> reports) that you did nothing to stop the global Internet outage, but
>> that Telekom Malaysia themselves eventually resolved it. This lack of
>> action on your end, and your disregard for the correct operation of the
>> global Internet is astonishing. These mistakes do not need to happen.
>> AS4788 under normal circumstances announces ~1900 IPv4 prefixes to the
>> Internet. You accepted multiple hundred thousand prefixes from them - a
>> max prefix setting would have severely limited the damage. We expect
>> that these are your practices as well, but they failed. When they do, it
>> should not take ~3 hours to shut down the session(s).
>>
>> Many operators, in despair, turned down their peering sessions with you
>> once it was clear you were causing the outages and no immediate fix was
>> in sight. This improved the situation for some - but not all did. Had
>> you deployed proper IRR-filtering to filter the bad announcements the
>> impact would've been far less critical.
>>
>> As a direct consequence of your ~3 hours of inaction, as a local
>> example, Swedish payment terminals were experiencing problems all over
>> the country. The Swedish economy was directly affected by your inaction.
>> There were queues when I was buying lunch! Imagine the food rage. The
>> situation was probably similar at other places around the globe where
>> people were awake.
>>
>> Operators around the planet are curious:
>>   - Did Level3 not detect or understand that it was causing global
>> Internet outages for ~3 hours?
>>   - If Level3 did in fact detect or understand it was causing global
>> Internet outages, why did it not properly and immediately remedy the
>> situation?
>>   - What is Level3 going to do to address these questions and begin work
>> on restoring its credibility as a carrier?
>>
>> We all understand that mistakes do happen (in applying customer
>> interface templates, etc.). However, the Internet is all too pervasive in
>> everyday life today for anything but swift action by carriers to remedy
>> breakage after the fact. It is absolutely not sufficient to let a
>> customer spend 3 hours to detect and fix a situation like this one. It
>> is unacceptable that no swift action was taken on your end to limit the
>> global routing issues you caused.
>>
>> Sincerely,
>> Martin Millnert
>> Member of Internet Community - no carrier / ISP affiliation.
>>
>
>


Hardware monitoring

2015-06-13 Thread Rafael Possamai
Hi everyone,

I know this is slightly off-topic, but since it's still related to the
list, I thought I'd give it a try. I am wondering what systems are out
there (open source, preferably) for data collection and processing of
hardware health data (temperature, CPU clock, fan speeds, etc). Ideally
brand agnostic and location agnostic as well.

I know of Cacti, but it would require SNMP enabled devices AFAIK, so
room/generator/misc monitors wouldn't necessarily be included.


Thanks in advance.

Rafael


Re: Open letter to Level3 concerning the global routing issues on June 12th

2015-06-13 Thread Rafael Possamai
Something about Malaysia, first the airplanes... now BGP leaks?

On Fri, Jun 12, 2015 at 10:32 AM, Martin Millnert 
wrote:

> Dear Level3,
>
> The Internet is a cooperative effort, and it works well only when its
> participants take constructive actions to address errors and remedy
> problems.
> Your position as a major Internet Carrier bestows upon you a certain
> degree of responsibility for the correct operation of the Internet all
> across (and beyond) the planet. You have many customers. Customers will
> always occasionally make mistakes. You as a major Internet Carrier have
> a responsibility to limit, not amplify, your customers' mistakes.
> Other major carriers implement technical measures that severely limit
> the damages from customer mistakes from having global impact.
> Other major carriers also implement operational procedures in addition
> to technical measures.
> In combination, these measures drastically reduce the outage-hours as a
> result of customer configuration errors.
>
> At 08:44 UTC on Friday 12th of June, one of your transit customers,
> Telekom Malaysia (AS4788) began announcing the full Internet table back
> to you, which you accepted and propagated to your peers and customers,
> causing global outages for close to 3 hours.
> [ https://twitter.com/DynResearch/status/609340592036970496 ]
> During this 3 hour window, it appears (from your own service outage
> reports) that you did nothing to stop the global Internet outage, but
> that Telekom Malaysia themselves eventually resolved it. This lack of
> action on your end, and your disregard for the correct operation of the
> global Internet is astonishing. These mistakes do not need to happen.
> AS4788 under normal circumstances announces ~1900 IPv4 prefixes to the
> Internet. You accepted multiple hundred thousand prefixes from them - a
> max prefix setting would have severely limited the damage. We expect
> that these are your practices as well, but they failed. When they do, it
> should not take ~3 hours to shut down the session(s).
>
> Many operators, in despair, turned down their peering sessions with you
> once it was clear you were causing the outages and no immediate fix was
> in sight. This improved the situation for some - but not all did. Had
> you deployed proper IRR-filtering to filter the bad announcements the
> impact would've been far less critical.
>
> As a direct consequence of your ~3 hours of inaction, as a local
> example, Swedish payment terminals were experiencing problems all over
> the country. The Swedish economy was directly affected by your inaction.
> There were queues when I was buying lunch! Imagine the food rage. The
> situation was probably similar at other places around the globe where
> people were awake.
>
> Operators around the planet are curious:
>   - Did Level3 not detect or understand that it was causing global
> Internet outages for ~3 hours?
>   - If Level3 did in fact detect or understand it was causing global
> Internet outages, why did it not properly and immediately remedy the
> situation?
>   - What is Level3 going to do to address these questions and begin work
> on restoring its credibility as a carrier?
>
> We all understand that mistakes do happen (in applying customer
> interface templates, etc.). However, the Internet is all too pervasive in
> everyday life today for anything but swift action by carriers to remedy
> breakage after the fact. It is absolutely not sufficient to let a
> customer spend 3 hours to detect and fix a situation like this one. It
> is unacceptable that no swift action was taken on your end to limit the
> global routing issues you caused.
>
> Sincerely,
> Martin Millnert
> Member of Internet Community - no carrier / ISP affiliation.
>
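
The two safeguards the letter names, an IRR-derived prefix filter on the customer session and a max-prefix limit on it, modelled in Python as an added example (not code from the list, from Level3 or from any carrier). The customer ASN, the route objects, the max-prefix value and the 1024-prefix "leak" are all constructed for illustration in documentation and shared address space; they are not AS4788's real announcements.

```python
"""Model of two BGP customer-session safeguards: IRR prefix filtering and
a max-prefix limit.  Added illustration with constructed data; nothing here
reflects any carrier's real configuration or any customer's real prefixes."""
import ipaddress
from dataclasses import dataclass


@dataclass
class PeerPolicy:
    peer_as: int          # hypothetical customer ASN (constructed)
    max_prefix: int       # tear the session down above this many accepted prefixes
    irr_routes: tuple     # constructed route objects as (prefix, max allowed length)


def irr_permits(policy, prefix):
    """True if some registered route object covers the prefix and the
    announced length is within what that object permits."""
    net = ipaddress.ip_network(prefix)
    for registered, maxlen in policy.irr_routes:
        reg = ipaddress.ip_network(registered)
        if net.version == reg.version and net.subnet_of(reg) and net.prefixlen <= maxlen:
            return True
    return False


def process_session(policy, announcements, use_irr_filter=True):
    """Apply the inbound policy to a sequence of announced prefixes and
    report what ends up installed from this session."""
    accepted, rejected = [], []
    for prefix in announcements:
        if use_irr_filter and not irr_permits(policy, prefix):
            rejected.append(prefix)   # dropped before it can propagate anywhere
            continue
        accepted.append(prefix)
        if len(accepted) > policy.max_prefix:
            # Max-prefix tripped: the session is torn down and every route
            # learned over it is withdrawn, so none of it reaches peers.
            return {"state": "shutdown", "installed": 0, "rejected": len(rejected)}
    return {"state": "established", "installed": len(accepted), "rejected": len(rejected)}


# Constructed customer: two registered route objects in documentation ranges.
CUSTOMER = PeerPolicy(
    peer_as=64496,
    max_prefix=10,  # headroom over the customer's normal count of 3 (constructed)
    irr_routes=(("203.0.113.0/24", 24), ("198.51.100.0/24", 26)),
)

# The customer's normal announcements, one too-specific prefix that no route
# object permits, and a constructed "leak" of 1024 unrelated prefixes.
NORMAL = ["203.0.113.0/24", "198.51.100.0/25", "198.51.100.128/26"]
TOO_SPECIFIC = ["203.0.113.0/25"]
LEAK = [str(n) for n in ipaddress.ip_network("100.64.0.0/10").subnets(new_prefix=20)]


def run_scenarios():
    """Compare the outcome with each safeguard in place and with none."""
    announced = NORMAL + TOO_SPECIFIC + LEAK
    no_limits = PeerPolicy(CUSTOMER.peer_as, 10**6, CUSTOMER.irr_routes)
    return {
        "irr_filter": process_session(CUSTOMER, announced, use_irr_filter=True),
        "max_prefix_only": process_session(CUSTOMER, announced, use_irr_filter=False),
        "no_safeguards": process_session(no_limits, announced, use_irr_filter=False),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16s} {result}")
```

With the IRR filter in place the leaked prefixes never get installed and the customer's own three routes stay up; with only max-prefix the session is shut down, which contains the leak at the cost of the customer's legitimate routes; with neither, all 1028 prefixes are installed and propagated, which is the situation the letter describes. The two controls complement each other, which is why the letter asks for both.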


Re: eBay is looking for network heavies...

2015-06-11 Thread Rafael Possamai
+1 for experience. Being able to teach yourself just about anything drops
you into the top 20% of any industry (with maybe a few exceptions). One
thing I noticed is that the best professionals I met out there are just as
good with people as they are with routers and console screens. IT is
usually just a cost center (unless you work for a tech company), so if you
learn how to navigate office politics and push change, then you will have a
spot with the packet wrangling Gods.

On Thu, Jun 11, 2015 at 9:27 AM, Steve Mikulasik 
wrote:

> 25 year old neteng reporting in. I got into networking when I wanted to
> play Quake against my brother and trying to share a single dial-up
> connection between all the computers in the house.
>
> While I still have a long way to go (employed full time in IT for just over
> 6 years), I think I am ahead of most IT pros in my age group. At the end of
> the day us young kids learned the same way most of you did, bit of
> education, and the vast majority from experience.
>
> I am at the point now where my self-education skills are effective enough
> that I can learn whatever I don't know and solve most any problem I come
> across. From what others have said, I think this is the key to success in
> this field, although I think this is a skill you develop early in life or
> you never get it. I am now trying to learn the things I didn't know I
> needed to know to solve problems I didn't know existed.
>
> I do agree there isn't a big interest from youth in this field. A lot of
> people get introduced to networking through education and never develop a
> passion for it. When they graduate they choose IT areas more interesting to
> themselves. Most schools are teaching recycled CCNA curriculum and/or
> thinking from the early 90s. Can't blame anyone who hasn't developed a
> passion for networking outside of education for not entering the field.
> Memorizing what an Ethernet frame looks like doesn't build an appreciation
> for networking, unless you can see the bigger picture.
>
> Steve Mikulasik
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ray Soucy
> Sent: Thursday, June 11, 2015 7:37 AM
> To: William Waites
> Cc: NANOG
> Subject: Re: eBay is looking for network heavies...
>
> I really wonder how people get into this field today.  It has gotten
> incredibly complex and I've been learning since before I was a teenager
> (back when it was much more simple).
>
> I'm 31 now, but I started getting into computers and specifically
> networking at a very young age (elementary school).  We had a pair of
> teachers that were enthusiasts and built up a computer lab with everything
> on token ring running Novell.  I thought the fact that I could change to a
> different PC by drive letter in DOS was the most amazing thing I had ever
> seen in the 3rd grade.  From there I was really hooked, got really into
> BBSing, and when the first dial-up ISPs started popping up I made it a
> point to get a job with them.
>
> My school district didn't offer a technical program for Internetworking
> but they had a technical school that competed in the SkillsUSA competitions
> and approached me about competing in the Internetworking event, without any
> education or mentor I won the gold medal at the State level both years I
> competed and went on to the nationals (where that lack of guidance and
> access to equipment to train on meant I got my slice of humble pie).  I
> held my own, but the guys who won at the national level were just so much
> more prepared.  Despite the stigma of SkillsUSA being trades focused, the
> Internetworking competition was a really great experience that mixed
> physical networking and basically a CCNA level of theory (they actually
> used an old copy of the CCNA as the exam).
>
> During this same time I got a paid internship for the local hospital and
> rebuilt their entire network after seeing the nightmare it was (they had
> the AS400 with all their healthcare data sitting on a public IP address
> with no firewall and default QSECOFR credentials sitting there for the
> taking with 5020 over IP enabled).  It was pretty crazy for a high school
> student to be doing a full redesign of a network for a healthcare provider,
> even building frame-relay links between facilities and convincing the local
> cable company to provide dark fiber between a few.
>
> When I went to university I made it a point to get student employment with
> the NOC they ran to provide all of the public schools and libraries in the
> state with their Internet access, and that evolved into a full time job for
> them within a few years.
>
> Looking back, it's been like a perfect storm of opportunity that I just
> don't think exists today.  I'm really happy I was born when I was and able
> to have a front row seat to see the explosion of the Internet.  I don't
> know if I'm just getting "old" but I feel like technology has gotten so
> easy for young people that most of th

Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-04 Thread Rafael Possamai
You could look into LXD for that type of deployment.

On Thu, Jun 4, 2015 at 12:55 PM, Pavel Odintsov 
wrote:

> Brilliant idea! But in Docker we could offer only sflow and sflow. Port
> mirror capture needs support from the kernel side. Will try shortly!
>
> On Thursday, June 4, 2015, Roberto Bertó  wrote:
>
> > What about we build a Docker?
> >
> > 2015-06-04 14:47 GMT-03:00 Alexander Maassen  > >:
> >
> > > It's a security tool. So ppl using it want to publicly hide the fact
> they
> > > use it in case you screw up and it contains leaks ;)
> > >
> > >  Oorspronkelijk bericht 
> > > Van: Pavel Odintsov >
> > > Datum:
> > > Aan: Jim Popovitch >
> > > Cc: nanog@nanog.org 
> > > Onderwerp: Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS
> > > mitigation
> > >
> > > Looks like many folks want to hide company emails ;) I'm a good guy and
> > > will not spam or offer something ;)))
> > >
> > > But I'm impressed by the amount of off-list requests. Really huge interest
> > > in the tool.
> > >
> > > On Thursday, June 4, 2015, Jim Popovitch  > > wrote:
> > >
> > > > There's a surprising amount of GMail (yes, including me) and new-ness
> > > > in this thread.Should I be impressed with the freshness or
> > > > concerned about astroturfing?   :-)
> > > >
> > > > Bah Humbug!
> > > >
> > > > -Jim P.
> > > >
> > >
> > >
> > > --
> > > Sincerely yours, Pavel Odintsov
> > >
> >
>
>
> --
> Sincerely yours, Pavel Odintsov
>


Re: Should I Reboot, and Why? (was Re: [RDD] No Play out on Cart Wall)

2015-06-04 Thread Rafael Possamai
I also reboot for kernel updates!

On Thu, Jun 4, 2015 at 11:57 AM, Jay Ashworth  wrote:

> - Original Message -
> > From: "Cowboy" 
>
> > On Sunday 31 May 2015 03:49:10 pm Graham Wilman wrote:
>
> > > after getting the play out working on clienta terminal for the past
> > > 6 days
> > > the decision was taken today to get clientb terminal working which
> > > it now partially is
> > > unfortunately once all 3 terminals the server.clienta and clientb
> > > were rebooted I could
> > > not get play out to work on clienta again
> >
> > Re-booted why ?
> > I've often said that rebooting a *nix machine is usually a bad idea.
>
> And, again, a good time to recap some of Good Sysadmin Practice:
>
> In the Windows world, it's often recommended that you reboot a machine that
> is acting -- as we say in support -- hincky.  That's because Windows is
> sufficiently complicated and fragile that things can get corrupt at
> runtime, and the simple fact you rebooted it can fix a problem.
>
> That's traditionally not been true in the *nix world; particularly on
> purpose-built single function servers, there simply isn't enough code
> running at once to allow for the sort of complicated, multiplicative
> complexity failures that you see in many Windows machines.
>
> But does that mean you should never reboot a Linux box, just because
> you usually don't *have* to, to fix your problem?
>
> No, it doesn't, and here's why:
>
> Some of the things you might change in your configuration can affect
> how things start *when* you boot up, and if you've adjusted one of them,
> the time to boot it and find out *is right now, when you've just made the
> change and it's fresh in your mind*, not 6 months from now at 3 in the
> morning, when you don't remember what you did.
>
> Well, I suppose you could look in your logbook.  Or check your ticketing
> system.  :-)
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth  Baylink
> j...@baylink.com
> Designer The Things I Think   RFC
> 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land
> Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647
> 1274
>


Re: AWS Elastic IP architecture

2015-06-03 Thread Rafael Possamai
We are starting to waste packets arguing over some private intellectual
property.

On Wed, Jun 3, 2015 at 3:24 PM, Christopher Morrow 
wrote:

> On Wed, Jun 3, 2015 at 7:56 AM, Owen DeLong  wrote:
> > For example, let’s say you have 20 machines for whom you want to allow
> inbound SSH access. In the IPv4 world, with NAT, you have to configure an
> individual port mapping for each machine and you have to either configure
> all of the SSH clients, or, specify the particular port for the machine you
> want to get to on the command line.
>
> In the original case in question the fact that there's NAT happening
> isn't material... so all of this discussion of NAT is a red herring,
> right? the user of AWS services cares not that 'nat is happening',
> because they can simply RESTful up a VM instance and ssh into it in
> ~30 seconds, no config required.
>
> let's skip all NAT discussions on this topic from here on out, yes?
>


Re: stacking pdu

2015-05-29 Thread Rafael Possamai
You could run a PDU in parallel so that you don't use more current than
the wires are rated for (although the PDU should trip the circuit anyways
in case you overload it). Only problem is matching the receptacles. You
probably don't want to half-ass it, so I'd just add an extra PDU and run an
extra ethernet cable so you can monitor it.

On Fri, May 29, 2015 at 4:29 PM, William Herrin  wrote:

> On Fri, May 29, 2015 at 4:32 PM, shawn wilson  wrote:
> > Is there a way to stack PDUs? like, with 30A 220, we need more plugs
> > than power but I'd like them to communicate to make sure we don't over
> > power the circuit. Do any APC or Triplite systems support this?
>
> Isn't it against the NEC and the fire code to stack power strips? We
> all do it, but isn't it against code?
>
> Regards,
> Bill Herrin
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: 
>


Re: Capacity/transit costs vs growth

2015-05-27 Thread Rafael Possamai
If I understand your question correctly, the answer is: it depends. You can
model the cost of delivering your service and keep track of three types of
cost: fixed, variable and marginal. Here is a really good video that
explains these:

https://youtu.be/bBQVaRnHqLs

You might find an industry average for certain economies of scale, but each
system is so unique in its cost structure that you have to model it from
scratch. Just keep in mind that every model works with TRASH IN => TRASH
OUT, so if you make the wrong assumptions, your answers won't be realistic.

On Wed, May 27, 2015 at 6:54 PM, Jean-Francois Mezei <
jfmezei_na...@vaxination.ca> wrote:

> On 15-05-27 19:20, Faisal Imtiaz wrote:
>
> > The above hypothesis why imply that the 20% linear increase is not fair,
> vs directly making the case that the base rate, set in some point in the
> past is not fair/appropriate anymore ?
>
> These rates cover aggregation between an end user's CO and a central CO
> where an ISP connects. For instance, a Toronto based ISP can serve all
> of Bell Canada's DSL footprint by connecting to the Adelaide Street CO
> in Toronto.  BUT, Bell charges $1016 per 100mbps to carry traffic
> between that point and the CO serving an end user. (for Cable, I am not
> 100% sure if it includes the fibre to the node, or just aggregation to
> the CMTS).
>
> there is a separate fixed fee for the "last mile" infrastructure.
>
> The point I am trying to make is that during the period where usage
> increases, the cost per gbps decreases, so it should not be a 1:1
> relationship over time.  Currently, the CRTC sets 1:1 relationship over
> 10 years.
>
> So having a *rough* idea of decreases in per gbps of capacity over the
> years would help me make the point that the current rate structure is
> flawed.  (I don't need precise at this point, just rough ideas).
>
>
> Different slant to question:
>
> when you move from 1gbps to 10gbps to 40gbps links, what sort of
> price/gbps reduction do you get ? 20% ? 30% ?
>
>
>
>


Re: gmail security is a joke

2015-05-27 Thread Rafael Possamai
"Security is an illusion" - Confucius probably

On Wed, May 27, 2015 at 8:42 AM, Joel Maslak  wrote:

> I also suspect not every telco validates number porting requests against
> social engineering properly.
>
> A telephone number isn't something you have, it is something your provider
> has.
>
> On Wednesday, May 27, 2015, Saku Ytti  wrote:
>
> > On (2015-05-27 14:19 +0200), Owen DeLong wrote:
> >
> > Hey,
> >
> > > If someone has the ability to hijack your BGP, then you've got bigger
> > problems than
> > > having them take over your Gmail account.
> >
> > This is the second reply to this notion. I don't understand what is attempted
> > to
> > communicate. I'm sure no one on nanog thinks BGP hijacks are rare,
> > difficult
> > or yield to consequences when called out.
> >
> > > That's interesting... Why do you choose to give access to your
> > personal SMS messages
> > > to so many of your coworkers?
> >
> > I don't, but they can provision my number to any SIM they want to.
> >
> > --
> >   ++ytti
> >
>


Re: gmail security is a joke

2015-05-27 Thread Rafael Possamai
You can also register a U2F key.

On Wed, May 27, 2015 at 3:17 AM,  wrote:

> On Wed, 27 May 2015 09:13:47 +0530, Anil Kumar said:
> > that link, since I have two-step verification set up, I was presented
> > with a demand for a number provided by the Google Authenticator
> > app on my phone. I provided that number and only then was I allowed
> > to reset the password.
>
> And you have to pre-register the phone number.
>
> Sounds about as secure as you're going to get when trying to scale to 10
> digits of users
>
> And as I said earlier - if your threat model involves needing more security
> than that, you have bigger problems.. :)
>
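
The thread contrasts an SMS-delivered code, which depends on whoever controls the phone number, with a code from an authenticator app, which is computed on the device from a shared secret and the clock. Below is that computation (RFC 6238 TOTP over RFC 4226 HOTP) in standard-library Python, plus the server-side check with a clock-skew window and constant-time comparison. This is an added example, not code from Google or from anyone in the thread; the only secret in it is the RFC 6238 Appendix B test-vector key, and the 30-second step and 6 digits are the common authenticator defaults.

```python
"""RFC 6238 TOTP, the kind of code a phone authenticator app produces.
Added illustration; the secret below is the RFC 6238 test-vector key
("12345678901234567890" in base32), not any real account secret."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """TOTP is HOTP with the counter set to the current `step`-second window."""
    if at_time is None:
        at_time = time.time()
    key = base64.b32decode(secret_b32.upper())
    return hotp(key, int(at_time) // step, digits)


def verify_totp(secret_b32, submitted, at_time=None, step=30, window=1):
    """Server-side check: accept the code for the current window and up to
    `window` windows either side (clock skew), comparing in constant time."""
    if at_time is None:
        at_time = time.time()
    for skew in range(-window, window + 1):
        expected = totp(secret_b32, at_time + skew * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# RFC 6238 Appendix B key "12345678901234567890", base32-encoded.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC6238_SECRET))       # current code, changes every 30 s
    print(totp(RFC6238_SECRET, 59))   # RFC 6238 vector at T=59: 287082
```

Nothing in this exchange involves the carrier, which is the point made upthread: re-provisioning a number to another SIM yields SMS codes but not these. What it does depend on is the secret staying on the device and on the server, and on the account's recovery paths not falling back to something weaker.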


Re: Peering and Network Cost

2015-05-21 Thread Rafael Possamai
James, curious to know... what size ISPs are they? In the last few years
with the larger ones it has always been about lowering cost and increasing
revenue, which throws the original idea of peering out the window (unless
you are willing to pay).

On Thu, May 21, 2015 at 4:52 AM, James Bensley  wrote:

> On 17 April 2015 at 16:53, Justin Wilson - MTIN  wrote:
> > Peering and peering on an exchange are two different things.  Peering at
> an exchange has several benefits other than the simple cost of transit.  If
> you are in a large data center which charges fees for cross connects a
> single cross connect to an exchange can save you money.
> >
> > Peering can also be a sales tool.  If you buy from a VOIP provider and
> are peered with them your latency and such will go down.  You also have
> more control over the QOS over that peer.  This can be spun into marketing.
> >
> > Not to toot our own horn but we put together a list of benefits for our
> IX customers:
> > http://www.midwest-ix.com/blog/?p=15
> >
> >
> > Also, a good article at:
> >
> http://blog.webserver.com.my/index.php/the-benefits-of-hosting-at-internet-exchange-point/
>
>
> I also have a similar working document that I'd welcome feedback on to
> improve;
>
>
> https://docs.google.com/document/d/1i2bPZDt75hAwcR4iKMqaNSGIeM-nJSWLZ6SLTTnuXNs/edit?usp=sharing
>
> I've used it once to help an ISP evaluate peering and started them in
> the world of public peering. I'm now going through that process again
> with another ISP and again they will start public peering soon, having
> used this doc in both cases as an intro/FAQ for them.
>
> Cheers,
> James.
>


Re: Low Cost 10G Router

2015-05-20 Thread Rafael Possamai
Since you are considering multiple options, I'd build a decision matrix.
You can put down all the requirements, score each option, and then
normalize it to give each a final score. After that you can calculate some
other things such as throughput per dollar, etc.

http://asq.org/learn-about-quality/decision-making-tools/overview/decision-matrix.html

Regarding the Mikrotik, there's a difference between Multithreading and
Multiprocessing.


On Wed, May 20, 2015 at 11:44 AM, Colton Conor 
wrote:

> So are the rest of the processes in Mikrotik OS multi threaded? I would
> hope so to take advantage of 36 cores!
>
> What is up with all of these network vendors not supporting more than one
> core in their OS? I just don't get it.
>
>
>
> On Tue, May 19, 2015 at 9:49 PM, Josh Baird  wrote:
>
> > The BGP daemon on the CCR routers is not multi-threaded; it only will use
> > one core.
> >
> > Josh
> >
> > On Tue, May 19, 2015 at 10:06 PM, Colton Conor 
> > wrote:
> >
> >>  So this new $1295 Mikrotik CCR1036-8G-2S+EM  has a 36 core Tilera CPU
> >> with
> >> 16GB of ram. Each core is running at 1.2Ghz? I assume that Mikrotik is
> >> multicore in software, so why does this box not outperform these intel
> >> boxes that everyone is recommending? Is it just a limitation of ports?
> >>
> >>
> >>
> >> On Tue, May 19, 2015 at 6:03 PM, Faisal Imtiaz <
> fai...@snappytelecom.net>
> >> wrote:
> >>
> >> >
> >> >
> >> >
> >> > > I've seen serious, unusual performance bottlenecks in Mikrotik CCR,
> in
> >> > some
> >> > > cases not even achieving a gigabit speeds on 10G interfaces.
> >> Performance
> >> > > drops more rapidly then Cisco with smaller packet sizes.
> >> > >
> >> > >  -mel beckman
> >> >
> >> >
> >> > Folks often forget that Mikrotik ROS can also run on x86 machines.
> >> >
> >> > Size your favorite hardware (server) or network appliance with
> >> appropriate
> >> > ports, add MT ROS on a CF card, and you are good to go.
> >> >
> >> > We use i7 based network appliance with dual 10g cards (you can use a
> >> quad
> >> > 10g card, such as those made by hotlav).
> >> >
> >> > with a 2gig of ram, you can easily do multiple (4-5 or more full bgp
> >> > peers), and i7 are good for approx 1.2mill pps.
> >> >
> >> >
> >> > Best of luck.
> >> >
> >> >
> >> > Faisal Imtiaz
> >> > Snappy Internet & Telecom
> >> >
> >>
> >
> >
>
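
The decision matrix described above (list the requirements, score each option, normalize so each gets a final score, then derive figures such as throughput per dollar) worked through in Python as an added example; it is not from the ASQ page or from any vendor. The option names, prices, port counts and throughput figures are constructed placeholders, not real router specifications, and the criteria weights are an assumption.

```python
"""Weighted decision matrix for comparing router options.  Added illustration
with constructed placeholder options; none of the figures are real products."""

# Each criterion: (weight, whether "higher" or "lower" values are better).
# Weights are an assumption; adjust them to the buyer's priorities.
CRITERIA = {
    "price_usd": (3, "lower"),
    "ten_gig_ports": (2, "higher"),
    "throughput_gbps": (2, "higher"),
}

# Hard requirements are pass/fail and are checked before any scoring.
HARD_REQUIREMENTS = ("full_table",)

# Constructed options (placeholders, not real vendor data).
OPTIONS = {
    "Option A": {"price_usd": 5000, "ten_gig_ports": 4, "throughput_gbps": 40, "full_table": True},
    "Option B": {"price_usd": 1300, "ten_gig_ports": 2, "throughput_gbps": 16, "full_table": True},
    "Option C": {"price_usd": 9000, "ten_gig_ports": 8, "throughput_gbps": 80, "full_table": True},
    "Option D": {"price_usd": 800, "ten_gig_ports": 4, "throughput_gbps": 40, "full_table": False},
}


def eligible(options, hard=HARD_REQUIREMENTS):
    """Drop any option that fails a hard requirement."""
    return {name: o for name, o in options.items() if all(o[h] for h in hard)}


def normalize(options, criteria):
    """Scale every criterion to [0, 1] so the best option on it scores 1:
    value/max for higher-is-better, min/value for lower-is-better."""
    best = {}
    for crit, (_, direction) in criteria.items():
        values = [o[crit] for o in options.values()]
        best[crit] = max(values) if direction == "higher" else min(values)
    norm = {}
    for name, o in options.items():
        norm[name] = {}
        for crit, (_, direction) in criteria.items():
            norm[name][crit] = o[crit] / best[crit] if direction == "higher" else best[crit] / o[crit]
    return norm


def score(options, criteria=CRITERIA):
    """Weighted sum of normalized scores, divided by total weight so the
    final score is again in [0, 1]."""
    total_weight = sum(w for w, _ in criteria.values())
    norm = normalize(options, criteria)
    return {name: sum(criteria[c][0] * v for c, v in n.items()) / total_weight
            for name, n in norm.items()}


def rank(options=OPTIONS, criteria=CRITERIA):
    """Eligible options sorted best first as (name, score) pairs."""
    scored = score(eligible(options), criteria)
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


def throughput_per_dollar(options=OPTIONS):
    """A derived figure the matrix makes easy once the data is tabulated."""
    return {name: o["throughput_gbps"] / o["price_usd"] for name, o in eligible(options).items()}


if __name__ == "__main__":
    for name, s in rank():
        print(f"{name}: score {s:.3f}, Gbps/$ {throughput_per_dollar()[name]:.4f}")
```

Normalizing each column before weighting keeps a large-magnitude criterion such as price from dominating the sum; the weights, not the units, decide what matters. Changing the weights and re-running is the quickest way to see how sensitive the ranking is to the buyer's priorities.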


Re: Low Cost 10G Router

2015-05-19 Thread Rafael Possamai
Oops, Cisco ASR 1k series might not cut it, you can take a look at their 9k
series:
http://www.cisco.com/c/en/us/products/routers/asr-9000-series-aggregation-services-routers/models-comparison.html

On Tue, May 19, 2015 at 12:22 PM, Colton Conor 
wrote:

> What options are available for a small, low cost router that has at least
> four 10G ports, and can handle full BGP routes? All that I know of are the
> Juniper MX80, and the Brocade CER line. What does Cisco and others have
> that compete with these two? Any other vendors besides Juniper, Brocade,
> and Cisco to look at?
>


Re: Low Cost 10G Router

2015-05-19 Thread Rafael Possamai
Here is what I found on Google about Cisco's options:
http://www.cisco.com/c/en/us/products/routers/asr-1000-series-aggregation-services-routers/models-comparison.html

And when it comes to Juniper, you might be able to get it done with MX40
(look at their options, there are different combinations of chassis and
cards), and you can always upgrade to a MX80 later.

Just not sure you can find anything low cost when you need to route 10gbps.

On Tue, May 19, 2015 at 12:22 PM, Colton Conor 
wrote:

> What options are available for a small, low cost router that has at least
> four 10G ports, and can handle full BGP routes? All that I know of are the
> Juniper MX80, and the Brocade CER line. What does Cisco and others have
> that compete with these two? Any other vendors besides Juniper, Brocade,
> and Cisco to look at?
>


Re: Route Optimization Products

2015-05-15 Thread Rafael Possamai
I've been a customer before of a datacenter in Chicago that uses/used
Internap's optimized routes and latency was always better in comparison
to other locations I tested against. That was around 2011 or
2012.

On Fri, May 15, 2015 at 10:19 AM, Mike Hammett  wrote:

> What is out there for route optimization products? I can think of Noction
> (no inbound) or Internap FCP (old).
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>


Re: Route Optimization Products

2015-05-15 Thread Rafael Possamai
Internap also has a product called MIRO, although I am not sure how it
differs from FCP.

On Fri, May 15, 2015 at 10:19 AM, Mike Hammett  wrote:

> What is out there for route optimization products? I can think of Noction
> (no inbound) or Internap FCP (old).
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>


Re: Rasberry pi - high density

2015-05-12 Thread Rafael Possamai
Here's someone's comparison between the B and B+ in terms of power:

http://raspi.tv/2014/how-much-less-power-does-the-raspberry-pi-b-use-than-the-old-model-b

On Mon, May 11, 2015 at 10:25 PM, Joel Maslak  wrote:

> Rather than guessing on power consumption, I measured it.
>
> I took a Pi (Model B - but I suspect B+ and the new version is relatively
> similar in power draw with the same peripherals), hooked it up to a lab
> power supply, and took a current measurement.  My pi has a Sandisk SD card
> and a Sandisk USB stick plugged into it, so, if anything, it will be a bit
> high in power draw.  I then fired off a tight code loop and a ping -f from
> another host towards it, to busy up the processor and the network/USB on
> the Pi.  I don't have a way of making the video do anything, so if you were
> using that, your draw would be up.  I also measured idle usage (sitting at
> a command prompt).
>
> Power draw was 2.3W under load, 2.0W at idle.
>
> If it was my project, I'd build a backplane board with USB-to-ethernet and
> ethernet switch chips, along with sockets for Pi compute modules (or
> something similar).  I'd want one power cable and one network cable per
> backplane board if my requirements allowed it.  Stick it all in a nice card
> cage and you're done.
>
> As for performance per watt, I'd be surprised if this beat a modern video
> processor for the right workload.
>
>
> On Mon, May 11, 2015 at 5:16 PM, Rafael Possamai 
> wrote:
>
> > Maybe I messed up the math in my head, my line of thought was one pi is
> > estimated to use 1.2 watts, whereas the nuc is at around 65 watts. 10
> pi's
> > = 12 watts. My comparison was 65watts/12watts = 5.4 times more power than
> > 10 pi's put together. This is really a rough estimate because I got the
> > NUC's power consumption from the AC/DC converter that comes with it,
> which
> > has a maximum output of 65 watts. I could be wrong (up to 5 times) and
> > still the pi would use less power.
> >
> > Now that I think about it, the best way to simplify this is to calculate
> > benchmark points per watt, so rasp pi is at around 406/1.2 which equals
> > 338. The NUC, roughly estimated to be at 3857/65 which equals 60. Let's
> be
> > very skeptical and say that at maximum consumption the pi is using 5
> watts,
> > then 406/5 is around 81. At this point the rasp pi still scores better.
> >
> > Only problem we are comparing ARM to x86 which isn't necessarily fair (I
> am
> > not an expert in computer architectures)
> >
> >
> >
> >
> >
> > On Mon, May 11, 2015 at 5:24 PM, Hugo Slabbert  wrote:
> >
> > > Did I miss anything? Just a quick comparison.
> > >>
> > >
> > > If those numbers are accurate, then it leans towards the NUC rather
> than
> > > the Pi, no?
> > >
> > > Perf:   1x i5 NUC = 10x Pi
> > > $$: 1x i5 NUC = 10x Pi
> > > Power:  1x i5 NUC = 5x Pi
> > >
> > > So...if a single NUC gives you the performance of 10x Pis at the
> capital
> > > cost of 10x Pis but uses half the power of 10x Pis and only a single
> > > Ethernet port, how does the Pi win?
> > >
> > > --
> > > Hugo
> > >
> > >
> > > On Mon 2015-May-11 17:08:43 -0500, Rafael Possamai  >
> > > wrote:
> > >
> > >  Interesting! Knowing a pi costs approximately $35, then you need
> > >> approximately $350 to get near an i5.. The smallest and cheapest
> desktop
> > >> you can get that would have similar power is the Intel NUC with an i5
> > that
> > >> goes for approximately $350. Power consumption of a NUC is about 5x
> that
> > >> of
> > >> the raspberry pi, but the number of ethernet ports required is 10x
> less.
> > >> Usually in a datacenter you care much more about power than switch
> > ports,
> > >> so in this case if the overhead of controlling 10x the number of nodes
> > is
> > >> worth it, I'd still consider the raspberry pi. Did I miss anything?
> > Just a
> > >> quick comparison.
> > >>
> > >>
> > >>
> > >> On Mon, May 11, 2015 at 4:40 PM, Michael Thomas 
> wrote:
> > >>
> > >>  As it turns out, I've been playing around benchmarking things lately
> > >>> using
> > >>> the tried and true
> > >>> UnixBench suite and here are a few numbers that might put this in
> some
> > >>> perspective:
> > >>>

Re: Rasberry pi - high density

2015-05-11 Thread Rafael Possamai
Maybe I messed up the math in my head, my line of thought was one pi is
estimated to use 1.2 watts, whereas the nuc is at around 65 watts. 10 pi's
= 12 watts. My comparison was 65watts/12watts = 5.4 times more power than
10 pi's put together. This is really a rough estimate because I got the
NUC's power consumption from the AC/DC converter that comes with it, which
has a maximum output of 65 watts. I could be wrong (up to 5 times) and
still the pi would use less power.

Now that I think about it, the best way to simplify this is to calculate
benchmark points per watt, so rasp pi is at around 406/1.2 which equals
338. The NUC, roughly estimated to be at 3857/65 which equals 60. Let's be
very skeptical and say that at maximum consumption the pi is using 5 watts,
then 406/5 is around 81. At this point the rasp pi still scores better.

Only problem is we are comparing ARM to x86, which isn't necessarily fair (I am
not an expert in computer architectures).





On Mon, May 11, 2015 at 5:24 PM, Hugo Slabbert  wrote:

> Did I miss anything? Just a quick comparison.
>>
>
> If those numbers are accurate, then it leans towards the NUC rather than
> the Pi, no?
>
> Perf:   1x i5 NUC = 10x Pi
> $$: 1x i5 NUC = 10x Pi
> Power:  1x i5 NUC = 5x Pi
>
> So...if a single NUC gives you the performance of 10x Pis at the capital
> cost of 10x Pis but uses half the power of 10x Pis and only a single
> Ethernet port, how does the Pi win?
>
> --
> Hugo
>
>
> On Mon 2015-May-11 17:08:43 -0500, Rafael Possamai 
> wrote:
>
>  Interesting! Knowing a pi costs approximately $35, then you need
>> approximately $350 to get near an i5.. The smallest and cheapest desktop
>> you can get that would have similar power is the Intel NUC with an i5 that
>> goes for approximately $350. Power consumption of a NUC is about 5x that
>> of
>> the raspberry pi, but the number of ethernet ports required is 10x less.
>> Usually in a datacenter you care much more about power than switch ports,
>> so in this case if the overhead of controlling 10x the number of nodes is
>> worth it, I'd still consider the raspberry pi. Did I miss anything? Just a
>> quick comparison.
>>
>>
>>
>> On Mon, May 11, 2015 at 4:40 PM, Michael Thomas  wrote:
>>
>>  As it turns out, I've been playing around benchmarking things lately
>>> using
>>> the tried and true
>>> UnixBench suite and here are a few numbers that might put this in some
>>> perspective:
>>>
>>> 1) My new Raspberry pi (4 cores, arm): 406
>>> 2) My home i5-like thing (asus 4 cores, 16gb's from last year): 3857
>>> 3) AWS c4.xlarge (4 cores, ~8gb's): 3666
>>>
>>> So you'd need to, uh, wedge about 10 pi's to get one half way modern x86.
>>>
>>> Mike
>>>
>>>
>>> On 5/11/15 1:37 PM, Clay Fiske wrote:
>>>
>>>  On May 8, 2015, at 10:24 PM, char...@thefnf.org wrote:
>>>>
>>>>>
>>>>> Pi dimensions:
>>>>>
>>>>> 3.37 l (5 front to back)
>>>>> 2.21 w (6 wide)
>>>>> 0.83 h
>>>>> 25 per U (rounding down for Ethernet cable space etc) = 825 pi
>>>>>
>>>>> Cable management and heat would probably kill this before it ever
>>>>> reached completion, but lol…
>>>>>
>>>>>
>>>> This feels like it should be a Friday thread. :)
>>>>
>>>> If you’re really going for density:
>>>>
>>>> - At 0.83 inches high you could go 2x per U (depends on your mounting
>>>> system and how much space it burns)
>>>> - I’d expect you could get at least 7 wide if not 8 with the right
>>>> micro-USB power connector
>>>> - In most datacenter racks I’ve seen you could get at least 8 deep even
>>>> with cable breathing room
>>>>
>>>> So somewhere between 7x8x2 = 112 and 8x8x2 = 128 per U. And if you get
>>>> truly creative about how you stack them you could probably beat that
>>>> without too much effort.
>>>>
>>>> This doesn’t solve for cooling, but I think even at these numbers you
>>>> could probably make it work with nice, tight cabling.
>>>>
>>>>
>>>> -c
>>>>
>>>>
>>>>
>>>>
>>>


Re: Rasberry pi - high density

2015-05-11 Thread Rafael Possamai
Interesting! Knowing a pi costs approximately $35, then you need
approximately $350 to get near an i5.. The smallest and cheapest desktop
you can get that would have similar power is the Intel NUC with an i5 that
goes for approximately $350. Power consumption of a NUC is about 5x that of
the raspberry pi, but the number of ethernet ports required is 10x less.
Usually in a datacenter you care much more about power than switch ports,
so in this case if the overhead of controlling 10x the number of nodes is
worth it, I'd still consider the raspberry pi. Did I miss anything? Just a
quick comparison.



On Mon, May 11, 2015 at 4:40 PM, Michael Thomas  wrote:

> As it turns out, I've been playing around benchmarking things lately using
> the tried and true
> UnixBench suite and here are a few numbers that might put this in some
> perspective:
>
> 1) My new Raspberry pi (4 cores, arm): 406
> 2) My home i5-like thing (asus 4 cores, 16gb's from last year): 3857
> 3) AWS c4.xlarge (4 cores, ~8gb's): 3666
>
> So you'd need to, uh, wedge about 10 pi's to get one half way modern x86.
>
> Mike
>
>
> On 5/11/15 1:37 PM, Clay Fiske wrote:
>
>> On May 8, 2015, at 10:24 PM, char...@thefnf.org wrote:
>>>
>>> Pi dimensions:
>>>
>>> 3.37 l (5 front to back)
>>> 2.21 w (6 wide)
>>> 0.83 h
>>> 25 per U (rounding down for Ethernet cable space etc) = 825 pi
>>>
>>> Cable management and heat would probably kill this before it ever
>>> reached completion, but lol…
>>>
>>
>> This feels like it should be a Friday thread. :)
>>
>> If you’re really going for density:
>>
>> - At 0.83 inches high you could go 2x per U (depends on your mounting
>> system and how much space it burns)
>> - I’d expect you could get at least 7 wide if not 8 with the right
>> micro-USB power connector
>> - In most datacenter racks I’ve seen you could get at least 8 deep even
>> with cable breathing room
>>
>> So somewhere between 7x8x2 = 112 and 8x8x2 = 128 per U. And if you get
>> truly creative about how you stack them you could probably beat that
>> without too much effort.
>>
>> This doesn’t solve for cooling, but I think even at these numbers you
>> could probably make it work with nice, tight cabling.
>>
>>
>> -c
>>
>>
>>
>


Re: Rasberry pi - high density

2015-05-09 Thread Rafael Possamai
From the work that I've done in the past with clusters, your need for
bandwidth is usually not the biggest issue. When you work with "big data",
let's say 500 million data points, most mathematicians would condense it
all down into averages, standard deviations, probabilities, etc, which then
become much smaller to save in your hard disks and also to perform data
analysis with, as well as transfer these stats from master to nodes and
vice-versa. So for one project at a time, your biggest concern is cpu
clock, ram, interrupts, etc. If you want to run all of the BIG 10s academic
projects into one big cluster for example, then networking might become an
issue solely due to volume.

The more data you transfer, the longer it would take to perform any
meaningful analysis on it, so really your bottleneck is TFLOPS rather than
packets per second. With Facebook it's the opposite, it's mostly pictures
and videos of cats coming in and out of the server with lots of reads and
writes on their storage. In that case, switching tbps of traffic is how
they make money.

A good example is creating a Docker container with your application and
deploying a cluster with CoreOS. You save all that capex and spend by the
hour. I believe Azure and EC2 already have support for CoreOS.




On Sat, May 9, 2015 at 12:48 AM, Tim Raphael 
wrote:

> The problem is, I can get more processing power and RAM out of two 10RU
> blade chassis and only needing 64 10G ports...
>
> 32 x 256GB RAM per blade = 8.1TB
> 32 x 16 cores x 2.4GHz = 1,228GHz
> (not based on current highest possible, just using reasonable specs)
>
> Needing only 4 QFX5100s which will cost less than a populated 6513 and
> give lower latency. Power, cooling and cost would be lower too.
>
> RPi = 900MHz and 1GB RAM. So to equal the two chassis, you'll need:
>
> 1228 / 0.9 = 1364 Pis for compute (main performance aspect of a super
> computer) meaning double the physical space required compared to the
> chassis option.
>
> So yes, infeasible indeed.
>
> Regards,
>
> Tim Raphael
>
> > On 9 May 2015, at 1:24 pm, char...@thefnf.org wrote:
> >
> >
> >
> > So I just crunched the numbers. How many pies could I cram in a rack?
> >
> > Check my numbers?
> >
> > 48U rack budget
> > 6513 15U (48-15) = 33U remaining for pie
> > 6513 max of 576 copper ports
> >
> > Pi dimensions:
> >
> > 3.37 l (5 front to back)
> > 2.21 w (6 wide)
> > 0.83 h
> > 25 per U (rounding down for Ethernet cable space etc) = 825 pi
> >
> > Cable management and heat would probably kill this before it ever
> reached completion, but lol...
> >
> >
> >
>


Re: Thousands of hosts on a gigabit LAN, maybe not

2015-05-08 Thread Rafael Possamai
- The more switches a packet has to go through, the higher the latency, so
your response times may deteriorate if you cascade too many switches.
Legend says up to 4 is a good number; any further and you risk creating a big
mess.

- The more switches you add, the higher your bandwidth utilized by
broadcasts in the same subnet.
http://en.wikipedia.org/wiki/Broadcast_radiation

- If you have only one connection between each switch, each switch is going
to be limited to that rate (1gbps in this case), possibly creating a
bottleneck depending on your application and how exactly it behaves.
Consider aggregating uplinks.

- Bundling too many Ethernet cables will cause interference (cross-talk),
so keep that in mind. I'd purchase F/S/FTP cables and the like.

Here I am going off on a tangent: if your friends want to build a "super
computer" then there's a way to calculate the most "efficient" number of
nodes given your constraints (e.g. linear optimization). This could save
you time, money and headaches. An example: maximize the number of TFLOPS
while minimizing number of nodes (i.e. number of switch ports). Just a
quick thought.






On Fri, May 8, 2015 at 1:53 PM, John Levine  wrote:

> Some people I know (yes really) are building a system that will have
> several thousand little computers in some racks.  Each of the
> computers runs Linux and has a gigabit ethernet interface.  It occurs
> to me that it is unlikely that I can buy an ethernet switch with
> thousands of ports, and even if I could, would I want a Linux system
> to have 10,000 entries or more in its ARP table.
>
> Most of the traffic will be from one node to another, with
> considerably less to the outside.  Physical distance shouldn't be a
> problem since everything's in the same room, maybe the same rack.
>
> What's the rule of thumb for number of hosts per switch, cascaded
> switches vs. routers, and whatever else one needs to design a dense
> network like this?  TIA
>
> R's,
> John
>


Re: Question about co-lo in APAC region

2015-05-06 Thread Rafael Possamai
Personal opinion: developing countries tend to have unstable utility
service (power is what matters here), so your DC of choice in India should
be Tier 4 preferably, which are hard to find and really expensive. Budget
allowing, I'd stick to Hong Kong, Shanghai or Singapore as you mentioned
initially. These cities have pretty large financial services industries
(which rely heavily on IT & telco in general) and large companies like
Equinix/Digital Realty have already done the heavy lifting for you in terms
of scoping a good location for an APAC datacenter.


On Wed, May 6, 2015 at 11:28 AM, c b  wrote:

> This is a pre-project discovery question... any help would be greatly
> appreciated.
> We have upcoming partnerships (opportunities) in APAC. The original plan
> was to place the hub in Singapore. Just weeks before everyone was ready to
> begin the RFP, it turns out that one of our partner businesses owns a Co-Lo
> in India. Not sure what the name or the size of this business is yet. While
> it would be nice to take advantage of this, we have potential partnerships
> in China and other areas of APAC in development... we are hesitating to put
> our APAC hub in India just based on latency and where the undersea cables
> run.
> So, I'm reaching out to NANOG... some of you guys have either worked with
> businesses (or work in provider space) in both India and Singapore (and
> elsewhere, such as Japan). Is there a clear reason to use/not-use India as
> a hub? What would the pros/cons be? Is there a clear advantage to using
> Singapore as we originally planned?
> Again, we appreciate the feedback.
> LFoD


Re: ADSL Line Extenders

2015-04-30 Thread Rafael Possamai
Yes, you are correct, P2MP is what I meant to say. I'd also suggest
Ubiquiti radios, some of their models being capable of doing 1gbps+.

On Thu, Apr 30, 2015 at 7:59 AM, Shimon Hochbaum <
shimon.hochb...@teliswitch.com> wrote:

> I second wholeheartedly the idea of wireless for this application, except
> that Rafael probably meant point to multipoint solutions: Trango
> https://www.trangosys.com/altum-ac or Waveip
> http://www.waveip.com/products/overview/ are 2 good options.
>
> Line extenders supporting ADSL2+ won't do much good: the 2 and the +
> denote improvements in the short range, less than 5000', probably not
> relevant in your case. If wired is your preferred option, you might want to
> consider HDSL based products, which are meant to drive 1.5M symmetric over
> long distances, power fed from the 2 sides for simplicity, with ability to
> go higher when pairs are bundled. Adtran should be the 1st place to look at.
>
> Good luck, Shimon
>
> > -Original Message-
> > From: Rafael Possamai [mailto:raf...@gav.ufsc.br]
> > Sent: Wednesday, April 29, 2015 17:37
> > To: Jean-Francois Mezei
> > Cc: nanog@nanog.org
> > Subject: Re: ADSL Line Extenders
> >
> > Semi-related question: in instances like this, wouldn't a point-to-point
> link
> > provide larger throughput and be less expensive? Unless you are talking
> about
> > several subscribers that are already installed and operating.
> > Depending on the situation, it might make sense to set a few sectorial
> > antennas at a high-point and link everyone with small inexpensive CPE
> > antennas. Just a quick thought.
> >
> > Good luck,
> > Rafael
> >
> >
> > On Tue, Apr 28, 2015 at 4:24 PM, Jean-Francois Mezei <
> > jfmezei_na...@vaxination.ca> wrote:
> >
> > >
> > > A friend on a rural DSl association asked about ADSL line extenders.
> > >
> > > A search on Google yields many products dating back to the days of
> > > ADSL-1 advertising 1mbps profiles, but a few seem more recent and
> > > support ADSL2+ (not sure if any support VDSL2).
> > >
> > > Are these thing out of date and no longer deployed ? Were they ever
> > > effective, or just vapourware that didn't really improve things ?
> > >
> > >
> > > Do any Telcos still deploy them ?  Anyone know of deployments in
> Canada ?
> > >
> > > I just need a reality check on those devices.
> > >
> > > jf
> > >
>
>
>


Re: ADSL Line Extenders

2015-04-29 Thread Rafael Possamai
Semi-related question: in instances like this, wouldn't a point-to-point
link provide larger throughput and be less expensive? Unless you are
talking about several subscribers that are already installed and operating.
Depending on the situation, it might make sense to set a few sectorial
antennas at a high-point and link everyone with small inexpensive CPE
antennas. Just a quick thought.

Good luck,
Rafael


On Tue, Apr 28, 2015 at 4:24 PM, Jean-Francois Mezei <
jfmezei_na...@vaxination.ca> wrote:

>
> A friend on a rural DSl association asked about ADSL line extenders.
>
> A search on Google yields many products dating back to the days of
> ADSL-1 advertising 1mbps profiles, but a few seem more recent and
> support ADSL2+ (not sure if any support VDSL2).
>
> Are these thing out of date and no longer deployed ? Were they ever
> effective, or just vapourware that didn't really improve things ?
>
>
> Do any Telcos still deploy them ?  Anyone know of deployments in Canada ?
>
> I just need a reality check on those devices.
>
> jf
>


Re: rack cable length

2015-04-17 Thread Rafael Possamai
Hi Shawn,

If you don't leave slack, you can't really pull the server out of the RU
for maintenance (hot swaps, etc). Your best choice is to purchase cable
management trays if that makes sense (Dell servers usually come with
those).  Otherwise you just need to deal with the loops and whatnot the
best way you can. If your colo hardware is really random (dells, HPs,
supermicros) then it gets worse, but if your hardware is homogeneous then
you can come up with some way of attaching brackets to the side of the rack
that could help you avoid a rat's nest in the back of your rack (granted you
can't find cable management trays or they are too expensive to justify the
investment).



On Fri, Apr 17, 2015 at 1:44 PM, shawn wilson  wrote:

> This is probably a stupid question, but
>
> We've got a few racks in a colo. The racks don't have any decent cable
> management (square metal holes to attach velcro to). We either order
> cable too long and end up with lots of loops which get in the way (no
> place to loop lots of excess really) or too short to run along the
> side (which is worse). It appears others using the same racks have
> figured this out, but...
>
> Do y'all just order 10 of each size per rack in every color you need
> or is there a better way to figure this out? I'm guessing something
> like 24 inches + (1.75 inches x Us) + 24 inches and round up to
> standard length...?
>


Spam coming from (possibly) GoDaddy servers - anyone on the list?

2015-03-10 Thread Rafael Possamai
Received some fake FedEx emails coming from "secureserver.net" servers that
afaik belong to GoDaddy.

I can give more details if someone speaks up. GMail anti-spam only picked
up a few of these, others went straight through to inbox.


Regards,
Rafael


Re: Comcast Support (from NANOG Digest, Vol 84, Issue 23)

2015-02-24 Thread Rafael Possamai

On Tue, Feb 24, 2015 at 10:27 AM, Kain, Rebecca (.)  wrote:

> Ah, Comcast support.  Those people who keep calling my Ford Motor Company
> phone, to threaten to shut off service to my home, which I don't have (I
> have uverse).  They keep saying they will take my Ford number off the
> account (which of course, I don't know the account number because I don't
> have an account) and then they call again, with the same threat.
>
> Real winners.  And yes, I've been saving the chats with support.
>
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jay Ashworth
> Sent: Tuesday, February 24, 2015 11:23 AM
> To: NANOG
> Subject: Re: Comcast Support (from NANOG Digest, Vol 84, Issue 23)
>
> I thought you were just supposed to give your Geek License number.  :-)
>
> #nothingScales
>
> - Original Message -
> > From: "Kevin McElearney" 
> > To: "Peter Loron" , "John Brzozowski" <
> john_brzozow...@cable.comcast.com>
> > Cc: nanog@nanog.org
> > Sent: Monday, February 23, 2015 9:16:37 AM
> > Subject: Re: Comcast Support (from NANOG Digest, Vol 84, Issue 23)
> > You forgot to use the word “Shibboleet” when you called care.
> > Contacted
> > Peter off-list
> >
> >
> > - Kevin
> >
> > On 2/23/15, 1:25 AM, "Peter Loron"  wrote:
> >
> > >Apologies for a bit off topic, but I’m trying to get an issue
> > >resolved
> > >and am having trouble reaching anybody who seems clue positive.
> > >
> > >From home via Comcast cable, I’m having trouble reaching some
> > >destinations. According to mtr, there is a particular node
> > >(be-11-pe02.11greatoaks.ca.ibone.comcast.net) which is suffering >
> > >30%
> > >loss. Contacting the Comcast consumer support folks is useless (what
> > >are
> > >the lights on your modem doing? Did you power cycle it?). When this
> > >is
> > >happening, I usually am told they need to send a tech to my house.
> > >.
> > >
> > >Is there a way to drop a note to the NOC or other folks who would
> > >understand the info and be able to act on it?
> > >
> > >Thanks!
> > >
> > >-Pete
> > >> On Jan 23, 2015, at 09:14, Brzozowski, John
> > >> wrote:
> > >>
> > >> Folks,
> > >>
> > >> The thread below was sent to me a few times, apologies for not
> > >> catching
> > >>it sooner.
> > >>
> > >> Janet,
> > >>
> > >> I sent you mail unicast with a request for some information. I am
> > >>happy to help you out.
> > >>
> > >> For the larger NANOG audience, Comcast has recently launched IPv6
> > >>support for our BCI products, these are our DOCSIS based commercial
> > >>offerings. This means that if you gateway device is in fact in RG
> > >>mode
> > >>you will be delegated a dynamic IPv6 prefix, by default customers
> > >>are
> > >>delegated a /56 prefix along with a single IPv6 address that is
> > >>assigned
> > >>to the WAN of the gateway device. IPv6 support applies to the
> > >>following
> > >>makes and models:
> > >>
> > >> SMC D3G CCR (http://mydeviceinfo.comcast.net/device.php?devid=216)
> > >> Cisco BWG (http://mydeviceinfo.comcast.net/device.php?devid=347)
> > >> Netgear CG3000D
> > >> (http://mydeviceinfo.comcast.net/device.php?devid=347)
> > >>
> > >> For customers where you bring your own cable modem or have one of
> > >> the
> > >>above in bridge mode we have enabled IPv6 support for you as well.
> > >>However, your router behind the modem must be running software and
> > >>configured with IPv6 support. Specifically, your router needs to be
> > >>support stateful DHCPv6 for IPv6 address and prefix acquisition. We
> > >>have received a number of reports from customers that the Juniper
> > >>SRX
> > >>does not appear to properly support IPv6. We are working with
> > >>Juniper
> > >>and also recommend that you reach out to Juniper as well.
> > >>
> > >> Please keep checking http://www.comcast6.net for updates, we will
> > >> post
> > >>some additional information here in the next week or so. In the mean
> > >>time if you have questions feel free to send me mail or post them
> > >>here
> > >>on the NANOG list.
> > >>
> > >> HTH,
> > >>
> > >> John
> > >> =
> > >> John Jason Brzozowski
> > >> Comcast Cable
> > >> p) 484-962-0060
> > >> w) www.comcast6.net
> > >> e) john_brzozow...@cable.comcast.com
> > >> =
> > >>
> > >>
> > >>
> > >> -Original Message-
> > >> From: "nanog-requ...@nanog.org"
> > >>mailto:nanog-requ...@nanog.org>>
> > >> Reply-To: NANOG mailto:nanog@nanog.org>>
> > >> Date: Friday, January 23, 2015 at 07:00
> > >> To: NANOG mailto:nanog@nanog.org>>
> > >> Subject: NANOG Digest, Vol 84, Issue 23
> > >>
> > >> Date: Thu, 22 Jan 2015 22:42:17 +
> > >> From: Janet Sullivan
> > >> mailto:jan...@nairial.net>>
> > >> To: "'nanog@nanog.org'"
> > >>mailto:nanog@nanog.org>>
> > >> Subject: Comcast Support

Re: Intrusion Detection recommendations

2015-02-14 Thread Rafael Possamai
Thanks for the awesome response, you have valid points. This could be me
trying to simplify things by suggesting something like Cisco ASA, but the
FreeBSD solution will need much more than just a well written ipfw or pf
set of rules. In his scenario, I would also most likely need to set up VPN,
CARP, etc., which requires a decent amount of knowledge. If you use newer
NICs, you'll most likely need to go with 10.0 or higher, which requires
constant updates/patches since it's a new release.





On Sat, Feb 14, 2015 at 11:31 AM, BPNoC Group  wrote:

> On Fri, Feb 13, 2015 at 6:45 PM, Rafael Possamai 
> wrote:
>
>> I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
>> use a fairly well tested security appliance like Cisco's ASA.
>
>
> Or maybe Juniper, Cisco's Ironport, IPSO?
>
> They are all FreeBSD based, big and large critical networks ready.
>
> FreeBSD's ipfw codebase exists for longer than most commercial products
> you somehow believe to be more mature. So, FreeBSD's firewalling code at
> least, as well tested as commercial vendors products.
>
>
>> Depending on
>> the traffic you have on your fiber uplink, you can get a redundant pair of
>> ASAs running for less than $2,000 in the US.
>
>
> For this traffic rate the best part on a commercial product is just
> irrelevant: good specifics hardware. Whatever can be done with a USD 2K
> Cisco based solution can be done on cheap low capacity x86 hardware with
> FreeBSD.
>
>
>> I just find it less stressful
>> to use a solution like ASA rather than worrying about patching your kernel
>> every so often and worrying about possible vulns in the ipfw/pf codes.
>>
>
> One does not need to svn update, build kernel, build world if he does not
> want to. It's just a matter of adding freebsd-update to crontab (or having
> you own manual updating cycle in place).
>
>
>> That, and you have to make sure EVERYTHING is taken into account when you
>> create your rules, which requires some intense knowledge on either ipfw,
>> pf
>> or both.
>>
>
> Another point I am completely inclined to disagree.
>
> My team is made up of junior level, trainees, to +20yr experience
> professionals.
>
> There is absolutely no relevant learning curve for someone who has
> configured a Cisco or Juniper firewall to a PF or IPFW firewall. If the
> guy comes from a Linux background he finds it ridiculously simple to have a
> PF firewall up and running, after all for someone used to that weird
> iptables syntax and semantics, a firewall where rules are linear and
> natural syntax are a piece of cake.
>
> For new professionals, they quickly learn PF/IPFW better than Linux or
> Fortigate which is another product we also have in place (heterogenous /
> mixed team and technologies here).
>
> The tool is just the tool, it should a matter of what the tool can or can
> not do, but not a matter on how to use it. Cisco ASA and PF are completely
> different animals, sure, but learning 'em from scratch or coming from other
> animals like Linux or Fortigate is straightforward.
>
> While products like fortigate have a nice GUI interface, it's just limited
> and low productive. My team tends to configure fortinet on CLI, and guess
> what? Fortinet team are usually joked at by BSD team when they see someone
> using Fortinet cli.
>
> It just takes 5 times more to configure several "edit"  blocks, creating
> objects, putting it all together to have a simple firewall rule in the end,
> when the BSD guys do a one line rule with macros and tables sorted all for
> equivalent "object"  advantages. Nobody cares for GUI in my team, but if a
> fancy GUI is required they send pfSense screenshots for the Fortinet guys
> just to keep the making fun...
>
> I strongly believe in the idea that open source has its place and
> commercial products have their place on different scenarios and
> requirements. And in this scenario Mr Andy is asking about, IMO there's no
> reason not to go with open source BSD.
>
> Specially because he seems already familiar with FreeBSD.
>
> I am not an expert in intrusion detection, so with regards to that, I'd
>> just setup a honeypot and monitor activity. You can also regularly run
>> penetration tests on your own network and see how well you are protected.
>> Just make sure the appropriate people know about these tests so you don't
>> get wrongfully reported.
>>
>
> Not the same thing, same goal or same results.
>
>
>>
>>
>> Rafael
>>
>>
>> On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth 
>> wrote:
>>

Re: Intrusion Detection recommendations

2015-02-13 Thread Rafael Possamai
What is the alternative then... Does he have the time to become a BSD guru
and master ipfw and pf? Probably not feasible with all other job duties,
unless he locks himself in his mom's basement for the next 5 years.


On Fri, Feb 13, 2015 at 3:27 PM, Rich Kulawiec  wrote:

> On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote:
> > I am a huge fan of FreeBSD, but for a medium/large business I'd
> definitely
> > use a fairly well tested security appliance like Cisco's ASA.
>
> Closed-source software is faith-based security.
>
> ---rsk
>


Re: Intrusion Detection recommendations

2015-02-13 Thread Rafael Possamai
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
use a fairly well tested security appliance like Cisco's ASA. Depending on
the traffic you have on your fiber uplink, you can get a redundant pair of
ASAs running for less than $2,000 in the US. I just find it less stressful
to use a solution like ASA rather than worrying about patching your kernel
every so often and worrying about possible vulns in the ipfw/pf codes.
That, and you have to make sure EVERYTHING is taken into account when you
create your rules, which requires some intense knowledge on either ipfw, pf
or both.

I am not an expert in intrusion detection, so with regards to that, I'd
just set up a honeypot and monitor activity. You can also regularly run
penetration tests on your own network and see how well you are protected.
Just make sure the appropriate people know about these tests so you don't
get wrongfully reported.


Rafael


On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth  wrote:

> NANOG'ers,
>
> I've been tasked by our company president to learn about, investigate and
> recommend an intrusion detection system for our company.
>
> We're a smaller outfit, less than 100 employees, entirely Apple-based.
> Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the
> world. We are protected by a FreeBSD firewall setup, and we stay current on
> updates/patches from Apple and FreeBSD, but that's as far as my expertise
> goes.
>
> Initially, what do people recommend for:
>
> 1. Crash course in intrusion detection as a whole
> 2. Suggestions or recommendations for intrusion detection hardware or
> software
> 3. Other things I'm likely overlooking
>
> Thank you all in advance for your wisdom.
>
>
> 
> Andy Ringsmuth
> a...@newslink.com
> News Link – Manager Technology & Facilities
> 2201 Winthrop Rd., Lincoln, NE 68502-4158
> (402) 475-6397(402) 304-0083 cellular
>
>


Re: [OT] Re: Intellectual Property in Network Design

2015-02-13 Thread Rafael Possamai
Thank you for looking up facts, laws, etc... The rest is merely opinion,
and wouldn't necessarily help someone trying to protect their network
designs.

On Fri, Feb 13, 2015 at 11:25 AM,  wrote:

> On Fri, 13 Feb 2015 10:28:25 -0500, William Herrin said:
>
> > I have to disagree with you there. This particular ship sailed four
> decades
> > ago when CONTU found computer software to be copyrightable and the
> > subsequent legislation and litigation agreed.
>
> The output of "craft" is copyrightable even if it doesn't count as "art",
> as long as it meets the requirement of 17 USC 102(a)(1) - "literary works".
>
> The issue with software wasn't if it was "art", but if it was a literary
> work
> (they struggled for a while with the concept of machine-readable versus
> human
> readable).
>
> "Furthermore, the House Report discussing the Act states:
> The term "literary works" does not connote any criterion of literary merit
> or
> qualitative value: it includes catalogs, directories, and similar factual,
> reference, or instructional works and compilations of data. It also
> includes
> computer data bases, and computer programs to the extent that they
> incorporate
> authorship in the programmer's expression of original ideas, as
> distinguished from the ideas themselves. {FN8: H.R. Rep. No. 94-1476 at 54}
>
> http://digital-law-online.info/lpdi1.0/treatise17.html
>
> If catalogs and directories are covered, config files are... :)
>
>


Re: Comcast Static IP Changed With New Modem?

2015-02-11 Thread Rafael Possamai
I've had a similar mistake happen with TWC. It's most likely a glitch in
their config system which should use the gateway's mac address in order to
assign a static IP on the docsis modem. Tech support should figure this out
pretty quick without escalating it much further. I've had an instance where
a second line/modem was added with the same gateway IP, and that brought us
down for over a day until they got around to fixing it.

My suggestion is to always keep your gateways/edges monitored with a
service like Monitis. I use ping monitors every single minute from three
different locations in the US (abroad available too) and get email/SMS/call
whenever something fails once, twice, etc from one, two or more locations.
Really cool monitoring system.

Hope this helps.



On Mon, Feb 9, 2015 at 10:32 AM, Justin Krejci 
wrote:

> Has anyone run into the situation where their static IP address from
> Comcast (on the business class cable modem Internet service) was changed
> when the modem was replaced?
>
> We have a remote site that uses Comcast as a backup Internet connection
> and when we went to use it recently our VPN tunnel would not establish.
> After working with the Comcast support group we discovered Comcast changed
> our static IP address. I am working through trying to figure out the when
> and the why with Comcast still and suspect it was changed when the modem
> was replaced back in December. The modem was replaced by Comcast as our
> previous modem was apparently EOL'ed.
>
> We're now setting up additional monitoring to verify the accessibility of
> our remote site via the Comcast connection so we don't have any future
> uh-ohs when we need to use our backup connection and it too is not fully
> functional.
>
> TIA,
> -Justin
>


Re: abuse reporting tools

2014-11-18 Thread Rafael Possamai
Some folks might disagree with this, but if it's an important service that
I have running on a network, I will block a series of garbage AS's (closer
to /8 the better) at the firewall (not at the edge) and that reduces the
headaches by 50%. This isn't practical at the edge, but for system
administration is the only way I have found to minimize the problem. A lot
of times the owners of these IPs don't really care and won't take action.
For example, a lot of garbage comes out of FDC Servers in Chicago at times,
and not much is done about it.

On Tue, Nov 18, 2014 at 6:58 PM, Mike wrote:

> Hello,
>
> I provide broadband connectivity to mostly residential users. Over the
> past few years, instances of DDoS against the network - specifically
> targeting end users - have been on the rise, and today I can qualify many
> of these as simple acts of revenge where someone will engage a dos
> (possibly, services like 'booters' or similar) because they lost an
> online game or had some interaction in a forum they didn't like. I have
> good 'consumer broadband' filtering rules in place which make sense and
> protect against quite a lot of obviously ddos oriented traffic streams.
> The next step I want to engage, for those types of traffic which I can
> positively identify as not spoofed, is to send out abuse reports to
> owners of ip ranges used to launch these attacks. Ideally I'd like to be
> able to write up some form letter describing the attack, the source
> ip(s) of note, some disassembled sample packets, and then feed a list of
> IP source addresses and have it mail it out to the abuse contact at each
> source network. I am wondering if anyone has a pointer or reference to
> any tools which might help facilitate this?
>
> Thank you.
>
> Mike-
>

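The workflow Mike describes above (a list of non-spoofed source IPs, grouped by the abuse contact of each source network, each group getting a form letter with the attack details and a sample packet) as an added example; this is not code from the thread. It assumes RDAP `/ip` responses in the RFC 9083 shape; the responses, IPs and packet bytes below are constructed samples, and in practice the `lookup` callable would fetch the registry's RDAP record for each address.

```python
from collections import defaultdict

# Constructed sample RDAP /ip responses in the RFC 9083 shape (no real registry data).
SAMPLE_RDAP = {
    "192.0.2.7": {"handle": "NET-A", "entities": [
        {"roles": ["registrant"], "vcardArray": ["vcard", [["fn", {}, "text", "ISP A"]]]},
        {"roles": ["abuse"], "vcardArray": ["vcard", [["email", {}, "text", "abuse@isp-a.example"]]]}]},
    "192.0.2.9": {"handle": "NET-A", "entities": [
        {"roles": ["abuse"], "vcardArray": ["vcard", [["email", {}, "text", "abuse@isp-a.example"]]]}]},
    # abuse contact nested under another entity, as some registries return it
    "198.51.100.4": {"handle": "NET-B", "entities": [{"roles": ["technical"], "entities": [
        {"roles": ["abuse"], "vcardArray": ["vcard", [["email", {}, "text", "abuse@isp-b.example"]]]}]}]},
    "203.0.113.5": {"handle": "NET-C", "entities": []},  # no abuse role at all
}

def abuse_mailbox(rdap):
    """First email of an 'abuse'-role entity, searching nested entities; None if absent."""
    for ent in rdap.get("entities", []):
        if "abuse" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "email":
                    return prop[3]
        nested = abuse_mailbox(ent)
        if nested:
            return nested
    return None

def group_by_contact(ips, lookup=SAMPLE_RDAP.get):
    """Map abuse mailbox -> source IPs; IPs whose network has no contact are returned separately."""
    groups, unresolved = defaultdict(list), []
    for ip in ips:
        contact = abuse_mailbox(lookup(ip) or {})
        (groups[contact] if contact else unresolved).append(ip)
    return dict(groups), unresolved

def render_report(contact, ips, target, when, packet_hex):
    """Plain-text form letter for one abuse contact covering all of its source IPs."""
    body = [f"To: {contact}", f"Subject: DDoS traffic from your network toward {target}", "",
            f"At {when} UTC our monitoring observed a flood toward {target} from",
            "the following addresses in your allocation (no spoofing detected):"]
    body += [f"  {ip}" for ip in sorted(ips)]
    body += ["", "Sample packet (hex):", f"  {packet_hex}", "",
             "Please investigate and let us know the outcome."]
    return "\n".join(body)

if __name__ == "__main__":
    groups, missing = group_by_contact(list(SAMPLE_RDAP))
    for contact, ips in groups.items():  # constructed victim address, time and packet bytes
        print(render_report(contact, ips, "203.0.113.200", "2014-11-18 23:58", "4500003c1c46"), "\n")
    print("No abuse contact found for:", missing)
```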
