Re: ARIN sucks? was Re: Kremen's Buddy?

2006-09-14 Thread Hank Nussbacher




Richard A Steenbergen wrote:
Try looking at it from an outsider's point of view instead. If you're new 
to dealing with ARIN, it is not uncommon to find the process is 
absolutely baffling, frustrating, slow, expensive, and requiring 
intrusive disclosure just shy of an anal cavity probe.


I recently had to do the ARIN process for a customer from beginning to 
end.  Never had experience with ARIN, nor its methods or templates (only 
RIPE experience).


Took 5 weeks to get a /19 and then an additional 4 weeks to get the ASN.  YMMV.

-Hank Nussbacher
http://www.interall.co.il




RE: Watch your replies (was Kremen....)

2006-09-14 Thread Michael . Dillon

  Perhaps the list should be turned into a wiki; 

 I might just to watch the hilarity.  Is there any real interest in this?

Do we want another wiki to compete with http://nanog.cluepon.net ?

Mediawiki is a good idea, but proliferation is not so good.
Also, if you want to contribute, why not write up a page
or two for the existing wiki?

--Michael Dillon



Re: renumbering IPv6

2006-09-14 Thread Michael . Dillon

 The 8xx system is the one which maps to domain names,
 not the standard land-line system.

In the United States, due to number portability regulations,
the standard land-line phone numbers also map to domain
names because they are no longer used for routing calls.
In the UK, mobile phone numbers also map to domain names
because of regulations that allow you to switch mobile
network operators and maintain your phone number.

 Perhaps a customer who wanted to make IP addresses
 portable would pay a fee to the ISP whose addresses
 they are, and maintain redirection equipment to the
 real IPs...  And perhaps the price of doing so would
 actually be higher than just keeping a T1 to that
 first provider... 

There are people who are proposing a mechanism like
that in order to do a new type of multihoming in 
IPv6.

http://www.ietf.org/html.charters/multi6-charter.html

--Michael Dillon



RE: ARIN sucks? was Re: Kremen's Buddy?

2006-09-14 Thread Lasher, Donn


Richard A Steenbergen wrote:
Try looking at it from an outsider's point of view instead. If you're 
new to dealing with ARIN, it is not uncommon to find the process is 
absolutely baffling, frustrating, slow, expensive, and requiring 
intrusive disclosure just shy of an anal cavity probe.

Hank Said,
I recently had to do the ARIN process for a customer from beginning to
end.  Never had experience with ARIN,
nor its methods or templates (only RIPE experience).
Took 5 weeks to get a /19 and then an additional 4 weeks to get the
ASN.  YMMV.

YMMV, but my mileage has been just as bad as yours, in some cases worse.
Converting from swip's to RWHOIS took 6 months. ARIN is painful. Overly
painful for someone who you pay for the right to USE IP addresses on a
yearly basis

Of course, that's just my personal viewpoint.






Re: kW Per Rack.

2006-09-14 Thread Will Hargrave


Robert Sherrard wrote:


How many of you are currently cooling 7kW+ per cabinet.. are any of you 
cooling more than 15kW per rack, if so how large is your footprint? Are 
any of you using water cool racks, by tapping into house water?


We are cooling 15KW/rack for high performance computing using the Trox 
CO2 system:


http://www.modbs.co.uk/news/fullstory.php/aid/1735/The_next_generation_of_cooling__for_computer_rooms.html

http://www.troxaitcs.co.uk/aitcs/solutions/co2_mcc/index.php

Obviously this is a very new technology for the moment but I think our 
experiences have been favourable. I'm not an expert but I think we 
reject heat directly outside (300KW plant) but they also have systems 
designed to exchange directly into building chilled water.


Will


Cyber Storm Findings

2006-09-14 Thread Michael . Dillon

A quote from the DHS's recently released report about their Cyberstorm 
exercise in Feb:
http://www.dhs.gov/interweb/assetlibrary/prep_cyberstormreport_sep06.pdf

Finding 3: Correlation of Multiple Incidents between Public and Private 
Sectors. Correlation of multiple incidents across multiple infrastructures 
and between the public and private sectors remains a major challenge. The 
cyber incident response community was generally effective in addressing 
single threats/attacks, and to some extent multiple threats/attack. 
However, most incidents were treated as individual and discrete events. 
Players were challenged when attempting to develop an integrated 
situational awareness picture and cohesive impact assessment across 
sectors and attack vectors.

And a question:
Do network operators have something to learn from these DHS activities
or do we have best practices that the DHS should be copying?

--Michael Dillon



RE: ARIN sucks?

2006-09-14 Thread Hank Nussbacher


At 02:07 AM 14-09-06 -0700, Lasher, Donn wrote:


YMMV, but my mileage has been just as bad as yours, in some cases worse.
Converting from swip's to RWHOIS took 6 months. ARIN is painful. Overly
painful for someone who you pay for the right to USE IP addresses on a
yearly basis


I stated those numbers as a good example.  My experience in RIPE is 3-4 
months for the entire process.  My last one in RIPE took 6 months for the 
IPv4, ASN and IPv6 allocations.


The grass is always greener elsewhere :-)

-Hank Nussbacher
http://www.interall.co.il



Re: Cyber Storm Findings

2006-09-14 Thread Gadi Evron

On Thu, 14 Sep 2006 [EMAIL PROTECTED] wrote:
 
 A quote from the DHS's recently released report about their Cyberstorm 
 exercise in Feb:
 http://www.dhs.gov/interweb/assetlibrary/prep_cyberstormreport_sep06.pdf
 
 Finding 3: Correlation of Multiple Incidents between Public and Private 
 Sectors. Correlation of multiple incidents across multiple infrastructures 
 and between the public and private sectors remains a major challenge. The 
 cyber incident response community was generally effective in addressing 
 single threats/attacks, and to some extent multiple threats/attack. 
 However, most incidents were treated as individual and discrete events. 
 Players were challenged when attempting to develop an integrated 
 situational awareness picture and cohesive impact assessment across 
 sectors and attack vectors.
 
 And a question:
 Do network operators have something to learn from these DHS activities
 or do we have best practices that the DHS should be copying?

On the level of response and mitigation on networks, they have a lot to
learn. On coordinated response and strategic view of situations across
networks, we all definitely can learn from them, only that I don't believe
such issues affect the work of individual network operators to that level.

Is my network up and running?

Is the Internet up and running or is my competitor up and running is
secondary until the point where it affects you.

I don't see it as a bad thing, as that's the job description, but that
will become more apparent in the future.

 
 --Michael Dillon
 



Re: ARIN sucks? was Re: Kremen's Buddy?

2006-09-14 Thread Jack Bates


Lasher, Donn wrote:

YMMV, but my mileage has been just as bad as yours, in some cases worse.
Converting from swip's to RWHOIS took 6 months. ARIN is painful. Overly
painful for someone who you pay for the right to USE IP addresses on a
yearly basis


Of course, that's just my personal viewpoint.



I'm curious why you converted to RWHOIS. I SWIP'd my entire network to 
get my assignments. Many large ISPs still SWIP. I didn't have time to 
mess with RWHOIS.


-Jack


Re: ARIN sucks? was Re: Kremen's Buddy?

2006-09-14 Thread Alain Hebert


   Hi,

   All our experiences consulting our clients about how to get their AS 
and Subnets have been pretty easy and fast.


   First get enough IP from 2 Peer to justify at least a /21;

   Now that you have 2 Peer, request the AS and a Subnet from ARIN;

   Take a day or 2 to prepare the paperwork;

   Submit it in the right sequence to ARIN;

   And LISTEN to your ARIN rep, they know how the procedure must be 
done and will help you get it done correctly.


   Simple really.

Hank Nussbacher wrote:





Richard A Steenbergen wrote:

Try looking at it from an outsider's point of view instead. If 
you're new to dealing with ARIN, it is not uncommon to find the 
process is absolutely baffling, frustrating, slow, expensive, and 
requiring intrusive disclosure just shy of an anal cavity probe.




I recently had to do the ARIN process for a customer from beginning to 
end.  Never had experience with ARIN, nor its methods or templates 
(only RIPE experience).


Took 5 weeks to get a /19 and then an additional 4 weeks to get the 
ASN.  YMMV.


-Hank Nussbacher
http://www.interall.co.il





--
Alain Hebert                                [EMAIL PROTECTED]
PubNIX Inc.
P.O. Box 175   Beaconsfield, Quebec H9W 5T7

tel 514-990-5911   http://www.pubnix.net   fax 514-990-9443



required fields

2006-09-14 Thread bmanning


so... for registration for NANOG, i am REQUIRED to specify
a tee-shirt size before being allowed to proceed.

i've seen silly stuff in my day, but this might take the cake.

as a suggestion, if you (and you know who you are) insist on
requiring folks to specify clothing preferences/styles before
allowing them to register for a network operational conference
you -might- allow them to opt-out by specifying NONE.

as usual, YMMV

--bill



Re: renumbering IPv6

2006-09-14 Thread david raistrick


On Wed, 13 Sep 2006, kloch wrote:


http://www.arin.net/registration/templates/v6-end-user.txt

An org that already has IPv4 space from ARIN will find it trivial to
complete.


I wonder how well this would apply to orgs with pre-ARIN allocations, 
particularly smaller blocks.


...david

---
david raistrick    http://www.netmeister.org/news/learn2quote.html
[EMAIL PROTECTED] http://www.expita.com/nomime.html



Re: renumbering IPv6

2006-09-14 Thread william(at)elan.net



On Thu, 14 Sep 2006, david raistrick wrote:



On Wed, 13 Sep 2006, kloch wrote:


http://www.arin.net/registration/templates/v6-end-user.txt

An org that already has IPv4 space from ARIN will find it trivial to
complete.


I wonder how well this would apply to orgs with pre-ARIN allocations, 
particularly smaller blocks.


If you qualify for IPv4 micro-allocation under current ARIN policies
(i.e. including for smaller /22 block) which is true about many legacy
smaller blocks, then there is a new policy (active and available for
use as of 15 days ago) that allows you to get IPv6 Micro-Allocation:
 http://www.arin.net/policy/proposals/2005_1.html

That is BTW what Bill Manning was referring to when he said ARIN is 
making disruptive changes in general RIR policies...


--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: ARIN sucks? was Re: Kremen's Buddy?

2006-09-14 Thread virendra rode //




Alain Hebert wrote:
 
Hi,
 
All our experiences consulting our clients about how to get their AS
 and Subnets have been pretty easy and fast.
 
First get enough IP from 2 Peer to justify at least a /21;
 
Now that you have 2 Peer, request the AS and a Subnet from ARIN;
 
Take a day or 2 to prepare the paperwork;
 
Submit it in the right sequence to ARIN;
 
And LISTEN to your ARIN rep, they know how the procedure must be done
 and will help you get it done correctly.
 
Simple really.
--
I'm in the process of obtaining PI & ASN for my customer. Looking at
ARIN's template, it appears to be pretty straightforward.

1. POC
2. ORG ID
3. AS Number
4. End-User Network Request (/22)

Provided there aren't any issues with the filings, this entire process
shouldn't take more than 1 week tops.


regards,
/virendra






 
 Hank Nussbacher wrote:
 


 Richard A Steenbergen wrote:

 Try looking at it from an outsider's point of view instead. If
 you're new to dealing with ARIN, it is not uncommon to find the
 process is absolutely baffling, frustrating, slow, expensive, and
 requiring intrusive disclosure just shy of an anal cavity probe.


 I recently had to do the ARIN process for a customer from beginning to
 end.  Never had experience with ARIN, nor its methods or templates
 (only RIPE experience).

 Took 5 weeks to get a /19 and then an additional 4 weeks to get the
 ASN.  YMMV.

 -Hank Nussbacher
 http://www.interall.co.il



 


Re: IPv6 PI block is announced - update your filters 2620:0000::/23

2006-09-14 Thread Jeroen Massar

Stephen Sprunk wrote:

Thus spake Jeroen Massar [EMAIL PROTECTED]

8-
IPv6 Assignment Blocks   CIDR Block
2620::/23
-8
Expect blocks in between /40 and /48 there.


Expect mostly /48s and /44s, given that ARIN has not defined any 
criteria for what justifies more than a /48.


The first three are already available:
2620::/48 - U.S. Securities & Exchange Commission
2620:0:10:/48 - S. D. Warren Services Co.
2620:0:20:/48 - CollabNet

These have been added to GRH (http://www.sixxs.net/tools/grh/) now let's 
see how long it takes for them to show up in the global tables and how 
far their reach will be. Hallway talk: one of them was requested 6 sept, 
answer on the same day that it will be issued, received on 13 sept, nice 
work there ARIN :)


 Of course, some folks will
 announce a /44 instead since the block is reserved, but it should
 still only be one route.

That it is reserved as a /44 doesn't mean one can announce that /48 as 
it is not assigned to them.


Still, even if every org that qualified for an assignment today got one, 
you're still only looking at a couple tens of thousands of routes max. 
ARIN using a /23 for PIv6 is either serious overkill or we'll never 
need to allocate another block at work.


The /23 is a good thing indeed, people won't most likely have to ever 
update their filters for that one.


[..]

IMHO, BGP will fall over and die long before we get to that many ASNs.


I guess that will indeed be the case.

Remember, the goal in giving people really big v6 blocks, vs. IPv4-style 
multiple allocations/assignments, is to reduce the necessary number of 
routes to (roughly) the number of ASNs.


But people require Traffic Engineering, as such they might want to do 
some routing tricks and thus split up their /48. Only the future will tell.


If PIv6 folks start announcing absurd numbers of routes within their 
allocation, I'd expect ISPs to start filtering everything longer than 
/48 -- if they don't do so from the start.


Most ISP's already do this now. In effect /19 - /48 is unfiltered in 
most places.


Greets,
 Jeroen

PS: Anybody knows when ARIN will finally learn CIDR? :)

8---
$ whois -h whois.arin.net 2620::/48

CIDR queries are not accepted

No match found for 2620::/48.
8

They clearly understand it is CIDR and the resulting record even has a 
CIDR field; they really should move to the RPSL based db that RIPE provides.
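
Added example (not part of the message above or of anyone's posted code): a small Python check of the length filtering discussed in this thread, using the /19 - /48 window and the /40 - /48 range expected inside 2620::/23. Using 2000::/3 as the catch-all block, treating the /40 - /48 expectation as a filter bound, the function names, and every sample prefix other than 2620::/48 are assumptions of this example. It also shows the point made about the reserved /44: a length filter permits it, so only a comparison against the assignment catches it.

```python
import ipaddress

# Length bounds per covering block. The figures are the ones quoted in the
# thread; using 2000::/3 as the catch-all block is this example's assumption.
POLICY = [
    (ipaddress.ip_network("2620::/23"), 40, 48),  # ARIN PI block, /40../48 expected
    (ipaddress.ip_network("2000::/3"), 19, 48),   # "/19 - /48 is unfiltered"
]

# Assignment named in the thread; a real check would load registry data.
ASSIGNED = [ipaddress.ip_network("2620::/48")]

# Constructed sample announcements (only 2620::/48 appears in the thread).
SAMPLE = ["2620::/48", "2620::/44", "2620::/56", "2620::/32",
          "2620:0:8000::/48", "2001:db8::/32", "fc00::/7", "2620::1/48"]


def evaluate(prefix):
    """Return 'permit' or a 'deny: ...' reason for one announced prefix."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return "deny: malformed prefix"
    if net.version != 6:
        return "deny: not IPv6"
    # The first (most specific) block that covers the announcement decides.
    for block, shortest, longest in POLICY:
        if net.subnet_of(block):
            if shortest <= net.prefixlen <= longest:
                return "permit"
            return (f"deny: /{net.prefixlen} outside "
                    f"/{shortest}-/{longest} in {block}")
    return "deny: no matching block"


def assignment_status(prefix, assigned=ASSIGNED):
    """Compare a well-formed prefix with the known assignments."""
    net = ipaddress.ip_network(prefix, strict=True)
    for entry in assigned:
        if net == entry:
            return "exact"
        if net.subnet_of(entry):
            return f"more specific than {entry}"
        if entry.subnet_of(net):
            # Announcing the surrounding reservation, not the assignment.
            return f"covers more than assigned {entry}"
    return "no assignment on record"


def review(announcements):
    """Return (prefix, filter verdict, assignment status) per announcement."""
    rows = []
    for prefix in announcements:
        verdict = evaluate(prefix)
        status = assignment_status(prefix) if verdict == "permit" else "n/a"
        rows.append((prefix, verdict, status))
    return rows


if __name__ == "__main__":
    for row in review(SAMPLE):
        print("%-18s %-45s %s" % row)
```
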






Q on what IGP routing protocol to use for supplying only gateway address

2006-09-14 Thread william(at)elan.net



I need to implement a sort-of failover-loadbalancing where systems
would receive gateway address from at least two routers (including
metric preference if possible). This needs to be done so that no special 
additional config is required on routers for each new system and for
each system all they need is gateway address and nothing else (no routes 
will be advertised to the router; but for security I'll want to specify
that no routes should be accepted). The systems receiving the routes
would be primarily linux PCs but will also include several windows and 
solaris machines. I don't want to use RIP (any version) or proxy ARP.

The routers are currently all cisco equipment.

Any suggestion as to what IGP protocol is best for this scenario?

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


RE: ARIN sucks? was Re: Kremen's Buddy?

2006-09-14 Thread Lasher, Donn

Jack Wrote:
I'm curious why you converted to RWHOIS. I SWIP'd my entire network to
get my assignments. Many large ISPs still SWIP.
 I didn't have time to mess with RWHOIS.

Control. Auditing. 

We got tired of spending countless resources trying to keep track of
what we had, what ARIN thought we had, how to make the two match, how to
modify it, etc. I don't know what ARIN's stats are, but I would imagine
they have some VERY low number (I'd guess 5%) of IP XXX forms that are
approved on the first try. I personally have a 0% success rate, and I
spent a year or two in college

With RWHOIS your IP usage data is internal, easily searchable,
modifiable without going through email ping-pong with ARIN. We (at a
previous employer) used a 3rd party integration program which stored the
data in a database, then wrote out the rwhois file structure, which
helped eliminate some of the pain of using the rwhois daemon by itself.

It made any new IP address requests far easier, since we could do a
complete self-audit before we ever asked ARIN for more space. I have to
believe they far prefer that method of customer IP interaction as well.
They don't have to chase virtual-paper forms around...






Re: Q on what IGP routing protocol to use for supplying only gateway address

2006-09-14 Thread Roland Dobbins



On Sep 14, 2006, at 10:35 AM, william(at)elan.net wrote:


Any suggestion as to what IGP protocol is best for this scenario?


This is more of a cisco-nsp question, but probably OSPF, as it's  
supported by the routing daemons on most *NIXes out of the box.  I  
don't know about Windows.


Are you doing anycasting or something?

If simple redundancy in the default gateway is the goal, another (and  
probably simpler) method is to implement HSRP or GLBP between your  
routers which are serving the hosts in question.



Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice

One of the main causes of the fall of the Roman Empire was that, lacking
zero, they had no way to indicate successful termination of their C
programs.

 -- Robert Firth






Re: Q on what IGP routing protocol to use for supplying only gateway address

2006-09-14 Thread Christopher L. Morrow


On Thu, 14 Sep 2006, william(at)elan.net wrote:



 I need to implement a sort-of failover-loadbalancing where systems
 would receive gateway address from at least two routers (including
snip

 Any suggestion as to what IGP protocol is best for this scenario?

ipv6 and RA ? oh wait, no widescale deployment of ipv6 :( Paul, or someone
from ISC, has mentioned using ospf for this in the past.


Re: Q on what IGP routing protocol to use for supplying only gateway address

2006-09-14 Thread David Barak



--- william(at)elan.net [EMAIL PROTECTED] wrote:

 Any suggestion as to what IGP protocol is best for
 this scenario?


Are you sure you need an IGP at all?  Is it possible
that HSRP or GLBP could fit your needs?

-David

David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com



Re: Q on what IGP routing protocol to use for supplying only gateway address

2006-09-14 Thread william(at)elan.net



On Thu, 14 Sep 2006, Roland Dobbins wrote:


On Sep 14, 2006, at 10:35 AM, william(at)elan.net wrote:


Any suggestion as to what IGP protocol is best for this scenario?


This is more of a cisco-nsp question, but probably OSPF, as it's supported
by the routing daemons on most *NIXes out of the box.  I don't know about 
Windows.


If this was 5+ years ago, I'd have said RIP as it works great for 
supplying only gateway address, but I want RIP to go RIP and will
not use it again. So yes OSPF seems like best choice, but I was
hoping something simple for gateway-only is available. I've no idea
yet how to deal with Windows (all win2000 and win2003), anybody?


Are you doing anycasting or something?


Yes, anycasting will be involved but only for very small number of
servers (all linux) - that is kind-of separate issue. The equipment
itself however will only see local gateway addresses (obviously), so
it should not care or know about it.

If simple redundancy in the default gateway is the goal, another (and 
probably simpler) method is to implement HSRP or GLBP between your routers 
which are serving the hosts in question.


Can't use HSRP in this case (or IVRP or whatever else its called with 
non-cisco options) - too long to explain why.


--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Q on what IGP routing protocol to use for supplying only gateway address

2006-09-14 Thread Michael Nicks


From the sounds of what you are trying to accomplish, I'd think 
VRRP/HSRP would be more up your alley than any dynamic routing protocol. 
Also look at NIC teaming.


Best Regards,
-Michael
--
Michael Nicks
Network Engineer
KanREN
e: [EMAIL PROTECTED]
o: +1-785-856-9800 x221
m: +1-913-378-6516



william(at)elan.net wrote:



I need to implement a sort-of failover-loadbalancing where systems
would receive gateway address from at least two routers (including
metric preference if possible). This needs to be done so that no special 
additional config is required on routers for each new system and for
each system all they need is gateway address and nothing else (no routes 
will be advertised to the router; but for security I'll want to specify
that no routes should be accepted). The systems receiving the routes
would be primarily linux PCs but will also include several windows and 
solaris machines. I don't want to use RIP (any version) or proxy ARP.

The routers are currently all cisco equipment.

Any suggestion as to what IGP protocol is best for this scenario?



Re: Q on what IGP routing protocol to use for supplying only gateway address

2006-09-14 Thread Fergie

..and from an operational perspective, GLBP works relatively
well.

$.02,

- ferg

-- Roland Dobbins [EMAIL PROTECTED] wrote:

On Sep 14, 2006, at 10:35 AM, william(at)elan.net wrote:

 Any suggestion as to what IGP protocol is best for this scenario?

This is more of a cisco-nsp question, but probably OSPF, as it's  
supported by the routing daemons on most *NIXes out of the box.  I  
don't know about Windows.

Are you doing anycasting or something?

If simple redundancy in the default gateway is the goal, another (and  
probably simpler) method is to implement HSRP or GLBP between your  
routers which are serving the hosts in question.

[snip]

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



RE: ARIN sucks? was Re: Kremen's Buddy?

2006-09-14 Thread Jon Lewis


On Thu, 14 Sep 2006, Lasher, Donn wrote:


approved on the first try. I personally have a 0% success rate, and I
spent a year or two in college


I assume you mean 0% success on first submission of the template.  My 
experience has usually been that I don't give them quite enough detail on 
the first try.  They say fill in some more detail here and here.  The 
hardest part for me has always been forecasting expected future need. 
Our business changes frequently, and I never know what our expected usage 
will be...at least not with any certainty.  Last time, we were about to 
roll our DSLAMs in a bunch of COs.  The FCC pulled the UNE rug out from 
under us right as we were beginning deployment, and we canceled that idea.



With RWHOIS your IP usage data is internal, easily searchable,
modifiable without going through email ping-pong with ARIN. We (at a


Are you aware of the use of  in [ARIN] whois queries?  With that, it's 
trivial (though time consuming) to get a list of all your SWIPs, and then 
have someone verify that everything that should be SWIPed is, and any 
stale ones are undone.


I don't agree with the idea that you should only request and receive 3 
months worth of IPs at a time, and I wonder how commonly anyone does that 
in practice...but this is the wrong list for that debate.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Q on what IGP routing protocol to use for supplying only gateway address

2006-09-14 Thread Howard Berkowitz






From: william(at)elan.net [EMAIL PROTECTED]
To: Roland Dobbins [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: Q on what IGP routing protocol to use for supplying only 
gateway address

Date: Thu, 14 Sep 2006 10:55:28 -0700 (PDT)



On Thu, 14 Sep 2006, Roland Dobbins wrote:


On Sep 14, 2006, at 10:35 AM, william(at)elan.net wrote:


Any suggestion as to what IGP protocol is best for this scenario?


This is more of a cisco-nsp question, but probably OSPF, as it's supported
by the routing daemons on most *NIXes out of the box.  I don't know about 
Windows.


If this was 5+ years ago, I'd have said RIP as it works great for supplying 
only gateway address, but I want RIP to go RIP and will
not use it again. So yes OSPF seems like best choice, but I was
hoping something simple for gateway-only is available. I've no idea
yet how to deal with Windows (all win2000 and win2003), anybody?


At least a few years ago, Windows OSPF was a port of Bay RS, which was 
really Wellfleet code. So far, whenever I've needed to look at Windows and 
figure out how it did something, knowing RS usually gave me the answer.



Are you doing anycasting or something?


Yes, anycasting will be involved but only for very small number of
servers (all linux) - that is kind-of separate issue. The equipment
itself however will only see local gateway addresses (obviously), so
it should not care or know about it.

If simple redundancy in the default gateway is the goal, another (and 
probably simpler) method is to implement HSRP or GLBP between your routers 
which are serving the hosts in question.


Can't use HSRP in this case (or IVRP or whatever else its called with 
non-cisco options) - too long to explain why.


VRRP for the non-Cisco. I've recently had to deal with some situations, in 
VoIP, where the critical Call Agents have to stay in communication even if 
physically distant. 802.1w serves nicely to share a subnet between two 
geographically separate sites. Admittedly, one can reasonably count on dual 
OC-192s, diversely routed, and each connected to two switches at either end.






Re: Q on what IGP routing protocol to use for supplying only gateway address

2006-09-14 Thread Tom Sands


If you wanted it to load balance also I would use GLBP, if you didn't 
want to have to configure the clients with a gateway I would look into 
IRDP with GLBP.




william(at)elan.net wrote:




I need to implement a sort-of failover-loadbalancing where systems
would receive gateway address from at least two routers (including
metric preference if possible). This needs to be done so that no special 
additional config is required on routers for each new system and for
each system all they need is gateway address and nothing else (no routes 
will be advertised to the router; but for security I'll want to specify
that no routes should be accepted). The systems receiving the routes
would be primarily linux PCs but will also include several windows and 
solaris machines. I don't want to use RIP (any version) or proxy ARP.

The routers are currently all cisco equipment.

Any suggestion as to what IGP protocol is best for this scenario?



--
--
Tom Sands   
Chief Network Engineer  
Rackspace Managed Hosting   
(210)447-4065   
--


Cogent problems in the uk.

2006-09-14 Thread Joseph Jackson

Anyone else seeing packets being dropped at cogent in London?

 13    55 ms    55 ms    55 ms  p15-0.core01.ord01.atlas.cogentco.com [66.28.4.61]
 14    78 ms    78 ms    78 ms  p14-0.core01.bos01.atlas.cogentco.com [66.28.4.109]
 15   148 ms   148 ms   147 ms  p3-0.core01.lon01.atlas.cogentco.com [130.117.0.45]
 16   152 ms   147 ms   147 ms  ten3-1.mpd01.lon01.atlas.cogentco.com [130.117.1.62]
 17     *        *        *     Request timed out.



We have a cage at Telecity on the isle of dogs and we just lost our vpn
connections to there and now everything is dying at cogent. 


Thanks

Joseph


Re: Cogent problems in the uk.

2006-09-14 Thread Rob Evans



We have a cage at Telecity on the isle of dogs and we just lost our vpn
connections to there and now everything is dying at cogent.


Which Telecity on the Isle of Dogs. :-)

A couple of messages on the LINX ops list suggest there are power
issues at Telecity Bonnington House at the moment...

Cheers,
Rob


RE: Q on what IGP routing protocol to use for supplying only gateway address

2006-09-14 Thread Mark D. Kaye
Hi,

In answer to your question re Windows 2000/2k3 you would just need to install
routing and remote access service (RRAS) - part of windows, you can then add
OSPF as a routing protocol and tell it which adapter to listen on.

I have used this successfully when setting ISA Server up with a default
gateway off one nic (pointing towards the net - protected by a decent
firewall) and another pointing at the local network, one can then learn the
LAN routes using OSPF or RIP etc. and have a default route out the other
NIC.

Mark Kaye


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
william(at)elan.net
Sent: 14 September 2006 18:55
To: Roland Dobbins
Cc: [EMAIL PROTECTED]
Subject: Re: Q on what IGP routing protocol to use for supplying only
gateway address



On Thu, 14 Sep 2006, Roland Dobbins wrote:

 On Sep 14, 2006, at 10:35 AM, william(at)elan.net wrote:

 Any suggestion as to what IGP protocol is best for this scenario?

 This is more of a cisco-nsp question, but probably OSPF, as it's supported
 by the routing daemons on most *NIXes out of the box.  I don't know about 
 Windows.

If this was 5+ years ago, I'd have said RIP as it works great for 
supplying only gateway address, but I want RIP to go RIP and will
not use it again. So yes OSPF seems like best choice, but I was
hoping something simple for gateway-only is available. I've no idea
yet how to deal with Windows (all win2000 and win2003), anybody?

 Are you doing anycasting or something?

Yes, anycasting will be involved but only for very small number of
servers (all linux) - that is kind-of separate issue. The equipment
itself however will only see local gateway addresses (obviously), so
it should not care or know about it.

 If simple redundancy in the default gateway is the goal, another (and 
 probably simpler) method is to implement HSRP or GLBP between your routers

 which are serving the hosts in question.

Can't use HSRP in this case (or IVRP or whatever else its called with 
non-cisco options) - too long to explain why.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]




ICANN -- phones busy?

2006-09-14 Thread Deepak Jain



I've been trying to reach ICANN by phone and email for ~ 3 weeks. Does 
anyone ever call them and not get a message, All of our lines are 
currently busy?


Is ICANN considered an operational contact?

Deepak


Re: ICANN -- phones busy?

2006-09-14 Thread John L Crain



Hi Deepak,

People have been getting through without issues.

I will send you a separate e-mail to troubleshoot your exact issue.


John Crain


Deepak Jain wrote:



I've been trying to reach ICANN by phone and email for ~ 3 weeks. Does 
anyone ever call them and not get a message, All of our lines are 
currently busy?


Is ICANN considered an operational contact?

Deepak





Re: ICANN -- phones busy?

2006-09-14 Thread Randy Bush



Is ICANN considered an operational contact?


certainly not in any urgent sense.

randy


Re: Cyber Storm Findings

2006-09-14 Thread Travis Hassloch


[EMAIL PROTECTED] wrote:
 Finding 3: Correlation of Multiple Incidents between Public and Private 
 Sectors. Correlation of multiple incidents across multiple infrastructures 
 and between the public and private sectors remains a major challenge...
 And a question:
 Do network operators have something to learn from these DHS activities
 or do we have best practices that the DHS should be copying?

First impressions;

The point here relates specifically to awareness across organizational
lines, and I'd say that both public and private industries have issues
with sharing information with anyone outside their organization,
especially with competitors (ideological, national, or financial).

It doesn't really matter whether you're public or private; what matters
is how broad your scope is.  I'm sure that backbone providers have a
broader view than a leaf node, and that the networking unit in a
particular government department is equally situated when compared to
an individual remote site.

I think that with cryptography we could alleviate some of the concerns
with information sharing between enterprises; that allows us to
establish a larger, shared view of things.  This has a few benefits;
we see the problems earlier than the average leaf, and we have more
data to analyze trends than the average leaf.  However, I think that
nobody has made a proper business case for expending the effort, or
if someone has that they have not communicated it widely enough.
It's not enough for technicians to know, you have to have simple
slogans or tragedies large enough that you can point to them and
say "that's what this would have avoided."

I would say that large banks have the best combination of bigness
and resources that they can employ, and IIRC have some sort of
exclusive information-sharing arrangement about security
incidents; they are not allowed to share that information, even
with the government, except perhaps under subpoena.  Well, that
was true in the pre-PATRIOT act days.  I know that they are big enough
to see malware on occasion before the anti-virus companies see it.

Sadly, governments almost always seem to be preparing for the last
war, or avoiding yesterday's problem.  I believe that this is a
direct consequence of the fact that they attract the most risk-averse
employees.  In the clearance world, being a risk-taker is considered a
disqualifying factor.  There's a lot of competitiveness for the
limelight, and a lot of decisions are made based on trying to make
others appear foolish, or to cover up your own mistakes, not only
because they desire job security, but also because a lot of the
attention is negative.  It seems like the government's failures
are usually public, and their successes unquantifiable.  How many
intrusions did you stop?  Who knows?  When it can't be quantified,
or it's really technical, it's subject to internal spin or
scapegoating or... well, politics.

Also, government agencies have an inherent limitation on efficiency.
An unregulated corporation can choose not to enter an unprofitable
market.  Governments are not allowed this luxury, in general.
They also have to balance the desires of different constituents;
privacy advocates complaining about any intelligence-gathering,
laissez-faire libertarians who think the private sector would do
a better job at everything, jingoists and politicians who want to
score a point by blaming them for not stopping every bad possibility
for every citizen everywhere, all the time, and so on.

Personally, I'm not worried about terrorism.  Not that long ago,
we were worried about the entire planet being made uninhabitable
and humanity quickly extinct by mutually assured destruction.
Now we only have to worry about a cause of death with roughly
the same probability of being killed by a snake bite.  I didn't
hear anyone calling for a war on snakes (not even on planes).
I consider this excellent progress.

PS: This is an excellent blog on security, technology, and
homeland security: http://www.schneier.com/blog/
--
The whole point of the Internet is that different kinds of computers
can interoperate.  Every time you see a web site that only supports
certain browsers or operating systems, they clearly don't get it.