Re: Interesting new spam technique - getting a lot more popular.
On Wed, 2006-06-14 at 05:28 +, Edward B. DREGER wrote:
> CLM> Date: Wed, 14 Jun 2006 04:46:31 + (GMT)
> CLM> From: Christopher L. Morrow
>
> CLM> is it really that hard to make your foundry/extreme/cisco l3 switch vlan
> CLM> and subnet???
>
> Of course not.
>
> CLM> Is this an education thing or a laziness thing?
>
> Both.

And in some cases even a nasty financial thing. Billing customers extra data traffic due to a large amount of broadcast traffic (especially when running badly configured Win32 servers) inside a single /23 or even /22 in one large VLAN is sadly still the case for some hosters.

--
---
Erik Haagsman
Network Architect
We Dare BV
Tel: +31(0)10-7507008
Fax: +31(0)10-7507005
http://www.we-dare.nl
Re: cogent+ Level(3) are ok now
On Tue, 2005-11-01 at 18:48 -0500, [EMAIL PROTECTED] wrote:
> On Tue, 01 Nov 2005 11:46:20 EST, John Payne said:
> > What am I missing?
>
> Obviously, the same thing that management at SBC is missing:
>
> He argued that because SBC and others have invested to build high-speed
> networks, they are due a return.
>
> "There's going to have to be some mechanism for these people ... to pay for the
> portion they're using. Why should they be allowed to use my pipes?" He offered
> no details how his idea could be accomplished.
>
> For an Internet company to "expect to use these pipes free is nuts!" Whitacre
> added for good measure.

Sounds like an extremely short-sighted view of the Net and its economics. Claiming content providers should be charged for "using" broadband access pipes is fine and dandy, but conveniently forgetting that without content there probably wouldn't be a great deal of customers wanting broadband in the first place is a bit sloppy, no?

Erik
Re: multi homing pressure
On Wed, 2005-10-19 at 12:03 -0400, Patrick W. Gilmore wrote:
> For the customer with an Internet "mission critical app", being tied
> to a Tier 2 has its own set of problems, which might actually be
> worse than being tied to a Tier 1.

I think this is largely dependent on the specific topology and redundancy in the Tier-2's network and the way they provide multiple uplinks. When done well, with uplinks spread over separate physical locations, well thought out IP addressing and decentralised exits from the Tier-2's network out to multiple Tier-n's, there's usually a benefit to multi-homed connections to a Tier-2 rather than a Tier-1, with minimum capacity and pricing being the most important ones.
RE: SNMP "Accounting" Software
Cacti does the job graphically extremely well (best rrd front-end ever IMO), but it has no actual reporting tools and it's all rrd based, so not extremely handy for long-term accounting and historical data. The 95% and accumulated data traffic are generated by the interface, not stored in the actual rra's itself. In terms of reporting there's nothing there really, it's just poll -> store in rra -> graph.

Erik

On Tue, 2005-10-11 at 09:32 -0700, McNamara, Colin wrote:
> I would recommend using Cacti for interface speed monitoring.
>
> It is available at www.cacti.net
>
> --Colin
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Weaver
> Sent: Tuesday, October 11, 2005 9:21 AM
> To: nanog@merit.edu
> Subject: SNMP "Accounting" Software
>
> We need some fairly complex SNMP accounting software (data center) style
> stuff that can monitor cisco equipment for bandwidth utilization and
> generate reports based on 95th percentile and also perhaps even their
> actual bandwidth usage (how many gigs of transfer they use per month,
> day, week.. etc) Does anyone know of anything good that does anything
> like this? It needs to be reliable? Can be open source, we're using MRTG
> to track utilization but we need something that really handles
> "accounting" for us.
>
> Thanks,
>
> -Drew
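The two numbers the thread is after (the 95th percentile and the accumulated transfer) are exactly what Cacti derives at graph time rather than storing. The following is an added example, not code from the original post or from Cacti, showing how they are computed from raw SNMP ifInOctets/ifOutOctets samples. The poll data is constructed in the block (make_samples) so it runs offline; the counter widths, poll interval and billing convention (95th percentile over the larger of in/out per interval) are assumptions, not anything the thread specifies.

```python
"""Added example: 95th percentile and accumulated transfer from SNMP
interface counter samples.  Sample data below is constructed, not real."""
from dataclasses import dataclass


@dataclass
class Sample:
    t: int           # poll time, unix seconds
    in_octets: int   # raw ifInOctets (32-bit) or ifHCInOctets (64-bit) value
    out_octets: int  # raw ifOutOctets / ifHCOutOctets value


def counter_delta(prev: int, cur: int, bits: int) -> int:
    """Octets transferred between two readings of a `bits`-wide counter,
    unwrapping a single rollover (cur < prev) the way RRDtool's COUNTER does."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


def rates_mbps(samples, bits=32):
    """Per-interval bit rates (Mbit/s) from successive counter samples.
    Returns [(interval_end_time, in_mbps, out_mbps), ...]."""
    rates = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            continue  # duplicate or out-of-order poll: skip rather than divide by zero
        d_in = counter_delta(prev.in_octets, cur.in_octets, bits)
        d_out = counter_delta(prev.out_octets, cur.out_octets, bits)
        rates.append((cur.t, d_in * 8 / dt / 1e6, d_out * 8 / dt / 1e6))
    return rates


def percentile_95(values):
    """Billing-style 95th percentile: sort ascending, discard the top 5% of
    samples, return the highest remaining one (integer arithmetic, so the
    cut-off does not depend on float rounding).  0.0 for no data."""
    if not values:
        return 0.0
    ordered = sorted(values)
    idx = (95 * len(ordered) + 99) // 100 - 1   # ceil(0.95 * n) - 1
    return ordered[max(idx, 0)]


def accounting(samples, bits=32):
    """Return (p95_mbps, total_gib).  p95 is taken over max(in, out) per
    interval, one common billing convention (assumed here); total is the
    sum of in and out octets over the whole series, in GiB."""
    rates = rates_mbps(samples, bits)
    p95 = percentile_95([max(i, o) for _, i, o in rates])
    total_octets = 0
    for prev, cur in zip(samples, samples[1:]):
        total_octets += counter_delta(prev.in_octets, cur.in_octets, bits)
        total_octets += counter_delta(prev.out_octets, cur.out_octets, bits)
    return p95, total_octets / 2 ** 30


def make_samples(interval_rates, start=0, in0=4_000_000_000, out0=123_456,
                 step=300, bits=32):
    """Constructed poll data: turn per-interval (in_mbps, out_mbps) pairs into
    raw counter readings, wrapping at 2**bits like a real ifInOctets counter.
    in0 is chosen close to 2**32 so the very first interval exercises the wrap."""
    samples = [Sample(start, in0, out0)]
    cin, cout = in0, out0
    for k, (rin, rout) in enumerate(interval_rates, 1):
        cin = (cin + int(rin * 1e6 * step / 8)) % (1 << bits)
        cout = (cout + int(rout * 1e6 * step / 8)) % (1 << bits)
        samples.append(Sample(start + k * step, cin, cout))
    return samples


# Constructed: twenty 5-minute intervals, mostly 10/2 Mbit/s, one 100 Mbit/s
# burst (the single sample the 95th percentile discards) and one 50 Mbit/s peak.
INTERVAL_RATES = [(10, 2)] * 9 + [(100, 20)] + [(10, 2)] * 5 + [(50, 5)] + [(10, 2)] * 4

if __name__ == "__main__":
    p95, gib = accounting(make_samples(INTERVAL_RATES))
    print(f"95th percentile: {p95:.1f} Mbit/s, transferred: {gib:.2f} GiB")
```

One caveat the unwrap hides: a 32-bit octet counter on a gigabit link wraps roughly every 34 seconds, so a 5-minute poll can miss several wraps and under-count silently; for anything above ~100 Mbit/s poll ifHCInOctets/ifHCOutOctets and call accounting(samples, bits=64).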
Re: Regulatory intervention
On Fri, 2005-10-07 at 13:32 -0400, Todd Vierling wrote:
> On Fri, 7 Oct 2005, Erik Haagsman wrote:
> > Ahhh... they feel they shouldn't censor, and there I was thinking that
> > was Google's task in life. Very generous and what a great idea for new
> > laws that firmly put the blame on anyone but Google.
>
> That wasn't my reason for citing it. Neither Google *nor* intermediaries
> should be responsible for illegal content -- to them, it's just bits moving.
>
> The only responsibility that *either* one should bear is the ability to
> provide an audit trail to the real culprit, no more.

Correct. Holding a dial-up ISP responsible for content on one of its customers' machines (or perhaps even a warez server on the other side of the globe?) is complete nonsense. Having them provide forensic info is another (more sensible) matter.
Re: Regulatory intervention
On Fri, 2005-10-07 at 11:21 -0400, Todd Vierling wrote:
> Another snippet from same article:
>
> =
> Google will also push for laws that make ISPs and intermediaries liable for
> the content contained on their servers. Google just indexes the information,
> the search engine argued, and feels it is not its place to censor
> information contained throughout the Web.
> =
>
> Well, isn't that "fun"?

Ahhh... they feel they shouldn't censor, and there I was thinking that was Google's task in life. Very generous and what a great idea for new laws that firmly put the blame on anyone but Google.
Re: Regulatory intervention
On Fri, 2005-10-07 at 14:56 +0100, [EMAIL PROTECTED] wrote:
> Laws only need to be enforced when there is a dispute.
> Laws and regulations, do not necessarily imply that
> enforcement action is needed. Many people and organizations
> comply with laws for reasons other than the existence of
> enforcers. For instance, an organization may feel that it
> is in the industry's best interests to comply with regulations
> and therefore it does so in order to set an example for
> its competitors and to attract customers.
>
> Regulations also do not imply the involvement of governments.
> It is possible for industries to self-regulate such as the
> ARIN policies which are a product of the ARIN membership,
> i.e. companies who use IP addresses in their networks.

Very good point and IMHO the preferred way of dealing with these kinds of issues without the overhead of specific legislation and often stifling governmental intervention. The approach you outline below seems very plausible, with a regulatory organisation of some sort driven by the industry itself protecting both ourselves as well as our customers from idiocy like the whole Cogent/L(3) thing. It would bring both better interconnections and network coverage (and thus network quality IMO) as well as more transparency in peering and interconnection relations. Both good things for end-users and xSP's alike.

> If the press would truly understand this event then they would
> be reporting this as a *MAJOR* flaw in the business model of
> the largest ISPs. The absence of regulation in Internet peering
> allows this type of situation to come about. It is my opinion
> that the network and the Internet business would both be stronger
> if there was some regulation of peering and IP/MPLS network
> interconnection.
>
> This could be done in a couple of ways. One is to have an industry
> association develop self-regulation in conjunction with major end
> users of network services. The other would be for regulation to be
> imposed from without by some kind of interconnect or monitoring
> business like Equinix or Keynote. The analogy here is the New York
> Stock Exchange which is a 3rd party which monitors and interconnects
> the buyers and sellers of shares. In the case of Internet operators
> I don't foresee the need for an SEC equivalent unless operators
> cannot agree to disclose their peering agreements and the technical
> details of their interconnects.
>
> A couple of good things can come out of this "open peering" model.
> One is that disclosure of the technical details, including packet
> drop, buffer consumption, and bandwidth, would lead to more reliable
> interconnects and the ability to provide quality of service SLAs
> across provider networks. The other possible benefit is to develop
> more sophisticated interconnect variants such as MPLS VPN interconnects
> and CDN or multicast interconnects.
>
> --Michael Dillon
Re: Regulatory intervention (Redux: Who is a Tier 1?)
On Fri, 2005-10-07 at 07:44 -0400, William Allen Simpson wrote:
> I repeat my initial assertion, to wit:
> >> This partitioning is exactly what we predicted in many meetings when
> >> discussi[ng] the terms of the contracts.
> >>
> >> Markets are inefficient for infrastructure and tend toward monopoly.
>
> When the "internal policies" -- which in this case are not technical,
> but rather commercial advantage -- are against public policy, that is
> the realm of governments.

So we want to revert to a model where the government starts influencing company policy based on what criteria...? Networks are commercial endeavours by default, since they cost money to run and need to generate revenue to stay in existence, at least last time I checked. Unless you'd like the entire Internet to be under governmental control I don't see how you'd want a government to enforce any policy. This sounds very much like trying to turn ISP's into semi-public companies, which they're not and IMO shouldn't be.

> > One
> > network only peers with a select few, the other only on basis of
> > bandwidth profile and some with as many peers as possible. Without one
> > telling the other what to do or someone sitting behind a desk trying to
> > come up with a Grand Unified Peering Policy that everyone should adhere
> > to. Fine by me.
>
> I'm afraid your head-in-the-sand approach doesn't appear to be working
> well at this time. Major network partition, affecting thousands of
> networks and tens (or hundreds) of thousands of actual people, 48 hours
> and counting.

This is definitely a bad thing but not a problem for governments to solve. Bringing the government to the table will create more problems than it solves.

> Moreover, I thought it might be worthwhile to check what you might have
> posted previously, and found that you started posting on NANOG in 2004,
> during another L(3) partition.

Glad you take an interest.

> Methinks thou doeth protest too much.

Perhaps, but I'd like companies and market forces to solve these problems, not governments. ISP's are free to choose the (multiple) upstreams they wish for, people are free to choose whichever ISP they want, and SLA's and contracts *should* be there to protect people from stupidity like this Cogent/L(3) pissing contest.

> I'm not entirely sure that you are a shill for L(3), but please explain
> your personal interest? Especially as a Northern European posting on a
> North American operator's list?

I never knew I was Swedish, but thanks for telling me. We've got L(3) as one of our transits, so I do take an interest. Most of my larger upstreams are fully or partly NA based and we send quite a bit of traffic to these parts, so I *thought* I'd follow the list and pitch in when I felt like doing so.
Re: Regulatory intervention (Redux: Who is a Tier 1?)
On Thu, 2005-10-06 at 12:44 -0400, William Allen Simpson wrote:
> Erik Haagsman wrote:
> > On Thu, 2005-10-06 at 11:56 -0400, William Allen Simpson wrote:
> >> This partitioning is exactly what we predicted in many meetings when
> >> discussing the terms of the contracts.
> >>
> >> Markets are inefficient for infrastructure and tend toward monopoly.
> >
> > How does replacing non-profit organisations (which most public IX'es
> > are) with government bodies and governmental legislation improve
> > anything...?
>
> Government _is_ a non-profit organization, with generally broader
> representation.
>
> How does replacing a representative government with a smaller feudal
> organization improve anything?

The current status quo has IX's in the hands of private but open organisations, run by their members. Replacing governmental organisations is by now purely hypothetical, it's already happened, and in most countries outside the US there never were government controlled IX's, for IMO very good reasons, with members' freedom to formulate their own policies as number one.

> >> Idiot laissez-faire pseudo-libertarians forget that all markets require
> >> regulation and politics.
> >
> > But why government regulated instead of IX member regulated...?
>
> Because as much as it's best not to rely on thugs with guns, I really
> don't want the thugs with guns to be private armies.

Ah yes, we want public armies with guns to rely on, just like we rely on them at the moment regulating software patents, ISP and telco data tapping, all those nifty little ideas that make our lives so much better.
Re: Regulatory intervention (Redux: Who is a Tier 1?)
On Thu, 2005-10-06 at 14:51 -0400, William Allen Simpson wrote:
> >> Cogent, Open
> >> Level(3), Not public
> >> We Dare B.V., Open
> >>
> >> So, what did your member organization do to resolve this partition.
> >> Cut off Level(3)? Sue them?
> >
> > That particular member organisation has a policy of not interfering with
> > its members' peering policies. It expects its members to send packets
> > only to people who explicitly asked for it over the shared
> > infrastructure (via announcements of prefixes via BGP), and to pay their
> > bills on time.
>
> Arguably a very good thing. IXs shouldn't be in the "enforcement"
> business. That's for governments.

Exactly the reason I don't want governments anywhere near an IX. Every network connected to an IX should be allowed to enforce its own internal policies when connecting with other networks *without* a governmental body trying to enforce certain rules and regulations. One network only peers with a select few, the other only on basis of bandwidth profile and some with as many peers as possible. Without one telling the other what to do or someone sitting behind a desk trying to come up with a Grand Unified Peering Policy that everyone should adhere to. Fine by me.

> (As you will remember, I was refuting his generalization that "private"
> organizations are somehow preferable to "public" organizations. It has
> always been my preference to argue with specifics in hand.)

I never generalised, I merely pointed out that creating governmental IX's has no benefits compared to the current IX's. AMS-IX, DE-CIX, LINX, etc. etc. are open to everyone wanting to connect, that's public enough for me, without having to be government controlled.
Re: Regulatory intervention (Redux: Who is a Tier 1?)
On Thu, 2005-10-06 at 11:56 -0400, William Allen Simpson wrote:
> J. Oquendo wrote:
> > Let me be the punching bag for pondering this on NANOG... What about the
> > roles of governments building a consortium with Tier-1 NSP's where those
> > backbone Tiers are regulated and have predefined, strictly enforced
> > rulesets they'd have to follow. The irony of this is that it sounds both
> > like a nightmare and a dream.
>
> This partitioning is exactly what we predicted in many meetings when
> discussing the terms of the contracts.
>
> Markets are inefficient for infrastructure and tend toward monopoly.

How does replacing non-profit organisations (which most public IX'es are) with government bodies and governmental legislation improve anything...?

> Idiot laissez-faire pseudo-libertarians forget that all markets require
> regulation and politics.

But why government regulated instead of IX member regulated...?
Re: Public Works Peering
On Thu, 2005-10-06 at 10:26 -0400, J. Oquendo wrote:
> Now that I had time to marinate weird ideas even further, this is how my
> previous idea `could` work for all parties. Of course those making
> financial decisions would likely hate this idea since it would somehow
> manage to "hurt" their business in their eyes...
>
> States (or countries) would create a massive public NAP which would be
> peered in each state. Guaranteed not to go down. Well 99.9% (snicker)
> guaranteed not to falter. This network would be funded by taxpayer dollars
> and anyone wanting to peer would pay solely enough to maintain this NAP.

Marinate and weird are certainly . How is this radically different from current public NAPs, funded by their members without profit as the main driving force, and what good would it do? Dragging governments to places we normally wouldn't want them? Please let this idea rest in pieces.

Cheers,
Erik
Re: Hope this isnt a redundant question : Cisco IOS Netflow analysis mechanisms?
On Mon, 2005-09-26 at 11:42 -0700, Will Yardley wrote:
> On Mon, Sep 26, 2005 at 02:37:00PM -0400, Drew Weaver wrote:
> > We're looking for a method of actively monitoring certain
> > metrics on our network via software or a somewhat inexpensive hardware
> > solution (those metrics being which AS numbers are the highest
> > destinations for our network) and information like that which will help
> > us with capacity planning. We are looking for suggestions if anyone has
> > any real-world knowledge of anything that would tell us for example:
> >
> > 8% of our traffic is destined to AS 2828 (XO communications) etc.
>
> I've found ntop (along with exported flow data) fairly useful for stuff
> like this.

ntop is pretty useful but I'd go with flow-tools if you want a far more powerful yet simple base to build a toolset on. The whole flow-capture/flow-report/flow-nfilter tool-chain alone allows you to write little scripts for text only reports telling you just about anything you like, as fine grained as you want, in a matter of hours (or perhaps minutes if you're a fast man-page reader and comfortable with a *nix command-line ;-) and the output is easily parseable in any kind of scripting language. It also comes with a patched FlowScan including CUFlow/CampusIO/SubnetIO to work with flow-capture instead of cflowd, so depending on your exact needs you might be able to use that out of the box or with reasonably basic changes to the (well documented) FlowScan perl scripts.

Take the type of info you're looking for into account before setting up exporting flows from your routers and collecting them on a server. NetFlow V8 uses aggregation on a specific key (AS number, source prefix, destination prefix, etc.) to decrease flow-file size, but it's a rather lossy format compared to the detailed information inside NetFlow V5. If you're not sure yet which metrics you'll be looking for, always collect NetFlow V5 to prevent ending up with flows that don't contain the information you might need in the future.

Hope this helps,

Erik
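To make the V5-versus-V8 point concrete: a V5 record carries the full 5-tuple plus source/destination AS, so the per-destination-AS report the original question asks for is just an aggregation over fields that are already there. The following is an added example, not code from the original post or from flow-tools: a minimal NetFlow v5 datagram parser with the "X% of our bytes go to AS N" report on top. The datagram is constructed in the block with build_v5() so it runs offline; the addresses, ports and AS numbers in SAMPLE_RECORDS are made up apart from AS 2828, which is taken from the question.

```python
"""Added example: parse NetFlow v5 export datagrams and report traffic share
per destination AS.  All flow data below is constructed, not captured."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 layout (RFC-less, but documented by Cisco): 24-byte header
# followed by up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes


def parse_v5(datagram: bytes):
    """Yield one dict per flow record.  Raise ValueError on a wrong version
    or a length that does not match the record count: a collector should drop
    a malformed datagram rather than read past it."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if count > 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    # Top two bits of the sampling field are the mode, low 14 bits the
    # interval; scale counters back up so sampled exports report real volume.
    interval = (sampling & 0x3FFF) or 1
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos,
         src_as, dst_as, _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        yield {
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "sport": sport, "dport": dport, "tcp_flags": tcp_flags,
            "pkts": pkts * interval, "octets": octets * interval,
            "src_as": src_as, "dst_as": dst_as,
        }


def bytes_by_dst_as(flows):
    """Aggregate octets per destination AS: {asn: octets}."""
    agg = defaultdict(int)
    for f in flows:
        agg[f["dst_as"]] += f["octets"]
    return dict(agg)


def share_report(agg, top=10):
    """[(asn, octets, percent_of_total), ...] sorted by volume, i.e. the
    '8% of our traffic is destined to AS 2828' figure from the question."""
    total = sum(agg.values()) or 1
    rows = sorted(agg.items(), key=lambda kv: kv[1], reverse=True)[:top]
    return [(asn, octets, 100.0 * octets / total) for asn, octets in rows]


def build_v5(records, sampling_interval=0):
    """Constructed test data only: encode (src, dst, proto, sport, dport,
    pkts, octets, src_as, dst_as) tuples as one v5 export datagram."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                       1, 2, pkts, octets, 0, 0, sp, dp, 0, 0x18, proto, 0,
                       sas, das, 24, 24, 0)
        for s, d, proto, sp, dp, pkts, octets, sas, das in records)
    return header + body


# Constructed sample flows (proto 6 = TCP, 17 = UDP); our own AS is 64500.
SAMPLE_RECORDS = [
    ("10.1.1.5", "192.0.2.10",    6, 43000,  80, 10,  8000, 64500, 2828),
    ("10.1.1.6", "192.0.2.11",    6, 43001, 443, 20, 12000, 64500, 2828),
    ("10.1.2.7", "198.51.100.3",  6, 43002,  80, 50, 60000, 64500, 3356),
    ("10.1.2.8", "203.0.113.9",  17, 53000,  53,  5,  2000, 64500,  174),
    ("10.1.3.9", "198.51.100.4",  6, 43003,  25, 15, 18000, 64500, 3356),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS)

if __name__ == "__main__":
    for asn, octets, pct in share_report(bytes_by_dst_as(parse_v5(SAMPLE_DATAGRAM))):
        print(f"AS{asn:<6} {octets:>8} bytes  {pct:5.1f}%")
```

To run it against a router, bind a UDP socket on the export port and pass each recvfrom() payload to parse_v5(); note that dst_as in a V5 record is whatever the exporting router had in its BGP table (origin or peer AS depending on the export configuration), so the report is only as good as that table.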
Re: Tools classifying network traffic to applications
Google for FlowScan and CUFlow.

On Thu, 2005-09-22 at 18:11 +0800, Joe Shen wrote:
> Hi,
>
> As I know there are tools designed to analyze VoIP
> traffic, but for viewpoint of traffic management this
> is not enough. Is there a tool which could classify
> network traffic to its applications?
>
> e.g. the tools catch network traffic and recognize its
> application type automatically. If 80% of (80/tcp) is
> web browsing (tcp/80) is recognized as WEB browsing;
> if 80% of (1234/tcp) is eDonkey, it is recognized as
> eDonkey application.
>
> Joe
Re: Boing Boing: Michael Lynn's controversial Cisco security presentation
On Fri, 2005-07-29 at 19:06, Daniel Golding wrote:
> I hope the leadership at Cisco reflects on this incident and will utilize
> different tactics the next time this happens. Similarly, I hope the
> cybersecurity folks in our governments realize that, while a strong
> relationship with vendors is essential, they must recognize that vendors
> have different goals than they do.

Perhaps more importantly, ISS should try to get its act together and realise they let a highly skilled and motivated researcher go over political issues that should never have influenced a truly security driven company in their decision making. How on earth are you gonna try to maintain the image of an independent security company after a clear case of politics and behind-the-scenes shenanigans like these...?

Erik
Re: OSPF -vs- ISIS
On Tue, 2005-06-21 at 09:04 -0500, Dan Evans wrote:
> Can anyone point me to information on what the top N service providers
> are using for their IGP? I'm trying to build a case for switching from
> OSPF to IS-IS.

Why are you trying to build a case...? Would you already have operational benefit from switching and are you building a case around that, and if not, why switch...? Switching IGP in a non-trivial network isn't something you'd want to do unless you've got a clear motive and it gives you some operational advantage...

Cheers,
Erik
Nortel
Looking for some advice regarding Nortel Optera SW versions and SP boards, please reply off-list (and no... not for free, hourly rate is no prob :-)

Cheers,
Erik
Re: Proper authentication model
On Wed, 2005-01-12 at 20:12, Daniel Golding wrote:
> The biggest problem I've seen with dial-up OOB is reliability. You really
> need to have a good series of testing scripts to ensure that
> all the phone lines are working, modems have reset properly, serial ports
> are ok, etc. Without this, reliability is low.

Although it's perhaps not as reliable as a series of dedicated circuits to connect various locations, I don't consider an ISDN router with its Ethernet port connected to a management Ethernet port an unreliable solution. Modems and TA's perhaps, but a series of 2600's or similar devices with basic rate interfaces at each location shouldn't be your biggest worry at the moment you actually need them.

Cheers,
Erik
Re: Proper authentication model
On Wed, 2005-01-12 at 12:37, David Gethings wrote:
> On Wed, 2005-01-12 at 12:25 +0100, Iljitsch van Beijnum wrote:
> > IPv6 is also very useful in providing non-IPv4 management.
> Well if we're offering protocols other than IP(v4) for OOB management
> then might I chip in with MPLS?

Whatever happened to simple ISDN or analogue dial-up with a small router or modem attached...? Not very hi-tech and often quite slow, but usually suffices for emergency maintenance and prolly as far apart from the operational network as possible (provided you're not using transmission from the same telco that supplies the phone lines, that is ;-)
Re: IBGP Question --- Router Reflector or iBGP Mesh
On Wed, 2005-01-12 at 12:20, Iljitsch van Beijnum wrote:
> (Obviously the IGP metric will be different at the client, but the
> client doesn't see the other routes, so it can't make a different
> decision. The real fun starts when the next (intra-AS) hop isn't a
> reflector client and the packet now takes a different path than the
> reflector client thought it would take.)

Yep, policing IGP and i/eBGP route distribution correctly so traffic flows logically through the best path over the network, as seen from both the RR clients and intra-AS hops further down the path, can be a bit challenging, though you'd want every non-RR router to be an RR client and every RR to behave like an RR client to RR's in other clusters, so you'd have a reasonably uniform view of the network.

Cheers,
Erik
Re: IBGP Question --- Router Reflector or iBGP Mesh
On Tue, 2005-01-11 at 13:09, Daniel Roesen wrote:
> One of the main problems of route reflection is that the best path
> decision is done centrally. The best route is not seen as from the
> router making the forwarding decision, but from the route reflector's
> point of view. Depending on network topology, geographic spread and
> peering/transit topo, this might/will have significant negative effects.

This is where good use of clusters and logical network design are necessary, but I don't think this is a route-reflector specific problem, more a general networking problem once your network starts growing and you start deploying a more complex edge/core based topology. I don't think this is a reason to not use reflection as opposed to full mesh.

Cheers,
Erik
RE: IBGP Question --- Router Reflector or iBGP Mesh
On Tue, 2005-01-11 at 02:03, Eric Kagan wrote:
> Does anyone have any input on when this does make sense ? We have 3 Main IP
> pops with upstream BGP at each and 4 internal BGP sessions. I am looking to
> add 2 new routers so there will be about 7 sessions on each border router.

This seems to be a case where it does make sense. If you set up two route reflectors you could do with providing each border router only two iBGP links. You could for instance split your network into two logical clusters with 1 route reflector each and link the two route reflectors so they bounce routes to each other as well, and provide your border routers with BGP links to both for good redundancy and a less complex network layout. Transition isn't that hard really, assuming your border routers already have iBGP links to the routers that will become reflectors it's a matter of configuring the reflectors right and making sure the border routers are connected as route reflector clients, and then start tearing down the remaining sessions. This isn't the only possible option using route reflectors and full/partial mesh of course and you'll have to decide what works for your network, but route reflectors would seem to be useful in your set-up.

Cheers,
Erik
RE: IBGP Question --- Router Reflector or iBGP Mesh
On Sat, 2005-01-08 at 00:20, Robert Crowe wrote:
> Yes, an iBGP session is possible between A & C. Route Reflectors'
> main purpose was to reduce the iBGP full mesh requirement, thus
> providing for BGP scalability. If you only have 3 BGP speakers then
> there is no need, unless you are expecting BGP speaker growth. I
> would address the lack of redundancy for your BGP sessions.

Correct, a route reflector's main advantage is scalability and if you're thinking to evolve into a larger network with dedicated access and core routers, route reflectors are a far better option than full mesh, though perhaps not from the start. Redundancy is a good point, since in the route reflector diagram you have a single route reflector with single sessions to your edges. If iBGP link A-B goes down, the rest of your network loses 1 transit ISP and customer 1 is cut off from the rest of your network, basically leaving him with a default route out to ISP A and the rest of your network having to rely on transit to reach your own customer. Also depends on the actual physical paths to the customer of course (redundant?), but seems a bit risky, while customer 2 is looking a lot safer.

Cheers,
Erik
Re: BIND + DLZ
On Wed, 2004-12-01 at 20:24, Jeroen Massar wrote:
> That is called PowerDNS with a bind-backend ;)

AFAIK PowerDNS is only able to use BIND zone files as a data back-end, not a BIND DLZ database, not to mention this will make PowerDNS the DNS server instead of BIND, which is exactly what I want to move away from.

Cheers,
Erik
Re: BIND + DLZ
And while we're on the subject... anyone know a reliable web-based admin front-end for BIND + DLZ + PostgreSQL...? Or does everybody just roll their own...?

On Wed, 2004-12-01 at 19:17, Micah McNelly wrote:
> Nanog,
>
> Does anyone have information on performance numbers comparing tinydns
> vs. bind w/ dlz patch?
>
> Hit me up off-list.
>
> /m
Re: "Make love, not spam"....
I agree and I'm surprised you even mentioned the word justice... since when is retaliating against bad practices with more bad practices that are hardly likely to take out the real target considered a good idea..?

Erik

Paul G wrote:
> spammer buys hosting account, pays with fraudulent credit card, spams,
> provider gets ddos'ed and ends up paying for all the bandwidth because you
> can't well charge some unsuspecting grandma in alabama for it. i don't like
> this kind of justice.
>
> ---
> paul galynin
Re: Energy consumption vs % utilization?
It's more or less the truth though. Only on rare occasions, such as the cluster/fail-over scenario given, can you actually supply less power to certain machines, and power use is largely unrelated to their actual utilisation. Keep an eye on your UPS load during peak hours and you'll see the load rising when traffic and server utilisation rises, but compared to the baseline power needed to feed servers these fluctuations are peanuts. You supply a server with enough power to run... how is this waste exactly...? If anyone is wasting anything, it's perhaps hardware manufacturers that don't design efficiently enough, but power that you provide and that's used (and paid for) by your customers is not wasted IMO.

Cheers,
Erik

On Tue, 2004-10-26 at 21:07, Alex Rubenstein wrote:
> That's an insane statement.
>
> Are you saying, "You are only wasting money on things if you aren't
> profitable" ?
>
> /action shakes head.
>
> On Tue, 26 Oct 2004, james edwards wrote:
> > > Sorry, this is somewhat OT.
> > >
> > > I'm looking for information on energy consumption vs percent utilization.
> > > In other words if your datacenter consumes 720 MWh per month, yet on
> > > average your servers are 98% underutilized, you are wasting a lot of
> > > energy (a hot topic these days). Does anyone here have any real data on
> > > this?
> > >
> > > Grisha
> >
> > It is only waste if the P & L statement is showing no profit.
>
> -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
> -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
Re: Energy consumption vs % utilization?
On Tue, 2004-10-26 at 19:52, Gregory (Grisha) Trubetskoy wrote:
> In other words if your datacenter consumes 720 MWh per month, yet on average your servers are 98% underutilized, you are wasting a lot of energy (a hot topic these days).

Which means you have to make sure the revenue generated by those 98% underutilized servers covers your power bill and other expenses, preferably leaving some headroom for a healthy profit margin. As long as that's the case there's no real waste of energy; the services people run on their servers are supposed to be worth the energy and other costs, whether they physically fully utilize their power or not.

Cheers,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
Re: Blackhole Routes
On Thu, 2004-09-30 at 15:45, Robert A. Hayden wrote:
> There are mechanisms to do it using eBGP and communities as well which I'm sure most on this list are more familiar with.
>
> Think of blackholing as a way to surgically remove a specific IP from your network, without having to deal with pushing ACLs into multiple entry points. At least that's what it accomplishes for us.

And perhaps more importantly, when using eBGP blackholing communities, without DDoS traffic hitting your ingress bandwidth from your upstreams. ACL's can only filter traffic that's already at your edge, whereas blackholing allows your upstream to filter it for you throughout his network, reducing the risk of congested links.

Cheers,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
RE: Cisco moves even more to china.
Hi Joseph,

On Fri, 2004-09-24 at 13:19, Joseph wrote:
> Your perception of Americans I think is very skewed by the media. You obviously did not read my post and wanted to take a cheap shot.

Although this is hardly the place to discuss this, I never said Americans, I said "we". I'm Dutch, and we've got an equal amount of people whining about the same problems, thinking we'll be invaded and robbed of jobs because Poland joins the EU and Philips and CMG out-source to China and India. It's the same everywhere in the Western world, and my message was not intended as an attack on either an individual or one country and its people. I realise this is very generalising, but the majority of the people in all our countries couldn't care less if we rob the rest of the world blind, until there's a slight possibility they might actually be affected themselves.

> Hmmm. I had no idea there were only 2 networking companies, 1 database and 1 OS. =) With the rich competitive nature of the market I will continue to support companies which conform to a baseline of ethical business practice for all workers worldwide.

I would like to do the same, but the fact of the matter is that in some key areas there's not much choice, especially when it comes to hardware...unless I've missed something I haven't seen an Open-Source carrier-grade routing system that can rival C or J's, and just about any commercial hardware manufacturer in the world has a production plant in one third world country or another, or at least uses loads of low-priced parts (memory, IC's etc.) that are manufactured in those same places. There's no escaping it if you're working in networking and IT.

Kind regards,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
RE: Cisco moves even more to china.
On Fri, 2004-09-24 at 03:53, Joseph wrote:
> It's time for all American Tech workers to stand up and let our voices be heard.

Perhaps it's time instead to make sure you're good at what you do and try to be on the forefront of tech, rather than whining about how all those bad people from abroad are stealing your job. It's largely our own fault that labour pricing in large outsourcing countries like India is so low, and now it's coming back to bite some of us.

> We as world citizens need to come to grips with the fact that we must compete with workers internationally but we should be doing so on a FAIR playing field.

Strangely, people only start calling for a level, fair playing field when they feel something's threatening their own little piece of the cake. If most companies and governments we're happy to work for hadn't been undermining other people's economies for ages, we wouldn't have this problem and we would have a more or less fair playing field. But now the practices that we are still making money off are making our companies stronger but our workforce weaker, so in the long term our overall economy will probably be weaker. Anyone else see the irony here..?

> Don't Support Outsourcing, Don't buy from companies that outsource US jobs.

Hmm...let me see now, no Juniper, no Cisco, no Oracle, no Microsoft, basically not a single vendor left...ah yes, we should just stop working completely and dismantle the Internet, that might just do the trick.

Cheers,

Erik

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
Re: Cisco moves even more to china.
On Fri, 2004-09-24 at 02:29, Dan Mahoney, System Admin wrote:
> I've always personally taken anyone who said "but I'm an MCSE" with a grain of salt. I've had equal respect for the A-plus and Net-Plus certifications, which are basically bought.

I take most certifications with a grain of salt, including degrees, unless someone clearly demonstrates he knows what he's talking about, is able to make intelligent decisions and learns new techniques quickly. In which case a certification is still just an add-on ;-)

> I used to have more trust in the /CC../ certifications but I find I may be laughing those off too quite soon.

The vendors' introductory certs (CCNA, CCNP, JNCIA, JNCIS) don't say anything about a candidate, except exactly that ("I got the cert"). CCIE and JNCIE are still at least an indicator that someone was at a certain level at the time of getting the certification, but are still no substitute for experience and a brain in good working order. It's too bad there aren't better "general" (non-vendor specific) certs, since what is often lacking is a general understanding of network architecture and protocols. You can teach anyone the right commands for Vendor X and they'll prolly get a basic config going on a few nodes, but when troubleshooting time comes it's useless without good knowledge of the underlying technology, which none of the vendor certs teach very well (IMHO anyway ;-)

Cheers,

Erik

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31.10.7507008, fax: +31.10.7507005, http://www.we-dare.nl
Re: Cisco moves even more to china.
Hmm..we're flooded by CCNA's and CCNP's that often hardly know how to log on to a router as it is, so this will probably add a lot more, a bit like the MCSE craze a few years ago ;-) When they say training thousands of students, they're not talking thousands of CCIE-level specialists that actually know what they're doing. If anything it looks like we should feel sorry for people working production for Cisco, since it looks like production will be completely based in China in the not too far future.

Cheers,

Erik

On Fri, 2004-09-24 at 01:49, Nicole wrote:
> Lovely, Just lovely. Just heard On CNN, Lou Dobbs. (but can't find it on their site)
>
> During a Beijing news conference John Chambers (Cisco CEO) Says "We believe in giving something back and truly becoming a Chinese company." "China will become the IT center of the world" "China will become the largest economy in the world."
>
> CNN Reports: Cisco is investing 32 Million into Changi and is training 10's of thousands of Chinese university students in Cisco technology.
>
> So.. I guess we will be cranking out those H1b's...Plan to kiss your raises and or jobs bye bye to some specialized cheap imported Cisco trained networking person from China.
>
> *SIGH*
>
> Nicole
>
> --
> - [EMAIL PROTECTED] - Powered by FreeBSD -
> --
> "The term "daemons" is a Judeo-Christian pejorative. Such processes will now be known as "spiritual guides"
> - Politically Correct UNIX Page
>
> Opportunity is missed by most people because it is dressed in overalls and looks like work.
> - Thomas Edison
>
> "Microsoft isn't evil, they just make really crappy operating systems."
> - Linus Torvalds

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31.10.7507008, fax: +31.10.7507005, http://www.we-dare.nl
Re: Log Analizing tool for Cisco and Juniper router (switch)
Check last week's thread about Open Source NMS tools, there are quite a few messages there with references to log analyzers and similar tools.

Cheers,

Erik

On Tue, 2004-09-21 at 16:49, Joe Shen wrote:
> Hi,
>
> We want to analyze log from Cisco and Juniper Router and switch periodically.
>
> We have set up a Solaris box to collect all those log generated by Juniper router, Cisco Router, cisco L2/L3 switch. But, we found log file format diverse greatly even between Cisco products.
>
> Is there any good tool for this?
>
> Thanks
>
> Joe

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
Re: Today's Internet
On Wed, 2004-06-09 at 09:07, John Obi wrote:
> Are we part of the Today's Internet mess?
>
> http://www.internetnews.com/bus-news/article.php/3365491

That guy should stick to writing SciFi...he seems to be very good at it.

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
nanog@merit.edu
> True, but no-one is saying the entire network should be done in one fell swoop. Eventually, larger companies WILL have to replace outdated components and when they do they can replace them and at the same time make sure ACL's or uBRF

uRPF even..weird typo

> or whatever you use is in place. And before that, you could at least make sure your newer equipment that CAN easily take ACLs is properly configured. Currently most larger companies do neither, always pointing out the cost of doing a huge network wide upgrade that in actuality no-one is expecting them to do. Even if only a percentage of a large ISP's network (especially xDSL and HFC services) is properly configured, it'll save a lot of grief, cutting maintenance cost for the ISP itself as well as causing less headaches for other companies. And over time you just gradually update parts where you're replacing equipment that's at the end of it's lifecycle anyway.
>
> Cheers,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
nanog@merit.edu
On Thu, 2004-06-03 at 21:10, Jeff Aitken wrote:
> You missed what I was getting at. You asserted that only very small ISPs (i.e., those using 36xx-class hardware) are subject to ACL problems. There are many large-ish ISPs still stuck with some amount of obsolete hardware.

OK, sorry about the confusion...I see where you're going now.

> My point was that while it's easy for someone whose network consists of 10 routers to say "well gee, upgrade already" it's not that easy when your network includes hundreds or thousands of components that need to be upgraded or replaced, to the tune of several million dollars.

True, but no-one is saying the entire network should be done in one fell swoop. Eventually, larger companies WILL have to replace outdated components and when they do they can replace them and at the same time make sure ACL's or uBRF or whatever you use is in place. And before that, you could at least make sure your newer equipment that CAN easily take ACLs is properly configured. Currently most larger companies do neither, always pointing out the cost of doing a huge network wide upgrade that in actuality no-one is expecting them to do. Even if only a percentage of a large ISP's network (especially xDSL and HFC services) is properly configured, it'll save a lot of grief, cutting maintenance cost for the ISP itself as well as causing fewer headaches for other companies. And over time you just gradually update parts where you're replacing equipment that's at the end of its lifecycle anyway.

Cheers,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
nanog@merit.edu
On Wed, 2004-06-02 at 19:32, Jeff Aitken wrote:
> On Wed, Jun 02, 2004 at 06:00:38PM +0200, Erik Haagsman wrote:
> > Only very small ISPs relying on 36xx's or multilayer switching instead of larger, more powerful might be still valid cases where ACL's are a problem.
>
> Interesting assertion. Care to support it?

It's not unusual for smaller ISP's and small hosting companies to rely on low-spec equipment that can just deal with normal traffic flows, but starts falling apart when a traffic spike hits and access lists are present. As an example, take a lower end IronCore Foundry switch with a management II or III and make a comparison between the impact a DoS has with and without access lists present. Although it's still dependent on exact network topology and the type of traffic, it's usually a difference of night and day performance wise, and the absence or presence of access-lists can mean the difference between keeping the network running while under attack and having it fall over, especially since all access list handling is taken care of by the CPU. This isn't the case for anyone anywhere that uses this type of equipment, but I can understand the hesitance of smaller networks with smaller budgets and equipment running close to their max to put access lists and filtering policies in place. On the other hand, the smaller the network, the smaller the amount of actual filters needed, so you might wonder if that's even a reason not to filter.

Cheers,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
nanog@merit.edu
On Wed, 2004-06-02 at 17:25, Jon R. Kibler wrote:
> The sad fact is that simple ingress and egress filtering would eliminate the majority of bogus traffic on the Internet -- including (D)DoS attacks.

Couldn't agree more. It would probably cut hacked zombies (and that way spam) by at least as much as DDoS traffic; in general we'd all have far fewer problems if ISP's would stick to simple solutions where they're needed. Although there are DoS's coming from valid IP's, 99 out of 100 of these valid IP's are zombies hacked by using spoofed IP's so the hacker isn't traceable. Good filtering will make this a lot harder to pull off.

> Why no filtering by ISPs? "Because it takes resources and only benefits the other guy" -- unless your network is the one under attack.

And this is exactly the kind of ignorant thinking that prevents us from solving the spam and DoS problems, while the exact same people can't stop complaining about the spammers and script-kiddies ruining their lunch.

> Maintenance of the ACLs should not be the issue. A single ACL for each subnet would be all that would be required for egress filtering. About 30 ACLs on an inbound border router would be required for ingress filtering. Keeping the ingress ACLs current is a brain-dead task -- just subscribe to the bogon mailing list at cymru.com.

If maintenance of ACLs was a problem for large ISPs, they'd be out of business since that would imply they don't have the staff to keep their networks running, let alone well enough to actually have customers on it. I've probably heard the argument about the money it would cost and the staff it would take a million times, but the fact is that if every ISP did its filtering, you'd see the need for troubleshooting, spam filtering, recovering from hackers, and mitigating DoS attacks drop enormously. I'm 100% sure this would lead to lower maintenance costs, not the other way around.

> ACLs have had a bad reputation for greatly slowing down routers. That may have been true in the past, but properly written ACLs do not seem to have a significant impact on most new routers. Yes, they may cut peak through-put a few percent -- but if you are running that close to the edge, it is time to upgrade anyway.

Only very small ISPs relying on 36xx's or multilayer switching instead of larger, more powerful might be still valid cases where ACL's are a problem. But those aren't the ISPs generating 80% of all useless traffic, it's the big boys that have plenty of hardware to burn that refuse to do anything about it.

> IMHO, there is absolutely no excuse for not doing ingress and egress filtering.

Hear hear

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
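The ingress and egress source-address filtering argued for in this thread can be expressed as one strict reverse-path check: a packet is only accepted on an interface if the best route back to its source points out that same interface. The following is an added illustration, not code from any of the posts; the routing table, interface names and sample flows are constructed, and the null-routed ranges are a small illustrative subset, not a real bogon list.

```python
import ipaddress

# Constructed routing table for a hypothetical small ISP: (prefix, egress interface).
# Customer subnets sit behind customer ports, a few bogon ranges are null-routed
# (a real deployment would carry the full, maintained bogon list), and everything
# else reaches the Internet through the default route on the upstream port.
ROUTES = [
    ("192.0.2.0/24", "cust1"),
    ("198.51.100.0/24", "cust2"),
    ("10.0.0.0/8", "null0"),
    ("172.16.0.0/12", "null0"),
    ("192.168.0.0/16", "null0"),
    ("127.0.0.0/8", "null0"),
    ("0.0.0.0/0", "upstream"),
]


class UrpfChecker:
    """Strict unicast reverse-path check over a static routing table.

    The one rule covers both filters discussed above: on a customer port only
    the customer's own subnet is a valid source (egress filtering); on the
    upstream port null-routed bogons and our own prefixes are rejected
    (ingress filtering).  Because of the default route, anything not routed
    elsewhere is accepted from the upstream, which is why bogon space must be
    null-routed explicitly for the check to catch it.
    """

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def best_route(self, addr):
        """Longest-prefix match for addr; returns (network, interface) or None."""
        addr = ipaddress.ip_address(addr)
        matches = [(net, iface) for net, iface in self.routes if addr in net]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None

    def verdict(self, src, in_iface):
        """Decide whether a packet with source `src` may enter on `in_iface`."""
        route = self.best_route(src)
        if route is None:
            return "drop:no-route"
        _net, out_iface = route
        if out_iface == "null0":
            return "drop:bogon-source"
        if out_iface == in_iface:
            return "permit"
        # The reverse path leaves through a different interface: the source
        # address does not belong where the packet came from.
        return "drop:spoofed-source"


# Constructed sample flows: (source address, interface the packet arrived on).
SAMPLE_FLOWS = [
    ("192.0.2.5", "cust1"),       # customer sending from its own subnet
    ("203.0.113.7", "cust1"),     # customer using somebody else's address
    ("10.1.2.3", "upstream"),     # private/bogon source arriving from the Internet
    ("192.0.2.5", "upstream"),    # our own prefix arriving from outside
    ("203.0.113.7", "upstream"),  # ordinary Internet traffic
]


def check_flows(checker, flows):
    """Run every sample flow through the checker; returns (src, iface, verdict)."""
    return [(src, iface, checker.verdict(src, iface)) for src, iface in flows]


if __name__ == "__main__":
    for src, iface, result in check_flows(UrpfChecker(ROUTES), SAMPLE_FLOWS):
        print(f"{src:>14} on {iface:<9} -> {result}")
```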
Re: OT: Looking for Ethernt/Optical Device
What you could try is use the Cisco CWDM-MUX-4 and its pluggable optics that can fit into any GBIC 802.3z compliant slot. It's just an OADM with 4 or 8 wavelengths that delivers GigE to any box with pluggable GBICs provided you use the right optics, and it's quite a bit cheaper than using ONS stuff. That said, CWDM doesn't get you much further than 80 kilometres; above that DWDM is your only option, and a hell of a lot more expensive.

Cheers,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl

On Tue, 2004-06-01 at 17:30, Michael Smith wrote:
> Hello All:
>
> I'm wondering if anyone has seen a good and cheap(er) solution for providing multiple Gigabit Ethernet circuits over single pair of fiber. I'm looking for a way to do CWDM or DWDM that's cheaper than putting in a Cisco 15454 or 15327. I'm only going to be doing 2 GigE circuits between two switches, so I don't need to plan for future growth.
>
> If anyone knows of a magic box that will do the above I would love to hear about it.
>
> Thanks,
>
> Mike
>
> --
> Michael K. Smith, NoaNet
> 206.219.7116 (work) 866.662.6380 (NOC)
> [EMAIL PROTECTED] http://www.noanet.net
Re: Port 5000
It is a worm: http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=20301309

Erik

On Tue, 2004-05-18 at 15:15, Geo. wrote:
> We are seeing many customers here probing port 5000 across the network. It appears to be some new worm or something but I've had no luck yet in figuring out what it is except to say norton AV detects nothing yet.
>
> Anyone have a clue?
>
> http://isc.incidents.org/port_details.php?isc=b4827221b7f45feeb0c12bc5040cabc9&port=5000&repax=1&tarax=2&srcax=2&percent=N&days=10&Redraw=Submit+Query
>
> the jump in traffic is obvious.
>
> Geo.

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
Re: Anti-Spam Router -- opinions?
On Wed, 2004-04-07 at 14:25, Dave Howe wrote:
> I think 10 is a bit low.

It is, although it's more of an example value than a practical one. You'd have to get some statistics on average e-mail use from your mail servers and tune the value accordingly.

> I am not really an abnormal email user - but I tend to block answer a lot of emails, and send them as fast as I type them - so I can easily send 20-30 emails in the first hour, then maybe an hour slack, then another dozen or so - depending on inbound traffic and what arguments are ongoing on my mailing lists at the time.

Same here, but this pattern of e-mail burst - slack - burst etc. could be quite easily implemented in the way described, as long as you have some accurate statistics to use as baseline values and adjust the actual operational values accordingly.

> Ok, I could in theory use web forums, usenet (probably also subject to your rate limiting) or whatever for this, but tbh I don't think I can in practice - if the discussion is on a mailing list, at best I would have to sign that list to a web mail account and reply that way, and as an average user I don't see why should I make life awkward for myself like that just to make life easier for admins (and I *am* an admin, so I have to look at both sides of the coin here)

Agreed, it should be transparent to the user, but again that's where accurate figures come in, and of course the whole system could be as fine-grained as you like, with further limits and slack on subnet level, or by dividing into departments/organisations each with their own limits on different levels (although keeping it as simple as possible would of course be preferred).

> I notice you are limiting by smtp session, and a spammer could easily send 100 emails each going to 100 recipients in a single session.

Yep, that's the main problem; limiting the amount of recipients as well as SMTP connections seems to be impractical although perhaps not impossible. An average user not running a mailing-list will not realistically send many e-mails to >100 recipients, and when they do it's often internal distribution lists within the same domain, so limiting recipients to a sensible value might not be as hard as it sounds. It also depends on where you want the limiter. When limiting connections between the user and his outgoing SMTP server you run into the recipient problem, so you might be better off limiting outgoing connections from your SMTP server, since multiple recipients will result in multiple outgoing connections from the sending server, although this does make coming up with accurate values for the actual base-line limits harder. It would probably require a pretty painful initial setup where the provider tracks e-mail statistics over a period of time and either bases a general limiting value on a good analysis or tweaks the limits on a per customer basis, making the initial setup very labour intensive, but perhaps better in the long term. Instead of automatic blocking you might put in a system where the admin gets alarmed by unusually high activity above the initial limit+slack and the mail is cached but not sent out before admin intervention, allowing the admin to decide whether it's malicious mail traffic or not without disrupting normal service for the user, apart from occasional delivery delay.

Regards,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
Re: Anti-Spam Router -- opinions?
On Wed, 2004-04-07 at 13:18, [EMAIL PROTECTED] wrote:
> If any of your user connections is the origin of more than 5 SMTP sessions in a single day, send an email to the registered contact at that site with a little statistical summary of the activity. No blocking of sessions, just a note saying that we noticed you sent x number of emails today. Give the user some action such as a URL that they can do if they believe that this is abnormal.

Why not use a more detailed time-interval based approach, only blocking further SMTP connections for say an hour if a user made more than x connects in y amount of time and automatically resetting the counters and block afterwards..? On top of the x/hour you could make the mechanism less of a burden by putting in an option that would allow connections to be "saved" for a maximum of two or three hours, so when someone comes into his office in the morning he can safely pour out his start-of-the-day e-mail flow without being bothered by the rigid 10 e-mails/hour, since there wouldn't have been any connections in the few hours before coming into the office and he might be able to send 20 or 30 e-mails in the first hour before the counters are reset. Spammers can only work when making enormous amounts of connections each hour, so limiting a normal user to 10 connections per hour with some extra slack after two or three connectionless hours, with an hour blocking penalty if the user goes over, shouldn't pose a problem to Joe Average and will definitely keep spammers at bay without the added administrative overhead of sending users' mail statistics. Of course as you mentioned, mailing lists and certain users making extreme use of e-mail should always have the possibility of registering for more connections, but when done correctly this could be a more or less hassle free way of controlling mail connection rates without burdening 99% of all users.

Regards,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10 7507008, fax: +31(0)10 7507005, http://www.we-dare.nl
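The limiting scheme sketched in this post and refined in the reply above (x connections per hour, unused allowance "saved" for a few idle hours, a one-hour block once it runs out, or alternatively holding the mail for admin review) is a token bucket with a penalty. Below is an added worked example of that scheme, not code from the thread or from any product; the 10/hour, 3-hour and 1-hour figures are the example values from the post, not measured statistics.

```python
from dataclasses import dataclass


@dataclass
class _UserState:
    tokens: float           # connections the user may still open (the "saved" slack)
    last: float             # time of the last update, in seconds
    blocked_until: float = 0.0


class SmtpConnectionLimiter:
    """Per-user outbound SMTP connection limiter.

    Assumed parameters: 10 connections per hour, unused allowance banked for
    at most 3 hours (so up to 30 after a quiet morning), and a 1-hour block
    once the allowance is exhausted.  mode="hold" replaces the block with the
    queue-and-alert behaviour suggested later in the thread: the mail is held
    for an admin decision instead of being rejected.
    """

    def __init__(self, per_hour=10, max_saved_hours=3, penalty_hours=1, mode="block"):
        self.rate = per_hour / 3600.0             # allowance regained per second
        self.cap = float(per_hour * max_saved_hours)
        self.penalty = penalty_hours * 3600.0
        self.initial = float(per_hour)            # a new user starts with one hour's worth
        self.mode = mode
        self.users = {}

    def connect(self, user, now):
        """Record one SMTP connection attempt by `user` at time `now` (seconds).

        Returns "accept", "blocked" (penalty in force, mode="block") or
        "hold" (mode="hold": queue the mail and alert the admin).
        """
        st = self.users.get(user)
        if st is None:
            st = self.users[user] = _UserState(tokens=self.initial, last=now)
        if now < st.blocked_until:
            return "blocked"
        # Regain allowance for the idle time since the last update, but never
        # bank more than max_saved_hours' worth (the "slack" in the post).
        st.tokens = min(self.cap, st.tokens + (now - st.last) * self.rate)
        st.last = now
        if st.tokens >= 1.0:
            st.tokens -= 1.0
            return "accept"
        if self.mode == "block":
            # The counters reset by themselves: once the penalty has passed,
            # the refill above grants a full hour's allowance again.
            st.blocked_until = now + self.penalty
            return "blocked"
        return "hold"


def simulate(limiter, user, times):
    """Feed connection attempts at the given timestamps; return the verdicts."""
    return [limiter.connect(user, t) for t in times]


if __name__ == "__main__":
    lim = SmtpConnectionLimiter()
    # Constructed scenario: one quiet message, five idle hours, then a burst of 31.
    print(lim.connect("bob", 0.0))
    burst = simulate(lim, "bob", [5 * 3600.0] * 31)
    print(burst.count("accept"), "accepted, last verdict:", burst[-1])
```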
Re: Problems with .de abuse
On Wed, 2004-03-24 at 16:57, Paul G wrote:
> slightly OT, but it is a sad day when operators stop being responsible neighbours and start responding to abuse reports only when their {willy,peering} is on the line.

It is...and persistently trying a host of SNMP community strings on a neighbour's router interfaces doesn't make it any better :-)

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10-7507008, fax: +31(0)10-7507005, http://www.we-dare.nl
Re: Problems with .de abuse
> I sent the abuse email 2 days ago and got no response. After 2 more days of this, I finally just tried to call that number, and it's bogus (or at least not working). Does anyone have a clue who this is and/or how to actually get ahold of someone there (preferably one who speaks or reads/writes English)?

Try and reach them at [EMAIL PROTECTED] or try and contact their admin Jens Rosenboom at [EMAIL PROTECTED]. I know it's not the regular channel, but we peer with them at DE-CIX and had similar problems a while back with IP's from their range scanning and trying out SNMP communities on our boxes. They responded to an e-mail sent to their peering address and we haven't had any further scans since, although your complaint seems to disrepute them further.

Cheers,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10-7507008, fax: +31(0)10-7507005, http://www.we-dare.nl
Re: Firewall opinions wanted please
On Wed, 2004-03-17 at 21:44, Bruce Pinsky wrote:
> Everything I've ever read about security (network or otherwise) suggests that a layered approach increases effectiveness. I certainly don't trust a firewall appliance as my only security device, so I also do prudent things like disable ports and applications that are not in use on my network and enforce authentication and authorization for access to legitimate services.

Good point...and that's exactly why in some cases, especially in SOHO and SMB oriented products, both hardware as well as software vendors can be part of the security problem by advertising their products as the definite solution to all security holes. Truly securing even a single server or host connected to the Internet entails a lot more than just blocking a few ports, let alone securing a network. By marketing "the perfect solution" to not-too-clueful admins the actual security holes only get bigger and harder to track.

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31.10.7507008, fax: +31.10.7507005, http://www.we-dare.nl
Re: Firewall opinions wanted please
On Wed, 2004-03-17 at 21:02, Petri Helenius wrote:
> No, the applications should accept only authorized connections. If that would be the case, there would be no need to filter at packet level.

No, since this would be assuming that each application is perfect and there's no such thing as buffer overflows and other software bugs (including those in authentication routines). A firewall is an extra line of defence in preventing malicious packets from reaching the destination app and the more people have one the better (although I'm not sure whether grandma would be too bothered). It's not bulletproof (and could potentially contain a bug itself) but it provides additional security, regardless of authentication of connections.

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31.10.7507008, fax: +31.10.7507005, http://www.we-dare.nl
Re: Replacement for a Extreme Black Diamond 6808
On Tue, 2004-03-16 at 04:59, Tom (UnitedLayer) wrote:
> Are you using it for L2 only, or L2+L3?
> I hear decent things about using them for L2 only, and using J or C boxes for the L3 portion.

Yep...that's the way we do it as well, L2 on the BD6808's and L3 on J boxes, although we started out using the BD's for part of our Layer3 traffic as well. They just gave too many problems, so if you can, do your L3 on a router and use them strictly for L2 traffic. We also run Foundry switches, and if you absolutely need to do some L3 (OSPF/iBGP) on your switches you're better off using Foundry switches with an M4 blade, their L3 code is much more mature than Extreme's, but when it comes to raw performance try to avoid those scenarios and just let the BD do Layer2. Their L3 might be crap, but they scream at L2.

Cheers,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31(0)10-7507008, fax: +31(0)10-7507005, http://www.we-dare.nl
Re: How relable does the Internet need to be?
Please...I'm not a browser

On Sat, 2004-03-06 at 02:57, John Curran wrote:
> > The question in all cases is what is the level of service acceptable to regulators and emergency services coordinators? Clearly there are problems of both power and call routing which must be addressed. It's unlikely NANOG is the forum for specifying standards in this area. It is similarly unlikely the IETF is the appropriate body, though it may be a place to figure out how to meet the requirements specifications of some other body.
>
> Active discussion ongoing: <http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-243851A1.pdf>
>
> /John

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31.10.7507008, fax: +31.10.7507005, http://www.we-dare.nl
Re: UUNet Offer New Protection Against DDoS
Hi Paul,

> correct. from our pov, it is gone. given that 'solving the problem' is not always possible, this is almost as good as it gets in the real world.

Fully agree, and this is basically the way it should be: a customer shouldn't be concerned about the carrier solving the problem or not, as long as service isn't interrupted the carrier is doing the job he's promised to do in his SLA.

> we tend to get small ddos (a few hundred megs) that are more of an annoyance than anything else, at least before they hit the customer-in-question 's faste handoff.

This is a bit more problematic IMHO. A "small DoS" is very geographically dependent and very "supporting party" dependent: in Ghana with BT as the only provider running over DS3, a few hundred megs means the entire network is cut off for ages :-) I know this is NANOG and bandwidth is a simple commodity, but even in our parts of the western world bandwidth can be hard to come by and a few hundred megs might be a bigger deal to a smaller NSP's network.

> . in other news, noone has solved the perpetuum mobile problem either. as a carrier, your job is to solve the problem for the customer. this includes staying up afterwards.

Hehe...sadly this perpetuum mobile keeps on running and running (which is what it's supposed to do literally :-) but you're completely right: customers should always come first and "hiding" the problem is our only option at the moment. I'm still waiting for that press-release though :-)

Regards,

Erik

> > I haven't seen any major press-releases on actually solving the problem instead of hiding it... (granted...I haven't put out one either :-)
>
> paul

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31.10.7507008, fax: +31.10.7507005, http://www.we-dare.nl
Re: UUNet Offer New Protection Against DDoS
On Wed, 2004-03-03 at 09:26, Paul G wrote:
> cant speak for them, but this would be my preferred first step. next step is, of course, an attempt to filter on {source, unique characteristics, what have you} and removing the blackhole.

What most people seem to forget is that neither of these steps actually counters the DoS...they merely make the DoS as invisible as possible to customers while the traffic keeps hitting the carrier in question. For the large carriers this is only a minor inconvenience. For smaller carriers or for co-location facilities/NSP's that are relying on not-so-clueful carriers (read: carriers not supporting any kind of communities with possible lack of pro-active network management and/or bad communications) this is a BIG problem. Even though they might take the heat off the targeted customer, they could be in for a rough ride themselves as the DoS keeps going and going. I haven't seen any major press-releases on actually solving the problem instead of hiding it... (granted...I haven't put out one either :-)

Cheers,

--
Erik Haagsman, Network Architect, We Dare BV, tel: +31.10.7507008, fax: +31.10.7507005, http://www.we-dare.nl
RE: Converged Networks Threat (Was: Level3 Outage)
On Wed, 2004-02-25 at 20:16, Bora Akyol wrote:
> This train of thought works well for only accidental failures,
> unfortunately if you have an adversary that is bent on disturbing
> communications and damaging the critical infrastructure of a country,
> physical fate sharing makes things less robust than they need to be.
> By the way, no disagreement from me on any of the points you make.
> Keeping it simple and robust is definitely a good first step. Having
> diverse paths in the fiber infrastructure is also necessary.

I don't think fate sharing prevents us from having diverse paths, since this is where redundancy comes in. Even if all services run over the same fibre paths, there isn't any problem as long as there's a sufficient number of alternative paths in case any of the paths goes down.

Cheers,

--
---
Erik Haagsman
Network Architect
We Dare BV
tel: +31.10.7507008
fax: +31.10.7507005
http://www.we-dare.nl
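Whether "a sufficient number of alternative paths" actually exists once services share fibre is exactly what a shared-risk-link-group (SRLG) check answers: tag every logical link with the physical conduit it rides in, fail each conduit in turn, and see which node pairs lose connectivity. The block below is an added example for this archive, not code from either poster; the topology, node names and conduit labels are constructed. Two wavelengths in the same duct look like two links at the IP layer but count as one here, which is the fate-sharing case the thread is about.

```python
"""SRLG (shared-risk link group) diversity check over a constructed topology.

Each link is (a, b, srlg): an undirected logical link between two PoPs and the
name of the physical conduit it shares its fate with.  All values assumed.
"""
from collections import defaultdict, deque

LINKS = [
    ("AMS", "RTM", "conduit-A"),
    ("AMS", "RTM", "conduit-A"),   # second wavelength, same duct: no diversity
    ("RTM", "BRU", "conduit-B"),
    ("AMS", "BRU", "conduit-C"),
    ("BRU", "PAR", "conduit-D"),
    ("BRU", "PAR", "conduit-D"),
    ("RTM", "PAR", "conduit-E"),
    ("AMS", "LON", "conduit-F"),   # LON has two logical links to AMS...
    ("AMS", "LON", "conduit-F"),   # ...both in one conduit
]


def adjacency(links, failed_srlg=None):
    """Undirected adjacency map, omitting every link in the failed SRLG."""
    adj = defaultdict(set)
    for a, b, srlg in links:
        if srlg == failed_srlg:
            continue
        adj[a].add(b)
        adj[b].add(a)
    return adj


def connected(links, src, dst, failed_srlg=None):
    """Breadth-first search: is dst reachable from src after the failure?"""
    adj = adjacency(links, failed_srlg)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def cut_srlgs(links, src, dst):
    """Conduits whose single failure disconnects src from dst (sorted)."""
    srlgs = sorted({srlg for _, _, srlg in links})
    return [s for s in srlgs if not connected(links, src, dst, failed_srlg=s)]


def diversity_report(links):
    """Per node: (logical link count, distinct conduit count).  A node whose
    conduit count is 1 has only apparent redundancy."""
    logical, conduits = defaultdict(int), defaultdict(set)
    for a, b, srlg in links:
        for node in (a, b):
            logical[node] += 1
            conduits[node].add(srlg)
    return {n: (logical[n], len(conduits[n])) for n in logical}


if __name__ == "__main__":
    for node, (n_links, n_srlg) in sorted(diversity_report(LINKS).items()):
        flag = "  <- fate-shared only" if n_srlg == 1 else ""
        print(f"{node}: {n_links} links over {n_srlg} conduit(s){flag}")
    for src, dst in [("AMS", "PAR"), ("LON", "PAR")]:
        print(f"{src}-{dst} single-conduit cuts: {cut_srlgs(LINKS, src, dst)}")
```

In this topology AMS to PAR survives the loss of any one conduit, so sharing fibre between services there is harmless in Erik's sense. LON is the counterexample: two IP-layer links, one conduit, and the report flags it as fate-shared only, with conduit-F as a single cut. The same check generalises to any SRLG list exported from an inventory system, as long as every logical link carries its physical conduit label.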
RE: possible L3 issues
C&W seems to be doing fine towards Microsoft, are you still experiencing problems...?

Cheers,

Erik

On Tue, 2004-02-24 at 00:23, Arjan Lugtenberg wrote:
> Here at planet (AS8737) we are also having problems reaching
> msn/hotmail/messenger.
>
> Seems that C&W are also having problems reaching microsoft??
>
> regards,
>
> Arjan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday 23 February 2004 23:53
> To: [EMAIL PROTECTED]
> Subject: possible L3 issues
>
>
> anyone else seeing high latency via L3, especially the west coast?
> - Keith

--
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10-7507008
fax: +31(0)10-7507005
http://www.we-dare.nl
Re: Good network sniffer?
tcpdump + Ethereal for *nix, best tools in the biz if you ask me... and free too.

Cheers,

Erik

On Mon, 2004-01-12 at 21:48, Borger, Ben wrote:
> Hi Nanog,
>
> Can anyone recommend a good network monitor that can replay captured
> packets? Windows or *nix. Free is great, commercial is ok too.
>
> TIA,
>
> Ben
>
