RE: cooling door
--On March 29, 2008 5:04:01 PM -0500 Frank Coluccio [EMAIL PROTECTED] wrote: Michael Dillon is spot on when he states the following (quotation below), although he could have gone another step in suggesting how the distance insensitivity of fiber could be further leveraged: The high speed fibre in Metro Area Networks will tie it all together with the result that for many applications, it won't matter where the servers are. In fact, those same servers, and a host of other storage and network elements, can be returned to the LAN rooms and closets of most commercial buildings from whence they originally came prior to the large-scale data center consolidations of the current millennium, once organizations decide to free themselves of the 100-meter constraint imposed by UTP-based LAN hardware and replace those LANs with collapsed fiber backbone designs that attach to remote switches (which could be either in-building or remote), instead of the minimum two switches on every floor that has become customary today. Yeah except in a lot of areas there is no MAN, and the ILECs want to bend you over for any data access. I've no idea how well the MAN idea is coming along in various areas, but you still have to pay for access to it somehow, and that adds to overhead. Which leads to attempt efficiency gains through centralization and increased density. We often discuss the empowerment afforded by optical technology, but we've barely scratched the surface of its ability to effect meaningful architectural changes. The earlier prospects of creating consolidated data centers were once near-universally considered timely and efficient, and they still are in many respects. 
However, now that the problems associated with a/c and power have entered into the calculus, some data center design strategies are beginning to look more like anachronisms that have been caught in a whip-lash of rapidly shifting conditions, and in a league with the constraints that are imposed by the now-seemingly-obligatory 100-meter UTP design. In order for the MAN scenarios to work though access has to be pretty cheap, and fairly ubiquitous. Last I checked though making a trench was a very messy very expensive process. So MANs are great once they're installed but those installing/building them will want to recoup their large investments.
AOL/AOL-UK ATDN routing issues?
We're seeing some persistent routing issues with AOL UK customers, it looks like the issue is somewhere inside of ATDN, and it's definitely affecting 204.11.244.0/22 to the point that no AOL UK customers can apparently reach that network at all. If an AOL engineer is on list or someone can clue-by-four someone over there that'd be great. I've tried with absolutely 0 success at getting past the front lines of AOL and ATDN's various contact points. [EMAIL PROTECTED] appears to be an alias for /dev/null. -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: FCC rules for backup power
--On November 13, 2007 3:07:03 PM -0500 Sean Donelan [EMAIL PROTECTED] wrote: Proposed new FCC rules for backup power sources for central offices, cell sites, remote switches, digital loops, etc. For the first time, the FCC is considering specific backup power time requirements of 24 hours for central offices and 8 hours for outside plant and cell sites. Although most carriers tended to follow old Bell System Practices for backup power, BSP's weren't official regulations. ISPs aren't specifically covered, but http://www.tessco.com/yts/industry/products/infra/infrastructure/power_supplies/pdf/agl_reprint.pdf If it makes Qwest put backup on the mini-DSLAM at my curb, good. I'm damn sick of losing access every time we have a power bump out here because they are too cheap to provide backup for anything except their CO out here. However I do agree that the FCC is the wrong org to do it, because, as stated elsewhere, they don't have a clue about local regs/etc.
Interland dead?
Anyone know what's going on? -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
ICANN to remove fee restrictions on .INFO, .ORG, .BIZ?
http://www.icann.org/announcements/announcement-2-28jul06.htm A bunch of people are calling the sky is falling, the sky is falling. I'm not so sure this is the case. What I'm interested in is if anyone is actually worried about this, or has heard about this, from within this community. For those three TLDs it seems like there is little/less competition than for .COM so price increases could be significant. However I'm not sure this will result in the 'per domain auction' pricing that some people seem to be afraid will happen. -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: ICANN to remove fee restrictions on .INFO, .ORG, .BIZ?
--On August 28, 2006 9:52:30 PM + John Levine [EMAIL PROTECTED] wrote: You're confusing registrars and registries. Every TLD has a single monopoly registry to which all registrars funnel the registrations. Switching registrars wouldn't help. AH! That's what I was missing now it makes sense. I wasn't thinking about it carefully enough. So yeah, decidedly bad juju. :/ I have a longer blog entry on this at http://weblog.johnlevine.com. R's, John -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: Experiences with Citrix Load Balancing products?
Complete mistakes, errors, and omissions might be mine. Most people who have had experience with the NetScaler products prior to Citrix seemed to have mostly liked them and been happy with the service and support. I had fewer people respond from this camp though so that might be skewed, the people that did respond seemed much more satisfied than the people that responded who'd bought the Citrix product. Common complaints were Windows and/or Java only WebUIs on both the product and Citrix' support site. No email support to open a case. Required to fill out a Word Doc form for RMAs. People who've tried bonding had various issues with it, but at least one was able to get it working. The biggest common complaint was the support since going to Citrix was almost universally bad. I had one person who said they'd had good support since the switchover, with others complaining of support chasing the wrong issue, taking many days, requiring remote sessions to windows boxen in order to use a browser on the other end to diagnose, changing settings without consulting the customer. The boxen themselves seem to perform as advertised and are reliable for most people. The general consensus seems to be there is a lack of documentation, a lack of tracking of release issues. It points to a lack of QA/Testing on Citrix' part for new software releases. They seem to not be really well suited for hosting environments with many services, having some limitations in that arena, although the limits do seem to be fairly generous (I wasn't able to get hard numbers). On the whole, no one really raved about the Citrix product. Most were lukewarm at best. My verdict is that we'll keep an eye on them but not going to bother with an eval now. Our deal breakers are the requirement of windows or java webui's to manage the product, or even to get support. Also the general consensus of everyone responding that Citrix' support isn't very great. 
A few responders did have good support experiences, and reported that during the transition period from NetScaler-Citrix things were definitely sketchy. I'm deliberately not making direct references to any of the people who responded to me, this is just a brief summary of the various conversations I've had today. Thanks again to everyone who responded. I know some of you had much better experiences with Citrix than I've portrayed here, and I honestly hope that that will become the norm, but on the whole people had a fairly poor view of Citrix' support for this product.
Re: mitigating botnet CCs has become useless
--On August 8, 2006 4:03:36 PM +0200 Arjan Hulsebos [EMAIL PROTECTED] wrote: On Sat, 5 Aug 2006 17:17:27 -0400 (EDT), Sean Donelan typed: Railroads have the railroad police. The Post Office has postal inspectors. Do we want to give ISP security the power to arrest people? We (ISPs) already do have that power, we can disconnect misbehaving subscribers. And in cases like this, we should keep them off the 'net until they've cleaned up their PC. That's a nice idea, except how? How do you prove a user has gotten the malware off and patched? And further how can they do that without internet access? Hint, FWIR, it's not legal for us to distribute MS's patches to our subs. So how do you propose that? Some customers will fix themselves, some will just cancel and find an ISP that doesn't care they're spewing spam and worm traffic all the while complaining about how slow their internet service is. I'm really seriously interested, and I'm not trying to be a flaming troll-bait here. This is a *huge* problem. You can turn off a user sure enough, but how do you know it's OK to let that user back on. And besides doing that, we should educate our subs on how to properly maintain their PC (installing and keeping up-to-date antivirus software, patch the OS on a regular basis, you know the drill). And how is it our responsibility to educate users? I don't think it necessarily is. However because no one else is and we're all the ones most hurt by it we're forced to.
Re: mitigating botnet CCs has become useless
--On August 8, 2006 12:06:42 PM -0400 Sean Donelan [EMAIL PROTECTED] wrote: On Tue, 8 Aug 2006, Arjan Hulsebos wrote: We (ISPs) already do have that power, we can disconnect misbehaving subscribers. And in cases like this, we should keep them off the 'net until they've cleaned up their PC. Botnet CCs are not naturally occurring phenomena. Relying only on defensive security, and not arresting the criminals, will just result in the criminals becoming bolder and more aggressive. In most cases ISPs are just taking action against innocent bystanders that got hit in the cross-fire. Those bystanders aren't the cause. If you let the criminals continue trying over and over again, you are just training them to become better shots. Telling your customers they should wear bullet-proof vests whenever they go outside isn't going to stop snipers. Arresting the sniper is going to stop the sniper. Yup this is a social problem. Just like there's nothing actually stopping any of us from beating up a guy on the street, we don't do it because it isn't legal, doesn't make sense, etc. Some muggers do, the people in control of the SPAM problem are the muggers, the people with infected systems are just the ones who've been mugged.
Experiences with Citrix Load Balancing products?
Anyone used them? Good? Bad? Ugly? I don't know a lot about their products but I know they're new to the market compared to some of their competition. Seems they're buzzword compliant but I could care less about that, I'm really curious how they work in the real world. E-mails off list and I can summarize, or we can just have it out on the list (I'd rather the latter, I think this is relevant). Talking with someone in their engineering or sales group but it sounds like a lot of impossibly big claims in terms of concurrent sessions, throughput, and who's using them. TIA
Re: APC Matrix 5000 question(s)
--On July 28, 2006 9:33:59 AM -0400 Robert E.Seastrom [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] writes: I left for several hours and came back to the house stinking like burning rubber. The new batteries are apparently melting the terminal rubber insulation. I had to throw it back into bypass mode and unplug that pack (the only one with new batteries!) By terminal rubber insulation do you mean the insulation on the lugs that bolt to the terminals on the batteries? If so, this is a sign that you either didn't clean the contacts or didn't bolt them together firmly. Those batteries need to be initially charged, and they draw a lot of current when doing that... which heats up any kind of high resistance connection in the chain. Any ideas to the cause? The status screens looked ok. (no bad batteries again) By the way, you probably ought to replace all the batteries in all your packs regardless of what the battery status monitor says. ---Rob Yeah my other thought here was that one or more of the other packs had totally dead shorted cells, that'd cause excessive heating on the other batteries too.
Re: Hot weather and power outages continue
--On July 24, 2006 2:22:26 AM -0400 Sean Donelan [EMAIL PROTECTED] wrote: While it's expected for individual customers to go down during power outages, usually because the customer does not have local backup power, it is less common for major web sites and co-location centers to experience downtime during power outages. Except if you're in Qwest territory. Apparently they don't put any battery backup at their mini-DSLAMs and such. Every time we lose power, I'm still up, but the DSL signal goes away. Haven't checked dialtone, but I keep meaning to during the next outage. Now I know it's not exactly fair singling out Qwest, because I'll bet Verizon and others share the same thing, and I'm pretty sure it's just their ADSL service and not the voice service (I haven't checked though) it's still becoming more and more common that as an individual user your connection to the internet, unless you're paying for something other than ADSL or Cable, will be just as affected by local power outages.
Re: WSJ: Big tech firms seeking power
--On June 16, 2006 5:24:27 PM -0400 Alex Rubenstein [EMAIL PROTECTED] wrote: But wait, there is more. Just a point of comparison -- Oyster Creek Nuclear Power generation plant, located here on the Jersey Shore, produces 636 megawatts. You'd take one-tenth of that capacity -- in a building that would sit on a 10 or 20 acre chunk of land. I put this into the 'unlikely' category. The substation alone to handle stepping 68 mwatts from transmission to 480v would be probably 4 acres. And, 68 megawatts of power at 480 volts 81,888 amps. A typical 200,000 sq-ft multi-tenant office building has 1600 amps of service; this would be the equivalent of 50 buildings. Having fun yet? I happen to know that a very large power line project was just finished in that area :) (I have family that works for the company that did the job). It's a huge amount of power that's for sure. I'm not sure what the exact route was, nor the endpoint right now, but when I did ask him at the time it didn't make sense... Now it might. I'll talk to him again.
Proxad? (Was: Drone Armies)
--On May 16, 2006 7:47:43 AM -0500 [EMAIL PROTECTED] wrote: ... Top 20 ASNes by number of active suspect CCs. These counts are determined by the number of suspect domains or IPs located within the ASN completed a connection request.

ASN | Responsible Party | Total | Open | Percent_Resolved
...
12322 | PROXAD AS for Proxad ISP | 7 | 7 | 0

Now this is interesting to me, because proxad has been at least as big a pain in my side as far as drones and SPAM sources. Right behind Comcast in no1 and RoadRunner in no2, but I'd never heard of them until they started showing up on my lists a while back...maybe a year or so ago. Anyone else seeing the same amount of problems with these guys? It's just interesting to me that whoever they are, as far as volume of problems from *my* perspective they're as bad as comcast and rr -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: Speakeasy / Above.net
--On May 8, 2006 12:57:39 PM -0700 Peter Kranz [EMAIL PROTECTED] wrote: Is anyone aware of Speakeasy Above.net issues that existed in the last 24 hours, doing forensics on some odd traffic flows (HTTP and SSH problems) from customers within Speakeasy in the last 24 hours. I hadn't heard of anything, nor noticed anything. I'm not a speakeasy customer anymore, but they're usually pretty good/on the ball about things. If you know of a speakeasy customer they can use the member login tool and get current network status issues, as well as past closed issues once logged in. Support might be willing to let you know if you called into them as well.
Tools for LARTing large nets of compromised boxen?
One of our customers is (has been) under concerted attempt at a DDoS attack against their web server off and on for a while. I've lists of IPs, lots of them, many hundreds. I'd like to know if anyone has a tool that will take and match these lists of IPs into abuse contacts and fire off a LART to the appropriate RP for the IP, but only one per full set, IE if RP-A has IP A.B.C.D and A.B.C.C he should get one mail clue-batting him for both IPs. Any help? TIA! -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: Tools for LARTing large nets of compromised boxen?
--On April 20, 2006 12:51:35 AM -0600 Michael Loftis [EMAIL PROTECTED] wrote: Any help? TIA! And before you go off on me YES these are the RESPONSIBLE boxen. There might be a CnC behind the drones but I'd have no way of obtaining that without cooperation. The actual attack is an old closed attack against phpBB so I've got web transactions on each of these bastards, not just an incoming UDP fart.
Re: Tools for LARTing large nets of compromised boxen? (on/off list summary)
I received quite a few good responses, I've ended up using incident.pl and wormeter.pl from the list below (found at the same place). Thanks again everyone. IASON was pointed out but seems incomplete http://iason.site.voila.fr/ and http://sourceforge.net/projects/iason/ Another member pointed out that Cymru WHOIS server has a bulk mode input to turn IP lists into source ASNs. http://www.cymru.com/ and whois://whois.cymru.com/ incident.pl from http://www.viraj.org/ along with wormeter.pl from same is what I ended up using. I had to write a pattern to match, and remove other patterns to prevent accidental matches but this ended up doing what I wanted. I got some other responses, some duplicates too. I've anonymized responses since I'm not sure if the off-list responders wish to be identified.
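The grouping step asked for in this thread (one notice per responsible party, however many of its IPs appear in the list), as an added example that is not part of the original posts and is not incident.pl or wormeter.pl. It works offline on a constructed bulk-mode reply; the pipe-separated column layout of that reply, the `ABUSE_CONTACTS` table and all addresses and ASNs (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a bulk-mode whois reply (documentation IPs/ASNs only).
# Assumed columns: AS | IP | BGP prefix | CC | registry | allocated | AS name
SAMPLE_REPLY = """\
Bulk mode; whois.cymru.com [2006-04-20 07:00:00 +0000]
64496   | 192.0.2.10       | 192.0.2.0/24        | ZZ | example | 2000-01-01 | EXAMPLE-NET-A
64496   | 192.0.2.11       | 192.0.2.0/24        | ZZ | example | 2000-01-01 | EXAMPLE-NET-A
64497   | 198.51.100.7     | 198.51.100.0/24     | ZZ | example | 2000-01-01 | EXAMPLE-NET-B
64496   | 192.0.2.10       | 192.0.2.0/24        | ZZ | example | 2000-01-01 | EXAMPLE-NET-A
NA      | 203.0.113.99     | NA                  |    |         |            | NA
"""

# Hypothetical ASN -> abuse mailbox table; in practice this comes from whois
# records or your own contact list.
ABUSE_CONTACTS = {64496: "abuse@net-a.example", 64497: "abuse@net-b.example"}


def _sort_key(ip):
    # IPv4 and IPv6 objects do not compare with each other; sort by version first.
    return (ip.version, int(ip))


def build_bulk_query(ips):
    """Text to send to a bulk-mode whois server: begin/verbose/<ips>/end."""
    unique = {ipaddress.ip_address(s.strip()) for s in ips if s.strip()}
    lines = ["begin", "verbose"]
    lines += [str(ip) for ip in sorted(unique, key=_sort_key)]
    lines.append("end")
    return "\n".join(lines) + "\n"


def parse_bulk_reply(text):
    """Group reply rows by origin ASN. Key None collects unmapped rows."""
    groups = defaultdict(lambda: {"name": None, "ips": set()})
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 3:
            continue  # banner line or blank
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # column header or malformed row
        # "NA" or a multi-origin value is treated as unmapped, not guessed at.
        asn = int(fields[0]) if fields[0].isdigit() else None
        groups[asn]["ips"].add(ip)  # a set, so repeated rows collapse
        if asn is not None:
            groups[asn]["name"] = fields[-1]
    return dict(groups)


def build_notices(groups, contacts, incident):
    """Return (notices, unresolved): one notice per ASN that has a contact."""
    notices, unresolved = [], []
    for asn in sorted(k for k in groups if k is not None):
        ips = sorted(groups[asn]["ips"], key=_sort_key)
        rcpt = contacts.get(asn)
        if rcpt is None:
            unresolved.extend(ips)  # needs a manual contact lookup
            continue
        body = "\n".join(
            [f"Incident: {incident}",
             f"Network: AS{asn} {groups[asn]['name']}",
             f"Source addresses ({len(ips)}):"]
            + [f"  {ip}" for ip in ips]
        )
        notices.append({"to": rcpt,
                        "subject": f"[abuse] AS{asn}: {len(ips)} host(s), {incident}",
                        "body": body})
    unmapped = groups.get(None, {"ips": set()})["ips"]
    unresolved.extend(sorted(unmapped, key=_sort_key))
    return notices, [str(ip) for ip in unresolved]


if __name__ == "__main__":
    found = parse_bulk_reply(SAMPLE_REPLY)
    mails, leftover = build_notices(found, ABUSE_CONTACTS, "phpBB exploit attempts")
    for mail in mails:
        print(mail["to"], "|", mail["subject"])
    print("no contact found for:", leftover)
```

Attach the matching web server log lines with timestamps and time zone to each notice before sending, since a bare IP list gives the receiving abuse desk nothing to verify.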
Re: [c-nsp] Which IOS do *you* use?
--On March 21, 2006 3:41:47 AM -0500 Robert Boyle [EMAIL PROTECTED] wrote: We run mostly on 7200s. 12.3 definitely still has some bugs. Esp. with odd things like directly connected routes and networks disappearing from the routing table when using CEF - at least until you globally disable and re-enable CEF. However, there are some scenarios where we have to use the 12.3 train. We run 12.2(20 something) wherever possible. We have some customers running super new gear with 12.4T. Craziness I say! I'm not directly involved with those clients at all, but I certainly wouldn't want to run that in production yet. :) 12.2 for everything I touch as well, except for some ooold gear which is stuck in older chains. Similar problems observed with 12.3.
Re: a plea re: shim6
--On March 1, 2006 12:08:21 PM -0800 Matt Ghali [EMAIL PROTECTED] wrote: AFAIK there is no deployed, or even working shim6 code. No there isn't. As such, it is not an operational issue by any stretch of the imagination. There are a number of more appropriate mailing lists for discussion of issues surrounding the design and operation of shim6. Coincidentally, I am not subscribed to them. Please let it go. I have to agree... I'm also not subscribed because after perusing various information available on it I've figured out that SHIM is an acronym for Sorry, Half-a__ed Implementation of Multihoming. $0.1USD
Re: shim6 @ NANOG (forwarded note from John Payne)
--On February 28, 2006 5:15:37 PM -0500 John Payne [EMAIL PROTECTED] wrote: On Feb 28, 2006, at 2:22 PM, Iljitsch van Beijnum wrote: Should be doable with a DNS SRV record like mechanism. Don't worry too much about this one. Where does the assumption that the network operators control the DNS for the end hosts come from? Thin air I think. Certainly isn't the case with a large number of domains we host.
Re: Quarantine your infected users spreading malware
--On February 23, 2006 8:02:31 AM -0600 Jack Bates [EMAIL PROTECTED] wrote: We allowed users back online to run Housecall at trendmicro for free so they could get cleaned up and save some money. However, the resuspend rate was so high, we quickly changed to offline cleanup only. It will remain until we perfect our auto defense system. Customers just want things to work. They don't care if they are infected. It's amazing how many customers swear they aren't scanning or sending email, and refuse to understand that their computer is capable of doing things without them knowing. What doesn't help is the ISPs out there who are complete dolts and first don't verify reports and second false alarm. They'll cut a user off on a single complaint without any evidence or verification. Or worse they have some automated system that false alarms without any way to verify you're cleaned up. And if you can't get online you can't get cleaned up anyway. Catch 22.
Re: Quarantine your infected users spreading malware
--On February 23, 2006 9:09:26 PM +0200 Gadi Evron [EMAIL PROTECTED] wrote: I don't really see how any ISP will terminate an account for just one complaint, after all, it's losing money.. We have seen a few good examples of pretty big ISP's who said here how quarantine works for them. Got an example on how ISP's are kicking users out? Speakeasy suspended my service for a week over a single report from someone. The mail never even travelled through or via any of my systems, the header bit that was called in was forged. It took a week to get them to give me the information they'd gotten in complaint. There was a forged Received header (completely fabricated, including the 'Qostfix' MTA) and also a forged HELO or EHLO of a non-existent host when it actually relayed it off onto someone else's MTA. I can't remember the exact ISP...might've been RoadRunner or TW in Toronto, but a friend had her DSL or CableModem suspended, ended up changing providers. There was an infection, it was cleaned, they were allowed back on, then the ISP either received an old/backlogged complaint or something and they cut them off again, but the machines were all clean (indeed watching the network for traffic over several days revealed nothing that they claimed to be the problem). -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: nanog.org website - 403s?
--On February 11, 2006 10:09:42 PM +1300 Mark Foster [EMAIL PROTECTED] wrote: Anyone else seeing 403's when trying to pull anything other than the index page from www.nanog.org? Not everywhere but almost every single page yes. mailinglist.html still works... someone's FTP client or ssh/scp client set with wrong umask? :D
Re: nanog.org website - 403s?
--On February 11, 2006 12:21:33 PM -1000 Randy Bush [EMAIL PROTECTED] wrote: i am told it is hard disk death. replacement and restoration may take a few hours. good timing, eh? :-) Impeccable, isn't that how it always works? I need to finish packing and get to bed, I've a plane to catch in...9 hrs.
Re: SPAM Level Status - And why not stop the peering with lame ISPs
--On February 10, 2006 11:29:36 AM -0500 Todd Vierling [EMAIL PROTECTED] wrote: On Fri, 10 Feb 2006, Suresh Ramasubramanian wrote: And then a few other well chosen blocklists (not the block all traffic from a country variety at all) These days, a lot of smallish ISP's are blocking CNNIC and/or KRNIC space wholesale. As for CN, the truth of the matter is, the Golden Shield is a very internally oriented (not just xenophobic) filter. CN cares a whole bunch what the rest of the world does to its people. CN doesn't care nearly at all what its people do to the rest of the world. Quite the double standard. The social problem will not be fixed in the foreseeable future, so we have to settle for an imperfect technical solution -- for now. For some operations, the spew level is so high that blanket blocking CNNIC is the only reasonably maintainable option. I'm not (yet) blanket blocking the entire IP space in those countries, but I am blocking huge swaths at the mailserver. Not network wide though. It won't be long before they collectively earn such large blocking at the mailservers I control. On the larger of them we reject anywhere from 6-20k attempts/day per inbound server. Almost all of them do exact numbers of attempts (15, 20, and 50 are very common per ip number attempts). I haven't looked into it any further but we haven't heard any customer complaints.
Re: NANOG36 PGP Key Signing
--On February 7, 2006 7:29:56 AM -0800 Majdi S. Abbas [EMAIL PROTECTED] wrote: PGP on a Mac: I assume the procedure is similar to the one for Windows, but cannot confirm this. Hopefully it's easy enough to figure out. Depends on what you're using. GPG instructions are the same, there's also a utility called GPG Keychain Access, click on the correct key, click on export, check ASCII Armored and give it a file name and a place to store it. But, hopefully, anyone using OS X has already figured these out ;)
Re: flow - web
--On February 3, 2006 9:10:36 PM -0800 Peter Wohlers [EMAIL PROTECTED] wrote: Justin M. Streiner wrote: On Fri, 3 Feb 2006, Randy Bush wrote: i have a few routers of various flavors spewing netflow data. currently i use flowtools, and get text reports via email. but they're s 20th century. what will accept flow data from the routers and give me a sexy web page or two showing the elephant apps and sites? has to be in freebsd ports tree, as i don't have much time to spend on this. ntop off the cuff. In the ports tree. Stager looks interesting too, not in the ports tree but had FreeBSD specific documentation: http://software.uninett.no/stager/?page=docs --Peter Never did like ntop, always used a lot of memory, and has never been stable. Also no history, just 'current'.
Re: MPLS vs PTP
--On January 31, 2006 9:56:46 AM + [EMAIL PROTECTED] wrote: it seems to me that a correctly configured, directly connected pipe would work as well as mpls, with the benefit of local control of my routers and owning any incompetence. I feel like I'm living in the twilight zone... No no, that's just the vendor koolaide machine running momentarily dry. Hold on a moment, I'm sure someone will refill it shortly with the buzzwordblend ;)
Re: CME-24/BlackWorm email notifications - next TOP unreachables
--On February 1, 2006 3:09:08 AM +0200 Gadi Evron [EMAIL PROTECTED] wrote: Gadi Evron wrote: Below are the top-7 ASN's that *we* have not been able to reach with our email notifications of CME-24/BlackWorm infected machines: ... Know of a working contact for these? Please contact me off-list. For any you do get ahold of but-not-via-their ASN/Whois information, please politely ask them to update that on the community's behalf if they can :)
Re: PI space and colocation
--On January 18, 2006 5:21:35 PM -0500 Patrick W. Gilmore [EMAIL PROTECTED] wrote: Well, obviously, the path entry is longer. :) Yeah and if they (somehow) obtain an ASN for this non-multihoming venture then that completely wastes an ASN for no good. And as we all know there aren't an infinite number of those either. It's not huge, but it is there. And like I said, many people argue over additions to the table which are actually useful. -- TTFN, patrick -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: GoDaddy.com shuts down entire data center?
--On January 16, 2006 10:32:58 PM -0800 Jim Popovitch [EMAIL PROTECTED] wrote: I want to say, from an outsider's perspective, that I wholeheartedly applaud GoDaddy on the actions they took and the consistent professionalism exhibited by their tech support representative. Despite obvious (and heavily edited) calls to the same agent, the consumer was informed in a professional manner of his/her avenue for resolution. No doubt remains in my mind that the caller was not caught blind by this situation. Go Daddy has a privacy policy that no doubt prohibits them from releasing details of their side of this case, however to me the recording suggests that the caller knew this was the end result, not a sudden surprise move, and they just wanted to circumvent standard procedure. The caller's prior thought to record, what appears as a standard call to tech-support, is insightful and should be an obvious sign of his motivation. There's a clear case of he said they said going on with this case. Nectartech is making claims that they fixed the issue. Also note that the caller is not a Nectartech employee at all. He's a customer who's also friends with the owner. At least that's what he says in WHT thread. In any event I don't think Nectartech handled this very well, and more likely than not still had a problem and were given ample time to properly correct it.
Re: GoDaddy.com shuts down entire data center?
--On January 17, 2006 7:27:20 AM -0500 Robert E.Seastrom [EMAIL PROTECTED] wrote: Now that Go Daddy has ensured that I'll never do business with them (which is a shame; I liked certain lawsuits that they brought in the past, but if being their customer means subscribing to their thought police, count me out), I think it's time to carefully go over the registration agreements with the registrars I use... never know when someone will slip in something truly odious, and the argument that none of them would be so crazy as to try it appears to be incorrect. This thread gets less and less operational... however...I'm trying to keep this in scope...I think this relates operationally because we all have and enforce AUPs and ToS on our customer bases, both internal, and external. We also have AUPs and ToS enforced on us, by business relationships and peerings, etc. Most ToS and AUP out there at the consumer level state basically the service is worthless, that we can and will d/c you at will, without cause, at our whim. Overzealous lawyering has made this a necessity. How much any of these might or might not stand up in court, I have no clue. As you get into the business world some ToS and AUP become more weighty, but far more structured. Giving both sides clearer and well defined policies and practices for responding to issues. Requiring notification, escalation, etc. I think what matters is the way that the AUPs are applied. This case...the facts...don't match up. webhosting.info (not an authoritative source mind you, but a datapoint) only sees ~150 hosts by this ISP. From what I understand this number is from whois data with nameservers pointing to theirs. Contrast this with mydyndns.org, google.com, ebay.com, prioritycolo.com, wellsfargo.com (ok so this one's not that much more, at ~800), even sun.com has more domains listed. Those last two aren't even 'in the business' and they have more. 
While they may have a large datacenter, I'm not even remotely sure that this incident darkened the whole thing. It might've taken rDNS offline, but that's far from darkening a whole datacenter. It sounds like another WHTer puffing themselves up to being bigger than they are. They *must* be small to let a *CUSTOMER* advocate for them to a third party! Nectartech clearly knew about this and sanctioned it, and the person recording the phone calls has pointed this out more than once. There are no facts in this case either way, because it is really Go Daddy against Nectartech. And Nectartech has a lot more reason to lie to make itself look better in front of its customers. If their whole datacenter went dark then it's some unrelated thing, or some really bad practice (such as somehow establishing iBGP based on domain names maybe? hell I dunno). I've seen so much utter BS spouted by a lot of the self proclaimed web hosts on WHT that I'm not inclined to believe his side of the story any more (or any less) because of it. Go Daddy has to my knowledge never been draconian in applying their AUP (I think at least some of us here would know about it if so).
Re: AW: Odd policy question.
--On January 13, 2006 10:09:51 AM -1000 Randy Bush [EMAIL PROTECTED] wrote: it is a best practice to separate authoritative and recursive servers. why? Cache poisoning (though this is less likely with more modern bind's and other resolvers) and the age old your view is NOT the same as the world view. IE if you've got a customer who has offsite DNS, but hasn't told you, and you've got authoritative records for his zone, you might be delivering mail locally, or to the wrong place, and it can take a long time to figure this out. e.g. a small isp has a hundred auth zones (secondaried far away and off-net, of course) and runs cache. why should they separate auth from cache? randy -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: QWest is having some pretty nice DNS issues right now
--On January 9, 2006 5:30:12 PM + Christopher L. Morrow [EMAIL PROTECTED] wrote: What's interesting to me, at least, is that this is about the 5th time someone has said similar things in the last 6 months: DNS is harder than I thought it was (or something along that line...) So, do most folks think: 1) get domain-name 2) get 2 machines for DNS servers 3) put ips in TLD system and roll! It seems like maybe that is all too common. Are the 'best practices' documented for Authoritative DNS somewhere central? Are they just not well publicized? Do registrars offer this information for end-users/clients? Do they show how their hosted solutions are better/works/in-compliance-with these best practices? (worldnic comes to mind) Should this perhaps be better documented and presented at a future NANOG meeting? (and thus placed online in presentation format) Also it should be noted that there's a general lack of understanding about how very crucial DNS resolver performance is in the end user/customer perception of a network's performance. I can't tell you how many times I've used a local resolver, even on a modem mind you, and seen a dramatic improvement in the end user experience, which is, the web browser. Other applications are pretty DNS bound too anymore. And many large ISPs overload their resolvers, or have resolvers not prepared/configured to handle the amount of queries they're getting. I'm not saying I know the answers there, I'm just saying that I've seen quite a few times where DNS (or even other central directories, LDAP, ActiveDirectory come to mind) have been the 'bottleneck' from a user standpoint since name resolution would take so long. -Chris -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: Leap second reminder - Check your NTP
--On December 31, 2005 6:57:45 PM -0600 Kevin Day [EMAIL PROTECTED] wrote: While I can't say anything broke on our network as a result of the leap second, a good percentage of our gear lost NTP sync or had some kind of NTP problem around midnight UTC. You may want to check your NTP status at some point, in case something drifted quite a way off and won't step itself back now because the difference is too great. We've Nagios monitoring a majority of our NTP devices. Around the appropriate time I got a pretty big flurry of ntp sync warnings, took about half an hour for everything to get in sync. Everything looks normal as of right now (has been for a while). I hadn't thought to turn off the alarms even though I was aware of the leap. That resulted in a lot of notifications going out to our on-call people.
RE: Two Tiered Internet
--On December 15, 2005 11:27:29 AM +0700 Randy Bush [EMAIL PROTECTED] wrote: given an internet where the congestion is at the edges, where there are no alternate paths, i am not sure i understand your suggestion. fergie's message gets my vote for right-on message of the month. this is all smoke. Exactly. They're scared that VoIP will eat them alive (probably right) and so they're rushing to 'do something about it' and so they're using the PUCs to legalize their monopolies. Can't have this router riff-raff running the show now can we. They've been watching income dwindle for a while now. Long distance isn't the cash cow it once was, with every cell phone getting free, at least nearly, or cheap LD. And the prospect of WiFi enabled cities, that means that no one has to pay them for the last mile, or at least a lot less people will, well, they (Ma Bell and the Babies) just can't have that. I'm hoping to get some more time this week to really read through the proposed junk and get a better handle on *what* they're trying to do, other than the obvious of securing their revenue stream by all means necessary. Fact is, we're (ISPs in general) all lighter, faster, and more aggressive.
Re: Two Tiered Internet
--On December 13, 2005 8:17:43 PM -0800 Tony Li [EMAIL PROTECTED] wrote: One might argue that in such a situation, the end user is getting less value than they did previously. End users might then either demand a price break or might vote with their connectivity. *IF* they have a choice. In many areas for consumer grade access, you don't. I fully agree that you're not getting the same value/worth out of a service that behaves like that. The strategy they're proposing is very anti-competitive and very monopolistic.
Re: Sober
--On December 2, 2005 2:02:15 PM -0600 Dennis Dayman [EMAIL PROTECTED] wrote: Interested, but I see many Sober postings and outages on other lists and not here...has anyone been having issues? I know the ISP's are fighting the living out of the virus. I've been seeing a few really large bursts into our mailserver. Not sure if it's a new variant or a reoccurrence of an old strain. I put in a good number of new port 25 inbound blocks for infected systems and attempted to put up a few checks inside of our front end mail servers rather than in the virus and spam filtering (which happens later for us, so for bad surges we put a few custom rules up front early in postfix). Isn't anything we can't handle at this point but it was pretty ugly for a while there.
Re: Outbound mail filtering on large mail / web server farms - just an idea or two that I have
--On November 20, 2005 8:48:08 PM +0530 Suresh Ramasubramanian [EMAIL PROTECTED] wrote: I originally wrote this lot below as boilerplate for large webhosting providers that find themselves with several racks full of pizzabox colos running a web control panel like ensim or cpanel so that the people actually operating the colos may not have too much clue .. and these places are typically riddled with lots and lots of exploitable cgi / php scripts that are broken into and used to send spam using injection / xss etc holes .. Some of the ideas here might well apply to what I was talking about in this thread as well - the two kind of tie in together I've considered a similar setup. Requiring all mgd servers to always use their local mailers, then at the nearby edge, NATing all outbound SMTP port 25 traffic to a set of mail relays setup to do greylisting, rate limiting, and possibly IDENT checks to make (reasonable more) sure that it's the mail server user talking and not some random software. Note that I've done none of it...the idea's a bit insane, but, it would definitely make it easier to spot and treat the problems, the only big black eye here is AOL who would probably rate limit the outbound servers quite often, which they already do to our normal mail systems even when things are going well, again, because of forwards. I'd imagine there's a way I could get just the (AOL) forwarded mail pushed to a separate machine with our current (older version) Postfix setup but I haven't actually looked into it. We use SQL based tables for everything in order to make automation much simpler on our end. I hope this all wasn't too non-operational, it seems relevant to me, so hopefully it's not noise.
Re: Outbound mail filtering on large mail / web server farms - just an idea or two that I have
--On November 21, 2005 8:55:39 AM +0530 Suresh Ramasubramanian [EMAIL PROTECTED] wrote: On 11/20/05, Michael Loftis [EMAIL PROTECTED] wrote: quite often, which they already do to our normal mail systems even when things are going well, again, because of forwards. I'd imagine there's a way I could get just the (AOL) forwarded mail pushed to a separate machine The difference is of course that when you separate .forward traffic to a separate IP you tell AOL it's a forwarding server. And setup reverse dns + hostname for that box that says something like dotforward.wgops.com ... Once you do that you should be reasonably good to go Oh I understand the concept perfectly well. It's just that I can't see through to an implementation easily. The system I'm referring to has no internal way of telling the difference easily between forwarded mail and 'other' mail, it's all passed into the same set of virtual tables and the only difference is local versus remote delivery. I can't classify .forward style traffic out from the regular in/out flows. I'm probably not making a whole lot of sense either right now, let's blame that on low caffeine count. I could pass all aol.com traffic (via transport) to a different box but I can't do that just for forwarded mail because inbound mail and outbound (locally generated/initial submission on port 25/etc) aren't handled separately at all. I can see how they could be, but I don't see any provisions inside of Postfix 2.0 to handle that without separate instances. Not impossible, just impractical right now. The eventual 'plan' is to do almost exactly that, separate instances to handle/classify mail differently based on where the mail was submitted. I guess I'm really curious as to how others might implement something like this.
I'd run three instances (machines if you must view it like that) of the MTA, one inbound the outside, say $world, the other $local, the third (call it $forward if you will) is where $world would send all of its forwarded/outbound mail to that won't be delivered locally. $local would handle local delivery and external delivery for local machines. I think in Exim though it's cleaner because you can specify special processing for other steps. My system has a bit more complication because of the fact we don't use any filesystem. The mail users are purely virtual to the mail system, only existing as an LDAP entry and as a Cyrus Mailbox.
Re: 209.68.1.140 (209.68.1.0 /24) blocked by bellsouth.net for SMTP
--On September 26, 2005 8:59:31 AM +0530 Suresh Ramasubramanian [EMAIL PROTECTED] wrote: On 25/09/05, Michael Loftis [EMAIL PROTECTED] wrote: result in me having to call postmaster to get them to remove it. Also just one hacked webform usually results in the same problem (we have thousands of web hosting customers). It's in our projects list to find 'some way' to rate limit individual senders but it's not a high priority right now. One hacked webform can pump out as much spam in a few hours as the rest of your users would send email to AOL in a week. I realise this, but that's usually not the case. Almost without fail we notice and shut it down long before AOL starts blocking, and clear out the queues of anything pending from the spammer. Then hours or a day later AOL blocks us for something that's been dealt with. :/
Re: 209.68.1.140 (209.68.1.0 /24) blocked by bellsouth.net for SMTP
--On September 24, 2005 10:20:24 PM -0400 [EMAIL PROTECTED] wrote: Yes, this is quite clearly the case; there are dozens of mutual customers who have forwarding rules setup. We are not generating Spam to send to Bellsouth; it's coming from somewhere else and then being forwarded. At my $employer I have similar problems with AOL. We occasionally get blocked because of bone-headed AOL users thinking that report spam is the same as delete, or thinking that report spam on forwarded mail is helpful, when it's not. It happens at least once a month that one or more, or all of our outbound MXers get blocked over at AOL with 4xx or 5xx errors that result in me having to call postmaster to get them to remove it. Also just one hacked webform usually results in the same problem (we have thousands of web hosting customers). It's in our projects list to find 'some way' to rate limit individual senders but it's not a high priority right now. I imagine that at some time in the future, forwarding e-mail might become impractical, if receiving systems insist on parsing it as originated or relayed Spam. I've certainly brought up the idea of not allowing offsite forwarding to AOL. We already implemented no offsite catch-alls and I'd like to have removed any possibility of doing catch-alls but management veto-ed me on that one because of the high amount of customer complaints we'd get. Sometimes, the 'cure' is definitely worse than the 'disease.'
Request for tech/peering contact to Qwest, Bresnan/ATT Worldnet(?) (for Montana)
Please reply privately, off-list... I know this is probably not the best place, but Qwest, being Qwest, if I call their main numbers and try to ask about peering, they do s/peering/transit/ and route me to sales. I need to speak to someone in Qwest about peering at NWIX in Missoula, MT -- http://www.nwix.org/ -- Modwest (my employer) has a decent number of local customers on both of these providers networks, and employees being serviced on Bresnan's network. Bresnan I know has IP gear here in the facility, I just need to get the contact of someone who has the authority to get them plugged into NWIX in Missoula and setup a BGP peering session. I have a sales contact with Bresnan, but, if Bresnan's network guys/gals are on here and listening, this could hasten the process. Qwest I know has a cabinet with an ONS15454, however, I'm not sure about IP. I'm not requesting global peering for either of them (we're just a small content/hosting provider) however I'd like to at least have Montana customers/local customers see us via the direct link rather than having to go out one of our transit links. Thanks again everyone, I now return you to your (err.. quasi?) operational content! :) -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
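As an added illustration of the per-sender rate limit mentioned in the message above (not the poster's system or code): a sliding-window cap on recipients per envelope sender, run over constructed log lines. The simplified log format, the default limit of 20 recipients per 60 seconds and the exemption for the null sender are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified, constructed log format modelled on a queue-manager line:
#   <ISO timestamp> <host> <daemon>: <queue id>: from=<sender>, size=N, nrcpt=N
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: (?P<qid>[0-9A-F]+): "
    r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, sender, recipient_count), or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["sender"].lower(), int(m["nrcpt"])


class SenderRateLimiter:
    """Sliding-window cap on accepted recipients per envelope sender."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.accepted = defaultdict(deque)  # sender -> (timestamp, nrcpt)
        self.in_window = defaultdict(int)   # sender -> recipients in window

    def allow(self, ts, sender, nrcpt=1):
        queue = self.accepted[sender]
        cutoff = ts - self.window
        # Forget deliveries that have aged out of the window.
        while queue and queue[0][0] <= cutoff:
            self.in_window[sender] -= queue.popleft()[1]
        if self.in_window[sender] + nrcpt > self.limit:
            return False  # over the cap: defer, and do not count it
        queue.append((ts, nrcpt))
        self.in_window[sender] += nrcpt
        return True


def deferred_by_sender(lines, limit=20, window=timedelta(seconds=60)):
    """Count, per sender, the messages the limiter would have deferred."""
    limiter = SenderRateLimiter(limit, window)
    deferred = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, nrcpt = parsed
        if sender == "":
            continue  # assumption: bounces (null sender) are exempt
        if not limiter.allow(ts, sender, nrcpt):
            deferred[sender] += 1
    return dict(deferred)


def sample_log():
    """Constructed sample: one web form bursting, one ordinary user."""
    start = datetime(2005, 9, 24, 22, 0, 0)

    def line(offset, qid, sender, nrcpt):
        ts = (start + timedelta(seconds=offset)).isoformat()
        return (f"{ts} mx1 postfix/qmgr[4242]: {qid:08X}: "
                f"from=<{sender}>, size=2048, nrcpt={nrcpt} (queue active)")

    lines = [line(i, i, "webform@customer.example", 1) for i in range(50)]
    lines += [
        line(5, 100, "alice@customer.example", 1),
        line(30, 101, "alice@customer.example", 2),
        line(70, 102, "alice@customer.example", 2),
        line(45, 103, "", 1),  # bounce with the null sender
        start.isoformat() + " mx1 postfix/smtp[4243]: unrelated line",
    ]
    return sorted(lines)  # ISO timestamps sort chronologically


if __name__ == "__main__":
    for sender, count in deferred_by_sender(sample_log()).items():
        print(f"{sender}: {count} messages deferred")
```

Deferred messages are not counted against the window, so a sender that slows down recovers on its own once earlier deliveries age out.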
Re: DirectNIC requests BellSouth help.
--On September 1, 2005 8:20:12 PM + Paul Vixie [EMAIL PROTECTED] wrote: directnic's nameservers appear to have been botchified during some kind of hurried attempt to mirror them outside of new orleans. ... good eyes paul, been in contact with people over there and it's getting fixed. i hadn't been following nanog but i'm floating in the IRC stuff (since I'm also freenode staff...). Mike B. relays back thanks that the problem is being fixed. (sorry if this is duplicate information!) this is going to make directnic's customers, or any zone served by these two nameservers, harder to reach than they strictly need to be. can someone from directnic contact someone at verisign, or vice versa, and get this straightened out? -- Paul Vixie -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: Replacing PSTN with VoIP wise? Was Re: Phone networks struggle in Hurricane Katrina's wake
--On August 31, 2005 2:03:01 PM +0100 [EMAIL PROTECTED] wrote: ... On the other hand, in a circuit switched network you can do all kinds of interesting stuff (such as restarting all your control software) without breaking your sessions. We're only now seeing this in IP, and I think it's not really possible to reach the same levels with IP routing even in the long run. MPLS may have the edge here because you can have backup paths and fast reroute to keep traffic flowing if you have an orderly plan for rebooting routers. Which does us no good in the case that we're close to the edge device and need to reboot the control plane of a nearby router. To me it seems Juniper and Cisco are both making huge steps in understanding this is necessary technology they can 'borrow' from telco's. You've a highly intelligent, but fairly decoupled control plane, with a fairly dumb, but largely automatic 'forwarding' or 'circuit fabric' plane being directed by the control plane. If the control plane takes a nap, the bottom end continues what it was doing until something (control plane coming back online, backup control plane doing takeover) tells it otherwise. No this isn't easily possible in most instances, even with just bare IP and with NAT it becomes really difficult because of the large amount of intelligence (relatively speaking) required to handle NAT. I should clarify that when I say NAT I mean PNAT and application/protocol specific NAT that requires more than just simple packet mangling. I think though, that eventually this will be commonplace, certainly in the core, and even really close to the edges. the M10i's approach this sort of resiliency. the T series and the larger M series also work like this...I think that the ONS' also are pushing on this (though admittedly aren't exactly IP...)
Anyway, point is, that if you're right up close to the edge, MPLS may not matter, towards the core sure, where you're away from actual end connections and there's redundancy around you when you need to do a control plane restart. There will always be upgrades. Further there will always be other issues, however, in my mind at least, today's networks are far more resilient and faster to heal than they've been in the past, at least in IP PSTN...well...They're reliability king, until something unexpected happens. There were reports on here I believe it was even about call routing issues during this outage, not capacity type issues, simple lack of the systems ability to reconfigure and cope with loss of connectivity. There are places for both PSTN and IP though.
Re: What application runs on port 8094?
--On August 18, 2005 4:25:53 PM +0200 Lars Erik Gullerud [EMAIL PROTECTED] wrote: Since the traffic was 8094/UDP it is definitely not BitTorrent, who uses TCP transport. Azureus, a very popular BT client, has a distributed tracker database mechanism, to get around overloaded/unreliable trackers...it might run on that port by default, I honestly don't know. -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: power strip with individually monitorable outlet current
--On August 7, 2005 3:01:25 PM -1000 Randy Bush [EMAIL PROTECTED] wrote: don't know the 7901, but i can sure vouch for the 7900 which joel recommended to me. it has saved me from using remote hands to whack a wedged server so many times. Same thing. AP7901 is a NEMA L5-20P/5-20R and the AP7900 is a NEMA 5-15P/5-15R. 20A/15A respectively. APC doesn't sell any individually metered units. Baytech does (as pointed out elsewhere). I don't know about any others myself.
Re: Why some of us are IPv6 holdouts (Was: /8 end user assignment?)
--On August 6, 2005 6:56:27 PM + Christopher L. Morrow [EMAIL PROTECTED] wrote: a good email over all explaining more parts of the pie :) sweet! Thanks... I try to add something to the threads when I weigh in... .. ok, good... now in 5 years when there are 'many more' v6 users are you still in this boat? should some of this work get started also? Would that be facilitated by getting some actual logs? The point really, was that there are many packages of software. Open Source, Commercial, in-house, front-end and back room that will need to be looked at and outfitted. It's happening, but it will take a lot of work, and probably time. In 5 years, I don't know. I hope not. I hope by long before then that a majority of my concerns are addressed. It will take my employer/org about six months, to one year to fully light IPv6 for production. Maybe a bit longer. We've internal software to worry about, and that estimate excludes any set-backs from external sources, like Juniper deciding to twist everyone's arms for IPv6 licensing. I can leave that to a separate thread/argument though. I do have about a paragraph or two of venom on that topic if anyone is interested. :) Maybe I'm more concerned about what (potentially bad) things happen on my networks. Maybe not. Either way, that issue alone means a LOT of other software than the web server, load balancer, and routers need to understand (or speak) IPv6. There's a huge ecosystem of software here. A lot of it hasn't been written in such a way that it takes into account any other addressing/networking scheme than IPv4. agreed, but that problem doesn't seem to be getting addressed any better than the lb/router/web-server problem does it? No not particularly. The web server software, routers, and load balancers in my networks are all IPv6 capable, aware, and ready. What isn't at this point is management tools, and an unknown number of customer applications. I work primarily in web hosting.
This means that there are lots of unrelated applications that may make turning on IPv6 difficult. I'm not saying it's impossible. I'm not saying it won't happen. Heck I want it to happen. I want to go IPv6, get out of the way of the address shortage that will be. I wanted to point out the bigger picture amongst these threads of half answers and single issues. This isn't a one issue thing. Everyone here on NANOG can make it that if they want to, but I doubt that most of us do. The difficulty is in pointing this out to the 'sky is falling migrate today!' drum beaters, most of us are working on it, but we're not the ones that need to be harangued. SW developers need to be educated too, as much as, maybe more so than the ops community. They're the ones that will ultimately make or break this thing. We can build a network however we damn well please. But in the end the network is just a road. We need applications. Cars. And people to drive those cars...use those applications. That's what it comes down to. Multicast has limited traction not necessarily because of limited technical merit or ability, but because there are few applications that make use of it. As apps improve and start to support or require IPv6, more and more will roll it out or be forced to roll it out. Some of us are being held up by applications, hardware, or upstreams' lack of v6, but that won't last forever, and it can't last much longer or we could very realistically miss the deadline, whatever it ends up being, for the 'last of the v4 space'. -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: /8 end user assignment?
--On August 5, 2005 12:50:08 PM +0200 Sabri Berisha [EMAIL PROTECTED] wrote: On Fri, Aug 05, 2005 at 12:05:08PM +0200, Iljitsch van Beijnum wrote: Hi, I'm not sure how much room additional records take up, but I think it's a little under 30 bytes. At this rate, there is no way you're going to run out of 512 bytes with less than 10 records. Then there is EDNS0, and failing that, TCP. With the use of anycast DNS servers on the internet, TCP is no longer an option for DNS. Most of us aren't using anycast DNS...for those that are, they know the limitations and problems they face. Though, realistically, for most people I'd bet it's a non-issue anyway. Most replies, including glue/additionals are probably far less than the link's packet size in most places. There are exceptions. There are always exceptions. :)
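The size arithmetic in the quoted part of this message, worked through as an added example (not from the thread): it builds an NS response with one AAAA glue record per name server, using RFC 1035 name compression, and measures it against the 512-byte UDP limit that applies without EDNS0. The zone name, single-letter host names and addresses are constructed.

```python
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, CLASS_IN = 1, 2, 28, 1
UDP_LIMIT = 512  # largest DNS-over-UDP message a client accepts without EDNS0


class Message:
    """Minimal DNS message writer with RFC 1035 name compression."""

    def __init__(self):
        self.buf = bytearray(12)  # header, filled in at the end
        self.offsets = {}         # name suffix -> offset of first occurrence

    def _name(self, name):
        """Encode a name as it would appear at the current end of buf."""
        labels = name.rstrip(".").lower().split(".")
        out = bytearray()
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            if suffix in self.offsets:
                # Seen before: emit a 2-byte pointer and stop.
                pointer = struct.pack("!H", 0xC000 | self.offsets[suffix])
                return bytes(out + pointer)
            pos = len(self.buf) + len(out)
            if pos < 0x4000:  # pointers only carry 14 bits of offset
                self.offsets[suffix] = pos
            out += bytes([len(label)]) + label.encode("ascii")
        return bytes(out) + b"\x00"

    def question(self, qname, qtype):
        self.buf += self._name(qname)
        self.buf += struct.pack("!HH", qtype, CLASS_IN)

    def rr(self, owner, rtype, rdata=None, target=None, ttl=3600):
        """Append one resource record; return its size on the wire."""
        start = len(self.buf)
        self.buf += self._name(owner)
        self.buf += struct.pack("!HHIH", rtype, CLASS_IN, ttl, 0)
        rd_start = len(self.buf)
        self.buf += self._name(target) if target else rdata
        # Patch RDLENGTH now that the (possibly compressed) RDATA is known.
        struct.pack_into("!H", self.buf, rd_start - 2, len(self.buf) - rd_start)
        return len(self.buf) - start


def build_ns_response(zone, n_servers, v6=True):
    """Return (wire message, glue record sizes) for n_servers (at most 26)."""
    msg = Message()
    msg.question(zone, TYPE_NS)
    hosts = [f"{chr(ord('a') + i)}.{zone}" for i in range(n_servers)]
    for host in hosts:
        msg.rr(zone, TYPE_NS, target=host)
    glue_sizes = []
    for i, host in enumerate(hosts):
        if v6:  # constructed addresses 2001:db8::N
            rdata = bytes.fromhex("20010db8") + bytes(11) + bytes([i + 1])
        else:   # constructed addresses 192.0.2.N
            rdata = bytes([192, 0, 2, i + 1])
        glue_sizes.append(msg.rr(host, TYPE_AAAA if v6 else TYPE_A, rdata=rdata))
    # id, flags (QR + AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    struct.pack_into("!HHHHHH", msg.buf, 0, 0x1234, 0x8400,
                     1, n_servers, 0, n_servers)
    return bytes(msg.buf), glue_sizes


def max_servers(zone, v6=True):
    """Largest name-server count whose full response fits in UDP_LIMIT."""
    best = 0
    for n in range(1, 27):
        if len(build_ns_response(zone, n, v6)[0]) <= UDP_LIMIT:
            best = n
    return best


if __name__ == "__main__":
    for n in (10, 11):
        size = len(build_ns_response("example.com", n)[0])
        verdict = "fits" if size <= UDP_LIMIT else "needs EDNS0 or TCP"
        print(f"{n} name servers with AAAA glue: {size} bytes ({verdict})")
```

With these short names a compressed AAAA glue record is 28 bytes; longer or unrelated name-server names compress less and reach the limit sooner.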
Re: Your router/switch may be less secure than you think
--On August 3, 2005 2:10:10 PM +0100 [EMAIL PROTECTED] wrote: ... Contrary to what some may be worrying about, it is not the GSRs that are most at risk. It is those old 2500's that are connected to your customers. Imagine that one of those customer routers is exploited, the hacker installs a tunnel, and then proceeds to anonymously probe the customer's network. This is the real risk and it may very well be happening right now to one of your customers. While I hate to possibly give ideas to (real) black hats in a public forum but no doubt some have thought of this anyway...injecting routes into BGP to steal traffic. A crafty enough person could move traffic back over a tunnel or series of tunnels to be snooped. Yes, theoretically, it'd be noticed fairly soon, but how quickly is soon enough for $xyz critical application? That worries me more, because it only takes one insecure unfiltered setup (or even partially unfiltered setup) to announce something they shouldn't. Hopefully it wouldn't be global-reaching, but, it could be. How much do you trust your peers? How much should you? How much do you have to? For customers, it's obvious, for transit peers, maybe less so. Just my two cents worth... ...
Re: OMB: IPv6 by June 2008
--On July 9, 2005 10:42:57 AM -0700 Alexei Roudnev [EMAIL PROTECTED] wrote: LC can hold only 20,000 ACTIVE routes, and ask central system if it needs more. How many ACTIVE routes are used in any CORE router? 0.1% or CORE? 2% of CORE? Again, today it is not technical issue anymore. Caches aren't necessarily a good idea again because of the miss issue and at OC192 speeds it's nuts...you pretty much have to carry a full table because if you don't the first time you get a DDoS or a DoS with lots of forged sources or dests flowing through your router it'll blow up.
Re: Battery Maint in LEC equipment
--On June 5, 2005 8:11:41 PM -0700 Jay Hennigan [EMAIL PROTECTED] wrote: The corollary to this question: If your data center has an adequate DC plant, will the carriers insist on installing their own batteries and rectifiers? And how many of them have redundant supplies to take advantage of an A and B feed from you? There's no typical response. Here in QWest territory they drop their own cabinet and pull AC power for their own rectifiers and battery string inside the cabinet. (I helped lump the freaking batteries oy...) -- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: google.com outage?
--On May 7, 2005 7:37:01 PM -0400 Jonathan M. Slivko [EMAIL PROTECTED] wrote: Hmmm did anyone hear anything about a Google outage that's been going on for the past 20 minutes or so? It appears to be DNS related (ns1-ns4.google.com didn't have a record of www.google.com or www.gmail.com). I can't find any articles on the net about it and was wondering if anyone heard anything. Not sure what happened but I confirmed it at quite a few places. It was DNS related (I was getting host/domain not found errors with www.google.com returning a CNAME record pointing to www.l.google.com and l.google.com not existing).
Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN etc
--On Wednesday, April 20, 2005 7:41 AM +0530 Suresh Ramasubramanian [EMAIL PROTECTED] wrote: http://www.circleid.com/article/1045_0_1_0_C/ That's a must read article, I'd say. The article seems to be well put and well thought out explanation of what 'we' know. That you can't produce IP addresses. These sorts of articles need to be published more regularly and shoved in the faces of the politico's. Why? Because they don't necessarily understand the problems at hand. We all would love for them to I'm sure, but often times they don't. Many thanks for pointing this little gem out Suresh.
AOL's brains on the floor?
Anyone else confirm? Looks like AIM, www.aol.com...maybe more, are all down from various POPs here.
Re: AOL's brains on the floor?
OK got quite a few confirmations of their IM services being out and one or two others who noticed www.aol.com being out. Noticed a few complaints about mail server issues at another site I admin, but all from AOL subscribers, and it's cleared up now except for IM services. Thanks for the feedback folks, nice to know I'm not entirely insane.
Re: Apology: [Re: Tier-2 reachability and multihoming]
--On Saturday, March 26, 2005 11:51 AM +0530 G Pavan Kumar [EMAIL PROTECTED] wrote: This is with my deepest regrets that I apologize from the bottom of my heart to Mr.Gilmore, Mr.Woodcock, Mr.Bush and also the rest of the honourable members of the list for being ignorant of how high-profile a list this is. I couldn't be more sorry. Please, please forgive me. ps: I sure meant no harm, was just trying to be humorous,(I hope the exclamation marks might have given some hint) anyway it is too late. They say there is no natural punishment than remorse. Also, I was too embarrassed to post a quick apology. No, exclamation points indicate yelling, animated, surliness, or a host of other emotions, humor is NOT one of them. If your intent was to joke or in jest then don't use !. use ;) or :) esp. since your second language is pretty clearly English where what you're typing, and what we're reading/getting can be hard to interpret. Thanking you, pavan. -- Undocumented Features quote of the moment... It's not the one bullet with your name on it that you have to worry about; it's the twenty thousand-odd rounds labeled `occupant.' --Murphy's Laws of Combat
Re: Tier-2 reachability and multihoming
--On Wednesday, March 23, 2005 4:54 PM +0530 G Pavan Kumar [EMAIL PROTECTED] wrote: Hi there, I have been working on characterizing the internet hierarchy. I noticed that 27% of the total possible tier-2 provider node pairs are not connected i.e., they don't have any tier-1 node connecting them nor a direct peering link between them. Multihoming can be used as a predominant reason for the reachability of tier-3 nodes which are customers of these nodes, but what about the reachability of tier-2 nodes themselves and its customers which cannot afford to multihoming? How does BGP solve this reachability problem when it gets a request to a prefix unreachable? I think that likely you're looking at partial data (well I am sure you are, since I'm part of the internet and you didn't get routing data from me...) and not seeing paths because of that. The BGP tables of a single node list all outward paths to other places. Thus from a single sample point it is totally impossible to 'map' the internet. Not to mention the *constant* change in routing.
Re: Traceroute with ASN
--On Tuesday, March 15, 2005 2:22 AM -0800 Bruce Pinsky [EMAIL PROTECTED] wrote: Ziggy David Lubowa wrote: | On Tue, 15 Mar 2005 17:51:32 +0800 (CST), Joe Shen wrote | | Yes. Can I do this on a Linux box without having to | install Zebra BGP on it? | | | Doesnt look like you have to, below is the link to the tarball | | http://oppleman.com/dl/?file=lft-2.3.tar.gz | According to the doc, it relies on RADB for its info, so it *might* not be as accurate as an actual BGP feed. I'm certain in many cases it isn't. Since many OPs don't even know about RADB, and RADB charges for ability to register and update. How much? $250/yr. That's buried on their 'about' page. Why? I don't know, terrible site design though. Who goes into an 'about' page looking for billing information or fee schedules or price lists.
Re: nanog
--On Sunday, March 13, 2005 10:28 PM -0500 Jay R. Ashworth [EMAIL PROTECTED] wrote: But note that the OP does not have a MOV issue; he has an inspector issue. His best answer there may be buying outlet strips that offer no surge protection. He likely will need to first pin the inspector down on what rules he's allegedly broken, however. This is the most cogent point to date, and the one I made off list: ask him to quote chapter and verse. Yeah, I am waiting on the exact code violation to come down. FWIW the overall consent from various fire marshals is 'yes, it's fine' but some had misgivings about it. Understandable, and strictly according to at least one rule book it isn't allowed.
Fire Code/UFC Regs?
OK this is only probably marginally operational. Yesterday we were inspected (quite thoroughly I might add.) by the city fire inspector for Missoula, MT...Now we did have a couple of things I know need fixing, an emergency light with a dead battery upstairs, I'm using a long orange extension cord w/o a breaker on it for my monitor at my desk. And one incidence where we had some piggy-backing going on. Now what I'm asking is this: we were told that you can NOT plug in breaker protected six outlet strips into battery backup units such as APCs, and we were (or are) being written up for that. My understanding is that most/all (at least APC units) are properly de-rated (per UFC) and you *can* plug in additional breaker protected extension cords into these units. The problem is if this is not the case we'll be having to put a LOT more BBUs out into our office for workstations than what we planned. I've also never seen this cited as a problem but I could just be ignorant too. Please reply off-list. Sorry if anyone feels like this is a waste of time, but if there is interest I will summarize on list. If this really is true then I can see a lot of places breaking this fire code even here locally. I'm not sure what part of the code it is but he's stated that if I can get him some form of documentation from the manufacturer or something then he can make a deviation. With a 2200VA unit only having 4-6 outlets on it I can't see *not* using additional power strip off the back of it. Thanks guys, back to the regular NANOG channel... -- GPG/PGP -- 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
Re: Utah considers law to mandate ISP's block harmful sites
--On Friday, March 04, 2005 11:06 AM -0500 Patrick W Gilmore [EMAIL PROTECTED] wrote: Would unplug your cable qualify as a way to disable access? In the same way the FCC allowed TV to so graciously implement the 'V-CHIP' technology? I doubt it. Aside from the normal bents of Utah, I bet 'someone' is lobbying the Utah officials. Lots of money to be made, and lost.
Re: vonage routing issues
I'm seeing the same problem here from two points, dropping dead inside/customer edge at ALTER... also can't get to their site. I don't know about my Vonage phone at home though. I can check it when I finally make it home tonight but by then it will probably clear up... Whatever it is, it's not local.
Re: AOL scomp
--On Thursday, February 24, 2005 10:18 AM -0800 chuck goolsbee [EMAIL PROTECTED] wrote: It's too bad that about 1/3 of the reported mails are valid opt-in lists. The other 1/3rd are actual spam, but legitimately forwarded as the user requested from a personal or business domain to an AOL account. Any server in the path gets tagged as a spam source. Actually only the server that connected to AOL and relayed the mail into them. I have this same kind of gripe/complaint. Only for me about 2/3rds of my scomp reports are this. The other third are the below...only very rarely is an actual spam reported from our system, except in the case of where we occasionally have a fraudulent signup come through and then start spamming. And the remaining third seems to be just plain old normal personal correspondence ... which I find weird. This happens because, at least in many versions I don't know about currently, DELETE and SPAM buttons were right next to each other, causing mis-clicks.
Re: IRC Bot list (cross posting)
--On Wednesday, February 09, 2005 11:28 +0200 Gadi Evron [EMAIL PROTECTED] wrote: Why is it a bad idea then? Because not all of us are Bill Nash who won't pwn a user. The same can easily be said for ANY public forum.
Re: Time to check the rate limits on your mail servers
--On Thursday, February 03, 2005 11:42 + [EMAIL PROTECTED] wrote: Do you let your customers send an unlimited number of emails per day? Per hour? Per minute? If so, then why? Because there are *NO* packages available that offer limiting. Free or commercial.
Contact point for Lockheed Martin...
Does anyone have a live and clueful contact point for Lockheed? They're running some badly broken proxy software that requests HTTP keepalive service, then 'forgets' about the connection. After forgetting about the connection it makes new ones. Right now I'm playing whack-a-mole as whatever proxy system they're using seems to figure out when I'm blocking them and find another route out of their network. I did have one from 'chase manhattan bank' as well, or IPs controlled by them, and from a different ASN, so maybe this is pretty widespread, maybe not. I need to at least first find out what proxy software this is because it's getting bloody ridiculous. -- GPG/PGP -- 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
Re: Those interested in NANOG governance, please read...
--On Monday, January 24, 2005 16:35 -0500 John Fraizer [EMAIL PROTECTED] wrote: Sadly, I won't be attending but, I'm sure someone from Cisco and/or PCH will be there and can probably come up with the VoIP phone. There are many folks on the INOC-DBA system who are running Asterisk as well so, setting up a conference bridge is trivial. An ATA-186 with a hybrid on it (to get the PA audio cleanly into the phone) would be an ideal situation. Perhaps there is someone with broadcast engineering experience (besides me) that can assist in this. I made an attempt this past weekend to get INOC-DBA setup on our Asterisk system and ran into lack of documentation and inaccurate/wrong documentation on the inoc-dba site. Specifically I had/have no way of adding a phone because the ASNxxnn format for MAC address just results in an 'invalid MAC address' error message. I'm also not quite clear on why there's not a 'asterisk users click here' instead because asterisk users don't need the config file. I haven't had a chance to pose the question to the list and searching via google yielded very little information.
Registrar and registry backend processes.
I think, briefly, that we need to force Verisign and the registrars to be FAR more public about the backend process for WHOIS data and for the TLD zone data. Especially with .com, .net, and probably .org, and this latest failure of 'the system' and the obvious lack of information on 'the system.' It's clearly broken, and needs to be put up for public review by 'the powers that be' so that it can be fixed. What's happening now feels close to a boiler room poker game, no one seems to know all the players, and even fewer know all the rules, so in the end everyone is a loser. I know this is adding fuel to the proverbial fire, but apparently we need to burn out this thing so we don't get scorched by yet another unexpected fire.
Internap power outage?
From hitting LiveJournal's home page there is/was a major Internap power outage? Any details? Related to Y! Financials outage? -- Undocumented Features quote of the moment... It's not the one bullet with your name on it that you have to worry about; it's the twenty thousand-odd rounds labeled `occupant.' --Murphy's Laws of Combat
Re: Weekly Routing Table Report
--On Friday, January 07, 2005 18:15 -0600 Jerry Pasker [EMAIL PROTECTED] wrote: This was about the weekly routing table report, but I'm going to bring in some numbers from the CIDR report. It would be back down to 140k if the dirty 30 top offenders in the CIDR Report would aggregate their routes. Someone's going to have to draw a line in the sand at some point, and someone thinking locally and acting globally is going to be punished by the globe. Don't ask me how this could work, because I don't have an answer. Yeah I've been noticing this problem myself too...I'm between 150k and 151k at my various peers. Most of the gear at my edges should be fine well past the 250,000 mark or so, but I know of people who are having problems right now, even if they don't know it. What, really, could be done to curtail these offenders? Maybe I'm the Dirty 30 T-Shirts could be made up and handed out. (I wonder if a couple of major routing vendors, who profit from routing table growth, would sponsor the creation of the t shirts snicker...) -Jerry -- GPG/PGP -- 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
Re: verizon.net and other email grief
--On Friday, December 10, 2004 12:30 -0800 Paul Trebilco [EMAIL PROTECTED] wrote: Christopher X. Candreva wrote: That would be 1000's of other people's servers getting traffic from you because someone forged their address in the spam. You are effectively doubling the total load spam places on the net. This doesn't scale. How so? Are you maybe confusing reject with bounce? If address verification takes place while the SMTP connection is still up, no forged addresses get messaged, at least not by the server doing the rejecting. The other part is that you CACHE the answer you get (good, bad, or indifferent). I think that SPF+sender address verification is a GOOD thing when properly implemented. Yes it can be a bit of a hassle, but you shouldn't be sending mail you're not prepared to bounce. That said, none of my sites are running a current enough version of Postfix to do this.
Re: verizon.net and other email grief
--On Friday, December 10, 2004 15:38 -0500 Paul G [EMAIL PROTECTED] wrote: - Original Message - From: Paul Trebilco [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, December 10, 2004 3:30 PM Subject: Re: verizon.net and other email grief How so? Are you maybe confusing reject with bounce? If address verification takes place while the SMTP connection is still up, no forged addresses get messaged, at least not by the server doing the rejecting. oh, so you would be ok with someone joe-jobbing you on their 1 million messages/day spam run and getting 1 million 'verification' connections to your mailserver farm? Far less traffic than the bounces would create at both ends. Yes this doesn't prevent it from happening if the address is real, but that's why I mentioned SPF in my previous email. That helps to verify the sender can send email for a given domain, and if that passes, then you want to see if the sender exists, if both pass then you can go on to other methods. Of course I'd first check blacklists before any of this, but that's my personal preference.
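The check order described in this thread (blacklist first, then SPF, then sender address verification while the SMTP connection is still open, with the verification answer cached), as an added example that is not part of the original posts. The injected lookup functions, cache lifetimes, reply texts, addresses and the `joe_job` helper are assumptions made for illustration.

```python
"""Added example: reject-at-SMTP-time sender checks with a verification cache.
All hosts, addresses and lookup tables below are constructed for the demo."""
import time
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class SenderVerifier:
    # The three lookups are injected so the example runs offline; a real MTA
    # would do a DNSBL query, an SPF evaluation and an SMTP callout here.
    is_blacklisted: Callable[[str], bool]
    spf_result: Callable[[str, str], str]   # "pass", "fail" or "none"
    callout: Callable[[str], bool]          # True if the sender's MX accepts it
    ttl_good: float = 3600.0                # assumed cache lifetimes, in seconds
    ttl_bad: float = 600.0
    clock: Callable[[], float] = time.monotonic
    callouts_made: int = 0
    _cache: Dict[str, Tuple[bool, float]] = field(default_factory=dict)

    def _sender_exists(self, sender: str) -> bool:
        """Ask the sender's MX at most once per TTL; good and bad answers are cached."""
        now = self.clock()
        hit = self._cache.get(sender)
        if hit is not None and hit[1] > now:
            return hit[0]
        exists = self.callout(sender)
        self.callouts_made += 1
        ttl = self.ttl_good if exists else self.ttl_bad
        self._cache[sender] = (exists, now + ttl)
        return exists

    def check(self, client_ip: str, mail_from: str) -> str:
        """Return the SMTP reply to give while the connection is still open."""
        if self.is_blacklisted(client_ip):
            return "554 client host blocked"
        if mail_from == "":
            # Null sender (bounces): nothing to verify, never call out on it.
            return "250 ok"
        local, _, domain = mail_from.rpartition("@")
        if not local or not domain:
            return "501 bad sender address syntax"
        domain = domain.lower()
        if self.spf_result(client_ip, domain) == "fail":
            return "550 SPF check failed"
        if not self._sender_exists(f"{local}@{domain}"):
            return "550 sender address does not exist"
        return "250 ok"


# Constructed sample data (documentation address ranges and example domains).
BLACKLIST = {"198.51.100.66"}
SPF_SENDERS = {"spf.example": {"192.0.2.10"}}   # domains that publish SPF
MAILBOXES = {"alice@spf.example", "victim@nospf.example"}


def build_verifier(clock: Callable[[], float] = time.monotonic) -> SenderVerifier:
    def spf(ip: str, domain: str) -> str:
        allowed = SPF_SENDERS.get(domain)
        if allowed is None:
            return "none"
        return "pass" if ip in allowed else "fail"

    return SenderVerifier(
        is_blacklisted=lambda ip: ip in BLACKLIST,
        spf_result=spf,
        callout=lambda addr: addr in MAILBOXES,
        clock=clock,
    )


def joe_job(verifier: SenderVerifier, client_ip: str, forged_from: str, messages: int):
    """Feed identical forged envelopes; return (reply counts, callouts made)."""
    replies = Counter(verifier.check(client_ip, forged_from) for _ in range(messages))
    return dict(replies), verifier.callouts_made


if __name__ == "__main__":
    spammer = "203.0.113.7"
    for sender in ("alice@spf.example", "victim@nospf.example", "ghost@nospf.example"):
        print(sender, joe_job(build_verifier(), spammer, sender, 100000))
```

With SPF published, the forged run is rejected without contacting the forged domain at all; without SPF, the forged domain sees one verification connection per cache lifetime rather than one per message.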
Re: I want my own IPs
--On Friday, November 12, 2004 14:14 -0500 Alex Kamantauskas [EMAIL PROTECTED] wrote: Yep, I blinked while going through the small town of ARIN Policy and missed it :) ARIN Number Resource Policy Manual, 4.2.2.2: When requesting a /22, demonstrate the efficient utilization of a minimum contiguous or noncontiguous /23 (two /24s) from an upstream. I'm still not exactly clear on the definition of 'efficient utilization' --- in other places it mentions 80%, but that's only as ISP allocation and request for additional space... Anyone have a pointer as to the ARIN official definition of this language?
RE: I want my own IPs
--On Friday, November 12, 2004 15:43 -0500 K. Scott Bethke [EMAIL PROTECTED] wrote: I have to second this, it really is a simple process. I continue to hear horror stories from people who BELIEVE that it is hard to get PI space. Read the policy, submit the documentation that they ask for and you will do fine. In general I really like the fear factor. Honestly I think it helps keep overall utilization of v4 space down :) I certainly agree, I've never had any problems dealing with ARIN. The documentation burden and paperwork burden is extremely low too compared to many other processes I go through daily.
Re: Verisign vs. ICANN
I'm not a lawyer but I still think businesses have a valid lawsuit against Verisign for whatever the legal term is for using their copyrighted names and likenesses. With SiteFinder it guarantees Verisign 'owns' any domain a particular company may not have yet purchased until such time that they do. And until they do their property gets branded as if it were Verisign's. That's my chief complaint against Verisign. There is also the problem that no one can easily verify non-existence of ANY domain when the SiteFinder is deployed with the Wildcard A record, this is almost certainly detrimental. The BIND source was modified in response to CUSTOMERS REQUESTS. It seems as though Verisign intends to implement its will by legal maneuvering. It's akin to Microsoft being told by say RedHat that they can't have multiple user logins because Linux does that. Or that Windows can't have a good, useful CLI subsystem even though customers are clamoring for it. I'm not certain what other legal beef Verisign may have with ICANN (and any of the others mentioned in their legal proceedings) but it's certainly not any conspiracy, an option was simply provided at the outcry by a large, well respected, technical community to a change in infrastructure we all rely on that caused problematic effects. It's very regrettable that Verisign's lawyers decided it was necessary to go about this. As part of a disclaimer: Any various mentioned parties were used above in a purely hypothetical manner and do not represent any companies' actual intentions. Any mentioned copyrighted names are the property of their respective copyright or other property holders.
RE: Quick question.
--On Saturday, July 31, 2004 20:51 -0700 Michel Py [EMAIL PROTECTED] wrote: For PCs I install dual Xeons on every production machine for example, even though the CPU power needed for some is a 486; Intel processors do die like anything else; a processor dying will typically lead to a system crash, but it does reboot in single-processor mode when the graveyard dude pushes the reset button. I also try to have RAID-10 arrays span over two raid cards; same as CPUs, a RAID card that dies will likely crash the system but it will reboot in degraded mode. Eh really? Whenever I've lost a second CPU (primary or secondary) the machine was a brick until the secondary CPU was gutted and for Piii slotted systems a terminator board was installed in the secondary slot. What motherboard(s) you using that are holding up to failures like this? My experience has shown PSU and motherboard failures are far more common than CPUs. -- Undocumented Features quote of the moment... It's not the one bullet with your name on it that you have to worry about; it's the twenty thousand-odd rounds labeled `occupant.' --Murphy's Laws of Combat
RE: T1 short-haul vs. long-haul
hate to say it but what is pictured is not a smart jack, it is as you say a glorified patch. a *TRUE* smart jack DOES have the tiny bit of circuitry necess'y to cause it to loop the line back when nothing is connected to it, some can do it via line signaling as well. in some telco territory what they call a smart jack is, most certainly, NOT. as always, YMMV, SBC/PacBell in SFO area usually does use a true smart jack, but not always. out of a number of t-1s installed for both voice and data while working at 2 Connecticut i was about 80/20 in favor of smart jacks. --On Thursday, July 22, 2004 21:15 -0700 Michel Py [EMAIL PROTECTED] wrote: Christopher Woodfield wrote: In the interest of complicating things further, I think you have NIU and smartjack backwards in your explanation You think, which is a good beginning. Seeing it with your own eyes might be of some interest, NTM that doing it for a living for 20+ years may give new an entire new outlook on it. For the entertainment of non-american readers, wannabes, and rookies I stopped by a T1 MPOE on my way home and took a few photos.
Re: Pushing GTLD zones [WAS: Akamai DNS Issue?]
--On Thursday, June 17, 2004 16:07 + [EMAIL PROTECTED] wrote: think stability. I think recent events prove pretty well that Verisign GRS no longer gives a crap about stability. Have we forgotten *.COM so quickly?
Re: Yahoo mail public notice of problems ?
--On Thursday, June 17, 2004 15:00 -0400 Mike Tancsa [EMAIL PROTECTED] wrote: Is there a notice I can point non Yahoo Mail customers to explaining why there are delivery delays? We are seeing a lot of stalled deliveries again, and it would be nice to point to an explanation by yahoo as to what's up. Stalls are both at the banner not coming up Seeing the same thing as well... apparently not isolated. As far as a notice or anything I'm not aware of any.
Re: Charter blocking Port 25
Well this could explain the large drop in SPAM loads seen by a lot of us (at least in part).
Re: who offers cheap (personal) 1U colo?
--On Sunday, March 14, 2004 19:14 -0600 Stephen Sprunk [EMAIL PROTECTED] wrote: Students have an existing legal relationship with the school; they can be required to accept the AUP in writing at some point during the enrollment process. Experiment ... go to a college dorm that's wired, plug your laptop or PC in, start using the net. Assumption here of course is you're not a student there. Nine times out of ten you won't be challenged and you'll be allowed to use the network. Students also often have friends over that use their systems. Thus you can't assume that every user is a student or faculty. -- Undocumented Features quote of the moment... It's not the one bullet with your name on it that you have to worry about; it's the twenty thousand-odd rounds labeled `occupant.' --Murphy's Laws of Combat
Re: [IP] VeriSign prepares to relaunch Site Finder -- calls
--On Tuesday, February 10, 2004 08:58 -0700 Wayne E. Bouchard [EMAIL PROTECTED] wrote: I still maintain that what sitefinder is trying to do is not really wrong but it's the wrong way to go about it. This is functionality that is strictly for web users. Why should every other protocol that relies on domain name service be subject to this garbage? Precisely! Only web users benefit from this service. And you know what? None of my users did. Caused LOTS of confusion. Does anyone know of a way to get Gartner Group, Nielsen, or some other fairly non-biased large group to do an actual poll/study on this in the next couple of months? If they want to partner with someone to include functionality in their browser such that if gethostbyname() returns NX Domain and subsequently redirect to that site, this is fine by me. But I don't want everything else (ssh, ftp, smtp, pop, imap, etc, etc, etc) to have to compensate for the wildcard record. Making everyone else adjust just so that Verisign can earn another penny per share is just wrong. We've all been saying this all along... Question is how to make it heard? Who has contacts in the media? Who would be willing to submit to interviews? Etc. It's totally ridiculous, but this is a political issue being allowed to affect the technical system, and as is almost always the case, it's a miserable failure. -- Michael Loftis
Re: [IP] VeriSign prepares to relaunch Site Finder -- calls
--On Tuesday, February 10, 2004 10:21 +0530 Suresh Ramasubramanian [EMAIL PROTECTED] wrote: You are of course right. The problem posed by sitefinder in its previous form has been discussed already, and our bind / djbdns resolvers have been patched appropriately to ignore the aberrant behavior introduced by verisign. There ends the operational impact of verisign's decision, till such time as they revive sitefinder, and till such time as resolver patches in existence are modified if necessary to cope with the new edition of sitefinder. But that's a HUGE operational impact. Now we're all expected to go around and run patched versions of our resolvers or nameservers to get around a company using shady tactics to just increase its bottom line! Let's say it takes on average about 10 minutes per machine to do the necessary changes, I'll have to spend several hours installing patched software for something that is harmful. They remove the ONLY method for testing if a domain exists or not, and certainly the only 'lightweight' method. Not to mention there is no guarantee the patch will continue to work. We already know of a few ways in which it can break, and anything we do to get around those surely introduces maintenance or other headaches. Who's going to pay me to maintain these parts of systems that until now just worked? Who's going to pay any of us? Not VeriSign. But they'll be making quite likely millions off of the hijacked hits. So I ask again, who's going to pay for my time to that? Last time they turned this thing on globally I also spent at least two hours on the phone trying to explain it to various users. And what about the systems or platforms that *CAN'T* be patched? What about systems that have long depended on the way things are supposed to work? -- Michael Loftis
Re: incorrect spam setups cause spool messes on forwarders
I personally haven't seen ANY validation, just an arbitrary block that's been in place for over a month without cause, reason, or even any ability to contact them. It appears nobody at verizon is at the helm anymore. I've tried several times to contact abuse, postmaster, etc, and even a couple people from this list gave me or forwarded my plight to internals with no results. Modwest is still being blocked. Perhaps not very operational in content though here... --On Monday, December 01, 2003 13:46 -0500 Neezam Haniff [EMAIL PROTECTED] wrote: On Mon, 1 Dec 2003, Suresh Ramasubramanian wrote: So this would connect to the MX of gerbangmail.com and try to verify that [EMAIL PROTECTED] exists. Out of curiosity, would you know offhand how they do the validation? Neezam. -- GPG/PGP -- 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
Apologies but...Verizon Postmaster?
I have been trying for weeks to get in touch with someone who will respond with something other than a form letter at Verizon. Can someone please contact me off-list? My company (Modwest) is being unilaterally blocked. I can't even send mail to abuse, postmaster, etc. from an @modwest.com address because of the block in place without a reason and without recourse. TIA, and I'm sorry for posting here but it's really my last resort (as it should be anyone's IMHO). -- GPG/PGP -- 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
Re: Portable Cooling
--On Wednesday, November 12, 2003 16:07 + [EMAIL PROTECTED] wrote: I searched the archives and couldn't find anything about a portable cooling units so am resorting to posting, sorry if it's redundant. I am setting up a development lab and need additional cooling on a temporary basis. snip IMHO, portable coolers are a bad idea. They add noise to the environment and increase the overall heat level due to the consumption of electricity. When we had them in our office for a week, I started working 3 hour days to escape the hellish atmosphere. In the past I regularly worked in buildings that were 35 degrees Celsius indoors (2 degrees C less than core body temperature) and it was much more comfortable than that week with the portable coolers. There are air to water a/c units or chillers. We used one such unit. They can be located just about anywhere since they can pump, or be fed water through a hose, and drain via another hose. In fact we have the unit still for sale if anyone is interested they may contact me privately and I'd be glad to give you any details you may need. The manuf. is Koldwave BTW. -- Undocumented Features quote of the moment... It's not the one bullet with your name on it that you have to worry about; it's the twenty thousand-odd rounds labeled `occupant.' --Murphy's Laws of Combat
RE: Verizon Postmaster contact?
Getting 550's all day on MAIL FROM: [EMAIL PROTECTED] -- noticed it because we're running billing. --On Monday, November 03, 2003 20:29 -0500 Charles Sprickman [EMAIL PROTECTED] wrote: On Mon, 3 Nov 2003, Dennis Dayman wrote: I am working on the issue(s) now. The only problem is, you're not getting my replies because you are also now deferring mail from this ISP as well... It sounds like something is either a bit overzealous, or more likely, broken. Anyone else want to dig around for VZ deferrals? Thanks, Charles -- Dennis Dayman Verizon Internet Services Operations Security and Legal Compliance -- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anne P. Mitchell, Esq. Sent: Monday, November 03, 2003 2:24 PM To: [EMAIL PROTECTED] Subject: Re: Verizon Postmaster contact? I see VZ was not kind enough to put any contact info in Jared's NOC list. They are currently blocking all mail from an ISP customer of mine (based on the envelope From, not IP), and I need to get someone on the phone to clear this up. Verizon is listed in EDDB; I think that I've made this offer here before, but anybody who'd like to participate in EDDB, and who otherwise qualifies, can have a healthy Nanog Discount, or even be listed only (no access) for free. EDDB is at http://www.isipp.com/eddb.php In the meantime, Charles, may I forward your note to the Verizon contact? Anne Anne P. Mitchell, Esq. President/CEO Institute for Spam Internet Public Policy Professor of Law, Lincoln Law School of SJ -- GPG/PGP -- 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
RE: Site Finder
I have a good one, when was the last time a telco asked any of us, or anyone for that matter, how to handle an NPA-NXX assignment? or LERG? NEVER. We're not qualified to make decisions like that because we don't know what the effects could or would be. Likewise VeriSign obviously doesn't, nor do the general populace. As many have suggested if VeriSign wants to do this they can as a browser plugin or feature. I for one am going to be dumping all traffic bound to SiteFinder. --On Thursday, October 16, 2003 9:38 AM -0700 Owen DeLong [EMAIL PROTECTED] wrote: They claim to be representing the USER community and to know better than we what they end users want. They think we're just a bunch of geek engineers that are unwilling to embrace new ideas. Most of all, they think they can make money this way, and, they don't really care about anything else. They're just trying to manipulate things so that the backlash doesn't cause them too much difficulty as they inflict this on the internet. Owen
Re: (on-topic) / RE: Site Finder
My bad I should've been more specific, that is indeed what I will personally be doing on any networks that I can, which should be basically everything. I'm also considering the other alternative suggested by some, which is to push traffic to a host of my own. I will have to do something about email bound for mis-spelled domains because I do not and will not trust some anonymous third party even with my users' mis-spelled domain names. So I think one way or another I'm going to be forced into doing work that I don't have time, nor desire to do, just to provide my users with the services they expect. As I'm sure a number of places are going to have to do. Not really networking related -- but -- when VeriSign had SiteFinder turned on before I experienced markedly larger mail queues because of brain-damaged Snubby and/or mail rejector. Not really a problem for my MTA, but more of an issue that I can only imagine how much this caused really big ISPs like AOL to increase the amount of email in their outbound queues. --On Thursday, October 16, 2003 2:20 PM -0500 Bryan Bradsby [EMAIL PROTECTED] wrote: I for one am going to be dumping all traffic bound to SiteFinder. One (operational) suggestion. Kindly return an icmp [net|host|port] unreachable, not just a route to /dev/null. Just a thought about the (waste of) client retries and timeouts. Thank you, -bryan bradsby -- Undocumented Features quote of the moment... It's not the one bullet with your name on it that you have to worry about; it's the twenty thousand-odd rounds labeled `occupant.' --Murphy's Laws of Combat
Massive sprintlink problems?
Anyone else seeing this:: (1sec+ delay to my idle DSL line across sprintlink...) traceroute is definitely taking an asymmetric path, since pings and tcp connections are consistent 1sec plus RTT starting somewhere in seattle or tacoma.tok? tokyo? Anyway before I start rattling this around I wanted to see if anyone else is seeing this to/from other destinations.

[EMAIL PROTECTED]:~# traceroute shell.wgops.com
traceroute to shell.wgops.com (66.92.192.108), 30 hops max, 38 byte packets
 1 r1 (216.129.251.1) 0.196 ms 0.230 ms 0.257 ms
 2 ag125.montanavision.com (216.220.20.125) 0.447 ms 0.300 ms 0.351 ms
 3 ag102.montanavision.com (216.220.20.102) 8.643 ms 13.078 ms 8.646 ms
 4 sl-gw10-che-2-0-TS1.sprintlink.net (144.223.8.57) 19.749 ms 17.973 ms 19.443 ms
 5 sl-bb20-che-3-0.sprintlink.net (144.232.15.145) 19.545 ms 19.301 ms 19.513 ms
 6 sl-bb23-chi-6-0.sprintlink.net (144.232.19.194) 37.906 ms 37.168 ms 37.574 ms
 7 sl-bb24-chi-15-0.sprintlink.net (144.232.26.101) 36.751 ms 35.515 ms 35.890 ms
 8 sl-bb21-sj-8-0.sprintlink.net (144.232.20.161) 153.128 ms 133.215 ms 272.201 ms
 9 sl-bb22-sj-15-0.sprintlink.net (144.232.3.162) 84.783 ms 83.089 ms 83.520 ms
10 sl-bb20-tok-10-0.sprintlink.net (144.232.9.243) 207.685 ms 208.017 ms 209.261 ms
11 sl-bb21-tac-8-2.sprintlink.net (144.232.19.243) 449.450 ms 446.199 ms 447.872 ms
12 sl-bb22-tac-15-0.sprintlink.net (144.232.17.94) 463.037 ms 1243.175 ms 444.169 ms
13 sl-bb20-sea-0-0.sprintlink.net (144.232.9.150) 1300.127 ms 1245.757 ms 1247.772 ms
14 sl-gw11-sea-7-0.sprintlink.net (144.232.6.126) 1247.891 ms 1246.780 ms 1245.041 ms
15 sl-internap-89-0.sprintlink.net (144.228.94.118) 198.635 ms 196.617 ms 196.579 ms
16 border26s.ge2-1-bbnet2.sea.pnap.net (206.253.192.227) 196.374 ms 196.691 ms 196.872 ms
17 * * ge0-0-0.brd-1-sea.speakeasy.net (206.191.168.200) 206.800 ms
18 fe2-0.spk-2-sea.speakeasy.net (206.191.168.196) 198.894 ms 197.410 ms 197.248 ms
19 kurak.wgops.com (66.92.192.248) 228.267 ms 225.835 ms 226.328 ms
20 shell.wgops.com (66.92.192.108) 226.949 ms 223.640 ms 224.977 ms

-- GPG/PGP -- 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
Re: Massive sprintlink problems?
According to speakeasy system status page (my DSL provider at the other end there)... It seems though it's rather more widespread than what this notice makes it out to be. 09/26/03 02:18:07 PM Seattle POP Packet Loss Region : Seattle E.T.A. : (none) Services Affected : Some broadband services We are presently seeing packet loss on one of our Seattle POPs backhaul circuits caused by an unexpected increase in traffic caused by Internet worms. We will be fully upgrading this POP within the next few months and are presently investigating interim solutions to these packet loss issues. -- GPG/PGP -- 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
RE: If Verisign *really* wants to help ...
I'm fairly certain the previous poster is talking not-in-service numbers, not busy numbers. Busy number redial is available here in the states, but most places you have to bang a *XX code when you get the busy signal, you don't tend to get any recording for it. Not in service numbers may get the LATA unable to connect or unable to route service depending on if the number you dialed was even in LERG. The system only does that in the event that it actually rang (and ringing in this sense doesn't mean you heard a ring generator on your end). And yes, for the benefit of the others on NANOG, the process is more complicated than that, so let's not start another even further off-topic thread on the TDM/POTS system. And how it routes, or fails to route, calls. --On Saturday, September 20, 2003 6:59 PM -0400 Vivien M. [EMAIL PROTECTED] wrote: Just out of curiosity, why did they discontinue it? Here in Bell Canada land, this type of thing has been around for hm... 8 years or so? There was a big outcry the first week or so from dialup users (at the time, busy signals were more common than now), then eventually they all did the *XX code to permanently disable it. It is still enabled on new [residential, at least] POTS lines. Vivien -- Vivien M. [EMAIL PROTECTED] Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/ -- Undocumented Features quote of the moment... It's not the one bullet with your name on it that you have to worry about; it's the twenty thousand-odd rounds labeled `occupant.' --Murphy's Laws of Combat