Re: OT: old farts recollecting -- Re: ASR1002
On Tue, 2010-01-19 at 17:42 -0800, Bill Stewart wrote: Could the comment actually have been about pay telephones, which were once common in cities? Good point Bill, which, if so, would place the comment at or about the start of the cellfone introduction. @Jim, maybe it's more a telco/2600 thing? None of my overnite greps through old saved chats/snippets came up with anything remotely like it, sadly. I tried a few gopher/archie searches but the system is in very poor shape these days, a shadow of its early-90s usefulness. Maybe it was on Fidonet or similar? Anyone else have any input? Please ask your old folks ;) Gord
Re: OT: old farts recollecting -- Re: ASR1002
On Wed, Jan 20, 2010 at 08:30:52AM +, gordon b slater wrote: On Tue, 2010-01-19 at 17:42 -0800, Bill Stewart wrote: Could the comment actually have been about pay telephones, which were once common in cities? Good point Bill, which, if so, would place the comment at or about the start of the cellfone introduction. @Jim, maybe it's more a telco/2600 thing? found it, actually was once in my .signature: "The telephone, for those of you who have forgotten, was a commonly used communications technology in the days before electronic mail. They're still easy to find in most large cities." -- Nathaniel Borenstein i'm guessing this is before the mobile phone explosion. -- Jim Mercer j...@reptiles.org +92 336 520-4504 "I'm Prime Minister of Canada, I live here and I'm going to take a leak." - Lester Pearson in 1967, during a meeting between himself and President Lyndon Johnson, whose Secret Service detail had taken over Pearson's cottage retreat. At one point, a Johnson guard asked Pearson, "Who are you and where are you going?"
Re: OT: old farts recollecting -- Re: ASR1002
On Wed, 2010-01-20 at 03:35 -0500, Jim Mercer wrote: The telephone, for those of you who have forgotten, was a commonly used communications technology in the days before electronic mail. They're still easy to find in most large cities. -- Nathaniel Borenstein Oh, the irony. A quote from Mr MIME himself :) i'm guessing this is before the mobile phone explosion. ...or before acoustic couplers were junked perhaps.
Re: OT: old farts recollecting -- Re: ASR1002
The telephone, for those of you who have forgotten, was a commonly used communications technology in the days before electronic mail. They're still easy to find in most large cities. -- Nathaniel Borenstein i'm guessing this is before the mobile phone explosion. Good old one. It's funny how we circle around with technology, folks are dumping their phone land lines and adopting wireless/mobile that required a substantial technology leap and investment and now we are using the mobile phone to text an incompressible dialect worse than the early teletype/telex days but with a humongous infrastructure to support it. Ohh yeah, now we can send sort of a telegram with multiple fonts and colors almost from anywhere... Cheers Jorge
2009 Worldwide Infrastructure Security Report available for download.
[Apologies for any duplication if you've seen this notification on other lists.] We've just posted the 2009 Worldwide Infrastructure Security Report for download at this URL: http://www.arbornetworks.com/report This year's WWISR is based upon the broadest set of survey data collected by Arbor to date, with the number of respondents doubling from 66 to 132, and much greater input from non-USA/non-EMEA, regional providers. The WWISR is based upon input from the global operational community, and as such, is unique in its focus on the operational security aspects of public-facing networks. Many of you contributed to the survey which forms the foundation of the report; as always, we're grateful for your insight and participation, and welcome your feedback and comments. Thanks much! --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
Re: OT: old farts recollecting -- Re: ASR1002
On Wed, 20 Jan 2010 08:01:50 CST, Jorge Amodio said: Ohh yeah, now we can send sort of a telegram with multiple fonts and colors almost from anywhere... At least it doesn't do <blink>BLINK</blink> ;)
RE: 2009 Worldwide Infrastructure Security Report available for download.
-Original Message- From: Dobbins, Roland [mailto:rdobb...@arbor.net] Sent: Wednesday, January 20, 2010 9:17 AM To: NANOG list Subject: 2009 Worldwide Infrastructure Security Report available for download. [Apologies for any duplication if you've seen this notification on other lists.] We've just posted the 2009 Worldwide Infrastructure Security Report for download at this URL: http://www.arbornetworks.com/report This year's WWISR is based upon the broadest set of survey data collected by Arbor to date, with the number of respondents doubling from 66 to 132, and much greater input from non-USA/non-EMEA, regional providers. The WWISR is based upon input from the global operational community, and as such, is unique in its focus on the operational security aspects of public-facing networks. Many of you contributed to the survey which forms the foundation of the report; as always, we're grateful for your insight and participation, and welcome your feedback and comments. Thanks Roland. I'm wondering if you can clarify why 'Figure 1' only goes up to 2008 and states in key findings "This year, providers reported a peak rate of only 49 Gbps." I happen to personally recall looking at ATLAS sometime last year and seeing an ongoing attack that was on orders of magnitude larger than that. It was interesting to see the observation that DDoS attack scale growth has slowed over the past 12 months, including the authors' belief that this is a result of the upper bounds of IP backbone network capacity (e.g., Nx10 Gbps backbone link rates, awaiting upgrades to 100 Gbps rather than 40 Gbps deployment). It is expected that 100 Gbps will be quickly adopted this year in order to remove the inefficiencies of Nx10 Gbps LAG bundles, and 10 Gbps is likely to start being adopted at the server level. Also there is already talk about Terabit Ethernet sometime in 2015. All of this leads me to believe that attack size will likely increase again as these technologies become more widely deployed.
An interesting observation was the decrease in the use of flow-based tools, and the corresponding increase in the use of things like SNMP tools, DPI, and customer calls for attack detection. Surely this must have been a factor of a larger respondent pool... I'd really like to think people aren't opting not to use flow-based tools in favor of receiving customer calls :( Completely agree on the disturbing observation of the increase in rate-limiting as a primary mitigation mechanism for dealing with DDoS. I've seen more and more people using this as a mitigation strategy, against my advice. For anyone interested in more information on the topic, and why rate-limiting is akin to cutting your foot off, I highly recommend you take a look at the paper "Effectiveness of Rate-Limiting in Mitigating Flooding DoS Attacks" presented by Jarmo Molsa at the Third IASTED International conference. It's nice that the report includes respondent organization types, but what I'd really like to see is number of attacks broken down by industry. I think this would go a long way towards allowing companies to better quantify their risk score and associated spend based on their associated industry. Otherwise, really good stuff. Thanks for sharing! Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
Cisco Security Advisory: Cisco IOS XR Software SSH Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS XR Software SSH Denial of Service Vulnerability

Advisory ID: cisco-sa-20100120-xr-ssh
Revision 1.0
For Public Release 2010 January 20 1600 UTC (GMT)

Summary
=======

The SSH server implementation in Cisco IOS XR Software contains a vulnerability that an unauthenticated, remote user could exploit to cause a denial of service condition. An attacker could trigger this vulnerability by sending a crafted SSH version 2 packet that may cause a new SSH connection handler process to crash. Repeated exploitation may cause each new SSH connection handler process to crash and lead to a significant amount of memory being consumed, which could introduce instability that may adversely impact other system functionality. During this event, the parent SSH daemon process will continue to function normally.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100120-xr-ssh.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects Cisco IOS XR systems that are running an affected version of Cisco IOS XR Software and have the SSH server feature enabled. A system with the SSH server feature enabled will have the command "ssh server [v2]" present in its configuration. Refer to the Cisco IOS XR System Security Configuration Guide at http://www.cisco.com/en/US/docs/routers/crs/software/crs_r3.9/security/configuration/guide/sc39ssh.html#wp1044523 for additional details regarding configuration of the SSH server in Cisco IOS XR Software.

The SSH server can only be enabled in Cisco IOS XR Software if the security Package Information Envelope (PIE) is installed. Administrators can issue the "show install summary" command to confirm whether the security PIE is installed. This command will display an active package similar to platform-k9sec-version or, for example, c12k-k9sec-3.6.1 if the security PIE is installed.

Refer to the Software Versions and Fixes section of this advisory for information on specific affected software versions.

Products Confirmed Not Vulnerable
+--------------------------------

SSH server implementations in Cisco IOS Software and Cisco IOS XE Software are not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco IOS XR Software is a member of the Cisco IOS Software family that uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR Software runs on the Cisco CRS-1 Carrier Routing System, Cisco 12000 Series Routers, and Cisco ASR 9000 Series Aggregation Services Routers. More information on Cisco IOS XR Software is available at http://www.cisco.com/en/US/products/ps5845/index.html.

The SSH protocol was developed as a secure replacement for the Telnet, FTP, rlogin, remote shell (rsh), and Remote Copy Protocol (RCP) protocols, which allow for remote device access. SSH differs from these older protocols in that it provides strong authentication and confidentiality and uses encrypted transactions.

The SSH server implementation in Cisco IOS XR Software contains a vulnerability that an unauthenticated, remote user could exploit to cause a denial of service condition. The vulnerability is triggered when a new SSH handler process handles a crafted SSH version 2 packet, which may cause the process to crash. During this event, a significant amount of memory may be consumed. Repeated exploitation may impact other system functionality, depending upon the size of the available memory and the duration of the attack. Although exploitation of this vulnerability does not require user authentication, the TCP three-way handshake must be completed, and some SSH protocol negotiation must occur. The SSH service will continue to function normally during and after an attack.

During exploitation of this vulnerability, the system may generate the following messages:

RP/0/RP1/CPU0:Jan 14 16:56:34.885 : dumper[59]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 407 for process pkg/bin/sshd_child_handler
RP/0/RP1/CPU0:Jan 14 16:56:34.897 : dumper[59]: %OS-DUMPER-7-SIGSEGV : Thread 1 received SIGSEGV
RP/0/RP1/CPU0:Jan 14 16:56:34.901 : dumper[59]: %OS-DUMPER-7-BUS_ADRERR : Accessed BadAddr 50199000 at PC 4a280c64
RP/0/RP1/CPU0:Jan 14 16:56:34.906 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21733716 (pkg/bin/sshd_child_handler)

This vulnerability is documented in Cisco bug ID CSCsu10574 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0137.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory
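The advisory gives two exposure preconditions (an "ssh server" line in the running config, and a k9sec security PIE in "show install summary") and a crash signature in syslog. The Python below, added here and not part of the Cisco advisory, turns those into checks an operator can run against saved "show" output and a syslog feed. The config and install-summary snippets are constructed, the first four log lines are the ones quoted in the advisory, and the last three log lines are constructed (two further handler crashes and one unrelated process crash as a negative case). The regular expressions assume the line layout shown in the advisory; the affected-version check against the Software Versions and Fixes table is not modelled.

```python
import re
from datetime import datetime

# Constructed sample inputs. The running config and "show install summary"
# excerpt are invented; the first four dumper lines are the ones quoted in the
# advisory, the next two are constructed repeats, the last is an unrelated crash.
SAMPLE_CONFIG = """\
hostname pe1
ssh server v2
ssh server vrf mgmt
interface MgmtEth0/RP0/CPU0/0
 ipv4 address 192.0.2.10 255.255.255.0
"""

SAMPLE_INSTALL_SUMMARY = """\
Default Profile:
  SDRs:
    Owner
  Active Packages:
    disk0:c12k-k9sec-3.6.1
    disk0:c12k-mgbl-3.6.1
    disk0:c12k-mini-3.6.1
"""

SAMPLE_LOG = """\
RP/0/RP1/CPU0:Jan 14 16:56:34.885 : dumper[59]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 407 for process pkg/bin/sshd_child_handler
RP/0/RP1/CPU0:Jan 14 16:56:34.897 : dumper[59]: %OS-DUMPER-7-SIGSEGV : Thread 1 received SIGSEGV
RP/0/RP1/CPU0:Jan 14 16:56:34.901 : dumper[59]: %OS-DUMPER-7-BUS_ADRERR : Accessed BadAddr 50199000 at PC 4a280c64
RP/0/RP1/CPU0:Jan 14 16:56:34.906 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21733716 (pkg/bin/sshd_child_handler)
RP/0/RP1/CPU0:Jan 14 16:56:41.120 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21733801 (pkg/bin/sshd_child_handler)
RP/0/RP1/CPU0:Jan 14 16:56:47.004 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21733950 (pkg/bin/sshd_child_handler)
RP/0/RP1/CPU0:Jan 14 17:30:02.310 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21740001 (pkg/bin/ospf)
"""

# "ssh server" at the start of a config line (bare, "v2" or "vrf ..."),
# which does not match a negated "no ssh server".
SSH_SERVER_RE = re.compile(r"^\s*ssh server(\s|$)", re.M)
# Any package name carrying the k9sec security PIE marker.
K9SEC_RE = re.compile(r"\S+-k9sec-[\w.]+")
# One CRASH_INFO line in the layout the advisory shows.
CRASH_RE = re.compile(
    r"^(?P<node>[^:\s]+):(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\.\d+ : "
    r"dumper\[\d+\]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = (?P<pid>\d+) "
    r"\((?P<proc>[^)]+)\)",
    re.M,
)
SSHD_CHILD = "pkg/bin/sshd_child_handler"


def ssh_server_enabled(config: str) -> bool:
    return SSH_SERVER_RE.search(config) is not None


def security_pie_installed(install_summary: str) -> bool:
    return K9SEC_RE.search(install_summary) is not None


def exposed(config: str, install_summary: str) -> bool:
    """Both advisory preconditions hold. The affected-version check is left
    to the Software Versions and Fixes table and is not modelled here."""
    return ssh_server_enabled(config) and security_pie_installed(install_summary)


def sshd_child_crashes(log_text: str, year: int = 2010):
    """(timestamp, pid) for every sshd_child_handler crash. IOS XR syslog
    timestamps carry no year, so the caller supplies it."""
    hits = []
    for m in CRASH_RE.finditer(log_text):
        if m.group("proc") != SSHD_CHILD:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        hits.append((ts, int(m.group("pid"))))
    return hits


def repeated_crash_alert(log_text: str, threshold: int = 3, window_s: int = 60) -> bool:
    """True when at least `threshold` handler crashes fall inside some
    `window_s`-second window. One crash may be a broken client; a burst is
    the repeated-exploitation pattern the advisory warns about."""
    crashes = sshd_child_crashes(log_text)
    for i in range(len(crashes)):
        j = i
        while j < len(crashes) and (crashes[j][0] - crashes[i][0]).total_seconds() <= window_s:
            j += 1
        if j - i >= threshold:
            return True
    return False


if __name__ == "__main__":
    print("exposed:", exposed(SAMPLE_CONFIG, SAMPLE_INSTALL_SUMMARY))
    for ts, pid in sshd_child_crashes(SAMPLE_LOG):
        print(ts, pid)
    print("burst alert:", repeated_crash_alert(SAMPLE_LOG))
```

The burst detector is deliberately separate from the exposure check: the advisory says the parent sshd keeps serving during an attack, so a working "ssh" login is not evidence that nothing is happening, and the only cheap signal is the rate of sshd_child_handler crashes in the log.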
Idiotic Newstar Networking Equipment Sales Droid
Did anyone here get spam from this idiot? It appears someone is harvesting email addresses from nanog. If you do get any contact from this company PLEASE do not do business with them and tell them you don't buy from spammers. The bottom line is the only thing idiots like this understand and if we buy from them, they'll be encouraged to spam more nanog folks. The guy knows it's wrong as he doesn't even use his own name on the email, so we have to deny purchasing from anyone in the company to have an effect. scott --- Begin forwarded message: From: broadc...@nstnetmail.com To: sur...@mauigateway.com Subject: XENPAK/X2/XFP Date: Wed, 20 Jan 2010 10:28:45 +0800 Hello, How are you? We have below items for hot sale, Sending you the list for reference, please check it, X2-10GB-SR X2-10GB-LR X2-10GB-ER XFP-10G-ER XFP-10G-LR XFP-10G-SR XENPAK-10GB-SR XENPAK-10GB-LR XENPAK-10GB-ER If you are interested, please contact me; we will try our best for you, thanks! B.R Helen Newstar Networking Technology Co., Ltd. Email:nstnetworksa...@gmail.com Aol: Buyfromnewstar
Re: Idiotic Newstar Networking Equipment Sales Droid
On Wed, 20 Jan 2010 09:10:22 -0800 Scott Weeks sur...@mauigateway.com wrote: Did anyone here get spam from this idiot? It appears someone is harvesting email addresses from nanog. If you do get any contact from this company PLEASE do not do business with them and tell them you don't buy from spammers. The bottom line is the only thing idiots like this understand and if we buy from them, they'll be encouraged to spam more nanog folks. The guy knows it's wrong as he doesn't even use his own name on the email, so we have to deny purchasing from anyone in the company to have an effect. I avoid that by only accepting mail to the address I use on this list from nanog.org. I have the reply-to header set to nanog@nanog.org, so no-one should be attempting to mail me directly. -- John
Re: Katrina response, private and public -- call/fax/email specific congress-critters (please)
Folks, I'm trying to keep the competent engineer count at the Boutilliers NAP from decrementing to zero in the very proximal future. One of several problems being worked by several groups of people. Specifically, I want to get the paperwork done so that Dominique Theodore Guerrier, wife of Reynold Guerrier, Karl Nikolas Guerrier, age 3 and Hann Aurelie Guerrier, age 1, may exit Haiti and travel to Deerfield Beach, Florida, where Reynold's sister lives. If the wife and kids are safe, Reynold will stay on site until relieved. Dominique holds a valid passport, the young children do not. I want some of the NANOG list to do something -- a write your congress critter exercise. See below for instructions. Eric There are three avenues to take: tourist visa from State, humanitarian parole from Homeland Security, and a private request by a member of Congress. Of these, the third is the most successful, so that is what I'm asking NANOG contributors to do. Here are the three primary targets: 1. Representative Ron Klein (D-FL), who represents the district in which Reynold's sister lives (Deerfield Beach) 2. Representative Earl Blumenauer (D-OR), whose staff agreed to look into the situation. 3. Senators Cantwell and Murray (D-WA) were both forwarded the information on Reynold, but have yet to commit. Ordered by effectiveness, there is calling the member's district office, calling the member's Washington office (particularly if you provide service in or near the Congressional District or State), followed by fax, followed by email (or ugly webform). When communicating with the staffers of members of Congress, please make the point that this is a key human technical resource for the basic function of government. There's not a lot of point in entertaining legislation to certify operators if we are indifferent to whether there is anyone technically competent left to run what remains after a network compromising event of the first magnitude.
Feel free to use Reynold's mail to NANOG of the 19th: To any of you who wants to help: We would like to provide to the haitian government a UC system with several branches: * President office: 10 Endpoints * PM office: 10 endpoints * 12 mayor city hall offices: 3 for each : 36 endpoints * Ministries (9 different locations, 3 for each) 27 * Communications Center 20 * emergency Clusters 14 Total 117 endpoints Redundant communications. So if someone can provide recommendations, equipment, skilled technician for that it would be fine. Reynold If, after getting your message across to the initial contact, usually a staffer simply doing phones, you get to an immigration interest, either in the initial staffer, or better, the staffer who handles either immigration requests or technology (see below), and you want me to follow-up, send me email with the contact details and either I or a Cornell Law student will follow-up on the wonk details. In addition to the its-the-right-thing reason, there is a self-interest motivation I want you all to be aware of. The three members (above) and one more, Rep. Chellie Pingree of Maine's 1st CD, are targets because they responded to the Cornell Law effort on MLK Day and yesterday. There is another, larger class of Members to be informed -- the Members who currently sit on the House Committee on Science and Technology and the House Committee on Commerce and Energy. Our collective self-interest in informing these Members is that we, as operators, big and small, are capable of issue advocacy.
They already know that our employers, particularly the big ones, are capable of issue advocacy ;-) Committee on Science and Technology: http://science.house.gov/about/members.shtml Commerce and Energy: http://energycommerce.house.gov/index.php?option=com_content&view=category&layout=blog&id=160&Itemid=61 Having completed this exercise, please drop me a line at brun...@nic-naa.net so I can keep count of how many inputs went into the system, and where, and possibly infer a causal relation between outputs, if any, and inputs, and routing within the system.
Re: Idiotic Newstar Networking Equipment Sales Droid
Once upon a time, Scott Weeks sur...@mauigateway.com said: Did anyone here get spam from this idiot? It appears someone is harvesting email addresses from nanog. I've been added to several used-equipment sales droids lists after posting here; I just procmail them straight to the spam folder. I've also been recently added to some Internap newsletter list (without even an opt-out option). Way to make sure I never buy from you! -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
RE: Idiotic Newstar Networking Equipment Sales Droid
These guys don't get it. IF they call and pester me they miss out on a lot of sales. Richey -Original Message- From: Chris Adams [mailto:cmad...@hiwaay.net] Sent: Wednesday, January 20, 2010 12:47 PM To: na...@merit.edu Subject: Re: Idiotic Newstar Networking Equipment Sales Droid Once upon a time, Scott Weeks sur...@mauigateway.com said: Did anyone here get spam from this idiot? It appears someone is harvesting email addresses from nanog. I've been added to several used-equipment sales droids lists after posting here; I just procmail them straight to the spam folder. I've also been recently added to some Internap newsletter list (without even an opt-out option). Way to make sure I never buy from you! -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Re: Katrina response, private and public
Bahamas Telecommunications Company (BTC), the service provider that runs the Bahamas Domestic Submarine Network (BDSNi) submarine cable system linking to Haiti, reported that service has been disrupted as a result of the earthquake that struck the Port-au-Prince area. - The Teleco facility that receives the fiber is completely broken (dust) but most of the technicians are alive and in Port au Prince -M
Re: Katrina response, private and public
On Jan 20, 2010, at 1:20 PM, Max Larson Henry wrote: Bahamas Telecommunications Company (BTC), the service provider that runs the Bahamas Domestic Submarine Network (BDSNi) submarine cable system linking to Haiti, reported that service has been disrupted as a result of the earthquake that struck the Port-au-Prince area. - The Teleco facility that receives the fiber is completely broken (dust) but most of the technicians are alive and in Port au Prince There's an article on the subject in today's Wall Street Journal: http://online.wsj.com/article/SB10001424052748703657604575005453223257096.html -- not sure if it's behind the paywall or not. --Steve Bellovin, http://www.cs.columbia.edu/~smb
RE: Idiotic Newstar Networking Equipment Sales Droid
If they see all of us saying we won't buy from them when they do idiotic things like spamming nanog folks (I can't think of too many groups it would be worse to spam... ;-) they will realize that doing this will not only not generate sales, it will actually prevent future sales from occurring. scott --- myli...@battleop.com wrote: From: Richey myli...@battleop.com These guys don't get it. IF they call and pester me they miss out on a lot of sales. -Original Message- From: Chris Adams [mailto:cmad...@hiwaay.net] option). Way to make sure I never buy from you!
Re: Idiotic Newstar Networking Equipment Sales Droid
On Wed, Jan 20, 2010 at 10:43:27AM -0800, Scott Weeks wrote: If they see all of us saying we won't buy from them when they do idiotic things like spamming nanog folks (I can't think of too many groups it would be worse to spam... ;-) they will realize that doing this will not only not generate sales, it will actually prevent future sales from occurring. you are assuming they actually read the list. -- Jim Mercer j...@reptiles.org +92 336 520-4504 "I'm Prime Minister of Canada, I live here and I'm going to take a leak." - Lester Pearson in 1967, during a meeting between himself and President Lyndon Johnson, whose Secret Service detail had taken over Pearson's cottage retreat. At one point, a Johnson guard asked Pearson, "Who are you and where are you going?"
[NANOG-announce] NANOG 48 is coming up
Stretch your travel dollar further by registering now for NANOG 48, February 21-24, co-hosted by Data Foundry and Giganews in Austin, Texas. The early registration rate prevails through January 21, and the discounted hotel rate expires February 5 or when the room block is full. Rooms are limited so make your reservation soon. We have a great meeting planned, and you can review the draft agenda at http://www.nanog.org/meetings/nanog48/agenda.php. Hotel and travel information, meeting registration, and a list of meeting sponsors and sponsorship opportunities are available through http://www.nanog.org/meetings/nanog48/index.php. Look forward to seeing you there, David Meyer (for the NANOG Program Committee)
Re: Idiotic Newstar Networking Equipment Sales Droid
Scott Weeks wrote: If they see all of us saying we won't buy from them when they do idiotic things like spamming nanog folks (I can't think of too many groups it would be worse to spam... ;-) they will realize that doing this will not only not generate sales, it will actually prevent future sales from occurring. scott If their ISP is on the list, they could have a nice calm chat about their AUP and that would probably end the conversation for everyone...
10Gbps Traffic Test Systems
I am in the market for 10Gbps traffic testers. Here are some of the things I'd like to have: 1) Mixed packet sizes 2) Ramp TCP sessions up/down quickly 3) Many source and destination IPs 4) Ability to ramp traffic up and down 5) Simulate targeted SYN floods 6) 10,000+ packets per second We'll use these devices to test throughput and resource utilization on routers and firewalls/security systems. We'll also test and prove candidate QoS configurations (ie: DSCP41 still works well even when DSCP11 is saturating links). The catch is that I work for a charitable, non-profit with limited resources. I understand you can't have steak on a sardine budget; I'm just trying to find suggestions on a testing platform for thrifty customers! We do not have any existing testing systems other than iPerf on a Mac Mini. Any suggestions, either on-list or off, are welcome and appreciated. Brad Fleming
Re: 10Gbps Traffic Test Systems
I have used Ixia, Spirent AX/4000, Spirent Testcenter and Spirent Smartbits for 1-10GE testing, they've all been able to do the things you ask for - they are quite basic features and any 10GE router tester unit will do what you want. In addition, you should demand much higher than 10Kpps, you should be able to fit roughly 120Mpps of TCP SYN packets into a 10GE ethernet pipe. On 21/01/2010, at 11:04 AM, Brad Fleming wrote: I am in the market for 10Gbps traffic testers. Here are some of the things I'd like to have: 1) Mixed packet sizes 2) Ramp TCP sessions up/down quickly 3) Many source and destination IPs 4) Ability to ramp traffic up and down 5) Simulate targeted SYN floods 6) 10,000+ packets per second We'll use these devices to test throughput and resource utilization on routers and firewalls/security systems. We'll also test and prove candidate QoS configurations (ie: DSCP41 still works well even when DSCP11 is saturating links). The catch is that I work for a charitable, non-profit with limited resources. I understand you can't have steak on a sardine budget; I'm just trying to find suggestions on a testing platform for thrifty customers! We do not have any existing testing systems other than iPerf on a Mac Mini. Any suggestions, either on-list or off, are welcome and appreciated. Brad Fleming
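Before comparing tester datasheets against the requirements above (minimum-size SYN floods, mixed packet sizes, a 10,000+ pps floor), it helps to know how many frames a 10GE link can physically carry. The Python below is an added calculation, not code from either post; it uses only the Ethernet wire overhead (8 bytes preamble+SFD, 12 bytes inter-frame gap, 64-byte minimum frame) and a conventional 7:4:1 IMIX of 64/570/1518-byte frames, which is an assumed mix rather than anything stated in the thread.

```python
# Per-frame Ethernet overhead on the wire that is not counted in the frame
# length: 7-byte preamble + 1-byte SFD, then the 12-byte inter-frame gap.
PREAMBLE_SFD_BYTES = 8
IFG_BYTES = 12
MIN_FRAME_BYTES = 64     # a 54-byte TCP SYN is padded to 60 bytes + 4-byte FCS
MAX_FRAME_BYTES = 1518   # untagged maximum

# Assumed IMIX (weights are frame counts per batch), not a figure from the thread.
DEFAULT_IMIX = {64: 7, 570: 4, 1518: 1}


def wire_bits(frame_bytes: int) -> int:
    """Bits a frame occupies on the medium, including preamble, SFD and IFG."""
    return (max(frame_bytes, MIN_FRAME_BYTES) + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8


def frames_per_second(link_bps: float, frame_bytes: int) -> float:
    """Back-to-back frame rate for a single frame size."""
    return link_bps / wire_bits(frame_bytes)


def imix_frames_per_second(link_bps: float, mix=None) -> float:
    """Frame rate for a weighted size mix: batch of frames per batch of bits."""
    mix = mix or DEFAULT_IMIX
    frames_per_batch = sum(mix.values())
    bits_per_batch = sum(wire_bits(size) * w for size, w in mix.items())
    return link_bps * frames_per_batch / bits_per_batch


def syn_flood_pps(link_bps: float, utilization: float = 1.0) -> float:
    """Minimum-size SYNs per second that fill `utilization` of the link.
    This is the number a tester must source to saturate a 10GE firewall."""
    return frames_per_second(link_bps, MIN_FRAME_BYTES) * utilization


def link_share(pps: float, link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Fraction of the link a given packet rate consumes at one frame size."""
    return pps / frames_per_second(link_bps, frame_bytes)


if __name__ == "__main__":
    ten_ge = 10e9
    print(f"64B frames:   {frames_per_second(ten_ge, 64):,.0f} pps")
    print(f"1518B frames: {frames_per_second(ten_ge, 1518):,.0f} pps")
    print(f"IMIX:         {imix_frames_per_second(ten_ge):,.0f} pps")
    print(f"10,000 pps of SYNs is {link_share(10_000, ten_ge):.4%} of 10GE")
```

The minimum-size figure is the one to hold vendors to: a device that "supports 10GE" but cannot source roughly 14.9 Mpps of 64-byte frames cannot saturate a firewall's per-packet path, which is exactly what a SYN-flood test is meant to do.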
Re: OT: old farts recollecting -- Re: ASR1002
Hello Valdis, On Wed, 20 Jan 2010, valdis.kletni...@vt.edu wrote: On Wed, 20 Jan 2010 08:01:50 CST, Jorge Amodio said: Ohh yeah, now we can send sort of a telegram with multiple fonts and colors almost from anywhere... At least it doesn't do <blink>BLINK</blink> ;) Are we really sure of this ?-} Wave of the future: 3x the amount of data for 1/3 the information. Toodles, JimL -- +--+ | James W. Laferriere | SystemTechniques | Give me VMS | | NetworkSystem Engineer | 3237 Holden Road | Give me Linux | | bab...@baby-dragons.com | Fairbanks, AK. 99709 | only on AXP | +--+
RE: 10Gbps Traffic Test Systems
-Original Message- From: Brad Fleming [mailto:bdflem...@kanren.net] Sent: Wednesday, January 20, 2010 5:05 PM I am in the market for 10Gbps traffic testers. Here are some of the things I'd like to have: 1) Mixed packet sizes 2) Ramp TCP sessions up/down quickly 3) Many source and destination IPs 4) Ability to ramp traffic up and down 5) Simulate targeted SYN floods 6) 10,000+ packets per second We'll use these devices to test throughput and resource utilization on routers and firewalls/security systems. We'll also test and prove candidate QoS configurations (ie: DSCP41 still works well even when DSCP11 is saturating links). The catch is that I work for a charitable, non-profit with limited resources. I understand you can't have steak on a sardine budget; I'm just trying to find suggestions on a testing platform for thrifty customers! We do not have any existing testing systems other than iPerf on a Mac Mini. Testing QoS generally requires highly specialized equipment that can send at line-rate and has highly accurate timing. This is necessary to analyze the impacts of latency and jitter, in addition to testing the impact of throughput in multi-queue prioritization tests. Likely this means that the cheaper options are not sufficient unfortunately, and doubly so because you want 10Gbps. I have used Spirent, Ixia, and Agilent boxes with great success, especially in the area of QoS testing. Any one of these should be able to perform well with all of the requirements stated above. Don't go for the Breakingpoint box unless you enjoy banging your head against the wall when you can't do many of the things they claim to be able to do - I was once a proponent of theirs until I really got under the hood, save yourself the headache and look at the other alternatives. Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
Re: Katrina response, private and public
On Jan 19, 2010, at 3:56 PM, Martin Hannigan wrote: Re your plan to potentially run a cable from SD to PaP. Interesting. Looks like 300nm to me. I think you're going to need op amp and power. The idea was to do a festoon cable instead, landing at coastal towns along the way, and using Ethernet switches to break out local service as well as repeating signal. On the Columbus run, they're going to need a landing station. Yep, I expect they hope that the situation will work in their favor, and that they'll be granted one, which would break Teleco's current landing monopoly. I'm going to speculate that this is part of BTC's problem; no landing station of the subsea route was disrupted by the quake The landing station building collapsed. There's no evidence of any damage to the fiber, though that's possible as well. I'd be thinking microwave and towers. Faster. Cheaper. They've already got that, but faster only in the sense that it's already done... They're limited to a few STM1s, which were quickly overwhelmed by the relief workers. This is a common problem in disaster relief, we saw it particularly when we were working in Indonesia and Thailand during the tsunami... An area that had quite modest Internet usage, and infrastructure which may not be great, but is sufficient to its present requirements, gets a flood of relief workers in who all want to use Skype simultaneously, and determine that the perfectly-functional and previously-sufficient Internet is broken and needs to be reengineered. The existing chain of microwave relays is the Haitian ISPs' fix for the problem of Teleco having a monopoly fiber landing and setting astronomical prices on access to it. I'm not interested in reengineering anything, but I am interested in making sure that if aid money goes to the incumbent to fix their fiber, at least the community gets something out of it in the form of the monopoly being broken. 
Otherwise the fiber being fixed does no one any good, because they still won't be able to use it, same as before the earthquake. It's very easy to spend money and make things worse than they were before. -Bill
Re: 10Gbps Traffic Test Systems
Rent an EXFO TGE packet blazer

On 1/20/10, Stefan Fouant sfou...@shortestpathfirst.net wrote:

-Original Message- From: Brad Fleming [mailto:bdflem...@kanren.net] Sent: Wednesday, January 20, 2010 5:05 PM

I am in the market for 10Gbps traffic testers. Here are some of the things I'd like to have:
1) Mixed packet sizes
2) Ramp TCP sessions up/down quickly
3) Many source and destination IPs
4) Ability to ramp traffic up and down
5) Simulate targeted SYN floods
6) 10,000+ packets per second
We'll use these devices to test throughput and resource utilization on routers and firewalls/security systems. We'll also test and prove candidate QoS configurations (ie: DSCP41 still works well even when DSCP11 is saturating links). The catch is that I work for a charitable, non-profit with limited resources. I understand you can't have steak on a sardine budget; I'm just trying to find suggestions on a testing platform for thrifty customers! We do not have any existing testing systems other than iPerf on a Mac Mini.

Testing QoS generally requires highly specialized equipment that can send at line-rate and has highly accurate timing. This is necessary to analyze the impacts of latency and jitter, in addition to testing the impact of throughput in multi-queue prioritization tests. Likely this means that the cheaper options are not sufficient unfortunately, and doubly so because you want 10Gbps. I have used Spirent, Ixia, and Agilent boxes with great success, especially in the area of QoS testing. Any one of these should be able to perform well with all of the requirements stated above. Don't go for the Breakingpoint box unless you enjoy banging your head against the wall when you can't do many of the things they claim to be able to do - I was once a proponent of theirs until I really got under the hood, save yourself the headache and look at the other alternatives.

Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D

-- Sent from my mobile device

Kind Regards, Dennis Springer
I'm your huckleberry - Doc Holliday - From the movie Tombstone.
Enhancing automation with network growth
Hi all, I'm reaching the point where adding in a new piece of infrastructure hardware, connecting up a new cable, and/or assigning address space to a client is nearly 50% documentation and 50% technical. One thing that would take a major load off would be if my MRTG system could simply update its config/index files for itself, instead of me having to do it on each and every port change.

Can anyone offer up ideas on how you manage any automation in this regard for your infrastructure gear traffic graphs? (Commercial options welcome, off-list, but we're as small as our budget is). Unless something else is out there that I've missed, I'm seriously considering writing up a module in Perl to put up on the CPAN that can scan my RANCID logs (and perhaps the devices directly for someone who doesn't use RANCID), send an aggregate 'are these changes authorized' email to an engineer, and then proceed to execute the proper commands within the proper MRTG directories if the engineer approves. I use a mix of Cisco/FreeBSD+Quagga for routers, and Cisco/HP for switches, so it is not as simple as throwing a single command at all configs.

All feedback welcome, especially if you are in the same boat. My IP address documentation/DNS is far more important than my traffic stats, but it really hurts when you've forgotten about a port three months ago that you need to know about now. Steve
RE: Enhancing automation with network growth
I'm reaching the point where adding in a new piece of infrastructure hardware, connecting up a new cable, and/or assigning address space to a client is nearly 50% documentation and 50% technical. A common problem :) One thing that would take a major load off would be if my MRTG system could simply update its config/index files for itself, instead of me having to do it on each and every port change. Can anyone offer up ideas on how you manage any automation in this regard for your infrastructure gear traffic graphs? (Commercial options welcome, off-list, but we're as small as our budget is). Not sure how you're doing your graphs currently, but have you considered Cacti? I use a mix of Cisco/FreeBSD+Quagga for routers, and Cisco/HP for switches, so it is not as simple as throwing a single command at all configs. All feedback welcome, especially if you are in the same boat. My IP address documentation/DNS is far more important than my traffic stats, but it really hurts when you've forgotten about a port three months ago that you need to know about now. First, I'll throw out a bit of what we do and it might give some ideas, though not necessarily good ones. We use Linux/Quagga routers, in-house-modified Linux-based LNSs, and HP switches. Some of our configuration and change management is done via cfengine, backed by subversion. The latter yields the added benefit of revision control and all the other good stuff you can get from svn in such a scenario. Unfortunately this is only part of the config/graphs/docs/DNS/IPs/OSS equation and we don't have everything fully integrated yet (nor is there a business case for it at the moment). Some of our OSS is based on a heavily in-house modified version of Freeside as well as our own app/layer that sits on top. This is essentially our base system which allows us to push data and prov services to other internal and external systems - e.g. DNS, IP assignment, vendor's portals/APIs, RADIUS, etc. 
(basically almost every piece of hardware and software we have) and which interfaces with our self-service (customer portal - aka the almighty call-avoidance solution). We also use IPPlan for managing IP assignment, but are moving away from it. In a perfect world, everything would be integrated with everything else, searching by every data element would be possible, every business process would be automated, all of your docs would be in one place, all linked to the network element / customer / ticket / order / whatever, and so on. For most organizations, this is neither feasible nor required. Each system tends to do one or two things well and you have much unavoidable data duplication and data moving back and forth. Usually the goal is to minimize the amount of manual data entry down to a single time and to push this aspect out towards the customer as much as possible. The extent of that will depend on your specific environment - everyone basically does the same thing, so often there's no need to re-invent the wheel (i.e. let's develop everything from scratch in-house is a very bad move - you're not in the OSS business). OSS/BSS is a huge and complex topic, so I'm only touching the tip of the iceberg here and speaking mostly in general terms. It's definitely something that will be of greater and greater importance as your network grows, so early planning is key, but don't get carried away trying to automate the hell out of everything because you'll lose focus on what you need to do in the short-term. There is often a naive pursuit of perfection in OSS/BSS by those who haven't been doing it for long enough - don't fall into that trap. I'd start by defining your requirements/scope more solidly and then considering whether it makes sense to try to automate or enhance a particular process. 
It may help to break things down step-by-step, perhaps based on dependencies or some other logical order, then think about how you would eliminate what you perceive to be manual/error-prone/inefficient/slow/whatever. From a costing perspective, you might find yourself in the (unfortunately frequently encountered) situation of I just spent 50 hours writing a program to automate a task that would have taken me 2 hours to do manually or we just spent $50k buying a product which we won't use to any reasonable level of capacity for the next five years. -- Erik *** Remove the _list part in my e-mail address to reply. ***
Re: Enhancing automation with network growth
Once upon a time, Steve Bertrand st...@ibctech.ca said: One thing that would take a major load off would be if my MRTG system could simply update its config/index files for itself, instead of me having to do it on each and every port change. Is MRTG a requirement, or just some type of statistical monitoring? There are other packages that can do (or be made to do) what you want. I switched from MRTG to Cricket many years ago, and a big improvement there is that you configure interface names (and Cricket handles tracking the index). There are add-ons like genDevConfig (replaces genRtrConfig) that can auto-generate configs for you. The only downside to Cricket is that development has stagnated (I think it is a case of it works for me for most everybody using it). There's also Cacti, which is newer and more current. -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Re: 10Gbps Traffic Test Systems
I have done QoS testing using Endace DAG cards - they can do capture as well as traffic generation. See http://www.endace.com/dag-8.1sx.html Jonathon
Re: Enhancing automation with network growth
This should help with part of what you're doing - snmpstat and cisco config repository. http://snmpstat.sourceforge.net/ On Thu, Jan 21, 2010 at 8:24 AM, Steve Bertrand st...@ibctech.ca wrote: One thing that would take a major load off would be if my MRTG system could simply update its config/index files for itself, instead of me having to do it on each and every port change. -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: OT: old farts recollecting -- Re: ASR1002
On Wed, 20 Jan 2010 08:01:50 -0600 Jorge Amodio jmamo...@gmail.com wrote: The telephone, for those of you who have forgotten, was a commonly used communications technology in the days before electronic mail. They're still easy to find in most large cities. -- Nathaniel Borenstein i'm guessing this is before the mobile phone explosion. Good old one. It's funny how we circle around with technology, folks are dumping their phone land lines and adopting wireless/mobile that required a substantial technology leap and investment and now we are using the mobile phone to text an incomprehensible dialect worse than the early teletype/telex days but with a humongous infrastructure to support it.

I'm not sure how it is in other countries, but here in .au they're a fixed and predictable price before you pay it, are significantly cheaper than an equivalent phone call, and if you have anything that requires accurate recording e.g. email addresses, geo addresses or phone numbers, far less prone to errors. 25c for a text with 160 characters, or 50c flag fall for a phone call before I've even said a word and I don't know how many I'm going to say? I know which one I'm going to prefer.

Ohh yeah, now we can send sort of a telegram with multiple fonts and colors almost from anywhere... Cheers Jorge
Re: Enhancing automation with network growth
On Wed, Jan 20, 2010 at 09:54:50PM -0500, Steve Bertrand wrote: Hi all, I'm reaching the point where adding in a new piece of infrastructure hardware, connecting up a new cable, and/or assigning address space to a client is nearly 50% documentation and 50% technical. One thing that would take a major load off would be if my MRTG system could simply update its config/index files for itself, instead of me having to do it on each and every port change. It is really quite trivial to auto-discover ifindex-ifdescr mappings on every poll cycle then track your interfaces by their names, pretty much every modern poller system can manage this. MRTG is absurdly old, slow, and generally nasty, and should not be used by anyone in this day and age. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: Enhancing automation with network growth
On 20/01/10 21:54 -0500, Steve Bertrand wrote: Can anyone offer up ideas on how you manage any automation in this regard for your infrastructure gear traffic graphs? (Commercial options welcome, off-list, but we're as small as our budget is). Unless something else is out there that I've missed, I'm seriously considering writing up a module in Perl to put up on the CPAN that can scan my RANCID logs (and perhaps the devices directly for someone who doesn't use RANCID), send an aggregate 'are these changes authorized' email to an engineer, and then proceed to execute the proper commands within the proper MRTG directories if the engineer approves. I use a mix of Cisco/FreeBSD+Quagga for routers, and Cisco/HP for switches, so it is not as simple as throwing a single command at all configs. OpenNMS works great, but has a steeper learning curve than MRTG. It supports auto discovery of devices, and can pull interface statistics for all new devices/interfaces automatically. I'm graphing all interfaces on around 4 dozen Cisco switches and routers and various other devices on one fairly beefy Linux box. It also has a RANCID integration module, which I haven't had a chance to play with yet. it is not as simple as throwing a single command at all configs Actually it is that simple. As long as the device supports the IF-MIB SNMP table, then your SNMP system should have little problem discovering all interfaces. All devices you list above should work, assuming you've got net-snmp running on the freebsd box. -- Dan White
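The approach the replies above converge on (walk IF-MIB on every poll, track interfaces by ifDescr rather than ifIndex, and put a human approval step in front of any config change) can be shown end to end in a few dozen lines. The script below is an added example written for this thread; it is not Steve's proposed CPAN module, nor code from MRTG, OpenNMS or RANCID. It assumes net-snmp style `snmpwalk` output for `IF-MIB::ifDescr` and `IF-MIB::ifSpeed`, constructs two sample polls inline (one before and one after a reboot that renumbered ifIndex), and emits MRTG targets in the backslash form that selects an interface by description. The host name `rtr1` and community `public` are placeholders.

```python
import re

# Constructed sample snmpwalk output (not captured from a real device). The
# second poll is after a reboot: Gi0/2 is gone, Gi0/3 is new, and Loopback0
# kept its name but moved from ifIndex 5 to ifIndex 4.
POLL_BEFORE = """\
IF-MIB::ifDescr.1 = STRING: GigabitEthernet0/1
IF-MIB::ifDescr.2 = STRING: GigabitEthernet0/2
IF-MIB::ifDescr.5 = STRING: Loopback0
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifSpeed.5 = Gauge32: 4294967295
"""
POLL_AFTER = """\
IF-MIB::ifDescr.1 = STRING: GigabitEthernet0/1
IF-MIB::ifDescr.3 = STRING: GigabitEthernet0/3
IF-MIB::ifDescr.4 = STRING: Loopback0
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 1000000000
IF-MIB::ifSpeed.4 = Gauge32: 4294967295
"""

_LINE = re.compile(r"^IF-MIB::(ifDescr|ifSpeed)\.(\d+) = (?:STRING|Gauge32): (.*)$")


def parse_walk(text):
    """Parse snmpwalk lines into {ifIndex: {'descr': str, 'speed': int}}."""
    table = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not one of the two columns we poll
        column, index, value = m.group(1), int(m.group(2)), m.group(3)
        row = table.setdefault(index, {})
        if column == "ifDescr":
            row["descr"] = value
        else:
            row["speed"] = int(value)
    return table


def by_name(table):
    """Re-key the table by ifDescr, which survives reboots; ifIndex need not.
    Some platforms do not keep ifDescr unique, so refuse rather than guess."""
    named = {}
    for index, row in table.items():
        if "descr" not in row:
            continue
        if row["descr"] in named:
            raise ValueError(f"duplicate ifDescr {row['descr']!r}; key on ifName instead")
        named[row["descr"]] = dict(row, index=index)
    return named


def diff_polls(old, new):
    """Classify interface changes between two polls by name, not by index."""
    o, n = by_name(old), by_name(new)
    common = set(o) & set(n)
    return {
        "added": sorted(set(n) - set(o)),
        "removed": sorted(set(o) - set(n)),
        "reindexed": sorted(name for name in common if o[name]["index"] != n[name]["index"]),
    }


def approval_report(old, new):
    """Text for the 'are these changes authorized' mail; nothing is written to
    the MRTG tree until an engineer has seen this."""
    changes = diff_polls(old, new)
    return "\n".join(f"{kind}: {', '.join(names) or '(none)'}" for kind, names in changes.items())


def mrtg_targets(table, community, host):
    """Emit MRTG stanzas that select each port by ifDescr (the backslash form),
    so a renumbered ifIndex cannot silently attach a graph to the wrong port."""
    lines = []
    for name, row in sorted(by_name(table).items()):
        tag = re.sub(r"[^A-Za-z0-9]", "_", f"{host}_{name}").lower()
        lines.append(f"Target[{tag}]: \\{name}:{community}@{host}")
        lines.append(f"MaxBytes[{tag}]: {row.get('speed', 0) // 8}")  # ifSpeed is bits/s
        lines.append(f"Title[{tag}]: {host} {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    before, after = parse_walk(POLL_BEFORE), parse_walk(POLL_AFTER)
    print(approval_report(before, after))
    print(mrtg_targets(after, "public", "rtr1"))
```

In production the walk output comes from `snmpwalk` (or a real SNMP library) rather than a string, and two operational points matter more than the parsing: use a read-only SNMPv3 authPriv user, or at minimum a read-only v2c community restricted by ACL to the poller, since the community string travels in cleartext; and keep the generated config under revision control (RANCID or svn, as Erik describes) so the approval mail and the resulting diff are the same artifact.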
Re: OT: old farts recollecting -- Re: ASR1002
It's funny how we circle around with technology, folks are dumping their phone land lines and adopting wireless/mobile that required a substantial technology leap and investment and now we are using the mobile phone to text an incomprehensible dialect worse than the early teletype/telex days but with a humongous infrastructure to support it. and paying an exorbitant price per word for negligible bandwidth. run your own servers or use a friend's and use email randy