Re: ip address management
On 02/02/2010 21:14, Scott Berkman wrote: I was about to suggest IPPlan, but it is lacking the V6 support. Here is one I found doing some searching, but I haven't used it myself: We use IPPlan for ipv4 and a fairly flexible, but less fully featured management program called vim for ipv6. Migrating our data out of ipplan to something else is a flashpoint that can lead to error, but we might have to do that. It looks like the lack of ipv6 support in ipplan is partly due to the maintainer not wanting to support it, so we might be tempted to (if the license permits) fork the project and hack in support. We have hacked it a lot already to build user-based containment between resources, so that we can have a vlan schema for many networks, and many customers (with their own logins, and only visibility of their own subnets) in the same instance. If we hack v6 support in, we could release the finished project - I think there was opposition to doing that thus far because the developer was embarrassed about some of the hacks ;-) Andy
Re: ip address management
I'm actually writing some IP management code. Web based, it knows about the difference between IPv4 and IPv6 in maybe 3 or 4 places. Intention is to release it publicly when it's good to go. On 3/02/2010, at 10:14 AM, Scott Berkman wrote: I was about to suggest IPPlan, but it is lacking the V6 support. Here is one I found doing some searching, but I haven't used it myself: http://sourceforge.net/projects/haci/ -Scott -Original Message- From: Pavel Dimow [mailto:paveldi...@gmail.com] Sent: Tuesday, February 02, 2010 3:55 PM To: nanog@nanog.org Subject: ip address management Hello, does anybody know what happened with ipat? http://nethead.de/index.php/ipat http://nanog.cluepon.net/index.php/Tools_and_Resources Any other suggestion for a good foss ip address management app with ipv6 support?
Re: ip address management
Andy Davidson (andy) writes: It looks like the lack of ipv6 support in ipplan is partly due to the maintainer not wanting to support it, so we might be tempted to (if the license permits) It's GPL... So fork away :) Also, you might want to look at TIPP: http://tipp.tobez.org/ http://github.com/tobez/tipp 2-clause BSD-style license. Was developed for a large ISP. IPv6 support is planned: Future of TIPP - import/export from/to CSV; - IP availability checks (pinging); - editing ranges of IP addresses at once; - plugin architecture for better integration with the existing systems; - IPv6 support; - installation instructions; - automated install script; - fine-grained access control; - an ability to define new classes; - user documentation; - API documentation; Cheers, Phil
Re: ip address management
Phil Regnauld (regnauld) writes: Future of TIPP - import/export from/to CSV; - IP availability checks (pinging); - editing ranges of IP addresses at once; - plugin architecture for better integration with the existing systems; - IPv6 support; Update: IPv6 is planned during February apparently, according to the developer.
Re: Mitigating human error in the SP
Reminds me of the saying, nothing is foolproof given a sufficiently talented fool. I do agree that checklist, peer reviews, parallel turnups, and lab testing when used and not jury rigged have helped me prepare for issues. Usually when I skipped those things are the time I kick myself for not doing it. Another thing that helps is giving yourself enough time, doing what you can ahead of time, and being ready on time. Just my two bits. -- -- Brian Raaen Network Engineer bra...@zcorum.com On Tuesday 02 February 2010, Suresh Ramasubramanian wrote: Never said it was, and never said foolproof either. Minimizing the chance of error is what I'm after - and ssh'ing in + hand typing configs isn't the way to go. Use a known good template to provision stuff - and automatically deploy it, and the chances of human error go down quite a lot. Getting it down to zero defect from there is another kettle of fish altogether - a much more expensive with dev / test, staging and production environments, documented change processes, maintenance windows etc. On Wed, Feb 3, 2010 at 7:00 AM, Michael Dillon wavetos...@googlemail.com wrote: It is easy to create a tangled mess of OSS applications that are glued together by lots of manual human effort creating numerous opportunities for human error. So while I wholeheartedly support automation of network configuration, that is not a magic bullet. You also need to pay attention to the whole process, the whole chain of information flow. -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: ip address management
On 03/02/2010 12:51, Andy Davidson wrote: It looks like the lack of ipv6 support in ipplan is partly due to the maintainer not wanting to support it, so we might be tempted to (if the license permits) fork the project and hack in support. There is a FAQ entry for ipv6 support in ipplan: One feature request that comes up from time to time is IPv6. Adding IPv6 support will require major effort but has such a limited audience. Ironically the only people that ever requested IPv6 support are either from Telcos, ISP’s or government departments, yet they are never interested in contributing resources! I deam them parasites of the Open Source world - leaching off the good will and effort of the Open Source community, yet give nothing in return. q.v. http://iptrack.sourceforge.net/doku.php?id=faq I guess we're all entitled to our opinions. The data model used in ipplan is to enumerate all IP addresses in the working ranges. This works fine for ipv4, but obviously breaks horribly for ipv6. Political considerations aside, I suspect that this is at least some of the reason that ipplan doesn't support it. Nick
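Added example, not from the thread or from ipplan: a Python sketch of the alternative to the per-address data model Nick describes, where allocations are stored as prefixes so the record count is the same for a /24 and a /48. The class and function names are hypothetical.

```python
import ipaddress


def enumerated_rows(cidr):
    """Rows a one-record-per-address model needs to represent this range."""
    return ipaddress.ip_network(cidr).num_addresses


class PrefixPool:
    """Allocations inside one parent block, stored as prefixes only."""

    def __init__(self, parent):
        self.parent = ipaddress.ip_network(parent)
        self.allocated = {}  # network object -> owner label

    def allocate(self, prefixlen, owner):
        """First-fit: hand out the lowest free subnet of the given length.

        Works on integer arithmetic over the sorted allocations, so the cost
        depends on the number of records, not on the size of the block.
        """
        if not self.parent.prefixlen <= prefixlen <= self.parent.max_prefixlen:
            raise ValueError("prefix length outside parent block")
        size = 1 << (self.parent.max_prefixlen - prefixlen)
        cand = int(self.parent.network_address)
        for net in sorted(self.allocated):
            lo, hi = int(net.network_address), int(net.broadcast_address)
            if cand + size - 1 < lo:
                break  # the gap in front of this allocation is big enough
            if hi >= cand:
                # Candidate collides: jump to the next boundary aligned to
                # the requested size that lies past this allocation.
                cand = (hi // size + 1) * size
        if cand + size - 1 > int(self.parent.broadcast_address):
            raise LookupError("no free /%d left in %s" % (prefixlen, self.parent))
        # Build the network with the parent's own class so a small IPv6
        # integer is never misread as an IPv4 address.
        net = type(self.parent)((cand, prefixlen))
        self.allocated[net] = owner
        return net

    def owner_of(self, address):
        """Return the owner of the allocation containing address, or None."""
        addr = ipaddress.ip_address(address)
        for net, owner in self.allocated.items():
            if addr in net:
                return owner
        return None


if __name__ == "__main__":
    # Constructed sample data using documentation prefixes.
    print("rows for 192.0.2.0/24 :", enumerated_rows("192.0.2.0/24"))
    print("rows for 2001:db8::/64:", enumerated_rows("2001:db8::/64"))
    pool = PrefixPool("2001:db8::/32")
    for length, who in [(48, "cust-a"), (48, "cust-b"), (64, "cust-c"), (48, "cust-d")]:
        print(who, pool.allocate(length, who))
    print("records stored:", len(pool.allocated))
```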
Re: Research Project: Internet capacity during pandemic events
It's not related to Canada directly but it is related to your question. The following links are to the NANOG archive from Sep 11th 2001 where there was some very good communication, specifically from Sean Donnelan regarding connectivity during crisis. It shows the unknowns that people faced and the teamwork involved in ensuring everyone could communicate (if you overlook the religious and opinionated posts from other members). http://www.merit.edu/mail.archives/nanog/2001-09/ http://www.merit.edu/mail.archives/nanog/2001-09/msg00384.html Regards, Ken On 2 February 2010 21:59, ha...@ualberta.ca wrote: Hello everyone, My name is Mike Haska, and I am a graduate student at the University of Alberta. I am conducting research into Internet capacity issues during pandemic events. In order to analyze certain aspects of this topic, I need to get in touch with representatives from the major Internet service providers in Canada - some of whom, I am hoping, are members of this distribution. Specifically, I am looking to get in touch with individuals who are familiar with the structure of their network and with any pandemic contingency plans that are in place within their organization. If you think you may be able to assist, or if you know of anyone who could, please contact me at (haska at ualberta.ca) and I will provide further information on all aspects of this study. To put your mind at ease - I'm not fishing around for sensitive information or your root passwords; I'm looking for an overview of your policies and your responses to hypothetical scenarios. Your confidentiality is assured and you are welcome to preview all the questions to be asked before you commit to participating in any way. I feel this topic has important implications to network operators in Canada, so any support you can offer to this research project is greatly appreciated. Best regards, -Mike
Re: ip address management
Nick Hilliard (nick) writes: There is a FAQ entry for ipv6 support in ipplan: One feature request that comes up from time to time is IPv6. Adding IPv6 support will require major effort but has such a limited audience. Ironically the only people that ever requested IPv6 support are either from Telcos, ISP's or government departments, yet they are never interested in contributing resources! I deam them parasites of the Open Source world - leaching off the good will and effort of the Open Source community, yet give nothing in return. Shame. And deam is deem. q.v. http://iptrack.sourceforge.net/doku.php?id=faq I guess we're all entitled to our opinions. Yeah, sad. The data model used in ipplan is to enumerate all IP addresses in the working ranges. This works fine for ipv4, but obviously breaks horribly for ipv6. Political considerations aside, I suspect that this is at least some of the reason that ipplan doesn't support it. It would indeed require a very large screen and lots of memory :) Cheers, Phil
Re: Datacenter for DR in northwestern NJ/NY
On Tue, Feb 2, 2010 at 6:19 PM, Steven Bellovin s...@cs.columbia.edu wrote: On Feb 2, 2010, at 5:52 PM, Cerniglia, Brandon wrote: Cervalis has facilities in wappingers ny 1.5 hours from NYC Hmm -- where do the fibers run from a facility like that? Are they all homed to NYC, or are there runs to, say, Albany or Boston? Cervalis (Wappinger Falls) is a decent facility. There is at least one regional provider (Lightower) in there with a good fiber foot-print. They can get you to mid-hudson valley, nyc, nj, Long Island and Mass. I believe they cover PoPs in the Boston and Albany area. -- Tim: Sent from Brooklyn, NY, United States
How polluted is 1/8?
Hello, After 1/8 was allocated to APNIC last week, the RIPE NCC did some measurements to find out how polluted this block really is. See some surprising results on RIPE Labs: http://labs.ripe.net/content/pollution-18 Please also note the call for feedback at the bottom of the article. Kind Regards, Mirjam Kuehne RIPE NCC
Re: How polluted is 1/8?
On Wed, Feb 03, 2010 at 04:49:00PM +0100, Mirjam Kuehne m...@ripe.net wrote a message of 15 lines which said: After 1/8 was allocated to APNIC last week, the RIPE NCC did some measurements to find out how polluted this block really is. See some surprising results on RIPE Labs: http://labs.ripe.net/content/pollution-18 Not a surprise, unfortunately. See also http://bgpmon.net/blog/?p=275
Re: ip address management
Phil Regnauld wrote: Nick Hilliard (nick) writes: There is a FAQ entry for ipv6 support in ipplan: One feature request that comes up from time to time is IPv6. Adding IPv6 support will require major effort but has such a limited audience. Ironically the only people that ever requested IPv6 support are either from Telcos, ISP's or government departments, yet they are never interested in contributing resources! I deam them parasites of the Open Source world - leaching off the good will and effort of the Open Source community, yet give nothing in return. Shame. And deam is deem. That's a somewhat shallow reading of the motivation for contributing resources to another project in any event... There wasn't a lot of canned address management software when I started supporting v6 in a campus environment 10 years ago either. mysql isn't that hard and neither are spreadsheets embedded in wikis. the important part is the business process where the records in the address management system remain congruent with what's represented in the address management system. I don't think (although I could be wrong) that most of our organizations are so deliberately helpless that we need a shrinkwrap software package made specifically for the purpose to track foo resource. Having cut my teeth in technical support in an era when pc based RDBMSes took over the world, much less technical people than us manage to track employee hours, video rental inventories, beauty supplies, grades etc quite successfully.
Re: How polluted is 1/8?
It should be of no surprise to anyone that a number of the remaining prefixes are something of a mess (somebody ask t-mobile how they're using 14/8 internally for example). One's new ipv4 assignments are going to be of significantly lower quality than the one received a decade ago. The property is probably transitive in that the overall quality of the ipv4 unicast space is declining... The way to reduce the entropy in a system is to pump more energy in, there's always the question however of whether that's even worth it or not. joel Mirjam Kuehne wrote: Hello, After 1/8 was allocated to APNIC last week, the RIPE NCC did some measurements to find out how polluted this block really is. See some surprising results on RIPE Labs: http://labs.ripe.net/content/pollution-18 Please also note the call for feedback at the bottom of the article. Kind Regards, Mirjam Kuehne RIPE NCC
Re: How polluted is 1/8?
In a message written on Wed, Feb 03, 2010 at 04:49:00PM +0100, Mirjam Kuehne wrote: After 1/8 was allocated to APNIC last week, the RIPE NCC did some measurements to find out how polluted this block really is. Having this data is useful, but I can't help to think it would be more useful if it were compared with 27/8, or other networks. Is this slightly worse, or significantly worse than other networks? -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: Mitigating human error in the SP
On Mon, Feb 01, 2010 at 09:46:07PM -0500, Stefan Fouant wrote: Vijay Gill had some real interesting insights into this in a presentation he gave back at NANOG 44: http://www.nanog.org/meetings/nanog44/presentations/Monday/Gill_programatic_N44.pdf His Blog article on Infrastructure is Software further expounds upon the benefits of such an approach - http://vijaygill.wordpress.com/2009/07/22/infrastructure-is-software/ That stuff is light years ahead of anything anybody is doing today (well, apart from maybe Vijay himself ;) ... but IMO it's where we need to start heading. Vijay's stuff is fascinating. The vision is great. But in my experience, the vendors and implementations basically ruin the dream for anyone who doesn't have his pull. I'm sure my software is nowhere close to being as sophisticated as his, but my plans are pretty much in line with his suggestions. Some problems I've run into that I don't see any kind of solution for: 1) Forwarding-impacting bugs: IOS bugs that are triggered by SNMP are easily the #1 cause of our accidental service impact. Most seem to be race conditions that require real-world config and forwarding load - not something a small shop can afford to build a lab to reproduce. If we stuck to manual deployment, we might have made a few mistakes but would it have been worse? Maybe - but honestly, it could be a wash. 2) Vendor support is highly suspicious of automation: anytime I open a ticket, even unrelated to an automated software process, the first thing the vendor support demands is to disable all automation. Juniper is by far the best about this, and they *still* don't actually believe their own automation tools work. Cisco TAC's answer has always been don't ever use SNMP if it causes crashes! Procurve doesn't even bother to respond to tickets related to automation bugs, even if they are remotely triggerable crashes in the default config. 
3) Automation interfaces are largely unsupported: I imagine vendor software development having one or two guys that are the masterminds for SNMP/NETCONF/whatever - and that's it. When I have a question on how to find a particular tool, or find a bug in an automation function, I can often go months on a ticket with people that have no idea what I'm talking about. What documentation exists is typically incomplete or inconsistent across versions and product lines. 4) Related tools prevent reliable error reporting: as far as I can tell, Net-SNMP returns random values if a request fails; if there's a pattern, I've failed to discern it. expect is similar. ScreenOS's SSH implementation always returns that a file copy failed. Procurve only this year implemented ssh key-based auth in combination with remote authentication. The best-of-breed seems to be an oft-pathetic collection of tools. 5) Management support: developing automation software is hard - network devices aren't nearly as easy to deal with as they should be. When I spend weeks developing features that later causes IOS to spontaneously reload, people that don't understand the relation to operational impact start to advocate dismantling the automation just like the vendors above. I'm sure we'll continue to build automated policy and configuration tools. I'm just not convinced it's the panacea that everyone thinks. Unless you're one of the biggest, it puts your network at someone else's mercy - and that someone else doesn't care about your operational expenses. Ross -- Ross Vandegrift r...@kallisti.us If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher. --Woody Guthrie
Re: Research Project: Internet capacity during pandemic events
Mike, Is your interest events like the recent semi-non-event with H1N1, where for contagion management, workforce labor and school age children were not compulsorily aggregated, or morbidity and mortality effects on network operator labor for an event such as the dispersal of a weaponized biological? Restated, is your interest bursty behavior on the edge (houses of workers at big box employers X,Y,Z), rather than at the core (big box employer X,Y,Z), or how do network operators plan continuity as the skilled labor available count goes to zero? We sort of had the latter exercise over the past three weeks in Haiti, where fuel, food, and families assumptions about operational readiness were tested, and only just kept above zero. Eric On 2/2/10 10:59 PM, ha...@ualberta.ca wrote: Hello everyone, My name is Mike Haska, and I am a graduate student at the University of Alberta. I am conducting research into Internet capacity issues during pandemic events. In order to analyze certain aspects of this topic, I need to get in touch with representatives from the major Internet service providers in Canada - some of whom, I am hoping, are members of this distribution. Specifically, I am looking to get in touch with individuals who are familiar with the structure of their network and with any pandemic contingency plans that are in place within their organization. If you think you may be able to assist, or if you know of anyone who could, please contact me at (haska at ualberta.ca) and I will provide further information on all aspects of this study. To put your mind at ease - I'm not fishing around for sensitive information or your root passwords; I'm looking for an overview of your policies and your responses to hypothetical scenarios. Your confidentiality is assured and you are welcome to preview all the questions to be asked before you commit to participating in any way.
I feel this topic has important implications to network operators in Canada, so any support you can offer to this research project is greatly appreciated. Best regards, -Mike
Re: Mitigating human error in the SP
On Wed, Feb 3, 2010 at 11:14 AM, Ross Vandegrift r...@kallisti.us wrote: On Mon, Feb 01, 2010 at 09:46:07PM -0500, Stefan Fouant wrote: Vijay Gill had some real interesting insights into this in a presentation he gave back at NANOG 44: http://www.nanog.org/meetings/nanog44/presentations/Monday/Gill_programatic_N44.pdf His Blog article on Infrastructure is Software further expounds upon the benefits of such an approach - http://vijaygill.wordpress.com/2009/07/22/infrastructure-is-software/ That stuff is light years ahead of anything anybody is doing today (well, apart from maybe Vijay himself ;) ... but IMO it's where we need to start heading. Vijay's stuff is fascinating. The vision is great. But in my experience, the vendors and implementations basically ruin the dream for anyone who doesn't have his pull. you know what helps? lots of operations folks asking for the same set of capabilities... Vendors build what will make them money. If you want a device to do X, getting lots of your friends in the operator community to agree and talk to the vendor with the same message helps the vendor understand and prioritize the request. If you want more/better/faster/simpler configuration via 'script' (program) it makes sense to ask the vendor(s) for these capabilities... -chris
RE: Datacenter for DR in northwestern NJ/NY
I haven't worked with them personally but am aware of FiberTech and have spoken with them. http://www.fibertech.com/enterprise/colocation-service/ If you need a contact hit me off list. -- Jeffrey Meltzer Director of Network Operations Long Island Fiber Exchange / Exobit Networks (A LIFE Company) -Original Message- From: Matt Sprague [mailto:mspra...@readytechs.com] Sent: Tuesday, February 02, 2010 4:16 PM To: nanog@nanog.org Subject: Datacenter for DR in northwestern NJ/NY Hello NANOG! Does anyone know of some strong datacenters in northwestern NJ, or north of Westchester NY without getting too far away from NYC? I'm looking for a DR colo solution for a site that is in NYC; this needs to be at least 50m away from NYC, but I'm trying to keep it not too much further than that for convenience. I'm also trying to keep this to top level providers as there may be compliance requirements. Thanks in advance for any responses. -- Matt Sprague ReadyTechs, LLC mspra...@readytechs.com 973-455-0606 x1204 (voice) http://www.readytechs.com/
BGP FlowSpec (RFC 5575) route injector
Hi,

I just added some preliminary support for FlowSpec (RFC5575) to my BGP route injector http://bgp.exa.org.uk/

As I am not aware of any other project allowing to inject flow route into a network, I am taking the liberty to plug it here.

You can access the SVN repository at: http:/svn.exa.org.uk/bgp/trunk/ the code is under a 3-clauses BSD licence. More information about the installation is available on the wiki.

I performed basic testing by rate-limiting one of my coworkers mail and web flows - seems to work - for the rest, it may not do what it should. If you are interested, have any questions, or are missing a feature, or just find any bugs, please, just let me know.

Changing the configuration and sighuping the application perform send the peers the correct update messages to change the peer RIB. Or just enable graceful-restart and restart the application if you do not care about the number of update :p

More information:
- http://www.terena.org/activities/tf-ngn/tf-ngn17/uze-flowspec.pdf
- http://resources.nznog.org/2006/Friday-240306/DavidLambert-BGPFlowSpecificationUpdate/Lambert.ppt
- http://uknof.org/uknof15/Mangin-NakedBGP.pdf (another shameless self-plug - BGP overview - 3 slides on FlowSpec)

Thomas

--
Exa Networks Limited - http://www.exa-networks.co.uk/
Company No. 04922037 - VAT no. 829 1565 09
27-29 Mill Field Road, BD16 1PY, UK
Phone: +44 (0) 845 145 1234 - Fax: +44 (0) 1274 567646

neighbor 82.219.123.221 {
    []
    flow {
        route {
            match {
                source 10.0.0.1/32;
                destination 192.168.0.1/32;
                port =80;
                destination-port =3128 80808088;
                source-port 1024;
                protocol tcp;
                # protocol [ tcp udp ];
                # packet-length 200300 400500;
                # fragment not-a-fragment;
                # fragment [ first-fragment last-fragment ];
                # icmp-type [ unreachable echo-request echo-reply ];
                # icmp-code [ host-unreachable network-unreachable ];
                # tcp-flags [ urgent rst ];
                # dscp [ 10 20 ];
            }
            then {
                discard;
                # rate-limit 9600;
                # redirect 65500:12345;
                # redirect 1.2.3.4:5678;
            }
        }
    }
}

thomas.man...@m7i-4.u3.tcw.uk show configuration logical-routers trap protocols bgp
local-as 30740;
group flow {
    type external;
    multihop;
    local-preference 100;
    local-address 82.219.123.221;
    import no-export;
    export deny-all;
    peer-as 65500;
    neighbor 82.219.131.242 {
        traceoptions {
            file bgp;
            flag all;
        }
        family inet {
            unicast;
            flow {
                no-validate everything;
            }
        }
        family inet6 {
            unicast;
        }
    }
}

thomas.man...@m7i-4.u3.tcw.uk show configuration logical-routers trap policy-options policy-statement everything
then accept;

# env PYTHONPATH=~/source/bgp/lib/ python daemon/bgpd etc/bgp/m7i-service.txt
033 12:28:13 Supervisor/performing reload
033 12:28:13 Supervisor/New Peer 82.219.123.221
033 12:28:14 82.219.123.221/ 30740 - OPEN version=4 asn=65500 hold_time=180 router_id=82.219.131.242 capabilities=[Graceful Restart Flags 0x8 Time 5 IPv4/flow-ipv4=0x80 IPv4/unicast=0x80 IPv6/unicast=0x80, Multiprotocol IPv4 unicast IPv6 unicast IPv4 flow-ipv4]
033 12:28:15 82.219.123.221/ 30740 - OPEN version=4 asn=30740 hold_time=90 router_id=82.219.123.221 capabilities=[Cisco Route Refresh (unparsed), Multiprotocol IPv4 unicast IPv6 unicast IPv4 flow-ipv4, Route Refresh (unparsed)]
033 12:28:16 82.219.123.221/ 30740 - KEEPALIVE
033 12:28:17 82.219.123.221/ 30740 - KEEPALIVE
announcing IPv6 unicast 2a02:b80:0:6:50::1/128 next-hop 2a02:b80::90:0:52e:0:1 med 100
announcing IPv4 flow-ipv4 destination 192.168.0.1/32,source 10.0.0.1/32,protocol =TCP,port =80,destination-port =3128 80808088,source-port 1024 extended community [ 0x80 0x6 0x0 0x0 0x0 0x0 0x0 0x0 ]
announcing IPv4 unicast 82.219.4.100/32 next-hop 82.219.4.101 med 100
033 12:28:17 82.219.123.221/ 30740 - UPDATE (3)
033 12:28:17 82.219.123.221/ 30740 - KEEPALIVE

thomas.man...@m7i-4.u3.tcw.uk show route logical-router trap table inetflow.0 extensive
inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
192.168.0.1,10.0.0.1,proto=6,port=80,dstport=3128,80808088,srcport1024/256 (1 entry, 0 announced)
    *BGP    Preference: 170/-101
            Next hop type: Fictitious
            Next-hop reference count: 1
            State: Active Ext
            Peer AS: 65500
            Age: 1:13
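Added example, not part of Thomas's message or of his injector's code: a Python sketch of how the intact match terms of the flow route above (destination, source, protocol, port) are packed into an RFC 5575 NLRI, how the discard action maps to the traffic-rate extended community bytes shown in the log, and a strict decoder for checking what an announced rule actually matches. The destination-port and source-port terms are left out because their operators are garbled in this archive; all function names are hypothetical.

```python
import ipaddress
import struct

# RFC 5575 component types handled in this sketch.
NAMES = {1: "destination", 2: "source", 3: "protocol",
         4: "port", 5: "destination-port", 6: "source-port"}
TYPES = {name: ctype for ctype, name in NAMES.items()}

# Numeric operator byte: e(0x80) a(0x40) len(0x30) 0 lt(0x04) gt(0x02) eq(0x01)
END, AND = 0x80, 0x40
OPS = {"false": 0, "=": 1, ">": 2, ">=": 3, "<": 4, "<=": 5, "!=": 6, "true": 7}
REV_OPS = {bits: op for op, bits in OPS.items()}

# The intact match terms from the configuration above.
RULE = {"destination": "192.168.0.1/32", "source": "10.0.0.1/32",
        "protocol": [("=", 6)], "port": [("=", 80)]}


def encode_prefix(ctype, cidr):
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8  # only the significant bytes are sent
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric(ctype, terms):
    """terms is a list of (op, value); an op prefixed with '&' is ANDed
    with the previous term, otherwise terms are ORed."""
    out = bytearray([ctype])
    for i, (op, value) in enumerate(terms):
        flags = OPS[op.lstrip("&")]
        if op.startswith("&"):
            if i == 0:
                raise ValueError("first term cannot carry the AND bit")
            flags |= AND
        width = 1 if value < 0x100 else 2
        if width == 2:
            flags |= 0x10  # len field: value is 1 << 1 bytes long
        if i == len(terms) - 1:
            flags |= END
        out.append(flags)
        out += value.to_bytes(width, "big")
    return bytes(out)


def build_nlri(rule):
    parts = []
    for ctype in sorted(TYPES[name] for name in rule):  # strict type order
        value = rule[NAMES[ctype]]
        enc = encode_prefix if ctype <= 2 else encode_numeric
        parts.append(enc(ctype, value))
    body = b"".join(parts)
    if len(body) < 0xF0:
        return bytes([len(body)]) + body
    if len(body) > 0x0FFF:
        raise ValueError("NLRI too long")
    return struct.pack("!H", 0xF000 | len(body)) + body


def decode_nlri(data):
    """Parse an NLRI back into a rule dict; reject anything malformed."""
    if not data:
        raise ValueError("empty NLRI")
    length, pos = data[0], 1
    if length >= 0xF0:
        if len(data) < 2:
            raise ValueError("truncated length")
        length, pos = ((data[0] & 0x0F) << 8) | data[1], 2
    if pos + length != len(data):
        raise ValueError("NLRI length does not match buffer")
    rule, last = {}, 0
    try:
        while pos < len(data):
            ctype = data[pos]
            if ctype not in NAMES or ctype <= last:
                raise ValueError("unsupported or out-of-order component")
            last, pos = ctype, pos + 1
            if ctype <= 2:
                plen = data[pos]
                nbytes = (plen + 7) // 8
                raw = data[pos + 1:pos + 1 + nbytes]
                if plen > 32 or len(raw) != nbytes:
                    raise ValueError("bad prefix")
                addr = ipaddress.IPv4Address(raw.ljust(4, bytes(1)))
                rule[NAMES[ctype]] = "%s/%d" % (addr, plen)
                pos += 1 + nbytes
                continue
            terms, done = [], False
            while not done:
                flags = data[pos]
                width = 1 << ((flags >> 4) & 3)
                raw = data[pos + 1:pos + 1 + width]
                if len(raw) != width:
                    raise ValueError("truncated value")
                op = ("&" if flags & AND else "") + REV_OPS[flags & 7]
                terms.append((op, int.from_bytes(raw, "big")))
                done = bool(flags & END)
                pos += 1 + width
            rule[NAMES[ctype]] = terms
    except IndexError:
        raise ValueError("truncated component") from None
    return rule


def traffic_rate_community(rate, asn=0):
    """Traffic-rate action (type 0x8006); a rate of 0 means discard."""
    return struct.pack("!HHf", 0x8006, asn, rate)
```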
Re: Datacenter for DR in northwestern NJ/NY
Hello NANOG! Does anyone know of some strong datacenters in northwestern NJ, or north of Westchester NY without getting too far away from NYC? I'm looking for a DR colo solution for a site that is in NYC; this needs to be at least 50m away from NYC, but I'm trying to keep it not too much further than that for convenience. I'm also trying to keep this to top level providers as there may be compliance requirements. Thanks in advance for any responses. Washington DC is just an Acela train ride away if you are willing to go a bit further. It has a lot of fiber connectivity and a good selection of datacenters - plus the Acela train is really comfortable. Leslie
[NANOG] Contacts @ China Unicom and China Telecom
Hi All - Does anyone have peering contacts for China Unicom and China Telecom? Finding that the ones for Any2 in peeringdb.com are no good. Will take replies offlist, thanks! -justin
Re: [NANOG] Contacts @ China Unicom and China Telecom
On Wed, Feb 03, 2010 at 11:40:38AM -0800, Justin Ream wrote: Hi All - Does anyone have peering contacts for China Unicom and China Telecom? Finding that the ones for Any2 in peeringdb.com are no good. Will take replies offlist, thanks! Last I checked the China Telecom e-mails listed worked fine, but the China Unicom/China Netcom addresses have all bounced for at least a couple of years now. I've personally tried every possible combination and permutation of every address listed, including the e-mail address that was used to register the PeeringDB account, and none of them work. -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: How polluted is 1/8?
Having this data is useful, but I can't help to think it would be more useful if it were compared with 27/8, or other networks. Is this slightly worse, or significantly worse than other networks? I have only anecdotal information regarding 45/8. 45/8 is assigned to Interop, and as such it is brought up-and-down as Interop's shows move in and out of convention centers. Starting at least 5 years ago, it has proved impractical to start announcing 45/8, since this causes immediate and massive amounts of traffic to flow into the show network. The last time that I know that the full 45/8 was announced, traffic settled down to about a full T3's worth of bandwidth before the network engineers started announcing smaller /16 chunks as actually needed. Even /16 has proved impractical while the network is being built-out, before the show, because the build-out site typically has T1-ish bandwidth---again, saturated with a /16 being announced. This information is very different from the RIPE Labs experiment which I think showed that certain obvious addresses (1.1.1.1 seemed to be the kicker in my short reading of their report) were being mis-used heavily. But I suspect that 27/8 would have similar issues to 45/8. However, it is not clear to me that this is different from any other /8. In other words, for those that have a /8, they probably DO have to put up with a T3-worth of garbage flowing their way before they move the first useful packet. However, you don't get a /8 unless a T3 is small potatoes to you, hence... jms -- Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 Senior Partner, Opus One Phone: +1 520 324 0494 j...@opus1.com http://www.opus1.com/jms
Re: How polluted is 1/8?
On Wed, 3 Feb 2010, Joel M Snyder wrote: This information is very different from the RIPE Labs experiment which I think showed that certain obvious addresses (1.1.1.1 seemed to be the kicker in my short reading of their report) were being mis-used heavily. But I suspect that 27/8 would have similar issues to 45/8. I would hope that the APNIC would opt not to assign networks that would contain 1.1.1.1 or 1.2.3.4 to customers for exactly that reason. The signal-to-noise ratio for those addresses is likely pretty high. The noise is likely contained on many internal networks for now because a corresponding route doesn't show up in the global routing table at the moment. Once that changes I could see holding those prefixes aside for research purposes (spam traps, honey pots, etc...). jms
Fwd: [Geowanking] model of the internet - need data
Hello, longtime lurker here, an acquaintance is looking for lat/long data and I thought this group might not object to this request. (if you do, it's my fault, not that of Anselm). -Randy Fischer -- Forwarded message -- From: Anselm Hook Date: Wed, Feb 3, 2010 at 1:14 PM Subject: [Geowanking] model of the internet - need data Hi folks, I'm looking for a map of the Internet. A friend wants to project this onto a spinny globe. I've found several pictorial representations but I'm looking for a raw data-set that geographically locates major routers and servers. In an ideal world I'd get a database that indicates { ip address, amount of traffic, longitude, latitude, connected to other ip addresses } and then I could draw my own picture. Databases I have seen do not include longitude and latitude which is something I would need. Any leads? I suppose even just given IP addresses I could guess longitude and latitude location... which wouldn't be ideal but perhaps would be acceptable. Here's what I've seen so far, http://www.opte.org/ - I'll try reach out to these folks since they seem to have the best data and are nearby. http://www.technologyreview.com/Infotech/18944/?a=f http://www.chrisharrison.net/projects/InternetMap/ Thanks for any input! - @anselm @wherecamp
Re: [Geowanking] model of the internet - need data
Get your data with these: http://www.maxmind.com/app/api From this database (OSS/Free): http://www.maxmind.com/app/geolitecity Map it with this http://code.google.com/apis/kml/documentation/ Enjoy! --chip On Wed, Feb 3, 2010 at 3:34 PM, Randy Fischer fisc...@sacred.net wrote: Hello, longtime lurker here, an acquaintance is looking for lat/long data and I thought this group might not object to this request. (if you do, it's my fault, not that of Anselm). -Randy Fischer -- Forwarded message -- From: Anselm Hook Date: Wed, Feb 3, 2010 at 1:14 PM Subject: [Geowanking] model of the internet - need data Hi folks, I'm looking for a map of the Internet. A friend wants to project this onto a spinny globe. I've found several pictorial representations but I'm looking for a raw data-set that geographically locates major routers and servers. In an ideal world I'd get a database that indicates { ip address, amount of traffic, longitude, latitude, connected to other ip addresses } and then I could draw my own picture. Databases I have seen do not include longitude and latitude which is something I would need. Any leads? I suppose even just given IP addresses I could guess longitude and latitude location... which wouldn't be ideal but perhaps would be acceptable. Here's what I've seen so far, http://www.opte.org/ - I'll try reach out to these folks since they seem to have the best data and are nearby. http://www.technologyreview.com/Infotech/18944/?a=f http://www.chrisharrison.net/projects/InternetMap/ Thanks for any input! - @anselm @wherecamp -- Just my $.02, your mileage may vary, batteries not included, etc
Re: How polluted is 1/8?
On 2/3/2010 2:19 PM, Justin M. Streiner wrote: I could see holding those prefixes aside for research purposes (spam traps, honey pots, etc...). I think it is too bad that we didn't have the forethought to route all of those networks to 100-watt resistors some years ago. When I last was admin of a small corner of the world I routed a lot of that kind of traffic (I don't remember if 1/? was part of that or not) to the null interface. -- Government big enough to supply everything you need is big enough to take everything you have. Remember: The Ark was built by amateurs, the Titanic by professionals. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: How polluted is 1/8?
On Wed, 3 Feb 2010, Larry Sheldon wrote: On 2/3/2010 2:19 PM, Justin M. Streiner wrote: I could see holding those prefixes aside for research purposes (spam traps, honey pots, etc...). I think it is too bad that we didn't have the forethought to route all of those networks to 100-watt resistors some years ago. When I last was admin of a small corner of the world I routed a lot of that kind of traffic (I don't remember if 1/? was part of that or not) to the null interface. If some unfortunate soul does get 1.1.1.1, 1.2.3.4, 1.3.3.7, etc, they would also likely experience significant global reachability problems in addition to all of the unintended noise that gets sent their way. There are many sites that specifically filter those addresses, in addition to those that don't update bogon filters, or assume no one will _ever_ get 1.2.3.4! :) jms
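The stale-bogon-filter problem raised above can be audited mechanically. The following is an added example, not code from any poster in this thread: it compares a deny list against newly allocated space and carves the allocated prefixes out of any entry that still covers them. The function name and both sample lists are constructed for illustration.

```python
import ipaddress


def refresh_bogons(filter_entries, allocated):
    """Return (stale, corrected).

    stale     -- filter entries that still cover allocated space
    corrected -- the filter with allocated space carved out and re-aggregated
    """
    alloc = [ipaddress.ip_network(a) for a in allocated]
    stale, keep = [], []
    for entry in map(ipaddress.ip_network, filter_entries):
        pieces = [entry]
        for a in alloc:
            if a.version != entry.version:
                continue
            remaining = []
            for p in pieces:
                if not p.overlaps(a):
                    remaining.append(p)          # untouched by this allocation
                elif p.subnet_of(a):
                    continue                     # piece is entirely allocated
                else:
                    # the allocation sits strictly inside this piece
                    remaining.extend(p.address_exclude(a))
            pieces = remaining
        if pieces != [entry]:
            stale.append(entry)
        keep.extend(pieces)
    corrected = []
    for version in (4, 6):
        same = [n for n in keep if n.version == version]
        corrected.extend(ipaddress.collapse_addresses(same))
    return stale, corrected


def is_filtered(address, filter_nets):
    """True if the address would be dropped by the given filter."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == n.version and ip in n for n in filter_nets)


if __name__ == "__main__":
    # Constructed sample: an aggregated deny list written before 1/8 was handed out.
    old_filter = ["0.0.0.0/7", "10.0.0.0/8", "192.168.0.0/16"]
    newly_allocated = ["1.0.0.0/8"]
    stale, corrected = refresh_bogons(old_filter, newly_allocated)
    print("stale entries:", [str(n) for n in stale])
    print("corrected filter:", [str(n) for n in corrected])
    print("1.2.3.4 still filtered:", is_filtered("1.2.3.4", corrected))
```

Running the audit whenever the allocation list changes catches aggregated entries such as the constructed 0.0.0.0/7, which a plain string comparison against "1.0.0.0/8" would miss.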
RE: How polluted is 1/8?
If some unfortunate soul does get 1.1.1.1, 1.2.3.4, 1.3.3.7, etc, they would also likely experience significant global reachability problems in addition to all of the unintended noise that gets sent their way. There are many sites that specifically filter those addresses, in addition to those that don't update bogon filters, or assume no one will _ever_ get 1.2.3.4! :) They would make great DNS server IPs for someone who wanted to host them. :) Deepak
Re: ip address management
I want to point out that OpenNetAdmin (ONA) is a great IP/DNS/Host tracking tool, although not supporting IPv6 yet. It's the first GPL I know of that uses the concept of an abstract host which can have multiple DNS names or IPs. I used IPPLAN in the past but have recently converted to ONA for several of our managed projects and been happy since. The developer is actively working on some improvements. I've written some script to convert from your BIND/NAME zone file to ONA. As for the interface, you have the option of using its nice AJAX web based or cli through a PHP script. -bn 0216331C On Tue, Feb 2, 2010 at 12:55 PM, Pavel Dimow paveldi...@gmail.com wrote: Hello, does anybody know what happened with ipat? http://nethead.de/index.php/ipat http://nanog.cluepon.net/index.php/Tools_and_Resources Any other suggestion for a good foss ip address management app with ipv6 support?
Re: [Geowanking] model of the internet - need data
On Wed, Feb 3, 2010 at 12:41 PM, chip chip.g...@gmail.com wrote: Get your data with these: http://www.maxmind.com/app/api From this database (OSS/Free): http://www.maxmind.com/app/geolitecity In my experience Maxmind does at best a fairly ordinary job when it comes to routers, especially if you're using the free version of the database. Scott
Re: ip address management
On Wed, 3 Feb 2010 16:15:30 +0100 Phil Regnauld regna...@nsrc.org wrote: Nick Hilliard (nick) writes: There is a FAQ entry for ipv6 support in ipplan: One feature request that comes up from time to time is IPv6. Adding IPv6 support will require major effort but has such a limited audience. Ironically the only people that ever requested IPv6 support are either from Telcos, ISP's or government departments, yet they are never interested in contributing resources! I deam them parasites of the Open Source world - leaching off the good will and effort of the Open Source community, yet give nothing in return. Shame. And deam is deem. q.v. http://iptrack.sourceforge.net/doku.php?id=faq I guess we're all entitled to our opinions. Yeah, sad. I think that if he didn't want commercial organisations to use his software, he shouldn't have chosen a licence that permits them to (the GPL according to the home page). If that's his attitude to possible future contributors and to IPv6, then it seems to me that iptrack has jumped the shark. The data model used in ipplan is to enumerate all IP addresses in the working ranges. This works fine for ipv4, but obviously breaks horribly for ipv6. Political considerations aside, I suspect that this is at least some of the reason that ipplan doesn't support it. It would indeed require a very large screen and lots of memory :) Cheers, Phil
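The data-model point above, as an added example that is not ipplan's code or any poster's: a per-address model needs one record for every address in a range, while a prefix-keyed store needs one record per allocation and can find the next free subnet with integer arithmetic, so the same code serves IPv4 and IPv6. The class, function names and documentation prefixes are constructed for illustration.

```python
import ipaddress


def rows_if_enumerated(prefix):
    """Records a one-row-per-address data model needs for this prefix."""
    return ipaddress.ip_network(prefix).num_addresses


class PrefixPool:
    """Hypothetical prefix-keyed store: one record per allocation, not per address."""

    def __init__(self, parent):
        self.parent = ipaddress.ip_network(parent)
        self.allocated = {}  # network -> owner label

    def allocate(self, new_prefix, owner):
        """First-fit: hand out the lowest free subnet of length new_prefix."""
        if not self.parent.prefixlen <= new_prefix <= self.parent.max_prefixlen:
            raise ValueError("prefix length outside the parent block")
        net_cls = type(self.parent)  # IPv4Network or IPv6Network
        step = 1 << (self.parent.max_prefixlen - new_prefix)
        end = int(self.parent.broadcast_address)
        candidate = int(self.parent.network_address)
        used = sorted(self.allocated, key=lambda n: int(n.network_address))
        while candidate + step - 1 <= end:
            cand_net = net_cls((candidate, new_prefix))
            clash = next((u for u in used if u.overlaps(cand_net)), None)
            if clash is None:
                self.allocated[cand_net] = owner
                return cand_net
            # Jump past the clashing allocation, rounded up to the next
            # boundary of the requested size; no address is ever enumerated.
            past = int(clash.broadcast_address) + 1
            candidate = (past + step - 1) // step * step
        raise LookupError("no free /%d left in %s" % (new_prefix, self.parent))


if __name__ == "__main__":
    # Constructed sample using documentation prefixes.
    print("rows for one IPv4 /24:", rows_if_enumerated("192.0.2.0/24"))
    print("rows for one IPv6 /64:", rows_if_enumerated("2001:db8::/64"))
    pool = PrefixPool("2001:db8::/32")
    print(pool.allocate(48, "customer-a"))
    print(pool.allocate(64, "loopbacks"))
    print(pool.allocate(48, "customer-b"))
    print("records stored:", len(pool.allocated))
```

The number of loop iterations is bounded by the number of existing allocations, not by the size of the parent block, which is what lets the store handle a /32 of IPv6 space.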
Re: How polluted is 1/8?
On Feb 3, 2010, at 3:10 PM, Joel M Snyder wrote: Having this data is useful, but I can't help to think it would be more useful if it were compared with 27/8, or other networks. Is this slightly worse, or significantly worse than other networks? I have only anecdotal information regarding 45/8. 45/8 is assigned to Interop, and as such it is brought up-and-down as Interop's shows move in and out of convention centers. Starting at least 5 years ago, it has proved impractical to start announcing 45/8, since this causes immediate and massive amounts of traffic to flow into the show network. The last time that I know that the full 45/8 was announced, traffic settled down to about a full T3's worth of bandwidth before the network engineers started announcing smaller /16 chunks as actually needed. Even /16 has proved impractical while the network is being built-out, before the show, because the build-out site typically has T1-ish bandwidth---again, saturated with a /16 being announced. Just because I find it amusing timing... today I sat in a vendor presentation where he connected to his company's demo site and I smiled as I saw IP addresses in 45/8 (as well as 10/8 and others).
Re: How polluted is 1/8?
On 4/02/2010, at 9:19 AM, Justin M. Streiner wrote: I would hope that the APNIC would opt not to assign networks that would contain 1.1.1.1 or 1.2.3.4 to customers for exactly that reason. The signal-to-noise ratio for those addresses is likely pretty high. The noise is likely contained on many internal networks for now because a corresponding route doesn't show up in the global routing table at the moment. Once that changes 1.1.1/24 and 1.2.3/24 are assigned to APNIC. Unless they release them, the general public will not get addresses in these. -- Nathan Ward
Re: Mitigating human error in the SP
3) Automation interfaces are largely unsupported: CLI is an automation interface. Combine that with a management server from which telnet sessions to the router can be managed, and you have probably the lowest risk automation interface possible. This may force you into building your own tools, but if you really want low risk, that's the price you pay. I'm sure we'll continue to build automated policy and configuration tools. I'm just not convinced it's the panacea that everyone thinks. Unless you're one of the biggest, it puts your network at someone else's mercy - and that someone else doesn't care about your operational expenses. That is not a risk of automation. That is a risk of buy versus build. More and more businesses of all sorts are beginning to take a new look at their software and automated systems with a view towards building and owning and maintaining the parts that really are business critical for their unique business. In this brave new world, only the non-essential stuff will be bought in as packages. --Michael Dillon
RE: ip address management
Please take a look at the Network Documentation Tool: http://netdot.uoregon.edu It's more than just IPAM, but it was designed with IPv6 in mind. BTW, I just gave a lightning talk at the I2 Joint Techs meeting in Salt Lake City this morning: http://www.internet2.edu/presentations/jt2010feb/20100203-vincente.pdf Feedback welcome. Regards, Carlos Vicente University of Oregon
Re: ip address management
Hi, Pavel Dimow wrote: does anybody know what happened with ipat? http://nethead.de/index.php/ipat http://nanog.cluepon.net/index.php/Tools_and_Resources i did take the sources offline a couple of weeks ago cause there didn't seem to be a lot of interest in the software. If you want i can put em up again or send you a download link but you should keep in mind that this is a carrier grade address management tool which requires quite some time to setup. The IP management stuff has been created on top of the RIPE whois database, means, you will be running a complete registry server. cheers, Arnd
Re: ip address management
Please do send the dn/load link .. thanks - Arnd Vehling a...@nethead.de wrote: Hi, Pavel Dimow wrote: does anybody know what happened with ipat? http://nethead.de/index.php/ipat http://nanog.cluepon.net/index.php/Tools_and_Resources i did take the sources offline a couple of weeks ago cause there didn't seem to be a lot of interest in the software. If you want i can put em up again or send you a download link but you should keep in mind that this is a carrier grade address management tool which requires quite some time to setup. The IP management stuff has been created on top of the RIPE whois database, means, you will be running a complete registry server. cheers, Arnd -- Brian R. Watters Director American Broadband Family of Companies 5718 East Shields Ave Fresno, CA. 93727 brwatt...@absfoc.com http://www.americanbroadbandservice.com tel: 559-420-0205 fax:559-272-5266 toll free: 866-827-4638
google contact? why is google hosting/supporting/encouraging spammers?
we have recently started getting a lot of spam, out of dubai, from ecampaigners@gmail.com all of the spam comes from/through google and google groups. is this accepted/supported activity on google? if not, where might i find a contact who can cluefully respond? -- Jim Mercer j...@reptiles.org +92 336 520-4504 I'm Prime Minister of Canada, I live here and I'm going to take a leak. - Lester Pearson in 1967, during a meeting between himself and President Lyndon Johnson, whose Secret Service detail had taken over Pearson's cottage retreat. At one point, a Johnson guard asked Pearson, Who are you and where are you going?
Re: Mitigating human error in the SP
You can completely implement Vijay's most impressive stuff and simply move the problem to a different level of abstraction. No matter what you do, it still comes down to some geek banging on some plastic thingy. I'm as likely to screw up an Extensible Entity-Attribute-Relationship as I am an ACL. David On Wed, Feb 3, 2010 at 8:14 AM, Ross Vandegrift r...@kallisti.us wrote: On Mon, Feb 01, 2010 at 09:46:07PM -0500, Stefan Fouant wrote: Vijay Gill had some real interesting insights into this in a presentation he gave back at NANOG 44: http://www.nanog.org/meetings/nanog44/presentations/Monday/Gill_programatic_N44.pdf His Blog article on Infrastructure is Software further expounds upon the benefits of such an approach - http://vijaygill.wordpress.com/2009/07/22/infrastructure-is-software/ That stuff is light years ahead of anything anybody is doing today (well, apart from maybe Vijay himself ;) ... but IMO it's where we need to start heading. Vijay's stuff is fascinating. The vision is great. But in my experience, the vendors and implementations basically ruin the dream for anyone who doesn't have his pull. I'm sure my software is nowhere close to being as sophisticated as his, but my plans are pretty much in line with his suggestions. Some problems I've run into that I don't see any kind of solution for: 1) Forwarding-impacting bugs: IOS bugs that are triggered by SNMP are easily the #1 cause of our accidental service impact. Most seem to be race conditions that require real-world config and forwarding load - not something a small shop can afford to build a lab to reproduce. If we stuck to manual deployment, we might have made a few mistakes but would it have been worse? Maybe - but honestly, it could be a wash. 2) Vendor support is highly suspicious of automation: anytime I open a ticket, even unrelated to an automated software process, the first thing the vendor support demands is to disable all automation. 
Juniper is by far the best about this, and they *still* don't actually believe their own automation tools work. Cisco TAC's answer has always been don't ever use SNMP if it causes crashes! Procurve doesn't even bother to respond to tickets related to automation bugs, even if they are remotely triggerable crashes in the default config. 3) Automation interfaces are largely unsupported: I imagine vendor software development having one or two guys that are the masterminds for SNMP/NETCONF/whatever - and that's it. When I have a question on how to find a particular tool, or find a bug in an automation function, I can often go months on a ticket with people that have no idea what I'm talking about. What documentation exists is typically incomplete or inconsistent across versions and product lines. 4) Related tools prevent reliable error reporting: as far as I can tell, Net-SNMP returns random values if a request fails; if there's a pattern, I've failed to discern it. expect is similar. ScreenOS's SSH implementation always returns that a file copy failed. Procurve only this year implemented ssh key-based auth in combination with remote authentication. The best-of-breed seems to be an oft-pathetic collection of tools. 5) Management support: developing automation software is hard - network devices aren't nearly as easy to deal with as they should be. When I spend weeks developing features that later cause IOS to spontaneously reload, people that don't understand the relation to operational impact start to advocate dismantling the automation just like the vendors above. I'm sure we'll continue to build automated policy and configuration tools. I'm just not convinced it's the panacea that everyone thinks. Unless you're one of the biggest, it puts your network at someone else's mercy - and that someone else doesn't care about your operational expenses. Ross -- Ross Vandegrift r...@kallisti.us If the fight gets hot, the songs get hotter. 
If the going gets tough, the songs get tougher. --Woody Guthrie
Re: google contact? why is google hosting/supporting/encouraging spammers?
ab...@gmail.com maybe? Looks like some random spammer based in Dubai judging by the airport code. On Thu, Feb 4, 2010 at 11:37 AM, Jim Mercer j...@reptiles.org wrote: we have recently started getting a lot of spam, out of dubai, from ecampaigners@gmail.com all of the spam comes from/through google and google groups. is this accepted/supported activity on google? if not, where might i find a contact who can cluefully respond? -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: google contact? why is google hosting/supporting/encouraging spammers?
On Thu, Feb 04, 2010 at 12:35:06PM +0530, Suresh Ramasubramanian wrote: ab...@gmail.com maybe? Looks like some random spammer based in Dubai judging by the airport code. yeah, tried that several times. seems to go to a black hole. i've engaged the spammer, and they are telling me that they feel it is ok to subscribe people to their group, because it sends out a subscription notice, as well as an unsubscribe link. they seem to be quite happy to use an @gmail account, and use google groups to propagate their spam. most recently, i got from them: Yes you are right, you can complain to Google, but to complain, you have a right email address, because this address we don't have listed. so, they are not concerned about being reported to google. very odd. is this a legitimate google groups activity? someone can set up and say well, yeah, he musta gone to one of our websites or something, how else would he get on our list? and google is ok with that? geez, do no harm really? --jim On Thu, Feb 4, 2010 at 11:37 AM, Jim Mercer j...@reptiles.org wrote: we have recently started getting a lot of spam, out of dubai, from ecampaigners@gmail.com all of the spam comes from/through google and google groups. is this accepted/supported activity on google? if not, where might i find a contact who can cluefully respond? -- Suresh Ramasubramanian (ops.li...@gmail.com) -- Jim Mercer j...@reptiles.org +92 336 520-4504 I'm Prime Minister of Canada, I live here and I'm going to take a leak. - Lester Pearson in 1967, during a meeting between himself and President Lyndon Johnson, whose Secret Service detail had taken over Pearson's cottage retreat. At one point, a Johnson guard asked Pearson, Who are you and where are you going?
Re: google contact? why is google hosting/supporting/encouraging spammers?
Google groups cautions you about pre-emptively adding people if you choose this method of subscribing them. On 02/04/10 02:12, Jim Mercer wrote: [...] and google is ok with that? geez, do no harm really? --jim
Re: google contact? why is google hosting/supporting/encouraging spammers?
On Thu, Feb 04, 2010 at 02:49:42AM -0500, David Ford wrote: Google groups cautions you about pre-emptively adding people if you choose this method of subscribing them. here, have some free guns. oh, by the way, it's probably bad if you go around shooting people, so don't do that. it is starting to look to me like google is quite happy to host spammers. or, at best, doesn't care if spammers use them to host their services. On 02/04/10 02:12, Jim Mercer wrote: [...] and google is ok with that? geez, do no harm really? --jim -- Jim Mercer j...@reptiles.org +92 336 520-4504 I'm Prime Minister of Canada, I live here and I'm going to take a leak. - Lester Pearson in 1967, during a meeting between himself and President Lyndon Johnson, whose Secret Service detail had taken over Pearson's cottage retreat. At one point, a Johnson guard asked Pearson, Who are you and where are you going?