Internet to Tunisia

2011-01-11 Thread Marshall Eubanks
I am hearing reports of Internet blockage in / to Tunisia, where a near full-on 
revolt is being coordinated / reported on by
social media such as twitter ( #sidibouzid ), Facebook and Youtube. 

Can anyone confirm that there is blockage ? Are there any in-country resources 
to check this ? There does not appear to be a looking glass in Tunisia. 

Regards
Marshall 


Re: Internet to Tunisia

2011-01-11 Thread Stephane Bortzmeyer
On Tue, Jan 11, 2011 at 05:50:09AM -0500,
 Marshall Eubanks t...@americafree.tv wrote 
 a message of 10 lines which said:

 Can anyone confirm that there is blockage ?

Filtering has existed for a long time and it is widely documented. I
am not aware of a global blockage today.

 Are there any in-country resources to check this ? 

The Web site of the Tunisian Internet agency, http://www.ati.tn/, is
hosted in Tunis, as are some of the name servers of .TN, like
ns2.ati.tn.




Re: Internet to Tunisia

2011-01-11 Thread Nick Hilliard

On 11/01/2011 10:50, Marshall Eubanks wrote:

I am hearing reports of Internet blockage in / to Tunisia, where a near full-on 
revolt is being coordinated / reported on by
social media such as twitter ( #sidibouzid ), Facebook and Youtube.

Can anyone confirm that there is blockage ? Are there any in-country resources 
to check this ? There does not appear to be a looking glass in Tunisia.


Are you referring to this:

http://www.thetechherald.com/article.php/201101/6651/Tunisian-government-harvesting-usernames-and-passwords

(short url: http://tinyurl.com/36tu64h)

Nick



Re: Is Cisco equpiment de facto for you?

2011-01-11 Thread Jethro R Binks
On Mon, 10 Jan 2011, Greg Whynott wrote:

  Just as a pointer - one of the largest and most utilized IX (AMS-IX) 
  has their platform built on Brocade devices.
 
 Brocade device's pre Foundry purchase correct?  I can't see anyone that 
 large using Foundry in large deployments..

Probably not as large as AMS-IX, but London Internet Exchange (LINX): both 
as Foundry and Brocade.

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.



Re: AltDB?

2011-01-11 Thread John Curran
On Jan 11, 2011, at 1:45 AM, Doug Barton wrote:

 On (admittedly) cursory exam I didn't see a form to submit anything, so I 
 gravitated to the rather large login widget under the assumption that it must 
 be important because it's so big. :) 
 ...

Doug - 
 
  It's perfectly understandable, and doesn't distract from your main
  point that the circumstances (ARIN effectively mandating MAIL-FROM 
  for authentication) is patently unacceptable and shouldn't require any
  more effort than pointing such out in email.  I did not perceive the
  situation initially, and hence sent Jeff Wheeler off to said suggestion 
  form.  As noted, we're now looking into how to fix the IRR authentication
  situation and will report back asap.

/John

John Curran
President and CEO
ARIN






Re: arin and ops fora (was Re: AltDB?)

2011-01-11 Thread Jack Bates

On 1/11/2011 12:57 AM, David Conrad wrote:

Or not.  It may be that network operators (not just the ones that show up at 
ARIN meetings and are on PPML) are happy with the existing communication 
channels and that additional structures to encourage participation and input in 
the ARIN region regarding services ARIN provides to the public are unnecessary.



Public easily reachable people. Public information on operations and 
what they do on their website with tons of pointers (even if it's not 
laid out the best). Public participation mailing lists. Presence of key 
people on other lists such as nanog.


What more is an org supposed to do to communicate with people? Even the 
CEO lurks on nanog and responds when necessary. What community were you 
wanting them to interface with? I could be wrong, but I suspect any 
genius ideas which the CEO hears via the various communication mediums 
may quickly find its way to be implemented. Sure, it may get restricted 
to some degree depending on how people in PPML feel about it. I'm sure 
the membership has some say on how their money is spent. Neither of 
these things limits the ability to suggest an idea.



Jack



Re: Satellite IP

2011-01-11 Thread mikea
On Mon, Jan 10, 2011 at 04:33:30PM -0500, Jay Ashworth wrote:
 - Original Message -
  From: Valdis Kletnieks valdis.kletni...@vt.edu
 
   Why the hostility, Valdis?
  
  As I said several times - it's not hard to be 98% or 99% sure you can make
  all your commitments. However, since predicting the future is an inexact
  science,
  it's really hard to provide a *100% guarantee* that you'll have enough
  contended capacity to make all the performance targets even if every
  single occasional customer shows up at once. As Jay pointed out in his
  follow-up note, his backup strategy is scramble around and hope another
  provider can
  come through in time, which is OK if you *know* that's your strategy
  and are OK on it. However, blindly going along with my usual provider
  guaranteed 100% availability is a bad idea.
 
 I don't think Kelly is on his first rodeo, and I know I'm not.
 
 scramble around is a bit pejorative as descriptions for my booking 
 strategy go, but everyone has a cranky day every so often, not least me.
 
 :-)
 
 And note that I *also* pointed out that carrier statmuxing on the 
 transport is a valid strategy for capacity elasticity, in that particular
 environment.
 
  Remember, we're coming out of a solar minimum. ;)
 
 Are we in fact coming out of it yet?  I heard it was getting deeper,
 and that we were looking at a Dalton, if not another Maunder.

I'll have to find the paper I read yesterday that said we should expect to
wait a long time before we see sunspot counts back where they should be.
... Try this:

http://news.sciencemag.org/sciencenow/2010/09/say-goodbye-to-sunspots.html

-- 
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin 



Re: Is Cisco equpiment de facto for you?

2011-01-11 Thread Ron Broersma

 Brocade device's pre Foundry purchase correct?  I can't see anyone that large 
 using Foundry in large deployments..

Foundry/Brocade is used heavily in portions of DoD's research and engineering 
community.  It is usually preferred where you need high 10Gig port density, 
IPv6, and/or sflow.  But Juniper and Cisco are used heavily as well, depending 
on local requirements and culture.
--Ron





RE: Is Cisco equpiment de facto for you?

2011-01-11 Thread Brandon Kim

For anyone that is following this thread/subject from yesterday, is it me or 
does it seem as if Cisco really isn't
the choice for most SP's?

Someone has mentioned that it all really depends on your needs and what it is 
you want to provide.

IMO, every vendor has something they are good at. I wouldn't use Cisco for 
everything, nor Juniper etc etc...

The concern I sense is that from Cisco's POV, it's their way or the highway. 
Not only do you pay a premium for smartnet,
but if there's an issue, they are quick to point the finger. That is not 
service/support that I desire.

Is this what everyone is sensing as well? I'm starting to look at Brocade now 
just to do some fair comparisons.




 Date: Tue, 11 Jan 2011 13:56:31 +
 From: jethro.bi...@strath.ac.uk
 To: nanog@nanog.org
 Subject: Re: Is Cisco equpiment de facto for you?
 
 On Mon, 10 Jan 2011, Greg Whynott wrote:
 
   Just as a pointer - one of the largest and most utilized IX (AMS-IX) 
   has their platform built on Brocade devices.
  
  Brocade device's pre Foundry purchase correct?  I can't see anyone that 
  large using Foundry in large deployments..
 
 Probably not as large as AMX-IX, but London Internet Exchange (LINX): both 
 as Foundry and Brocade.
 
 Jethro.
 
 ..  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
 Jethro R Binks, Network Manager,
 Information Services Directorate, University Of Strathclyde, Glasgow, UK
 
 The University of Strathclyde is a charitable body, registered in
 Scotland, number SC015263.
 
  

Re: Internet to Tunisia

2011-01-11 Thread Marshall Eubanks

On Jan 11, 2011, at 6:03 AM, Nick Hilliard wrote:

 On 11/01/2011 10:50, Marshall Eubanks wrote:
 I am hearing reports of Internet blockage in / to Tunisia, where a near 
 full-on revolt is being coordinated / reported on by
 social media such as twitter ( #sidibouzid ), Facebook and Youtube.
 
 Can anyone confirm that there is blockage ? Are there any in-country 
 resources to check this ? There does not appear to be a looking glass in 
 Tunisia.
 
 Are you referring to this:
 
 http://www.thetechherald.com/article.php/201101/6651/Tunisian-government-harvesting-usernames-and-passwords
 
 (short url: http://tinyurl.com/36tu64h)

No, I have received personal communications. 

On twitter right now there are frequent claims that all https is blocked 
(presumably a port blocking). 

Regards
Marshall



 
 Nick
 




Re: Internet to Tunisia

2011-01-11 Thread Simon Waters
On Tuesday 11 January 2011 14:58:51 Marshall Eubanks wrote:

 On twitter right now there are frequent claims that all https is blocked
 (presumably a port blocking).

A quick search pulls up:
http://www.cpj.org/internet/2011/01/tunisia-invades-censors-facebook-other-accounts.php

Since Gmail defaults to HTTPS, and many other sites left to their own devices, 
it is necessary for an attacker to try and force clients to use HTTP or start 
conversation using HTTP (so that no one notices when the important bit isn't 
encrypted, or to enable javascript from a third party to be injected).

NoScript for Firefox has a "force HTTPS for a domain" feature.
http://noscript.net/faq#qa6_3

But what clients really need is a way for servers to say "always use 
encryption".
http://noscript.net/faq#STS

Of course when it gets to the level of countries, it is quite plausible your 
browser may already trust a certificate authority under their jurisdiction so 
all bets are off.

I think I'm saying HTTPS doesn't quite hack it in browsers yet, but it will 
be secure enough real soon now.
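The "force HTTPS" and server-side "always use encryption" ideas above are what the NoScript STS feature implements: a Strict-Transport-Security response header that the client remembers (the mechanism was later standardised as HSTS in RFC 6797). The Python below is an added example, not NoScript's code or anything from the original message. It parses that header, stores the policy only when it arrived over HTTPS (so a header injected into plain HTTP cannot set or clear it), and upgrades later http:// URLs for the host, and its subdomains when asked, until the policy expires. Host names and header values are constructed for the example.

```python
"""Client-side handling of a server's "always use encryption" signal.

Added example, not code from the original post. Models the
Strict-Transport-Security header behaviour; hosts and header values
below are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None if the value
    is malformed. Directive names are case-insensitive; max-age is
    mandatory; unknown directives are ignored.
    """
    max_age = None
    include_sub = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class StsCache:
    """Remembers which hosts asked to be reached only over HTTPS."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock, so expiry can be tested
        self._hosts = {}          # host -> (expiry_timestamp, include_subdomains)

    def record(self, host: str, header: str, over_https: bool) -> bool:
        """Store a policy; returns True if it was accepted.

        A policy is trusted only when it arrived over HTTPS: anyone who can
        tamper with plain HTTP must not be able to set or clear it.
        max-age=0 removes a previously stored policy.
        """
        if not over_https:
            return False
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)
            return True
        self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def must_use_https(self, host: str) -> bool:
        """True if the host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if self._now() >= expiry:
                continue  # expired policy: fall back to plain HTTP behaviour
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// when a live policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.must_use_https(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

The rewrite only touches the URL scheme; as the last paragraph of the message says, it does nothing about a trusted CA under a hostile jurisdiction issuing a certificate for the site, and it cannot protect the very first plain-HTTP visit before any policy has been seen.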




RE: AltDB?

2011-01-11 Thread Koch, Andrew
On Jan 11, 2011 at 8:14AM, John Curran wrote:

   It's perfectly understandable, and doesn't distract from your main
   point that the circumstances (ARIN effectively mandating MAIL-FROM
   for authentication) is patently unacceptable and shouldn't require any
   more effort than pointing such out in email.  I did not perceive the
   situation initially, and hence sent Jeff Wheeler off to said suggestion
   form.  As noted, we're now looking into how to fix the IRR authentication
   situation and will report back asap.

As you are checking out authentication, can you also check out the notify 
fields as well.  I was informed in July 2010 that neither mnt-nfy nor notify 
fields were operational.  I submitted suggestion 2011.2 requesting these be 
activated.

Regards,

Andrew Koch
TDS Telecom - IP Network Operations
andrew.k...@tdstelecom.com



Re: AltDB?

2011-01-11 Thread John Curran
On Jan 11, 2011, at 10:18 AM, Koch, Andrew wrote:

 As you are checking out authentication, can you also check out the notify 
 fields as well.  I was informed in July 2010 that neither mnt-nfy nor notify 
 fields were operational.  I submitted suggestion 2011.2 requesting these be 
 activated.

Will do - Thanks for the note.
/John

John Curran 
President and CEO
ARIN




Re: Is Cisco equpiment de facto for you?

2011-01-11 Thread Seth Mattinen
On 1/11/11 6:49 AM, Jack Bates wrote:
 
 To be honest, I use smartnet to upgrade the OS. I quit calling TAC after
 they failed to understand, much less help me with my eigrp over frame
 relay with automatic ISDN backup on route failure and re-establishment
 of eigrp over the ISDN. :)
 

The cisco-nsp mailing list is often much more helpful than TAC.

~Seth



Re: NIST IPv6 document

2011-01-11 Thread Valdis . Kletnieks
On Mon, 10 Jan 2011 22:22:32 CST, Jack Bates said:

 Really? Which machine was using the privacy extension address on the 
 /64? I don't see how it's made it any easier to track. In some ways, on 
 provider edges that don't support DHCPv6 IA_TA and rely on slaac, it's 
 one extra nightmare.

The same exact way you currently track down an IP address that some machine has
started using without bothering to ask your DHCP server for an allocation, of 
course.

Remember - the privacy extension was so that somebody far away on the Internet
couldn't easily correlate all these hits on websites were from the same box.
It gives a user approximately *zero* protection against their own ISP dumping
the ARP tables off every switch every 5 minutes and keeping the data handy in
case they have to track a specific MAC or IP address down.

And if you know how to do that sort of thing for rogue/unexpected stuff on 
IPv4, doing it for IPv6 is trivial.







Re: NIST IPv6 document

2011-01-11 Thread Jack Bates

On 1/11/2011 10:57 AM, valdis.kletni...@vt.edu wrote:

The same exact way you currently track down an IP address that some machine has
started using without bothering to ask your DHCP server for an allocation, of 
course.



But it's no easier. Especially when you hit the customer equipment. NAT 
may be gone there, but knowing which computer it is will likely be 
impossible (as it won't be standard policy for the customer to grab arp 
tables).



Remember - the privacy extension was so that somebody far away on the Internet
couldn't easily correlate all these hits on websites were from the same box.
It gives a user approximately *zero* protection against their own ISP dumping
the ARP tables off every switch 5 minutes and keeping the data handy in case
they have to track a specific MAC or IP address down.



I dislike this method, though. It works, but I much prefer to correlate 
with radius accounting logs backended on a DHCP server. Sadly, even in 
v4, implementations are not always available. Of course, I don't run NAT 
at the provider edge, but customers often do, and while I will be able 
to track the customer, knowing which machine will be just as impossible 
as it is with NAT.



Jack
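Valdis's method (periodic dumps of the router's neighbour cache and the switches' MAC tables) and Jack's point that a temporary address still has to be traced back to a port both come down to a join on the MAC address: privacy extensions rotate the interface identifier, but the link-layer address behind it stays the same. The Python below is an added example, not code from either post. It performs that join over constructed sample dumps in `ip -6 neigh` and `show mac address-table` formats; the addresses, MACs, VLAN and port names are made up.

```python
"""Locate the switch port behind an IPv6 privacy-extension address.

Added example, not from the original posts. Joins periodic neighbour-cache
dumps (IPv6 -> MAC) with switch MAC-table dumps (MAC -> port) taken at the
same time. All snapshot data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample dumps: (timestamp, text). The host rotates its
# temporary address between the two snapshots but keeps its MAC.
ND_SNAPSHOTS = [
    (1000, "2001:db8:1::a1c3:9f12:7e00:44aa dev vlan10 lladdr 00:11:22:aa:bb:cc REACHABLE\n"
           "2001:db8:1::1 dev vlan10 lladdr 00:11:22:dd:ee:ff STALE\n"),
    (1300, "2001:db8:1::5b77:c0de:1234:beef dev vlan10 lladdr 00:11:22:aa:bb:cc REACHABLE\n"
           "2001:db8:1::a1c3:9f12:7e00:44aa dev vlan10  FAILED\n"),
]
MAC_SNAPSHOTS = [
    (1000, "  10    0011.22aa.bbcc    DYNAMIC     Gi1/0/7\n"
           "  10    0011.22dd.eeff    DYNAMIC     Gi1/0/1\n"),
    (1300, "  10    0011.22aa.bbcc    DYNAMIC     Gi1/0/7\n"),
]

ND_RE = re.compile(
    r"^(?P<ip>[0-9a-f:]+) dev (?P<dev>\S+)\s+lladdr (?P<mac>[0-9a-f:]{17})", re.I)
MAC_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)",
    re.I)


def norm_mac(mac: str) -> str:
    """Normalise 0011.22aa.bbcc or 00:11:22:AA:BB:CC to 00:11:22:aa:bb:cc."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Sighting:
    ts: int
    ip: str
    mac: str
    port: Optional[str]   # None when the switch table had no entry for the MAC


def parse_nd(text: str):
    """Yield (ip, mac) for neighbour entries that carry a link-layer address."""
    for line in text.splitlines():
        m = ND_RE.match(line)
        if m:
            yield m["ip"].lower(), norm_mac(m["mac"])


def parse_mac_table(text: str) -> dict:
    """Return {mac: port} from a switch MAC-table dump."""
    out = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            out[norm_mac(m["mac"])] = m["port"]
    return out


def build_history(nd_snapshots, mac_snapshots):
    """Join each neighbour dump with the MAC-table dump taken at the same time."""
    mac_by_ts = {ts: parse_mac_table(text) for ts, text in mac_snapshots}
    history = []
    for ts, text in nd_snapshots:
        ports = mac_by_ts.get(ts, {})
        for ip, mac in parse_nd(text):
            history.append(Sighting(ts, ip, mac, ports.get(mac)))
    return history


def locate(history, ip: str, when: int) -> Optional[Sighting]:
    """Most recent sighting of `ip` at or before `when` (e.g. an abuse report time)."""
    candidates = [s for s in history if s.ip == ip.lower() and s.ts <= when]
    return max(candidates, key=lambda s: s.ts) if candidates else None


def addresses_for_mac(history, mac: str):
    """Every address a MAC has used: the rotating temporary addresses of one host."""
    return sorted({s.ip for s in history if s.mac == norm_mac(mac)})
```

The dump interval bounds the precision: a temporary address that appeared and disappeared between two snapshots is never seen, which is why the interval matters more than the dump format. Past the customer's own router, as Jack notes, this stops: the ISP sees the delegated prefix and the CPE's MAC, not the machine behind it.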



Re: IPv6 - real vs theoretical problems

2011-01-11 Thread Michael Loftis
On Fri, Jan 7, 2011 at 3:44 PM, Owen DeLong o...@delong.com wrote:
snip
 There are multiple purposes to /48s to residential end users.

 DHCP-PD allows a lot of future innovations not yet available.

        Imagine a house where the border router receives a /48
        from the ISP and delegates /64s or /60s or whatever to
        other routers within the house.

        Each home entertainment cluster may be one group of
        networks with its own router.

        The appliance network(s) may have their own router(s).

        RFID tags on groceries may lead to a time when your
        home automation server can gather up data from your
        refrigerator, pantries, etc. and present the inventory
        on your mobile phone while you're at the grocery store.
        No more need to maintain a shopping list, just query
        the inventory from the store.

 These are just the things that could easily be done with the
 technology we already know about. Imagine what we might
 think of once we get more used to having prefix abundance.
snip

Having more address space won't help most of these uses, and as for
why, take a look at the proposed situation with for example home media
serving/sharing systems by TiVo, Apple, etc. They all require that the
units be within the same broadcast domain or that there be a
configured bridge of some sort if they even allow that topology.  They
(actually rightfully) assume that the network topology is flat, single
broadcast domain, and more and more use Multicast DNS (which I've seen
called a bunch of different things).  More to the point, your average
home user can not technically fathom anything more complicated than
"plug it in" -- and many begin to fail to set something up properly
when it's extended to something as complicated as "plug it in, push a
button" or "plug it in, type some numbers into the device".

Your average home user has no reason at all for anything more than a
PtP to his/her gateway, and a single prefix routed to that gateway.
There are most certainly a few (which includes I'm sure 99% of the
NANOGers!) subscribers who can and will use more space than that, and
ISPs most definitely should make /48s readily and easily available for
those customers, but giving each and every customer a /48 (or really,
even a pair of /64s, one for the PtP, one delegated) is almost
certainly overkill.  The devices won't use the extra space unless
there's some automagic way of them communicating the desire to
each other, and appropriately configuring themselves, and it would have
to be very widely accepted.  But there's no technical gain.  A typical
household would probably have less than about 50, maybe 100 devices,
even if we start networking appliances like toasters, hair dryers and
every single radio, tv, and light switch.

Just my 2 cents worth.



Re: arin and ops fora (was Re: AltDB?)

2011-01-11 Thread Owen DeLong

On Jan 11, 2011, at 6:15 AM, Jack Bates wrote:

 On 1/11/2011 12:57 AM, David Conrad wrote:
 Or not.  It may be that network operators (not just the ones that show up at 
 ARIN meetings and are on PPML) are happy with the existing communication 
 channels and that additional structures to encourage participation and input 
 in the ARIN region regarding services ARIN provides to the public are 
 unnecessary.
 
 
 Public easily reachable people. Public information on operations and what 
 they do on their website with tons of pointers (even if it's not laid out the 
 best). Public participation mailing lists. Presence of key people on other 
 lists such as nanog.
 
 What more is an org supposed to do to communicate with people? Even the CEO 
 lurks on nanog and responds when necessary. What community were you wanting 
 them to interface with? I could be wrong, but I suspect any genius ideas 
 which the CEO hears via the various communication mediums may quickly find 
 it's way to be implemented. Sure, it may get restricted to some degree 
 depending on how people in PPML feel about it. I'm sure the membership has 
 some say on how their money is spent. Neither of these things limit the 
 ability to suggest an idea.
 
 
 Jack

Just to be clear... Participation in PPML is open to ANYONE, not just ARIN 
members. There are a lot of non-members on PPML
and their voices count just as much as members on that list.

Owen




RE: IPv6 - real vs theoretical problems

2011-01-11 Thread George Bonser


 From: Michael Loftis 
 Sent: Tuesday, January 11, 2011 10:46 AM
 To: nanog
 Subject: Re: IPv6 - real vs theoretical problems


 Your average home user has no reason at all for anything more than a
 PtP to his/her gateway, and a single prefix routed to that gateway.
 There are most certainly a few (which includes I'm sure 99% of the
 NANOGers!) subscribers who can and will use more space than that, and
 ISPs most definitely should make /48s readily and easily available for
 those customers, but giving each and every customer a /48 (or really,
 even a pair of /64s, one for the PtP, one delegated) is almost
 certainly overkill.  The devices won't use the extra space unless
 there's some automagic way of them communicating the desire to
 eachother, and appropriately configuring themselves, and it would have
 to be very widely accepted.  But there's no technical gain.  A typical
 household would probably have less than about 50, maybe 100 devices,
 even if we start networking appliances like toasters, hair dryers and
 every single radio, tv, and light switch.
 
 Just my 2 cents worth.

And what is to say that some devices won't have several different IPs?
Maybe a different subnet is associated with each individual in the
household when getting their voicemail or making DVR recordings or
whatever. And I might want the stuff in my garage on a different
subnet than the stuff in my living room because it has different access
policy. To say "Your average home user has no reason at all ..." seems
like saying the average user will have no reason at all to need more
than 640K of RAM.  Many of us are looking at things from today's
perspective.  Maybe each room of my house will have its own subnet with
a low power access point and I can find which room something is in by
the IP address it has.  I have no idea, but do believe there is no
reason to be restrictive in network assignments with v6.



Re: IPv6 - real vs theoretical problems

2011-01-11 Thread Jack Bates



On 1/11/2011 1:05 PM, George Bonser wrote:

Many of us are looking at things from today's
perspective.  Maybe each room of my house will have its own subnet with
a low power access point and I can find which room something is in by
the IP address it has.


Today, there are several vendors who believe the wireless part of their 
cpe should be a different subnet than the ethernet. There are multiple 
cases of stacked routers in homes, which requires multiple DHCPv6-PD 
delegations, and the current philosophy is very wasteful (as DHCPv6 
itself doesn't support variable sized requests, chained requesting, and 
other options which would make it efficient for a requesting router 3 
routers away from the initial DHCPv6 server).



Jack



Agenda for Miami

2011-01-11 Thread Schiller, Heather A

 Hopefully posted soonish?  Less than 3 weeks to the meeting, the early
registration window has passed and there is still no agenda.  

 Thanks,
--h

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
Heather Schiller
Network Security - Verizon Business
1.800.900.0241  secur...@verizonbusiness.com



Re: IPv6 - real vs theoretical problems

2011-01-11 Thread Owen DeLong

On Jan 11, 2011, at 10:45 AM, Michael Loftis wrote:

 On Fri, Jan 7, 2011 at 3:44 PM, Owen DeLong o...@delong.com wrote:
 snip
 There are multiple purposes to /48s to residential end users.
 
 DHCP-PD allows a lot of future innovations not yet available.
 
Imagine a house where the border router receives a /48
from the ISP and delegates /64s or /60s or whatever to
other routers within the house.
 
Each home entertainment cluster may be one group of
networks with its own router.
 
The appliance network(s) may have their own router(s).
 
RFID tags on groceries may lead to a time when your
home automation server can gather up data from your
refrigerator, pantries, etc. and present the inventory
on your mobile phone while you're at the grocery store.
No more need to maintain a shopping list, just query
the inventory from the store.
 
 These are just the things that could easily be done with the
 technology we already know about. Imagine what we might
 think of once we get more used to having prefix abundance.
 snip
 
 Having more address space won't help most of these uses, and as for
 why, take a look at the proposed situation with for example home media

Yes, it will...

 serving/sharing systems by TiVo, Apple, etc. They all require that the
 units be within the same broadcast domain or that there be a
 configured bridge of some sort if they even allow that topology.  They

That is the current state of the art, which is the direct result of the lack
of address space and the lack of the features I am describing making
this absolutely necessary.

 (actually rightfully) assume that the network topology is flat, single
 broadcast domain, and mroe and more use Multicast DNS (which I've seen

Yes, that assumption is valid today. Future technology can change that
assumption in useful and meaningful ways.

 called a bunch of different things)  More to the point, your average
 home user can not technically fathom anything more complicated than
 plug it in -- and many begin to fail to set something up properly
 when its extended to something as complicated as plug it in, push a
 button or plug it in, type some numbers into the device

DHCP-PD will allow for hierarchical topology that is not more complicated
than plug it in. No button push, no typing something in. Literally plug
it in.
 
 Your average home user has no reason at all for anything more than a
 PtP to his/her gateway, and a single prefix routed to that gateway.

Correct. I'm just saying that prefix should be a /48 so that the gateway
can work with the other gateways inside the house to designate the
best topology within the house. Note, this is all automated. It doesn't
require the end-user to actually do anything other than plug it in.

 There are most certainly a few (which includes I'm sure 99% of the
 NANOGers!) subscribers who can and will use more space than that, and
 ISPs most definitely should make /48s readily and easily available for
 those customers, but giving each and every customer a /48 (or really,
 even a pair of /64s, one for the PtP, one delegated) is almost
 certainly overkill.  The devices won't use the extra space unless

That is today only thinking. Toss out your IPv4 scarcity-based assumptions
about what is possible. IPv6 does have new features and new capabilities
that we are just beginning to consider.

 there's some automagic way of them communicating the desire to
 eachother, and appropriately configuring themselves, and it would have
 to be very widely accepted.  But there's no technical gain.  A typical

It's called DHCPv6-PD and it already exists. That's the point!!

 household would probably have less than about 50, maybe 100 devices,
 even if we start networking appliances like toasters, hair dryers and
 every single radio, tv, and light switch.
 
It's not about the number of devices. That's IPv4-think. It's about the number
of segments. I see a world where each home-entertainment cluster would
be a separate segment (today, few things use IP, but, future HE solutions
will include Monitors, Amps, Blu-Ray players, and other Media gateways
that ALL have ethernet ports for control and software update). The
kitchen appliances would probably have their own segment. A refrigerator
or pantry may have a front-end router that separates the household
backbone from the network interfacing all the RFIDs contained within
the device. I'm sure there are other examples where automated
segmentation of the network can, does, and will make sense.

We're just starting to explore this. The point is to have address delegation
policies which don't interfere with this development.

 Just my 2 cents worth.

I'll see your $0.02 and raise you $0.48 ;-)

Owen
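The hierarchy Owen describes (the ISP delegates a /48 to the border router, which delegates to interior routers, which number their own segments) can be sketched as a small allocator. The Python below is an added example, not Owen's code or any DHCPv6 server's. Router and segment names are constructed, and it models only the prefix arithmetic and lease bookkeeping a DHCPv6-PD server performs (the protocol itself carries these as IA_PD options, RFC 3633), not the messages on the wire. It goes slightly beyond the message by also handling renewal and release, which are the cases where the "plug it in and it just works" promise is usually tested.

```python
"""Hierarchical prefix delegation inside a home, starting from an ISP /48.

Added example, not from the original post and not a DHCPv6 implementation.
Each Delegator is a router holding a prefix and carving it up for routers
or segments that ask. Names and prefixes are constructed.
"""
import ipaddress


class Delegator:
    """One router holding a prefix and handing sub-prefixes downstream."""

    def __init__(self, name: str, prefix: str):
        self.name = name
        self.prefix = ipaddress.IPv6Network(prefix)
        self.leases = {}            # requester name -> IPv6Network
        self._free = [self.prefix]  # unallocated blocks of assorted sizes

    def delegate(self, requester: str, prefixlen: int) -> ipaddress.IPv6Network:
        """Give `requester` a /prefixlen, splitting a free block as needed.

        A repeat request from the same requester returns the existing lease,
        so a rebooted downstream router keeps its prefix (renewal). /64 is the
        smallest unit handed out because SLAAC needs a full /64 per segment.
        """
        if requester in self.leases:
            return self.leases[requester]
        if prefixlen > 64 or prefixlen < self.prefix.prefixlen:
            raise ValueError(f"{self.name}: cannot delegate a /{prefixlen} from {self.prefix}")
        # Best fit: the smallest free block that is still large enough.
        fits = [b for b in self._free if b.prefixlen <= prefixlen]
        if not fits:
            raise RuntimeError(f"{self.name}: pool {self.prefix} exhausted for /{prefixlen}")
        block = max(fits, key=lambda b: b.prefixlen)
        self._free.remove(block)
        while block.prefixlen < prefixlen:
            first, second = block.subnets(prefixlen_diff=1)
            self._free.append(second)   # keep the upper half for later requests
            block = first
        self.leases[requester] = block
        return block

    def release(self, requester: str) -> None:
        """Return a lease to the free pool (a downstream router went away)."""
        self._free.append(self.leases.pop(requester))


def build_home(isp_prefix: str = "2001:db8:abcd::/48") -> dict:
    """Border router takes the ISP /48, delegates a /60 to each interior
    router, and each of those numbers its segments with /64s.
    Router and segment names are constructed for the example."""
    border = Delegator("border", isp_prefix)
    home = {"border": border}
    segments_by_router = {
        "entertainment": ["tv", "amp", "bluray"],
        "kitchen": ["appliances", "fridge-rfid"],
    }
    for router_name, segments in segments_by_router.items():
        interior = Delegator(router_name, str(border.delegate(router_name, 60)))
        home[router_name] = interior
        for seg in segments:
            interior.delegate(seg, 64)
    return home


def segment_prefix(home: dict, router: str, segment: str) -> str:
    """The /64 a given segment ended up with, as text."""
    return str(home[router].leases[segment])


if __name__ == "__main__":
    home = build_home()
    for router, d in home.items():
        for who, net in d.leases.items():
            print(f"{router:14s} -> {who:14s} {net}")
```

A /60 per interior router gives it sixteen /64 segments; a /48 holds 4096 such /60s, which is the headroom Owen is arguing for: none of this requires the end user to type anything, only that the upstream delegation be large enough to subdivide more than once.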




Re: Agenda for Miami

2011-01-11 Thread Kevin Oberman
 Date: Tue, 11 Jan 2011 19:22:47 +
 From: Schiller, Heather A heather.schil...@verizonbusiness.com
 
  Hopefully posted soonish?  Less than 3 weeks to the meeting, the early
 registration window has passed and there is still no agenda.  

Heather,

Yes, the holidays and the collision with Internet2 Joint Techs has
slowed down the process. The PC is meeting on Thursday to pretty much
finalize the agenda and I hope it will be available this week.
-- 
R. Kevin Oberman, Network Engineer
NANOG Program Committee