Re: SORBS contact?
mailop list? I run a dnsbl myself (dronebl to be exact), call me dumb or whatever, but never heard about that list.

In fact, I am also working on granting AS admins to be able to list entries in their ranges etc, so if you are listed in whois as administrator of an AS and you want access to listings within your ranges, gimme a yell.

On 23-3-2011 0:25, Rich Kulawiec wrote:
> For future reference: you're much more likely to elicit a useful response by using the mailop list, since you'll be addressing a mixed audience of mail system operators, DNSBL operators, software authors, etc., all of whom are focused on mail and not network operations.
>
> ---rsk

DNSSEC on the resolver-side?
Hi,

I wonder... How many people here have activated DNSSEC validation on their resolvers? Please let me know off-list when the page below results in a green tick:

http://dnssectest.sidn.nl/

Additional details are welcome, like:
- The IP-address of the resolver(s) you used (if you know)
- Whether this is an 'official' resolver at an ISP or not
- Your current IP-address, or the ISP you are at (http://ip.sidn.nl might be helpful).

Maybe some of you DNS-gurus are even able to tell why DNSSEC validation failed, even when using DNSSEC-enabled resolvers. For example because of some old-school DNS-forwarder in your ADSL modem or something. That would be great information also.

The reason for this post is just for me to get a rough understanding of the level of DNSSEC adoption on the resolver-side and the problems that might still exist with DNSSEC validation.

The NANOG wiki (http://nanog.cluepon.net) has nothing about DNSSEC yet. Would it be an idea to add something about DNSSEC? I am more than willing to do the kick-off for that.

Regards,
--
Marco

Re: Creating an IPv6 addressing plan for end users
Nathalie,

As an end customer (not a carrier) over in ARIN land I purchased a /48 about a year ago for our future IPv6 needs. We have 4 different Internet touchpoints (two per carrier) all rated at about 1Gbps. Recently, both carriers told us that the minimum advertisement they would accept PER CIRCUIT would be a /48. I was surprised to say the least. Basically a /48 would not be enough for us. The argument was that this was to support all the summarization efforts and blah blah blah. Even though my space would be unique to either carrier. So now I'm contemplating a much larger block. Seems wasteful but I have to for the carriers.

Have you heard of this elsewhere or is this maybe just an ARIN/American thing? Both carriers told me that in discussions with their peers that they were all doing this.

-Hammer-

I was a normal American nerd.
-Jack Herer

On Wed, Mar 16, 2011 at 1:52 PM, Schiller, Heather A heather.schil...@verizonbusiness.com wrote:
> For those who don't like clicking on random bit.ly links:
>
> http://www.ripe.net/training/material/IPv6-for-LIRs-Training-Course/IPv6_addr_plan4.pdf
>
> --Heather
>
> -----Original Message-----
> From: Nathalie Trenaman [mailto:natha...@ripe.net]
> Sent: Wednesday, March 16, 2011 5:05 AM
> To: nanog@nanog.org
> Subject: Creating an IPv6 addressing plan for end users
>
> Hi all,
>
> In our IPv6 courses, we often get the question: I give my customers a /48 (or a /56 or a /52) but they have no idea how to distribute that space in their network. In December Sander Steffann and Surfnet wrote a manual explaining exactly that, in clear language with nice graphics. A very useful document but it was in Dutch, so RIPE NCC decided to translate that document to English. Yesterday, we have published that document on our website and we hope this document is able to take away some of the fear that end users seem to have for these huge blocks.
>
> You can find this document here: http://bit.ly/IPv6addrplan (PDF)
>
> I look forward to your feedback, tips and comments.
>
> With kind regards,
> Nathalie Trenaman
> RIPE NCC Trainer

Re: Question/Netflix issues?
Netflix was hard down for about an hour last night. This is strictly from an end user perspective. Several of my buddies told me it was not even responding to DNS.

-Hammer-

I was a normal American nerd.
-Jack Herer

On Tue, Mar 22, 2011 at 7:32 PM, Scott, Robert D. rob...@ufl.edu wrote:
> > Greetings,
> > I know this is way off topic, but is anyone else getting calls/tickets about Netflix access problems?
> > SNIP
> > -Joe Blanchard
>
> Quite to the contrary Joe. It is actually a pleasure to read an operationally relevant thread on NANOG. If your customers are calling about accessibility issues then this is 200% relevant. The week long diatribe about why, who, what, when, and if Sun Spots caused it, after the fact, are not.
>
> Robert D. Scott rob...@ufl.edu
> Senior Network Engineer    352-273-0113 Phone
> CNS - Network Services     352-392-2061 CNS Phone Tree
> University of Florida      352-273-0743 FAX
> Florida Lambda Rail        352-294-3571 FLR NOC
> Gainesville, FL 32611      321-663-0421 Cell

Re: OT: Question/Netflix issues?
So did anyone get a root cause?

-Hammer-

I was a normal American nerd.
-Jack Herer

On Wed, Mar 23, 2011 at 12:05 AM, Roger Marquis marq...@roble.com wrote:
> A probable case of outsourcing core business functionality without a fully tested plan B...
>
> http://www.computerworlduk.com/news/cloud-computing/3250260/netflix-switches-to-amazon-web-services-to-save-money/
> http://blog.reddit.com/2011/03/why-reddit-was-down-for-6-of-last-24.html
> http://www.reddit.com/r/blog/comments/g66f0/why_reddit_was_down_for_6_of_the_last_24_hours/c1l6ykx
>
> Roger Marquis
>
> We're sorry, the Netflix website and the ability to instantly watch movies are both temporarily unavailable. However, our shipping centers are continuing to send and receive DVDs so your order is in process as usual. Our engineers are working hard to bring the site and ability to watch instantly back up as soon as possible. We appreciate your patience and, again, we apologize for any inconvenience this may cause. If you need further assistance, please call us at 1-877-445-6064.

Power issues at SAVVIS DC3 yesterday?
We saw multiple 110V power feeds drop simultaneously yesterday at SAVVIS DC3, around 10am EDT. Anyone else have an issue, or is someone just playing with our breakers? We didn't lose any of our 208V. -cjp
Re: Power issues at SAVVIS DC3 yesterday?
On Wed, 23 Mar 2011, Christopher Pilkington wrote:
> We saw multiple 110V power feeds drop simultaneously yesterday at SAVVIS DC3, around 10am EDT. Anyone else have an issue, or is someone just playing with our breakers? We didn't lose any of our 208V.

Usually Savvis sends an announcement to all datacenter customers when something like this occurs, and posts it on the portal as well. I don't see anything today (but then, we're not in DC3 either.)

Definitely open a ticket and hound them for a resolution on it if you didn't get a notification.

--
Jameel Akari

Internet Activity in Libya measured by looking at unsolicited traffic
Dear colleagues, Amidst the recent political unrest in the Middle East, researchers have observed significant changes in Internet traffic and connectivity. In this new article on RIPE Labs, Emile Aben from the RIPE NCC in collaboration with CAIDA, tapped into a previously unused source of data: unsolicited Internet traffic arriving from Libya. http://labs.ripe.net/Members/emileaben/unsolicited-internet-traffic-from-libya Kind Regards, Mirjam Kuehne RIPE NCC
Re: Creating an IPv6 addressing plan for end users
Hi,

I saw your document Preparing an IPv6 Addressing Plan after its URL was posted to NANOG. I have one small comment that perhaps you would consider in future revisions:

The use of decimal numbers coded in hexadecimal is introduced in section 3.2, Direct Link Between IPv4 and IPv6 Addresses, without discussion. It's also implicit in section 4.9 when encoding decimal VLAN numbers in hexadecimal address ranges.

My opinion is that this may be a source of confusion, and should be explicitly described somewhere before section 3.2, as a deliberate implementation choice that makes it easier for human operators to configure and recognize deliberately-chosen mappings between decimals in IPv4 addresses and integers and corresponding fields in hexadecimal address ranges. Without an explicit discussion, this point may be missed by some readers -- especially since this is a training document. Just my opinion!

I'm also curious as to whether this describes the way the world has already settled on, or whether this is a novel, controversial, or only-occasionally-observed technique. I see that RFC 5963 - IPv6 Deployment in Internet Exchange Points (IXPs) of August 2010 does mention BCD encoding of both ASNs and IPV4 digits, so I guess it's not that novel.

-----Original Message-----
From: Nathalie Trenaman [mailto:natha...@ripe.net]
Sent: Wednesday, March 16, 2011 5:05 AM
To: nanog@nanog.org
Subject: Creating an IPv6 addressing plan for end users

Hi all,

In our IPv6 courses, we often get the question: I give my customers a /48 (or a /56 or a /52) but they have no idea how to distribute that space in their network. In December Sander Steffann and Surfnet wrote a manual explaining exactly that, in clear language with nice graphics. A very useful document but it was in Dutch, so RIPE NCC decided to translate that document to English. Yesterday, we have published that document on our website and we hope this document is able to take away some of the fear that end users seem to have for these huge blocks.

You can find this document here: http://bit.ly/IPv6addrplan (PDF)

I look forward to your feedback, tips and comments.

With kind regards,
Nathalie Trenaman
RIPE NCC Trainer

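The convention raised in the message above, decimal numbers written as hexadecimal digits inside an IPv6 address, worked through as an added example (it is not part of the original post or of the RIPE NCC document). The `2001:db8:abcd::/48` site prefix, the function names, and the layout (fourth group for the VLAN, interface ID for the IPv4 octets) are assumptions made for illustration.

```python
import ipaddress

def dec_as_hex(n, digits=4):
    """Field value whose hex digits spell decimal n, e.g. 1234 -> 0x1234."""
    if not 0 <= n < 10 ** digits:
        raise ValueError(f"{n} does not fit in {digits} decimal digits")
    return int(str(n), 16)

def hex_as_dec(field):
    """Inverse of dec_as_hex; a field containing a-f was not decimal-coded."""
    text = format(field, "x")
    if not text.isdigit():
        raise ValueError(f"0x{text} is not a decimal-coded field")
    return int(text)

def vlan_subnet(site, vlan, decimal_coded=True):
    """/64 for a VLAN inside a /48 (assumed layout: fourth group = VLAN)."""
    net = ipaddress.IPv6Network(site)
    if net.prefixlen != 48:
        raise ValueError("this example assumes a /48 site prefix")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    field = dec_as_hex(vlan) if decimal_coded else vlan
    return ipaddress.IPv6Network((int(net.network_address) | (field << 64), 64))

def host_from_ipv4(subnet, ipv4):
    """Address whose last four groups spell the IPv4 octets in decimal."""
    iid = 0
    for octet in ipaddress.IPv4Address(ipv4).packed:
        iid = (iid << 16) | dec_as_hex(octet)
    return subnet[iid]

def read_back(addr):
    """Recover (vlan, ipv4) from an address built by the functions above."""
    value = int(ipaddress.IPv6Address(addr))
    groups = [(value >> shift) & 0xFFFF for shift in range(112, -1, -16)]
    vlan = hex_as_dec(groups[3])
    octets = [hex_as_dec(g) for g in groups[4:]]
    if any(o > 255 for o in octets):
        raise ValueError("group is decimal-coded but not a valid IPv4 octet")
    return vlan, ".".join(str(o) for o in octets)

SITE = "2001:db8:abcd::/48"  # constructed sample prefix (documentation range)

if __name__ == "__main__":
    coded = vlan_subnet(SITE, 1234)                       # VLAN readable as-is
    plain = vlan_subnet(SITE, 1234, decimal_coded=False)  # true hex integer
    print(coded, plain)
    host = host_from_ipv4(coded, "192.0.2.123")
    print(host, read_back(host))
```

An operator reading `:4d2:` in an ACL or log has to convert it to find VLAN 1234, while `:1234:` reads directly; the cost is that the field's numeric value is then 0x1234 (4660), which matters to any tooling that treats the group as an integer.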
Internet Society’s Next Generation Leaders program
All -

Please see below. If you know someone who would benefit from this program, and who meets the requirements outlined, please forward this on. If you'd like a copy of the text in French let me know and I'll send you text.

- Lucy

From r...@isoc.org Mon Mar 14 09:18:35 2011
Date: Mon, 14 Mar 2011 16:55:20 +0100
From: Gerard Ross r...@isoc.org
Subject: Applications now open - Next Generation Leaders eLearning programme “Shaping the Internet – History and Futures”

Applications now open - Next Generation Leaders eLearning programme “Shaping the Internet – History and Futures” (English)

Applications are now open for the Internet Society’s Next Generation Leaders (NGL) eLearning programme “Shaping the Internet – History and Futures”.

http://www.diplomacy.edu/registration/Register.aspx?IDprogramme=5601a517-757e-4320-8ae0-b2631a76765e

The Internet Society is pleased to call for applications from talented individuals seeking to join the new generation of Internet leaders, who will address the critical technology, policy, business, and education challenges that lie ahead.

Following the successful launch of the programme last year, in 2011 the Internet Society is offering concurrent classes in English and French. Both classes will start in the week of 16 May 2011.

The course, “Shaping the Internet – History and Futures”, is delivered by the DiploFoundation through their eLearning platform and learning methodology and features weekly online discussions of the course materials, moderated by a tutor and an expert facilitator.

The NGL programme is designed to advance the careers of individuals who have the potential to become local, regional, and international leaders within the Internet technology, policy, and governance communities. The curriculum empowers participants to share their particular expertise with colleagues while acquiring knowledge in areas outside of their specialties.

Places in the eLearning course are strictly limited, so all applications will be subject to a thorough selection process.

* The deadline for applications is 8 April 2011. *

The Programme
-------------

The programme offers 20-25 places in each class for professionals from diverse stakeholder backgrounds in the fields of Internet technology, governance, and policy. Both courses are open to individuals from around the world. The programme will be conducted entirely online.

The programme includes four thematic parts, which take place over six months during 2011 (May to October, with an exam in the first week of November):

- The History of the Internet - Technical Background - Internet Standards and Technology - Internet Governance and Policy - Emerging issues – Studies in Internet Policies, Processes and Diplomacy

Learning activities take place in an online classroom and include analysis of course materials, interactive group discussions using a variety of communication tools, assignments, and exams. Successful participants will receive a certificate of completion of the programme.

Languages
---------

Course materials and moderated online discussions for each course are in English and French, respectively.

Target Audience
---------------

The project is designed for Internet Society members from academia, the public sector, technology industries, and civil society who are committed to the ongoing expansion of an open, sustainable Internet.

Applications from the following categories of individuals from both developed and developing countries are encouraged:

- officials in governmental ministries and departments dealing with ICT-related issues (for example, telecommunications, culture, education, foreign affairs, justice)
- officials in regulatory authorities or institutions dealing with Information Society, Internet, and ICT-related issues
- postgraduate students and researchers (for example, telecommunications, electrical engineering, law, economics, development studies, sociology)
- engineers in the Internet field
- civil society activists in the Internet field
- journalists covering Internet-related issues
- business people in the Internet field (for example, those managing ISPs or involved in software development).

Timeline
--------

- 14 March: 2011 Call for Applications begins
- 8 April: 2011 Call for Applications ends
- 28 April: Selection Results released
- 16 May: Online classes commence

Requirements
------------

Applicants are required to have:

- met the age requirement (20-40 years old)
- a basic awareness of, and interest in, Internet-related issues
- knowledge and experience of the multi-stakeholder approach in international affairs
- a professional background and relevant work or academic experience in the Internet field
- member status in ISOC
- fluency in English or French
- good writing

Re: OT: Question/Netflix issues?
Lyndon Nerenberg (VE6BBM/VE7TFX) lyn...@orthanc.ca wrote:
> Guess that move to Amazon EC2 wasn't such a good idea. First reddit, now netflix.
>
> http://techblog.netflix.com/2010/12/four-reasons-we-choose-amazons-cloud-as.html
>
> FWIW, at $DAYJOB we haven't been able to run out a pool of a couple of dozen EC2 instances for more than two weeks (since last June) without at least one of them going down. The same number of hardware servers we ran ourselves in Peer1 ran for a couple of years with no unplanned outages. Amortized over five years, Peer1 colo + hardware is also cheaper than the equivalent EC2 cost.
>
> Hey everyone! Join the cloud, and stand in the pissing rain.
>
> --lyndon

Interesting, because we run 120 with almost no issues whatsoever (3 failures over the past 12 months, none of which caused downtime). I've never had an EBS volume fail in the 18 months we've used them. IMHO, the issues with the cloud are almost always at a layer above the infrastructure.

--L

route-views.saopaulo.routeviews.org is up and running
We announced on the PTTMetro list yesterday. http://www.routeviews.org/saopaulo.html If there is anyone else on PTTMetro who can share full tables, we would love to work with you on that. [ Also reminders: route-views.sydney.routeviews.org is running at EQIX SYD1. And we have the V6 interface available now at PAIX. Interface specifics at: http://www.peeringdb.com/view.php?asn=6447 ] Thanks, --- John Kemp (k...@routeviews.org) RouteViews Engineer NOC: h...@routeviews.org http://www.routeviews.org
Re: OT: Question/Netflix issues?
On 03/23/2011 09:41 AM, sillywiz...@rs4668.com wrote:
> Lyndon Nerenberg (VE6BBM/VE7TFX) lyn...@orthanc.ca wrote:
> > Guess that move to Amazon EC2 wasn't such a good idea. First reddit, now netflix.
> >
> > http://techblog.netflix.com/2010/12/four-reasons-we-choose-amazons-cloud-as.html
> >
> > FWIW, at $DAYJOB we haven't been able to run out a pool of a couple of dozen EC2 instances for more than two weeks (since last June) without at least one of them going down. The same number of hardware servers we ran ourselves in Peer1 ran for a couple of years with no unplanned outages. Amortized over five years, Peer1 colo + hardware is also cheaper than the equivalent EC2 cost.
> >
> > Hey everyone! Join the cloud, and stand in the pissing rain.
> >
> > --lyndon
>
> Interesting, because we run 120 with almost no issues whatsoever (3 failures over the past 12 months, none of which caused downtime). I've never had an EBS volume fail in the 18 months we've used them. IMHO, the issues with the cloud are almost always at a layer above the infrastructure.
>
> --L

Reddit has routinely had EBS volumes either outright fail (2 major outages in the last month/month and a half, both caused by several EBSs vanishing), or show some not insignificant degradation in performance, and it seems barely a month goes by when I don't hear someone on twitter talking about similar with their infrastructures. Most of the problems I've heard about do seem to revolve around EBS, however, rather than their other services.

It may be just the nature of people to pick on and shout about the biggest targets, but I'm reasonably sure almost all the problems I hear about relating to cloud services revolve around Amazon and rarely their competitors.

http://highscalability.com/blog/2010/12/20/netflix-use-less-chatty-protocols-in-the-cloud-plus-26-fixes.html

When it comes to other layers in the infrastructure probably one of the most talked about problems is network latency between instances. Netflix had to specifically re-engineer their platform because of it (and other major users talk of similar changes). There is almost certainly an argument to be made that the outcome of the forced re-engineering is a good thing as it's generally boosting resilience, but that it's been forced on them in such a way surely should also be of some cause for concern also.

Reddit seem to be working hard to make their platform as resilient as possible to their routine problems caused by the infrastructure. One of their outgoing devs gave a pretty interesting read on the problems they'd experience with Amazon:

http://www.reddit.com/r/blog/comments/g66f0/why_reddit_was_down_for_6_of_the_last_24_hours/c1l6ykx

I absolutely do think cloud hosting / virtual servers have value and use and shouldn't be underestimated or written off as a fad, but I'm also not entirely convinced at the moment that Amazon is a vendor to particularly trust with such services, I'd probably also argue that anyone keeping their eggs in one basket and relying on a single vendor for such services is taking a significant risk. There are plenty of tools and libraries out there to help provide a standard API for rolling out servers on different platforms. It seems crazy not to take advantage of the flexibility the cloud offers to remove as many SPOFs as possible.

Paul

The state-level attack on the SSL CA security model
To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security.

Essentially a state somewhere between Iraq and Pakistan snatched valid certs for:
- mail.google.com
- www.google.com
- login.yahoo.com
- login.skype.com
- addons.mozilla.org
- login.live.com
- global trustee

https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
http://www.imperialviolet.org/2011/03/18/revocation.html (on epic failure of cert revocation lists implementations in browsers, failing open (!))
http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/
http://www.microsoft.com/technet/security/advisory/2524375.mspx

For over a week users of browsers, and the internet at large, were/was not informed by COMODO that their security was compromised. Why not is beyond many of us.

Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less.

Conclusion: protecting people must not be a priority in the SSL CA model.

In some places, failure of internet security means people die, and it is high time to start serious work to replace this time-and-time again proven flawed model with something that, at the very least, does not fail this tragically. DNSSEC is a good but insufficient start in this particular case.

Regards,
Martin

Re: The state-level attack on the SSL CA security model
On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote:
> Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less.

An argument against doing this prior to fixes being available is that miscreants who didn't know about this previously would be alerted to the possibility of using one of these certs (assuming they could get their hands on one) in conjunction with name resolution manipulation.

Note that announcing this prior to fixes would've dramatically increased the resale value of these certificates in the underground economy, making them much more attractive/lucrative.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.
-- Oscar Wilde