Re: Wire-rate Packet Capture on 10gbE

2011-05-02 Thread Arien Vijn

On 29 Apr 2011 (18), at 3:59 PM, Attilla de Groot wrote:

 
 On Apr 29, 2011, at 3:55 PM, Kyle Creyts wrote:
 
 How is this being done? I've looked at PF_RING and TNAPI... is
 there anything better out there?
 
 http://events.ccc.de/congress/2006/Fahrplan/attachments/1225-23c3-slides-av.pdf
 
 That should give you some answers. :-)

The paper that I wrote for this talk might give you a bit more information than 
just the slides:

http://events.ccc.de/congress/2006/Fahrplan/attachments/1153-23C3_ArienVijn.pdf

This solution filters at full line rate. I am happy to tell more if you are 
interested.

-- Arien







Re: How do you put a TV station on the Mbone?

2011-05-02 Thread David Sparro

On 4/29/2011 8:57 PM, Robert Bonomi wrote:

> Those royalties are based on the _actual_number_ of persons
> tuning in to each such work.  No 'averaging', no 'estimating', nothing
> based on 'ratings', or other 'sampling techniques' -- you have to count
> the _actual_number_ of people tuned in.  It gets messy, but you have to
> have 'auditable' records of when each person 'tuned in', and when they
> 'tuned out'.  One _has_ to be able to detect the latter condition under
> all possible circumstances.


Really?  How do they detect the number of people that were gathered 
around my screen while I was watching?
Does that mean I'll be able to get a refund (pro-rated of course) for 
falling asleep during UFC 129 this weekend?


--
Dave



Bright House residential IPv6

2011-05-02 Thread Thomas York
I'm a new Bright House residential customer and I have their new 40/5
'Lightning' service, which is rumored to have free native IPv6. I've called
them, but of course no one I talked to knew anything about IPv6. Do any of
you have this service and have native? If you do, what did you do to get it
activated for your line?

 

 

Thomas York





trouble with .gov dns?

2011-05-02 Thread William Herrin
Hi Folks,

Anyone else having trouble with .gov DNS failing with edns-udp-size set to 512?

Here's what I'm seeing:

No edns-udp-size setting.
tcpdump -n -s 0 -vv -i eth1 host 209.112.123.30 or host 69.36.157.30
nslookup www.nsf.gov 127.0.0.1

11:42:36.574916 IP (tos 0x0, ttl 64, id 21833, offset 0, flags [none],
proto UDP (17), length 68) 71.246.241.146.10399 > 69.36.157.30.53:
[udp sum ok] 56983 [1au] A? www.nsf.gov. ar: . OPT UDPsize=4096 OK
(40)
11:42:36.659636 IP (tos 0x0, ttl 249, id 54334, offset 0, flags
[none], proto UDP (17), length 598) 69.36.157.30.53 >
71.246.241.146.10399: [udp sum ok] 56983- q: A? www.nsf.gov. 0/7/5 ns:
nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS
cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov.
DS, nsf.gov. RRSIG ar: swirl.nsf.gov. A 198.181.231.15, whirl.nsf.gov.
A 198.181.231.16, cyclone.nsf.gov. A 204.14.134.227, twister.nsf.gov.
A 198.181.231.17, . OPT UDPsize=1472 (570)

edns-udp-size 512
tcpdump -n -s 0 -vv -i eth1 host 209.112.123.30 or host 69.36.157.30
nslookup www.nsf.gov 127.0.0.1
11:53:01.604105 IP (tos 0x0, ttl 64, id 21834, offset 0, flags [none],
proto UDP (17), length 68) 71.246.241.146.58103 > 69.36.157.30.53:
[udp sum ok] 10320 [1au] A? www.nsf.gov. ar: . OPT UDPsize=512 OK (40)
11:53:01.690414 IP (tos 0x0, ttl 249, id 28744, offset 0, flags
[none], proto UDP (17), length 534) 69.36.157.30.53 >
71.246.241.146.58103: [udp sum ok] 10320- q: A? www.nsf.gov. 0/7/1 ns:
nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS
cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov.
DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (506)
11:53:01.695000 IP (tos 0x0, ttl 64, id 20662, offset 0, flags [none],
proto UDP (17), length 70) 71.246.241.146.23911 > 209.112.123.30.53:
[udp sum ok] 18982% [1au] A? whirl.nsf.gov. ar: . OPT UDPsize=512 OK
(42)
11:53:01.695489 IP (tos 0x0, ttl 64, id 20663, offset 0, flags [none],
proto UDP (17), length 70) 71.246.241.146.63892 > 209.112.123.30.53:
[udp sum ok] 3675% [1au] ? whirl.nsf.gov. ar: . OPT UDPsize=512 OK
(42)
11:53:01.695931 IP (tos 0x0, ttl 64, id 20664, offset 0, flags [none],
proto UDP (17), length 70) 71.246.241.146.37019 > 209.112.123.30.53:
[udp sum ok] 36777% [1au] A? swirl.nsf.gov. ar: . OPT UDPsize=512 OK
(42)
11:53:01.696274 IP (tos 0x0, ttl 64, id 20665, offset 0, flags [none],
proto UDP (17), length 70) 71.246.241.146.15021 > 209.112.123.30.53:
[udp sum ok] 13755% [1au] ? swirl.nsf.gov. ar: . OPT UDPsize=512
OK (42)
11:53:01.696653 IP (tos 0x0, ttl 64, id 20666, offset 0, flags [none],
proto UDP (17), length 72) 71.246.241.146.38082 > 209.112.123.30.53:
[udp sum ok] 14449% [1au] A? cyclone.nsf.gov. ar: . OPT UDPsize=512 OK
(44)
11:53:01.697045 IP (tos 0x0, ttl 64, id 20667, offset 0, flags [none],
proto UDP (17), length 72) 71.246.241.146.28219 > 209.112.123.30.53:
[udp sum ok] 38858% [1au] ? cyclone.nsf.gov. ar: . OPT UDPsize=512
OK (44)
11:53:01.699294 IP (tos 0x0, ttl 64, id 20668, offset 0, flags [none],
proto UDP (17), length 72) 71.246.241.146.50745 > 209.112.123.30.53:
[udp sum ok] 53248% [1au] A? twister.nsf.gov. ar: . OPT UDPsize=512 OK
(44)
11:53:01.700257 IP (tos 0x0, ttl 64, id 20669, offset 0, flags [none],
proto UDP (17), length 72) 71.246.241.146.21482 > 209.112.123.30.53:
[udp sum ok] 56185% [1au] ? twister.nsf.gov. ar: . OPT UDPsize=512
OK (44)
11:53:01.780833 IP (tos 0x0, ttl 251, id 9453, offset 0, flags [none],
proto UDP (17), length 536) 209.112.123.30.53 > 71.246.241.146.23911:
[udp sum ok] 18982- q: A? whirl.nsf.gov. 0/7/1 ns: nsf.gov. NS
swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS
cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov.
DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.781284 IP (tos 0x0, ttl 251, id 24142, offset 0, flags
[none], proto UDP (17), length 536) 209.112.123.30.53 >
71.246.241.146.63892: [udp sum ok] 3675- q: ? whirl.nsf.gov. 0/7/1
ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov.
NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS,
nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.781999 IP (tos 0x0, ttl 251, id 9454, offset 0, flags [none],
proto UDP (17), length 536) 209.112.123.30.53 > 71.246.241.146.37019:
[udp sum ok] 36777- q: A? swirl.nsf.gov. 0/7/1 ns: nsf.gov. NS
swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov., nsf.gov. NS
cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov. DS, nsf.gov.
DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.782136 IP (tos 0x0, ttl 251, id 24143, offset 0, flags
[none], proto UDP (17), length 536) 209.112.123.30.53 >
71.246.241.146.15021: [udp sum ok] 13755- q: ? swirl.nsf.gov.
0/7/1 ns: nsf.gov. NS swirl.nsf.gov., nsf.gov. NS whirl.nsf.gov.,
nsf.gov. NS cyclone.nsf.gov., nsf.gov. NS twister.nsf.gov., nsf.gov.
DS, nsf.gov. DS, nsf.gov. RRSIG ar: . OPT UDPsize=1472 (508)
11:53:01.782552 IP (tos 0x0, ttl 251, id 9455, offset 0, flags [none],
proto UDP (17), length 

Re: trouble with .gov dns?

2011-05-02 Thread Florian Weimer
* William Herrin:

 Anyone else having trouble with .gov DNS failing with edns-udp-size
 set to 512?

You need an UDP size of at least 1220 for DNSSEC, see RFC 3226,
section 3.  A query that advertises a smaller buffer size is
non-compliant.  BIND will send such queries, but this is a
controversial feature.

This has been noted before, for example:

From: Mark Andrews ma...@isc.org
Subject: [dnsext] Failure to add glue MUST cause TC to be set.
To: dns...@ietf.org
Date: Sun, 20 Feb 2011 08:07:15 +1100
Message-Id: 20110219210716.72943a56...@drugs.dv.isc.org



Re: trouble with .gov dns?

2011-05-02 Thread William Herrin
On Mon, May 2, 2011 at 1:13 PM, Florian Weimer f...@deneb.enyo.de wrote:
 * William Herrin:
 Anyone else having trouble with .gov DNS failing with edns-udp-size
 set to 512?

 You need an UDP size of at least 1220 for DNSSEC, see RFC 3226,
 section 3.  A query that advertises a smaller buffer size is
 non-compliant.  BIND will send such queries, but this is a
 controversial feature.

Hi Florian,

I have dnssec-enable no; in my bind config. Were you able to
determine from the tcpdump output that DNSSEC was being requested?
How?

Thanks,
Bill Herrin



-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: trouble with .gov dns?

2011-05-02 Thread Florian Weimer
* William Herrin:

 On Mon, May 2, 2011 at 1:13 PM, Florian Weimer f...@deneb.enyo.de wrote:
 * William Herrin:
 Anyone else having trouble with .gov DNS failing with edns-udp-size
 set to 512?

 You need an UDP size of at least 1220 for DNSSEC, see RFC 3226,
 section 3.  A query that advertises a smaller buffer size is
 non-compliant.  BIND will send such queries, but this is a
 controversial feature.

 I have dnssec-enable no; in my bind config.

It does not seem to have the intended effect.

 Were you able to determine from the tcpdump output that DNSSEC was
 being requested?

[udp sum ok] 10320 [1au] A? www.nsf.gov. ar: . OPT UDPsize=512 OK (40)
11:53:01.690414 IP (tos 0x0, ttl 249, id 28744, offset 0, flags

OK means that DO=1 was set.



Re: trouble with .gov dns?

2011-05-02 Thread William Herrin
On Mon, May 2, 2011 at 1:31 PM, Florian Weimer f...@deneb.enyo.de wrote:
 * William Herrin:

 On Mon, May 2, 2011 at 1:13 PM, Florian Weimer f...@deneb.enyo.de wrote:
 * William Herrin:
 Anyone else having trouble with .gov DNS failing with edns-udp-size
 set to 512?

 You need an UDP size of at least 1220 for DNSSEC, see RFC 3226,
 section 3.  A query that advertises a smaller buffer size is
 non-compliant.  BIND will send such queries, but this is a
 controversial feature.

 I have dnssec-enable no; in my bind config.

 It does not seem to have the intended effect.

Hmm. You're right. Bind won't disable DNSSEC unless you turn edns off
completely with:

server 0.0.0.0/0 {
  edns no;
};

Thanks for the info!

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
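
Added example, not part of any poster's message: a Python check that parses a DNS query, reads the EDNS OPT record, and compares the advertised UDP size and DO bit against the 1220-byte minimum from RFC 3226, section 3, cited above. The function names and the third sample's query ID are assumptions; the first two samples are rebuilt from the fields visible in the tcpdump output, and the third has no OPT record, which is what `edns no;` produces.

```python
"""EDNS audit for DNS queries: advertised UDP size and DO bit (added example)."""
import struct

TYPE_OPT = 41            # EDNS0 OPT pseudo-RR
DO_FLAG = 0x8000         # "DNSSEC OK" bit inside the OPT TTL field
RFC3226_MIN_UDP = 1220   # minimum buffer a DO=1 requester must advertise


def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, udp_size=None, do_bit=False):
    """Build an A/IN query; udp_size=None means no OPT record (plain DNS)."""
    arcount = 0 if udp_size is None else 1
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if udp_size is not None:
        # OPT RR: root owner name, TYPE=41, CLASS=UDP size, TTL=flags, RDLEN=0
        ttl = DO_FLAG if do_bit else 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return msg


def read_name(msg, off):
    """Return (name, offset after the name), following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_edns(msg):
    """Extract the question name and EDNS parameters from a DNS message."""
    try:
        qid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        off, qname = 12, None
        for _ in range(qd):
            name, off = read_name(msg, off)
            qname = qname or name
            off += 4                      # skip QTYPE and QCLASS
        info = {"id": qid, "qname": qname, "edns": False,
                "udp_size": 512, "do": False}
        for _ in range(an + ns + ar):
            _, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                info.update(edns=True, udp_size=rclass, do=bool(ttl & DO_FLAG))
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed DNS message") from exc
    return info


def classify(msg):
    """Label a query by what it tells the server about DNSSEC and size."""
    info = parse_edns(msg)
    if not info["edns"]:
        return "plain-dns"                # no OPT: 512-byte limit, no DO bit
    if not info["do"]:
        return "edns-no-do"
    if info["udp_size"] < RFC3226_MIN_UDP:
        return "do-with-small-buffer"     # the combination seen with size 512
    return "do-ok"


# Constructed samples; IDs 56983 and 10320 and the sizes come from the capture.
SAMPLES = {
    "default": build_query(56983, "www.nsf.gov", 4096, True),
    "edns-udp-size 512": build_query(10320, "www.nsf.gov", 512, True),
    "edns no": build_query(4660, "www.nsf.gov"),
}

if __name__ == "__main__":
    for label, wire in SAMPLES.items():
        info = parse_edns(wire)
        print(f"{label:18} len={len(wire)} size={info['udp_size']} "
              f"DO={int(info['do'])} -> {classify(wire)}")
```
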



Suspecious anycast prefixes

2011-05-02 Thread Yaoqing(Joey) Liu
Hi all,

I found the following prefixes are often originated by many ASNs more than
five, wonder if they provide global anycast service, if so what specific
service they provide?

12.64.255.0/24
70.37.135.0/24
198.32.176.0/24
199.7.49.0/24
199.7.80.0/24
199.16.93.0/24
199.16.94.0/24
199.16.95.0/24
206.223.115.0/24

Thanks,
Yaoqing


Re: How do you put a TV station on the Mbone?

2011-05-02 Thread Robert Bonomi

 Date: Mon, 02 May 2011 10:11:34 -0400
 From: David Sparro dspa...@gmail.com
 Subject: Re: How do you put a TV station on the Mbone?

 On 4/29/2011 8:57 PM, Robert Bonomi wrote:
  Those royalties are based on the _actual_number_ of persons
  tuning in to each such work.  No 'averaging', no 'estimating', nothing
  based on 'ratings', or other 'sampling techniques' -- you have to count
  the _actual_number_ of people tuned in.  It gets messy, but you have to
  have 'auditable' records of when each person 'tuned in', and when they
  'tuned out'.  One _has_ to be able to detect the latter condition under
  all possible circumstances.

 Really?  

Yeah, _really_.  That is what the law says.

   How do they detect the number of people that were gathered 
 around my screen while I was watching?
 Does that mean I'll be able to get a refund (pro-rated of course) for 
 falling asleep during UFC 129 this weekend?

There is an 'assumption' built into the applicable implementation rules
issued by the government that 'one active display device' == 'one viewer'.

How close that  assumption is to 'objective reality' is irrelevant to
the legalities involved in calculating royalties due.




RE: Suspecious anycast prefixes

2011-05-02 Thread Stefan Fouant
 -Original Message-
 From: Yaoqing(Joey) Liu [mailto:joey.li...@gmail.com]
 Sent: Monday, May 02, 2011 2:17 PM
 To: nanog@nanog.org
 Subject: Suspecious anycast prefixes
 
 Hi all,
 
 I found the following prefixes are often originated by many ASNs more than
 five, wonder if they provide global anycast service, if so what specific
 service they provide?
 
 12.64.255.0/24
 70.37.135.0/24
 198.32.176.0/24
 199.7.49.0/24
 199.7.80.0/24
 199.16.93.0/24
 199.16.94.0/24
 199.16.95.0/24
 206.223.115.0/24

Most of those are for Verisign's DNS resolution services.  Definitely
nothing to be suspicious about here.  Move along.  These aren't the droids
you are looking for.

Stefan Fouant





Re: How do you put a TV station on the Mbone?

2011-05-02 Thread Patrick W. Gilmore
On Apr 29, 2011, at 8:46 PM, Jared Mauch wrote:

 I think this is sadly the truth.  There are some problems that can be solved 
 by multicast, but I've seen the number of customer requests for v4 multicast 
 go by the wayside over the years.  The only people that are generally 
 interested are the conference venues for technical things, e.g.: RIPE, 
 ARIN/NANOG, APRICOT, etc.  
 
 Plus, conferences like NANOG have beamed the video back to some other site 
 for fanout as well, for both unicast and multicast.
 
 The problems at Layer7 and below are solvable with market forces.  They're 
 all 8/9 issues, about the content providers wanting to be 
 paid-per-subscriber/viewer.  They don't want to know how few people are 
 actually tuned in at that moment in some cases.  I'm sure they want to be 
 paid some fraction of that cost that goes to your TV Transport conduit 
 provider.

I'm not at all certain that this is a political problem.  I believe it is more 
of a user need / want problem (which I guess you could classify as layer > 7 
if you want).

The occasional large live event - and when I say occasional, I mean not a few 
per year - likely could be helped if there were a magic wand to wave which made 
multicast work for no CapEx or OpEx and perfectly billed.  But the vast 
majority of traffic cannot be served by multi-cast.

The real cost of multi-cast (when it works at all!) may be too great for the 
small benefit, even ignoring the billing mechanism.

People's proclivities change.  As a vendor / supplier / company who gets paid, 
we have to adjust to the wishes of the people paying us as best we can.  Or 
someone else will.

-- 
TTFN,
patrick




Re: How do you put a TV station on the Mbone?

2011-05-02 Thread Leo Bicknell
In a message written on Mon, May 02, 2011 at 02:53:35PM -0400, Patrick W. 
Gilmore wrote:
 I'm not at all certain that this is a political problem.  I believe it is 
 more of a user need / want problem (which I guess you could classify as 
 layer > 7 if you want).

The users don't care if the content arrives via unicast, multicast,
ipv4, ipv6, or any other method.  They just care when they click
on the link that it works.

I think the multicast issues have been largely discovered and solved
in small to medium deployments, but for some reason there is no
desire to work on them at Internet scale.

In small deployments the multicast is treated as unidirectional, with a
small number of fixed sources and lots of receivers.  This takes out a
lot of technical obstacles to any-to-any multicast, and simplifies a lot
of the business relationship issues.  Billing for multicast is seen as
hard for instance, and if anyone can dynamically put up or tear down
sessions I can see how that's true.  But compare to a TV model which has
a fixed, 24x7 broadcaster and it is easy.

It's not a solution to every problem for sure.  However it is a way to
bring 24x7 TV like service to the Internet _very_ efficiently.  I'm sure
sites like cnn.com would rather pay to multicast their traffic to the
end user providers than to build the infrastructure for all the unicast
streams if the service was reliable and offered by all.

How do you get the business people to deal with it though?  With
unicast every new viewer is more traffic, and traffic is a proxy
for revenue.  Is it not the same problem as your electric company
not being incentivised to help you conserve?  Why would companies
who make money selling megabits and gigabits want to give their
largest content customers a way to do things for a fraction of the
cost?

That I think is the real issue.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




Re: Amazon diagnosis

2011-05-02 Thread Jeroen van Aart

Jeff Wheeler wrote:

> IT managers would do well to understand that a few smart programmers,
> who understand how all their tools (web servers, databases,
> filesystems, load-balancers, etc.) actually work, can often do more to


I fully agree.

But much to my dismay and surprise I have learned that developers know 
very little above and beyond their field of interest, say java 
programming. And I bet this is vice versa.


It surprised me because I, perhaps naively, assumed IT workers in 
general have a rather broad knowledge because in general they're 
interested in many aspects of IT, try to find out as much as possible 
and if they do not know something they make an effort learning it. Also 
considering many (practical) things just aren't taught in university, 
which is to be expected since the idea is to develop an academic way of 
thinking.


Maybe this hacker mentality is less prevalent than I, naively, assumed.

So I believe it's just really hard to find someone who is smart and who 
understands all or most of the aspects of IT, i.e. servers, databases, 
file systems, load balancers, networks etc. And it's easier and cheaper 
in the short term to just open a can of insert random IT job and hope 
for the best.


Regards,
Jeroen

--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html



Re: Suspecious anycast prefixes

2011-05-02 Thread Joe Abley

On 2011-05-02, at 21:16, Yaoqing(Joey) Liu wrote:

 I found the following prefixes are often originated by many ASNs more than
 five, wonder if they provide global anycast service, if so what specific
 service they provide?
 
 12.64.255.0/24

CERNET.

 70.37.135.0/24

Microsoft/Hotmail.

 198.32.176.0/24

Yahoo!

 199.7.49.0/24

VeriSign.

 199.7.80.0/24

VeriSign.

 199.16.93.0/24

VeriSign.

 199.16.94.0/24

VeriSign.

 199.16.95.0/24

VeriSign.

 206.223.115.0/24

Yahoo!

These to me are all organisations that might reasonably be distributing 
services using anycast. It's difficult to tell whether all the origin ASes you 
see for those prefixes are legitimate, of course.

It's perhaps worth noting that there is work in the IETF to recommend that 
every prefix originated as part of an anycast cloud uses a unique origin AS 
(see http://tools.ietf.org/html/draft-ietf-grow-unique-origin-as-00). I'm not 
personally convinced of the arguments in the draft, but mentioning it in this 
thread seems reasonable.


Joe
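
Added example, not part of Joe's message or the thread: one way to reproduce the observation that started this thread, counting distinct origin ASes per prefix from a routing-table dump and flagging prefixes with more than five. The `prefix|AS path` input format, the documentation prefixes and ASNs, the function names and the `expected` allowlist are all assumptions constructed for illustration.

```python
"""Flag prefixes announced by many origin ASes (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed table dump: documentation prefixes (RFC 5737) and
# documentation ASNs (RFC 5398). One "prefix|AS path" entry per line.
SAMPLE_RIB = """\
192.0.2.0/24|64510 64496
192.0.2.0/24|64511 64497 64497 64497
192.0.2.0/24|64510 64498
192.0.2.0/24|64511 64499
192.0.2.0/24|64510 64500
192.0.2.0/24|64511 64510 64501
198.51.100.0/24|64510 64502
198.51.100.0/24|64511 64503
203.0.113.0/24|64510 64496
203.0.113.0/24|64510 64497
203.0.113.0/24|64511 64498
203.0.113.0/24|64511 64499
203.0.113.0/24|64510 {64504,64505}
"""


def origin_asns(as_path):
    """Return the origin AS(es) of a path: the last hop, or every member
    of a trailing AS_SET written as {a,b} or {a b}."""
    path = as_path.strip()
    if not path:
        return set()
    if path.endswith("}"):
        members = path[path.rindex("{") + 1:-1]
        return {int(a) for a in re.split(r"[,\s]+", members) if a}
    return {int(path.split()[-1])}   # prepending repeats the same ASN


def collect_origins(rib_text):
    """Map each prefix to the set of origin ASes seen for it."""
    origins = defaultdict(set)
    for line in rib_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, path = line.partition("|")
        net = ipaddress.ip_network(prefix.strip(), strict=True)
        origins[net] |= origin_asns(path)
    return origins


def moas_report(rib_text, threshold=5, expected=None):
    """List prefixes with more than `threshold` origin ASes.

    `expected` optionally maps a prefix string to the set of origin ASes
    its operator is known to use; anything else is listed as unexpected.
    Without an entry, legitimacy cannot be judged and the field is None.
    """
    expected = expected or {}
    report = []
    items = sorted(collect_origins(rib_text).items(),
                   key=lambda kv: (kv[0].version, kv[0]))
    for net, asns in items:
        if len(asns) <= threshold:
            continue
        allowed = expected.get(str(net))
        unexpected = None if allowed is None else sorted(asns - set(allowed))
        report.append({"prefix": str(net),
                       "origins": sorted(asns),
                       "unexpected": unexpected})
    return report


if __name__ == "__main__":
    known = {"192.0.2.0/24": {64496, 64497, 64498, 64499, 64500}}
    for row in moas_report(SAMPLE_RIB, expected=known):
        print(row)
```
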


Re: Amazon diagnosis

2011-05-02 Thread Valdis . Kletnieks
On Mon, 02 May 2011 12:27:34 PDT, Jeroen van Aart said:

 It surprised me because I, perhaps naively, assumed IT workers in 
 general have a rather broad knowledge

No, the average IT worker is always a mere 3 keystrokes away from getting their
latest creation listed on www.thedailywtf.com. They're lucky they can manage to
get stuff done in their own area of competency, much less develop broad
knowledge.

Sorry to break it to you.




Re: Amazon diagnosis

2011-05-02 Thread Paul Graydon

On 05/02/2011 09:27 AM, Jeroen van Aart wrote:

> Jeff Wheeler wrote:
>
>> IT managers would do well to understand that a few smart programmers,
>> who understand how all their tools (web servers, databases,
>> filesystems, load-balancers, etc.) actually work, can often do more to
>
> I fully agree.
>
> But much to my dismay and surprise I have learned that developers know 
> very little above and beyond their field of interest, say java 
> programming. And I bet this is vice versa.
>
> It surprised me because I, perhaps naively, assumed IT workers in 
> general have a rather broad knowledge because in general they're 
> interested in many aspects of IT, try to find out as much as possible 
> and if they do not know something they make an effort learning it. 
> Also considering many (practical) things just aren't taught in 
> university, which is to be expected since the idea is to develop an 
> academic way of thinking.


  I work with a bunch of developers, we're a primarily java based 
company, but I've got more than enough on my plate trying to keep up 
with everything practical as a sysadmin, from networks to hardware to 
audit needs, to even start to think about adding in Java skills to my 
repertoire!  Especially given I'm the only sysadmin here and our 
infrastructure needs are quite diverse.  I've learned to interpret java 
stack traces that get sent to me 24x7 on our critical mailing list so 
that I can identify whether it is code or infrastructure but that's as far 
as I go with java.  I don't particularly see that I need to either.  I 
strive to work with developers, no 'them vs us' attitudes, no arrogant 
my way or the highway.  I can't conceive why anyone would even 
consider maintaining those kind of attitudes but unfortunately have seen 
them frequently, and it seems so often to be the normal rather than the 
abnormal.
  Programming is not something I'd consider myself to be any good at.  
I'll happily and reasonably competently script stuff in perl, python or 
bash for sysadmin purposes, but I'd never make any pretence at it being 
'good' and well done scripting.  It's just not the way my mind works.  I 
have my specialisms and they have theirs, more productive use of time is 
to work with those who excel at that kind of thing.  Here they don't 
make assumptions about my end of things, and I don't make assumptions 
about theirs.  We ask each other questions, and work together to figure 
out how best to proceed.  Thankfully we're a relatively small enough 
operation that management isn't too much of a burden.


  Smart IT managers, in my book, work to take advantage of all the 
skills that their workers have and provide an efficient framework for 
them to work together.  What it seems we see more often than not are IT 
managers that persist in seeing Sysadmin and Development as 'ops' and 
'dev' separately rather than combined, perpetuating the 'them' vs 'us' 
attitudes rather than throwing them out for the inefficient, financially 
wasteful things they are.


Paul


re: Bright House residential IPv6

2011-05-02 Thread Nick Olsen
Bright House does not provide any IPv6 on any service at this time. It 
looks like they are allocated a prefix from ARIN, but they do not announce 
it. Expect them to be the last to support it.

Nick Olsen
Network Operations (855) FLSPEED  x106


 From: Thomas York strate...@fuhell.com
Sent: Monday, May 02, 2011 10:17 AM
To: nanog@nanog.org
Subject: Bright House residential IPv6

I'm a new Bright House residential customer and I have their new 40/5
'Lightning' service, which is rumored to have free native IPv6. I've called
them, but of course no one I talked to knew anything about IPv6. Do any of
you have this service and have native? If you do, what did you do to get it
activated for your line?

Thomas York




RE: Bright House residential IPv6

2011-05-02 Thread Thomas York
As per an off list topic, I'm in downtown Indianapolis. If anyone has a
residential contact for this region, I'd much appreciate it. Thanks!

Thomas York

-Original Message-
From: Thomas York [mailto:strate...@fuhell.com] 
Sent: Monday, May 02, 2011 10:13 AM
To: nanog@nanog.org
Subject: Bright House residential IPv6

I'm a new Bright House residential customer and I have their new 40/5
'Lightning' service, which is rumored to have free native IPv6. I've called
them, but of course no one I talked to knew anything about IPv6. Do any of
you have this service and have native? If you do, what did you do to get it
activated for your line?

 

 

Thomas York





Re: Amazon diagnosis

2011-05-02 Thread Jeroen van Aart

valdis.kletni...@vt.edu wrote:

> On Mon, 02 May 2011 12:27:34 PDT, Jeroen van Aart said:
>
>> It surprised me because I, perhaps naively, assumed IT workers in 
>> general have a rather broad knowledge
>
> Sorry to break it to you.


That's ok, the past tense in my story testifies to the fact I was 
already aware of it. But thanks. ;-)



Greetings,
Jeroen

--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html



Re: Amazon diagnosis

2011-05-02 Thread George Herbert
On Mon, May 2, 2011 at 2:04 PM, Jeroen van Aart jer...@mompl.net wrote:
 valdis.kletni...@vt.edu wrote:

 On Mon, 02 May 2011 12:27:34 PDT, Jeroen van Aart said:

 It surprised me because I, perhaps naively, assumed IT workers in general
 have a rather broad knowledge

 Sorry to break it to you.

 That's ok, the past tense in my story testifies to the fact I was already
 aware of it. But thanks. ;-)


There was a significant decline in knowledge as the .com era peaked in
the 90s; less CS background required as an entry barrier, the
employment pool grew fast enough that community knowledge
organizations (Usenix, etc) didn't effectively diffuse into the new
community, etc.

The number of people who get computer architecture, ops, clusters,
networking, systems architecture and engineering, etc...  Not good.

Sigh.


-- 
-george william herbert
george.herb...@gmail.com



Re: trouble with .gov dns?

2011-05-02 Thread Tony Finch
Florian Weimer f...@deneb.enyo.de wrote:

  I have dnssec-enable no; in my bind config.

 It does not seem to have the intended effect.

BIND's interpretation of the DO bit is "I understand DNSSEC RRs so it is
OK to send them" not "I would like you to send DNSSEC RRs". This is why it
always sets the DO bit when it can, i.e. when the request contains an EDNS
OPT pseudo-RR.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.



Re: Suspecious anycast prefixes

2011-05-02 Thread Christopher Morrow
On Mon, May 2, 2011 at 3:35 PM, Joe Abley jab...@hopcount.ca wrote:

 On 2011-05-02, at 21:16, Yaoqing(Joey) Liu wrote:

 I found the following prefixes are often originated by many ASNs more than
 five, wonder if they provide global anycast service, if so what specific
 service they provide?

 12.64.255.0/24

 CERNET.

 70.37.135.0/24

 Microsoft/Hotmail.

 198.32.176.0/24

 Yahoo!

as a note, this is bmanning/ep.net exchange space, no? so this could
be just people leaking this into their table/global-table by mistake?



Re: trouble with .gov dns?

2011-05-02 Thread Mark Andrews

In message 878vupuiu0@mid.deneb.enyo.de, Florian Weimer writes:
 * William Herrin:
 
  Anyone else having trouble with .gov DNS failing with edns-udp-size
  set to 512?
 
 You need an UDP size of at least 1220 for DNSSEC, see RFC 3226,
 section 3.  A query that advertises a smaller buffer size is
 non-compliant.  BIND will send such queries, but this is a
 controversial feature.
 
 This has been noted before, for example:
 
 From: Mark Andrews ma...@isc.org
 Subject: [dnsext] Failure to add glue MUST cause TC to be set.
 To: dns...@ietf.org
 Date: Sun, 20 Feb 2011 08:07:15 +1100
 Message-Id: 20110219210716.72943a56...@drugs.dv.isc.org

And nameservers that don't set TC when they can't fit glue are
broken RFC 1034.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Amazon diagnosis

2011-05-02 Thread James Smith
It's always interesting (in a sad way) when a programmer or DBA comes to me 
with a basic networking or Unix question that any CCNA or RedHat candidate 
could answer.  Then I get a very safe feeling about my job security when they 
start asking me if I could look at their code.  This has happened too many 
times in my career.  

People seem to equate broad knowledge to mean you're a 
jack-of-all-trades-and-master-of-none.  These are usually the same Comp Sci 
PhDs that have no clue why they just got fired for saying something totally 
inappropriate in front of HR. 

The more knowledge you have about anything and everything that your systems 
interact with then the better you will be at your specialty.




-Original Message-
From: Jeroen van Aart jer...@mompl.net
Date: Mon, 2 May 2011 19:27:34 
To: nanog@nanog.org
Subject: Re: Amazon diagnosis

Jeff Wheeler wrote:
 IT managers would do well to understand that a few smart programmers,
 who understand how all their tools (web servers, databases,
 filesystems, load-balancers, etc.) actually work, can often do more to

I fully agree.

But much to my dismay and surprise I have learned that developers know 
very little above and beyond their field of interest, say java 
programming. And I bet this is vice versa.

It surprised me because I, perhaps naively, assumed IT workers in 
general have a rather broad knowledge because in general they're 
interested in many aspects of IT, try to find out as much as possible 
and if they do not know something they make an effort learning it. Also 
considering many (practical) things just aren't taught in university, 
which is to be expected since the idea is to develop an academic way of 
thinking.

Maybe this hacker mentality is less prevalent than I, naively, assumed.

So I believe it's just really hard to find someone who is smart and who 
understands all or most of the aspects of IT, i.e. servers, databases, 
file systems, load balancers, networks etc. And it's easier and cheaper 
in the short term to just open a can of insert random IT job and hope 
for the best.

Regards,
Jeroen

-- 
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html



RE: How do you put a TV station on the Mbone?

2011-05-02 Thread George Bonser
 
 I'm not at all certain that this is a political problem.  I believe it
 is more of a user need / want problem (which I guess you could classify
 as layer > 7 if you want).
 
 The occasional large live event - and when I say occasional, I mean
 not a few per year - likely could be helped if there were a magic wand
 to wave which made multicast work for no CapEx or OpEx and perfectly
 billed.  But the vast majority of traffic cannot be served by multi-
 cast.
 
 The real cost of multi-cast (when it works at all!) may be too great
 for the small benefit, even ignoring the billing mechanism.
 
 People's proclivities change.  As a vendor / supplier / company who
 gets paid, we have to adjust to the wishes of the people paying us as
 best we can.  Or someone else will.
 
 --
 TTFN,
 patrick
 

Hi, Patrick.

It takes some coordination but imagine someone like Comcast or
Roadrunner or ATT says hey, want to watch the March Madness games or
the Masters or the Olympics or the World Series?  Here, download this
application and watch it with much better performance than streaming on
a web browser.

They would rather easily know how many customer ports are watching the
broadcast.  As I mentioned earlier, Verizon Wireless already uses it in
their mobile network.  It would take some coordination between the
content providers and the large consumer networks but the benefits would
be pretty substantial for the customers.  So the provider could go to
the cable news network and make an offer to provide live content via
multicast to their subscribers that would not eat a huge amount of
resources for either the content provider or the network provider.

It doesn't make sense for a lot of on-demand access but makes a lot of
sense for live content like radio talk shows, news, sports, etc.  Even
webcams could be upgraded to provide streaming content rather than
individual frames without chewing up a lot of resources. It wouldn't
matter if 1 or 1 million people are watching, the bandwidth resource
requirement would remain the same.

If there are 10,000 Comcast subscribers watching exactly the same live
event on the net, sending 10,000 streams of exactly the same data is
dumb and it doesn't have to be that way.




Re: Suspecious anycast prefixes

2011-05-02 Thread bmanning
On Mon, May 02, 2011 at 08:40:01PM -0400, Christopher Morrow wrote:
 On Mon, May 2, 2011 at 3:35 PM, Joe Abley jab...@hopcount.ca wrote:
 
  On 2011-05-02, at 21:16, Yaoqing(Joey) Liu wrote:
 
  I found the following prefixes are often originated by many ASNs more than
  five, wonder if they provide global anycast service, if so what specific
  service they provide?
 
  12.64.255.0/24
 
  CERNET.
 
  70.37.135.0/24
 
  Microsoft/Hotmail.
 
  198.32.176.0/24
 
  Yahoo!
 
 as a note, this is bmanning/ep.net exchange space, no? so this could
 be just people leaking this into their table/global-table by mistake?


used to be.  ep.net has fragmented into little bits.  most of the prefixes have
been transferred to the clients who were using them, the ones who are still around
are outside the ARIN region and there is no clean way to move them given ARIN and
other RIR policy.

This particular prefix was used as a public exchange, operated by Switch & Data. Not sure
what they have done w/ it since then.

Switch and Data Management Company LLC NET-PAIX-V4 (NET-198-32-175-0-1) 198.32.175.0 - 198.32.177.255
EP.NET, LLC. NET-EP-176 (NET-198-32-176-0-1) 198.32.176.0 - 198.32.176.255


/bill




Re: How do you put a TV station on the Mbone?

2011-05-02 Thread Jay Ashworth
- Original Message -
 From: George Bonser gbon...@seven.com

 It doesn't make sense for a lot of on-demand access but makes a lot of
 sense for live content like radio talk shows, news, sports, etc. Even
 webcams could be upgraded to provide streaming content rather than
 individual frames without chewing up a lot of resources. It wouldn't
 matter if 1 or 1 million people are watching, the bandwidth resource
 requirement would remain the same.
 
 If there are 10,000 Comcast subscribers watching exactly the same live
 event on the net, sending 10,000 streams of exactly the same data is
 dumb and it doesn't have to be that way.

And, more to the point, as we proceed more and more into a live-tweet,
social TV world, *having all your viewers within a second or two of 
each other* becomes more and more important.

My experience is that that's *much* easier to manage in a multicast 
environment, than with live-unicast streaming -- especially when there
are multiple server clusters in different places for load balancing.

Cheers,
-- jra



Re: trouble with .gov dns?

2011-05-02 Thread Florian Weimer
* Tony Finch:

 Florian Weimer f...@deneb.enyo.de wrote:

  I have "dnssec-enable no;" in my bind config.

 It does not seem to have the intended effect.

 BIND's interpretation of the DO bit is "I understand DNSSEC RRs so
 it is OK to send them" not "I would like you to send DNSSEC
 RRs". This is why it always sets the DO bit when it can, i.e. when
 the request contains an EDNS OPT pseudo-RR.

I would go even further---the DO bit is not about DNSSEC at all.  The
resolver just promises to ignore any ancillary record sets it does not
understand.  If DO were about DNSSEC, a new flag would have been
introduced along with DNSSECbis, where the record types changed so
that for resolvers implementing the older protocol, the DNSSECbis
records just looked like garbage.



Re: trouble with .gov dns?

2011-05-02 Thread Florian Weimer
* Mark Andrews:

 You need an UDP size of at least 1220 for DNSSEC, see RFC 3226,
 section 3.  A query that advertises a smaller buffer size is
 non-compliant.  BIND will send such queries, but this is a
 controversial feature.
 
 This has been noted before, for example:
 
 From: Mark Andrews ma...@isc.org
 Subject: [dnsext] Failure to add glue MUST cause TC to be set.
 To: dns...@ietf.org
 Date: Sun, 20 Feb 2011 08:07:15 +1100
 Message-Id: 20110219210716.72943a56...@drugs.dv.isc.org

 And nameservers that don't set TC when they can't fit glue are
 broken RFC 1034.

Only if they produce such answers in response to compliant queries. 8-)
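
[Added example, not part of the thread or of BIND: a Python check for the two points discussed in the messages above, namely whether a query carries an EDNS OPT pseudo-RR with the DO bit set, and whether the advertised UDP size meets the 1220-octet minimum the thread cites from RFC 3226 section 3. The function names and the sample queries for example.gov are constructed for illustration.]

```python
import struct

OPT = 41               # RR type of the EDNS OPT pseudo-RR
MIN_DNSSEC_UDP = 1220  # minimum cited in the thread (RFC 3226, section 3)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # ordinary label: step over it
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)           # pointer is 2 bytes, root is 1

def edns_info(msg):
    """Return (udp_size, do_bit) from the OPT pseudo-RR, or None without EDNS."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT:
            # OPT reuses CLASS as the UDP payload size; DO is the top bit
            # of the low 16 bits of the TTL field.
            return rclass, bool(ttl & 0x8000)
    return None

def classify(msg):
    info = edns_info(msg)
    if info is None:
        return "no EDNS: DO cannot be set"
    size, do = info
    if do and size < MIN_DNSSEC_UDP:
        return f"non-compliant: DO set, UDP size {size} < {MIN_DNSSEC_UDP}"
    return f"ok: DO={int(do)}, UDP size {size}"

def build_query(name, udp_size=None, do=False):
    """Constructed sample query (A/IN); adds an OPT RR when udp_size is given."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    hdr = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    msg = hdr + qname + struct.pack("!2H", 1, 1)
    if udp_size:
        msg += b"\0" + struct.pack("!HHIH", OPT, udp_size, 0x8000 if do else 0, 0)
    return msg

if __name__ == "__main__":
    for q in (build_query("example.gov"), build_query("example.gov", 512, True)):
        print(classify(q))
```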



Re: Suspecious anycast prefixes

2011-05-02 Thread Andrew Koch
On Mon, May 2, 2011 at 23:20,  bmann...@vacation.karoshi.com wrote:

  198.32.176.0/24
 
  Yahoo!

 This particular prefix was used as a public exchange, operated by Switch & Data. Not sure
 what they have done w/ it since then.

 Switch and Data Management Company LLC NET-PAIX-V4 (NET-198-32-175-0-1) 198.32.175.0 - 198.32.177.255
 EP.NET, LLC. NET-EP-176 (NET-198-32-176-0-1) 198.32.176.0 - 198.32.176.255


Still in-use at the Equinix Palo Alto exchange (former PAIX)

https://www.peeringdb.com/private/exchange_view.php?id=7
https://www.peeringdb.com/dns-scan/198-32-176-0-24.txt

Andy