Re: IPv6 RA vs DHCPv6 - The chosen one?
On Mon, 19 Dec 2011, Owen DeLong wrote:

> Different operators will have different preferences in different environments. Ideally, the IETF should provide complete solutions based on DHCPv6 and on RA and let the operators decide what they want to use in their environments.

Agree. Selection is also influenced by the availability of the particular feature in a particular environment and by the habits of the operators.

Best Regards,
Janos Mohacsi

> Owen
>
> On Dec 19, 2011, at 10:27 PM, Ravi Duggal wrote:
>
>> Hi,
>>
>> IPv6 devices (routers and hosts) can obtain configuration information about default routers, on-link prefixes and addresses from Router Advertisements as defined in Neighbor Discovery. I have been told that in some deployments, there is a strong desire not to use Router Advertisements at all and to perform all configuration via DHCPv6. There are thus similar IETF standards to get everything that you can get from RAs by using DHCPv6 instead.
>>
>> As a result of this we see new proposals in IETF that try to do similar things by either extending RA mechanisms or by introducing new options in DHCPv6. We thus have draft-droms-dhc-dhcpv6-default-router-00 that extends DHCPv6 to do what RA does. And now we have draft-bcd-6man-ntp-server-ra-opt-00.txt that extends RA to advertise the NTP information that is currently done via DHCPv6.
>>
>> My question is, which then is the more preferred option for the operators? Do they prefer extending RA so that the new information loaded on top of the RA messages gets known in a single shot when routers do neighbor discovery? Or do they prefer all the extra information to be learnt via DHCPv6? What are the pros and cons of each approach and when would people favor one over the other?
>>
>> I can see some advantages with loading information into RA since then one is not dependent on the DHCPv6 server. However, the latter provides its own benefits.
>>
>> Regards,
>> Ravi D.
Re: IPv6 RA vs DHCPv6 - The chosen one?
When a router needs to learn information from another router it will *usually* use the RA messages and not DHCPv6, as the latter is *usually* meant for Router - Host communication. However, it is NOT uncommon to see hosts also learning the information using RA messages.

Routers afaik don't usually act as DHCP clients and thus information that can only be passed in DHCPv6 may not be available to the routers, and you may need an alternate mechanism.

Glen

On Tue, Dec 20, 2011 at 11:57 AM, Ravi Duggal raviduggal2...@gmail.com wrote:

> Hi,
>
> IPv6 devices (routers and hosts) can obtain configuration information about default routers, on-link prefixes and addresses from Router Advertisements as defined in Neighbor Discovery. I have been told that in some deployments, there is a strong desire not to use Router Advertisements at all and to perform all configuration via DHCPv6. There are thus similar IETF standards to get everything that you can get from RAs by using DHCPv6 instead.
>
> As a result of this we see new proposals in IETF that try to do similar things by either extending RA mechanisms or by introducing new options in DHCPv6. We thus have draft-droms-dhc-dhcpv6-default-router-00 that extends DHCPv6 to do what RA does. And now we have draft-bcd-6man-ntp-server-ra-opt-00.txt that extends RA to advertise the NTP information that is currently done via DHCPv6.
>
> My question is, which then is the more preferred option for the operators? Do they prefer extending RA so that the new information loaded on top of the RA messages gets known in a single shot when routers do neighbor discovery? Or do they prefer all the extra information to be learnt via DHCPv6? What are the pros and cons of each approach and when would people favor one over the other?
>
> I can see some advantages with loading information into RA since then one is not dependent on the DHCPv6 server. However, the latter provides its own benefits.
>
> Regards,
> Ravi D.
ipv6.level3.com responding with a 500 Internal Server Error for 3+ days
ipv6.level3.com has been responding with a 500 Internal Server Error since Saturday morning. I reached out twice to the NOC email address I have on file, but got no response. Perhaps someone can reach out to the right person.

Frank

P.S.: ipv6.cnn.com has not been responding properly for about two-thirds of this month, starting December 7, early a.m. I've reached out to my Turner contact at least twice, but no luck there, either.
routeviews.org domain registration
routeviews.org domain registration has lapsed? I pinged John Kemp at uoregon.edu, but I'm unsure if he is the correct contact for this.

Domain ID:D48496876-LROR
Domain Name:ROUTEVIEWS.ORG
Created On:14-Dec-2000 23:05:47 UTC
Last Updated On:20-Dec-2011 08:53:07 UTC
Expiration Date:14-Dec-2012 23:05:47 UTC
Sponsoring Registrar:Network Solutions LLC (R63-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:AUTORENEWPERIOD
Registrant ID:DOMAIN-RESALE
Registrant Name:Pending Renewal or Deletion
Registrant Street1:P.O. Box 430
Registrant Street2:
Registrant Street3:
Registrant City:Herndon
Registrant State/Province:VA
Registrant Postal Code:20172
Registrant Country:US
Registrant Phone:+1.5707088786
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:pendingrenewalordelet...@networksolutions.com
Re: routeviews.org domain registration
On 20 Dec 2011, at 12:02, Stephen Strowes wrote:

> I pinged John Kemp at uoregon.edu, but unsure if he is the correct contact for this.

I beeped Dave Meyer, who acknowledged, so I think someone is on it.

Andy
Nexus emulation? Anyone?
I know we can't throw NX code on Dynamips but I figured I would ask the group anyway. We are starting to discuss Nexus platform options and I can only get so much from demo depot before our AM gets whiny. Is anyone currently emulating Nexus on anything that is open to the public? Not I.O.U. but Dynamips or something similar? If the software is out there I have the hardware to support it. Based on some cheap googling I'm thinking the answer will be no. Although I did find Greg Ferro's public outcry for network emulators from last year.

--
-Hammer-

"I was a normal American nerd"
-Jack Herer
IPV6 issue
Hello,

I have a SIXXS ipv6 tunnel that terminates in Ashburn, Va. I have two HE ipv6 tunnels; one terminates in Dallas, the other terminates in Ashburn. I can ping each endpoint of the tunnels that terminate in Ashburn, but I can't ping between the SIXXS and HE with the HE termination in Dallas. Using Looking Glass at HE I can traceroute to my SIXXS tunnel from Chicago but not from Dallas.

Any ideas on how to get this fixed? This problem only started occurring within the last week or so.

Thanks for your indulgence,
--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com
software wanted
Hi everybody,

Can anybody recommend a piece of software that could graph a live network, scanning it via snmp? Requirements are:

1. must produce a text output suitable for postproduction. graphviz is ideal, xml acceptable.
2. must use no external database, i.e. have a text config file. Clean text console, suitable to run as a cronjob.
3. must be able to work in a heterogeneous environment.

Thanks a lot in advance

--
With best regards,
Gregory Edigarov
RE: software wanted
Cacti is a very useful graphing tool. We have used it to graph anything we can grab via snmp.

Hope that helps.

Jeremy Bowen

> Hi everybody,
>
> Can anybody recommend a piece of software that could graph a live network, scanning it via snmp? Requirements are:
>
> 1. must produce a text output suitable for postproduction. graphviz is ideal, xml acceptable.
> 2. must use no external database, i.e. have a text config file. Clean text console, suitable to run as a cronjob.
> 3. must be able to work in a heterogeneous environment.
>
> Thanks a lot in advance
>
> -
> With best regards,
> Gregory Edigarov

--
The information contained in this message, including attachments, may contain privileged or confidential information that is intended to be delivered only to the person identified above. If you are not the intended recipient, or the person responsible for delivering this message to the intended recipient, Windstream requests that you immediately notify the sender and asks that you do not read the message or its attachments, and that you delete them without copying or sending them to anyone else.
Re: software wanted
mrtg? www.mrtg.org

On Tue, Dec 20, 2011 at 9:21 AM, Gregory Edigarov g...@bestnet.kharkov.ua wrote:

> Hi everybody,
>
> Can anybody recommend a piece of software that could graph a live network, scanning it via snmp? Requirements are:
>
> 1. must produce a text output suitable for postproduction. graphviz is ideal, xml acceptable.
> 2. must use no external database, i.e. have a text config file. Clean text console, suitable to run as a cronjob.
> 3. must be able to work in a heterogeneous environment.
>
> Thanks a lot in advance
>
> --
> With best regards,
> Gregory Edigarov
Re: IPV6 issue
On 2011-12-20 15:17 , Steve Clark wrote:

> Hello,
>
> I have a SIXXS ipv6 tunnel that terminates in Ashburn, Va. I have two HE ipv6 tunnels; one terminates in Dallas, the other terminates in Ashburn. I can ping each endpoint of the tunnels that terminate in Ashburn, but I can't ping between the SIXXS and HE with the HE termination in Dallas. Using Looking Glass at HE I can traceroute to my SIXXS tunnel from Chicago but not from Dallas.
>
> Any ideas on how to get this fixed?

Contact the providers involved directly?

Sending a mail to i...@he.net + i...@sixxs.net should get you what you need, given that you actually provide IP addresses and other such useful diagnostics like interface configuration, routing tables etc etc etc.

The above mail is far from useful and nobody would be able to help you in any way except to state the above.

Greets,
Jeroen
RE: software wanted
Cacti uses MySQL, but I'm not sure if plain rrdtool does. There is support for custom programming, so it might be worth checking out.

http://oss.oetiker.ch/rrdtool/

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222

-Original Message-
From: Bowen, Jeremy M [mailto:jeremy.m.bo...@windstream.com]
Sent: Tuesday, December 20, 2011 9:27 AM
To: 'Gregory Edigarov'; nanog@nanog.org
Subject: RE: software wanted

> Cacti is a very useful graphing tool. We have used it to graph anything we can grab via snmp.
>
> Hope that helps.
>
> Jeremy Bowen
>
>> Hi everybody,
>>
>> Can anybody recommend a piece of software that could graph a live network, scanning it via snmp? Requirements are:
>>
>> 1. must produce a text output suitable for postproduction. graphviz is ideal, xml acceptable.
>> 2. must use no external database, i.e. have a text config file. Clean text console, suitable to run as a cronjob.
>> 3. must be able to work in a heterogeneous environment.
>>
>> Thanks a lot in advance
>>
>> -
>> With best regards,
>> Gregory Edigarov
Re: software wanted
On Tue, 20 Dec 2011 16:21:50 +0200 Gregory Edigarov g...@bestnet.kharkov.ua wrote:

> Hi everybody,
>
> Can anybody recommend a piece of software that could graph a live network, scanning it via snmp? Requirements are:
>
> 1. must produce a text output suitable for postproduction. graphviz is ideal, xml acceptable.
> 2. must use no external database, i.e. have a text config file. Clean text console, suitable to run as a cronjob.
> 3. must be able to work in a heterogeneous environment.
>
> Thanks a lot in advance

And, the question is about producing a network schematic, not about graphs like mrtg, cacti etc, etc.

--
With best regards,
Gregory Edigarov
Re: software wanted
On 12/20/11 9:21 AM, Gregory Edigarov wrote:

> Hi everybody,
>
> Can anybody recommend a piece of software that could graph a live network, scanning it via snmp? Requirements are:
>
> 1. must produce a text output suitable for postproduction. graphviz is ideal, xml acceptable.
> 2. must use no external database, i.e. have a text config file. Clean text console, suitable to run as a cronjob.
> 3. must be able to work in a heterogeneous environment.
>
> Thanks a lot in advance

This *might* do what you want. It will create the graph for you; what happens after that I don't know.

http://www.mikrotik.com/thedude.php

I played with it briefly but it didn't really serve a purpose for us since we derive our network layout from the OSS database.

--
Mark Radabaugh
Amplex
m...@amplex.net 419.837.5015
Re: software wanted
So you want dynamic real-time network discovery / topology mapping? I think Whatsup Gold tried this years ago and it could even export to Visio. But not sure lately.

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 12/20/2011 08:37 AM, Gregory Edigarov wrote:

> On Tue, 20 Dec 2011 16:21:50 +0200 Gregory Edigarov g...@bestnet.kharkov.ua wrote:
>
>> Hi everybody,
>>
>> Can anybody recommend a piece of software that could graph a live network, scanning it via snmp? Requirements are:
>>
>> 1. must produce a text output suitable for postproduction. graphviz is ideal, xml acceptable.
>> 2. must use no external database, i.e. have a text config file. Clean text console, suitable to run as a cronjob.
>> 3. must be able to work in a heterogeneous environment.
>>
>> Thanks a lot in advance
>
> And, the question is about producing a network schematic, not about graphs like mrtg, cacti etc, etc.
RE: software wanted
> Can anybody recommend a piece of software that could graph a live network, scanning it via snmp? Requirements are:
>
> 1. must produce a text output suitable for postproduction. graphviz is ideal, xml acceptable.
> 2. must use no external database, i.e. have a text config file. Clean text console, suitable to run as a cronjob.
> 3. must be able to work in a heterogeneous environment.

Except for requirement #2, NetDisco would fulfill your requirements. On the other hand, NetDisco uses a database for topology management. For the graph side, it creates a text file usable by graphviz.

Raymond.
Re: IPv6 RA vs DHCPv6 - The chosen one?
I had some trouble parsing what Glen was saying, so I'll provide some clarification of how things actually work today and what I think would be desirable in future development:

1. In IPv6, it is not uncommon for certain types of routers to be DHCP clients. DHCPv6-PD is relatively useless except when talking to a router.

2. Routers rarely listen to RAs and mostly generate them. There's no reason for router A to listen to RAs from router B on the same link. Router A doesn't care that Router B can be a default gateway. If Router A needs a default gateway, router A shouldn't be advertising himself with RAs and should know about Router B from a static route or some routing protocol. RAs are only useful (as far as routing is concerned) for routers to announce themselves as default gateways. They do not provide any mechanism for advertising more specific routes.

3. As it currently stands, RAs can provide the following information:
   + Default Router (anything sending an RA should be a valid default router).
   + Router Priority (High/Medium/Low)
   + Prefixes (must be /64) for SLAAC
     * Desired Lifetime
     * Valid Lifetime
   + DHCP Server Address
   + DNS Resolver Address[1]
   + M-Bit (Network is managed, host should ask DHCP server for some configuration information)
   + A-Bit (DHCP server is authoritative for addressing, do not use SLAAC to generate unicast addresses from prefixes)

   [1] Requires recent extensions to SLAAC and RA. Not available in all implementations.

4. As it currently stands, a DHCPv6 server can provide most of the things you're used to a DHCP server providing. It cannot provide any information about routing whatsoever. There is currently no mechanism for a host to ask a DHCPv6 server for configuration information unless and until it receives an RA with at least the M-Bit set. (You currently can't use DHCP without RA.) Currently, many clients support only SLAAC and Static for configuring IPv6 information. If you have such clients in your environment, setting the A-bit is generally self-destructive. Short of some form of NAC[2], there is currently no mechanism for preventing a host which uses SLAAC in spite of the A-bit being present (nefariously or erroneously) from making use of the network with that address. (i.e. you can't force a host to use DHCPv6 if it is not well behaved.)

   [2] Network Admission Control -- A process which does not place clients into functional VLANs on the switch until certain policy defined criteria have been met.

5. What I'd like to see:
   1. A mechanism for DHCP to be used without requiring RA at all.
   2. A mechanism for DHCP to provide zero or more copies of an optional attribute called Routing Information. Said attribute's value would be a structure containing:
        Prefix   (128 bits)
        Masklen  (8 bits)
        Next-Hop (128 bits)
        Metric   (16 bits)
      A default router would be specified as:
        Prefix   0::0/128
        Masklen  0
        Next-Hop pfx::gateway
      A static routing table with specific routes could be built as:
        Prefix 2001:0db8:0:32::   Masklen 64   Next-Hop 2001:0db8:0:7::1
        Prefix 2001:0db8:0:64:    Masklen 60   Next-Hop 2001:0db8:0:7::5
        Prefix ::                 Masklen 0    Next-Hop 2001:0db8:0:7:feed:beef:cafe:babe
   3. Extensions to SLAAC to provide for NTP, next-server, boot-file, and certain other key elements available from DHCP, but not possible in the current specification for SLAAC.

Yes, this will annoy those purists who believe there should be one true way to do each thing. That's OK, they're entitled to their opinion, but this is mine. Different operators have different preferences and different environments sometimes work better or adapt better to different solutions. Currently, most significant environments have to cobble together a complete solution from remnants of SLAAC and DHCP. This is far from ideal. Far better for organizations to look at 2 complete solutions and pick the solution that
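The Routing Information attribute sketched in item 5.2 above, worked through as an added example that is not part of the post or of any IETF draft: the four fields and their widths are Owen's, while the fixed-width network-byte-order layout, the metric values and the example names are assumptions made here. It also shows what a receiver should do with a prefix whose bits extend past its masklen and with a truncated attribute.

```python
# Added example, not from the post: pack/unpack the proposed Routing
# Information attribute.  Field list (Prefix 128 bits, Masklen 8 bits,
# Next-Hop 128 bits, Metric 16 bits) is from the post; the fixed-width
# big-endian layout below is an assumption.
import ipaddress
import struct

# Assumed wire layout: 16-byte prefix, 1-byte masklen, 16-byte next-hop,
# 2-byte metric, network byte order.  35 bytes per entry.
ENTRY = struct.Struct("!16sB16sH")


def encode_route(prefix, masklen, next_hop, metric=0):
    """Pack one entry.  Host bits beyond masklen are cleared before packing,
    so 2001:db8:0:64::/60 is sent as the canonical 2001:db8:0:60::/60 rather
    than leaving the receiver to guess which prefix was meant."""
    if not 0 <= masklen <= 128:
        raise ValueError("masklen must be 0..128")
    if not 0 <= metric <= 0xFFFF:
        raise ValueError("metric must fit in 16 bits")
    net = ipaddress.IPv6Network((prefix, masklen), strict=False)
    return ENTRY.pack(net.network_address.packed, masklen,
                      ipaddress.IPv6Address(next_hop).packed, metric)


def decode_routes(blob):
    """Unpack zero or more entries into (network, next_hop, metric) tuples.
    The receiver is strict: a truncated attribute or an entry whose prefix
    has bits set beyond its masklen is rejected, not silently repaired."""
    if len(blob) % ENTRY.size:
        raise ValueError("attribute length %d is not a multiple of %d"
                         % (len(blob), ENTRY.size))
    routes = []
    for off in range(0, len(blob), ENTRY.size):
        pfx, masklen, nh, metric = ENTRY.unpack_from(blob, off)
        if masklen > 128:
            raise ValueError("bad masklen %d" % masklen)
        # strict=True (the default) raises ValueError on non-zero host bits
        net = ipaddress.IPv6Network((pfx, masklen))
        routes.append((net, ipaddress.IPv6Address(nh), metric))
    return routes


def build_static_table():
    """The three routes from the post: two more-specifics plus a default.
    The metrics are made up; the post leaves them unspecified."""
    entries = [
        ("2001:db8:0:32::", 64, "2001:db8:0:7::1", 10),
        ("2001:db8:0:64::", 60, "2001:db8:0:7::5", 10),
        ("::", 0, "2001:db8:0:7:feed:beef:cafe:babe", 100),
    ]
    return b"".join(encode_route(*e) for e in entries)


def is_well_formed(blob):
    """True if decode_routes() accepts the attribute, False otherwise."""
    try:
        decode_routes(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for net, nh, metric in decode_routes(build_static_table()):
        print("%-22s via %-36s metric %d" % (net, nh, metric))
```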
Re: IPv6 RA vs DHCPv6 - The chosen one?
* Owen DeLong

> RAs are only useful (as far as routing is concerned) for routers to announce themselves as default gateways. They do not provide any mechanism for advertising more specific routes.

They do, actually. See RFC 4191.

--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
DNS zone response speed test tool?
I've put monitoring onto my public website, and by far the largest component of the response time it gives me is the DNS lookup -- 4-500ms, which seems entirely unreasonable.

Is there a tool that anyone knows about that will measure the response time of my zone servers, somewhere on the web? Is the sum of the times in a dig +trace the proper metric to look at there?

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
Re: Overall Netflix bandwidth usage numbers on a network?
Yes, sorry. We will respond to all takers shortly; there was a flaw in our logic used to generate these numbers and we wanted to ensure that we were painting an accurate picture. We will have statistics out within a week, hopefully.

Thanks,
-Dave

On 12/16/11 9:55 AM, Paul Stewart wrote:

> I'll take a guess they are backlogged - they have been working on our traffic stats since a week before that posting made it to the nanog list
>
> ---
> Sent via iPhone
>
> On 2011-12-16, at 9:16 AM, Dennis Burgess dmburg...@linktechs.net wrote:
>
>> Same here.
>>
>> ---
>> Dennis Burgess, Mikrotik Certified Trainer
>> Link Technologies, Inc -- Mikrotik WISP Support Services
>> Office: 314-735-0270 Website: http://www.linktechs.net
>> LIVE On-Line Mikrotik Training - Author of Learn RouterOS
>>
>> -Original Message-
>> From: Blake Hudson [mailto:bl...@ispn.net]
>> Sent: Friday, December 16, 2011 8:11 AM
>> To: Dave Temkin
>> Cc: nanog@nanog.org
>> Subject: Re: Overall Netflix bandwidth usage numbers on a network?
>>
>> Requests to this address appear to go unanswered?
>>
>> Dave Temkin wrote the following on 12/11/2011 6:29 PM:
>>
>>> Feel free to contact peering@netflixdotcom - we're happy to provide you with delivery statistics for traffic terminating on your network.
>>>
>>> Regards,
>>> -Dave Temkin
>>> Netflix
>>>
>>> On 12/7/11 8:57 AM, Blake Hudson wrote:
>>>
>>>> Yeah, that's an interesting one. We currently utilize netflow for this, but you also need to consider that netflix streaming is just port 80 www traffic. Because netflix uses CDNs, it's difficult to pin down the traffic to specific hosts in the CDN and say that this traffic was netflix, while this traffic was the latest windows update (remember this is often a shared hosting platform). We've done our own testing and have come to a good solution which uses a combination of nbar, packet marking, and netflow to come to a conclusion. On a ~160Mbps link, netflix peaks out between 30-50Mbps around 8-10PM each evening. The rest of the traffic is predominantly other forms of HTTP traffic (including other video streaming services).
>>>>
>>>> Martin Hepworth wrote the following on 12/3/2011 2:36 AM:
>>>>
>>>>> Also check out Adrian Cockcroft's presentations on their architecture which describe how they use AWS and CDNs etc
>>>>>
>>>>> Martin
Re: DNS zone response speed test tool?
On Tue, Dec 20, 2011 at 10:10:08AM -0500, Jay Ashworth j...@baylink.com wrote a message of 16 lines which said:

> Is there a tool that anyone knows about that will measure the response time of my zone servers, somewhere on the web?

Yes, it is called Nanog. For baylink.com? Only one real name server and quite slow.

% qtest -n 10 SOA baylink.com $(dig +short NS baylink.com.)
148 ns5.baylink.com./69.12.222.27
149 ns6.baylink.com./69.12.222.27

#!/bin/sh
#
# qtest: queries a set of DNS name servers and report the fastest ones
#
# Usage: qtest query server...
# Example: qtest -n 3 SOA fr $(dig +short NS fr.)
#
# From: Joe Abley jab...@isc.org
# Modified-by: Stephane Bortzmeyer bortzme...@nic.fr

# Settings
max=1
verbose=0

# Some Unices like NetBSD are crazy enough to ship a dinosaurian
# version of getopt, which cannot handle arguments with spaces! So, we
# have a lot of work to work around this pre-babylonian limit.
test_getopt() {
    getopt=$1
    # Accept either a path to an executable or a name found on $PATH
    if [ ! -x "$getopt" ] && ! which "$getopt" >/dev/null 2>&1; then
        return 1
    fi
    # A usable getopt preserves the quoted, space-containing argument
    if [ "$($getopt -o '' -- 'a b')" = " -- 'a b'" ]; then
        return 0
    else
        return 1
    fi
}

if test_getopt getopt; then
    GETOPT=getopt
else
    if test_getopt ggetopt; then
        GETOPT=ggetopt
    else
        if test_getopt /usr/pkg/bin/getopt; then
            # Last resort for NetBSD
            GETOPT=/usr/pkg/bin/getopt
        else
            echo "Cannot find a working getopt on this machine" >/dev/stderr
            exit 1
        fi
    fi
fi

TEMP=$($GETOPT -o n:v -- "$@")
if [ $? != 0 ]; then
    echo "Usage: $0 [-n MAX] [-v] query server..." >/dev/stderr
    exit 1
fi
eval set -- "$TEMP"
while true ; do
    case "$1" in
        -n) max=$2; shift 2;;
        -v) verbose=1; shift;;
        --) shift ; break ;;
        *) echo "Internal error!" >/dev/stderr ; exit 1 ;;
    esac
done

# The query is e.g. "SOA baylink.com" and is deliberately left unquoted
# below so that dig receives the type and the name as separate words.
query=$1
shift
servers=""
for server in $*; do
    # Resolve each server name to its IPv4 and IPv6 addresses
    addresses=$(dig +short A $server ; dig +short AAAA $server)
    if [ -z "$addresses" ]; then
        # Let's hope it was an IP address
        addresses=$server
    fi
    for address in $addresses; do
        servers="$servers $server/$address"
    done
done

# Query every address three times and average the reported query time
for i in 0 1 2; do
    for server in $servers; do
        address=$(echo $server | cut -d/ -f 2)
        # TODO: if the box has no IPv6 connectivity, or if it is an
        # old dig without IPv6, we get something like "dig: couldn't
        # get address for '2001:4f8:0:2::8': address family not
        # supported". Should we do something?
        echo "TEST: $server"
        dig @${address} ${query}
    done
done | \
    awk '/^TEST: / { server = $2; } \
         /^;; Query time:/ { query_time = $4; } \
         /^;; SERVER: / { sum[server] += query_time; num[server]++; } \
         END { for (ns in sum) { print int(sum[ns]/num[ns]), ns; } }' | \
    sort -n | head -n "$max"
Re: DNS zone response speed test tool?
http://code.google.com/p/namebench/

Seems like it may be fun to play with.

On Tue, Dec 20, 2011 at 10:10 AM, Jay Ashworth j...@baylink.com wrote:

> I've put monitoring onto my public website, and by far the largest component of the response time it gives me is the DNS lookup -- 4-500ms, which seems entirely unreasonable.
>
> Is there a tool that anyone knows about that will measure the response time of my zone servers, somewhere on the web? Is the sum of the times in a dig +trace the proper metric to look at there?
>
> Cheers,
> -- jra
>
> --
> Jay R. Ashworth                  Baylink                       j...@baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

--
Just my $.02, your mileage may vary, batteries not included, etc
OT: Nortel/Ciena Cooling Tray for OME 6500 - NTK607AAE5
For a project that needs to be completed like yesterday in Houston, TX, I need to find cooling trays for Ciena/Nortel OME 6500's .Please contact me off-list if you have any inventory of NTK607AAE5 for sale. Only contact if you have them available, not if you know a guy who knows a guy :) +1-832-615-7743. Thanks and sorry for the OT.
Re: DNS zone response speed test tool?
Doesn't do much for long term graphing and monitoring, but for quickie issue detection or verification, http://www.grc.com/dns/benchmark.htm

...Todd

On Tue, Dec 20, 2011 at 8:00 AM, chip chip.g...@gmail.com wrote:

> http://code.google.com/p/namebench/
>
> Seems like it may be fun to play with.
>
> On Tue, Dec 20, 2011 at 10:10 AM, Jay Ashworth j...@baylink.com wrote:
>
>> I've put monitoring onto my public website, and by far the largest component of the response time it gives me is the DNS lookup -- 4-500ms, which seems entirely unreasonable.
>>
>> Is there a tool that anyone knows about that will measure the response time of my zone servers, somewhere on the web? Is the sum of the times in a dig +trace the proper metric to look at there?
>>
>> Cheers,
>> -- jra
>>
>> --
>> Jay R. Ashworth                  Baylink                       j...@baylink.com
>> Designer                     The Things I Think                       RFC 2100
>> Ashworth Associates     http://baylink.pitas.com         2000 Land Rover DII
>> St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
>
> --
> Just my $.02, your mileage may vary, batteries not included, etc

--
"If Americans could eliminate sugary beverages, potatoes, white bread, pasta, white rice and sugary snacks, we would wipe out almost all the problems we have with weight and diabetes and other metabolic diseases." -- Dr. Walter Willett, Harvard School of Public Health
what if...?
Hi,

What if evil guys hack my mom's ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this?

Eduardo.-

--
Eduardo A. Suarez
Facultad de Ciencias Astronómicas y Geofísicas - UNLP
FCAG: (0221)-4236593 int. 172/Cel: (0221)-15-4557542/Casa: (0221)-4526589

This message was sent using IMP, the Internet Messaging Program.
RE: what if...?
You mean besides SSL? :)

Ken Matlock
Network Analyst
Systems and Technology Service Center
Sisters of Charity of Leavenworth Health System
12600 W. Colfax, Suite A-500
Lakewood, CO 80215
303-467-4671
matlo...@exempla.org

-Original Message-
From: Eduardo A. Suárez [mailto:esua...@fcaglp.fcaglp.unlp.edu.ar]
Sent: Tuesday, December 20, 2011 9:37 AM
To: nanog@nanog.org
Subject: what if...?

> Hi,
>
> What if evil guys hack my mom's ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this?
>
> Eduardo.-
>
> --
> Eduardo A. Suarez
> Facultad de Ciencias Astronómicas y Geofísicas - UNLP
> FCAG: (0221)-4236593 int. 172/Cel: (0221)-15-4557542/Casa: (0221)-4526589

*** Exempla Confidentiality Notice ***
The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any other dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify me immediately by replying to the message and deleting it from your computer. Thank you.
*** Exempla Confidentiality Notice ***
Re: what if...?
On Tue, 20 Dec 2011 13:37:23 -0300, Eduardo A. Suárez said:

> What if evil guys hack my mom's ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this?

The snarky answer is "If your mom has to ask how she can detect this, she's probably going to be unable to do so."

The more technically correct answer is that you can check the IP and TTL as returned by your local caching nameserver, and compare them to the values reported from the authoritative NS for the zone. Of course, this means you have to hit the authoritative server, which sort of defeats the purpose of DNS caching.

Or you can deploy DNSSEC.

Or you can deploy SSL (not perfect, but it raises the bar considerably).

Or you can google for "DNS RPZ" and start reading - the top hit seems to be Paul Vixie's announcement: https://www.isc.org/community/blog/201007/taking-back-dns-0 and start reading - as about the 4th or 5th commenter points out, the threat model is *no* different than a DNS server that forces in its own zones. The commenter is talking in the context of a provider replacing a zone, but it's the same issue if a black hat hacks in a zone.
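The check described in this reply (compare the IP and TTL the local caching resolver hands back with what the zone's authoritative server publishes), as an added example that is not part of the post. It runs on constructed dig-style answer sections rather than live queries; mom-bank.example and evil.example stand in for the post's mom_bank.com and evil.com, and the addresses are documentation ranges.

```python
# Added example, not from the post: compare a caching resolver's answer
# for a name with the authoritative server's answer for the same name.

# Constructed authoritative answer: what the zone owner publishes.
AUTHORITATIVE = """\
mom-bank.example.  300  IN  A  192.0.2.10
mom-bank.example.  300  IN  A  192.0.2.11
"""

# Constructed answer from an untampered cache: same addresses, TTLs
# counted down since the records were fetched, order shuffled.
LOCAL_CLEAN = """\
mom-bank.example.  187  IN  A  192.0.2.11
mom-bank.example.  187  IN  A  192.0.2.10
"""

# Constructed answer from a resolver whose policy zone rewrites the name.
# A CNAME to another domain is the usual shape of an RPZ redirect.
LOCAL_REWRITTEN = """\
mom-bank.example.  3600  IN  CNAME  evil.example.
evil.example.      3600  IN  A      198.51.100.7
"""


def parse_answer(text):
    """Parse 'owner TTL class type rdata' lines (dig +noall +answer layout)
    into (owner, ttl, type, rdata) tuples; names are lower-cased."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return records


def compare_answers(name, local, authoritative):
    """Return a list of findings; an empty list means the cached answer is
    consistent with what the authority published for `name`."""
    name = name.lower().rstrip(".") + "."
    findings = []
    local_rr = [r for r in parse_answer(local) if r[0] == name]
    auth_rr = [r for r in parse_answer(authoritative) if r[0] == name]

    # 1. A cache can only count a TTL down, never up: a local TTL above
    #    anything the authority published cannot have come from the authority.
    auth_max_ttl = max((ttl for _, ttl, _, _ in auth_rr), default=0)
    for _, ttl, rtype, _ in local_rr:
        if ttl > auth_max_ttl:
            findings.append("local %s TTL %d exceeds authoritative maximum %d"
                            % (rtype, ttl, auth_max_ttl))

    # 2. A CNAME the authority never published is a rewrite, whoever did it.
    auth_types = {rtype for _, _, rtype, _ in auth_rr}
    for _, _, rtype, rdata in local_rr:
        if rtype == "CNAME" and "CNAME" not in auth_types:
            findings.append("%s rewritten to %s; authority publishes no CNAME"
                            % (name, rdata))

    # 3. The address set must match exactly; record order is irrelevant.
    def addrs(rrs):
        return {rdata for _, _, rtype, rdata in rrs if rtype in ("A", "AAAA")}

    if addrs(local_rr) != addrs(auth_rr):
        findings.append("address set differs: local=%s authoritative=%s"
                        % (sorted(addrs(local_rr)), sorted(addrs(auth_rr))))
    return findings


if __name__ == "__main__":
    for label, answer in (("clean", LOCAL_CLEAN), ("rewritten", LOCAL_REWRITTEN)):
        print(label, compare_answers("mom-bank.example", answer, AUTHORITATIVE) or "OK")
```

A rewrite that substitutes plausible A records and keeps TTLs at or below the authority's passes the first two checks and is caught only by the address comparison, which is exactly the direct query of the authoritative server the reply says defeats caching; DNSSEC validation is the check that does not depend on it.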
Re: what if...?
On Dec 20, 2011, at 11:37 AM, Eduardo A. Suárez wrote:

> Hi,
>
> What if evil guys hack my mom's ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this?

Thankfully mom_bank.com is not valid, as underscores aren't valid in dns names :)

Additionally, SSL certificates combined with DNSSEC/DANE can provide some protection. Some of this technology may not be available today, but is worth tracking if you are interested in this topic.

- Jared
Re: Nexus emulation? Anyone?
On 20/12/2011 13:55, -Hammer- wrote:

> I know we can't throw NX code on Dynamips but I figured I would ask the group anyway. We are starting to discuss Nexus platform options and I can only get so much from demo depot before our AM gets whiny. Is anyone currently emulating Nexus on anything that is open to the public?

nexus1k?

Nick
Re: Nexus emulation? Anyone?
Bah. Looks like I need more of an education on Nexus in general. Thanks for the easy pointer.

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 12/20/2011 11:02 AM, Nick Hilliard wrote:

> On 20/12/2011 13:55, -Hammer- wrote:
>
>> I know we can't throw NX code on Dynamips but I figured I would ask the group anyway. We are starting to discuss Nexus platform options and I can only get so much from demo depot before our AM gets whiny. Is anyone currently emulating Nexus on anything that is open to the public?
>
> nexus1k?
>
> Nick
Re: IPV6 issue (occaid.net)
On 12/20/11 06:33, Jeroen Massar wrote: On 2011-12-20 15:17 , Steve Clark wrote: Hello, I have a SIXXS ipv6 tunnel that terminates in Ashburn, Va. I have two HE ipv6 tunnels, one terminates in Dallas the other terminate in Ashburn. I can ping each endpoint of the tunnels that terminate in Ashburn, but I can't ping between the SIXXS and HE with the HE termination in Dallas. Using Looking Glass at HE I can traceroute to my SIXXS tunnel from Chicago but not from Dallas. Any ideas on how to get this fixed. Contact the providers involved directly? Sending a mail to i...@he.net + i...@sixxs.net should get you what you need, given that you actually provide IP addresses and other such useful diagnostics like interface configuration, routing tables etc etc etc. The above mail is far from useful and nobody would be able to help you in anyway except to state the above. Actually, I was about to send a message about this. I believe the problem is in occaid.net, particularly their router in Atlanta. SIXXS uses a variety of providers at various PoPs to provide their tunnel connectivity and occaid.net is the provider at Ashburn (I have a SIXXS tunnel there as well). 
Tracerouting from the West Coast or Texas goes through occaid.net's router in Atlanta and dies there with 'network unreachable':

traceroute6 to burnttofu.net (2001:4830:1600:3bf::2) from 2001:470:1f05:17a6:219:d1ff:fe26:5246, 64 hops max, 12 byte packets
 1  2001:470:1f05:17a6::1  0.316 ms  0.321 ms  0.321 ms
 2  10-1.tunnel.tserv3.fmt2.ipv6.he.net  28.000 ms  22.402 ms  26.169 ms
 3  gige-g5-19.core1.fmt2.he.net  16.697 ms  18.046 ms  15.891 ms
 4  10gigabitethernet6-4.core1.lax1.he.net  23.735 ms  25.327 ms  25.711 ms
 5  10gigabitethernet1-3.core1.lax2.he.net  25.708 ms  24.923 ms  25.793 ms
 6  2001:504:13::8  25.713 ms  23.731 ms  25.705 ms
 7  bbr01-v441.atln01.occaid.net  80.617 ms !N  88.252 ms !N  79.369 ms !N

Tracerouting from the East Coast is fine:

traceroute6 to burnttofu.net (2001:4830:1600:3bf::2) from 2001:470:30:80:e076:63ff:fe88:2d62, 64 hops max, 12 byte packets
 1  2001:470:30:80::2  21.739 ms  1.938 ms  2.474 ms
 2  gige-g3-3.core1.nyc4.he.net  8.678 ms  2.710 ms  2.596 ms
 3  10gigabitethernet2-3.core1.ash1.he.net  7.488 ms  7.168 ms  8.449 ms
 4  ibr01-ve96.asbn01.occaid.net  7.211 ms  7.272 ms  7.177 ms
 5  equi6ix.dc.hotnic.net  9.789 ms  8.597 ms  8.610 ms
 6  sixxs-asbnva-gw.customer.occaid.net  8.782 ms  8.100 ms  9.522 ms
 7  cl-960.qas-01.us.sixxs.net  22.621 ms  20.880 ms  21.072 ms

Attempts to get a response from n...@occaid.net regarding this issue over the past 36 hours have failed. If there is anyone here from occaid.net or knows a clueful person there, can you please point them to this thread. I still think it's a good idea to contact i...@sixxs.net, so they know what's going on, but I don't think it's actually their problem. michael
Re: what if...?
You tell that to http://www.charset.org/punycode.php?encoded=xn--m_omaaamk.comdecode=Punycode+to+normal+text Normal text FMQQSQQT.com to Punycode xn--m_omaaamk.com ? On 20 Dec 2011, at 17:00, Jared Mauch wrote: On Dec 20, 2011, at 11:37 AM, Eduardo A. Suárez wrote: Hi, what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this? Thankfully mom_bank.com is not valid, as underscores aren't valid in dns names :) Additionally, SSL certificates combined with DNSSEC/DANE can provide some protection. Some of this technology may not be available today, but is worth tracking if you are interested in this topic. - Jared
Re: what if...?
On 12/20/11 9:14 AM, Christian de Larrinaga wrote: You tell that to http://www.charset.org/punycode.php?encoded=xn--m_omaaamk.comdecode=Punycode+to+normal+text Normal text FMQQSQQT.com to Punycode xn--m_omaaamk.com ? Dash - is a different character than underscore _ ~Seth
Re: what if...?
On Tue, Dec 20, 2011 at 11:53:12AM -0500, valdis.kletni...@vt.edu wrote: On Tue, 20 Dec 2011 13:37:23 -0300, Eduardo A. Suárez said: what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this? The snarky answer is If your mom has to ask how she can detect this, she's probably going to be unable to do so. The more technically correct answer is that you can check the IP and TTL as returned by your local caching nameserver, and compare them to the values reported from the authoritative NS for the zone. Of course, this means you have to hit the authoritative server, which sort of defeats the purpose of DNS caching. Or you can deploy DNSSEC. Or you can deploy SSL (not perfect, but it raises the bar considerably). Or you can google for DNS RPZ and start reading - the top hit seems to be Paul Vixie's announcement: https://www.isc.org/community/blog/201007/taking-back-dns-0 and start reading - as about the 4th or 5th commenter points out, the threat model is *no* different than a DNS server that forces in its own zones. The commenter is talking in the context of a provider replacing a zone, but it's the same issue if a black hat hacks in a zone. the one difference is that ISC will be shipping RPZ enabled code v. the blackhat having to hack the machine and modify the configuration. in the new BIND w/ RPZ, it will be much harder to determine when RPZ has been tweaked... Lowers the bar considerably. RPZ sucks /bill
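Valdis's check above (ask the local caching nameserver and the zone's authoritative server for the same name, then compare the addresses and TTLs) as an added example; this is not code from the thread. It uses only the Python standard library, so it builds and parses the A-record query itself; the name mom-bank.example, the server addresses and the response bytes in the demo are constructed.

```python
import os
import socket
import struct

def build_query(name, txid, rd=True):
    """Build a single-question DNS query for the A record of `name`.
    rd=True asks a caching resolver to recurse; use rd=False toward the authority."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)

def parse_a_answers(msg):
    """Return (flags, [(owner, ipv4, ttl), ...]) for A records in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((owner, socket.inet_ntoa(rdata), ttl))
    return flags, answers

def compare_answers(cached, authoritative):
    """Findings that suggest the caching resolver is rewriting the answer.
    Addresses from the resolver must be a subset of the authoritative set, and a
    cached copy can never carry a TTL above the one the authority handed out.
    Geo or round-robin DNS produces legitimate differences, so a finding is a
    prompt to look closer; DNSSEC validation is the robust check."""
    if not authoritative:
        return ["authoritative server returned no A records"]
    findings = []
    extra = {ip for _, ip, _ in cached} - {ip for _, ip, _ in authoritative}
    if extra:
        findings.append("resolver returned addresses absent from the authoritative answer: "
                        + ", ".join(sorted(extra)))
    max_auth_ttl = max(ttl for _, _, ttl in authoritative)
    for _, ip, ttl in cached:
        if ttl > max_auth_ttl:
            findings.append(f"resolver TTL {ttl} for {ip} exceeds authoritative TTL {max_auth_ttl}")
    return findings

def query_udp(server, name, rd, timeout=3.0):
    """Send one A query to `server` over UDP and return its parsed answers (needs network)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid, rd), (server, 53))
        msg, _ = sock.recvfrom(4096)
    if struct.unpack("!H", msg[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_a_answers(msg)[1]

def build_response(txid, name, records, flags):
    """Constructed response bytes for offline testing; answers point back at the question name."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(records), 0, 0)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                       for ip, ttl in records)
    return header + question + answers

if __name__ == "__main__":
    # Constructed scenario: the authority (AA flag set) says 192.0.2.10 with TTL 300;
    # the ISP resolver hands back a rewritten 198.51.100.7 with a policy-zone TTL of 3600.
    NAME = "mom-bank.example"
    auth = parse_a_answers(build_response(1, NAME, [("192.0.2.10", 300)], 0x8400))[1]
    cached = parse_a_answers(build_response(1, NAME, [("198.51.100.7", 3600)], 0x8180))[1]
    for finding in compare_answers(cached, auth):
        print("WARNING:", finding)
```

Against real servers, `query_udp(resolver_ip, name, True)` and `query_udp(auth_ip, name, False)` supply the two answer lists; the authoritative server address comes from the zone's NS records.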
Re: what if...?
On Tue, Dec 20, 2011 at 11:37 AM, Eduardo A. Suárez esua...@fcaglp.fcaglp.unlp.edu.ar wrote: Hi, what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this? Does your Mom call you up every time she gets a dialog box complaining about an invalid certificate ? If she has been conditioned just to click OK when that happens, then she probably can't. Regards Marshall Eduardo.- -- Eduardo A. Suarez Facultad de Ciencias Astronómicas y Geofísicas - UNLP FCAG: (0221)-4236593 int. 172/Cel: (0221)-15-4557542/Casa: (0221)-4526589 This message was sent using IMP, the Internet Messaging Program.
Re: what if...?
On 12/20/11 9:23 AM, Christian de Larrinaga wrote: indeed.. now have your Mom read this again C Uh, what? ~Seth
Re: what if...?
On Tue, 20 Dec 2011 17:16:06 GMT, bmann...@vacation.karoshi.com said: the one difference is that ISC will be shipping RPZ enabled code v. the blackhat having to hack the machine and modify the configuration. Either way, the blackhat still has to hack the machine and modify the config. The only difference is what config change they make.
Re: Nexus emulation? Anyone?
You can't use the software switch Nexus 1000V to judge/discuss the Nexus family products N7K, N5K...etc as a whole? Check out this discussion https://supportforums.cisco.com/thread/2054884 Titanium as they call the NX-OS simulator is not available to the public though... -Luan On Tue, Dec 20, 2011 at 12:08 PM, -Hammer- bhmc...@gmail.com wrote: Bah. Look like I need more of an education on Nexus in general. Thanks for the easy pointer. -Hammer- I was a normal American nerd -Jack Herer On 12/20/2011 11:02 AM, Nick Hilliard wrote: On 20/12/2011 13:55, -Hammer- wrote: I know we can't throw NX code on Dynamips but I figured I would ask the group anyway. We are starting to discuss Nexus platform options and I can only get so much from demo depot before our AM gets whiny. Is anyone currently emulating Nexus on anything that is open to the public? nexus1k? Nick
Re: what if...?
You probably want to google for the dnschanger virus -- Sent from my smart phone. Please excuse my brevity On Dec 20, 2011 4:38 p.m., Eduardo A. Suárez esua...@fcaglp.fcaglp.unlp.edu.ar wrote: Hi, what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this? Eduardo.- -- Eduardo A. Suarez Facultad de Ciencias Astronómicas y Geofísicas - UNLP FCAG: (0221)-4236593 int. 172/Cel: (0221)-15-4557542/Casa: (0221)-4526589 This message was sent using IMP, the Internet Messaging Program.
Re: IPV6 issue (occaid.net)
On 12/20/2011 12:12 PM, Michael Sinatra wrote: [...] I still think it's a good idea to contact i...@sixxs.net, so they know what's going on, but I don't think it's actually their problem. michael I did and now it appears to be resolved. Thanks HE and SixXS. -- Stephen Clark *NetWolves* Sr. Software Engineer III Phone: 813-579-3200 Fax: 813-882-0209 Email: steve.cl...@netwolves.com http://www.netwolves.com
Re: what if...?
On 12/20/11 09:31, valdis.kletni...@vt.edu wrote: On Tue, 20 Dec 2011 17:16:06 GMT, bmann...@vacation.karoshi.com said: the one difference is that ISC will be shipping RPZ enabled code v. the blackhat having to hack the machine and modify the configuration. Either way, the blackhat still has to hack the machine and modify the config. The only difference is what config change they make. Yes and... If you have a really insecure DDNS update mechanism on your master RPZ zone, then I can see how RPZ might lower the bar *a little*, but I have to stretch my imagination quite a bit for that to happen. If your ISP doesn't use RPZ (regardless of whether the code is present in BIND), then the bad guy has to hack the box, set up an RPZ configuration, and then pollute it with bad data. Much easier to just install a bunch of fake zones. RPZ is a red herring here. michael
Re: software wanted
On Tue, Dec 20, 2011 at 04:37:35PM +0200, Gregory Edigarov wrote: [snip] can anybody recommend a piece of software, that could graph a live network scanning it via snmp. requirements are: 1. must produce a text output suitable for postproduction. graphviz is an ideal, xml - acceptable. 2. must use no external database i.e. have text config file. clean text console, suitable to run as a cronjob. 3. must be able to work in heterogeneous environment. and, the question is about producing network schematic, not about graphs like mrtg, cacti etc, etc Rather than SNMP probing, for larger layer3 networks try setting up a proper config archive (rancid), then build on mktop and top2dot: http://www.nanog.org/meetings/nanog26/presentations/stephen.pdf If you want to use SNMP and have good detail for layer2 networks and edge stations, take a look at http://www.netdisco.org/ Good old intermapper has been commercial for a while, does probing using several methods and makes pretty maps http://www.intermapper.com/ -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
Re: Nexus emulation? Anyone?
You couldn't use Titanium to judge/discuss the nexus family as a whole either. Aside from 1KV, all the nexus products use ASIC hardware specific to that platform/linecard and no NXOS software emulator exists that mimics those behaviors. 2 cents, Tim At 09:34 AM 12/20/2011, Luan Nguyen gushed: You can't use the software switch Nexus 1000V to judge/discuss the Nexus family products N7K, N5K...etc as a whole? Check out this discussion https://supportforums.cisco.com/thread/2054884 Titanium as they call the NX-OS simulator is not available to the public though... -Luan Tim Stevenson, tstev...@cisco.com Routing Switching CCIE #5561 Distinguished Technical Marketing Engineer, Cisco Nexus 7000 Cisco - http://www.cisco.com IP Phone: 408-526-6759 The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only.
Re: Nexus emulation? Anyone?
I am understanding that more as I am researching. I didn't realize there was a separation between 1000v and [5,7]K. I thought Nexus was Nexus. I should have known not to simplify it to that level. :) So I'm understanding more the differences as well as why I won't be expecting to find a good way to emulate the [5,7]K anytime soon. Thank you all for your comments. -Hammer- I was a normal American nerd -Jack Herer On 12/20/2011 12:03 PM, Tim Stevenson wrote: You couldn't use Titanium to judge/discuss the nexus family as a whole either. Aside from 1KV, all the nexus products use ASIC hardware specific to that platform/linecard and no NXOS software emulator exists that mimics those behaviors. 2 cents, Tim
Re: Nexus emulation? Anyone?
I don't think anyone is asking for a full simulation of the platform in software, that is how the actual ASICs operate. That is probably best for an entirely different conversation. But there is huge need to simulate the control-plane functionally with a basic forwarding ability (not performant, but pass packets correctly such that you can verify the topology). This is something Dynamips does great in emulating a cluster of 7200's and allows operators to validate topologies and planned changes in mainstream IOS platforms. Having that for NX-OS would increase the adoption and confidence in the platform. VM's on multiple boxes make simulating a whole network of a given platform simple and easy. From the outside Cisco continues to miss the need for this. At least some of the other vendors are picking up how helpful this is and are reacting positively to it. David I've been ranting about this to my account team and Nexus management for a while now, so sorry if this is a duplicate you've already seen. On Dec 20, 2011, at 10:03 AM, Tim Stevenson wrote: You couldn't use Titanium to judge/discuss the nexus family as a whole either. Aside from 1KV, all the nexus products use ASIC hardware specific to that platform/linecard and no NXOS software emulator exists that mimics those behaviors. 2 cents, Tim
Re: Nexus emulation? Anyone?
Doesn't Titanium achieve this for you? I know. It's Internal. But it simulates the 7k. Or am I getting it backwards? My point is that if Cisco already simulates it Internally it's only a matter of time before someone ports something -Hammer- I was a normal American nerd -Jack Herer On 12/20/2011 12:19 PM, David Sinn wrote: I don't think anyone is asking for a full simulation of the platform in software, that is how the actual ASICs operate. That is probably best for an entirely different conversation. But there is huge need to simulate the control-plane functionally with a basic forwarding ability (not performant, but pass packets correctly such that you can verify the topology). This is something Dynamips does great in emulating a cluster of 7200's and allows operators to validate topologies and planned changes in mainstream IOS platforms. Having that for NX-OS would increase the adoption and confidence in the platform. VM's on multiple boxes make simulating a whole network of a given platform simple and easy. From the outside Cisco continues to miss the need for this. At least some of the other vendors are picking up how helpful this is and are reacting positively to it. David
Re: Nexus emulation? Anyone?
At 10:18 AM 12/20/2011, -Hammer- gushed: Doesn't Titanium achieve this for you? I know. It's Internal. But it simulates the 7k. Or am I getting it backwards? Titanium is basically the NXOS control plane, sans data plane. It's the platform independent part of the OS. My point is that if Cisco already simulates it Internally it's only a matter of time before someone ports something Not saying whether it's right or wrong, but maintaining, releasing, supporting it would require resources, which as you can imagine get prioritized onto other things. Tim Tim Stevenson, tstev...@cisco.com Routing Switching CCIE #5561 Distinguished Technical Marketing Engineer, Cisco Nexus 7000 Cisco - http://www.cisco.com IP Phone: 408-526-6759 The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only.
Re: Nexus emulation? Anyone?
OK. Thanks for the clarification. I understand that resources would be required to support such an effort. I was more or less implying that if it's done Internally it probably won't be long before someone comes up with a way to do it (Dynamips part deux) for the public. Not supported by Cisco. I don't see how it can hurt Cisco to have people wanting to run their stuff for learning/training/validation purposes in a virtual environment. But that is a whole different thread. -Hammer- I was a normal American nerd -Jack Herer On 12/20/2011 12:31 PM, Tim Stevenson wrote: At 10:18 AM 12/20/2011, -Hammer- gushed: Doesn't Titanium achieve this for you? I know. It's Internal. But it simulates the 7k. Or am I getting it backwards? Titanium is basically the NXOS control plane, sans data plane. It's the platform independent part of the OS. My point is that if Cisco already simulates it Internally it's only a matter of time before someone ports something Not saying whether it's right or wrong, but maintaining, releasing, supporting it would require resources, which as you can imagine get prioritized onto other things. Tim
Re: Nexus emulation? Anyone?
Titanium is a release vehicle for LISP (http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/release/LISP/50_lisp_nx-os_release_note.html), so its existence is public knowledge. Given that Titanium is just a PC with a few NICs there shouldn't be much effort to get it to run under QEMU/KVM/[VM of your choice]. It would probably take someone some time to try and hack it together or quicker if Cisco was willing to publish some use at your own risk pointers. It is, as Tim points out, a support question. Hopefully the pressure of their large customers will get them to see that the support is worth it for the continued adoption of the platform. As I said, other vendors have clued in to this and thus their friction to adoption is reduced as a result. David On Dec 20, 2011, at 10:18 AM, -Hammer- wrote: Doesn't Titanium achieve this for you? I know. It's Internal. But it simulates the 7k. Or am I getting it backwards? My point is that if Cisco already simulates it Internally it's only a matter of time before someone ports something -Hammer-
BGP noob needs monitoring advice
Earlier this year I got a /24 of PA space, set up our shiny new router, got BGP working with both my upstreams, and heaved a sigh of relief: I'll never have to think about THAT again! (Okay, quit laughing; I SAID I was a noob!) Now, I discover that one of my upstreams quit announcing our route in November (fortunately the provider who assigned us the /24, so we're still covered in their /18) and the other upstream apparently started filtering our announcements last week. I'm working with both of them to get that fixed, but it's made it clear to me that I need to be monitoring this. My question for the group is, how? I can and do monitor my own router, and I can see that I'm receiving full routes from both ISPs. I am capable of manually accessing route servers and looking glass servers to check if they're receiving routes to me, but I'd like something more automated. Free is nice, $$ is not a problem, might become a problem. Thanks in advance for any suggestions. -- Dave Pooser Manager of Information Services Alford Media http://www.alfordmedia.com
RE: BGP noob needs monitoring advice
Hey: Manually speaking, you can always telnet to route-views.routeviews.org which is a restricted Cisco interface. Log in with username rviews and don't enable. From the prompt you can do all the show ip bgp commands you need to see whether or not your /24 is being announced via your upstream providers. As an example 'sho ip bgp x.x.x.x' where x.x.x.x is your /24. You should see the announcement originating from your AS over multiple providers that includes both of yours. If not, you know you have a problem. Mike -- Michael K. Smith - CISSP, GSEC, GISP Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D) -Original Message- From: Dave Pooser [mailto:dave.na...@alfordmedia.com] Sent: Tuesday, December 20, 2011 10:53 AM To: nanog@nanog.org Subject: BGP noob needs monitoring advice Earlier this year I got a /24 of PA space, set up our shiny new router, got BGP working with both my upstreams, and heaved a sigh of relief: I'll never have to think about THAT again! (Okay, quit laughing; I SAID I was a noob!) Now, I discover that one of my upstreams quit announcing our route in November (fortunately the provider who assigned us the /24, so we're still covered in their /18) and the other upstream apparently started filtering our announcements last week. I'm working with both of them to get that fixed, but it's made it clear to me that I need to be monitoring this. My question for the group is, how? I can and do monitor my own router, and I can see that I'm receiving full routes from both ISPs. I am capable of manually accessing route servers and looking glass servers to check if they're receiving routes to me, but I'd like something more automated. Free is nice, $$ is not a problem, might become a problem. Thanks in advance for any suggestions. -- Dave Pooser Manager of Information Services Alford Media http://www.alfordmedia.com
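The manual route-views check above has a trap the original poster walked into: a Cisco `show ip bgp x.x.x.x` returns the longest match, so once your /24 is gone the router happily shows the provider's covering /18 and the output still looks healthy. The following is an added example (not code from the thread or from route-views) that parses the text of such a query and checks three things: the prefix shown is exactly yours, every path originates from your AS, and each expected upstream appears as the AS next to yours (after stripping your own prepends). All ASNs, addresses and the sample outputs are constructed from RFC 5398/5737 documentation ranges; the `show ip bgp` text would come from the telnet session described in the post.

```python
import re
from ipaddress import ip_network

NOT_IN_TABLE = "% Network not in table"
ENTRY_RE = re.compile(r"^BGP routing table entry for (\S+),", re.M)
# An AS path is the only line in this output that consists solely of numbers.
ASPATH_RE = re.compile(r"^ {2}(\d+(?: \d+)*) *$", re.M)

# Constructed sample: healthy state, our /24 (origin AS 64500) seen via both
# upstreams 64496 and 64497; the second path carries origin prepends.
SAMPLE_OK = """\
BGP routing table entry for 203.0.113.0/24, version 4711
Paths: (3 available, best #2, table default)
  Not advertised to any peer
  Refresh Epoch 1
  65536 64496 64500
    198.51.100.1 from 198.51.100.1 (198.51.100.1)
      Origin IGP, metric 0, localpref 100, valid, external
  Refresh Epoch 1
  65537 64497 64500 64500 64500
    198.51.100.2 from 198.51.100.2 (198.51.100.2)
      Origin IGP, localpref 100, valid, external, best
  Refresh Epoch 1
  65538 65536 64496 64500
    198.51.100.3 from 198.51.100.3 (198.51.100.3)
      Origin IGP, localpref 100, valid, external
"""

# Constructed sample: the /24 is no longer announced, so the same query is
# answered with the assigning provider's covering /18 (longest match).
SAMPLE_COVERED = """\
BGP routing table entry for 203.0.64.0/18, version 9001
Paths: (2 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 1
  65536 64496
    198.51.100.1 from 198.51.100.1 (198.51.100.1)
      Origin IGP, localpref 100, valid, external, best
  Refresh Epoch 1
  65537 65536 64496
    198.51.100.2 from 198.51.100.2 (198.51.100.2)
      Origin IGP, localpref 100, valid, external
"""


def parse_show_ip_bgp(text):
    """Return (prefix the router answered with, list of AS paths as int lists)."""
    if NOT_IN_TABLE in text:
        return None, []
    m = ENTRY_RE.search(text)
    if m is None:
        raise ValueError("unrecognised show ip bgp output")
    paths = [[int(asn) for asn in p.split()] for p in ASPATH_RE.findall(text)]
    return ip_network(m.group(1)), paths


def upstream_of(path, origin):
    """Nearest AS before the origin, ignoring the origin's own prepends."""
    trimmed = list(path)
    while trimmed and trimmed[-1] == origin:
        trimmed.pop()
    return trimmed[-1] if trimmed else None


def check_announcement(text, prefix, origin, upstreams):
    """Is `prefix` seen exactly, originated by `origin`, via every AS in `upstreams`?"""
    want = ip_network(prefix)
    shown, paths = parse_show_ip_bgp(text)
    report = {
        "exact": shown == want,
        "shown": None if shown is None else str(shown),
        "paths": len(paths),
        "wrong_origin": [],
        "missing_upstreams": sorted(upstreams),
    }
    if not report["exact"]:
        # Covering route or nothing at all: our own prefix is not in the table.
        return report
    seen = set()
    for path in paths:
        if path[-1] != origin:
            report["wrong_origin"].append(path)  # someone else originating our space
            continue
        seen.add(upstream_of(path, origin))
    report["missing_upstreams"] = sorted(set(upstreams) - seen)
    return report


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("covered", SAMPLE_COVERED)):
        print(name, check_announcement(text, "203.0.113.0/24", 64500, [64496, 64497]))
```

Run this against the output of several route servers, not one: a single vantage point only tells you what its own peers forward to it, which is the point made later in the thread about visibility.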
Re: BGP noob needs monitoring advice
At 13:52 20/12/2011 -0500, Dave Pooser wrote: Use one of the following services: http://cyclops.cs.ucla.edu/ http://bgpmon.net/ You'll get an email whenever a routing change takes place in regards to the prefix you are monitoring. -Hank Earlier this year I got a /24 of PA space, set up our shiny new router, got BGP working with both my upstreams, and heaved a sigh of relief: I'll never have to think about THAT again! (Okay, quit laughing; I SAID I was a noob!) Now, I discover that one of my upstreams quit announcing our route in November (fortunately the provider who assigned us the /24, so we're still covered in their /18) and the other upstream apparently started filtering our announcements last week. I'm working with both of them to get that fixed, but it's made it clear to me that I need to be monitoring this. My question for the group is, how? I can and do monitor my own router, and I can see that I'm receiving full routes from both ISPs. I am capable of manually accessing route servers and looking glass servers to check if they're receiving routes to me, but I'd like something more automated. Free is nice, $$ is not a problem, might become a problem. Thanks in advance for any suggestions. -- Dave Pooser Manager of Information Services Alford Media http://www.alfordmedia.com
Re: BGP noob needs monitoring advice
Is http://cyclops.cs.ucla.edu/ still working? I don't seem to receive emails from them anymore when we stop announcing to one of our upstream providers. On the other hand http://bgpmon.net/ does send me emails when an announcement disappears from an upstream, although it's usually a day later. On 12/20/2011 02:03 PM, Hank Nussbacher wrote: At 13:52 20/12/2011 -0500, Dave Pooser wrote: Use one of the following services: http://cyclops.cs.ucla.edu/ http://bgpmon.net/ You'll get an email whenever a routing change takes place in regards to the prefix you are monitoring. -Hank Earlier this year I got a /24 of PA space, set up our shiny new router, got BGP working with both my upstreams, and heaved a sigh of relief: I'll never have to think about THAT again! (Okay, quit laughing; I SAID I was a noob!) Now, I discover that one of my upstreams quit announcing our route in November (fortunately the provider who assigned us the /24, so we're still covered in their /18) and the other upstream apparently started filtering our announcements last week. I'm working with both of them to get that fixed, but it's made it clear to me that I need to be monitoring this. My question for the group is, how? I can and do monitor my own router, and I can see that I'm receiving full routes from both ISPs. I am capable of manually accessing route servers and looking glass servers to check if they're receiving routes to me, but I'd like something more automated. Free is nice, $$ is not a problem, might become a problem. Thanks in advance for any suggestions. -- Dave Pooser Manager of Information Services Alford Media http://www.alfordmedia.com
Re: BGP noob needs monitoring advice
Depending on the nature of your redundant connections, your traffic engineering/bgp settings, and the visibility of the routing through the lost provider to the internet route servers mentioned, you may/may not be able to easily monitor this. Some failures are harder to find than others. Suggestions: 1) On the provider that stopped accepting your prefix, your inbound traffic would have dropped to 0. Monitor for this if this isn't by design already. 2) Use the bgpmon suggested by Dave below to see events which are visible to the route server they use. On Tue, Dec 20, 2011 at 1:03 PM, Hank Nussbacher h...@efes.iucc.ac.ilwrote: At 13:52 20/12/2011 -0500, Dave Pooser wrote: Use one of the following services: http://cyclops.cs.ucla.edu/ http://bgpmon.net/ You'll get an email whenever a routing change takes place in regards to the prefix you are monitoring. -Hank Earlier this year I got a /24 of PA space, set up our shiny new router, got BGP working with both my upstreams, and heaved a sigh of relief: I'll never have to think about THAT again! (Okay, quit laughing; I SAID I was a noob!) Now, I discover that one of my upstreams quit announcing our route in November (fortunately the provider who assigned us the /24, so we're still covered in their /18) and the other upstream apparently started filtering our announcements last week. I'm working with both of them to get that fixed, but it's made it clear to me that I need to be monitoring this. My question for the group is, how? I can and do monitor my own router, and I can see that I'm receiving full routes from both ISPs. I am capable of manually accessing route servers and looking glass servers to check if they're receiving routes to me, but I'd like something more automated. Free is nice, $$ is not a problem, might become a problem. Thanks in advance for any suggestions. -- Dave Pooser Manager of Information Services Alford Media http://www.alfordmedia.com
Re: BGP noob needs monitoring advice
Try this: http://bgpmon.net/ Richard
Re: BGP noob needs monitoring advice
Hi,

.-- My secret spy satellite informs me that at 11-12-20 11:16 AM Bret Clark wrote: Is http://cyclops.cs.ucla.edu/ still working? I don't seem to receive emails from them anymore when we stop announcing to one of our upstream providers. On the other hand http://bgpmon.net/ does send me emails when an announcement disappears from an upstream, although it's usually a day later.

Just to clarify this: For all alert types below BGPmon.net sends out an alert within minutes:
1) prefix withdrawal (prefix disappeared)
2) new upstream
3) new prefix
4) origin AS changes
5) ASpath regex failure
6) policy violation
7) RPKI validation failure

There's one other feature, the routing-report feature, that runs only once a day. It's similar to the CIDR report, but specific to your AS. I like to refer to it as a rancid for your BGP announcements. It's basically a diff between how your routes were visible today and yesterday. This specific feature will also notify the user if you lost / gained one or more upstreams per prefix. Also see http://bgpmon.net/blog/?p=257 for more information about that specific feature.

Cheers,
Andree
Re: IPV6 issue
In message 4ef09908.3050...@netwolves.com, Steve Clark writes: Hello, I have a SIXXS ipv6 tunnel that terminates in Ashburn, Va. I have two HE ipv6 tunnels, one terminates in Dallas the other terminates in Ashburn. I can ping each endpoint of the tunnels that terminate in Ashburn, but I can't ping between the SIXXS and HE with the HE termination in Dallas. Using Looking Glass at HE I can traceroute to my SIXXS tunnel from Chicago but not from Dallas. Any ideas on how to get this fixed. This problem only started occurring within the last week or so. Thanks for your indulgence, -- Stephen Clark *NetWolves* Sr. Software Engineer III Phone: 813-579-3200 Fax: 813-882-0209 Email: steve.cl...@netwolves.com http://www.netwolves.com n...@he.net have always been good when I've had strange issues. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: IPV6 issue
On 12/20/11 12:22, Mark Andrews wrote: In message 4ef09908.3050...@netwolves.com, Steve Clark writes: Hello, I have a SIXXS ipv6 tunnel that terminates in Ashburn, Va. I have two HE ipv6 tunnels, one terminates in Dallas the other terminates in Ashburn. I can ping each endpoint of the tunnels that terminate in Ashburn, but I can't ping between the SIXXS and HE with the HE termination in Dallas. Using Looking Glass at HE I can traceroute to my SIXXS tunnel from Chicago but not from Dallas. Any ideas on how to get this fixed. This problem only started occurring within the last week or so. Thanks for your indulgence, -- Stephen Clark *NetWolves* Sr. Software Engineer III Phone: 813-579-3200 Fax: 813-882-0209 Email: steve.cl...@netwolves.com http://www.netwolves.com n...@he.net have always been good when I've had strange issues. It wasn't strictly an HE problem, since I could reproduce it from Level3's looking glass. In both cases, the occaid.net router in Atlanta appeared to be the Point of Breakage. It looks like the problem has been resolved. michael
Re: what if...?
In message 20111220133723.cfjv8g999ssoc...@fcaglp.fcaglp.unlp.edu.ar, Eduardo A. Suárez writes: Hi, what if evil guys hack my mom's ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this?

The bank signs their zone and mum's machine validates the answers it gets from the ISP. This is not rocket science. This is not beyond the capabilities of even the smallest client that mom would use to talk to the bank. This is how DNSSEC was designed to be used. Validating in the resolver protects the resolver itself and the cache from pollution. It also protects non DNSSEC aware clients from upstream of the resolver threats. It was always expected that clients would validate answers themselves.

Mark

Eduardo.- -- Eduardo A. Suarez Facultad de Ciencias Astronómicas y Geofísicas - UNLP FCAG: (0221)-4236593 int. 172/Cel: (0221)-15-4557542/Casa: (0221)-4526589 This message was sent using IMP, the Internet Messaging Program. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: DNS zone response speed test tool?
- Original Message - From: Todd Lyons tly...@ivenue.com Doesn't do much for long term graphing and monitoring, but for quickie issue detection or verification, http://www.grc.com/dns/benchmark.htm Am I mistaken in thinking that's a tool for measuring the efficiency and accessibility of *customer resolver* servers, not zone servers? Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
RIP DMR - a postscript
In case it hadn't occurred to anyone to look back: http://cm.bell-labs.com/who/dmr/ Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Re: DNS zone response speed test tool?
On Tue, Dec 20, 2011 at 2:21 PM, Jay Ashworth j...@baylink.com wrote: Doesn't do much for long term graphing and monitoring, but for quickie issue detection or verification, http://www.grc.com/dns/benchmark.htm Am I mistaken in thinking that's a tool for measuring the efficiency and accessibility of *customer resolver* servers, not zone servers? Oops, yeah, I was thinking it would do timing of zone servers, but it's aimed at resolvers. Sorry for the misdirection. ...Todd -- If Americans could eliminate sugary beverages, potatoes, white bread, pasta, white rice and sugary snacks, we would wipe out almost all the problems we have with weight and diabetes and other metabolic diseases. -- Dr. Walter Willett, Harvard School of Public Health
Any clueful Megapath/Covad peeps on the list?
If so, can you ping me off-list? Having issues finding clue through your phone tree. Thank You, Mike
Re: IPv6 RA vs DHCPv6 - The chosen one?
On 20/12/2011 8:31 p.m., Owen DeLong wrote: Ideally, the IETF should provide complete solutions based on DHCPv6 and on RA and let the operators decide what they want to use in their environments. +1 I would like to see a simple presentation of the different ways of setting up a small network at the edge with the features, benefits and issues, of each method. My interest is in networks with 2 to 20 devices in them. ie, small business and home. I would also like to see a survey of how people are setting up their small networks. While some are interested in the purest way of setting them up, I'm not. I'm interested in how people are setting them up. When setting up networks for customers, I'm interested in doing it in the most common way. What I don't want is to end up with a bad name because I set up stuff 'the right way' but in such a way that the next tech the customer calls gets annoyed that what I've done is so complex that it will cost the customer $ to fix a fault. I'm sure these comments have been made by others in the past, I'm just adding a voice. D -- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699
Re: IPv6 RA vs DHCPv6 - The chosen one?
The IPv6 RA autoconfiguration method allows autoconfiguring IPv6-capable network interfaces by sending IPv6 prefixes throughout a link, so every node that understands its message format can derive its own IPv6 address based on internal algorithms. By using RA, you can configure almost any node to serve as a router (i.e. running RADVD). As a matter of fact, there are some flags in the RAs to set the DHCP as the complement device to get full information about the network. In cases when the only thing you need to know is a basic network configuration (routes), or if devices don't need to use other external services such as DNS, RA should be enough. On the other hand, DHCPv6 works in a way very similar to DHCPv4, and you can spread information like the DNS servers for a given link or network. More advanced auto-configuration schemes may be reached by using RA+DHCPv6. Think of scenarios like mobile networks, multihomed hosts and low-power IP-based networks. BR. -- Daniel Espejel Pérez
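The flags the post refers to are the M (managed) and O (other configuration) bits in the RA header (RFC 4861), plus the A (autonomous) bit on each Prefix Information option that decides whether hosts do SLAAC on that prefix; DNS servers can also ride in the RA itself via the RDNSS option (RFC 6106). The following is an added example, not code from the thread, that builds an RA from those fields, parses it back the way a host would, and derives what the host will do: SLAAC, DHCPv6 for addresses, DHCPv6 for "other" information, or DNS straight from the RA. The prefixes, addresses and lifetimes are constructed (RFC 3849 documentation space); the checksum is left zero because the kernel computes it over the IPv6 pseudo-header when the packet is actually sent. One caveat a practitioner should keep in mind when choosing RA for more and more configuration: RAs are unauthenticated link-local multicast, so anything this parser accepts from a real interface it would accept from any host on the segment.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

ND_ROUTER_ADVERT = 134                      # ICMPv6 type, RFC 4861
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25
RA_HDR = "!BBHBBHII"                        # type, code, csum, hoplimit, flags, lifetime, reachable, retrans


def build_ra(hop_limit=64, managed=False, other=False, router_lifetime=1800,
             prefixes=(), rdnss=()):
    """ICMPv6 payload of a Router Advertisement (constructed example values)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)   # M and O bits
    msg = struct.pack(RA_HDR, ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                      router_lifetime, 0, 0)
    for net, autonomous in prefixes:
        net = IPv6Network(net)
        pflags = 0x80 | (0x40 if autonomous else 0)   # L (on-link) and A (SLAAC)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           2592000, 604800, 0) + net.network_address.packed
    if rdnss:
        body = struct.pack("!HI", 0, 3600) + b"".join(IPv6Address(a).packed for a in rdnss)
        msg += struct.pack("!BB", OPT_RDNSS, 1 + 2 * len(rdnss)) + body   # length in 8-octet units
    return msg


def parse_ra(msg):
    """Decode an RA the way a receiving host does; raises ValueError on malformed input."""
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT or msg[1] != 0:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop, flags, lifetime, _, _ = struct.unpack(RA_HDR, msg[:16])
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off < len(msg):
        if len(msg) - off < 2:
            raise ValueError("truncated option")
        typ, ln = msg[off], msg[off + 1]
        if ln == 0:                               # RFC 4861 4.6: must be discarded
            raise ValueError("zero-length option")
        opt = msg[off:off + 8 * ln]
        if len(opt) != 8 * ln:
            raise ValueError("truncated option")
        if typ == OPT_PREFIX_INFO and ln == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": str(IPv6Network((opt[16:32], plen), strict=False)),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif typ == OPT_RDNSS and ln >= 3 and ln % 2 == 1:
            n = (ln - 1) // 2
            ra["rdnss"] += [str(IPv6Address(opt[8 + 16 * i:24 + 16 * i])) for i in range(n)]
        # Unknown option types are skipped by their length, as RFC 4861 requires.
        off += 8 * ln
    return ra


def host_plan(ra):
    """What a conforming host does with this RA (RFC 4861/4862 semantics)."""
    return {
        "default_router": ra["router_lifetime"] > 0,
        "slaac_prefixes": [p["prefix"] for p in ra["prefixes"] if p["autonomous"]],
        "dhcpv6_for_addresses": ra["managed"],
        # M set implies all configuration comes from DHCPv6, so O is redundant then.
        "dhcpv6_for_other": ra["managed"] or ra["other"],
        "dns_from_ra": ra["rdnss"],
    }


if __name__ == "__main__":
    ra = parse_ra(build_ra(other=True, prefixes=[("2001:db8:1::/64", True)],
                           rdnss=["2001:db8::53"]))
    print(host_plan(ra))
```

The two deployment styles from the thread map directly onto the flags: RA-only is M=0 with A=1 prefixes (and RDNSS if you want DNS without a DHCPv6 server); "everything via DHCPv6" is M=1 with A=0 prefixes, where the RA still has to supply the default router because DHCPv6 has no standard option for it.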
Happy xmas folks
I just want to say happy xmas to everyone at NANOG. I'm about to sign off for the holidays. Andrew
Re: Happy xmas folks
On 12/20/2011 10:08 PM, andrew.wallace wrote: I just want to say happy xmas to everyone at NANOG. I'm about to sign off for the holidays. Andrew enjoy your Christmas, and you don't have to come back after the holidays, we'll be fine without you. Andrew
Re: Happy xmas folks
On Wed, Dec 21, 2011 at 3:44 AM, Andrew D Kirch trel...@trelane.net wrote: On 12/20/2011 10:08 PM, andrew.wallace wrote: I just want to say happy xmas to everyone at NANOG. I'm about to sign off for the holidays. Andrew enjoy your chistmas, and you don't have to come back after the holidays, we'll be fine without you. Andrew Thats fine. Andrew https://plus.google.com/115085501867247270932/about
Re: BGP noob needs monitoring advice
On 12/20/2011 1:52 PM, Dave Pooser wrote: My question for the group is, how? I can and do monitor my own router, and I can see that I'm receiving full routes from both ISPs. I am capable of

you might want to start with a good monitoring software like Argus - http://argus.tcp4me.com/

Group "Upstream Connections" {
    Group "T3 to whomever" {
        Service Ping {
            hostname: far-side.example.net
        }
        Service UDP/SNMP {
            eqvalue:  6
            label:    BGP
            uname:    BGP
            oid:      .1.3.6.1.2.1.15.3.1.2.x.x.x.x
            hostname: your-router.example.net
        }
    }
    Group "T3 to whomever2" {
        Service Ping {
            hostname: far-other-side.example.net
        }
        Service UDP/SNMP {
            eqvalue:  6
            label:    BGP
            uname:    BGP
            oid:      .1.3.6.1.2.1.15.3.1.2.x.x.x.x
            hostname: your-router.example.net
        }
    }
}

something like that will alert you when BGP is anything other than happy. your oid may vary. use snmpwalk to help. then you could also add:

Service Prog {
    frequency: 1800
    command:   chkbgp.pl -a ASN -n network -r route_server
    nexpect:   evil
}

* http://jeremy.kister.net/code/perl/chkbgp.pl

-- Jeremy Kister http://jeremy.kister.net./