Re: Switch designed for mirroring tap ports

2012-03-01 Thread Jay Moran
Ameen,

We've had very good success using Brocade MLX's for this very thing
(actually, might be older XMRs, but should be same platform at this point).
Check out the transparent-hw-flooding command under a VLAN. It basically
turns off mac learning, and just floods it on the vlan's member ports.

If you want to be creative and say split out port 80 traffic to one port
and the rest to another, you can use policy based routing to change the
destination VLAN for just tcp/80 traffic.

If you want to have many different inputs going to many different outputs
some with PBR, some without, then you may have to get very creative and use
cables coming out of one port on the box and going back into another port.

We're using this successfully with multiple 10GE ports.

Jay
--
Jay Moran
http://tp.org/jay


On Thu, Mar 1, 2012 at 3:12 PM, A. Pishdadi apishd...@gmail.com wrote:

 Hello All,

 We are looking for a switch or a device that we can use for mirroring tap
 ports. For example, take a mirror port off of a core router, say a 6509,
 connect it to a port on said device, say port 1. I would like then to be
 able to mirror port 1 on said device to multiple ports, like port 2, 3,
 4. We have the need to analyze traffic from one port on multiple devices.
 Seems most switches are limited to mirroring to a max of 1 or 2 ports.


 Any suggestions would be great.

 Thanks,
 Ameen



Re: Switch designed for mirroring tap ports

2012-03-01 Thread gwoo...@gmail.com
Instead of monitoring the physical interface, monitor the vlan from a Cisco IOS 
perspective on a CAT6500.  This will capture all physical interfaces associated 
with that vlan for mirroring/span.

HTH

Jonathan
#22744

Sent from my HTC on the Now Network from Sprint!

- Reply message -
From: A. Pishdadi apishd...@gmail.com
Date: Wed, Feb 29, 2012 11:12 pm
Subject: Switch designed for mirroring tap ports
To: NANOG nanog@nanog.org

Hello All,

We are looking for a switch or a device that we can use for mirroring tap
ports. For example, take a mirror port off of a core router, say a 6509,
connect it to a port on said device, say port 1. I would like then to be
able to mirror port 1 on said device to multiple ports, like port 2, 3,
4. We have the need to analyze traffic from one port on multiple devices.
Seems most switches are limited to mirroring to a max of 1 or 2 ports.


Any suggestions would be great.

Thanks,
Ameen


Re: Switch designed for mirroring tap ports

2012-03-01 Thread A. Pishdadi
No, the issue isn't monitoring many ports at once, it's having more than 1 set
of monitoring, or 2 sets in the 6500 case. So I am monitoring say port
channel 1 to ports 1 2 3 4, and port channel 2, ports 4 5 6 and 7. After
that I cannot monitor any more ports.

On Thu, Mar 1, 2012 at 2:34 AM, gwoo...@gmail.com gwoo...@gmail.com wrote:

 Instead of monitoring the physical interface, monitor the vlan from a
 Cisco IOS perspective on a CAT6500.  This will capture all physical
 interfaces associated with that vlan for mirroring/span.

 HTH

 Jonathan
 #22744

 Sent from my HTC on the Now Network from Sprint!


 - Reply message -
 From: A. Pishdadi apishd...@gmail.com
 Date: Wed, Feb 29, 2012 11:12 pm
 Subject: Switch designed for mirroring tap ports
 To: NANOG nanog@nanog.org

 Hello All,

 We are looking for a switch or a device that we can use for mirroring tap
 ports. For example, take a mirror port off of a core router, say a 6509,
 connect it to a port on said device, say port 1. I would like then to be
 able to mirror port 1 on said device to multiple ports, like port 2, 3,
 4. We have the need to analyze traffic from one port on multiple devices.
 Seems most switches are limited to mirroring to a max of 1 or 2 ports.


 Any suggestions would be great.

 Thanks,
 Ameen





Re: BBC reports Kenya fiber break

2012-03-01 Thread Georgios Theodoridis

Is the exact time of the incident known?
I have found an article reporting that the cut occurred in the mid-day
of Saturday 25th but nothing more precise.
We would like to use such information for a BGP anomaly detection
analysis that we are carrying out in our research centre.


Thanks in advance,

George


On 02/29/2012 03:53 PM, Jan Schaumann wrote:

Joly MacFiej...@punkcast.com  wrote:

A comment on the WSJ story
http://online.wsj.com/article/SB10001424052970203833004577249434081658686.html
contains a link to a great map.

http://www.submarinecablemap.com/

I always liked this one, too:
http://is.gd/DXcddb

(Yes, flash. Still.)

-Jan


Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Tim Franklin
 GAI/GNI do not return TTL values, but this should not be a problem.
 If they were to return anything, it should not be a TTL, but a time()
 value, after which the result may no longer be used.

 One way to achieve that would be for GAI to return an opaque structure
 that contained the IP and such a value, in a manner consumable by the
 sockets API, and adjust connect() to return an error if passed a
 structure containing a 'returned time + TTL' in the past.

AF_INET_TTL and AF_INET6_TTL, with correspondingly expanded struct sockaddr_*?

Code that explicitly requests AF_INET or AF_INET6 would get what it was 
expecting, code that requests AF_UNSPEC on a system with modified getaddrinfo() 
would get the expanded structs with the different ai_family set, and could pass 
them straight into a modified connect().

I'm sure I'm grossly oversimplifying somewhere though...

Regards,
Tim.



Re: Switch designed for mirroring tap ports

2012-03-01 Thread David Swafford
Take a look at VACLs on the Cat side.  It has a capture feature that is
effectively the same as a local SPAN, but without the 2 session limit. If
you do a lot of RSPAN though, this wouldn't be your complete answer (VACL
captures are local only).  VACLs are a bit more granular in defining what's
captured; if, say, you only wanted traffic destined to TCP/80, you could
configure it that way.

David.


On Thu, Mar 1, 2012 at 5:52 AM, Terry Baranski 
terry.baranski.l...@gmail.com wrote:

 On Mar 1, 2012, at 02:13 AM, apishd...@gmail.com wrote:

  Hello All,
 
  We are looking for a switch or a device that we can use for mirroring
  tap ports. For example, take a mirror port off of a core router, say
  a 6509, connect it to a port on said device, say port 1. I would like
  then to be able to mirror port 1 on said device to multiple ports,
  like port 2, 3, 4. We have the need to analyze traffic from one port
  on multiple devices. Seems most switches are limited to mirroring to a
  max of 1 or 2 ports.

 We like Gigamon for this purpose.

 -Terry






RE: Switch designed for mirroring tap ports

2012-03-01 Thread Chris Mills
Echoing what Terry said... we use gigamon devices for this too.

-Chris
On Mar 1, 2012 5:53 AM, Terry Baranski terry.baranski.l...@gmail.com
wrote:

 On Mar 1, 2012, at 02:13 AM, apishd...@gmail.com wrote:

  Hello All,
 
  We are looking for a switch or a device that we can use for mirroring
  tap ports. For example, take a mirror port off of a core router, say
  a 6509, connect it to a port on said device, say port 1. I would like
  then to be able to mirror port 1 on said device to multiple ports,
  like port 2, 3, 4. We have the need to analyze traffic from one port
  on multiple devices. Seems most switches are limited to mirroring to a
  max of 1 or 2 ports.

 We like Gigamon for this purpose.

 -Terry






Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Owen DeLong

On Feb 29, 2012, at 10:15 PM, Jimmy Hess wrote:

 On Mon, Feb 27, 2012 at 10:57 PM, Matt Addison
 matt.addi...@lists.evilgeni.us wrote:
 gai/gni do not return TTL values on any platforms I'm aware of, the
 only way to get TTL currently is to use a non standard resolver (e.g.
 lwres). The issue is application developers not calling gai every time
 
 GAI/GNI do not return TTL values, but this should not be a problem.
 If they were to return anything, it should not be a TTL, but a time()
 value, after which the result may no longer be used.
 
 One way to achieve that would be for GAI to return an opaque structure
 that contained the IP and such a value, in a manner consumable by the
 sockets API, and adjust connect() to return an error if passed a
 structure containing a 'returned time + TTL' in the past.
 
 
 TTL values are a DNS resolver function;  the application consuming the
 sockets API
 should not be concerned about details of the DNS protocol.
 
 All the application developer should need to know is that you invoke
 GAI/GNI and wait for a response.
 Once you have that response,  it is permissible to use the value immediately,
 but you may not store or re-use that value  for more than a few seconds.
 
 If you require that value again later, then you invoke GAI/GNI again;
 any caching details
 are the concern of the resolver library developer who has implemented GAI/GNI.
 
 --
 -JH

The simpler approach and perfectly viable without mucking up what is already 
implemented and working:

Don't keep returns from GAI/GNI around longer than it takes to cycle through 
your connect() loop immediately after the GAI/GNI call.

If you write your code to the standard of:

getaddrinfo();
/* do something with the results */
freeaddrinfo();

with a very limited amount of time passing between getaddrinfo() and 
freeaddrinfo(), then you don't need TTLs and it doesn't matter.

The system resolver library should do the right thing with DNS TTLs for records 
retrieved from DNS and a subsequent call to getaddrinfo() within the DNS TTL 
for the previously retrieved record should be a relatively cheap, fast 
in-memory operation.

Owen




RE: Switch designed for mirroring tap ports

2012-03-01 Thread Harry Hoffman


Re: Switch designed for mirroring tap ports

2012-03-01 Thread Robert E. Seastrom

A. Pishdadi apishd...@gmail.com writes:

 We are looking for a switch or a device that we can use for mirroring tap
 ports. For example, take a mirror port off of a core router, say a 6509,
 connect it to a port on said device, say port 1. I would like then to be
 able to mirror port 1 on said device to multiple ports, like port 2, 3,
 4. We have the need to analyze traffic from one port on multiple devices.
 Seems most switches are limited to mirroring to a max of 1 or 2 ports.

http://www.netoptics.com/products/regeneration-taps

Been reasonably happy with these on 100m and gigabit links in the
past, can't imagine that their 10g products don't work just as well.

-r




Re: Switch designed for mirroring tap ports

2012-03-01 Thread David Barak
Hi Ameen,

Wouldn't it work to have a switch aggregating your monitor sessions just 
disable MAC learning?  Traffic from a single input interface would be 
replicated to all other ports on the vlan where learning is disabled.  
I've used this with a 3750, and I haven't seen any trouble (other than 
that you don't want that switch in-line with anything else).

David Barak


Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Joe Greco
 
 On Wed, Feb 29, 2012 at 4:02 PM, Joe Greco jgr...@ns.sol.net wrote:
  In the specific case of TTL, the problem is made much worse due to the
  way most client code has hidden this data from developers, so that many
  developers don't even have any idea that such a thing exists.
 
  I'm not sure how to see that as a design failure of the TTL mechanism.
 
 Hi Joe,
 
 You shouldn't see that as a design failure of the TTL mechanism. It
 isn't. It's a failure of the system of which DNS TTL is a component.
 The TTL component itself was reasonably designed.

Think that's pretty much what I said.

 The failure is likened to installing a well designed sprinkler system
 (the DNS with a TTL) and then shutting off the water valve
 (gethostbyname/getaddrinfo).

No, the water still works as intended.  I think your analogy starts to
fail here.  It's more like expecting a water suppression system to put
out a grease fire.  The TTL mechanism is completely suitable for what
it was originally meant for, and in an environment where everyone has
followed the rules, it works fine.  If you take a light office space
with sprinklers and remodel it into a short order grill, the fire
inspector will require you to rework the fire suppression system to
an appropriate system.

Problem is, TTL is a relatively light-duty system that people have felt
free to ignore, overload for other purposes, etc., but there's no fire
inspector to come around and tell people how and why what they've done
is broken.  In the case of TTL, the system is even largely hidden from
users, so that it is rarely thought about except now and then on NANOG,
dns-operations, etc.  ;-)  No wonder it is even poorly understood.

  I don't see developers ignoring DNS and hardcoding IP addresses into
  code as a failure of the DNS system.
 
 It isn't. It's a failure of the sockets API design which calls on
 every application developer to (a) translate the name to a set of
 addresses with a mechanism that discards the TTL knowledge and (b)
 implement his own glue between name to address mapping and connect by
 address.
 
 It would be like telling an app developer: here's the ARP function and
 the SEND function. When you Send to an IP address, make sure you
 attach the right destination MAC. Of course the app developer gets it
 wrong most of the time.

That's correct - and it doesn't imply that the system that was engineered
is faulty.  In all likelihood, the fault lies with what the app developer
was told.

You originally said:

If three people died and the building burned down then the sprinkler
system didn't work. It may have sprayed water, but it didn't *work*.

That's not true.  If it sprayed water in the manner it was designed to,
then it worked.  If three people took sleeping pills and didn't wake up
when the alarms blared, and an arsonist poured ten gallons of gas
everywhere before lighting the fire, the system still worked.  It failed
to save those lives or protect the building from burning down, but I
am aware of no fire suppression system that realistically attempts to
address that.  It is an unreasonable expectation.

I have a hard time seeing the many self-inflicted wounds of people who
have attempted to abuse TTL for various purposes as a failure of the TTL
design.  The design is reasonable.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread William Herrin
On Thu, Mar 1, 2012 at 7:20 AM, Owen DeLong o...@delong.com wrote:
 The simpler approach and perfectly viable without mucking
 up what is already implemented and working:

 Don't keep returns from GAI/GNI around longer than it takes
 to cycle through your connect() loop immediately after the GAI/GNI call.

The even simpler approach: create an AF_NAME with a sockaddr struct
that contains a hostname instead of an IPvX address. Then let
connect() figure out the details of caching, TTLs, protocol and
address selection, etc.  Such a connect() could even support a revised
TCP stack which is able to retry with the other addresses at the first
subsecond timeout rather than camping on each address in sequence for
the typical system default of two minutes.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread William Herrin
On Thu, Mar 1, 2012 at 8:25 AM, Joe Greco jgr...@ns.sol.net wrote:
 If three people died and the building burned down then the sprinkler
 system didn't work. It may have sprayed water, but it didn't *work*.

 That's not true.  If it sprayed water in the manner it was designed to,
 then it worked.

That's like the old crack about ICBM interceptors. Why yes, our system
performed swimmingly in the latest test achieving nine out of the ten
criteria for success. Which criteria didn't it achieve? It missed the
target.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



RE: Switch designed for mirroring tap ports

2012-03-01 Thread Slade, Ian
Yes, the Cat 6500s are limited to a certain number of SPAN/port
monitoring sessions.

Another tool we've switched to, after using the Gigamon for many years,
is taps and the Anue 5236 (10Gb) port aggregator.  From this we can
split the SPAN feeds into different IDS/monitoring servers or load-share
among several output servers.  It is a great tool and has a very easy GUI to
control the feeds and output ports.


Ian Slade
Sr. Network Engineer, SAIC ITS Systems Engineering
ian.sl...@saic.com  703-676-5234  http://www.saic.com


-Original Message-
From: nanog-bounces+ian.slade=saic@nanog.org
[mailto:nanog-bounces+ian.slade=saic@nanog.org] On Behalf Of A.
Pishdadi
Sent: Thursday, March 01, 2012 3:54 AM
To: gwoo...@gmail.com
Cc: NANOG
Subject: Re: Switch designed for mirroring tap ports

No, the issue isn't monitoring many ports at once, it's having more than 1
set of monitoring, or 2 sets in the 6500 case. So I am monitoring say
port channel 1 to ports 1 2 3 4, and port channel 2, ports 4 5 6 and 7.
After that I cannot monitor any more ports.

On Thu, Mar 1, 2012 at 2:34 AM, gwoo...@gmail.com gwoo...@gmail.com
wrote:

 Instead of monitoring the physical interface, monitor the vlan from a 
 Cisco IOS perspective on a CAT6500.  This will capture all physical 
 interfaces associated with that vlan for mirroring/span.

 HTH

 Jonathan
 #22744

 Sent from my HTC on the Now Network from Sprint!


 - Reply message -
 From: A. Pishdadi apishd...@gmail.com
 Date: Wed, Feb 29, 2012 11:12 pm
 Subject: Switch designed for mirroring tap ports
 To: NANOG nanog@nanog.org

 Hello All,

 We are looking for a switch or a device that we can use for mirroring 
 tap ports. For example, take a mirror port off of a core router, say a
 6509, connect it to a port on said device, say port 1. I would like 
 then to be able to mirror port 1 on said device to multiple ports, 
 like port 2, 3, 4. We have the need to analyze traffic from one port
 on multiple devices.
 Seems most switches are limited to mirroring to a max of 1 or 2 ports.


 Any suggestions would be great.

 Thanks,
 Ameen






Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Joe Greco
 On Thu, Mar 1, 2012 at 8:25 AM, Joe Greco jgr...@ns.sol.net wrote:
  If three people died and the building burned down then the sprinkler
  system didn't work. It may have sprayed water, but it didn't *work*.
 
  That's not true. If it sprayed water in the manner it was designed to,
  then it worked.
 
 That's like the old crack about ICBM interceptors. Why yes, our system
 performed swimmingly in the latest test achieving nine out of the ten
 criteria for success. Which criteria didn't it achieve? It missed the
 target.

Difference: the fire suppression system worked as designed, the ICBM 
didn't.

That's kind of the whole point here.  If you have something like an
automobile that's designed to protect you against certain kinds of
accidents, it isn't a failure if it does not protect you against an
accident that is not reasonably within the protection envelope.

For example, cars these days are designed to protect against many
different types of impacts and provide survivability.  It is a failure
if my car is designed to protect against a head-on crash at 30MPH by
use of engineered crumple zones and deploying air bags, and I get into
such an accident and am killed regardless.  However, if I fly my car
into a bridge abutment at 150MPH and am instantly pulverized, I am not
prepared to consider that a failure of the car.  Likewise, if a freeway
overpass slab falls on my car and crushes me as I drive underneath it,
I am not going to consider that a failure of the car.

There's a definite distinction between a system that fails when it is
deployed and used in the intended manner, and a system that doesn't
work as you'd like it to when it is used in some incorrect manner, which
is really not a failure as the word is normally used.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: BBC reports Kenya fiber break

2012-03-01 Thread Oliver Garraux
On Thu, Mar 1, 2012 at 4:11 AM, Georgios Theodoridis gt...@iti.gr wrote:
 Is the exact time of the incident known?
 I have found an article reporting that the cut occurred in the mid-day of
 Saturday 25th but nothing more precise.
 We would like to use such information for a BGP anomaly detection analysis
 that we are carrying out in our research centre.

 Thanks in advance,

 George



It sounds like there were multiple cables that were lost recently.
For the EASSy cable issue in the Red Sea, an ISP in Malawi stated the
issues started at 09:26 on Friday 17 February.  I don't know first
hand if that is accurate to the minute or not.  I believe this is
separate from the cable off the coast of Kenya that was cut on the
25th.

Oliver



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Michael Thomas

On 03/01/2012 06:26 AM, William Herrin wrote:

On Thu, Mar 1, 2012 at 7:20 AM, Owen DeLongo...@delong.com  wrote:

The simpler approach and perfectly viable without mucking
up what is already implemented and working:

Don't keep returns from GAI/GNI around longer than it takes
to cycle through your connect() loop immediately after the GAI/GNI call.

The even simpler approach: create an AF_NAME with a sockaddr struct
that contains a hostname instead of an IPvX address. Then let
connect() figure out the details of caching, TTLs, protocol and
address selection, etc.  Such a connect() could even support a revised
TCP stack which is able to retry with the other addresses at the first
subsecond timeout rather than camping on each address in sequence for
the typical system default of two minutes.


The effect of what you're recommending is to move all of this
into the kernel, and in the process greatly expand its scope. Also:
even if you did this, you'd be saddled with the same problem because
nothing existing would use an AF_NAME.

The real issue is that gethostbyxxx has been inadequate for a very
long time. Moving it across the kernel boundary solves nothing and
most likely causes even more trouble: what if I want, say, asynchronous
name resolution? What if I want to use SRV records? What if a new DNS
RR comes around -- do I have to recompile the kernel? It's for these
reasons and probably a whole lot more that connect just confuses the
actual issues.

When I was writing the first version of DKIM I used a library that I scraped
off the net called ARES. It worked adequately for me, but the most notable
thing was the very fact that I had to scrape it off the net at all. As far as
I could tell, standard distros don't have libraries with lower level access to
DNS (in my case, it needed to not block). Before positing a super-deluxe
gethostbyxx that does address picking, etc, etc, it would be better to
lobby all of the distros to settle on a decomposed resolver library from
which that and more could be built.

Mike



Re: Switch designed for mirroring tap ports

2012-03-01 Thread Shawn Morris
I believe MRV's Media Cross Connects will do this.

http://www.mrv.com/tap/physical-layer/


On Thu, Mar 1, 2012 at 1:12 AM, A. Pishdadi apishd...@gmail.com wrote:
 Hello All,

 We are looking for a switch or a device that we can use for mirroring tap
 ports. For example, take a mirror port off of a core router, say a 6509,
 connect it to a port on said device, say port 1. I would like then to be
 able to mirror port 1 on said device to multiple ports, like port 2, 3,
 4. We have the need to analyze traffic from one port on multiple devices.
 Seems most switches are limited to mirroring to a max of 1 or 2 ports.


 Any suggestions would be great.

 Thanks,
 Ameen



Re: Switch designed for mirroring tap ports

2012-03-01 Thread Ron Broersma
Be careful when considering the Anue products.  When we evaluated both Anue and 
Gigamon, we had to rule out Anue due to total lack of IPv6 support, and went 
with Gigamon instead.  I have not heard whether the situation has changed in 
the last year.  We liked both products for their functionality and ease of use, 
but for us IPv6 was the distinguishing capability.

--Ron

Ron Broersma
DREN Chief Engineer

On Mar 1, 2012, at 9:50 AM, Slade, Ian wrote:

 Yes, the Cat 6500s are limited to a certain number of SPAN/port
 monitoring sessions.
 
 Another tool we've switched to, after using the Gigamon for many years,
 is taps and the Anue 5236 (10Gb) port aggregator.  From this we can
 split the SPAN feeds into different IDS/monitoring servers or load-share
 among several output servers.  It is a great tool and has a very easy GUI to
 control the feeds and output ports.
 
 
 Ian Slade
 Sr. Network Engineer, SAIC ITS Systems Engineering
 ian.sl...@saic.com  703-676-5234  http://www.saic.com
 
 
 -Original Message-
 From: nanog-bounces+ian.slade=saic@nanog.org
 [mailto:nanog-bounces+ian.slade=saic@nanog.org] On Behalf Of A.
 Pishdadi
 Sent: Thursday, March 01, 2012 3:54 AM
 To: gwoo...@gmail.com
 Cc: NANOG
 Subject: Re: Switch designed for mirroring tap ports
 
 No, the issue isn't monitoring many ports at once, it's having more than 1
 set of monitoring, or 2 sets in the 6500 case. So I am monitoring say
 port channel 1 to ports 1 2 3 4, and port channel 2, ports 4 5 6 and 7.
 After that I cannot monitor any more ports.
 
 On Thu, Mar 1, 2012 at 2:34 AM, gwoo...@gmail.com gwoo...@gmail.com
 wrote:
 
 Instead of monitoring the physical interface, monitor the vlan from a 
 Cisco IOS perspective on a CAT6500.  This will capture all physical 
 interfaces associated with that vlan for mirroring/span.
 
 HTH
 
 Jonathan
 #22744
 
 Sent from my HTC on the Now Network from Sprint!
 
 
 - Reply message -
 From: A. Pishdadi apishd...@gmail.com
 Date: Wed, Feb 29, 2012 11:12 pm
 Subject: Switch designed for mirroring tap ports
 To: NANOG nanog@nanog.org
 
 Hello All,
 
 We are looking for a switch or a device that we can use for mirroring 
 tap ports. For example, take a mirror port off of a core router, say a
 6509, connect it to a port on said device, say port 1. I would like 
 then to be able to mirror port 1 on said device to multiple ports, 
 like port 2, 3, 4. We have the need to analyze traffic from one port
 on multiple devices.
 Seems most switches are limited to mirroring to a max of 1 or 2 ports.
 
 
 Any suggestions would be great.
 
 Thanks,
 Ameen
 
 
 
 





Riverbed/Akamai/Rakamai

2012-03-01 Thread Kristian Kielhofner
As long as we're talking about cloud networks, Akamai and Riverbed
have finally let out details on their partnership for optimizing
Cloud applications:

http://www.nojitter.com/post/232601716/rakamai-makes-the-cloud-work-better

While I'm familiar with Akamai (what they do and how they do it) I
don't have any experience with Riverbed.

Does anyone know what they actually do and how they do it?  As usual
it's tough to cut through the marketing on the little detail they make
available (never a good sign).

-- 
Kristian Kielhofner



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Joe Greco
 On 03/01/2012 06:26 AM, William Herrin wrote:
  On Thu, Mar 1, 2012 at 7:20 AM, Owen DeLongo...@delong.com  wrote:
  The simpler approach and perfectly viable without mucking
  up what is already implemented and working:
 
  Don't keep returns from GAI/GNI around longer than it takes
  to cycle through your connect() loop immediately after the GAI/GNI call.
  The even simpler approach: create an AF_NAME with a sockaddr struct
  that contains a hostname instead of an IPvX address. Then let
  connect() figure out the details of caching, TTLs, protocol and
  address selection, etc.  Such a connect() could even support a revised
  TCP stack which is able to retry with the other addresses at the first
  subsecond timeout rather than camping on each address in sequence for
  the typical system default of two minutes.
 
 The effect of what you're recommending is to move all of this
 into the kernel, and in the process greatly expand its scope. Also:
 even if you did this, you'd be saddled with the same problem because
 nothing existing would use an AF_NAME.
 
 The real issue is that gethostbyxxx has been inadequate for a very
 long time. Moving it across the kernel boundary solves nothing and
 most likely causes even more trouble: what if I want, say, asynchronous
 name resolution? What if I want to use SRV records? What if a new DNS
 RR comes around -- do I have to recompile the kernel? It's for these
 reasons and probably a whole lot more that connect just confuses the
 actual issues.
 
 When I was writing the first version of DKIM I used a library that I scraped
 off the net called ARES. It worked adequately for me, but the most notable
 thing was the very fact that I had to scrape it off the net at all. As far as
 I could tell, standard distros don't have libraries with lower level access to
 DNS (in my case, it needed to not block). Before positing a super-deluxe
 gethostbyxx that does address picking, etc, etc, it would be better to
 lobby all of the distros to settle on a decomposed resolver library from
 which that and more could be built.

It's deeper than just that, though.  The whole paradigm is messy, from
the point of view of someone who just wants to get stuff done.  The
examples are (almost?) all fatally flawed.  The code that actually gets
at least some of it right ends up being too complex and too hard for
people to understand why things are done the way they are.

Even in the old days, before IPv6, geez, look at this:

bcopy(host->h_addr_list[n], (char *)&addr->sin_addr.s_addr,
      sizeof(addr->sin_addr.s_addr));

That's real comprehensible - and it's essentially the data interface 
between the resolver library and the system's addressing structures
for syscalls.

On one hand, it's great that they wanted to abstract the dirty details
of DNS away from users, but I'd say they failed pretty much even at that.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
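The resolve-connect-free pattern Owen describes, set against the h_addr_list/bcopy() interface Joe quotes, as an added C example that is not code from either poster. connect_by_name, reconnect_n_times and the loopback_listener test fixture are names introduced here for illustration; the example assumes a POSIX sockets stack and a working loopback interface.

```c
/* Added example, not code from the thread. The addrinfo list is used
 * inside one connect() loop and freed immediately, so the application
 * never holds an address past its DNS TTL; the sockaddr comes out of
 * getaddrinfo() complete, with no bcopy() from h_addr_list into sin_addr. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

/* Resolve host/port afresh and try every returned address in order.
 * Returns a connected socket, or -1 if resolution failed or no address
 * accepted the connection. The addrinfo list is always freed before
 * returning, so nothing from this lookup can be reused later. */
int connect_by_name(const char *host, const char *port)
{
    struct addrinfo hints, *res = NULL, *ai;
    int fd = -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;        /* v4 or v6, whatever comes back */
    hints.ai_socktype = SOCK_STREAM;

    int rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return -1;
    }

    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        /* ai_addr/ai_addrlen are already a complete sockaddr for this
         * family: no hand-copying of address bytes, no guessing lengths. */
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            break;                      /* first address that answers wins */
        close(fd);
        fd = -1;                        /* fall through to the next address */
    }

    freeaddrinfo(res);  /* the lookup dies here; next connect re-resolves */
    return fd;
}

/* Every reconnect goes through a fresh lookup. Holding the addrinfo
 * across calls would be exactly the stale-address bug the thread is about.
 * Returns how many of the n attempts connected. */
int reconnect_n_times(const char *host, const char *port, int n)
{
    int ok = 0;
    for (int i = 0; i < n; i++) {
        int fd = connect_by_name(host, port);
        if (fd >= 0) {
            ok++;
            close(fd);
        }
    }
    return ok;
}

/* Test fixture only (hypothetical helper): a listener on an ephemeral
 * loopback port so the example runs with no network. Writes the port
 * number into portbuf and returns the listening descriptor, or -1. */
int loopback_listener(char *portbuf, size_t portlen)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                    /* kernel assigns a free port */
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(lfd, 16) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) {
        close(lfd);
        return -1;
    }
    snprintf(portbuf, portlen, "%u", (unsigned)ntohs(sa.sin_port));
    return lfd;
}

int main(void)
{
    char port[8];
    int lfd = loopback_listener(port, sizeof port);
    if (lfd < 0)
        return 1;
    printf("connected %d/3 times to 127.0.0.1:%s\n",
           reconnect_n_times("127.0.0.1", port, 3), port);
    close(lfd);
    return 0;
}
```

Once the listener is closed, the same call returns -1 on connection refused, which is the failure path a caller must handle rather than retrying a remembered address.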



Re: Switch designed for mirroring tap ports

2012-03-01 Thread Jeff Kell
How about splitting up a heavy stream (10G) into components (1G) to run through
an inline device and reassemble the pieces back to an aggregate afterward?

TippingPoint makes a core controller box for this but it's pretty hideously 
expensive.

Could do it with two 6500s but that's pretty hideously expensive as well :)

Jeff



Re: Switch designed for mirroring tap ports

2012-03-01 Thread Harry Hoffman
Gigamon has a new product offering that claims to do this (their sales 
guys just met with me a few days ago and gave me an update on their 
latest offerings).


It's the G-Secure-something or other.

We're using the 2404's so I don't have any experience with it.

Cheers,
Harry

On 03/01/2012 10:22 AM, Jeff Kell wrote:

How about splitting up a heavy stream (10G) into components (1G) to run through
an inline device and reassemble the pieces back to an aggregate afterward?

TippingPoint makes a core controller box for this but it's pretty hideously 
expensive.

Could do it with two 6500s but that's pretty hideously expensive as well :)

Jeff






Re: BBC reports Kenya fiber break

2012-03-01 Thread Frank Habicht
On 3/1/2012 5:54 PM, Oliver Garraux wrote:
 On Thu, Mar 1, 2012 at 4:11 AM, Georgios Theodoridis gt...@iti.gr wrote:
 Has it been known the exact time of the incident?
 I have found an article reporting that the cut occurred in the mid-day of
 Saturday 25th but nothing more precise.
 We would like to use such information for a BGP anomaly detection analysis
 that we are carrying out in our research centre.

 Thanks in advance,

 George


 
 It sounds like there were multiple cables that were lost recently.
 For the EASSy cable issue in the Red Sea, an ISP in Malawi stated the
 issues started at 09:26 on Friday 17 February.  I don't know first
 hand if that is accurate to the minute or not.  I believe this is
 separate from the cable off the coast of Kenya that was cut on the
 25th.
 
 Oliver

timestamp is GMT+0(or maybe UTC) :

6413: Feb 17 07:17:53.606: %LINEPROTO-5-UPDOWN: Line protocol on
Interface POS0/1/0, changed state to down

yes, on NTP.

Frank



Re: Riverbed/Akamai/Rakamai

2012-03-01 Thread Leo Bicknell
In a message written on Thu, Mar 01, 2012 at 10:09:27AM -0500, Kristian 
Kielhofner wrote:
 Does anyone know what they actually do and how they do it?  As usual
 it's tough to cut through the marketing on the little detail they make
 available (never a good sign).

It's been a while since I looked at Riverbed, and it was part of a
test with other providers of the same technologies.  So I'll give
you a general overview of the sorts of things they do.

WAN Optimizers implement an array of tricks to get more throughput
out of the same bandwidth:

  - Compression, simply compress the data as it flows.
  - TCP optimization, work around known issues with window scaling and
    other TCP throughput problems by being a man in the middle and
    faking out one or both sides.
  - Tricking LAN protocols into working over the WAN.  This was one of
    the first big selling points.  Various MS LAN protocols weren't
    designed for high latency links with packet loss, and so by being
    a man in the middle dealing with the WAN and presenting an optimized
    view they worked much better.
  - Data deduplication, cache blocks of data repeatedly sent (file
    sharing read-only documents is a prime example) at the far end
    and re-serve them without going across a WAN.
  - Caching various soft failures (PMTU failures, unreachables, etc)
    to deliver them faster.

Depending on your workload they may be total magic, getting gigabits
of throughput from a T1, or snake oil, not making a bit of difference.
The key in all cases is they have to be paired though, one on each
end of the WAN (read low bandwidth and/or high latency) link.  To
date that has limited them to deployments inside of enterprises for
the most part, and often to places with a hub and spoke topology
otherwise the deployment gets complex quickly.

What I'm hearing here is one of these boxes is in the Akamai node.
Now if the enterprise customer has one at their site you have two
end points for downloading Akamaized content.  This may be able to
optimize throughput (say, via compression or TCP optimization) or
reduce load/costs (say via data deduplication) or both for a customer
who happens to have a Riverbed box on their network.

I've got no idea how effective this would be on standard Akamaized
content, but if you already own a Riverbed it's probably some free
optimization.  Is it enough to make you buy a Riverbed if you don't
already own one?  Interesting question.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Michael Thomas

On 03/01/2012 07:22 AM, Joe Greco wrote:

It's deeper than just that, though.  The whole paradigm is messy, from
the point of view of someone who just wants to get stuff done.  The
examples are (almost?) all fatally flawed.  The code that actually gets
at least some of it right ends up being too complex and too hard for
people to understand why things are done the way they are.

Even in the old days, before IPv6, geez, look at this:

bcopy(host->h_addr_list[n], (char *)&addr->sin_addr.s_addr,
sizeof(addr->sin_addr.s_addr));

That's real comprehensible - and it's essentially the data interface
between the resolver library and the system's addressing structures
for syscalls.

On one hand, it's great that they wanted to abstract the dirty details
of DNS away from users, but I'd say they failed pretty much even at that.


Yes, as simple as the normal kernel interface is for net io, getting
to the point that you can do a connect() is both maddeningly
messy and maddeningly inflexible -- the worst of all possible
worlds. We shouldn't kid ourselves that DNS is a simple protocol
though. It has layers of complexity and the policy decisions about
address picking are not easy. But things like dealing with caching
correctly shouldn't be that painful if done correctly by, say, discouraging
copying addresses with, say, a wrapper function that validates the
TTL and hands you back a filled out sockaddr.

But not wanting to block -- which is needed for an event loop or
run to completion like interface -- adds a completely new dimension.
Maybe it's the intersection of all of these complexities that's at the root
of why we're stuck with either gethostbyxx or roll your own.

Mike



Re: WW: Colo Vending Machine

2012-03-01 Thread Jay Ashworth
- Original Message -
 From: Dale Shaw dale.shaw+na...@gmail.com

 What about something like this?
 
 http://www.comsol.com.au/SL-PCC-01

While they might not sell to the US, that's roughly equivalent in form factor
to the Lantronix spider to which I posted a link...

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: BBC reports Kenya fiber break

2012-03-01 Thread Andree Toonk
Hi Georgios,

.-- My secret spy satellite informs me that at 12-03-01 1:11 AM
Georgios Theodoridis wrote:
 Has it been known the exact time of the incident?
 I have found an article reporting that the cut occurred in the mid-day
 of Saturday 25th but nothing more precise.
 We would like to use such information for a BGP anomaly detection
 analysis that we are carrying out in our research centre.

Looking at BGP data we can see large outages for both Kenya and Uganda
starting at around 9:12 UTC on February the 25th.

Also see:
http://www.bgpmon.net/africa-feb25.png

Cheers,
 Andree



Re: [nanog] Re: Switch designed for mirroring tap ports

2012-03-01 Thread David LaPorte
We're doing something similar - VACLs (using the redirect action) with
port-channel destinations on a span aggregation 650x.  If you've got a
spare 650x chassis lying around and your configuration requirements
aren't terribly complex/dynamic, you can do monitoring with filtering
and load-balancing at high-throughput on it.

On 03/01/12 06:03, David Swafford wrote:
 Take a look at VACLs on the Cat side.  It has a capture feature that is
 effectively the same as a local SPAN, but without the 2 session limit. If
 you do a lot of RSPAN though, this wouldn't be your complete answer (VACL
 captures are local only).  VACLs are a bit more granular in defining what's
 captured, if say for example you only wanted traffic destined to TCP/80,
 you could configure it that way.
 
 David.
 
 
 On Thu, Mar 1, 2012 at 5:52 AM, Terry Baranski 
 terry.baranski.l...@gmail.com wrote:
 
 On Mar 1, 2012, at 02:13 AM, apishd...@gmail.com wrote:

 Hello All,

 We are looking for a switch or a device that we can use for mirroring
 tap ports. For example , take a mirror port off of a core router say
 a 6509, connect it to a port on said device, say port 1. I would like
 then to be able to mirror port 1 on said device to multiple ports,
 like port 2 , 3, 4. We have the need to analyze traffic from one port
 on multiple devices. Seems most switches are limited to mirroring to a
 max of 1 or 2 ports.

 We like Gigamon for this purpose.

 -Terry



Re: Riverbed/Akamai/Rakamai

2012-03-01 Thread Michael Still
Found this in one of my RSS feeds this am:
http://www.youtube.com/watch?v=GNOXSmMfcGs

Sort of explains it.

On Thu, Mar 1, 2012 at 10:09 AM, Kristian Kielhofner k...@kriskinc.com wrote:
 As long as we're talking about cloud networks, Akamai and Riverbed
 have finally let out details on their partnership for optimizing
 Cloud applications:

 http://www.nojitter.com/post/232601716/rakamai-makes-the-cloud-work-better

 While I'm familiar with Akamai (what they do and how they do it) I
 don't have any experience with Riverbed.

 Does anyone know what they actually do and how they do it?  As usual
 it's tough to cut through the marketing on the little detail they make
 available (never a good sign).

 --
 Kristian Kielhofner




-- 
[stillwa...@gmail.com ~]$ cat .signature
cat: .signature: No such file or directory
[stillwa...@gmail.com ~]$



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread William Herrin
On Thu, Mar 1, 2012 at 10:01 AM, Michael Thomas m...@mtcc.com wrote:
 On 03/01/2012 06:26 AM, William Herrin wrote:
 The even simpler approach: create an AF_NAME with a sockaddr struct
 that contains a hostname instead of an IPvX address. Then let
 connect() figure out the details of caching, TTLs, protocol and
 address selection, etc.  Such a connect() could even support a revised
 TCP stack which is able to retry with the other addresses at the first
 subsecond timeout rather than camping on each address in sequence for
 the typical system default of two minutes.


 The effect of what you're recommending is to move all of this
 into the kernel, and in the process greatly expand its scope.

Hi Michael,

libc != kernel. I want to move the action into the standard libraries
where it can be done once and done well. A little kernel action on top
to parallelize connection attempts where there are multiple candidate
addresses would be gravy, but not required.


 even if you did this, you'd be saddled with the same problem because
 nothing existing would use an AF_NAME.

It won't instantly fix everything so we shouldn't do it at all?


 what if I want, say, asynchronous
 name resolution? What if I want to use SRV records? What if a new DNS
 RR comes around

Then you do it the long way, same as you do now. But in the 99% of the
time that you're initiating a connection the normal way, you don't
have to (badly) reinvent the wheel.


 As far as
 I could tell, standard distros don't have libraries with lower level access to
 DNS (in my case, it needed to not block). Before positing a super-deluxe
 gethostbyxx that does addresses picking, etc, etc it would be better to
 lobby all of the distros to settle on a decomposed resolver library from
 which that and more could be built.

(A) Revised standards are -how- multiple OSes from multiple vendors
coordinate the deployment of an identical capability.

(B) Application programmers generally DO want the abstraction from
DNS to Name resolution. If there's an /etc/hosts name or a NIS
name or a Windows name available, you ordinarily want to use it. You
don't want to build extra code to search each name service
independently any more than you want to build extra code to cycle
through candidate addresses.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Switch designed for mirroring tap ports

2012-03-01 Thread Dale W. Carder

Thus spake Jeff Kell (jeff-k...@utc.edu) on Thu, Mar 01, 2012 at 10:22:29AM -0500:
 How about splitting up a heavy stream (10G) into components (1G) to run
 through an inline device and reassemble the pieces back to an aggregate afterward?

Sounds like a perfect job for a commodity switch that supports OpenFlow.

Dale



Many dns queries to a.root-servers.net

2012-03-01 Thread Dario Aguilar
Hi, I'm seeing quite a lot of queries for a.root-servers.net IN A in the
logs of my caching servers. They seem to be coming from home normal DSL
customers (IPs who would be expected to be using the name servers) with
each sending one query every 2 seconds.
All together they represent more than 10% of the total queries. I am
guessing it is probably some sort of spyware/malware/virus/router/O.S.
version but I was wondering if anyone knows offhand?


Re: BBC reports Kenya fiber break

2012-03-01 Thread Steven Bellovin

On Feb 29, 2012, at 11:17 AM, Marshall Eubanks wrote:

 On Wed, Feb 29, 2012 at 10:08 AM, Justin M. Streiner
 strei...@cluebyfour.org wrote:
 On Wed, 29 Feb 2012, Rodrick Brown wrote:
 
 There's about 1/2 a dozen or so known private and government research
 facilities on Antarctica and I'm surprised to see no fiber end points on
 that continent? This can't be true.
 
 
 Constantly shifting ice shelves and glaciers make a terrestrial cable
 landing very difficult to implement on Antarctica.  Satellite connectivity
 is likely the only feasible option.  There are very few places in
 Antarctica that are reliably ice-free enough of the time to make a viable
 terrestrial landing station.  Getting connectivity from the landing station
 to other places on the continent is another matter altogether.
 
 Apparently at least one long fiber pull has been contemplated.
 
 http://news.bbc.co.uk/2/hi/sci/tech/2207259.stm
 
 (Note : the headline is incorrect - the Internet reached the South Pole in 1994,
 via satellite, of course :
 http://www.southpolestation.com/trivia/90s/ftp1.html )
 
 As far as I can tell, this was never done, and the South Pole gets its
 Internet mostly via
 TDRSS.
 
 http://www.usap.gov/technology/contentHandler.cfm?id=1971


Yes.  I had discussions with some of their network support folks circa 1994 -- with
limited bandwidth (DS0, as I recall) and only a few hours of connectivity per day,
when a satellite was over the horizon, they were very concerned about attackers
clogging their link.

--Steve Bellovin, https://www.cs.columbia.edu/~smb








Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Michael Thomas

On 03/01/2012 08:57 AM, David Conrad wrote:



Moving it across the kernel boundary solves nothing

Actually, it does.  Right now, applications effectively cache the address in 
their data space, requiring the application developer to go to quite a bit of 
work to deal with the address changing (or, far more typically, just pretend 
addresses never change). This has a lot of unfortunate side effects.


My rule of thumb for this sort of thing is: does it *require* kernel level access?
In this case, the answer is manifestly no. As far as ttl's go in particular, most
apps would work perfectly well always doing real DNS socket IO to a local resolver
each time which has the side effect that it would honor ttl, as well as benefiting
from cross process caching. It could be done in the kernel, but it would be introducing
a *lot* of complexity and inflexibility.

Even if you did want super high performance local DNS resolution, there are
still a lot of other ways to achieve that besides jamming it into the kernel. A
lot of the beauty of UNIX is that the kernel system interface is simple... dragging
more into the kernel is aesthetically wrong.


What if I want to use SRV records? What if a new DNS
RR comes around -- do I have to recompile the kernel?

I believe with the exception of A/AAAA, RDATA is typically returned as either 
opaque (to the DNS) data blobs or names. This means the only stuff the kernel 
would need to deal with would be the A/AAAA lookups, everything else would be 
passed back as data, presumably via a new system call.


SRV records? This is starting to get really messy inside the kernel and for
no good reason that I can see.




As far as
I could tell, standard distros don't have libraries with lower level access to
DNS (in my case, it needed to not block).

There have been lower-level resolver APIs since (at least) BSD 4.3 (man resolver(3)).


This is all getting sort of hazy since it was 8 years ago, but yes res_XX existed,
and hence the ares_ analog that I used. Maybe all that's really needed for low
level access primitives is a merger of res_ and ares_... asynchronous resolution
is a fairly important feature for modern event loop like things. But I don't claim
to be a DNS wonk so it might be worse than that.

Mike



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Michael Thomas

On 03/01/2012 08:58 AM, William Herrin wrote:

On Thu, Mar 1, 2012 at 10:01 AM, Michael Thomasm...@mtcc.com  wrote:

On 03/01/2012 06:26 AM, William Herrin wrote:

The even simpler approach: create an AF_NAME with a sockaddr struct
that contains a hostname instead of an IPvX address. Then let
connect() figure out the details of caching, TTLs, protocol and
address selection, etc.  Such a connect() could even support a revised
TCP stack which is able to retry with the other addresses at the first
subsecond timeout rather than camping on each address in sequence for
the typical system default of two minutes.


The effect of what you're recommending is to move all of this
into the kernel, and in the process greatly expand its scope.

Hi Michael,

libc != kernel. I want to move the action into the standard libraries
where it can be done once and done well. A little kernel action on top
to parallelize connection attempts where there are multiple candidate
addresses would be gravy, but not required.


connect(2) is a kernel level call just like open(2), etc. It may
have a thin wrapper, but that's OS dependent, IIRC.

man connect 2:

The connect() system call connects the socket referred to by the file descriptor...

Mike



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread William Herrin
On Thu, Mar 1, 2012 at 1:32 PM, Michael Thomas m...@mtcc.com wrote:
 On 03/01/2012 08:58 AM, William Herrin wrote:
 libc != kernel. I want to move the action into the standard libraries
 where [resolve and connect] can be done once and done well.
 A little kernel action on top
 to parallelize connection attempts where there are multiple candidate
 addresses would be gravy, but not required.

 connect(2) is a kernel level call just like open(2), etc. It may
 have a thin wrapper, but that's OS dependent, IIRC.

 man connect 2:

 The connect() system call connects the socket referred to by the file descriptor...

Then name the new one something else and document it in man section 3.
Next objection?

-Bill


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Owen DeLong
 
 It's deeper than just that, though.  The whole paradigm is messy, from
 the point of view of someone who just wants to get stuff done.  The
 examples are (almost?) all fatally flawed.  The code that actually gets
 at least some of it right ends up being too complex and too hard for
 people to understand why things are done the way they are.
 
 Even in the old days, before IPv6, geez, look at this:
 
 bcopy(host->h_addr_list[n], (char *)&addr->sin_addr.s_addr,
 sizeof(addr->sin_addr.s_addr));
 
 That's real comprehensible - and it's essentially the data interface 
 between the resolver library and the system's addressing structures
 for syscalls.
 
 On one hand, it's great that they wanted to abstract the dirty details
 of DNS away from users, but I'd say they failed pretty much even at that.
 
 ... JG
 -- 
 Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
 We call it the 'one bite at the apple' rule. Give me one chance [and] then I
 won't contact you again. - Direct Marketing Ass'n position on e-mail 
 spam(CNN)
 With 24 million small businesses in the US alone, that's way too many apples.

I think that the modern set of getaddrinfo and connect is actually not that complicated:

  /* Declarations assumed from the surrounding program (not shown in the
     post): struct addrinfo addrinfo, *res, *r; int rval, sockfd6, e_save,
     success = 0; char buf[BUFLEN], s[BUFLEN]; get_ip_str() and debug()
     are the author's own helpers. */
  /* Hints for getaddrinfo() (tell it what we want) */
  memset(&addrinfo, 0, sizeof(addrinfo));   /* Zero out the buffer */
  addrinfo.ai_family=PF_UNSPEC;     /* Any and all address families */
  addrinfo.ai_socktype=SOCK_STREAM; /* Stream Socket */
  addrinfo.ai_protocol=IPPROTO_TCP; /* TCP */
  /* Ask the resolver library for the information. Exit on failure. */
  /* argv[1] is the hostname passed in by the user. "demo" is the service name */
  /* Parenthesised so rval receives the return code, not the comparison result */
  if ((rval = getaddrinfo(argv[1], "demo", &addrinfo, &res)) != 0) {
    fprintf(stderr, "%s: Failed to resolve address information.\n", argv[0]);
    exit(2);
  }

  /* Iterate through the results */
  for (r=res; r; r = r->ai_next) {
    /* Create a socket configured for the next candidate */
    sockfd6 = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
    if (sockfd6 < 0) {
      /* No socket for this address family (e.g. IPv6 disabled); try the next */
      perror("Socket error");
      continue;
    }
    /* Try to connect */
    if (connect(sockfd6, r->ai_addr, r->ai_addrlen) < 0)
    {
      /* Failed to connect */
      e_save = errno;
      /* Destroy socket */
      (void) close(sockfd6);
      /* Recover the error information */
      errno = e_save;
      /* Tell the user that this attempt failed */
      fprintf(stderr, "%s: Failed attempt to %s.\n", argv[0],
        get_ip_str((struct sockaddr *)r->ai_addr, buf, BUFLEN));
      /* Give error details */
      perror("Socket error");
    } else {/* Success! */
      /* Inform the user */
      snprintf(s, BUFLEN, "%s: Succeeded to %s.", argv[0],
        get_ip_str((struct sockaddr *)r->ai_addr, buf, BUFLEN));
      debug(5, argv[0], s);
      /* Flag our success */
      success++;
      /* Stop iterating */
      break;
    }
  }
  /* Out of the loop. Either we succeeded or ran out of possibilities */
  if (success == 0) /* If we ran out of possibilities... */
  {
    /* Inform the user, free up the resources, and exit */
    fprintf(stderr, "%s: Failed to connect to %s.\n", argv[0], argv[1]);
    freeaddrinfo(res);
    exit(5);
  }
  /* Succeeded. Inform the user and continue with the application */
  printf("%s: Successfully connected to %s at %s on FD %d.\n", argv[0], argv[1],
    get_ip_str((struct sockaddr *)r->ai_addr, buf, BUFLEN),
    sockfd6);
  /* Free up the memory held by the resolver results */
  freeaddrinfo(res);

It's really hard to make a case that this is all that complex.

I put a lot of extra comments in there to make it clear what's happening for 
people who may not be used to coding in C. It also contains a whole lot of 
extra user notification and debugging instrumentation because it is designed as 
an example people can use to learn with. 

Yes, this was a lot messier and a lot stranger and harder to get right with 
get*by{name,addr}, but, those days are long gone and anyone still coding with 
those needs to move forward.

Owen



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread William Herrin
On Thu, Mar 1, 2012 at 4:07 PM, Owen DeLong o...@delong.com wrote:
 I think that the modern set of getaddrinfo and connect is actually not that 
 complicated:

Owen,

It took you 50 lines of code to do
'socket=connect(www.google.com,80,TCP);' and you still managed to
produce a version which, due to the timeout on dead addresses, is
worthless for any kind of interactive program like a web browser. And
because that code isn't found in a system library, every single
application programmer has to write it all over again.

I'm a fan of Rube Goldberg machines but that was ridiculous.

Regards,
Bill Herrin





-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Mark Andrews

In message CAP-guGXLpzai4LrxyJcNn06yQ1jAEu4QeRpVzGRah=+ogly...@mail.gmail.com
, William Herrin writes:
 On Thu, Mar 1, 2012 at 4:07 PM, Owen DeLong o...@delong.com wrote:
  I think that the modern set of getaddrinfo and connect is actually not that
  complicated:
 
 Owen,
 
 It took you 50 lines of code to do
 'socket=connect(www.google.com,80,TCP);' and you still managed to
 produce a version which, due to the timeout on dead addresses, is
 worthless for any kind of interactive program like a web browser. And
 because that code isn't found in a system library, every single
 application programmer has to write it all over again.

And your 'socket=connect(www.google.com,80,TCP);' won't work for
a web browser either unless you are using threads and are willing
to have the thread stall.

The existing connect() semantics actually work well for browsers
but they need to be properly integrated into the system as a whole.
Nameservers have similar connect() issues as web browsers with one
advantage, most of the time we are connecting to a machine we have
just connected to via UDP.  That doesn't mean we don't do non-blocking
connect however.

 I'm a fan of Rube Goldberg machines but that was ridiculous.
 
 Regards,
 Bill Herrin
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Owen DeLong
William,

I could have done it in a lot less lines of code, but, it would have been much 
less readable.

Not blocking on the connect() call is a little more complex, but, not terribly 
so. It does, however, again, make the code quite a bit less readable.

There are libraries available that abstract everything I did there and you are 
welcome to use them.

Since C does not support overloading, they export different functions for the 
behavior you seek.

If you want, program in Python where the libraries do provide the abstraction 
you seek. Of course, that means you have to cope with Python's other disgusting 
habits like spaces are meaningful and variables are indistinguishable from 
code, but, there's always a tradeoff.

You don't have to reinvent what I've done. Neither does every or any other 
application programmer.
You are welcome to use any of the many connection abstraction libraries that 
are available in open source. I suggest you make a trip through google code.

Owen

On Mar 1, 2012, at 2:09 PM, William Herrin wrote:

 On Thu, Mar 1, 2012 at 4:07 PM, Owen DeLong o...@delong.com wrote:
 I think that the modern set of getaddrinfo and connect is actually not that 
 complicated:
 
 Owen,
 
 It took you 50 lines of code to do
 'socket=connect(www.google.com,80,TCP);' and you still managed to
 produce a version which, due to the timeout on dead addresses, is
 worthless for any kind of interactive program like a web browser. And
 because that code isn't found in a system library, every single
 application programmer has to write it all over again.
 
 I'm a fan of Rube Goldberg machines but that was ridiculous.
 
 Regards,
 Bill Herrin
 
 
 
 
 
 -- 
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004




Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread William Herrin
On Thu, Mar 1, 2012 at 5:37 PM, Owen DeLong o...@delong.com wrote:
 You don't have to reinvent what I've done. Neither does every
 or any other application programmer.
 You are welcome to use any of the many connection
 abstraction libraries that are available in open source.
 I suggest you make a trip through google code.

Which is what everybody basically does. And when it works during the
decidedly non-rigorous testing, they move on to the next problem...
with code that doesn't perform well in the corner cases. Such as when
a host has just been renumbered or one of the host's addresses is
unreachable.

And because most everybody has made more or less the same errors, the
DNS TTL fails to cause their applications to work as intended and
loses its utility as a tool to facilitate renumbering.


 If you want, program in Python where the libraries do
 provide the abstraction you seek. Of course, that
 means you have to cope with Python's other disgusting
 habits like spaces are meaningful and variables are
 indistinguishable from code, but, there's always a tradeoff.

::shudder::  I don't *want* to do anything in python. The occasional
reality of a situation dictates that I do some work in python, but I
most definitely don't *want* to.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Chuck Anderson
On Thu, Mar 01, 2012 at 05:57:11PM -0500, William Herrin wrote:
 Which is what everybody basically does. And when it works during the
 decidedly non-rigorous testing, they move on to the next problem...
 with code that doesn't perform well in the corner cases. Such as when
 a host has just been renumbered or one of the host's addresses is
 unreachable.
 
 And because most everybody has made more or less the same errors, the
 DNS TTL fails to cause their applications to work as intended and
 loses its utility as a tool to facilitate renumbering.

Is there an RFC or BCP that describes how to correctly write such a
library?  Perhaps we need to work to get such a thing, and then push
for RFC-compliance of the resolver libraries, or develop a set of
libraries named after and fully compliant with the RFC and get
software to use them.



Re: BBC reports Kenya fiber break

2012-03-01 Thread Jim Cowie
On Thu, Mar 1, 2012 at 4:11 AM, Georgios Theodoridis gt...@iti.gr wrote:

 Has it been known the exact time of the incident?
 I have found an article reporting that the cut occurred in the mid-day of
 Saturday 25th but nothing more precise.
 We would like to use such information for a BGP anomaly detection analysis
 that we are carrying out in our research centre.

 Thanks in advance,

 George



Renesys published a brief writeup of the incident yesterday.   We called it
at 09:13 UTC on the 25th.   Lots of interesting outage and transit-shift
effects to see in the East African BGP data that day.  We also report some
shifts in latency based on active measurement, as everyone's traffic jumps
onto the surviving connectivity through SEACOM.   Kenya Data Networks
(AS33770) did a particularly good job staying alive by virtue of their
upstream provider diversity, kudos to them.

http://www.renesys.com/blog/2012/02/east-african-cable-breaks.shtml

best,  --jim


Re: Reliable Cloud host ?

2012-03-01 Thread Jeroen van Aart

Randy Carpenter wrote:

Does anyone have any recommendation for a reliable cloud host?



Basic requirements:

1. Full redundancy with instant failover to other hypervisor hosts upon 
hardware failure (I thought this was a given!)


Assuming a simple set up as you suggest. If what you want to do is a lot 
more complex it would be worth your while to use your own hardware at a 
coloc, and alternatively set up your own VPSes.


I think your best bet is to design your systems with failover taken into 
account and not to depend on the VPS provider to provide you this.


Say you want smtp in addition to DNS. You would set up a VPS in 2 
different locations (or more) using 2 different VPS providers. You set 
up your favourite name server and email server on each server, configure 
your mx records to point to both and you tell your registrar to use both 
servers as the nameserver for your domain(s).


When a server goes offline dns queries and emails automagically go to the 
other server.


No need to depend on one single VPS provider and their crappy 
infrastructure.



3. reasonable pricing (No, $800/month is not reasonable when I need a tiny 256MB 
RAM Server with 1GB/mo of data transfers)


Lots of reasonably priced VPS providers out there. And once you have set 
up redundancy in your own design it doesn't matter much how redundant 
they are. More important will be how spam/pollution free the network 
neighbourhood is. Amazon would not be the best choice in that regard.


I have had good luck with small local VPS providers, often ISPs.

Greetings,
Jeroen

--
Earthquake Magnitude: 3.2
Date: Thursday, March  1, 2012 16:31:08 UTC
Location: Central California
Latitude: 36.6378; Longitude: -121.2510
Depth: 5.50 km



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Owen DeLong

On Mar 1, 2012, at 2:57 PM, William Herrin wrote:

 On Thu, Mar 1, 2012 at 5:37 PM, Owen DeLong o...@delong.com wrote:
 You don't have to reinvent what I've done. Neither does every
 or any other application programmer.
 You are welcome to use any of the many connection
 abstraction libraries that are available in open source.
 I suggest you make a trip through google code.
 
 Which is what everybody basically does. And when it works during the
 decidedly non-rigorous testing, they move on to the next problem...
 with code that doesn't perform well in the corner cases. Such as when
 a host has just been renumbered or one of the host's addresses is
 unreachable.
 

Then push for better written abstraction libraries. There's no need to
break the current functionality of the underlying system calls and
libc functions which would be needed by any such library anyway.

 And because most everybody has made more or less the same errors, the
 DNS TTL fails to cause their applications to work as intended and
 loses its utility as a tool to facilitate renumbering.
 

Since I don't write applications for a living, I will admit I haven't rigorously
tested any of the libraries out there, but, I'm willing to bet that someone,
somewhere has probably written a good one by now.

 
 If you want, program in Python where the libraries do
 provide the abstraction you seek. Of course, that
 means you have to cope with Python's other disgusting
 habits like spaces are meaningful and variables are
 indistinguishable from code, but, there's always a tradeoff.
 
 ::shudder::  I don't *want* to do anything in python. The occasional
 reality of a situation dictates that I do some work in python, but I
 most definitely don't *want* to.

Believe me, I'm in the same boat on that one. However, it is the only
language I know of that provides the kind of interface you are demanding.
Perhaps this should tell you something about what you are asking for. ;-)

Owen




Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread William Herrin
On Thu, Mar 1, 2012 at 8:02 PM, Owen DeLong o...@delong.com wrote:
 There's no need to
 break the current functionality of the underlying system calls and
 libc functions which would be needed by any such library anyway.

Owen,

Point to one sentence written by anybody in this entire thread in
which breaking current functionality was proposed.


 And because most everybody has made more or less the same errors, the
 DNS TTL fails to cause their applications to work as intended and
 loses its utility as a tool to facilitate renumbering.

 Since I don't write applications for a living, I will admit I haven't rigorously
 tested any of the libraries out there, but, I'm willing to bet that someone,
 somewhere has probably written a good one by now.

Yeah, and if you give me a few weeks I can probably find it amidst all
the others which aren't so hot.

Regards,
Bill



-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Owen DeLong

On Mar 1, 2012, at 5:15 PM, William Herrin wrote:

 On Thu, Mar 1, 2012 at 8:02 PM, Owen DeLong o...@delong.com wrote:
 There's no need to
 break the current functionality of the underlying system calls and
 libc functions which would be needed by any such library anyway.
 
 Owen,
 
 Point to one sentence written by anybody in this entire thread in
 which breaking current functionality was proposed.
 
When you said that:

connect(char *name, uint16_t port) should work

That can't work without breaking the existing functionality of the connect() 
system call.

 
 And because most everybody has made more or less the same errors, the
 DNS TTL fails to cause their applications to work as intended and
 loses its utility as a tool to facilitate renumbering.
 
 Since I don't write applications for a living, I will admit I haven't rigorously
 tested any of the libraries out there, but, I'm willing to bet that someone,
 somewhere has probably written a good one by now.
 
 Yeah, and if you give me a few weeks I can probably find it amidst all
 the others which aren't so hot.
 

I doubt it would take weeks, but, in any case, it's probably faster than
writing and debugging your own.

Owen




Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Matt Addison
On Mar 1, 2012, at 17:10, William Herrin b...@herrin.us wrote:
 If it took you 50 lines of code to do
 'socket=connect(www.google.com,80,TCP);' and you still managed to
 produce a version which, due to the timeout on dead addresses, is
 worthless for any kind of interactive program like a web browser. And
 because that code isn't found in a system library, every single
 application programmer has to write it all over again.

 I'm a fan of Rube Goldberg machines but that was ridiculous.

I'm thinking for this to work it would have to be 2 separate calls:

Call 1 being to the resolver (using lwres, system resolver, or
whatever you want to use) and returning an array of struct addrinfo-
same as gai does currently. If applications need TTL/SRV/$NEWRR
awareness it would be implemented here.

Call 2 would be a happy eyeballs connect syscall (mconnect? In the
spirit of sendmmsg) which accepts an array of struct addrinfo and
returns an fd. In the case of O_NONBLOCK it would return a dummy fd
(as non-blocking connects do currently) then once one of the
connections finishes handshake the kernel connects it to the FD and
signals writable to trigger select/poll/epoll. This allows developers
to keep using the same loops (and most of the APIs) they're already
comfortable with, keeps DNS out of the kernel, but hopefully provides
a better and easier to use connect() experience, for SOCK_STREAM at
least.

It's not as neat as a single connect() accepting a name, but seems to
be a happy medium and provides a standardized/predictable connect()
experience without breaking existing APIs.

~Matt
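The two-call shape Matt sketches above (the resolver hands back an addrinfo list, a second call races the candidates Happy Eyeballs style and returns the first fd whose handshake completes) can be built in user space today on top of non-blocking connect() and poll(), which also answers Bill's complaint that the dead-address timeout makes a naive sequential loop useless for interactive programs. The following is an added example written for this archive, not code from Matt, Bill, Owen or any libc; connect_happy(), demo_race(), the 100 ms stagger and the 3 s budget are my own choices, and the test scaffold uses a loopback listener as the reachable address and 192.0.2.1 (TEST-NET-1, never routed) as the constructed dead one. It is a library function, not a syscall, so the existing connect() and getaddrinfo() are untouched:

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

#define MAX_CAND 8   /* upper bound on candidates kept in flight at once (assumption) */

static long long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000LL + ts.tv_nsec / 1000000;
}

/* Start one non-blocking connect. Returns the fd (handshake done or pending)
 * or -1 when the kernel rejects the attempt outright, e.g. ENETUNREACH. */
static int start_connect(const struct addrinfo *ai) {
    int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    if (fd < 0) return -1;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0 || errno == EINPROGRESS) return fd;
    close(fd);
    return -1;
}

/* Race the candidates: a new one starts whenever none is pending or stagger_ms
 * has passed since the last launch, all stay in flight, and the first completed
 * handshake wins. Returns the connected fd, or -1 when every candidate failed
 * or total_ms ran out. A dead address therefore costs at most stagger_ms. */
int connect_happy(const struct addrinfo *list, int stagger_ms, int total_ms) {
    struct pollfd pfds[MAX_CAND];
    int n = 0, winner = -1;
    const struct addrinfo *next = list;
    long long start = now_ms(), last_start = start;

    while (winner < 0 && (next != NULL || n > 0)) {
        long long t = now_ms();
        if (t - start >= total_ms) break;
        if (next != NULL && n < MAX_CAND && (n == 0 || t - last_start >= stagger_ms)) {
            int fd = start_connect(next);
            next = next->ai_next;
            last_start = t;
            if (fd >= 0) { pfds[n].fd = fd; pfds[n].events = POLLOUT; pfds[n].revents = 0; n++; }
            continue;
        }
        /* Wait for a handshake, but wake in time to launch the next candidate. */
        int wait_ms = (int)(total_ms - (t - start));
        if (next != NULL && n < MAX_CAND) {
            int until_next = (int)(stagger_ms - (t - last_start));
            if (until_next < wait_ms) wait_ms = until_next;
        }
        if (wait_ms < 0) wait_ms = 0;
        int r = poll(pfds, (nfds_t)n, wait_ms);
        if (r < 0 && errno == EINTR) continue;
        if (r < 0) break;
        for (int i = 0; i < n; i++) {
            if (pfds[i].revents == 0) continue;
            int err = 0; socklen_t len = sizeof err;
            if (getsockopt(pfds[i].fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0) err = errno;
            if (err == 0) { winner = pfds[i].fd; pfds[i].fd = -1; break; }
            close(pfds[i].fd);              /* this candidate failed; the others keep racing */
            pfds[i] = pfds[n - 1]; n--; i--;
        }
    }
    for (int i = 0; i < n; i++) if (pfds[i].fd >= 0) close(pfds[i].fd);   /* losers */
    return winner;
}

/* Self-contained check (constructed): a loopback listener is the reachable
 * address, 192.0.2.1 the dead one, listed first so that a plain sequential
 * connect() loop would stall on it. Returns 1 when the race picked the
 * listener well inside the budget, 0 otherwise. */
int demo_race(void) {
    struct sockaddr_in good, dead;
    memset(&good, 0, sizeof good); memset(&dead, 0, sizeof dead);
    good.sin_family = AF_INET; good.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0) return 0;
    if (bind(ls, (struct sockaddr *)&good, sizeof good) < 0 || listen(ls, 4) < 0) { close(ls); return 0; }
    socklen_t glen = sizeof good;
    getsockname(ls, (struct sockaddr *)&good, &glen);      /* learn the ephemeral port */
    dead.sin_family = AF_INET; dead.sin_port = htons(9);
    inet_pton(AF_INET, "192.0.2.1", &dead.sin_addr);

    struct addrinfo ai[2];                                  /* hand-built, as getaddrinfo() would return */
    memset(ai, 0, sizeof ai);
    for (int i = 0; i < 2; i++) { ai[i].ai_family = AF_INET; ai[i].ai_socktype = SOCK_STREAM; ai[i].ai_protocol = IPPROTO_TCP; }
    ai[0].ai_addr = (struct sockaddr *)&dead; ai[0].ai_addrlen = sizeof dead; ai[0].ai_next = &ai[1];
    ai[1].ai_addr = (struct sockaddr *)&good; ai[1].ai_addrlen = sizeof good;

    long long t0 = now_ms();
    int fd = connect_happy(ai, 100, 3000), ok = 0;
    long long took = now_ms() - t0;
    if (fd >= 0) {
        struct sockaddr_in peer; socklen_t plen = sizeof peer;
        if (getpeername(fd, (struct sockaddr *)&peer, &plen) == 0)
            ok = peer.sin_port == good.sin_port && took < 2000;
        close(fd);
    }
    close(ls);
    return ok;
}
```

The resolver step stays separate, exactly as Matt proposes: whatever getaddrinfo() or an lwres wrapper returns is passed in unchanged, so TTL or SRV handling belongs to the caller, not this function. Losing candidates are closed, which matters because a half-open SYN left behind per connection attempt is a resource leak an attacker-controlled slow address could exploit; the total budget bounds the worst case regardless of how many dead addresses the list carries.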



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread William Herrin
On Thu, Mar 1, 2012 at 8:47 PM, Owen DeLong o...@delong.com wrote:
 On Mar 1, 2012, at 5:15 PM, William Herrin wrote:
 On Thu, Mar 1, 2012 at 8:02 PM, Owen DeLong o...@delong.com wrote:
 There's no need to
 break the current functionality of the underlying system calls and
 libc functions which would be needed by any such library anyway.

 Owen,

 Point to one sentence written by anybody in this entire thread in
 which breaking current functionality was proposed.

 When you said that:

 connect(char *name, uint16_t port) should work

 That can't work without breaking the existing functionality of the connect() 
 system call.

You know, when I wrote 'socket=connect(www.google.com,80,TCP);' I
stopped and thought to myself, I wonder if I should change that to
'connectbyname' instead just to make it clear that I'm not replacing
the existing connect() call? But then I thought, No, there's a
thousand ways someone determined to misunderstand what I'm saying will
find to misunderstand it. To someone who wants to understand my point,
this is crystal clear.

-Bill


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Owen DeLong

On Mar 1, 2012, at 9:34 PM, William Herrin wrote:

 On Thu, Mar 1, 2012 at 8:47 PM, Owen DeLong o...@delong.com wrote:
 On Mar 1, 2012, at 5:15 PM, William Herrin wrote:
 On Thu, Mar 1, 2012 at 8:02 PM, Owen DeLong o...@delong.com wrote:
 There's no need to
 break the current functionality of the underlying system calls and
 libc functions which would be needed by any such library anyway.
 
 Owen,
 
 Point to one sentence written by anybody in this entire thread in
 which breaking current functionality was proposed.
 
 When you said that:
 
 connect(char *name, uint16_t port) should work
 
 That can't work without breaking the existing functionality of the connect() 
 system call.
 
 You know, when I wrote 'socket=connect(www.google.com,80,TCP);' I
 stopped and thought to myself, I wonder if I should change that to
 'connectbyname' instead just to make it clear that I'm not replacing
 the existing connect() call? But then I thought, No, there's a
 thousand ways someone determined to misunderstand what I'm saying will
 find to misunderstand it. To someone who wants to understand my point,
 this is crystal clear.

I'm all for additional library functionality built on top of what exists that 
does what you want.

As I said, there are many such libraries out there to do that.

If someone wants to add it to libc, more power to them. I'm not the libc 
maintainer.

I just don't want connect() to stop working the way it does or for getaddrinfo()
to stop working the way it does.

Since you were hell bent on calling the existing mechanisms broken rather than
conceding the point that the current process is not broken, but, could stand some
improvements in the library (http://owend.corp.he.net/ipv6 I even say as much
myself), it was not entirely clear that you did not intend to replace connect()
rather than augment the current capabilities with additional more abstract
functions with different names.

Owen




Re: BBC reports Kenya fiber break

2012-03-01 Thread Georgios Theodoridis
I would like to deeply thank you all for your prompt response as well as 
for your generous contribution and the most interesting information that 
you shared.

Of course any further insight is still more than welcome.

Best regards,

George

On 03/02/2012 01:22 AM, Jim Cowie wrote:



On Thu, Mar 1, 2012 at 4:11 AM, Georgios Theodoridis gt...@iti.gr wrote:


Is the exact time of the incident known?
I have found an article reporting that the cut occurred around
midday on Saturday the 25th but nothing more precise.
We would like to use such information for a BGP anomaly detection
analysis that we are carrying out in our research centre.

Thanks in advance,

George



Renesys published a brief writeup of the incident yesterday. We called it
at 09:13 UTC on the 25th. Lots of interesting outage and transit-shift
effects to see in the East African BGP data that day. We also report some
shifts in latency based on active measurement, as everyone's traffic jumps
onto the surviving connectivity through SEACOM. Kenya Data Networks
(AS33770) did a particularly good job staying alive by virtue of their
upstream provider diversity, kudos to them.


http://www.renesys.com/blog/2012/02/east-african-cable-breaks.shtml

best,  --jim