APRICOT 2013 in Singapore

[Philip Smith]

Hi everyone,

Just to let you know that the call for papers for APRICOT 2013 (in
Singapore next February) opened a few days ago.

Rather than posting the whole cfp here, you can see it via the programme
page on the APRICOT website - www.apricot2013.net/program.

NANOG and APRICOT are the network operations conferences for adjacent
regions - and indeed both regions have considerable overlap and
interests in common.

Please give some thought to presenting something topical at APRICOT -
the Programme Committee would love to hear from you. You can submit your
proposal via http://papers.apricot.net.

Thanks!

philip
(on behalf of the APRICOT PC)
--

RE: What is BCP re De-Aggregation: strict filtering /48s out of /32 RIR minimums.

[Ben S. Butler]

Hi,

I thought I would share an extract from an email I sent off list to a peer.  My 
mail was a rather ramberly stream of consciousness exploring the issue, which 
worked its way to a potential solution... Hence why I am sharing an extract 
from it.  I am not sure how practicably implementable it would be with the use 
of communities and some extra filtering logic implemented by the router 
software to enable prefix matching on less specific.  I include for open 
discussion, I am sure there are things wrong with this idea, but maybe we can 
move towards a solution that works for everyone, rather than continuing in a 
straight line and having a bloated v6 route soup of indistinguishable /48s all 
over the place.  Maybe the below has some legs, I leave it for those clever 
than me to see if this can be incorporated into an emergent BCP that might 
address what we should be doing and give everyone clear guidelines and keep 
everything on track.

snip

As I said its not the content networks I have issue with, it the rest of the 
access networks and hosting networks that are going to abuse a relaxation 
policy of you should only announce /32 and use communities and no export for 
TE to adjacent ASes, but because there are a lot of island networks that 
require /48 support yours will also get accepted but please don't do this for 
TE reasons.

What we need is a way to filter that says throw this prefix away if I can see 
it inside of another prefix.  Ie discard this /48 if it is part of a /32 (or 
bigger) that I also have in my RIB and then insert the /32 into FIB and discard 
the /48.  That would dump off all the TE nonsense, while keeping the island 
networks /48s.  This new functionality could be used in a route map so it could 
be augmented with community matching or AS filter lists.  That would solve the 
problem, all be it at the cost of the processing overhead to examine each /48 
in the table and recurse its route, versus simple application of a filter list 
based on net block and minimum allocation size.  I guess another thing that 
might work is if we all start passing communities and then we can tag some /48s 
as I am a TE prefix with a cover route and use a different community to tag I 
am an island prefix with no cover route, and then we can filter or permit those 
in a route map as the recipient sees fit and next the route map could filter 
everything left on RIR minimums for the block.  That might work a lot better, 
if everyone passed communities At least people would be incentivised to tag 
the island routes which would be guaranteed to be permitted, we might have to 
worry about some people tagging a TE route as an island route.  So I guess the 
logic becomes

/48 Routes tagged with an island community permit as long as there is not a 
less specific covering route in the RIB.

/48 Routes tagged with a TE community can be permitted or denied as chosen by 
the recipient end AS but should be carried in the DFZ by transit providers.

/48 Routes that are not tagged should be assessed against RIR netblock minimums 
as being valid or invalid.

Future RIR assignments should rigorously explore if the assignment is intended 
to be going to have an aggregate route or not, so for island networks that will 
not be aggregated are moved to a separate /12 with a /48 minimum and /40 
maximum announced prefix size - rather than carried in the same block as PA 
(Aggregated) / ISP blocks that have a /32 minimum.

If we do that, it keeps the existing problem the size it is currently and 
solves it for future assignments, allows the island networks to work, prevents 
people cheating by trying to sneak a TE route in as an island route when there 
is covering /32 route, dumps off the rubbish from spurious announcements and 
hijacking, while allowing PI end user /48s to continue to work...  I think that 
would address the problem.

/snip

Thoughts...?

Ben
-Original Message-
From: Ben S. Butler 
Sent: 15 November 2012 00:05
To: 'Michael Smith'; William Herrin
Cc: nanog@nanog.org
Subject: RE: What is BCP re De-Aggregation: strict filtering /48s out of /32 
RIR minimums.

Hi,

 Again, I thought the discussion was about PI, not PA.  I don't announce any 
PA.

My point, which I feel may be getting lost, and for which ARIN may already have 
policies in place for, is that an IP assignment is made out of a block with a 
defined minimum assignment size.

Now some people simply advertise the assignment that is made to them, some 
people chose to advertise more specifics with a covering route, I have no 
problem with any of this.  What I am saying, is if people chose to deagregate 
to create islands, for which I can completely understand the commercial and 
networking reason and why it is then by extension impossible for them to 
advertise the covering route. Then in these specific cases of islands then 
these assignments should be made by the RIR from a block with a minimum prefix 
size of a /48.  Then the 

Dns sometimes fails using Google DNS / automatic dnssec

[MailPlus| David Hofstee]

Hi,

We've been seeing automatic RRSIG records on Google DNS lately, the 8.8.8.8 en 
8.8.4.4. They are not always provided. They cause problems for some of our 
customers in a weird way I cannot explain. For them these records do not 
resolve but I cannot reproduce it.

So when I run dig command

dig @8.8.8.8 m1.mailplus.nl

it often provides the RRSIG record (but e.g. the TXT record will not be 
signed). I've heard that DNS may fall back to TCP and/or may be filtered by 
firewalls if UDP is over 512 bytes. However, the request is not that long, 
about 200 bytes if I interpret the answer correctly.

Can someone come up with a good explanation why a tiny percentage of our 
customers cannot resolve (some of) our domains?

Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly 
asked. What is standard here?


Thanks,

David Hofstee

RE: Eaton 9130 UPS feedback

[Brandt, Ralph]

Note the EATON Press release.  Maybe the burn on the bench is the way
they get to the California energy reduction Standards?  If it isn't
working it isn't using power.


Date: 23 October 2012

Latest Eaton Thought Leadership White Paper Provides Technical Analysis
of Eaton's Energy Saver System

Eaton today announced the release of its latest white paper,
Understanding Eaton Energy Saver System. In the paper, George Navarro,
an Eaton technical solutions engineering specialist, explains how
Eaton's Energy Saver System (ESS) enables large uninterruptible power
systems (UPSs) to operate at up to 99 percent efficiency without
sacrificing reliability.

Though ESS is rapidly gaining support in the UPS industry for its
ability to build on the strengths of traditional double-conversion
architectures, many consultants and end users have questions about how
ESS works and what enables it to lower power consumption while
maintaining high levels of availability. In the paper, Navarro answers
these questions by providing in-depth technical information about ESS's
architecture, reliability characteristics, computational infrastructure
and surge suppression attributes.

Ralph Brandt

-Original Message-
From: Seth Mattinen [mailto:se...@rollernet.us] 
Sent: Tuesday, November 13, 2012 2:59 PM
To: nanog@nanog.org
Subject: Eaton 9130 UPS feedback

Does anyone use Eaton 9130 series UPS for anything? I'm curious how
they've worked out for you.

I bought a 700VA model to give it a whirl versus the traditional APC
since the Eaton is an online type with static bypass and also does some
high efficiency thing where it normally stays on bypass, but the first
thing it did on the bench was have the inverter/rectifier or bypass
section catch on fire and destroy itself.

~Seth

Re: Dns sometimes fails using Google DNS / automatic dnssec

[Yunhong Gu]

Hi, David

I work at Google Public DNS and will take a look at this issue. No
RRSIG should be returned unless the client set the DO bit to ask for
it.

Thanks
Yunhong

On Thu, Nov 15, 2012 at 9:12 AM, MailPlus| David Hofstee
da...@mailplus.nl wrote:
 Hi,

 We've been seeing automatic RRSIG records on Google DNS lately, the 8.8.8.8 
 en 8.8.4.4. They are not always provided. They cause problems for some of our 
 customers in a weird way I cannot explain. For them these records do not 
 resolve but I cannot reproduce it.

 So when I run dig command

 dig @8.8.8.8 m1.mailplus.nl

 it often provides the RRSIG record (but e.g. the TXT record will not be 
 signed). I've heard that DNS may fall back to TCP and/or may be filtered by 
 firewalls if UDP is over 512 bytes. However, the request is not that long, 
 about 200 bytes if I interpret the answer correctly.

 Can someone come up with a good explanation why a tiny percentage of our 
 customers cannot resolve (some of) our domains?

 Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly 
 asked. What is standard here?


 Thanks,

 David Hofstee

RE: Eaton 9130 UPS feedback

[Tom Morris]

Yeah, that's about right. When I had one fail that was not set in power
saver mode, it just shut off intermittently before letting out the genie.
When I had one go out while it was in energy saver mode, it continued to
operate but put out a weak ~80Vrms with heavy distortion that caused
equipment damage.

Foul.

Also in regards to OutBack - the Radian GS8048 is beautiful. I'd highly
recommend it. It is basically two inverter/charger  modules paralleled in
one chassis, each being 4Kw. I was playing with one and yoinked the control
cable to one module -- the power stayed on without incident and the MATE3
control unit (which is fun and Ethernet equipped) reported the error. If
you use the 8048 in half capacity it's redundant.

It gives 120/240 (l1, neutral, l2) out of the box and is pure sine. I
recommend getting the matching GS load center with it because it makes the
install super easy and includes the requisite breakers.

Tom Morris, KG4CYX
Chairman, South Florida Tropical Hamboree
Mad Scientist, Miami Children's Museum

This message sent from a mobile device. Silly typos provided free of charge.
On Nov 15, 2012 9:29 AM, Brandt, Ralph ralph.bra...@pateam.com wrote:

 Note the EATON Press release.  Maybe the burn on the bench is the way
 they get to the California energy reduction Standards?  If it isn't
 working it isn't using power.


 Date: 23 October 2012

 Latest Eaton Thought Leadership White Paper Provides Technical Analysis
 of Eaton's Energy Saver System

 Eaton today announced the release of its latest white paper,
 Understanding Eaton Energy Saver System. In the paper, George Navarro,
 an Eaton technical solutions engineering specialist, explains how
 Eaton's Energy Saver System (ESS) enables large uninterruptible power
 systems (UPSs) to operate at up to 99 percent efficiency without
 sacrificing reliability.

 Though ESS is rapidly gaining support in the UPS industry for its
 ability to build on the strengths of traditional double-conversion
 architectures, many consultants and end users have questions about how
 ESS works and what enables it to lower power consumption while
 maintaining high levels of availability. In the paper, Navarro answers
 these questions by providing in-depth technical information about ESS's
 architecture, reliability characteristics, computational infrastructure
 and surge suppression attributes.

 Ralph Brandt

 -Original Message-
 From: Seth Mattinen [mailto:se...@rollernet.us]
 Sent: Tuesday, November 13, 2012 2:59 PM
 To: nanog@nanog.org
 Subject: Eaton 9130 UPS feedback

 Does anyone use Eaton 9130 series UPS for anything? I'm curious how
 they've worked out for you.

 I bought a 700VA model to give it a whirl versus the traditional APC
 since the Eaton is an online type with static bypass and also does some
 high efficiency thing where it normally stays on bypass, but the first
 thing it did on the bench was have the inverter/rectifier or bypass
 section catch on fire and destroy itself.

 ~Seth

Re: Brasil/Mexico/Argentina connectivity

[Jima]

On Wednesday, November 14th, 2012, Olivier CALVANO wrote:
 I am search one or more carrier for connect 3 sites in Brasil, Mexico
 and Argentina to one of our pop
 in USA or Spain.

 I don't deal with it directly, but my employer has used MPLS offerings
from (in alphabetical order) BT, Level 3/Global Crossing, and Verizon in
a number of countries.  I suspect any of the three have access in all of
the countries listed.  I imagine there are others, but those are the ones
that sprung to mind.

 Jima

RE: Dns sometimes fails using Google DNS / automatic dnssec

[MailPlus| David Hofstee]

root@e3:/home/services# dig @8.8.8.8 m1.mailplus.nl

;  DiG 9.7.3  @8.8.8.8 m1.mailplus.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 38880
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;m1.mailplus.nl.IN  A

;; ANSWER SECTION:
m1.mailplus.nl. 1867IN  A   46.31.50.16
m1.mailplus.nl. 1867IN  RRSIG   A 7 3 3600 20130517082302 
20121115082302 3767 mailplus.nl. 
WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1pQRo8YIcxzlSN 
tHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0bMKYKIDuK8Gtz47AVDJaU0eX 
0FR8F5qqw897ClGf5ISa0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWF ujs=

;; Query time: 5 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 15 16:05:26 2012
;; MSG SIZE  rcvd: 219



---
David Hofstee

-Oorspronkelijk bericht-
Van: Yunhong Gu [mailto:g...@google.com] 
Verzonden: donderdag 15 november 2012 15:47
Aan: MailPlus| David Hofstee
CC: nanog@nanog.org
Onderwerp: Re: Dns sometimes fails using Google DNS / automatic dnssec

Hi, David

I work at Google Public DNS and will take a look at this issue. No
RRSIG should be returned unless the client set the DO bit to ask for
it.

Thanks
Yunhong

On Thu, Nov 15, 2012 at 9:12 AM, MailPlus| David Hofstee
da...@mailplus.nl wrote:
 Hi,

 We've been seeing automatic RRSIG records on Google DNS lately, the 8.8.8.8 
 en 8.8.4.4. They are not always provided. They cause problems for some of our 
 customers in a weird way I cannot explain. For them these records do not 
 resolve but I cannot reproduce it.

 So when I run dig command

 dig @8.8.8.8 m1.mailplus.nl

 it often provides the RRSIG record (but e.g. the TXT record will not be 
 signed). I've heard that DNS may fall back to TCP and/or may be filtered by 
 firewalls if UDP is over 512 bytes. However, the request is not that long, 
 about 200 bytes if I interpret the answer correctly.

 Can someone come up with a good explanation why a tiny percentage of our 
 customers cannot resolve (some of) our domains?

 Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly 
 asked. What is standard here?


 Thanks,

 David Hofstee

RE: Dns sometimes fails using Google DNS / automatic dnssec

[Jay Ford]

It looks like if the server has the RRSIG RR, it returns it.  For example, a
query with +dnssec will cause it to cache the RRSIG, after which it returns
it even if +dnssec not specified.


Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951


query without +dnssec before RRSIG is cached; RRSIG not returned


  : dig @8.8.8.8 m1.mailplus.nl

  ;  DiG 9.8.1-P1  @8.8.8.8 m1.mailplus.nl
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; -HEADER- opcode: QUERY, status: NOERROR, id: 3665
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;m1.mailplus.nl.IN  A

  ;; ANSWER SECTION:
  m1.mailplus.nl. 2985IN  A   46.31.50.16

  ;; Query time: 15 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8)
  ;; WHEN: Thu Nov 15 11:22:02 2012
  ;; MSG SIZE  rcvd: 48


query with +dnssec; RRSIG is returned


  : dig +dnssec +multi @8.8.8.8 m1.mailplus.nl

  ;  DiG 9.8.1-P1  +dnssec +multi @8.8.8.8 m1.mailplus.nl
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; -HEADER- opcode: QUERY, status: NOERROR, id: 58877
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags: do; udp: 512
  ;; QUESTION SECTION:
  ;m1.mailplus.nl.IN A

  ;; ANSWER SECTION:
  m1.mailplus.nl. 2978 IN A 46.31.50.16
  m1.mailplus.nl. 2978 IN RRSIG A 7 3 3600 20130517082302 (
  20121115082302 3767 mailplus.nl.
  WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p
  QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0
  bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
  0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )

  ;; Query time: 16 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8)
  ;; WHEN: Thu Nov 15 11:22:10 2012
  ;; MSG SIZE  rcvd: 230


query without +dnssec after RRSIG is cached; RRSIG returned


  : dig +multi @8.8.8.8 m1.mailplus.nl

  ;  DiG 9.8.1-P1  +multi @8.8.8.8 m1.mailplus.nl
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; -HEADER- opcode: QUERY, status: NOERROR, id: 13524
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;m1.mailplus.nl.IN A

  ;; ANSWER SECTION:
  m1.mailplus.nl. 2974 IN A 46.31.50.16
  m1.mailplus.nl. 2974 IN RRSIG A 7 3 3600 20130517082302 (
  20121115082302 3767 mailplus.nl.
  WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p
  QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0
  bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
  0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )

  ;; Query time: 17 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8)
  ;; WHEN: Thu Nov 15 11:22:13 2012
  ;; MSG SIZE  rcvd: 219

Re: Dns sometimes fails using Google DNS / automatic dnssec

[Yunhong Gu]

Hi, we have found the bug that caused this problem. It was introduced
in a very recent release. The fix is on its way.

Thanks very much for the report,
Yunhong

On Thu, Nov 15, 2012 at 12:26 PM, Jay Ford jay-f...@uiowa.edu wrote:
 It looks like if the server has the RRSIG RR, it returns it.  For example, a
 query with +dnssec will cause it to cache the RRSIG, after which it returns
 it even if +dnssec not specified.

 
 Jay Ford, Network Engineering Group, Information Technology Services
 University of Iowa, Iowa City, IA 52242
 email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951

 
 query without +dnssec before RRSIG is cached; RRSIG not returned
 

   : dig @8.8.8.8 m1.mailplus.nl

   ;  DiG 9.8.1-P1  @8.8.8.8 m1.mailplus.nl

   ; (1 server found)
   ;; global options: +cmd
   ;; Got answer:
   ;; -HEADER- opcode: QUERY, status: NOERROR, id: 3665

   ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

   ;; QUESTION SECTION:
   ;m1.mailplus.nl.IN  A

   ;; ANSWER SECTION:
   m1.mailplus.nl. 2985IN  A   46.31.50.16

   ;; Query time: 15 msec
   ;; SERVER: 8.8.8.8#53(8.8.8.8)
   ;; WHEN: Thu Nov 15 11:22:02 2012
   ;; MSG SIZE  rcvd: 48

 
 query with +dnssec; RRSIG is returned
 

   : dig +dnssec +multi @8.8.8.8 m1.mailplus.nl

   ;  DiG 9.8.1-P1  +dnssec +multi @8.8.8.8 m1.mailplus.nl

   ; (1 server found)
   ;; global options: +cmd
   ;; Got answer:
   ;; -HEADER- opcode: QUERY, status: NOERROR, id: 58877
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 512

   ;; QUESTION SECTION:
   ;m1.mailplus.nl.IN A

   ;; ANSWER SECTION:
   m1.mailplus.nl. 2978 IN A 46.31.50.16
   m1.mailplus.nl. 2978 IN RRSIG A 7 3 3600 20130517082302 (

   20121115082302 3767 mailplus.nl.

 WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p

 QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0

 bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
   0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )

   ;; Query time: 16 msec
   ;; SERVER: 8.8.8.8#53(8.8.8.8)
   ;; WHEN: Thu Nov 15 11:22:10 2012
   ;; MSG SIZE  rcvd: 230

 
 query without +dnssec after RRSIG is cached; RRSIG returned
 

   : dig +multi @8.8.8.8 m1.mailplus.nl

   ;  DiG 9.8.1-P1  +multi @8.8.8.8 m1.mailplus.nl

   ; (1 server found)
   ;; global options: +cmd
   ;; Got answer:
   ;; -HEADER- opcode: QUERY, status: NOERROR, id: 13524

   ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

   ;; QUESTION SECTION:
   ;m1.mailplus.nl.IN A

   ;; ANSWER SECTION:
   m1.mailplus.nl. 2974 IN A 46.31.50.16
   m1.mailplus.nl. 2974 IN RRSIG A 7 3 3600 20130517082302 (

   20121115082302 3767 mailplus.nl.

 WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p

 QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0

 bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
   0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )

   ;; Query time: 17 msec
   ;; SERVER: 8.8.8.8#53(8.8.8.8)
   ;; WHEN: Thu Nov 15 11:22:13 2012
   ;; MSG SIZE  rcvd: 219

Re: Brasil/Mexico/Argentina connectivity

[alejandroacostaalamo]

Hi Jima,
   I can help you contacting BT if you need so.

Alejandro,



--Mensaje original--
De: Jima
Para: nanog@nanog.org
Asunto: Re: Brasil/Mexico/Argentina connectivity
Enviado: 15 nov, 2012 11:35

On Wednesday, November 14th, 2012, Olivier CALVANO wrote:
 I am search one or more carrier for connect 3 sites in Brasil, Mexico
 and Argentina to one of our pop
 in USA or Spain.

 I don't deal with it directly, but my employer has used MPLS offerings
from (in alphabetical order) BT, Level 3/Global Crossing, and Verizon in
a number of countries.  I suspect any of the three have access in all of
the countries listed.  I imagine there are others, but those are the ones
that sprung to mind.

 Jima




Este mensaje ha sido enviado gracias al servicio BlackBerry de Movilnet

RE: Dns sometimes fails using Google DNS / automatic dnssec

[Tony Finch]

Jay Ford jay-f...@uiowa.edu wrote:

 It looks like if the server has the RRSIG RR, it returns it.  For example, a
 query with +dnssec will cause it to cache the RRSIG, after which it returns
 it even if +dnssec not specified.

It's weird. If you repeatedly query 8.8.4.4 without the DO bit, you get a
mixture of responses with and without an RRSIG and with varying TTLs. With
DO it appears to consistently return an RRSIG in the answer and the TTL
drops monotonically. 8.8.8.8 is similar except DO=0 replies don't include
RRSIGs. (Querying from JANET UK and hitting some servers a lethargic 12ms
away.)

while sleep 1; do dig +dnssec @8.8.4.4 m1.mailplus.nl; done

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

RE: authority to route?

[Schiller, Heather A]

..for some blocks I've taken over admin for.

  Make sure you are visibly listed as a Point of Contact on those records in 
the appropriate RIR, so that folks who get your request can verify you.  Even 
better, register in your RIR's RPKI program and generate a ROA for it.  Info 
about ARIN's here: https://www.arin.net/resources/rpki/index.html

 Then yes, notify their upstreams/peers if needed and post here if things get 
really desperate - have your records in order first.  

 --Heather

-Original Message-
From: Jim Mercer [mailto:j...@reptiles.org] 
Sent: Monday, November 12, 2012 2:44 PM
To: nanog@nanog.org
Subject: authority to route?

Hi,

Is there a common practice of providers to vet / validate requests to advertise 
blocks?

Who is the authority when it comes to determining if a request for routing is 
valid?

Is it the WHOIS data maintained by the various RIR?

It seems I'm playing whack-a-mole to get some routes shut down for some blocks 
I've taken over admin for.

If I email the contacts for the AS in WHOIS, and get no response, or a negative 
response, should I start going to their peers?

Some practical advice would be appreciated.

-- 
Jim Mercer Reptilian Research  j...@reptiles.org+1 416 410-5633
He who dies with the most toys is nonetheless dead

MPLS acceptable latency?

[Mikeal Clark]

Hello!

I have some ATT MPLS sites under a managed contract with latency
averaging 75-85 ms without any load.  These sites are only 45 minutes
away.  What is considered normal/acceptable?

Thanks,

Re: MPLS acceptable latency?

[Dan White]

On 11/15/12 12:54 -0600, Mikeal Clark wrote:

Hello!

I have some ATT MPLS sites under a managed contract with latency
averaging 75-85 ms without any load.  These sites are only 45 minutes
away.  What is considered normal/acceptable?


I recently had a scenario with some MPLS sites within the state nearly
doubling in latency (below 50ms round trip). Typically I see
round trip latency in the 20-35ms range, and those sites are within about a
90 minute drive from each other (Oklahoma, mostly T1s).

When I asked an ATT tech to investigate, he did not see log entries to
explain the increase or admit to any trouble, and stated that the service
levels for these MPLS circuits allowed for 75-80ms and I don't recall if
that was one way or round trip. He said that was to allow for coast to
coast latency scenarios. Delay returned to typical levels about 4 days
later, without explanation.

--
Dan White

Re: MPLS acceptable latency?

[Mike Hale]

Acceptable from a technical standpoint (in that stuff works) or acceptable
from an expected service standpoint?

In the case of the former, MPLS can run over really high latencies, so
you're nowhere near the limit.

For the latter, 85ms would be highly unacceptable to me for a circuit to a
site that's so close.  I would think your traffic is either being routed
really, really badly or their circuits are way over-subscribed.


On Thu, Nov 15, 2012 at 10:54 AM, Mikeal Clark mikeal.cl...@gmail.comwrote:

 Hello!

 I have some ATT MPLS sites under a managed contract with latency
 averaging 75-85 ms without any load.  These sites are only 45 minutes
 away.  What is considered normal/acceptable?

 Thanks,




-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Re: MPLS acceptable latency?

[Scott Weeks]

--- mikeal.cl...@gmail.com wrote:
From: Mikeal Clark mikeal.cl...@gmail.com

I have some ATT MPLS sites under a managed contract with latency
averaging 75-85 ms without any load.  These sites are only 45 minutes
away.  What is considered normal/acceptable?



Coast-to-coast latency is around 60-65msec, so that's high.

scott

Re: MPLS acceptable latency?

[Jared Mauch]

On Nov 15, 2012, at 1:54 PM, Mikeal Clark wrote:

 Hello!
 
 I have some ATT MPLS sites under a managed contract with latency
 averaging 75-85 ms without any load.  These sites are only 45 minutes
 away.  What is considered normal/acceptable?

MPLS as a technology should not add any significant delay as it is just a few 
bytes of label on the packet.

What is the physical path of the circuits involved?  Have you asked for the 
design of them?

- Jared

Re: MPLS acceptable latency?

[Jared Mauch]

On Nov 15, 2012, at 2:15 PM, Scott Weeks wrote:

 
 
 --- mikeal.cl...@gmail.com wrote:
 From: Mikeal Clark mikeal.cl...@gmail.com
 
 I have some ATT MPLS sites under a managed contract with latency
 averaging 75-85 ms without any load.  These sites are only 45 minutes
 away.  What is considered normal/acceptable?
 
 
 
 Coast-to-coast latency is around 60-65msec, so that's high.

What link speed?

Perhaps he's using ISDN or a T1?

Serialization delay is not to be ignored.

- Jared

Re: MPLS acceptable latency?

[Mikeal Clark]

The location in question is 7 T1s.  They were not willing to give us fiber.

On Thu, Nov 15, 2012 at 1:20 PM, Jared Mauch ja...@puck.nether.net wrote:

 On Nov 15, 2012, at 2:15 PM, Scott Weeks wrote:



 --- mikeal.cl...@gmail.com wrote:
 From: Mikeal Clark mikeal.cl...@gmail.com

 I have some ATT MPLS sites under a managed contract with latency
 averaging 75-85 ms without any load.  These sites are only 45 minutes
 away.  What is considered normal/acceptable?
 


 Coast-to-coast latency is around 60-65msec, so that's high.

 What link speed?

 Perhaps he's using ISDN or a T1?

 Serialization delay is not to be ignored.

 - Jared

Re: MPLS acceptable latency?

[PC]

Your provider is likely backhauling the circuits opposite directions to PE
routers in a different geographic local than the sites.  It's time to have
a discussion with your sales engineer about the physical pathing of your
circuits and PE router locations.

When I know I have latency critical circuits, I always insist on backhaul
to the same geographic region and/or Pe.

It's unlikely the MPLS or circuits themselves have anything to do with the
latency, assuming this is T1, Ethernet, or similar.

It's possible it could be a routing issue SP side, but is not as likely as
a general pathing issue.

On Thu, Nov 15, 2012 at 12:20 PM, Jared Mauch ja...@puck.nether.net wrote:


 On Nov 15, 2012, at 2:15 PM, Scott Weeks wrote:

 
 
  --- mikeal.cl...@gmail.com wrote:
  From: Mikeal Clark mikeal.cl...@gmail.com
 
  I have some ATT MPLS sites under a managed contract with latency
  averaging 75-85 ms without any load.  These sites are only 45 minutes
  away.  What is considered normal/acceptable?
  
 
 
  Coast-to-coast latency is around 60-65msec, so that's high.

 What link speed?

 Perhaps he's using ISDN or a T1?

 Serialization delay is not to be ignored.

 - Jared

Re: MPLS acceptable latency?

[Wes Tribble]

I concur.  We have sites all over the US and it is about 80-100 ms from
coast to coast with both of our MPLS providers.  45 minutes away your
latency should be 5ms on a decent network.




-



--- mikeal.cl...@gmail.com wrote:

From: Mikeal Clark mikeal.cl...@gmail.com



I have some ATT MPLS sites under a managed contract with latency averaging
75-85 ms without any load.  These sites are only 45 minutes away.  What is
considered normal/acceptable?







Coast-to-coast latency is around 60-65msec, so that's high.



scott

Re: MPLS acceptable latency?

[Scott Weeks]

--- ja...@puck.nether.net wrote:
On Nov 15, 2012, at 2:15 PM, Scott Weeks wrote:
 --- mikeal.cl...@gmail.com wrote:

 I have some ATT MPLS sites under a managed contract with latency
 averaging 75-85 ms without any load.  These sites are only 45 minutes
 away.  What is considered normal/acceptable?
 

 Coast-to-coast latency is around 60-65msec, so that's high.

What link speed?

Perhaps he's using ISDN or a T1?

Serialization delay is not to be ignored.
-


I believe serialization delay is so small as to not be
very noticeable.  A coast-to-coast T1 (that is not full)
should have no more latency than a coast-to-coast DS-3
or any other circuit.  After all, the T1 is muxed up and
then down crossing the same BACs in the middle.  The only 
serialization delay that is different is at the end points.

scott

(BAC = Big Ass Circuit :)

Fwd: MPLS acceptable latency?

[david peahi]

-- Forwarded message --
From: david peahi davidpe...@gmail.com
Date: Thu, Nov 15, 2012 at 12:15 PM
Subject: Re: MPLS acceptable latency?
To: Mikeal Clark mikeal.cl...@gmail.com



Assuming no configuration errors, this underscores the need to negotiate
SLAs, and serious SLA penalties, with the telcos, and to always request a
telco network map, with the telco path that data will be transitting
end-to-end.. My rule of thumb in network design is that data over copper or
fiber takes 10 ms per 1000 miles, which is governed by the speed of light.
Network devices along the path add serialization/de-serialization delay,
but with modern network devices this delay is negligible. So according to
this rule of thumb 85 ms is almost enough time for data to traverse the USA
3 times.
I have found that telcos have been setting round trip SLAs so high that
they are meaningless (e.g. 50 ms for a GigE MEF ELAN service, 20 ms for
Gold MEF EVPL service), and border on being  fraudulent. In one case I
also noted 100 ms round trip times between sites less than 1 mile away, and
discovered that every packet was being sent back to east Texas from
Southern California, almost a 5000 mile detour.




On Thu, Nov 15, 2012 at 10:54 AM, Mikeal Clark mikeal.cl...@gmail.comwrote:

 Hello!

 I have some ATT MPLS sites under a managed contract with latency
 averaging 75-85 ms without any load.  These sites are only 45 minutes
 away.  What is considered normal/acceptable?

 Thanks,

re: Fwd: MPLS acceptable latency?

[eric-l...@truenet.com]

boldMy humble opinion/bold
SLAs are more for accountants and lawyers.  Get the right tech support on 
the phone and you can solve most issues without all the hassle.  SLAs 
really are minimal if you can contact the right people and work through the 
problem.  +1 to Level3 and Cogent as I have had some of the best trouble 
shooting for even minimal problems...


 From: david peahi davidpe...@gmail.com
Sent: Thursday, November 15, 2012 3:31 PM
To: nanog@nanog.org
Subject: Fwd: MPLS acceptable latency?

-- Forwarded message --
From: david peahi davidpe...@gmail.com
Date: Thu, Nov 15, 2012 at 12:15 PM
Subject: Re: MPLS acceptable latency?
To: Mikeal Clark mikeal.cl...@gmail.com

Assuming no configuration errors, this underscores the need to negotiate
SLAs, and serious SLA penalties, with the telcos, and to always request a
telco network map, with the telco path that data will be transitting
end-to-end.. My rule of thumb in network design is that data over copper 
or
fiber takes 10 ms per 1000 miles, which is governed by the speed of light.
Network devices along the path add serialization/de-serialization delay,
but with modern network devices this delay is negligible. So according to
this rule of thumb 85 ms is almost enough time for data to traverse the 
USA
3 times.
I have found that telcos have been setting round trip SLAs so high that
they are meaningless (e.g. 50 ms for a GigE MEF ELAN service, 20 ms for
Gold MEF EVPL service), and border on being  fraudulent. In one case I
also noted 100 ms round trip times between sites less than 1 mile away, 
and
discovered that every packet was being sent back to east Texas from
Southern California, almost a 5000 mile detour.

Re: What is BCP re De-Aggregation: strict filtering /48s out of /32 RIR minimums.

[Matthew Petach]

On Thu, Nov 15, 2012 at 2:15 AM, Ben S. Butler
ben.but...@c2internet.net wrote:
 Hi,
...
 snip
...
 What we need is a way to filter that says throw this prefix away if I can see 
 it inside of another prefix.  Ie discard this /48 if it is part of a /32 (or 
 bigger) that I also have in my RIB and then insert the /32 into FIB and 
 discard the /48.

Would you want this logic to still apply if you have ::/0 in your table
anywhere?  It really is the ultimate covering route for everything
else, and for some set of sites that advertise non-aggregated /48s,
their thought process may wander into the territory of it doesn't
matter so much if you don't see the more specifics, you'll just
follow your default route to your upstream provider, and it'll reach
me that way.

It seems that this particular problem space only occurs for networks
that want to implement strict filters to limit their routing table size,
but also want to run completely default-free.  It sounds a little bit
like such people may be trying to shift the cost burden around in
an odd fashion.

I don't want to listen to your more specifics; I worry about my
routing table resources, and whether or not I can keep up with
the rest of the internet.  But I also want to look like I'm one of
the big default-free providers, which means I'm creating reachability
problems to your network through my own choices.  Won't you
help me solve my self-created problem by altering how you
build and configure your network?

I have no issues with people filtering out more specific prefixes
to limit the size of their view of the routing table; I do it for
routers I administer that don't have adequate resources to
take a full view.  But I also ensure that those devices have
a covering default route towards something that *does* know
how to get closer to the destination.

[more snippage...]

 So I guess the logic becomes

 /48 Routes tagged with an island community permit as long as there is not a 
 less specific covering route in the RIB.

 /48 Routes tagged with a TE community can be permitted or denied as chosen by 
 the recipient end AS but should be carried in the DFZ by transit providers.

If you're having reachability problems to /48s that you're filtering
out, you must be trying to play in the DFZ; otherwise, your default
route would cover you, and this would be a non-issue.  And if you're
playing in the DFZ, by your own rule here, you should be carrying
those routes rather than filtering them out.

 /48 Routes that are not tagged should be assessed against RIR netblock 
 minimums as being valid or invalid.

 Future RIR assignments should rigorously explore if the assignment is 
 intended to be going to have an aggregate route or not, so for island 
 networks that will not be aggregated are moved to a separate /12 with a /48 
 minimum and /40 maximum announced prefix size - rather than carried in the 
 same block as PA (Aggregated) / ISP blocks that have a /32 minimum.

 If we do that, it keeps the existing problem the size it is currently and 
 solves it for future assignments, allows the island networks to work, 
 prevents people cheating by trying to sneak a TE route in as an island route 
 when there is covering /32 route, dumps off the rubbish from spurious 
 announcements and hijacking, while allowing PI end user /48s to continue to 
 work...  I think that would address the problem.


I think your use of the term cheating here is misapplied.

You've stated that the more specifics *must* be accepted
by the DFZ providers, so that downstreams can make their
own decisions as to whether to accept and use them or not.
You're implying that your network is default free, and thus
by not accepting the more specific prefixes, you would see
reachabiliity issues:

 It is not my place to judge your business, nor is it anyone elses to expect 
 the rest of us to accept TE routes without a coverall and expect to be 
 reachable.

Contrary to that line, you've stated you _do_ expect that
DFZ providers should accept those TE routes with or
without a coverall, in order to provide reachability.  I don't
think it's reasonable for you to expect to have it both ways.
It really sounds like you want every other DFZ provider to
have to carry the longer prefixes *except you*--and I don't think
you'll see much support from the rest of the community
for a proposal like that.

And if you *do* carry ::/0 in your network from an upstream,
this is all a moot point; filter away to whatever level your
heart desires, you won't be creating a reachability problem;
at worst, you'll create some inefficient routing, but the
packets will still flow.

 /snip

 Thoughts...?

 Ben

tl;dr -- this is what those HE sessions are for.

Matt
probably way off in the weeds in left field at this point...I should
never try to reply to messages during the day; so many distractions,
I never remember what it was I was trying to say back when I started
the sentence.  ^_^;

Re: MPLS acceptable latency?

[William Herrin]

On Thu, Nov 15, 2012 at 1:54 PM, Mikeal Clark mikeal.cl...@gmail.com wrote:
 I have some ATT MPLS sites under a managed contract with latency
 averaging 75-85 ms without any load.  These sites are only 45 minutes
 away.

I've noticed this with ATT's MPLS product when dealing with the
internal corporate network here. I don't know what they're doing wrong
but it is so very wrong.

  What is considered normal/acceptable?

Less than 10ms unless you're using a sub-T1 interface or going a very
long distance.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004

Re: MPLS acceptable latency?

[Randy]

--- On Thu, 11/15/12, William Herrin b...@herrin.us wrote:

 From: William Herrin b...@herrin.us
 Subject: Re: MPLS acceptable latency?
 To: Mikeal Clark mikeal.cl...@gmail.com
 Cc: NANOG [nanog@nanog.org] nanog@nanog.org
 Date: Thursday, November 15, 2012, 1:23 PM
 On Thu, Nov 15, 2012 at 1:54 PM,
 Mikeal Clark mikeal.cl...@gmail.com
 wrote:
  I have some ATT MPLS sites under a managed
 contract with latency
  averaging 75-85 ms without any load.  These sites
 are only 45 minutes
  away.
 
 I've noticed this with ATT's MPLS product when dealing
 with the
 internal corporate network here. I don't know what they're
 doing wrong
 but it is so very wrong.

circa 2007, noticed same thing: never below 90ms coast-to-coast across as13979. 
atm ds3 handoffs on both ends.

 
   What is considered normal/acceptable?
 
 Less than 10ms unless you're using a sub-T1 interface or
 going a very
 long distance.
 
 Regards,
 Bill Herrin
 
 
 -- 
 William D. Herrin  her...@dirtside.com 
 b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004
 

Re: MPLS acceptable latency?

[Alex]

Perhaps the network is oldish and there are BW bottlenecks that lead 
to queues on the switches/routers that results in higher latency.
This would depend alot on the internal QoS strategy used by ATT, the 
type of equipment used and the load in different parts of the network.


The only way to know what happens inside their MPLS cloud is to get past 
support and ask someone from the technical staff.


On 11/16/2012 12:06 AM, Randy wrote:

--- On Thu, 11/15/12, William Herrin b...@herrin.us wrote:


From: William Herrin b...@herrin.us
Subject: Re: MPLS acceptable latency?
To: Mikeal Clark mikeal.cl...@gmail.com
Cc: NANOG [nanog@nanog.org] nanog@nanog.org
Date: Thursday, November 15, 2012, 1:23 PM
On Thu, Nov 15, 2012 at 1:54 PM,
Mikeal Clark mikeal.cl...@gmail.com
wrote:

I have some ATT MPLS sites under a managed

contract with latency

averaging 75-85 ms without any load.  These sites

are only 45 minutes

away.

I've noticed this with ATT's MPLS product when dealing
with the
internal corporate network here. I don't know what they're
doing wrong
but it is so very wrong.

circa 2007, noticed same thing: never below 90ms coast-to-coast across as13979. 
atm ds3 handoffs on both ends.


   What is considered normal/acceptable?

Less than 10ms unless you're using a sub-T1 interface or
going a very
long distance.

Regards,
Bill Herrin


--
William D. Herrin  her...@dirtside.com
b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004

RE: What is BCP re De-Aggregation: strict filtering /48s out of /32 RIR minimums.

[Ben S. Butler]

Hi,

Ok. I am trying to encourage an inclusive exploration of an issue that seems to 
be emergent.  I am trying to get the community to articulate BCP not dictate it.

Would you want this logic to still apply if you have ::/0 in your table 
anywhere?

Yes obviously limits would apply to the filter on min and max in a recursive 
filter.

It sounds a little bit like such people may be trying to shift the cost burden 
around in an odd fashion.

I am seeking community input before we manage to screw things up.  I do not 
want a route table with 10M+ prefixes.  One of the points of v6 is aggregation, 
would it not be silly to adopt a liaise a faire view to route pollution and 
associated security considerations.

But I also want to look like I'm one of the big default-free providers

I struggle to not use direct language here. Firstly I never asserted I was DFZ 
or want to be, quiet the opposite, seeking clarification of BCP.

default route towards something that *does* know how to get closer to the 
destination.

Filtering exists for internet security not route table size, your default 
return path trashes that.

you must be trying to play in the DFZ

Lol, understand the issue at hand

I think your use of the term cheating here is misapplied.

Read my suggestion, if you deliberately falsely tag a route with the wrong 
community under my proposed model, what would you call it?

You're implying that your network is default free

Nope, I am trying to find a solution that works for everyone that empowers the 
recipient AS with the choice of what they filter in an informed fashion for 
mutual benefit.

DFZ provider to have to carry the longer prefixes *except you*

Firstly that was a comment to the sub informed way some people work, however, 
my point is we have a legacy that can not be solved by new policy.  We have to 
accommodate that legacy and the answer is not to say lets just go with a /48 no 
questions asked.  Networks involve design and engineering, we can accommodate 
all peoples needs within a structure.

And if you *do* carry ::/0 in your network from an upstream, this is all a 
moot point; filter away to whatever level your heart desires,

You just agreed with me.

#

We are at the start of a new network, lets learn from the past.  My posts are 
open and non judgemental, please, keep to the issue, if you don't get it yet 
then clue up.  Arms open here, can anyone else see the future cast issue I am 
tryin to raise if all the aggregate deag without control, we were all worried 
about PI multihoming a year ago and route table bloat.

Lets try to stay on point.

Ben

Re: authority to route?

[Kyle Creyts]

Jeez, isn't RPKI supposed to solve this problem?

On Thu, Nov 15, 2012 at 10:36 AM, Schiller, Heather A
heather.schil...@verizon.com wrote:

 ..for some blocks I've taken over admin for.

   Make sure you are visibly listed as a Point of Contact on those records in 
 the appropriate RIR, so that folks who get your request can verify you.  Even 
 better, register in your RIR's RPKI program and generate a ROA for it.  Info 
 about ARIN's here: https://www.arin.net/resources/rpki/index.html

  Then yes, notify their upstreams/peers if needed and post here if things get 
 really desperate - have your records in order first.

  --Heather

 -Original Message-
 From: Jim Mercer [mailto:j...@reptiles.org]
 Sent: Monday, November 12, 2012 2:44 PM
 To: nanog@nanog.org
 Subject: authority to route?

 Hi,

 Is there a common practice of providers to vet / validate requests to 
 advertise blocks?

 Who is the authority when it comes to determining if a request for routing 
 is valid?

 Is it the WHOIS data maintained by the various RIR?

 It seems I'm playing whack-a-mole to get some routes shut down for some 
 blocks I've taken over admin for.

 If I email the contacts for the AS in WHOIS, and get no response, or a 
 negative response, should I start going to their peers?

 Some practical advice would be appreciated.

 --
 Jim Mercer Reptilian Research  j...@reptiles.org+1 416 410-5633
 He who dies with the most toys is nonetheless dead





-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer