Re: Fiber terminations -- UPC vs APC

[Carlos Alcantar]

+1 here on going all APC on the panels, note we run a gpon network so
making that choice was fairly easy for us.  You do end up having to use a
lot of sc or lc/upc - sc/apc patch cables on the colo equipment side of
things but everything out in the field is 100% sc/apc.

Carlos Alcantar
Race Communications / Race Team Member
1325 Howard Ave. #604, Burlingame, CA. 94010
Phone: +1 415 376 3314 / car...@race.com / http://www.race.com





-Original Message-
From: Lamar Owen lo...@pari.edu
Date: Monday, November 19, 2012 2:30 PM
To: Jeff Kell jeff-k...@utc.edu
Cc: nanog@nanog.org nanog@nanog.org
Subject: Re: Fiber terminations -- UPC vs APC


On Nov 19, 2012, at 4:37 PM, Jeff Kell wrote:

 Looking for some guidance/references on the use of UPC versus APC
 terminations on fiber
 cabling.  Traditionally we have done all of our fiber plant
 targeting data usage with
 UPC connectors.  We are also looking at proposals for fiber
 distribution plant for
 video, and the possibility of using some of the existing fiber plant
 for that purpose;
 as well as any new fiber plant that gets installed for video
 potentially as data.

 The video folks are set, determined, and insistent that they need
 APC terminations.

APC is pretty much the standard for high-power video distribution, and
for very good reasons.  The return loss is much better for APC than
for UPC, for instance, and that can be very significant depending upon
the equipment being used to drive.  Much video distribution gear,
including passive splitters and EDFA's, are only available with APC
connectors.

Mating an APC to a UPC will result in an 'air-gap attenuator' being
created, and that may be a problem.  A significant problem for some
gear, in fact.

Really high-power long-haul gear may need APC as well, even for
networking stuff.

Your choice boils down to parallel plants or only APC with UPC jumpers
for non-APC equipment.  You really really don't want to have any UPC
connectors in a really high-power path that needs APC all the way; I
have actually seen some warranty statements, for some older equipment,
primarily EDFA modules, that indicate that the warranty would be
voided if any non-APC connectors were in the path anywhere.  The
reflections from a UPC end can detune some of these lasers, and can,
in theory at least, cause permanent transmitter damage that won't be
under warranty.

You could, though, provision half APC and half UPC, since the color
coding is pretty clear.  You can even use, say, all LC on your UPC
patches and all SC on you APC patches or similar, and get both with
little danger of intermating.  I think I'd personally rather just
provision all APC in the backbone fiber runs and install APC to UPC
distribution runs to your network gear.

But you'll have to train people to always plug green connectors into
green connectors, and blue into blue, and never should green and blue
mix.





smime.p7s
Description: S/MIME cryptographic signature

Big day for IPv6 - 1% native penetration

[Tomas Podermanski]

Hi,

It seems that today is a big day for IPv6. It is the very first
time when native IPv6 on google statistics
(http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
might say it is tremendous success after 16 years of deploying IPv6 :-)

T.

Re: Long and unabbreviatable IPv6 addresses with random overloaded bits, vs. tunnelbroker

[Dan Luedtke]

On Sun, 18 Nov 2012 21:40:45 -0800
Owen DeLong o...@delong.com wrote:

 Setting up a proper IPv6 subnet and unique gateway for each VM is
 probably insane, but, potentially less insane than some other
 alternatives.
I second that! I give out a proper configured /64 to every customer
regardless of he has one, two or more VMs in his network. The
alternatives did not work for us, furthermore scaling the networks is
reduced to drop in more VMs until the /64 runs out of addresses (read:
never) OR the situation calls for other setups anyway.

Receiving a /112 should make one at least thinking about the underlying
network design for a minute. It just looks awkward!

Cheers

Dan

Re: Big day for IPv6 - 1% native penetration

[Aaron Toponce]

On Tue, Nov 20, 2012 at 10:14:18AM +0100, Tomas Podermanski wrote:
 It seems that today is a big day for IPv6. It is the very first
 time when native IPv6 on google statistics
 (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
 might say it is tremendous success after 16 years of deploying IPv6 :-)

And given the rate on that graph, we'll hit 2% before year-end 2013.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


pgpfVNAIV5UfP.pgp
Description: PGP signature

Re: Big day for IPv6 - 1% native penetration

[Owen DeLong]

It is entirely possible that Google's numbers are artificially low for a number
of reasons.

Owen

On Nov 20, 2012, at 5:31 AM, Aaron Toponce aaron.topo...@gmail.com wrote:

 On Tue, Nov 20, 2012 at 10:14:18AM +0100, Tomas Podermanski wrote:
It seems that today is a big day for IPv6. It is the very first
 time when native IPv6 on google statistics
 (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
 might say it is tremendous success after 16 years of deploying IPv6 :-)
 
 And given the rate on that graph, we'll hit 2% before year-end 2013.
 
 -- 
 . o .   o . o   . . o   o . .   . o .
 . . o   . o o   o . o   . o o   . . o
 o o o   . o .   . o o   o o .   o o o

Re: Big day for IPv6 - 1% native penetration

[Ray Soucy]

Or artificially high ...

On Tue, Nov 20, 2012 at 8:45 AM, Owen DeLong o...@delong.com wrote:
 It is entirely possible that Google's numbers are artificially low for a 
 number
 of reasons.

 Owen

 On Nov 20, 2012, at 5:31 AM, Aaron Toponce aaron.topo...@gmail.com wrote:

 On Tue, Nov 20, 2012 at 10:14:18AM +0100, Tomas Podermanski wrote:
It seems that today is a big day for IPv6. It is the very first
 time when native IPv6 on google statistics
 (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
 might say it is tremendous success after 16 years of deploying IPv6 :-)

 And given the rate on that graph, we'll hit 2% before year-end 2013.

 --
 . o .   o . o   . . o   o . .   . o .
 . . o   . o o   o . o   . o o   . . o
 o o o   . o .   . o o   o o .   o o o





-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net

Re: Big day for IPv6 - 1% native penetration

[William F. Maton Sotomayor]

APNIC labs have an interesting set of numbers on IPv6 uptake as well.

http://labs.apnic.net/measureipv6/

On Tue, 20 Nov 2012, Owen DeLong wrote:


It is entirely possible that Google's numbers are artificially low for a number
of reasons.

Owen

On Nov 20, 2012, at 5:31 AM, Aaron Toponce aaron.topo...@gmail.com wrote:


On Tue, Nov 20, 2012 at 10:14:18AM +0100, Tomas Podermanski wrote:

   It seems that today is a big day for IPv6. It is the very first
time when native IPv6 on google statistics
(http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
might say it is tremendous success after 16 years of deploying IPv6 :-)


And given the rate on that graph, we'll hit 2% before year-end 2013.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o






wfms

RE: Big day for IPv6 - 1% native penetration

[Tony Hain]

Tomas Podermanski wrote:
 
 Hi,
 
 It seems that today is a big day for IPv6. It is the very first time
when
 native IPv6 on google statistics
 (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
 might say it is tremendous success after 16 years of deploying IPv6 :-)
 
 T.

Or one could look at it as; despite 16 years of lethargy and lack of
deployment by access networks, the traffic still finds a way.  ;)

Tony

Re: Big day for IPv6 - 1% native penetration

[Oliver Garraux]

So, I assume 6in4 tunnels like HE.net are included in the native percentage?

Oliver

-

Oliver Garraux
Check out my blog:  www.GetSimpliciti.com/blog
Follow me on Twitter:  twitter.com/olivergarraux


On Tue, Nov 20, 2012 at 9:02 AM, William F. Maton Sotomayor
wma...@ottix.net wrote:

 APNIC labs have an interesting set of numbers on IPv6 uptake as well.

 http://labs.apnic.net/measureipv6/


 On Tue, 20 Nov 2012, Owen DeLong wrote:

 It is entirely possible that Google's numbers are artificially low for a
 number
 of reasons.

 Owen

 On Nov 20, 2012, at 5:31 AM, Aaron Toponce aaron.topo...@gmail.com
 wrote:

 On Tue, Nov 20, 2012 at 10:14:18AM +0100, Tomas Podermanski wrote:

It seems that today is a big day for IPv6. It is the very first
 time when native IPv6 on google statistics
 (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
 might say it is tremendous success after 16 years of deploying IPv6 :-)


 And given the rate on that graph, we'll hit 2% before year-end 2013.

 --
 . o .   o . o   . . o   o . .   . o .
 . . o   . o o   o . o   . o o   . . o
 o o o   . o .   . o o   o o .   o o o





 wfms

Re: Big day for IPv6 - 1% native penetration

[Sander Steffann]

Hi,

 So, I assume 6in4 tunnels like HE.net are included in the native percentage?

As the traffic is delivered as native traffic to Google I don't think Google 
can even see that there is a tunnel between them and the user. They might see a 
lower MTU, but to Google the traffic is native IPv6.

- Sander

Re: Big day for IPv6 - 1% native penetration

[bmanning]

Dr. Frederick Frankenstein: LIFE! DO YOU HEAR ME? GIVE MY CREATION... LIFE! 

 
  On Tue, Nov 20, 2012 at 10:14:18AM +0100, Tomas Podermanski wrote:
 
 It seems that today is a big day for IPv6. It is the very first
  time when native IPv6 on google statistics
  (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
  might say it is tremendous success after 16 years of deploying IPv6 :-)
 
 
  And given the rate on that graph, we'll hit 2% before year-end 2013.
 

Re: Big day for IPv6 - 1% native penetration

[Tore Anderson]

* Oliver Garraux

 So, I assume 6in4 tunnels like HE.net are included in the native
 percentage?

Probably. Fortunately, they are a drop in the ocean (at least from my
point of view).

-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com

Re: Big day for IPv6 - 1% native penetration

[Owen DeLong]

On Nov 20, 2012, at 7:06 AM, Sander Steffann san...@steffann.nl wrote:

 Hi,
 
 So, I assume 6in4 tunnels like HE.net are included in the native 
 percentage?
 
 As the traffic is delivered as native traffic to Google I don't think Google 
 can even see that there is a tunnel between them and the user. They might see 
 a lower MTU, but to Google the traffic is native IPv6.
 
 - Sander
 

That's only really true of the 6in4 (tunnel broker) tunnels. The 6to4 traffic 
that comes through our 6to4 or any other 6to4 gateways, OTOH, will have 
2002::/16 addresses which makes it just as obvious as Teredo.

Owen

Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[Christopher Morrow]

On Tue, Nov 20, 2012 at 2:35 AM, Derek Ivey de...@derekivey.com wrote:
 I saw this on Reddit and thought it was fascinating. I figured I'd share it
 here too since no one else did.

 http://www.theverge.com/2012/11/17/3655442/restoring-verizon-service-manhattan-hurricane-sandy


hey lookie! 'free uprades'!

also, one wonders what the bill is for such upgrades, and what the
implications are for state-run-disaster relief vs
national-level-disaster-relief? Also, how much of the VZ issue (phone
stuff) is going to end up being caught in VZ's financials vs
disaster-relief-funds ?

-chris

Re: Big day for IPv6 - 1% native penetration

[ポール・ロラン]

Hello,

On Tue, 20 Nov 2012 10:14:18 +0100
Tomas Podermanski tpo...@cis.vutbr.cz wrote:

 It seems that today is a big day for IPv6. It is the very first
 time when native IPv6 on google statistics
 (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
 might say it is tremendous success after 16 years of deploying IPv6 :-)

Funny enough, the peaks are indicating... week-ends !
Do people use more google during the WE, or do they have more IPv6 @ home ?

Paul


signature.asc
Description: PGP signature

Re: NTP Issues Today

[Sid Rao]

We had multiple servers synchronized with Windows/MS time change their clock to 
the year 2000 today.  It broke many things, including AD authentication. 

These servers had been properly synchronized for years. 

They were synchronized with Microsoft and NIST NTP servers. 

This may not be isolated. 

Sid Rao | CTI Group | +1 (317) 262-4677

On Nov 19, 2012, at 10:29 PM, George Herbert george.herb...@gmail.com wrote:

 crossreplying to outages list.
 
 Is anyone ELSE seeing GPS issues?  This could well have been an
 unrelated issue on that particular PBX.
 
 If this was real, then the mother of all infrastructure attacks might
 be underway...
 
 One glitch on tick and tock and one malfunctioning PBX is not
 sufficient evidence of pattern - much less hostile activity - to
 induce panic, but it would perhaps be a wise time to check
 time-related logs?
 
 
 -george
 
 On Mon, Nov 19, 2012 at 6:08 PM, Wallace Keith
 kwall...@pcconnection.com wrote:
 Just got paged with a pbx alarm that had 1970 as the year. By the time I 
 logged in , it was showing 2012.  Using GPS for time and date.
 
 -Original Message-
 From: Mark Andrews [mailto:ma...@isc.org]
 Sent: Monday, November 19, 2012 8:42 PM
 To: Van Wolfe
 Cc: nanog@nanog.org
 Subject: Re: NTP Issues Today
 
 
 In message 
 cameggd4cdqwhxqe_jbvpnr-pkke9lxqa+kzj97anhfonjwz...@mail.gmail.com
 , Van Wolfe writes:
 Hello,
 
 Did anyone else experience issues with NTP today?  We had our server
 times update to the year 2000 at around 3:30 MT, then revert back to 2012.
 
 Thanks,
 Van
 
 NTP should be immune from this sort of behaviour unless you did a ntpdate at 
 the wrong moment.  The clocks should have been marked as insane.
 
 Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
 
 
 
 
 
 -- 
 -george william herbert
 george.herb...@gmail.com
 
 

RE: Technical help required to check routing or filtering of Gobal IP routing range: 1.128.0.0 - 1.159.255.255 in the Level 3 Network Space.

[Scott, Robert D.]

http://lookingglass.level3.net/

Should get U what U need.

Robert D. Scottrob...@ufl.edu
Senior Network Engineer352-273-0113 Phone
UF Information Technology  352-392-2061 CNS Phone Tree
CNS - Network Services 352-273-0743 FAX
University of Florida  352-294-3571 FLR NOC
Florida Lambda Rail321-663-0421 Cell
Gainesville, FL  32611 3216630...@messaging.sprintpcs.com


-Original Message-
From: Attila Vekas [mailto:attilave...@gmail.com] 
Sent: Tuesday, November 20, 2012 1:18 AM
To: NANOG@nanog.org
Subject: Technical help required to check routing or filtering of Gobal IP 
routing range: 1.128.0.0 - 1.159.255.255 in the Level 3 Network Space.

Hi All,

I need technicial assistance with either a routing or ip restrication
problem impacting our mobile ip customers in Australia.

Customers using our Mobile Network are allocated an address in the
1.128.0.0 - 1.159.255.255 range to allow communication on the internet.

I have a customer's who can't reach websites hosted oversea where the like
cause appears to be some were in the Level 3 routing domain (I suspect).
1. Customer A trying to get www.readingeggs.com.au fails when using a
Mobile Internet connection.

C:\Documents and Settings\c832677tracert www.readingeggs.com.au



Tracing route to readingeggs.com.au [209.251.186.131]

over a maximum of 30 hops:



  1   458 ms   419 ms   539 ms  10.5.81.50

  2 *** Request timed out.

  3 *** Request timed out.

  4   350 ms   659 ms   659 ms  bundle-ether12.pie8.perth.telstra.net[120.151.2
55.17]

  5   578 ms   629 ms   449 ms  bundle-ether1.pie-core1.perth.telstra.net[203.5
0.6.221]

  6   448 ms   509 ms   539 ms  bundle-ether6.way-core4.adelaide.telstra.net[20
3.50.11.16]

 7   457 ms   549 ms   529 ms  bundle-ether9.exi-core1.melbourne.telstra.net[2
03.50.11.93]

  8   468 ms   509 ms   539 ms  bundle-ether12.chw-core2.sydney.telstra.net[203
.50.11.74]

  9   458 ms   709 ms   559 ms  bundle-ether1.oxf-gw2.sydney.telstra.net[203.50
.6.90]

10   448 ms   519 ms   789 ms  203.50.13.174

11   597 ms   759 ms   709 ms  i-0-0-0-0.paix-core01.bx.telstraglobal.net[202.
84.140.145]

12   649 ms   659 ms   730 ms  i-0-0-0-0.eqnx-core01.bi.telstraglobal.net[202.
84.140.142]

13   579 ms   719 ms   709 ms  i-0-0-0-3.eqnx03.bi.telstraglobal.net[202.84.25
1.126]

14   599 ms   689 ms   689 ms  l3-peer.eqnx03.pr.telstraglobal.net[134.159.61.
6]

15   618 ms   689 ms   689 ms  ae-22-70.car2.SanJose1.Level3.net[4.69.152.68]

16 *** Request timed out.

17 *** Request timed out.

18 *** Request timed out.

19 *** Request timed out.

20 *** Request timed out.

21 *** Request timed out.

22 *** Request timed out.

23 *** Request timed out.

24 *** Request timed out.

25 *** Request timed out.

26 *** Request timed out.

27 *** Request timed out.

28 *** Request timed out.

29 *** Request timed out.

30 *** Request timed out.

 Trace complete.
A successful traceroute to www.readingeggs.com is shown below and was
obtained from a fix-line connection to the internet:

C:\Documents and Settings\c832677tracert www.readingeggs.com.au



Tracing route to readingeggs.com.au [209.251.186.131]

over a maximum of 30 hops:



  11 ms1 ms1 ms  10.0.0.1

  2 1 ms 1 ms 1 ms
gigabitethernet2-16.lon69.melbourne.telstra.net[139.130.43.29]

  3 4 ms 2 ms 3 ms
bundle-ether3.exi-core1.melbourne.telstra.net [203.50.80.1]

  423 ms23 ms23 ms  bundle-ether12.chw-core2.sydney.telstra.net[203
.50.11.74]

  522 ms23 ms23 ms  bundle-ether1.oxf-gw2.sydney.telstra.net[203.50
.6.90]

  616 ms16 ms16 ms
tengigabitethernet14-0.sydo-core01.sydney.reach.com [203.50.13.42]

  7   159 ms   158 ms   158 ms  i-0-6-2-0.paix-core01.bx.telstraglobal.net[202.
84.140.90]

  8   193 ms   192 ms   192 ms  i-0-7-2-0.eqnx-core01.bi.telstraglobal.net[202.
84.140.30]

  9   193 ms   193 ms   193 ms  i-0-0-0-1.eqnx03.bi.telstraglobal.net[202.84.25
1.50]

10   208 ms   191 ms   208 ms  l3-peer.eqnx03.pr.telstraglobal.net[134.159.61.
6]

11   209 ms   209 ms   209 ms  ae-42-90.car2.SanJose1.Level3.net[4.69.152.196]

12   193 ms   193 ms   193 ms  DATA-RETURN.car2.SanJose1.Level3.net[4.53.18.13
4]

13   234 ms   234 ms   234 ms  t0-0-0-1.br1.stc.terremark.net[66.165.161.169]

14   235 ms   234 ms   234 ms  po14.br1.mia.terremark.net [66.165.160.225]

15   359 ms   248 ms   250 ms  t8-1.gw1.mia.terremark.net [66.165.161.82]

16   234 ms   234 ms   237 ms  66.165.170.14

17   229 ms   229 ms   229 ms  72.46.239.94

18   233 ms   233 ms   232 ms  209.251.186.131



In the 

Re: Big day for IPv6 - 1% native penetration

[Patrick W. Gilmore]

On Nov 20, 2012, at 08:45 , Owen DeLong o...@delong.com wrote:

 It is entirely possible that Google's numbers are artificially low for a 
 number
 of reasons.

AMS-IX publishes stats too:
https://stats.ams-ix.net/sflow/

This is probably a better view of overall percentage on the Internet than a 
specific company's content.  It shows order of 0.5%.

Why do you think Google's numbers are lower than the real total?

-- 
TTFN,
patrick


 On Nov 20, 2012, at 5:31 AM, Aaron Toponce aaron.topo...@gmail.com wrote:
 On Tue, Nov 20, 2012 at 10:14:18AM +0100, Tomas Podermanski wrote:
 It seems that today is a big day for IPv6. It is the very first
 time when native IPv6 on google statistics
 (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
 might say it is tremendous success after 16 years of deploying IPv6 :-)
 
 And given the rate on that graph, we'll hit 2% before year-end 2013.
 
 -- 
 . o .   o . o   . . o   o . .   . o .
 . . o   . o o   o . o   . o o   . . o
 o o o   . o .   . o o   o o .   o o o
 
 

Re: Technical help required to check routing or filtering of Gobal IP routing range: 1.128.0.0 - 1.159.255.255 in the Level 3 Network Space.

[Tom Paseka]

G'day!

On Mon, Nov 19, 2012 at 10:18 PM, Attila Vekas attilave...@gmail.com wrote:

 Regards,

 Attila Vekas

 Telstra

I'd say its AS23148 / Terremark with a bogon filter.

your fixed line traceroute shows the next-hop being the connection
between level3 and AS23148.

10   208 ms   191 ms   208 ms  
l3-peer.eqnx03.pr.telstraglobal.net[134.159.61.6]
11   209 ms   209 ms   209 ms  ae-42-90.car2.SanJose1.Level3.net[4.69.152.196]
12   193 ms   193 ms   193 ms  
DATA-RETURN.car2.SanJose1.Level3.net[4.53.18.134]

Cheers,
Tom

Re: NTP Issues Today

[Leo Bicknell]

In a message written on Mon, Nov 19, 2012 at 04:21:55PM -0700, Van Wolfe wrote:
 Did anyone else experience issues with NTP today?  We had our server
 times update to the year 2000 at around 3:30 MT, then revert back to 2012.

I'm surprised the various time geeks aren't all posting their logs, so
I'll kick off:

/tmp/parse-peerstats.pl peerstats.20121119
56250 76367.354 192.5.41.41 91b4 -378691200.312258363 0.088274002 0.014835425 
0.263515353
56250 77391.354 192.5.41.41 91b4 -378691200.312258363 0.088274002 0.018668790 
0.263749719
56250 78204.354 192.5.41.40 90b4 -378691200.785377324 0.088179350 0.014812585 
0.263668835
56250 78416.355 192.5.41.41 91b4 -378691200.785974681 0.088312507 0.014832943 
0.209966600
56250 79229.355 192.5.41.40 90b4 -378691200.785377324 0.088179350 0.018668723 
378691200.785523713
56250 79442.355 192.5.41.41 91b4 -378691200.785974681 0.088312507 0.018689918 
378691200.786114931

Or in more human readable form:
/tmp/parse-peerstats.pl peerstats.20121119
192.5.41.41 off by -378691200.312258363
192.5.41.41 off by -378691200.312258363
192.5.41.40 off by -378691200.785377324
192.5.41.41 off by -378691200.785974681
192.5.41.40 off by -378691200.785377324
192.5.41.41 off by -378691200.785974681

The script, if you want to run against your own stats:

#!/usr/bin/perl

while () {
  chomp;
  ($day, $second, $addr, $status, $offset, $delay, $disp, $skew) = split;
  if (($offset  10) || ($offset  -10)) {
#print $addr off by $offset\n; # More human friendly
print $_\n;   # Full details
  }
}

It just looks for servers off by more than 10 econds and then prints
the line.  378691200 seconds is ~12 years, which lines up with the
year 2000 dates some are reporting.

The IP's are tick.usno.navy.mil and tock.usno.navy.mil.

I can confirm from my vantage point that tick and tock both went about
12 years wrong on Nov 19th for a bit, I can also report that my NTP
server with sufficient sources correctly determined they were haywire
and ignored them.

If your machines switched dates yesterday it probably means you're
NTP infrastructure is insufficiently peered and diversified.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/


pgp9aMW4WaOuy.pgp
Description: PGP signature

Re: Big day for IPv6 - 1% native penetration

[Mike Jones]

On 20 November 2012 16:05, Patrick W. Gilmore patr...@ianai.net wrote:
 On Nov 20, 2012, at 08:45 , Owen DeLong o...@delong.com wrote:

 It is entirely possible that Google's numbers are artificially low for a 
 number
 of reasons.

 AMS-IX publishes stats too:
 https://stats.ams-ix.net/sflow/

 This is probably a better view of overall percentage on the Internet than a 
 specific company's content.  It shows order of 0.5%.

 Why do you think Google's numbers are lower than the real total?


They are also different stats which is why they give such different numbers.

In a theoretical world with evenly distributed traffic patterns if 1%
of users were IPv6 enabled it would require 100% of content to be IPv6
enabled before your traffic stats would show 1% of traffic going over
IPv6.

If these figures are representative (google saying 1% of users and
AMSIX saying 0.5% of traffic) then it would indicate that dual stacked
users can push ~50% of their traffic over IPv6. If this is even close
to reality then that would be quite an achievement.

- Mike

Re: Big day for IPv6 - 1% native penetration

[Patrick W. Gilmore]

On Nov 20, 2012, at 11:42 , Mike Jones m...@mikejones.in wrote:
 On 20 November 2012 16:05, Patrick W. Gilmore patr...@ianai.net wrote:
 On Nov 20, 2012, at 08:45 , Owen DeLong o...@delong.com wrote:
 
 It is entirely possible that Google's numbers are artificially low for a 
 number
 of reasons.
 
 AMS-IX publishes stats too:
https://stats.ams-ix.net/sflow/
 
 This is probably a better view of overall percentage on the Internet than a 
 specific company's content.  It shows order of 0.5%.
 
 Why do you think Google's numbers are lower than the real total?
 
 
 They are also different stats which is why they give such different numbers.
 
 In a theoretical world with evenly distributed traffic patterns if 1%
 of users were IPv6 enabled it would require 100% of content to be IPv6
 enabled before your traffic stats would show 1% of traffic going over
 IPv6.
 
 If these figures are representative (google saying 1% of users and
 AMSIX saying 0.5% of traffic) then it would indicate that dual stacked
 users can push ~50% of their traffic over IPv6. If this is even close
 to reality then that would be quite an achievement.

There is even more complexity.  Remember the 6-to-4 stuff?  Suppose a user on 
Network A used a tunnel broker on HE, and his traffic passed over AMS-IX 
encapsulated in v4?  He would show up as v4 to AMS-IX and v6 to Google.

Lies, damned lies, and graphs. :)

-- 
TTFN,
patrick

Re: [outages] NTP Issues Today

[Colin Johnston]

On 20 Nov 2012, at 15:38, Jeremy Chadwick j...@koitsu.org wrote:

 I'm still waiting for someone who was affected by this to provide
 coherent logs from ntpd showing exactly when the time change happened.
 Getting these, at least on an *IX system, is far from difficult folks.
 

from firewall ntp logs
Nov 19 09:58:06 [192.168.0.1.128.176] 2012:11:19-09:58:06 ntpd[21385]: ntpd 
exiting on signal 15
Nov 19 09:58:19 [192.168.0.1.128.176] 2012:11:19-09:58:19 selfmonng[3503]: W 
check Failed increment ntpd_running counter 3 - 3
Nov 19 09:58:22 [192.168.0.1.128.176] 2012:11:19-09:58:22 selfmonng[3503]: W 
NOTIFYEVENT Name=ntpd_running Level=INFO Id=147 sent
Nov 19 09:58:22 [192.168.0.1.128.176] 2012:11:19-09:58:22 selfmonng[3503]: W 
triggerAction: 'cmd'
Nov 19 09:58:22 [192.168.0.1.128.176] 2012:11:19-09:58:22 selfmonng[3503]: W 
actionCmd(+):  '/var/mdw/scripts/ntp restart'
Nov 19 09:58:25 [192.168.0.1.128.176] 2012:11:19-09:58:25 ntpd[24120]: ntpd 
4.2.4p8@1.1612-o Tue Feb  2 21:46:54 UTC 2010 (1)
Nov 19 09:58:25 [192.168.0.1.128.176] 2012:11:19-09:58:25 selfmonng[3503]: W 
child returned status: exit='0' signal='0'
Nov 19 09:58:35 [192.168.0.1.128.176] 2012:11:19-09:58:35 ntpd[24121]: kernel 
time sync status change 0001

was sync'd to 84.25.175.98, stratum 2 at the time I believe

Colin

Re: NTP Issues Today

[Steve Meuse]

On Tue, Nov 20, 2012 at 11:38 AM, Leo Bicknell bickn...@ufp.org wrote:


 If your machines switched dates yesterday it probably means you're
 NTP infrastructure is insufficiently peered and diversified.


If you take anything away from this thread, this is it

-Steve

RE: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[George, Wes]

 From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
 
  http://www.theverge.com/2012/11/17/3655442/restoring-verizon-service-m
  anhattan-hurricane-sandy
 

 hey lookie! 'free uprades'!


[WEG] Better that than we're going to replace all of this old technology with 
exactly the same stuff because that's what the standards document says to do 
like happened in the rebuilding efforts for Katrina. I remember someone 
presenting about that rebuilding effort during NANOG years ago, and I asked 
about opportunities for improvement and upgrades and was really depressed at 
the missed opportunity it represented as they confirmed that they were in fact 
laying new copper...

Wes George

This E-mail and any of its attachments may contain Time Warner Cable 
proprietary information, which is privileged, confidential, or subject to 
copyright belonging to Time Warner Cable. This E-mail is intended solely for 
the use of the individual or entity to which it is addressed. If you are not 
the intended recipient of this E-mail, you are hereby notified that any 
dissemination, distribution, copying, or action taken in relation to the 
contents of and attachments to this E-mail is strictly prohibited and may be 
unlawful. If you have received this E-mail in error, please notify the sender 
immediately and permanently delete the original and any copy of this E-mail and 
any printout.

Re: [outages] NTP Issues Today

[Colin Johnston]

no idea, re sigterm cause
checked firewall system logs and could not see cause from that either
times are GMT

Colin

On 20 Nov 2012, at 17:05, Jeremy Chadwick j...@koitsu.org wrote:

 Colin,
 
 Signal 15 = SIGTERM, so something intentionally shut ntpd down on your
 side.  The logs I'd be interested in would be prior to what you've
 provided, i.e. what lead to the SIGTERM.
 
 Also, no timezone is mentioned anywhere in your timestamps, so please
 provide that (UTC offset would be best).
 
 -- 
 | Jeremy Chadwick   j...@koitsu.org |
 | UNIX Systems Administratorhttp://jdc.koitsu.org/ |
 | Mountain View, CA, US|
 | Making life hard for others since 1977. PGP 4BD6C0CB |
 
 On Tue, Nov 20, 2012 at 05:02:06PM +, Colin Johnston wrote:
 
 On 20 Nov 2012, at 15:38, Jeremy Chadwick j...@koitsu.org wrote:
 
 I'm still waiting for someone who was affected by this to provide
 coherent logs from ntpd showing exactly when the time change happened.
 Getting these, at least on an *IX system, is far from difficult folks.
 
 
 from firewall ntp logs
 Nov 19 09:58:06 [192.168.0.1.128.176] 2012:11:19-09:58:06 ntpd[21385]: ntpd 
 exiting on signal 15
 Nov 19 09:58:19 [192.168.0.1.128.176] 2012:11:19-09:58:19 selfmonng[3503]: W 
 check Failed increment ntpd_running counter 3 - 3
 Nov 19 09:58:22 [192.168.0.1.128.176] 2012:11:19-09:58:22 selfmonng[3503]: W 
 NOTIFYEVENT Name=ntpd_running Level=INFO Id=147 sent
 Nov 19 09:58:22 [192.168.0.1.128.176] 2012:11:19-09:58:22 selfmonng[3503]: W 
 triggerAction: 'cmd'
 Nov 19 09:58:22 [192.168.0.1.128.176] 2012:11:19-09:58:22 selfmonng[3503]: W 
 actionCmd(+):  '/var/mdw/scripts/ntp restart'
 Nov 19 09:58:25 [192.168.0.1.128.176] 2012:11:19-09:58:25 ntpd[24120]: ntpd 
 4.2.4p8@1.1612-o Tue Feb  2 21:46:54 UTC 2010 (1)
 Nov 19 09:58:25 [192.168.0.1.128.176] 2012:11:19-09:58:25 selfmonng[3503]: W 
 child returned status: exit='0' signal='0'
 Nov 19 09:58:35 [192.168.0.1.128.176] 2012:11:19-09:58:35 ntpd[24121]: 
 kernel time sync status change 0001
 
 was sync'd to 84.25.175.98, stratum 2 at the time I believe
 
 Colin

Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[Christopher Morrow]

On Tue, Nov 20, 2012 at 11:55 AM, George, Wes wesley.geo...@twcable.com wrote:
 From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
 
  http://www.theverge.com/2012/11/17/3655442/restoring-verizon-service-m
  anhattan-hurricane-sandy
 

 hey lookie! 'free uprades'!


 [WEG] Better that than we're going to replace all of this old technology 
 with exactly the same stuff because that's what the standards document says 
 to do like happened in the rebuilding efforts for Katrina. I remember 
 someone presenting about that rebuilding effort during NANOG years ago, and I 
 asked about opportunities for improvement and upgrades and was really 
 depressed at the missed opportunity it represented as they confirmed that 
 they were in fact laying new copper...

yea. it's acutally kinda nice that at least from CO - building now
there maybe more highspeed links... and maybe lower long term costs?

Also, now VZ can sell the copper to all the rest of us for use in
fiber camouflage!

Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[joel jaeggli]

On 11/20/12 9:10 AM, Christopher Morrow wrote:

On Tue, Nov 20, 2012 at 11:55 AM, George, Wes wesley.geo...@twcable.com wrote:

From: Christopher Morrow [mailto:morrowc.li...@gmail.com]

http://www.theverge.com/2012/11/17/3655442/restoring-verizon-service-m
anhattan-hurricane-sandy


hey lookie! 'free uprades'!


[WEG] Better that than we're going to replace all of this old technology with 
exactly the same stuff because that's what the standards document says to do like 
happened in the rebuilding efforts for Katrina. I remember someone presenting about that 
rebuilding effort during NANOG years ago, and I asked about opportunities for improvement 
and upgrades and was really depressed at the missed opportunity it represented as they 
confirmed that they were in fact laying new copper...

yea. it's acutally kinda nice that at least from CO - building now
there maybe more highspeed links... and maybe lower long term costs?

Also, now VZ can sell the copper to all the rest of us for use in
fiber camouflage!
1200 pair is 5.5lbs per foot.  That's somewhere in the neighborhood of 
$100k per mile at retail scrap prices.

Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[Faisal Imtiaz]

On 11/20/2012 12:10 PM, Christopher Morrow wrote:

it's acutally kinda nice that at least from CO - building now
there maybe more highspeed links... and maybe lower long term costs?



Be careful of what you wish for, Yes, you get fiber from the CO to 
the Building... however there is also a very big side-effect...
Verizon is not obligated to provide equal access to Competitive 
providers (CLECs) on this Fiber


Thus, you are also looking a significantly reduced competition. 
which is very likely to equate to a higher cost for end users.


:)

Faisal Imtiaz
Snappy Internet  Telecom

Re: Big day for IPv6 - 1% native penetration

[TJ]

  On Tue, 20 Nov 2012 10:14:18 +0100
 Tomas Podermanski tpo...@cis.vutbr.cz wrote:

  It seems that today is a big day for IPv6. It is the very first
  time when native IPv6 on google statistics
  (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
  might say it is tremendous success after 16 years of deploying IPv6 :-)
 Funny enough, the peaks are indicating... week-ends !
 Do people use more google during the WE, or do they have more IPv6 @ home ?


 Purely anecdotally, I can say: Yes.
Atleast in my case I have native IPv6 at home and via my mobile devices,
but not at my client sites.
*Sidenote: That's why I am at those client sites, helping 'fix' that. ;) ...
*


/TJ

Re: NTP Issues Today

[Seth Mattinen]

On 11/19/12 6:08 PM, Wallace Keith wrote:
 Just got paged with a pbx alarm that had 1970 as the year. By the time I 
 logged in , it was showing 2012.  Using GPS for time and date. 
 


I use GPS for my NTP server and didn't notice anything, but it's PPS
disciplined after initial sync so it doesn't matter as long as the pulse
keeps going.

ntp0# ntpq -pn
 remote   refid  st t when poll reach   delay   offset
jitter
==
 127.127.1.0 .LOCL.  12 l   10   64  3770.0000.000
 0.015
+216.171.124.36  .ACTS.   1 u  167 1024  377   26.8012.387
 0.015
+127.127.20.0.GPS.0 l   45   64  3770.000   -0.048
 0.015
o127.127.22.0.PPS.0 l   27   64  3770.000   -0.048
 0.015


~Seth

Re: Plages d'adresses IP Orange

[Seth Mattinen]

On 11/19/12 9:16 AM, Jamie Bowden wrote:
 Actually, this is kind of an interesting aside.  Last time I checked, Canada 
 counts as North America and large parts of Quebec are inhabited by folks who 
 don't speak much, if any, English.  Having said that, I can't recall having 
 seen any Quebecois posting in French here, but I find it hard to believe 
 those folks don't have use for a list like this.
 


Quebecois French and French aren't exactly the same. My dad once had to
order le pancakes for breakfast because the waitress didn't understand
le crepes.

~Seth

Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[Christopher Morrow]

On Tue, Nov 20, 2012 at 12:49 PM, Faisal Imtiaz fai...@snappydsl.net wrote:

 On 11/20/2012 12:10 PM, Christopher Morrow wrote:

 it's acutally kinda nice that at least from CO - building now
 there maybe more highspeed links... and maybe lower long term costs?


 Be careful of what you wish for, Yes, you get fiber from the CO to the
 Building... however there is also a very big side-effect...
 Verizon is not obligated to provide equal access to Competitive providers
 (CLECs) on this Fiber

 Thus, you are also looking a significantly reduced competition. which is
 very likely to equate to a higher cost for end users.

right, so in the end vz gets what it wants... a return to monopoly.

conspiracy theories about verizon starting the floods?

AS 2379

[Eric C. Miller]

Does anybody know of a list of BGP communities for AS2379 (EMBARK-WNPK now 
CenturyLink)?



I haven't reached out to Centurylink yet, but I'm used to just finding them 
through Google Searches.





Eric Miller, CCNP

Network Engineering Consultant

(407) 257-5115

Re: Big day for IPv6 - 1% native penetration

[Blair Trosper]

I've found myself becoming a snob about IPv6.  I almost look down on
IPv4-only networks in the same way that I won't go see a film that isn't
projected on DLP unless my arm is twisted.  I'm a convert, and I'm glad to
see the adoption rate edging up.

However, I still scratch my head on why most major US ISPs *have* robust
IPv6 peering and infrastructure and are ready to go, but they have not
turned it on for their fiber/cable/DSL customers for reasons that are not
clear to me.

I keep pestering my home ISP about turning it on (since their network is
now 100% DOCSIS 3), but they just seem to think I'm making up words.  One
can hope, though.

Blair

On Tue, Nov 20, 2012 at 11:53 AM, TJ trej...@gmail.com wrote:

   On Tue, 20 Nov 2012 10:14:18 +0100
  Tomas Podermanski tpo...@cis.vutbr.cz wrote:
 
   It seems that today is a big day for IPv6. It is the very first
   time when native IPv6 on google statistics
   (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
   might say it is tremendous success after 16 years of deploying IPv6 :-)
  Funny enough, the peaks are indicating... week-ends !
  Do people use more google during the WE, or do they have more IPv6 @
 home ?


  Purely anecdotally, I can say: Yes.
 Atleast in my case I have native IPv6 at home and via my mobile devices,
 but not at my client sites.
 *Sidenote: That's why I am at those client sites, helping 'fix' that. ;)
 ...
 *


 /TJ

Re: AS 2379

[Christopher Morrow]

On Tue, Nov 20, 2012 at 1:24 PM, Eric C. Miller e...@ericheather.com wrote:
 Does anybody know of a list of BGP communities for AS2379 (EMBARK-WNPK now 
 CenturyLink)?



 I haven't reached out to Centurylink yet, but I'm used to just finding them 
 through Google Searches.


http://onesc.net/communities/

bgp communities onesc  see AS209.




 Eric Miller, CCNP

 Network Engineering Consultant

 (407) 257-5115

Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[joel jaeggli]

On 11/20/12 10:20 AM, Christopher Morrow wrote:

On Tue, Nov 20, 2012 at 12:49 PM, Faisal Imtiaz fai...@snappydsl.net wrote:

On 11/20/2012 12:10 PM, Christopher Morrow wrote:

it's acutally kinda nice that at least from CO - building now
there maybe more highspeed links... and maybe lower long term costs?


Be careful of what you wish for, Yes, you get fiber from the CO to the
Building... however there is also a very big side-effect...
Verizon is not obligated to provide equal access to Competitive providers
(CLECs) on this Fiber

Thus, you are also looking a significantly reduced competition. which is
very likely to equate to a higher cost for end users.

right, so in the end vz gets what it wants... a return to monopoly.

conspiracy theories about verizon starting the floods?
The pressure on the regulatory front doesn't increase until the pain 
becomes acute...

Re: Big day for IPv6 - 1% native penetration

[Tim Chown]

On 20 Nov 2012, at 16:42, Mike Jones m...@mikejones.in wrote:

 
 If these figures are representative (google saying 1% of users and
 AMSIX saying 0.5% of traffic) then it would indicate that dual stacked
 users can push ~50% of their traffic over IPv6. If this is even close
 to reality then that would be quite an achievement.

Which ties in with the 50% or so figure you can see at 
http://6lab.cisco.com/stats/.

tim

Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[Faisal Imtiaz]

On 11/20/2012 1:20 PM, Christopher Morrow wrote:

On Tue, Nov 20, 2012 at 12:49 PM, Faisal Imtiaz fai...@snappydsl.net wrote:

On 11/20/2012 12:10 PM, Christopher Morrow wrote:

it's acutally kinda nice that at least from CO - building now
there maybe more highspeed links... and maybe lower long term costs?


Be careful of what you wish for, Yes, you get fiber from the CO to the
Building... however there is also a very big side-effect...
Verizon is not obligated to provide equal access to Competitive providers
(CLECs) on this Fiber

Thus, you are also looking a significantly reduced competition. which is
very likely to equate to a higher cost for end users.

right, so in the end vz gets what it wants... a return to monopoly.


conspiracy theories about verizon starting the floods?
No Conspiracy theories... just the simple facts on where things stand, 
based on current regulatory environment.

(I / We have no horse in this race)

Faisal Imtiaz
Snappy Internet  Telecom.

Re: NTP Issues Today

[Leo Bicknell]

After some private replies, I'm going to reply to my own post with
some information here.

It appears many people don't understand how the NTP protocol works.
I suspect many people have configured a primary and a backup
NTP server on many of their devices.  It turns out this is the
_WORST_ possible configuration if you want accurate time:

http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers#Section_5.3.3.

To protect against two falseticking servers (tick and tock, as we saw on
the 19th) you need _FIVE_ servers minimum configured if they are both in
the list.  More importantly, if you want to protect against a source
(GPS, CDMA, IRIG, WWIV, ACTS, etc) false ticking, you need a minimum of
_FOUR_ different source technologies in the list as well.

It's not hard, my box that I posted the logs from peers with 18 servers
using 8 source technologies, all freely available on the Internet...

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/


pgpTEbSQgVa9z.pgp
Description: PGP signature

Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[Jay Ashworth]

- Original Message -
 From: Christopher Morrow morrowc.li...@gmail.com

 On Tue, Nov 20, 2012 at 2:35 AM, Derek Ivey de...@derekivey.com
 wrote:
  I saw this on Reddit and thought it was fascinating. I figured I'd
  share it here too since no one else did.
 
  http://www.theverge.com/2012/11/17/3655442/restoring-verizon-service-manhattan-hurricane-sandy
 
 hey lookie! 'free upgrades'!

Not having yet read the piece, I assume the upgrades are the same thing
that you'd get if you tried, today, to warranty a 5 year old 250GB Seagate
HD: They'd send you a 750G or 1T, simply because they don't have anything 
smaller in stock.  (If your system is embedded, and won't talk to larger
drives, their apologies. :-)

It's likely the same thing happens here: we don't have that older gear,
so you get the newer stuff with our compliments.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274

NTP problems - (one) root cause

[Jay Ashworth]

A subscriber to Outages who wishes to remain nameless passes along the
pointer to this story: Apparently, either tick or tock got rebooted 
yesterday, and came up with its local clock set to 2000.  And lots of
people believed it.

  https://isc.sans.edu/diary.html?nstoryid=14548

Did you believe it?  Why?

(Yes, those are just rhetorical questions, intended to make people examine
their NTP architecture more closely.  :-)

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274

Re: NTP Issues Today

[Jay Ashworth]

- Original Message -
 From: Leo Bicknell bickn...@ufp.org

 To protect against two falseticking servers (tick and tock, as we saw on
 the 19th) you need _FIVE_ servers minimum configured if they are both in
 the list. More importantly, if you want to protect against a source
 (GPS, CDMA, IRIG, WWIV, ACTS, etc) false ticking, you need a minimum of
 _FOUR_ different source technologies in the list as well.
 
 It's not hard, my box that I posted the logs from peers with 18
 servers using 8 source technologies, all freely available on the Internet...

I'm curious, Leo, what your internal setup looks like.  Do you have an
internal pair of masters, all slaved to those externals and one another, 
with your machines homed to them?  Full mesh?  Or something else?

In my last big gig, it was recommended to me that I have all the machines 
which had to speak to my DBMS NTP *to it*, and have only it connect to the
rest of my NTP infrastructure.  It coming unstuck was of less operational
impact than *pieces of it* going out of sync with one another...

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274

Re: NTP Issues Today

[Jared Mauch]

On Nov 20, 2012, at 2:28 PM, Jay Ashworth j...@baylink.com wrote:

 - Original Message -
 From: Leo Bicknell bickn...@ufp.org
 
 To protect against two falseticking servers (tick and tock, as we saw on
 the 19th) you need _FIVE_ servers minimum configured if they are both in
 the list. More importantly, if you want to protect against a source
 (GPS, CDMA, IRIG, WWIV, ACTS, etc) false ticking, you need a minimum of
 _FOUR_ different source technologies in the list as well.
 
 It's not hard, my box that I posted the logs from peers with 18
 servers using 8 source technologies, all freely available on the Internet...
 
 I'm curious, Leo, what your internal setup looks like.  Do you have an
 internal pair of masters, all slaved to those externals and one another, 
 with your machines homed to them?  Full mesh?  Or something else?
 
 In my last big gig, it was recommended to me that I have all the machines 
 which had to speak to my DBMS NTP *to it*, and have only it connect to the
 rest of my NTP infrastructure.  It coming unstuck was of less operational
 impact than *pieces of it* going out of sync with one another...


here's a sample ntp config from one of my systems.

-- snip --
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.fedora.pool.ntp.org
server 1.fedora.pool.ntp.org
server 2.fedora.pool.ntp.org
server 3.fedora.pool.ntp.org

#
server 0.us.pool.ntp.org iburst maxpoll 9
server 1.us.pool.ntp.org iburst maxpoll 9
server 2.us.pool.ntp.org iburst maxpoll 9
server 129.250.35.250 iburst maxpoll 9
server 129.250.35.251 iburst maxpoll 9

-- snip --

You can audit its operation like this:

nat:~$ ntpq -p -n -c ass
 remote   refid  st t when poll reach   delay   offset  jitter
==
-129.250.35.250  164.244.221.197  2 u   68  512  377   19.248   -0.135   3.195
+129.250.35.251  192.5.41.40  2 u  439  512  377   41.8171.109  15.660
-206.57.44.17204.123.2.5  2 u  126  512  377   37.133   -6.443   9.631
+4.53.160.75 209.81.9.7   2 u   48  512  377   25.2091.551   8.804
-64.73.32.135192.5.41.41  2 u  349  512  377   23.418   -0.703   1.721
*50.116.38.157   64.250.177.145   2 u  380  512  377   43.0211.267   2.136
+208.87.221.228  10.0.22.49   2 u  517  512  377   92.0000.974   0.678
-206.212.242.132 128.252.19.1 2 u  323  512  377   21.781   -2.873   1.304
+38.229.71.1 204.123.2.72 2 u  211  512  377   21.977   -0.055   2.274

ind assid status  conf reach auth condition  last_event cnt
===
  1 39973  931a   yes   yes  none   outlyersys_peer  1
  2 39974  941a   yes   yes  none candidatesys_peer  1
  3 39975  9324   yes   yes  none   outlyer   reachable  2
  4 39976  942a   yes   yes  none candidatesys_peer  2
  5 39977  931a   yes   yes  none   outlyersys_peer  1
  6 39978  961a   yes   yes  none  sys.peersys_peer  1
  7 39979  9414   yes   yes  none candidate   reachable  1
  8 39980  931a   yes   yes  none   outlyersys_peer  1
  9 39981  941a   yes   yes  none candidatesys_peer  1


What you would have seen is a falseticker from the impacted clocks.

This is a fairly reasonable setup.

I've also been looking at an item like this:

http://www.netburnerstore.com/ProductDetails.asp?ProductCode=PK70EX-NTP

which is about $300 + misc parts.

Should be well worth it to avoid a 'major outage' that some folks had with 
needing to reboot their servers, etc.

- Jared

RE: Big day for IPv6 - 1% native penetration

[Tony Hain]

Mike Jones wrote:
 
 On 20 November 2012 16:05, Patrick W. Gilmore patr...@ianai.net wrote:
  On Nov 20, 2012, at 08:45 , Owen DeLong o...@delong.com wrote:
 
  It is entirely possible that Google's numbers are artificially low
  for a number of reasons.
 
  AMS-IX publishes stats too:
  https://stats.ams-ix.net/sflow/
 
  This is probably a better view of overall percentage on the Internet than a
 specific company's content.  It shows order of 0.5%.
 
  Why do you think Google's numbers are lower than the real total?
 
 
 They are also different stats which is why they give such different numbers.
 
 In a theoretical world with evenly distributed traffic patterns if 1% of users
 were IPv6 enabled it would require 100% of content to be IPv6 enabled
 before your traffic stats would show 1% of traffic going over IPv6.
 
 If these figures are representative (google saying 1% of users and AMSIX
 saying 0.5% of traffic) then it would indicate that dual stacked users can 
 push
 ~50% of their traffic over IPv6. If this is even close to reality then that 
 would
 be quite an achievement.

If you assume that Youtube/Facebook/Netflix are 50% of the overall traffic, why 
wouldn't a dual stacked end point have half of its traffic as IPv6 after June???

Tony

Re: Big day for IPv6 - 1% native penetration

[Harald Koch]

While looking into the NTP chaos from Monday, I noticed that my personal
servers have an NTP peer running IPv6.

I have no idea how long that's been going on - it was a complete non-event
;).

-- 
Harald

Re: Big day for IPv6 - 1% native penetration

[Tomas Podermanski]

Hi,

On 11/20/12 7:24 PM, Blair Trosper wrote:
 I've found myself becoming a snob about IPv6.  I almost look down on
 IPv4-only networks in the same way that I won't go see a film that isn't
 projected on DLP unless my arm is twisted.  I'm a convert, and I'm glad to
 see the adoption rate edging up.

 However, I still scratch my head on why most major US ISPs *have* robust
 IPv6 peering and infrastructure and are ready to go, but they have not
 turned it on for their fiber/cable/DSL customers for reasons that are not
 clear to me.

Turning IPv6 on at the basic/core of the infrastructure is the easiest
part of the
job. However turning IPv6 for customers requires a lot of effort and
compromises. Some of the reasons are described in:   

http://6lab.cz/article/deploying-ipv6-practical-problems-from-the-campus-perspective/

and related presentation:

http://6lab.cz/wordpress/wp-content/uploads/2012/05/tnc2012_slides_TncPresentation.pdf


Tomas

Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[Christopher Morrow]

On Tue, Nov 20, 2012 at 1:48 PM, Faisal Imtiaz fai...@snappydsl.net wrote:

 On 11/20/2012 1:20 PM, Christopher Morrow wrote:

 On Tue, Nov 20, 2012 at 12:49 PM, Faisal Imtiaz fai...@snappydsl.net
 wrote:

 On 11/20/2012 12:10 PM, Christopher Morrow wrote:

 it's acutally kinda nice that at least from CO - building now
 there maybe more highspeed links... and maybe lower long term costs?

 Be careful of what you wish for, Yes, you get fiber from the CO to
 the
 Building... however there is also a very big side-effect...
 Verizon is not obligated to provide equal access to Competitive providers
 (CLECs) on this Fiber

 Thus, you are also looking a significantly reduced competition. which
 is
 very likely to equate to a higher cost for end users.

 right, so in the end vz gets what it wants... a return to monopoly.


 conspiracy theories about verizon starting the floods?

 No Conspiracy theories... just the simple facts on where things stand, based
 on current regulatory environment.
 (I / We have no horse in this race)

apologies, I forgot the emoticons after my last comment. i really did
mean it in jest... I don't think VZ has harnessed
weather-changing-powers. (yet).

Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[Faisal Imtiaz]

On 11/20/2012 2:58 PM, Christopher Morrow wrote:

On Tue, Nov 20, 2012 at 1:48 PM, Faisal Imtiaz fai...@snappydsl.net wrote:

On 11/20/2012 1:20 PM, Christopher Morrow wrote:

On Tue, Nov 20, 2012 at 12:49 PM, Faisal Imtiaz fai...@snappydsl.net
wrote:

On 11/20/2012 12:10 PM, Christopher Morrow wrote:

it's acutally kinda nice that at least from CO - building now
there maybe more highspeed links... and maybe lower long term costs?


Be careful of what you wish for, Yes, you get fiber from the CO to
the
Building... however there is also a very big side-effect...
Verizon is not obligated to provide equal access to Competitive providers
(CLECs) on this Fiber

Thus, you are also looking a significantly reduced competition. which
is
very likely to equate to a higher cost for end users.

right, so in the end vz gets what it wants... a return to monopoly.


conspiracy theories about verizon starting the floods?

No Conspiracy theories... just the simple facts on where things stand, based
on current regulatory environment.
(I / We have no horse in this race)

apologies, I forgot the emoticons after my last comment. i really did
mean it in jest... I don't think VZ has harnessed
weather-changing-powers. (yet).


No Worries, some of us here are players in the arena, and some of us are 
spectators
it is going to be interesting and fascinating at the same time to see 
how things develop.


Faisal Imtiaz

Re: NTP Issues Today

[Leo Bicknell]

In a message written on Tue, Nov 20, 2012 at 02:28:19PM -0500, Jay Ashworth 
wrote:
 I'm curious, Leo, what your internal setup looks like.  Do you have an
 internal pair of masters, all slaved to those externals and one another, 
 with your machines homed to them?  Full mesh?  Or something else?

My particular internal setup is a tad weird, and so rather than
answer your question, I'm going to answer with some generalities.
The right answer of course depends a lot on how important it is
that boxes have the right time.

If you have 4 or more physical sites, I believe the right answer
is to have on the order of 8 NTP servers.  2 each in 4 sites reaches
the minimum nicely with redundancy.  These boxes can have GPS, CDMA
or other technologies if you want, but MUST peer with at least 10
stratum-1 sources outside of your network.  Of course if you have
more sites, one server in each of 8 sites is peachy.  Those on a
budget could probably get by with 4 servers total, but never less!

All critical devices should then be synced to the full set of
internal servers.  4 boxes minimum, 8-10 preferred.  NTP will only
use the 10 best servers in it's calculations, so there is a steep
dropoff of diminishing returns beyond 10.  For most ISP's I would
include all routers in this list.

For the  non-critical devices?  Well, there it gets more complex.
For most I would only configure one server, their default gateway
router.  Of course, pushing out a set of 4+ to themm if that is
easy is a great thing to do.

The interesting thing here is that no devices except for your NTP
servers should ever peer with anything outside of your network.
Why?  Let's say your NTP servers all go crazy together.  The outside
world is cut off, GPS is spoofed, the world is ending.  All that
you have left is that all of your devices are in time to each
otherso at least your logs still coorelate and such.  So having
every device under your master set of NTP servers is important.
One guy with an external peer may choose to use that, and leave the
hive mind, so to speak.

For small players, less than 4 sites, typically just use the NTP
pool servers, configuring 4 per box minimum.  If you want the same
protection I just outlined in the paragraph before, make 4 of your
servers talk to the outside world, and make everything else talk
to those.  Want to give back to the community?  Get a GPS/CDMA/Whatever
box and make it part of the NTP pool.  Want to step up your game (which
is what I do), reach out to various Stratum-1's on the net (or find
free, open ones) and peer up 8-20 of them.

 In my last big gig, it was recommended to me that I have all the machines 
 which had to speak to my DBMS NTP *to it*, and have only it connect to the
 rest of my NTP infrastructure.  It coming unstuck was of less operational
 impact than *pieces of it* going out of sync with one another...

Yep, a prime example of the scenario I described above.  Depending on
your level of network redundancy, number of NTP servers, and so on, this
is a fine solution.  With one NTP server (the DBMS) the downstream will
always use it, and stay in sync.  It's a valid and good config in many
situations.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/


pgpkzZWO3GDPn.pgp
Description: PGP signature

Re: The Verge article about Verizon's Sandy Cleanup Efforts in Manhattan

[Miles Fidelman]

Christopher Morrow wrote:
apologies, I forgot the emoticons after my last comment. i really did 
mean it in jest... I don't think VZ has harnessed 
weather-changing-powers. (yet). 


Well, they ARE The Phone Company!

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: NTP Issues Today

[George Herbert]

On Nov 20, 2012, at 11:39 AM, Jared Mauch ja...@puck.nether.net wrote:
.
 
 I've also been looking at an item like this:
 
 http://www.netburnerstore.com/ProductDetails.asp?ProductCode=PK70EX-NTP
 
 which is about $300 + misc parts.
 
 Should be well worth it to avoid a 'major outage' that some folks had with 
 needing to reboot their servers, etc.
 
 - Jared


Caution - that Netburner decice is just GPS synced, so if GPS ever does go 
insane you're out of luck.  It doesn't list a precision internal clock part.

I am not sure what all is in the dev kit version, but I know the company owner 
and can ask if anyone cares.




George William Herbert
Sent from my iPhone

Re: NTP Issues Today

[Darius Jahandarie]

On Tue, Nov 20, 2012 at 3:15 PM, Leo Bicknell bickn...@ufp.org wrote:
 For small players, less than 4 sites, typically just use the NTP
 pool servers, configuring 4 per box minimum.  If you want the same
 protection I just outlined in the paragraph before, make 4 of your
 servers talk to the outside world, and make everything else talk
 to those.  Want to give back to the community?  Get a GPS/CDMA/Whatever

Choosing the first four servers is usually pretty straightforward:
*.CC.pool.ntp.org

But beyond that, I'm honestly rather curious what server selections
are a good idea. A first thought would be an adjacent country, but
maybe there is a benefit to picking things outside of the pool.ntp.org
selection entirely?

I see that Jared used *.fedora.pool.ntp.org -- I wonder if there was a
specific reason for that or if my questions are even worth thinking
about at all :-).


Happy to hear thoughts.

-- 
Darius Jahandarie

Re: NTP Issues Today

[Mike Lyon]

I usually use time.nist.gov.

On Tue, Nov 20, 2012 at 1:00 PM, Darius Jahandarie djahanda...@gmail.comwrote:

 On Tue, Nov 20, 2012 at 3:15 PM, Leo Bicknell bickn...@ufp.org wrote:
  For small players, less than 4 sites, typically just use the NTP
  pool servers, configuring 4 per box minimum.  If you want the same
  protection I just outlined in the paragraph before, make 4 of your
  servers talk to the outside world, and make everything else talk
  to those.  Want to give back to the community?  Get a GPS/CDMA/Whatever

 Choosing the first four servers is usually pretty straightforward:
 *.CC.pool.ntp.org

 But beyond that, I'm honestly rather curious what server selections
 are a good idea. A first thought would be an adjacent country, but
 maybe there is a benefit to picking things outside of the pool.ntp.org
 selection entirely?

 I see that Jared used *.fedora.pool.ntp.org -- I wonder if there was a
 specific reason for that or if my questions are even worth thinking
 about at all :-).


 Happy to hear thoughts.

 --
 Darius Jahandarie




-- 
Mike Lyon
408-621-4826
mike.l...@gmail.com

http://www.linkedin.com/in/mlyon

RE: [outages] NTP Issues Today

[R. Benjamin Kessler]

Logs from a Juniper router in a customer network - we had hundreds of these 
affected.  They all synchronize to internal hosts (172.20.167.251 and .252) 
which are configured to get time from  NIST and USNO  

CORP-NTP-01#sh ntp as

  address ref clock st  when  poll reach  delay  offsetdisp
*~192.5.41.41  .IRIG.1   354   512  37734.20.36 1.4
+~132.163.4.101.ACTS.1   336   512  37735.0   -2.5418.7
 ~127.127.7.1  127.127.7.1  105964  377 0.00.00 0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

CORP-NTP-02#sh ntp as

  address ref clock st  when  poll reach  delay  offsetdisp
*~192.5.41.41  .IRIG.165   512  37736.50.91 0.6
+~132.163.4.101.ACTS.195   512  37734.3   -1.3122.8
 ~127.127.7.1  127.127.7.1  104464  377 0.00.00 0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Here are the logs from one of the Junipers:

Nov 19 14:24:48   xntpd[912]: kernel time sync enabled 2001
Nov 19 15:50:11   xntpd[912]: synchronized to 172.20.167.252, stratum=2
Nov 19 16:41:23   xntpd[912]: no servers reachable
Nov 19 16:44:24   xntpd[912]: synchronized to 172.20.167.251, stratum=2
Nov 19 16:44:24   xntpd[912]: time correction of -378691200 seconds exceeds 
sanity limit (1000); set clock manually to the correct UTC time.
Nov 19 16:44:24   init: ntp (PID 912) exited with status=255
Nov 19 16:44:24   init: ntp (PID 70200) started
Nov 19 16:44:24   xntpd[70200]: ntpd 4.2.0-a Sat Apr 10 00:32:46 UTC 2010 
(1)
Nov 19 16:44:24   xntpd[70200]: mlockall(): Resource temporarily unavailable
Nov 19 16:44:24   xntpd[70200]: precision = 0.582 usec
Nov 19 16:44:24   xntpd[70200]: Listening on interface ggsn_vpn, 
128.0.0.1#123
Nov 19 16:44:24   xntpd[70200]: kernel time sync status 2040
Nov 19 16:44:24   xntpd[70200]: frequency initialized -64.931 PPM from 
/var/db/ntp.drift
Nov 19 16:44:24   xntpd[70200]: Configuring iburst flag for server
Nov 19 16:44:24   xntpd[70200]: Configuring iburst flag for server
Nov 19 16:44:33   xntpd[70200]: synchronized to 172.20.167.251, stratum=2
Nov 19 16:44:32   xntpd[70200]: time reset -378691200.411331 s
Nov 19 16:44:32   xntpd[70200]: kernel time sync disabled 2041
Nov 19 16:45:44   xntpd[70200]: synchronized to 172.20.167.251, stratum=2
Nov 19 16:45:51   xntpd[70200]: kernel time sync enabled 2001
Nov 19 16:45:56   xntpd[70200]: NTP Server Unreachable
Nov 19 16:53:25   xntpd[70200]: no servers reachable
Nov 19 17:03:09   xntpd[70200]: NTP Server Unreachable
Nov 19 17:13:00   xntpd[70200]: NTP Server Unreachable
Nov 19 17:20:27   xntpd[70200]: synchronized to 172.20.167.252, stratum=2
Nov 19 17:20:27   xntpd[70200]: time correction of 378691200 seconds 
exceeds sanity limit (1000); set clock manually to the correct UTC time.
Nov 19 17:20:27   init: ntp (PID 70200) exited with status=255
Nov 19 17:20:27   init: ntp (PID 70766) started
Nov 19 17:20:27   xntpd[70766]: ntpd 4.2.0-a Sat Apr 10 00:32:46 UTC 2010 
(1)
Nov 19 17:20:27   xntpd[70766]: mlockall(): Resource temporarily unavailable
Nov 19 17:20:27   xntpd[70766]: precision = 0.570 usec
Nov 19 17:20:27   xntpd[70766]: Listening on interface ggsn_vpn, 
128.0.0.1#123
Nov 19 17:20:27   xntpd[70766]: kernel time sync status 2040
Nov 19 17:20:27   xntpd[70766]: frequency initialized -64.931 PPM from 
/var/db/ntp.drift
Nov 19 17:20:27   xntpd[70766]: Configuring iburst flag for server
Nov 19 17:20:27   xntpd[70766]: Configuring iburst flag for server
Nov 19 17:20:35   xntpd[70766]: synchronized to 172.20.167.252, stratum=2
Nov 19 17:20:36   xntpd[70766]: time reset +378691200.387434 s
Nov 19 17:20:36   xntpd[70766]: kernel time sync disabled 6041
Nov 19 17:21:48   xntpd[70766]: synchronized to 172.20.167.252, stratum=2
Nov 19 17:21:48   xntpd[70766]: kernel time sync disabled 2041
Nov 19 17:21:52   xntpd[70766]: kernel time sync enabled 2001
Nov 20 00:02:29   xntpd[70766]: synchronized to 172.20.167.251, stratum=2
Nov 20 01:44:56   xntpd[70766]: kernel time sync enabled 6001
Nov 20 02:19:03   xntpd[70766]: kernel time sync enabled 2001
Nov 20 02:53:12   xntpd[70766]: kernel time sync enabled 6001
Nov 20 03:44:26   xntpd[70766]: kernel time sync enabled 2001
Nov 20 05:26:58   xntpd[70766]: kernel time sync enabled 6001
Nov 20 05:44:02   xntpd[70766]: kernel time sync enabled 2001
Nov 20 07:43:35   xntpd[70766]: kernel time sync enabled 6001
Nov 20 08:00:39   xntpd[70766]: kernel time sync enabled 2001
Nov 20 08:34:48   xntpd[70766]: kernel time sync enabled 6001
Nov 20 08:51:54   xntpd[70766]: kernel time sync enabled 2001
Nov 20 10:34:22   xntpd[70766]: synchronized to 

Re: NTP Issues Today

[Jared Mauch]

On Nov 20, 2012, at 4:00 PM, Darius Jahandarie djahanda...@gmail.com wrote:

 Choosing the first four servers is usually pretty straightforward:
 *.CC.pool.ntp.org
 
 But beyond that, I'm honestly rather curious what server selections
 are a good idea. A first thought would be an adjacent country, but
 maybe there is a benefit to picking things outside of the pool.ntp.org
 selection entirely?
 
 I see that Jared used *.fedora.pool.ntp.org -- I wonder if there was a
 specific reason for that or if my questions are even worth thinking
 about at all :-).

I'm by no means a time geek, but …. i have some ideas about what you want and 
can tell you why I picked the settings I did…

1) The 129.250 ones are my employer run clocks.  It is a good idea to know how 
accurate they are.

2) The pool ones, some were default (e.g.: fedora) from my OS distro on the 
machine I took the example from.  You will see freebsd, centOS and others based 
on your settings.  You may even see time.apple.com if you are MacOS.

3) CC ntp pool were selected to provide additional clock diversity.

4) You want low jitter to your clocks.  This will allow you to have an accurate 
timing source.  This means don't congest that path.  If you want something very 
reliable, don't run it on a server with the other misc functions you need 
(e.g.: DNS, etc).  If it's important, dedicate some hardware to it.  if it is 
of passing importance, use a fair number of peers.

I was playing with the OWAMP software.  Having consistent clocks is important 
for that, (even if they are all off by a few ms). It can be fun to play with 
and measure things… http://www.internet2.edu/performance/owamp/index.html

5) Monitor your NTP setup periodically.  You may see clocks be rejected or 
outliers.  Depending on how close your clocks are, you may see a fair number be 
unusable.  Take this output:

nat:~$ ntpq -n -p -c ass
 remote   refid  st t when poll reach   delay   offset  jitter
==
*129.250.35.250  164.244.221.197  2 u  507  512  377   18.8830.196  18.311
+129.250.35.251  209.51.161.238   2 u  366  512  377   41.3490.429   2.184
-206.57.44.17204.123.2.5  2 u   91  512  377   35.884   -5.982   7.099
-4.53.160.75 209.81.9.7   2 u5  512  377   24.2501.522   1.353
+64.73.32.135164.67.62.1942 u  296  512  377   26.405   -0.956  11.244
+50.116.38.157   64.250.177.145   2 u  897 1024  377   42.9780.685   1.211
-208.87.221.228  10.0.22.51   2 u  390  512  377   83.858   -2.717   0.814
-206.212.242.132 128.252.19.1 2 u  262  512  377   22.278   -1.640   1.150
+38.229.71.1 204.123.2.72 2 u   95  512  377   20.6880.113   1.878

ind assid status  conf reach auth condition  last_event cnt
===
  1 39973  961a   yes   yes  none  sys.peersys_peer  1
  2 39974  941a   yes   yes  none candidatesys_peer  1
  3 39975  9324   yes   yes  none   outlyer   reachable  2
  4 39976  932a   yes   yes  none   outlyersys_peer  2
  5 39977  941a   yes   yes  none candidatesys_peer  1
  6 39978  941a   yes   yes  none candidatesys_peer  1
  7 39979  9314   yes   yes  none   outlyer   reachable  1
  8 39980  931a   yes   yes  none   outlyersys_peer  1
  9 39981  941a   yes   yes  none candidatesys_peer  1

Only 5/9 clocks are 'candidate' for usage, or the actual reference clock.  The 
jitter on the reference clock is equal to the delay (!).  This is on a business 
class internet link/tier, but from one of the 'usual suspects' that offers 
residential services as well.  I haven't been able to find them operating any 
customer accessible clocks, but they may exist.

My config, or one resembling it will give you a fair amount of diversity of 
clocks.  Syncing to one can easily result in being lied to and resetting the 
clock as everyone observed that went back to 2000.

- Jared

Picking outside NTP servers (Re: NTP Issues Today)

[Jay Ashworth]

- Original Message -
 From: Darius Jahandarie djahanda...@gmail.com

 Choosing the first four servers is usually pretty straightforward:
 *.CC.pool.ntp.org
 
 But beyond that, I'm honestly rather curious what server selections
 are a good idea. A first thought would be an adjacent country, but
 maybe there is a benefit to picking things outside of the pool.ntp.org
 selection entirely?
 
 I see that Jared used *.fedora.pool.ntp.org -- I wonder if there was a
 specific reason for that or if my questions are even worth thinking
 about at all :-).

Ah; the question that has plagued mankind since the beginning of.. time.

:-)

There are a couple of documents on this topic at ntp.org, and there's the
traditional list -- of questionable accuracy at this point -- of open-acess
Strat 1 and 2 servers.

For myself, I usually pick the first three in us.pool.ntp.org, tick and tock,
time.nist.gov, and a couple of regionally appropriate large universities.

I have always aimed for 6 to 8 outside servers, and a pair inside,
preferably in different locations, both talking to one another.

If your site is in Internet Business, you should probably peer with 
your business partners.  If you deal with Google Docs or AWS, you should
probably peer with them, if they have servers for that.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274

Re: Picking outside NTP servers (Re: NTP Issues Today)

[George Herbert]

On Tue, Nov 20, 2012 at 1:53 PM, Jay Ashworth j...@baylink.com wrote:

 For myself, I usually pick the first three in us.pool.ntp.org, tick and tock,
 time.nist.gov, and a couple of regionally appropriate large universities.

As this week indicated, perhaps tick and tock are not sufficiently far
apart to be a good redundancy choice from a geographical failover
point of view or common mode failure point of view.

As part of a set of 8 servers as you indicate later, perhaps ok, but I
fear for people who think Ok, I want redundancy, so... Tick and
Tock.  Which, it turns out, was significant quantities.

-- 
-george william herbert
george.herb...@gmail.com

Re: Brasil/Mexico/Argentina connectivity

[Eduardo Casarero]

El jueves, 15 de noviembre de 2012 01:05:37 p.m., Jima escribió:

On Wednesday, November 14th, 2012, Olivier CALVANO wrote:

I am search one or more carrier for connect 3 sites in Brasil, Mexico
and Argentina to one of our pop
in USA or Spain.


  I don't deal with it directly, but my employer has used MPLS offerings
from (in alphabetical order) BT, Level 3/Global Crossing, and Verizon in
a number of countries.  I suspect any of the three have access in all of
the countries listed.  I imagine there are others, but those are the ones
that sprung to mind.

  Jima




I think Level3 is your best, as L3 bought Globalcrossing. Here in 
Argentina L3 has heavy weight in the carriers market, also in Brazil. 
What i dont know is in Mexico.

Re: Plages d'adresses IP Orange

[Mark Andrews]

In message 50abc681.5040...@rollernet.us, Seth Mattinen writes:
 On 11/19/12 9:16 AM, Jamie Bowden wrote:
  Actually, this is kind of an interesting aside.  Last time I checked, Canad
 a counts as North America and large parts of Quebec are inhabited by folks wh
 o don't speak much, if any, English.  Having said that, I can't recall having
  seen any Quebecois posting in French here, but I find it hard to believe tho
 se folks don't have use for a list like this.
  
 
 
 Quebecois French and French aren't exactly the same. My dad once had to
 order le pancakes for breakfast because the waitress didn't understand
 le crepes.

Well pancakes are not crepes.  Different receipe, different appearance,
different texture, similar taste.

If you ask for something that is not on the menu 

 ~Seth
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Picking outside NTP servers (Re: NTP Issues Today)

[Majdi S. Abbas]

On Tue, Nov 20, 2012 at 04:53:39PM -0500, Jay Ashworth wrote:
 For myself, I usually pick the first three in us.pool.ntp.org, tick and tock,
 time.nist.gov, and a couple of regionally appropriate large universities.

I'd advise going through the RR for a while, and pick servers
close to you.  ntpd won't select a server that's more than 128ms away.
It also degrades accuracy.  Select for minimum latency, as well as
a diverse set of sources.  [Watch their refid over time, and make sure
they aren't slaving to the same set of servers, as well as others
you may be using.]

It requires a bit of effort, but over time you get an idea what
public time servers are close to each of your locations, and diverse
from each other.

--msa

Re: Plages d'adresses IP Orange

[Seth Mattinen]

On 11/20/12 3:19 PM, Mark Andrews wrote:
 In message 50abc681.5040...@rollernet.us, Seth Mattinen writes:
 On 11/19/12 9:16 AM, Jamie Bowden wrote:
 Actually, this is kind of an interesting aside.  Last time I checked, Canad
 a counts as North America and large parts of Quebec are inhabited by folks wh
 o don't speak much, if any, English.  Having said that, I can't recall having
  seen any Quebecois posting in French here, but I find it hard to believe tho
 se folks don't have use for a list like this.



 Quebecois French and French aren't exactly the same. My dad once had to
 order le pancakes for breakfast because the waitress didn't understand
 le crepes.
 
 Well pancakes are not crepes.  Different receipe, different appearance,
 different texture, similar taste.
 
 If you ask for something that is not on the menu 
 


No, this was the Quebecois waitress not understanding the French word,
not semantics. It's probably illegal to print the word pancake in
Quebec anyway.

~Seth

Re: NTP Issues Today

[Jimmy Hess]

On 11/19/12, Van Wolfe vanwo...@gmail.com wrote:
 Did anyone else experience issues with NTP today?  We had our server
 times update to the year 2000 at around 3:30 MT, then revert back to 2012.

Are you sure that you are actually using NTP to set your clock?
For you to sync with 2000,  you should have had multiple confused
peers from multiple time sources;  possibly a false radio signal

NTP by default has a panic threshold of 1000 seconds.

This  _should_   have caused NTP to execute a panic shutdown,
instead of setting the clock back  30 million seconds.


 Thanks,
 Van
--
-JH

Re: NTP Issues Today

[Darius Jahandarie]

On Tue, Nov 20, 2012 at 7:49 PM, Jimmy Hess mysi...@gmail.com wrote:
 Are you sure that you are actually using NTP to set your clock?
 For you to sync with 2000,  you should have had multiple confused
 peers from multiple time sources;  possibly a false radio signal

 NTP by default has a panic threshold of 1000 seconds.

 This  _should_   have caused NTP to execute a panic shutdown,
 instead of setting the clock back  30 million seconds.

For VMWare at least, their official recommendation[1] for NTP is to

tinker panic 0

for suspend/resume reasons. I've seen it default in some places.

[1] 
http://kb.vmware.com/selfservice/microsites/search.do?language=en_UScmd=displayKCexternalId=1006427

-- 
Darius Jahandarie

Re: NTP Issues Today

[Damian Menscher]

On Tue, Nov 20, 2012 at 4:49 PM, Jimmy Hess mysi...@gmail.com wrote:

 On 11/19/12, Van Wolfe vanwo...@gmail.com wrote:
  Did anyone else experience issues with NTP today?  We had our server
  times update to the year 2000 at around 3:30 MT, then revert back to
 2012.

 Are you sure that you are actually using NTP to set your clock?
 For you to sync with 2000,  you should have had multiple confused
 peers from multiple time sources;  possibly a false radio signal

 NTP by default has a panic threshold of 1000 seconds.

 This  _should_   have caused NTP to execute a panic shutdown,
 instead of setting the clock back  30 million seconds.


From logs various people have posted, it appears NTPd saw the excessive
time shift and took the reasonable(?) step of killing itself.  The OS
detected ntpd's death and took the reasonable step of restarting it.  On
startup, ntpd can be reasonably(?) configured with the -g option to bypass
the 1000s limit to set the starting time before going into the regular ntpd
time adjustment code.

In this case that would have set them back to 2000

It's a good lesson on how a chain of reasonable decisions can lead to a bad
outcome, so you really need to understand the interactions of the whole
system.

Damian

Re: NTP Issues Today

[Alvaro Pereira]

Looks like something bad has happened:
Behind the Random NTP Bizarreness of Incorrect Year Being Set
https://isc.sans.edu/diary.html?nstoryid=14548

---
A few people have written in within the past 18 hours about their NTP
server/clients getting set to the year 2000.  The cause of this behavior is
that an NTP server at the US Naval Observatory (pretty much the
authoritative time source in the US) was rebooted and somehow reverted to
the year 2000.  This, then, propogated out for a limited time and
downstream time sources also got this value.  It's a transient problem and
should already be rectified.  Not much really to report except an error at
the top of the food chain causing problems to the layers below.  If you
have a problem, just fix the year or resync your NTP server.

Just goes to show how reliant NTP is that it is all but a fire and forget
service once configured until bad things happen. John Bambenek

---


Alvaro Pereira

Re: NTP Issues Today

[Blake Dunlap]

That's what happens when you just follow vendor recommendations blindly. If
you do follow that on vm's (which can actually be a good practice), make
sure they pull from your own time infrastructure, and not just the world at
large, and that those servers behave in a sane fashion with regard to time
jumps.


On Tue, Nov 20, 2012 at 6:56 PM, Darius Jahandarie djahanda...@gmail.comwrote:

 On Tue, Nov 20, 2012 at 7:49 PM, Jimmy Hess mysi...@gmail.com wrote:
  Are you sure that you are actually using NTP to set your clock?
  For you to sync with 2000,  you should have had multiple confused
  peers from multiple time sources;  possibly a false radio signal
 
  NTP by default has a panic threshold of 1000 seconds.
 
  This  _should_   have caused NTP to execute a panic shutdown,
  instead of setting the clock back  30 million seconds.

 For VMWare at least, their official recommendation[1] for NTP is to

 tinker panic 0

 for suspend/resume reasons. I've seen it default in some places.

 [1]
 http://kb.vmware.com/selfservice/microsites/search.do?language=en_UScmd=displayKCexternalId=1006427

 --
 Darius Jahandarie

Re: NTP Issues Today

[George Herbert]

As a reminder - time infrastructure is not recommended for
virtualization.  Make them physicals.


On Tue, Nov 20, 2012 at 5:03 PM, Blake Dunlap iki...@gmail.com wrote:
 That's what happens when you just follow vendor recommendations blindly. If
 you do follow that on vm's (which can actually be a good practice), make
 sure they pull from your own time infrastructure, and not just the world at
 large, and that those servers behave in a sane fashion with regard to time
 jumps.


 On Tue, Nov 20, 2012 at 6:56 PM, Darius Jahandarie 
 djahanda...@gmail.comwrote:

 On Tue, Nov 20, 2012 at 7:49 PM, Jimmy Hess mysi...@gmail.com wrote:
  Are you sure that you are actually using NTP to set your clock?
  For you to sync with 2000,  you should have had multiple confused
  peers from multiple time sources;  possibly a false radio signal
 
  NTP by default has a panic threshold of 1000 seconds.
 
  This  _should_   have caused NTP to execute a panic shutdown,
  instead of setting the clock back  30 million seconds.

 For VMWare at least, their official recommendation[1] for NTP is to

 tinker panic 0

 for suspend/resume reasons. I've seen it default in some places.

 [1]
 http://kb.vmware.com/selfservice/microsites/search.do?language=en_UScmd=displayKCexternalId=1006427

 --
 Darius Jahandarie





-- 
-george william herbert
george.herb...@gmail.com

Re: Big day for IPv6 - 1% native penetration

[Patrick W. Gilmore]

On Nov 20, 2012, at 14:44 , Tony Hain alh-i...@tndh.net wrote:

 If you assume that Youtube/Facebook/Netflix are 50% of the overall traffic, 
 why wouldn't a dual stacked end point have half of its traffic as IPv6 after 
 June???

If you assume  Kinda says it all right there.

But more importantly, those three combined are not 50% of overall traffic.  It 
_might_ be true in the US, for some times of the day, but certainly not 
world-wide overall traffic.  If for no better reason than you cannot get NF in 
all countries.

-- 
TTFN,
patrick

RE: Fiber terminations -- UPC vs APC

[Frank Bulk]

Good stuff here:
http://www.n2prise.org/fiber002.htm and http://www.n2prise.org/fiber003.htm

Frank

-Original Message-
From: Jeff Kell [mailto:jeff-k...@utc.edu] 
Sent: Monday, November 19, 2012 3:37 PM
To: nanog
Subject: Fiber terminations -- UPC vs APC

Looking for some guidance/references on the use of UPC versus APC
terminations on fiber
cabling.  Traditionally we have done all of our fiber plant targeting data
usage with
UPC connectors.  We are also looking at proposals for fiber distribution
plant for
video, and the possibility of using some of the existing fiber plant for
that purpose;
as well as any new fiber plant that gets installed for video potentially as
data.

The video folks are set, determined, and insistent that they need APC
terminations.

All data references I have found preach UPC.  Cisco's SFP reference page
even states (in
bold):

 *Note:* Only connections with patch cords with PC or UPC connectors are
supported.
 Patch cords with APC connectors are not supported. All cables and cable
assemblies
 used must be compliant with the standards specified in the standards
section.

So are we doomed to having physically separated fiber plants with suitable
connectors /
jumpers dedicated to video?  Anyone been down this snaky looking path?

Jeff