RE: OOB core router connectivity wish list
CMP this is what we need. +1000
Re: OOB core router connectivity wish list
On Jan 10, 2013, at 2:15 AM, Saku Ytti wrote: That is task for on-band interfaces, which attach to your forwarding-logic. No it isn't, any more than SNMP is a task for those interfaces. To export flow, you need port to be connected to your forwarding hardware, not control-plane and certainly not OOB management-plane. Again, the analogy is with SNMP. There's no requirement to be part of the data-plane, it's quite possible to get the flow telemetry to the management processor, same as with SNMP. Check Cisco's CMP this is what we need. I'm quite familiar with it, thanks. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
Re: OOB core router connectivity wish list
On Thu, 10 Jan 2013, Dobbins, Roland wrote: No it isn't, any more than SNMP is a task for those interfaces. Well, then what you're looking for is not what we're looking for (?). You seem to want the type of classic mgmt ethernet currently residing on high end router platforms (on the RP) and not a ILO/CMP type interface that we're looking for. I definitely do not want SNMP and netflow on my disaster recovery OOB network. -- Mikael Abrahamsson email: swm...@swm.pp.se
Re: OOB core router connectivity wish list
On Jan 10, 2013, at 6:15 AM, Mikael Abrahamsson wrote: I definitely do not want SNMP and netflow on my disaster recovery OOB network. Of course you do - else you're deaf, dumb, and blind at precisely the time you most need complete network visibility, i.e., during a disruptive event of some sort. The ability to type commands via ssh and/or console ports isn't very helpful if one lacks enough context to know what to type, heh. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
Re: OOB core router connectivity wish list
On Thu, 10 Jan 2013, Dobbins, Roland wrote: Of course you do - else you're deaf, dumb, and blind at precisely the time you most need complete network visibility, i.e., during a disruptive event of some sort. You and me seem to talk about different types of disasters. In my type of disaster, SNMP and netflow doesn't work because the RP is out of commission or seriously malfunctioning. The ability to type commands via ssh and/or console ports isn't very helpful if one lacks enough context to know what to type, heh. I don't know what to respond to this because I don't understand what you're getting at. -- Mikael Abrahamsson email: swm...@swm.pp.se
Re: OOB core router connectivity wish list
On (2013-01-10 10:48 +), Dobbins, Roland wrote: No it isn't, any more than SNMP is a task for those interfaces. Sending flowrecords to your slow ppc CPU just to allow export in non-HW interface is silly, when HW can export it directly, without ever hitting your control-plane. Polling SNMP is low volume, so you easily allow RP to poll for them from HW. But implementing this also in HW would be interesting for low-interval SNMP polling, then it also would stop working in your non-HW interfaces. Again, the analogy is with SNMP. There's no requirement to be part of the data-plane, it's quite possible to get the flow telemetry to the management processor, same as with SNMP. Sure, if performance is not important and if you're too poor to buy interface in your router. -- ++ytti
Re: [SHAME] Spam Rats
On Thu, Jan 10, 2013 at 01:10:48PM +1000, Julian DeMarchi wrote: On 01/10/2013 01:06 PM, Suresh Ramasubramanian wrote: Who uses it? Or did you see your IP listed in one of those multiple dnsbl query sites and contacted them on general principles even though you didn't see any actual bounced email that could be traced to a spam rats listing? Customers use the range. They had a complaint to us that the IP was listed by spamrats and thus the issue made it to my queue. That said, it is best practice to set ptr records even for your unassigned ip space Mail servers do need to have PTRs, but it is my _choice_ if my hosts that do not send mail have PTRs or not. I would not expect anyone to block my /24 for lack of PTRs on non-mail-sending hosts. If you believe that BCP for your own servers is to have PTRs, are you giving the caveat to your customers that they shouldn't be running mail service without dealing with you for PTRs? Are you accepting their mail without these PTRs? :-) That bit of customer service philosophy aside, two obvious answers are wildcard (weak) or to hand the customers the keys to their own fate (best). Just delegate to them. Hopefully you are at least handing them addresses in clumps to make it less annoying on your zone files. Cheers, Joe -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NANOG
Re: [SHAME] Spam Rats
On Wed, Jan 09, 2013 at 09:27:17PM -0600, Chris Boyd wrote: We're small shop, but our policy is not to accept email from addresses without PTRs. And we have a long list of pool/dhcp/dyn/resnet PTRs we don't accept mail from as well. This is (and has been) a best practice for most of a decade, ever since the rise of the zombies. Real mail servers have matching A and PTR records, and real (i.e., non-generic) FQDN hostnames. They also HELO/EHLO with real, non-generic FQDN hostnames that resolve, and which (preferably) match that in the A record. Everything else is at best suspect and probably either (a) a zombie or (b) incompetently run. Thus -- and these are examples seen in a local spamtrap in the last few hours -- none of these should be permitted to even *attempt* to deliver mail to real live addresses:
2.132.135.33 (no rdns)
37.44.121.227 (no rdns)
41.97.154.184 (no rdns)
41.191.104.24 (no rdns)
46.177.235.253 ppp046177235253.access.hol.gr
60.254.50.150 50.254.60.150.hathway.com
64.25.225.52 (no rdns)
74.7.101.50 (no rdns)
77.126.116.112 (no rdns)
79.180.105.90 bzq-79-180-105-90.red.bezeqint.net
80.232.221.197 (no rdns)
81.248.60.11 lcayenne-151-5-11.w81-248.abo.wanadoo.fr
85.30.103.215 (no rdns)
88.77.212.175 dslb-088-077-212-175.pools.arcor-ip.net
89.223.2.149 ip-149.2.223.89.net.unnet.ru
93.86.110.126 93-86-110-126.dynamic.isp.telekom.rs
95.140.197.66 host-95-140-197-66.customers.adc.am
110.49.235.132 (no rdns)
117.6.200.103 (no rdns)
117.212.210.190 (no rdns)
120.61.90.56 triband-mum-120.61.90.56.mtnl.net.in
122.163.226.123 abts-north-dynamic-123.226.163.122.airtelbroadband.in
122.166.232.127 abts-kk-static-127.232.166.122.airtelbroadband.in
123.24.97.69 dynamic.vdc.vn
123.24.198.246 (no rdns)
178.126.109.101 (no rdns)
190.66.167.111 (no rdns)
195.128.253.152 ip253-152.dl.uz.ua
200.56.5.180 200-56-5-180.dynamic.axtel.net
200.67.199.254 dsl-200-67-199-254-sta.prod-empresarial.com.mx
201.230.49.12 client-201.230.49.12.speedy.net.pe
206.55.180.8 (no rdns)
213.175.137.146 (no rdns)
220.227.74.69 (no rdns)
222.124.11.26 26.subnet222-124-11.astinet.telkom.net.id
222.253.178.173 localhost
---rsk
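The policy rsk describes (reject senders with no rDNS, with generic pool-style rDNS, or whose PTR does not resolve back to the connecting address) as an added example, not code from the post. Forward lookups are replaced by a constructed table so it runs offline; the sample rows are drawn from the list above plus one constructed legitimate relay (mx.example.net).

```python
"""Inbound-MTA reverse-DNS hygiene check (added example, not from the thread)."""
import re

# Constructed forward table standing in for A-record lookups (FCrDNS check).
FORWARD = {
    "mx.example.net": "192.0.2.25",
    "localhost": "127.0.0.1",
}

# Hostname fragments that mark consumer/dynamic address pools.
GENERIC_WORDS = re.compile(r"dynamic|\bdyn\b|pool|ppp|dsl|dhcp|resnet|cable", re.IGNORECASE)


def embeds_address(ip, ptr):
    """True if the PTR spells out the IP's octets (dotted, dashed, zero-padded
    or reversed), the hallmark of auto-generated pool names."""
    octets = ip.split(".")
    forms = set()
    for octs in (octets, octets[::-1]):
        padded = [o.zfill(3) for o in octs]
        forms.update({".".join(octs), "-".join(octs), "-".join(padded), "".join(padded)})
    return any(f in ptr for f in forms)


def classify(ip, ptr, forward=FORWARD):
    """Return the first policy reason that applies, or 'ok'."""
    if not ptr:
        return "no-rdns"
    name = ptr.lower().rstrip(".")
    if GENERIC_WORDS.search(name) or embeds_address(ip, name):
        return "generic"
    if forward.get(name) != ip:          # PTR must resolve back to the connecting IP
        return "fcrdns-mismatch"
    return "ok"


def audit(connections):
    """Tally verdicts for a list of (ip, ptr-or-None) pairs."""
    counts = {}
    for ip, ptr in connections:
        verdict = classify(ip, ptr)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample: rows from the post above plus one legitimate relay.
SAMPLE = [
    ("2.132.135.33", None),
    ("46.177.235.253", "ppp046177235253.access.hol.gr"),
    ("89.223.2.149", "ip-149.2.223.89.net.unnet.ru"),
    ("123.24.97.69", "dynamic.vdc.vn"),
    ("222.253.178.173", "localhost"),
    ("192.0.2.25", "mx.example.net"),
]

if __name__ == "__main__":
    for ip, ptr in SAMPLE:
        print(ip, ptr, "->", classify(ip, ptr))
    print(audit(SAMPLE))
```

In a real MTA hook the FORWARD table would be a resolver call; the ordering of checks matters, since a generic-looking name with a correct forward record is still a pool host and should be refused before the FCrDNS test is reached.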
Re: [SHAME] Spam Rats
On 10 Jan 2013, at 6:41 AM, Mark Andrews ma...@isc.org wrote: No. A /64 has 18,446,744,073,709,551,616 addresses. Even if you had machines that supported zettabytes of data the zone would never load in human lifetimes. Because hitting things in memory is the only way we can ever respond to a data request. This wording is about as excellent as those who've been quoted on record to say people wouldn't want TVs (boxes of wood) in their living rooms, etc. -J
Re: OOB core router connectivity wish list
On Jan 9, 2013, at 11:18 AM, William Herrin b...@herrin.us wrote: [P1]: It should be possible to transfer data using tftp, ftp and scp (ftp client on the OOB device, scp being used to transfer data *to* the device (OOB being scp server). For security and performance reasons, FTP has no place in a modern network. If you're still using it anywhere, you're borrowing grief. Replace with an http/https client. TFTP has such a strong legacy of use on routers that its presence remains just barely tolerable. For now. We have encountered cases where a vendor TFTP implementation + latency from the ROMMON can take a few hours to load images. I'm for ditching TFTP and replacing it with HTTP. This forces them to put in a TCP stack, and hopefully something that can window-scale and deal with the latency vs 'wait for block', ok, req next block.. The testers involved in their labs are never loading an image from 1600km away so don't get to enjoy this 'fun'. - Jared
Re: OOB core router connectivity wish list
On Jan 9, 2013, at 12:34 PM, Saku Ytti s...@ytti.fi wrote: Having RS232 or USB console on forwarding-plane is not OOB. And even OOB version of these is of limited value, you can't send images over them, you can't multiplex over them and RS232 OOB 'server' costs more than switch. So you get less and you pay more. HW + SW wise it's extremely simple contraption, all the code and HW needed is proven. I am very much against USB consoles. there can be a whole plethora of issues involved from OS-level to the device-level. When I'm on the console, things have already gone bad. I don't need to find out if the vendor has the right 'entitlement' established for me to download and load the driver or anything else.. It *needs* to work, I can't wait for the device on the other end to negotiate with the host system, etc.. I understand why people want it, but USB as it exists today isn't the way. (I can screw down a rs232 connector and it can be secure, I can't attach USB with the same certainty). - Jared
Re: OOB core router connectivity wish list
On (2013-01-10 08:57 -0500), Jared Mauch wrote: I am very much against USB consoles. there can be a whole plethora of issues involved from OS-level to the device-level. When I'm on the console, things have already gone bad. I don't need to find out if the vendor has the right 'entitlement' established for me to download and load the driver or anything else.. I'm certainly not rooting for USB console, I don't want to fix broken solution with another broken solution. I'm all for Ethernet OOB (true OOB, not fate-sharing control-plane), exactly like CMP in Cisco. -- ++ytti
Re: OOB core router connectivity wish list
I absolutely agree that USB is a bad way to go with this, as well as web management. I have no interest in trying to use some terrible web app to bring a network back up when simple 300 baud would suffice. I've got no problem with telnet/ssh, although I hate the idea of needing to know an ip address to emergency jack in to a device instead of just a bit rate, but please no web app. -Blake On Thu, Jan 10, 2013 at 8:00 AM, Saku Ytti s...@ytti.fi wrote: On (2013-01-10 08:57 -0500), Jared Mauch wrote: I am very much against USB consoles. there can be a whole plethora of issues involved from OS-level to the device-level. When I'm on the console, things have already gone bad. I don't need to find out if the vendor has the right 'entitlement' established for me to download and load the driver or anything else.. I'm certainly not rooting for USB console, I don't want to fix broken solution with another broken solution. I'm all for Ethernet OOB (true OOB, not fate-sharing control-plane), exactly like CMP in Cisco. -- ++ytti
Re: OOB core router connectivity wish list
On 10/01/2013 13:51, Jared Mauch wrote: We have encountered cases where a vendor TFTP implementation + latency from the ROMMON can take a few hours to load images. I'm for ditching TFTP and replacing it with HTTP. This forces them to put in a TCP stack, and hopefully something that can window-scale and deal with the latency vs 'wait for block', ok, req next block.. The testers involved in their labs are never loading an image from 1600km away so don't get to enjoy this 'fun'. From a hotel bedroom. At 03:00 in the morning. Re: other comments: - tftp: I've run into enough problems with stupid tftp incompatibilities that I'd be really happy never having to use it again in my life. - netflow: seriously, this is not an appropriate sort of port of exporting netflow. this is a your RP is toast recovery mechanism, at which point netflow is probably long gone. - rs232: please no. it's 2013. I don't want or need a protocol which was designed for access speeds appropriate to the 1980s. - USB: no. can you route USB? No. DNW. - original list: sounds great, except that I want ipv4 and ipv6 given equal priority for mgmt access. Nick
Re: OOB core router connectivity wish list
On Thu, Jan 10, 2013 at 9:10 AM, Nick Hilliard n...@foobar.org wrote: - netflow: seriously, this is not an appropriate sort of port of exporting netflow. this is a your RP is toast recovery mechanism, at which point netflow is probably long gone. it's possible that roland was saying that the oob network should collect flow records and export them to 'something' so you'd have an idea about what traffic was on the network... I can see some value in that. I don't think roland was really saying that normal netflow from a device in production pushing a few hundred gbps of traffic would be appropriate to ship out the OOB network... or I hope that wasn't his point. I don't think oob networks need to be sized for that. I do think that having a reliable OOB Ethernet would be nice, having it not be part of the forwarding plane (and not reachable from the forwarding plane) of the device in the field would also be nice. iLO/DRAC are good analogies... - rs232: please no. it's 2013. I don't want or need a protocol which was designed for access speeds appropriate to the 1980s. I don't think you can get ethernet and transport out-of-the-area in some places at a reasonable cost, so having serial-console I think is still a requirement. -chris
Re: OOB core router connectivity wish list
I don't think you can get ethernet and transport out-of-the-area in some places at a reasonable cost, so having serial-console I think is still a requirement. TDM is disappearing quickly in at least some parts of the world. We may not be quite there yet, but I think it's entirely reasonable to start asking for Ethernet console in procurement documents. Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [SHAME] Spam Rats
On 1/9/2013 10:06 PM, Suresh Ramasubramanian wrote: Who uses it? Or did you see your IP listed in one of those multiple dnsbl query sites and contacted them on general principles even though you didn't see any actual bounced email that could be traced to a spam rats listing? That said, it is best practice to set ptr records even for your unassigned ip space What label would you suggest be used for PTR records in unassigned space? If it is a standard best practice, why don't the RIRs do it for space that they have not yet assigned? Would this apply to IPv6 as well? -- Dave
Re: OOB core router connectivity wish list
On Thu, 10 Jan 2013, Christopher Morrow wrote: - rs232: please no. it's 2013. I don't want or need a protocol which was designed for access speeds appropriate to the 1980s. I don't think you can get ethernet and transport out-of-the-area in some places at a reasonable cost, so having serial-console I think is still a requirement. I don't understand this argument. Are you connecting your CON directly to something that transports it out-of-the-area? Modem? If you have a consolerouter there with T1 interface as link to outside world, what's wrong with having ethernet port from that T1 router to the ethernet OOB port on the router needing OOB access, instead of having RS232 port on them. It's cheaper and easier to cable ethernet compared to RS232. RS232 has much shorter cable length compared to ethernet (9600 reaches 20 meters or so). -- Mikael Abrahamsson email: swm...@swm.pp.se
Re: [SHAME] Spam Rats
Unused space generally gets a $generate type generic scripted runs which could be whatever, like ip-ad-dr-ess.example.com Not rid unallocated space, not that there's much of it in v4 As for v6 how popular do you see it getting for mail? On Thursday, January 10, 2013, Dave Sparro wrote: On 1/9/2013 10:06 PM, Suresh Ramasubramanian wrote: Who uses it? Or did you see your IP listed in one of those multiple dnsbl query sites and contacted them on general principles even though you didn't see any actual bounced email that could be traced to a spam rats listing? That said, it is best practice to set ptr records even for your unassigned ip space What label would you suggest be used for PTR records in unassigned space? If it is a standard best practice, why don't the RIRs do it for space that they have not yet assigned? Would this apply to IPv6 as well? -- Dave -- --srs (iPad)
Re: OOB core router connectivity wish list
On Jan 10, 2013, at 9:35 AM, Christopher Morrow morrowc.li...@gmail.com wrote: - rs232: please no. it's 2013. I don't want or need a protocol which was designed for access speeds appropriate to the 1980s. I don't think you can get ethernet and transport out-of-the-area in some places at a reasonable cost, so having serial-console I think is still a requirement. I think it does beg a few questions though: Some of the POTS carriers are trying to jettison their equipment before the end of this decade. In the absence of a modem + console server, I think that IP transport is going to become increasingly important for this function, but honestly - the vendors aren't mature in this space for core equipment. Without the ability to access the removable media in the 2010 timeframe at boot time is a major oversight. There is no consistent learning or 'continual improvement' in this space. I tried to give some focus to this about a decade ago for one vendor and it led to interesting discussions at first, but it is often so low in acquisition priorities it doesn't show up. Anyone dealing with modern servers will know of the experience with the few seconds to sync up to the VGA signal and how that can allow you to miss the Press DEL/F1/F2/F8/F12 messages. The modernization of equipment in this space has led to side-effects. I'm … (wanted to say fearful, but…) concerned with what they will concoct given their independent thought at times. Now that being said, the idea of an industry document may be something we can collaborate on as a group to list what doesn't work and why. (e.g.: I think Roland is confusing ROMMON w/ management ethers.. these can be the same physical port, but not always). - Jared
Re: OOB core router connectivity wish list
On (2013-01-10 09:35 -0500), Christopher Morrow wrote: I don't think you can get ethernet and transport out-of-the-area in some places at a reasonable cost, so having serial-console I think is still a requirement. I don't understand this point. Where does your RS232 port go? It goes to Console server in POP, which is ethernet connected? At least this is how vast majority to do it, maybe you have CON2AUX between neighbouring devices, then you could have OOB ETH to ETH between neighbouring devices. Console server costs more than ethernet switch, so it's actually cheaper to do it right. -- ++ytti
Re: OOB core router connectivity wish list
On Jan 10, 2013, at 9:51 AM, Mikael Abrahamsson swm...@swm.pp.se wrote: On Thu, 10 Jan 2013, Christopher Morrow wrote: - rs232: please no. it's 2013. I don't want or need a protocol which was designed for access speeds appropriate to the 1980s. I don't think you can get ethernet and transport out-of-the-area in some places at a reasonable cost, so having serial-console I think is still a requirement. I don't understand this argument. Are you connecting your CON directly to something that transports it out-of-the-area? Modem? Yes, we have done this in a site with one device. If you have a consolerouter there with T1 interface as link to outside world, what's wrong with having ethernet port from that T1 router to the ethernet OOB port on the router needing OOB access, instead of having RS232 port on them. It's cheaper and easier to cable ethernet compared to RS232. RS232 has much shorter cable length compared to ethernet (9600 reaches 20 meters or so). I certainly want to use something more modern, having run Xmodem to load images into devices or net-booted systems with very large images in the past… I've seen all sorts of creative ways to do this (e.g.: DSL for OOB, 3G, private VPLS network via outside carrier). It is a challenge in the modern network space. Plus I have to figure that 9600 modems are going to be harder to find as time goes by.. at some point folks will stop making them. - Jared
Re: OOB core router connectivity wish list
On Thu, Jan 10, 2013 at 9:44 AM, sth...@nethelp.no wrote: I don't think you can get ethernet and transport out-of-the-area in some places at a reasonable cost, so having serial-console I think is still a requirement. TDM is disappearing quickly in at least some parts of the world. We may not be quite there yet, but I think it's entirely reasonable to start asking for Ethernet console in procurement documents. don't disagree... I was saying that the cost of higher speed transport in some regions is 'very high', as compared to dialup, and that the networking in question here is purely overhead costs, so keeping the cost down is important.
Re: OOB core router connectivity wish list
On Thu, Jan 10, 2013 at 9:51 AM, Mikael Abrahamsson swm...@swm.pp.se wrote: On Thu, 10 Jan 2013, Christopher Morrow wrote: - rs232: please no. it's 2013. I don't want or need a protocol which was designed for access speeds appropriate to the 1980s. I don't think you can get ethernet and transport out-of-the-area in some places at a reasonable cost, so having serial-console I think is still a requirement. I don't understand this argument. Are you connecting your CON directly to something that transports it out-of-the-area? Modem? sure If you have a consolerouter there with T1 interface as link to outside i may not have a T1, because a T1 is ~2k/month or more in some places. I may have dialup to a 'console server' that services the items in the pop/location. I do hope to improve that solution with some networked thing, so I do want ethernet... I'm just saying that today it's not cost effective everywhere. You seem to agree with this, in previous posts at least. world, what's wrong with having ethernet port from that T1 router to the ethernet OOB port on the router needing OOB access, instead of having RS232 port on them. It's cheaper and easier to cable ethernet compared to RS232. RS232 has much shorter cable length compared to ethernet (9600 reaches 20 meters or so). odd, I could swear I've used 9600 baud over a couple hundred feet, though that's less of an issues, really.
Re: OOB core router connectivity wish list
On (2013-01-10 09:54 -0500), Jared Mauch wrote: I don't think you can get ethernet and transport out-of-the-area in some places at a reasonable cost, so having serial-console I think is still a requirement. Some of the POTS carriers are trying to jettison their equipment before the end of this decade. In the absence of a modem + console server, If modem to RS232 is what OP meant. Then obviously he can do this with OOB ETH also. Just buy modem with ethernet port. I'd need this in hundreds of pops, I'm not going to build second non-revenue generating network just to get OOB. I'm going to each pop check what I can get, which does not use my network. Sometimes it's ADSL, cablemodem, ISDN, 3G, WLAN maybe even PSTN. Today: Router_RS232 - ConsoleServer - Cisco CPE (DMVPN+IPSEC) ---random_access Tomorrow Router OOB - Cisco CPE(DMVPN+IPSEC) ---random_access I'm not changing my access at all. I'm removing devices, I'm gaining ability to send images. I'm gaining ability to fix box when control-plane is fucked up. Whatever access you have, it won't stop working. And people who cry 'oh my analog PSTN modem never breaks, cisco ISR will'. Availability of OOB network is irrelevant, you maybe need it long-term 5min per device per year. So as long as it is up then, you're golden. Rest of the year, have your nagios SSH into the OOB ETH every 5min, and raise alarm if shit is broken, then fix the broken shit. -- ++ytti
Re: [SHAME] Spam Rats
On Thu, January 10, 2013 7:53 am, Suresh Ramasubramanian wrote: As for v6 how popular do you see it getting for mail? Are you implying that when the internet otherwise moves on to IPv6, we'll still inexplicably use IPv4 for mail? Jima
PTRs for IPv6 (was Re: [SHAME] Spam Rats)
RE: PTRs for IPv6, see http://tools.ietf.org/html/draft-howard-isp-ip6rdns-05 I've had many excellent suggestions for updates to it, which I intend to treat in the next couple of weeks. I don't cover PTRs for servers, because I don't see a scalability problem. However, I don't think I understand the conversation below. Pointers to make me smarter? Thanks, Lee On 1/10/13 1:22 AM, Mark Andrews ma...@isc.org wrote: In message alpine.bsf.2.00.1301100106560.55...@joyce.lan, John R. Levine writes: One is a stunt rDNS server that synthesizes the records on demand. (Bonus points for doing DNSSEC, too. Double bonus points for doing NSEC3.) NSEC3 is a waste of time in ip6.arpa or any similarly structured zone so -100 for doing NSEC3 and effectively doing a DoS attack against yourself and the client resolvers. I know, but figuring out on the fly what order the hashes are would be quite a coding feat. subtract labels until you have one which fits the namespace pattern. that is the closest encloser ce. hash that name for the closest encloser. hash label.ce add/subtract one for the second half of the noqname proof. hash *.ce add/subtract one for the no wildcard proof. R's, John -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
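Mark's recipe for on-the-fly NSEC3 in a pattern-structured zone, carried into code as an added example (not his or ISC's code): strip labels until the name fits the zone's namespace pattern (that is the closest encloser), hash it, hash label.ce and *.ce, and bracket each of those hashes by +/-1 so the synthesised NSEC3 covers it. Hashing follows RFC 5155 section 5 (SHA-1, salt, iterations, base32hex). The apex, a constructed ip6.arpa zone for 2001:db8::/32, and the salt and iteration count in deny() are assumptions for the demo.

```python
"""On-the-fly NSEC3 denial for a pattern-structured reverse zone (added example)."""
import base64
import hashlib

_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_STD, _HEX)
_TO_STD = str.maketrans(_HEX, _STD)

APEX = "8.b.d.0.1.0.0.2.ip6.arpa"   # constructed: ip6.arpa zone for 2001:db8::/32
NIBBLES_BELOW = 24                  # 128 - 32 bits = 24 hex labels below the apex
HEX_LABELS = set("0123456789abcdef")


def wire_name(name):
    """Canonical (lowercase) wire form of an absolute name: length-prefixed labels + root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155: SHA-1(name || salt), then `iterations` more rounds of SHA-1(h || salt);
    the 160-bit result is rendered as 32 base32hex characters (no padding)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX).lower()


def hash_plus(h, delta):
    """Shift a base32hex hash by `delta` (mod 2^160): the 'add/subtract one' step
    that turns a hash into a covering owner/next pair."""
    raw = base64.b32decode(h.upper().translate(_TO_STD))
    n = (int.from_bytes(raw, "big") + delta) % (1 << 160)
    return base64.b32encode(n.to_bytes(20, "big")).decode("ascii").translate(_TO_HEX).lower()


def fits_pattern(name):
    """Names that 'exist': the apex and any chain of 1..24 single-nibble labels below
    it (each such name is a synthesised PTR or an empty non-terminal)."""
    n = name.lower().rstrip(".")
    if n == APEX:
        return True
    if not n.endswith("." + APEX):
        return False
    below = n[: -len(APEX) - 1].split(".")
    return len(below) <= NIBBLES_BELOW and all(len(l) == 1 and l in HEX_LABELS for l in below)


def closest_encloser(qname):
    """Strip leading labels until the remainder fits; return (closest encloser, next closer)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if fits_pattern(candidate):
            return candidate, ".".join(labels[i - 1:])
    raise ValueError("%s is not below the zone apex" % qname)


def deny(qname, salt=b"\xaa\xbb", iterations=0):
    """Synthesise the three NSEC3 (owner, next) hash pairs an NXDOMAIN needs: one
    matching the closest encloser, one covering the next-closer name and one
    covering the wildcard *.ce.  Salt and iterations are constructed defaults."""
    if fits_pattern(qname):
        raise ValueError("%s exists in the synthesised zone" % qname)
    ce, nc = closest_encloser(qname)
    h_ce, h_nc, h_wc = (nsec3_hash(n, salt, iterations) for n in (ce, nc, "*." + ce))
    return {
        "closest_encloser": (h_ce, hash_plus(h_ce, 1)),
        "next_closer": (hash_plus(h_nc, -1), hash_plus(h_nc, 1)),
        "wildcard": (hash_plus(h_wc, -1), hash_plus(h_wc, 1)),
    }


if __name__ == "__main__":
    for proof, owner_next in deny("zz.1.2." + APEX).items():
        print("%-17s owner=%s next=%s" % (proof, owner_next[0], owner_next[1]))
```

The hash function is checked against the RFC 5155 Appendix A vector (the apex "example." with salt aabbccdd and 12 iterations hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom). Note that this only works because the zone's contents are defined by a pattern rather than stored; for a real stored zone the next-hash ordering has to come from the sorted chain, which is the coding feat John refers to, and Mark's point about the per-query cost of iterated hashing still stands.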
Re: [SHAME] Spam Rats
On Jan 10, 2013, at 10:17 AM, Jima na...@jima.tk wrote: On Thu, January 10, 2013 7:53 am, Suresh Ramasubramanian wrote: As for v6 how popular do you see it getting for mail? Are you implying that when the internet otherwise moves on to IPv6, we'll still inexplicably use IPv4 for mail? IMHO mail is one of the easiest first things to turn on for IPv6. Nobody is going to really notice a 1s delay if they connect() and you're not listening on IPv6 but are on IPv4. There are concerns from the spam/blacklist communities that IPv6 will make it too hard to roll-up spam information, so many enterprises will likely stick to IPv4 along the long-tail of deployment as it will nearly always work. I also see lots of people with 2002: address in my mail-log relying on 6to4 gateways, e.g.:
puck:~$ host doors.huapi.net.ar
doors.huapi.net.ar has address 190.136.177.222
doors.huapi.net.ar has address 168.83.68.202
doors.huapi.net.ar has IPv6 address 2002:be88:b1de::1
puck:~$ host warner.fm
warner.fm has address 66.59.109.136
warner.fm has IPv6 address 2002:423b:6d88::1
warner.fm mail is handled by 10 argo.pyxos.net.
puck:~$ host x25.se.
x25.se has address 83.227.190.248
x25.se has IPv6 address 2002:53e3:bef8::1
x25.se mail is handled by 1 x25.se.
I suspect folks will run these sorts of gateways for some time.. - Jared
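The roll-up problem Jared mentions has one easy case: 6to4 (2002::/16) and Teredo addresses carry the responsible IPv4 endpoint inside them, so a reputation lookup can key on that IPv4 address rather than on the IPv6 address. This added example (not code from Jared's post) rebuilds sample rows from the `host` output above, adds a constructed native-IPv6 sender, a constructed IPv4 sender and a commonly cited Teredo example address, and keys native IPv6 senders on their /64 since a host can use any address within it; it relies only on the standard-library ipaddress module.

```python
"""Map tunnelled IPv6 mail senders back to the IPv4 endpoint (added example)."""
import ipaddress

# Constructed sample rows: (hostname, address seen on the inbound connection).
SAMPLE = [
    ("doors.huapi.net.ar", "2002:be88:b1de::1"),
    ("warner.fm", "2002:423b:6d88::1"),
    ("x25.se", "2002:53e3:bef8::1"),
    ("teredo-client.example", "2001:0:4136:e378:8000:63bf:3fff:fdd2"),  # widely cited Teredo sample
    ("mx.example.net", "2001:db8::25"),      # constructed native-IPv6 sender
    ("legacy.example.net", "192.0.2.25"),    # constructed IPv4 sender
]


def reputation_key(addr):
    """Return (kind, key): the key is what a DNSBL/reputation lookup should use."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4", str(ip)
    if ip.sixtofour is not None:            # 2002:V4ADDR::/48 -> embedded IPv4
        return "6to4", str(ip.sixtofour)
    if ip.teredo is not None:               # (server, client); the client is the sender
        return "teredo", str(ip.teredo[1])
    # Native IPv6: aggregate on the /64, the smallest unit a single host controls.
    return "ipv6", str(ipaddress.IPv6Network("%s/64" % ip, strict=False))


def summarise(rows):
    """hostname -> (kind, lookup key) for every sample row."""
    return {host: reputation_key(addr) for host, addr in rows}


if __name__ == "__main__":
    for host, (kind, key) in summarise(SAMPLE).items():
        print("%-24s %-7s %s" % (host, kind, key))
```

For the three 6to4 hosts above the recovered IPv4 address is exactly the A record `host` printed, which is the relay's own public address; a listing decision made on that address applies whichever path the mail arrived by.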
Re: [SHAME] Spam Rats
On Thu, Jan 10, 2013 at 3:45 PM, Dave Sparro dspa...@gmail.com wrote: What label would you suggest be used for PTR records in unassigned space? Some fixed string like unassigned.yourdomain? This would make it obvious that something is wrong if ever it leaks out. -- Matthias
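The two suggestions in this sub-thread (Suresh's scripted per-address names and Matthias's fixed marker for unassigned space) side by side in a BIND zone fragment, as an added example that is not from either post; the prefix 192.0.2.0/24, the names and the split at .128 are constructed.

```zone
; Constructed example: reverse zone for 192.0.2.0/24 (documentation prefix).
; .1-.127 are assigned and get a generated per-address name;
; .128-.254 are unassigned and all point at one marker name, so any
; appearance of that name in a mail or web log is immediately suspicious.
$ORIGIN 2.0.192.in-addr.arpa.
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. ( 2013011001 7200 900 1209600 3600 )
    IN NS  ns1.example.com.
$GENERATE 1-127   $ PTR ip-192-0-2-$.example.com.
$GENERATE 128-254 $ PTR unassigned.example.com.
```

Whichever label is chosen, the forward side matters as much: a PTR that has no matching A record fails the FCrDNS test that the receiving MTAs in this thread apply, so the generated names should resolve forward too, and the marker name should not.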
Re: OOB core router connectivity wish list
On 01/10/2013 07:02 AM, Jared Mauch wrote: On Jan 10, 2013, at 9:51 AM, Mikael Abrahamsson swm...@swm.pp.se wrote: I certainly want to use something more modern, having run Xmodem to load images into devices or net-booted systems with very large images in the past… I've seen all sorts of creative ways to do this (e.g.: DSL for OOB, 3G, private VPLS network via outside carrier). It is a challenge in the modern network space. Plus I have to figure that 9600 modems are going to be harder to find as time goes by.. at some point folks will stop making them. Isn't the biggest issue here resilience? If you have ethernet/IP as your OOB mechanism, how sure can you be that it's really OOB? This is, I'm assuming the fallback for when things are really, really hosed. What would happen if you needed to physically get hands into many, many pops? Mike
Re: [SHAME] Spam Rats
On 1/10/2013 9:53 AM, Suresh Ramasubramanian wrote: Unused space generally gets a $generate type generic scripted runs which could be whatever, like ip-ad-dr-ess.example.com If the IP address hasn't been assigned to example.com, why would you make a DNS entry that implies that it has? Not rid unallocated space, not that there's much of it in v4 Why not? As for v6 how popular do you see it getting for mail? What does mail have to do with DNS policy for unassigned IP addresses?
Re: OOB core router connectivity wish list
On Thu, Jan 10, 2013 at 1:24 AM, Randy Carpenter rcar...@network1.net wrote: On Wed, 9 Jan 2013, Randy Carpenter wrote: My main requirements would be: 1. Something that is *not* network (ethernet or otherwise) (isn't that the point of OOB?) I don't understand this at all. Why can't an OOB network be ethernet based towards the equipment needing management? How do I connect to it from many miles away when the network is down? I have connected to a misbehaving border device at a remote network via dial-up before, and was able to get it back up and running. I would not have been able to do that if the only options were ethernet or ethernet. Dial up with PPP and then cross the ethernet? Drop off a cellular modem with IP service instead of a dialup modem? Perhaps you haven't noticed but IP over circuit-switched voice lines is giving way to voice over IP packet switched systems. That POTS line the dialup modem needs doesn't have a lot of future left. But having a console-serial is significantly less complex than console-IP_Stack-ethernet. So many more things to go wrong. I've never had a device that had a faulty serial port. I have seen numerous faulty or misbehaving network ports. I've had faulty serial consoles more than once but that's beside the point. Yes, ethernet-based OOB is more complex than a simple serial console. It's also a lot more effective. At this point the server vendors have gotten it down to a science where it's just as reliable and not especially expensive. Time I'd say for the big iron router vendors to follow suit. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: OOB core router connectivity wish list
On 1/10/2013 11:18 AM, William Herrin wrote: On Thu, Jan 10, 2013 at 1:24 AM, Randy Carpenter rcar...@network1.net wrote: On Wed, 9 Jan 2013, Randy Carpenter wrote: My main requirements would be: 1. Something that is *not* network (ethernet or otherwise) (isn't that the point of OOB?) I don't understand this at all. Why can't an OOB network be ethernet based towards the equipment needing management? How do I connect to it from many miles away when the network is down? I have connected to a misbehaving border device at a remote network via dial-up before, and was able to get it back up and running. I would not have been able to do that if the only options were ethernet or ethernet. Dial up with PPP and then cross the ethernet? Drop off a cellular modem with IP service instead of a dialup modem? Perhaps you haven't noticed but IP over circuit-switched voice lines is giving way to voice over IP packet switched systems. That POTS line the dialup modem needs doesn't have a lot of future left. Nothing beats POTS in a broad power outage scenario. Numerous power outages have taken down mobile service completely while the POTS lines stayed up as it carries its own power by design. -- Randy
Re: OOB core router connectivity wish list
On (2013-01-10 11:41 -0500), Randy Whitney wrote: Nothing beats POTS in a broad power outage scenario. Numerous power outages have taken down mobile service completely while the POTS lines stayed up as it carries its own power by design. Is your RS232 Modem POTS powered? If POP is powerless, where will be POTS powered RS232 Modem connect to? -- ++ytti
Re: OOB core router connectivity wish list
On Thu, Jan 10, 2013 at 11:41 AM, Randy Whitney randy.whit...@verizon.com wrote:
> Nothing beats POTS in a broad power outage scenario. Numerous power outages have taken down mobile service completely while the POTS lines stayed up as it carries its own power by design.

Carries it from somewhere that has to remain powered which typically isn't a building with an automatic generator any more. Access to the POTS lines of yesteryear is dwindling and not all that slowly.

Regards,
Bill Herrin

--
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: OOB core router connectivity wish list
On Jan 10, 2013, at 11:52 AM, Saku Ytti s...@ytti.fi wrote:
> On (2013-01-10 11:41 -0500), Randy Whitney wrote:
>> Nothing beats POTS in a broad power outage scenario. Numerous power outages have taken down mobile service completely while the POTS lines stayed up as it carries its own power by design.
>
> Is your RS232 modem POTS powered? If the POP is powerless, where will the POTS-powered RS232 modem connect to?

Not sure about you, but I've used the ability for a POTS line to either ring or give me a modem tone to determine the power status at the site.

- Jared
Re: OOB core router connectivity wish list
On Thu, Jan 10, 2013 at 11:41 AM, Randy Whitney randy.whit...@verizon.com wrote:
> Nothing beats POTS in a broad power outage scenario. Numerous power outages have taken down mobile service completely while the POTS lines stayed up as it carries its own power by design.
>
> --
> Randy

It's been a while since I've tried, but it used to be an absolute nightmare to get POTS service in many colos. Has that changed?

-Steve
Re: OOB core router connectivity wish list
Why is Satellite not a good OOB option?

From my Galaxy Note II, please excuse any mistakes.

Original message
From: William Herrin b...@herrin.us
Date: 01/10/2013 8:20 AM (GMT-08:00)
To: Randy Carpenter rcar...@network1.net
Cc: nanog@nanog.org
Subject: Re: OOB core router connectivity wish list

> [...]
Re: OOB core router connectivity wish list
On Thu, Jan 10, 2013 at 12:16 PM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:
> Why is Satellite not a good OOB option?

inside iron boxes satellite signal is 'hard'. getting a roof mounted antenna is extra cost/complexity. or so some thinking goes.
Re: OOB core router connectivity wish list
On 10/01/2013 16:52, Saku Ytti wrote:
> If the POP is powerless, where will the POTS-powered RS232 modem connect to?

To the same power feed as the router you're trying to rescue. If that feed has no power, it's time to take out the gerbil wheel.

Nick
Re: OOB core router connectivity wish list
On Thu, Jan 10, 2013 at 12:16 PM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:
> Why is Satellite not a good OOB option?

Sometimes it is, and a larger colo could probably make another few nickels selling connections to an OOB access network which included, as one of the ways in, a satellite link.

Regards,
Bill Herrin

--
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: OOB core router connectivity wish list
Antenna is pretty small now. Can back haul all alarms privately, single hop back to the teleport. Very low power consumption, and very decent throughput (we can run 100mbps+ these days, which is pricey).

From my Galaxy Note II, please excuse any mistakes.

Original message
From: Christopher Morrow morrowc.li...@gmail.com
Date: 01/10/2013 9:24 AM (GMT-08:00)
To: Warren Bailey wbai...@satelliteintelligencegroup.com
Cc: b...@herrin.us, rcar...@network1.net, nanog@nanog.org
Subject: Re: OOB core router connectivity wish list

> On Thu, Jan 10, 2013 at 12:16 PM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:
>> Why is Satellite not a good OOB option?
>
> inside iron boxes satellite signal is 'hard'. getting a roof mounted antenna is extra cost/complexity. or so some thinking goes.
Re: OOB core router connectivity wish list
On (2013-01-10 12:08 -0500), Jared Mauch wrote:
> Not sure about you, but I've used the ability for a POTS line to either ring or give me a modem tone to determine the power status at the site.

So the modem is not PSTN powered, so if it responds, the pop must be powered? Wouldn't any old CPE on any access have the same benefit, except you could ping it.

However this has again nothing to do with the RS232 onband/eth oob on the router; you can still have your modem just fine and run the ETH OOB over it, keeping any value you extract from PSTN today.

Personally, I'd really love to see dying gasp over SNMP trap for powerloss. I was really happy when I saw the ME3400 and ME3400E difference list 'dying gasp', but it turns out it's some EOAM stuff which I didn't bother figuring out how to get all the way to NMS. A dying gasp trap to NMS would be a neat way to see immediately in monitoring that a box is down due to losing electricity; you can exclude many possible fault reasons right there.

--
  ++ytti
Re: OOB core router connectivity wish list
I have a Cyclades acs-48 console server. Direct power and Ethernet drop from the ceiling with a public ip. In my subnet, but not through my routers/switches or pdus. Completely out of band, except for relying on colo power/net, which if that's not up then oob is worthless to me anyway.

I have every device hooked to this. Pdus, routers, switches, vm, storage servers. That allows me to get console and power cycle every device. What more would I want? Dialup means I need to be in a place I can hook up a modem. Not too many of those. If I make a configuration mistake, need to reboot a box etc, I want to be able to access my kit from anywhere with ip connectivity.

If power or network in the colo is down, then oob does me no good, and I have a dr site for that scenario. That dr site also monitors production and emails my sms address.

Michael Thomas m...@mtcc.com wrote:
> On 01/10/2013 07:02 AM, Jared Mauch wrote:
>> On Jan 10, 2013, at 9:51 AM, Mikael Abrahamsson swm...@swm.pp.se wrote:
>>> I certainly want to use something more modern, having run Xmodem to load images into devices or net-booted systems with very large images in the past…
>>
>> I've seen all sorts of creative ways to do this (e.g.: DSL for OOB, 3G, private VPLS network via outside carrier). It is a challenge in the modern network space. Plus I have to figure that 9600 modems are going to be harder to find as time goes by.. at some point folks will stop making them.
>
> Isn't the biggest issue here resilience? If you have ethernet/IP as your OOB mechanism, how sure can you be that it's really OOB? This is, I'm assuming the fallback for when things are really, really hosed. What would happen if you needed to physically get hands into many, many pops?
>
> Mike

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: OOB core router connectivity wish list
On (2013-01-10 11:52 -0600), Charles N Wyble wrote:
> I have every device hooked to this. Pdus, routers, switches, vm, storage servers. That allows me to get console and power cycle every device. What more would I want? Dialup means I need to be in a place I can hook up a modem. Not too many of those. If I make a configuration mistake, need to reboot a box etc, I want to be able to access my kit from anywhere with ip connectivity.

If you fuck up your JunOS/IOS install and the box does not have a working image anymore, you need to go on-site. Otherwise you're pretty much there. But you've paid good money for the setup; especially the powercycle is expensive and introduces another place where the power feed can break down. Cyclades is a very good RS232 console server, supports multiplexing and maybe even persistent logging of console messages (to read what the router puked out before it hard crashed). Having an ILO/DRAC/vPro style port (CMP in cisco) in your router, you'd get all this and more, cheaper.

--
  ++ytti
Re: [SHAME] Spam Rats
ARGH, ok, enough with:

> They can have any policy they like, it's their equipment and no one is being forced to use them.

That's tacit, I'd hope. Doesn't mean people can't do dopey things well within their rights and maybe sounding it out would give them some clue, or at least warn others to stay away, tho I'd agree NANOG is probably not the right venue.

--
        -Barry Shein

The World              | b...@theworld.com       | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD    | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet | SINCE 1989     *oo*
Re: [SHAME] Spam Rats
Just as a data point (and to initiate my semi-annual 'I'm still here' email), we of course check for and require PTRs for all of our email accreditation customers, many of which are ESPs, and you would be *shocked* (or maybe you wouldn't) how many otherwise relatively clueful and 'wanting to do it right' senders have no clue at all about PTR.

Anne

Anne P. Mitchell, Esq
CEO/President
Institute for Social Internet Public Policy
http://www.ISIPP.com
Member, Cal. Bar Cyberspace Law Committee

How do you get to the inbox instead of the spam filter? SuretyMail!
How do you protect your inboxes from spam while reducing false positives? SuretyMail!
http://www.SuretyMail.com
Re: [SHAME] Spam Rats
On Wed, Jan 9, 2013 at 10:49 PM, Julian DeMarchi jul...@jdcomputers.com.au wrote:
> At least one company uses spamrats. That's how it got escalated to me.

Hi Julian,

A couple of thoughts for you:

1. Spam Rats is a non-entity and anyone blocking email solely on Spam Rats' information is a fool. You can't be responsible for what every damn fool does on the Internet, so if the problem is that the customer sending small amounts of mail has run afoul of a single fool, you should consider limiting your efforts to helping the customer get in touch with that fool.

2. If the customer sending small amounts of email decides that blocking of multiple mail destinations is because of Spam Rats, they're almost certainly mistaken. Not about being blocked, but about the cause. Find out what's really going on.

3. If the customer is sending mail without a valid PTR record then they're probably on lists similar to rfc-ignorant as well. Check in to it. And help them fix the PTR record.

4. If the customer is sending enough email to find multiple folks relying on Spam Rats' information and they're doing it without having asked for valid PTR records, that's enough of a red flag that it's time for you to scrutinize just what email your customer is sending.

Regards,
Bill Herrin

--
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: OOB core router connectivity wish list
On Thu, Jan 10, 2013 at 12:08 PM, Jared Mauch ja...@puck.nether.net wrote:
> Not sure about you, but I've used the ability for a POTS line to either ring or give me a modem tone to determine the power status at the site.
>
> - Jared

When I worked in the BBN NOC, we used the customer's fax line to determine if the site still had power :) Too many times the cleaners would blow fuses when using the vacuum on the same circuit as the router.

-Steve
Re: [SHAME] Spam Rats
On Jan 9, 2013, at 20:18 , Mark Foster blak...@blakjak.net wrote:
> On 10/01/13 17:15, Karl Auer wrote:
>> On Wed, 2013-01-09 at 21:14 -0600, Otis L. Surratt, Jr. wrote:
>>> FYI - I have a PTR for all IPs. Just general practice.
>>
>> All IPs actually in use, or all possible IPs in a network? If the latter, then it's not gunna fly for IPv6. Not at all. Not unless you synthesise the responses - in which case there is no point to requiring them anyway.
>>
>> Regards, K.
>
> $GENERATE, as someone else pointed out, solves that problem for you? (Does it scale for IPv6? I can't recall - but surely this could be scripted too.)

Mental exercise...

$GENERATE is a run-time macro which is parsed to create in-memory PTR records for all included entries. The end result in memory is identical to having typed in all of the PTR records in a zone file.

If you're running a 64 bit architecture, you can, theoretically, address a 64-bit memory space. However, that would require each in-memory PTR record to fit in 1 byte and you would have no room remaining for little silly inconsequential things like forward zones, the DNS server software, the operating system, the network stack, etc. This assumes, of course, that you have maxed out your RAM to a full 18,000+ petabytes (which I tend to doubt). If not, then, you don't even have enough RAM for 1 byte per PTR record. I know PTR records can theoretically be pretty compressible, but I doubt you can get below 1 byte/record even with the best of compression algorithms.

Real time synthesis (synthesis on request) according to something similar to $GENERATE might be feasible, but $GENERATE as implemented does not scale to IPv6.

> I thought the point of doing so was to establish with some degree of accuracy that there were 'real people' behind the administration of said IP, and that there was a somewhat increased level of accountability as a result - which suggests there is in fact a point.

I'll leave the flaws in that theory as an exercise to the reader.

Owen
Re: [SHAME] Spam Rats
> *.4.4.3.0.5.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR a.node.on.vlan344.namn.se.
>
> ...will work just fine, for instance.

Since there is no record for a.node.on.vlan344.namn.se., this won't work fine in any rDNS check I'm aware of.

You are aware that useful rDNS has to have matching forward DNs, right?
Re: [SHAME] Spam Rats
> IMHO mail is one of the easiest first things to turn on for IPv6.

You can certainly turn it on, and it will work at the current toy scale, but nobody has a clue how we're going to scale IPv4 spam management up for large scale IPv6. Anything that's obvious won't work.
Re: [SHAME] Spam Rats
On 01/10/2013 02:59 PM, John Levine wrote:
>> IMHO mail is one of the easiest first things to turn on for IPv6.
>
> You can certainly turn it on, and it will work at the current toy scale, but nobody has a clue how we're going to scale IPv4 spam management up for large scale IPv6. Anything that's obvious won't work.

It isn't a complete solution by itself, but SPF hardly breaks a sweat with IPv6 and helps with maintaining domain-name based blacklists.

--
Daniel Taylor
VP Operations
Vocal Laboratories, Inc
dtay...@vocalabs.com
612-235-5711
Re: [SHAME] Spam Rats
On 1/10/13 12:59 PM, John Levine wrote:
>> IMHO mail is one of the easiest first things to turn on for IPv6.
>
> You can certainly turn it on, and it will work at the current toy scale, but nobody has a clue how we're going to scale IPv4 spam management up for large scale IPv6. Anything that's obvious won't

it works just fine. I've been receiving spam over v6 for about 12 years at this point.

> work.
Re: [SHAME] Spam Rats
On Thu, 2013-01-10 at 20:23 +0530, Suresh Ramasubramanian wrote:
> Unused space generally gets a $generate type generic scripted runs which could be whatever, like ip-ad-dr-ess.example.com

Nothing that actually stores actual RRs will scale to the number of addresses available in IPv6. If you want a PTR for every possible address in your network, or even just every possible address in a single /64 subnet then you are SOL as far as IPv6 is concerned. The only way to do it is to fake it - for example by synthesising responses on the fly. You can't cache the synthesised responses either, that would be inviting a DoS.

I said this would be pointless because if providing RRs were as simple as synthesising one on request, then the presence of a PTR record would no longer be a meaningful indicator of cluefulness (not that it is now IMHO, but opinions clearly differ on that).

> As for v6 how popular do you see it getting for mail?

Well - at least as popular as IPv4 - eventually :-)

Regards, K.

--
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://www.biplane.com.au/blog

GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Re: [SHAME] Spam Rats
Mail is all this discussion is in the context of.

On Friday, January 11, 2013, Karl Auer wrote:
> [...]

--
--srs (iPad)
Re: [SHAME] Spam Rats
> Date: 10 Jan 2013 20:57:25 -
> From: John Levine jo...@iecc.com
> Subject: Re: [SHAME] Spam Rats
>
>> *.4.4.3.0.5.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR a.node.on.vlan344.namn.se.
>>
>> ...will work just fine, for instance.
>
> Since there is no record for a.node.on.vlan344.namn.se., this won't work fine in any rDNS check I'm aware of.

it works just fine, as long as there is one for that name (even in a different netblock), and -that- address has rDNS matching the

> You are aware that useful rDNS has to have matching forward DNs, right?

Not exactly. grin The 'usual' test is 'rev-fwd-rev' and compare the results of the two 'rev' look-ups. This allows a host with multiple interfaces to have -one- name for all interfaces.
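The two rDNS checks argued over in the last few messages, as an added example that is not code from the thread: the strict "PTR target must resolve back to the same address" test John Levine describes, beside the looser "rev-fwd-rev" test from the reply, both run over a constructed in-memory DNS table that carries the wildcard ip6.arpa PTR quoted above. Every hostname and address other than that wildcard and its target (mta.example.net., 2001:db8::/32 and 192.0.2.0/24 addresses) is made up for the example, and the "one matching address suffices" reading of rev-fwd-rev is an assumption.

```python
"""Forward-confirmed reverse DNS, two ways, over an in-memory DNS table.

Added example, not code from the thread. Everything here except the wildcard
PTR quoted in the thread (*.4.4.3.0.5.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa.) and
its target is constructed: mta.example.net. and the 2001:db8::/32 and
192.0.2.0/24 addresses are documentation/example values.
"""
import ipaddress


def reverse_name(addr: str) -> str:
    """in-addr.arpa / ip6.arpa owner name for an address, with trailing dot."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def lookup_ptr(ptr_table: dict, addr: str):
    """PTR target for addr, or None.

    Simplified wildcard handling: exact owner name first, otherwise the
    '*.<suffix>' entry with the longest matching suffix (the closest-encloser
    subtleties of RFC 4592 are ignored here).
    """
    name = reverse_name(addr)
    if name in ptr_table:
        return ptr_table[name]
    labels = name.split(".")  # trailing dot yields a final empty label
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in ptr_table:
            return ptr_table[wildcard]
    return None


def strict_check(ptr_table: dict, fwd_table: dict, addr: str):
    """The test John Levine describes: the PTR target must itself have an
    A/AAAA record that includes the address being checked."""
    name = lookup_ptr(ptr_table, addr)
    if name is None:
        return False, "no PTR"
    fwd = fwd_table.get(name, set())
    if not fwd:
        return False, f"{name} has no A/AAAA record"
    if ipaddress.ip_address(addr) in {ipaddress.ip_address(a) for a in fwd}:
        return True, name
    return False, f"{name} does not resolve back to {addr}"


def rev_fwd_rev_check(ptr_table: dict, fwd_table: dict, addr: str):
    """The 'rev-fwd-rev' test from the reply: PTR(addr) -> name,
    A/AAAA(name) -> addrs, PTR(addr') for those addrs must give the same name.
    Assumption: one matching address suffices, which is what lets a
    multi-interface host carry one name for all interfaces."""
    name = lookup_ptr(ptr_table, addr)
    if name is None:
        return False, "no PTR"
    fwd = fwd_table.get(name, set())
    if not fwd:
        return False, f"{name} has no A/AAAA record"
    for a in sorted(fwd):
        if lookup_ptr(ptr_table, a) == name:
            return True, name
    return False, f"none of {sorted(fwd)} has PTR {name}"


# Constructed reverse zone data.
PTR_TABLE = {
    reverse_name("2001:db8::1"): "mta.example.net.",
    reverse_name("192.0.2.10"): "mta.example.net.",
    reverse_name("2001:db8:ffff::1"): "a.node.on.vlan344.namn.se.",
    # the wildcard PTR quoted in the thread; it covers 2001:db8:a5:344::/64
    "*.4.4.3.0.5.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa.": "a.node.on.vlan344.namn.se.",
}

# Forward data, John Levine's case: the wildcard target has no A/AAAA at all.
FWD_NO_TARGET = {
    "mta.example.net.": {"2001:db8::1", "192.0.2.10"},  # one name, two interfaces
}

# Forward data, the reply's case: the target resolves to an address in a
# different netblock whose own PTR points back at the same name.
FWD_WITH_TARGET = {
    **FWD_NO_TARGET,
    "a.node.on.vlan344.namn.se.": {"2001:db8:ffff::1"},
}


def compare(addr: str, fwd_table: dict) -> dict:
    """Run both checks for one address and return their verdicts."""
    return {
        "strict": strict_check(PTR_TABLE, fwd_table, addr),
        "rev-fwd-rev": rev_fwd_rev_check(PTR_TABLE, fwd_table, addr),
    }


if __name__ == "__main__":
    for addr, fwd in [("2001:db8::1", FWD_NO_TARGET),
                      ("192.0.2.10", FWD_NO_TARGET),
                      ("2001:db8:a5:344::beef", FWD_NO_TARGET),
                      ("2001:db8:a5:344::beef", FWD_WITH_TARGET)]:
        print(addr, compare(addr, fwd))
```

The last two runs show the disagreement in the thread: with no forward record for the wildcard target both checks fail, and once the target has an AAAA in another netblock whose PTR points back at the same name, rev-fwd-rev passes while the strict check still fails.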
Microsoft Product Activation server reachability
Anybody else having a problem reaching (what appears to be) the sole Microsoft Product Activation server (wpa.one.microsoft.com)?

$ ping wpa.one.microsoft.com
PING wpa.one.microsoft.com (94.245.126.107): 56 data bytes
36 bytes from 213.199.189.41: Communication prohibited by filter

I get this sourcing from our network, from AT&T 3G, and from ye residential DSL connection located in the greater Seattle area. They aren't simply source-filtering. Either that or they are source-filtering for 0.0.0.0/0.

This is apparently the only server/IP they have set up to respond to these requests. wpa.one.microsoft.com resolves to that IP via every DNS server I've tried (so no round-robin A records), Microsoft products that need to activate over the internet only try to resolve that FQDN, and I've looked for others without success (wpa.two.microsoft.com isn't valid, for example).

--
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com
Re: Microsoft Product Activation server reachability
I have just tested from Singapore

[root@trinity ~]# ping wpa.one.microsoft.com
PING wpa.one.microsoft.com (94.245.126.107) 56(84) bytes of data.
From 213.199.189.37 icmp_seq=1 Packet filtered
From 213.199.189.37 icmp_seq=6 Packet filtered

[root@trinity ~]# telnet wpa.one.microsoft.com 443
Trying 94.245.126.107...

[root@trinity ~]# telnet wpa.one.microsoft.com 80
Trying 94.245.126.107...

On 1/11/2013 12:24 PM, Nathan Anderson wrote:
> [...]
Re: Microsoft Product Activation server reachability
- Original Message -
From: Nathan Anderson nath...@fsr.com
To: nanog@nanog.org nanog@nanog.org
Sent: Thursday, January 10, 2013 11:24:16 PM
Subject: Microsoft Product Activation server reachability

> [...]

I am seeing the same from NYC metro. According to MS (http://technet.microsoft.com/en-us/library/bb457159.aspx#ECAA), access to that host on 80 and 443 is all that should be required to activate. (and wpa.one.microsoft.com has no , go figure)

[ben@razor ~]$ ping wpa.one.microsoft.com
PING wpa.one.microsoft.com (94.245.126.107) 56(84) bytes of data.
From 213.199.189.41 icmp_seq=2 Packet filtered
^C
--- wpa.one.microsoft.com ping statistics ---
6 packets transmitted, 0 received, +1 errors, 100% packet loss, time 5260ms

[ben@razor ~]$ telnet wpa.one.microsoft.com 80
Trying 94.245.126.107...
^C
[ben@razor ~]$ telnet wpa.one.microsoft.com 443
Trying 94.245.126.107...
^C

-- Ben
Re: Microsoft Product Activation server reachability
Working now, tested from 3 hosts on different networks on both 80 and 443:

$ telnet wpa.one.microsoft.com 443
Trying 94.245.126.107...
Connected to wpa.one.microsoft.com.
Escape character is '^]'.

  Scott

On Fri, Jan 11, 2013 at 12:02 AM, Ben Carleton carle...@vanoc.net wrote:
> [...]
RE: Microsoft Product Activation server reachability
So the ICMP message "communication prohibited by filter" must be a normal response to ICMP ping through that gateway.

Unfortunately, it's not completely fixed yet, but I'm guessing by this measure of progress that they must be working on it. I now get HTTP 403 in response to any request I send to it. Tried to reactivate this copy of Windows Server once more anyway, and now get "Online activation cannot be completed at this time. (Message number: 24579)". Before, it simply claimed I must not have working internet connectivity.

--
Nathan

-----Original Message-----
From: Scott Howard [mailto:sc...@doc.net.au]
Sent: Thursday, January 10, 2013 10:55 PM
To: Ben Carleton
Cc: Nathan Anderson; nanog@nanog.org
Subject: Re: Microsoft Product Activation server reachability

> [...]