Re: Visio-fu

2013-02-26 Thread Måns Nilsson
Subject: Visio-fu Date: Mon, Feb 25, 2013 at 08:20:34PM + Quoting Warren 
Bailey (wbai...@satelliteintelligencegroup.com):
 All,
 
 I have been searching our beloved internet endlessly for months on 
 information regarding Visio technique. Does anyone have a good resource(s) 
 for advanced visio drawings, or more to the point a good place for high 
 quality connectors? There is some great quality work out there, this is 
 something I found just a little while ago 
 http://www.parallels.com/r/upload/figure2-1.gif
 
 This may not be a visio drawing (do not have any background on it), but I 
 would really dig some resources that you guys out there may or may not use. 
 The cables in that drawing look fantastic to me, so I would really appreciate 
 any guidance you all have in helping me improve my output.

I'd just quit beating the rotting carcass of Visio into producing anything
not appalling and go with OmniGraffle instead.

http://www.omnigroup.com/products/omnigraffle/

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
DON'T go!!  I'm not HOWARD COSELL!!  I know POLISH JOKES ... WAIT!!
Don't go!!  I AM Howard Cosell! ... And I DON'T know Polish jokes!!




Re: Visio-fu

2013-02-26 Thread .
On 25 February 2013 23:22, Michael Hallgren m.hallg...@free.fr wrote:
 Le 25/02/2013 23:15, Warren Bailey a écrit :
 I've seen smart draw. I wish these drawing software companies would port 
 their application over to mac.. Every big design guy I know is a mac fanboy, 
 Adobe has it figured out but smart draw and visio have no excuse. Omni is 
 about the only thing out there, but it is hell to use in my opinion. :)

 Hell is quite structured in the TeX related list I just proposed. :)

 mh

other tool idea:
graphviz could be used to generate braincandy, but not eyecandy (most
graphics generated by graphviz are awesome, but ugly).

also this was cool:
http://www.youtube.com/watch?feature=player_embedded&v=RCa2sjyrUdQ



-- 
--
End of message.



Re: 10 Mbit/s problem in your network

2013-02-26 Thread Rob Seastrom

Owen DeLong o...@delong.com writes:

 N on 5Ghz takes advantage of the increased bandwidth of the 5Ghz
 channel where A merely replicated G on 5Ghz for all practical
 purposes.

You have that backwards, actually, but the legacy support in 802.11g
for 802.11b clients does represent a performance hit even in the
absence of b-only clients, so claiming that a and g are equivalent is
only true on paper.

-r (802.11a user before 802.11g, still love the relatively unoccupied
5 ghz spectrum)




Re: NYT covers China cyberthreat

2013-02-26 Thread Rich Kulawiec
On Thu, Feb 21, 2013 at 11:47:44AM -0600, Naslund, Steve wrote:

[a number of very good points ]

Geoblocking, like passive OS fingerprinting (another technique that
reduces attack surface as measured along one axis but can be defeated
by a reasonably clueful attacker), doesn't really solve problems, per se.
If you have a web app that's vulnerable to SQL injection attacks, then
it's still just as hackable -- all the attacker has to do is try from
somewhere else, from something else.

But...

1. It raises the bar.  And it cuts down on the noise, which is one of the
security meta-problems we face: our logs capture so much cruft, so many
instances of attacks and abuse and mistakes and misconfigurations and
malfunctions, that we struggle to understand what they're trying to tell
us.  That problem is so bad that there's an entire subindustry built
around the task of trying to reduce what's in the logs to something
that a human brain can process in finite time.  Mountains of time
and wads of cash have been spent on the thorny problems that arise
when we try to figure out what to pay attention to and what to ignore...
and we still screw it up.  Often.

So even if the *only* effect of doing so is to shrink the size of
the logs: that's a win.  (And used judiciously, it can be a HUGE win,
as in several orders of magnitude.)  So if your security guy is
as busy as you say...maybe this would be a good idea.

And let me note in passing that by raising the bar, it ensures that
you're faced with a somewhat higher class of attacker.  It's one
thing to be hacked by a competent, diligent adversary who wields
their tools with rapier-like precision; it's another to be owned
by a script kiddie who has no idea what they're doing and doesn't
even read the language your assets are using.  That's just embarrassing.

2. Outbound blocks work too, y'know.  Does anybody in your marketing
department need to reach Elbonia?  If not, then why are you allowing
packets from that group's desktops to go there?  Because either
(a) it's someone doing something they shouldn't or (b) it's something doing
something it shouldn't, as in a bot trying to phone home or a data
exfiltration attack or something else unpleasant.  So if there's
no business need for that group to exchange packets with Elbonia
or any of 82 other countries, why *aren't* you blocking that?

3. Yes, this can turn into a moderate-sized matrix of inbound and
outbound rules.  That's why make(1) and similar tools are your friends,
because they'll let you manage this without needing to resort to scotch
by 9:30 AM.  And yes, sometimes things will break (because something's
changed) -- but the brokenness is the best kind of brokenness: obvious,
deterministic, repeatable, fixable.

It's not hard.  But it does require that you actually know what your
own systems are doing and why.

4. "We were hacked from China" is wearing awfully damn thin as the
feeble whining excuse of people who should have bidirectionally firewalled
out China from their corporate infrastructure (note: not necessarily
their public-facing servers) years ago.  And "our data was exfiltrated
to Elbonia" is getting thin as an excuse too: if you do not have an
organizational need to allow outbound network traffic to Elbonia, then
why the hell are you letting so much as a single packet go there?

Like I said: at least make them work for it.  A little.  Instead of
doing profoundly idiotic things like the NYTimes (e.g., infrastructure
reachable from the planet, using M$ software, actually believing that
anti-virus software will work despite a quarter-century of uninterrupted
failure, etc.).  That's not making them work for it: that's inviting
them in, rolling out the red carpet, and handing them celebratory champagne.

---rsk
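The per-group, bidirectional matrix Rich describes in points 2 and 3, as an added example that is not code from the thread: a business-need table is rendered into ipset and iptables commands for both directions, and the same table answers "would this flow be dropped?" so a breakage can be traced to one rule. The country prefixes and internal ranges are constructed sample data (RFC 5737 and RFC 1918 space, not a real GeoIP feed), and the set names and the FORWARD chain are assumptions.

```python
"""Added example, not code from the thread: a per-group, bidirectional
geoblocking matrix rendered to ipset/iptables commands. Country prefixes and
internal ranges are constructed sample data (RFC 5737 documentation ranges and
RFC 1918 space), not a real GeoIP feed; set and chain names are assumptions."""
import ipaddress

# Constructed stand-in for a "country -> prefixes" feed.
COUNTRY_PREFIXES = {
    "ELB": ["203.0.113.0/24", "2001:db8:e1b::/48"],
    "CN": ["198.51.100.0/24"],
    "US": ["192.0.2.0/24"],
}

# Constructed internal groups with the countries each has a business need to reach.
GROUPS = {
    "marketing": {"net": "10.20.0.0/16", "allow": {"US"}},
    "sales": {"net": "10.30.0.0/16", "allow": {"US", "CN"}},
}

TOOL = {"inet": "iptables", "inet6": "ip6tables"}


def _family(prefix):
    return "inet" if ipaddress.ip_network(prefix).version == 4 else "inet6"


def _networks():
    """(network, country) pairs, most specific first, for longest-prefix matching."""
    nets = [(ipaddress.ip_network(p), cc)
            for cc, prefixes in COUNTRY_PREFIXES.items() for p in prefixes]
    return sorted(nets, key=lambda t: t[0].prefixlen, reverse=True)


def country_of(addr):
    """Country code of the longest matching prefix, or None if the table has none."""
    ip = ipaddress.ip_address(addr)
    for net, cc in _networks():
        if ip.version == net.version and ip in net:
            return cc
    return None


def decide(group, remote_addr):
    """ALLOW or DROP for traffic between an internal group and a remote address,
    in either direction. Only countries the table knows and the group has no
    need for are dropped; unlisted addresses fall through to the normal ruleset."""
    cc = country_of(remote_addr)
    if cc is None or cc in GROUPS[group]["allow"]:
        return "ALLOW"
    return "DROP"


def blocked_matrix():
    """group -> sorted countries to block: everything in the table minus the allow set."""
    return {g: sorted(set(COUNTRY_PREFIXES) - spec["allow"]) for g, spec in GROUPS.items()}


def render_rules():
    """Emit the ipset definitions and the inbound+outbound DROP rules for the matrix.
    Output is deterministic for a given table, so diffing two runs shows exactly
    what changed when something breaks after a feed update."""
    lines = []
    sets = {}  # (country, family) -> member prefixes
    for cc, prefixes in sorted(COUNTRY_PREFIXES.items()):
        for p in prefixes:
            sets.setdefault((cc, _family(p)), []).append(p)
    for (cc, fam), members in sets.items():
        lines.append(f"ipset create cc_{cc}_{fam} hash:net family {fam}")
        lines.extend(f"ipset add cc_{cc}_{fam} {p}" for p in members)
    for group, ccs in blocked_matrix().items():
        net = GROUPS[group]["net"]
        fam = _family(net)
        for cc in ccs:
            if (cc, fam) not in sets:
                continue  # that country has no prefixes of this address family
            s = f"cc_{cc}_{fam}"
            # outbound: the group's desktops talking to the blocked country
            lines.append(f"{TOOL[fam]} -A FORWARD -s {net} -m set --match-set {s} dst -j DROP")
            # inbound: the blocked country reaching the group's desktops
            lines.append(f"{TOOL[fam]} -A FORWARD -d {net} -m set --match-set {s} src -j DROP")
    return lines


if __name__ == "__main__":
    print("\n".join(render_rules()))
    print(decide("marketing", "203.0.113.7"))  # DROP
```

Regenerating the command list from the table in a Makefile target is the make(1) workflow from point 3: the table is the only thing edited by hand, and a rule that stops matching after a feed update is visible in the diff of the rendered output.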



Re: NYT covers China cyberthreat

2013-02-26 Thread Kyle Creyts
I think it is safe to say that finding a foothold inside of the United
States from which to perform/proxy an attack is not the hardest thing
in the world. I don't understand why everyone expects that major
corporations and diligent operators blocking certain countries'
prefixes will help. That being said, you make a solid point to which
people should absolutely listen: applying an understanding of your
business-needs-network-traffic baseline to your firewall rules and
heuristic network detections (in a more precise fashion than just IPs
from country $x) is a SOLID tactic that yields huge security
benefits. Nobody who cares about security should really be able to
argue with it (plenty of those who don't care will hate it, though),
and it makes life _awful_ for any attackers.





-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: 10 Mbit/s problem in your network

2013-02-26 Thread Warren Bailey
Perhaps I don't understand.. Generally in wireless we look at two things; bits 
to hertz and noise components. If the noise is LESS and the carrier is the same 
power spectral density, you will have a greater c/n. I've always wondered why 
wifi didn't implement an array of modcods which can be used with a given 
system. That way, when you attenuate you have lower efficiency modulation and 
coding which will allow you to deal with fades better. Maybe they do use it and 
I'm just not hip to 802.11?


From my Android phone on T-Mobile. The first nationwide 4G network.







Re: Visio-fu

2013-02-26 Thread Warren Bailey
I purchased omni, but it is pretty difficult to get the hang of.. :/


From my Android phone on T-Mobile. The first nationwide 4G network.





BGP RIB Collection

2013-02-26 Thread chip
Hello all,

  I have an application that needs to gather BGP RIB data from the routers
that connect to all of our upstream providers.  Basically I need to know
all the routes available from a particular provider.  Currently I'm
gathering this data via SNMP.  While this works it has its drawbacks: it
takes approximately 20 minutes per view, it's nowhere near real-time, and
I'm unable to gather information for IPv6.  SNMP, however, is faster than
screen scraping.  All of the XML based access methods seem to take about
the same time as well.

  I've been watching, with keen interest, the i2rs ietf workings, but the
project is still in its infancy.  BMP seems to be a good solution but I've
not found a working client implementation yet.  I see that you can actually
configure this on some Juniper gear but I can't seem to locate a client to
ingest the data the router produces.  The BGP Add Paths implementation
seems to be the best choice at the moment and exabgp has a working
implementation.

Are there any other technologies or methods of accessing this data that
I've missed or that you've found useful?

Thanks!

--chip

-- 
Just my $.02, your mileage may vary,  batteries not included, etc


Re: BGP RIB Collection

2013-02-26 Thread Jonathan Lassoff
Personally, I would just use BGP on a PC to collect this information.

Place some import/input policy on your eBGP sessions on your edge
routers to add communities to the routes such that you can recognize
which peers gave you the route.
Then, use an iBGP session to a BIRD or Quagga instance from which you
can dump the routes and filter based on the communities.

Cheers,
jof

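The community-tagging approach above, carried one step further as an added example (not code from the thread or from BIRD): each eBGP import policy is assumed to stamp an ingress community on what it accepts, the tagged RIB is pulled from the BIRD speaker, and the dump is grouped per provider with the attributes the plain CLI summary drops. The community values 65000:1 and 65000:2 are assumptions, and SAMPLE is a constructed, approximate imitation of BIRD 1.x `show route all` output, not a real capture.

```python
"""Added example, not code from the thread: group a community-tagged RIB dump
per upstream and keep the attributes. INGRESS values are assumptions; SAMPLE is
a constructed approximation of BIRD 1.x 'show route all' output (RFC 5737 space)."""
import re

# Assumed ingress communities set by each eBGP session's import policy.
INGRESS = {(65000, 1): "upstreamA", (65000, 2): "upstreamB"}

# Constructed sample dump: two paths for 203.0.113.0/24, one prefix from the
# second upstream only, and one internal route that carries no ingress tag.
SAMPLE = """\
203.0.113.0/24     via 192.0.2.1 on eth0 [upA 12:00:00] * (100) [AS64496i]
\tType: BGP unicast univ
\tBGP.as_path: 64500 64496
\tBGP.next_hop: 192.0.2.1
\tBGP.community: (65000,1) (64500,100)
203.0.113.0/24     via 192.0.2.9 on eth1 [upB 12:00:01] (100) [AS64496i]
\tType: BGP unicast univ
\tBGP.as_path: 64501 64499 64496
\tBGP.next_hop: 192.0.2.9
\tBGP.community: (65000,2)
198.51.100.0/24    via 192.0.2.9 on eth1 [upB 12:00:05] * (100) [AS64499i]
\tType: BGP unicast univ
\tBGP.as_path: 64501 64499
\tBGP.next_hop: 192.0.2.9
\tBGP.community: (65000,2) (64501,3)
192.0.2.128/25     via 10.0.0.1 on eth2 [core 12:00:07] * (100) [AS64497i]
\tType: BGP unicast univ
\tBGP.as_path: 64497
\tBGP.next_hop: 10.0.0.1
\tBGP.community: (64497,1)
"""

ROUTE_RE = re.compile(r"^(?P<prefix>\S+/\d+)\s+(?P<rest>.*)$")
COMMUNITY_RE = re.compile(r"\((\d+),(\d+)\)")


def parse_routes(text):
    """One dict per path: prefix, best flag, AS path (ints) and community set.
    Header lines start in column 0 with the prefix; attribute lines are indented."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"prefix": m["prefix"], "best": " * " in m["rest"],
                           "as_path": [], "community": set()})
        elif line[:1].isspace() and routes:
            key, _, val = line.strip().partition(": ")
            if key == "BGP.as_path":
                routes[-1]["as_path"] = [int(a) for a in val.split()]
            elif key == "BGP.community":
                routes[-1]["community"] = {(int(a), int(b))
                                           for a, b in COMMUNITY_RE.findall(val)}
    return routes


def by_provider(routes):
    """Prefixes grouped by ingress community. A path with no ingress tag lands
    under 'untagged', which is the check that some session's import policy is
    missing; more than one tag lands under 'multi-tagged', which should not happen."""
    out = {}
    for r in routes:
        tags = sorted(INGRESS[c] for c in r["community"] if c in INGRESS)
        label = tags[0] if len(tags) == 1 else ("untagged" if not tags else "multi-tagged")
        out.setdefault(label, set()).add(r["prefix"])
    return {k: sorted(v) for k, v in out.items()}


def paths_for(routes, prefix):
    """Every path seen for a prefix with its AS path and best flag."""
    return [(r["as_path"], r["best"]) for r in routes if r["prefix"] == prefix]


if __name__ == "__main__":
    rib = parse_routes(SAMPLE)
    for provider, prefixes in by_provider(rib).items():
        print(provider, prefixes)
    print(paths_for(rib, "203.0.113.0/24"))
```

Feeding `birdc show route all` into `parse_routes` gives the per-provider view without touching the edge routers again; the 'untagged' bucket is worth alerting on, since an untagged path means an eBGP session is importing routes that the ingress policy never saw.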



Re: Should host/domain names travel over the internet with a trailing dot?

2013-02-26 Thread Valdis . Kletnieks
On Mon, 25 Feb 2013 19:07:20 -0600, Jimmy Hess said:

 If  the domain in a certificate were not interpreted as a FQDN by the
 client,   this would mean,  that the certificate for
 CN=bigbank.example.com
 might be used to authenticate a connection to  https://bigbank.example.com
 which do the local resolver search order, is in fact a DNS lookup of
 bigbank.example.com.intranet.example.com

 Which might be captured by a Wildcard A record for  *.com  found in
 the   intranet.example.com.   zone  and pointed to a server
 containing a phishing attack against bigbank.example.com;   with  a
 DNS cache poisoned by  a false negative cache NXDOMAIN entry   for
 bigbank.example.com.

I am *sooo* tempted to say I recommend my competitors do DNS lookups this way

:)
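The failure mode quoted above, walked through as an added example (not code from the thread): a model of resolv.conf search/ndots handling shows which names a stub resolver actually looks up for `bigbank.example.com` with and without the trailing dot, and a constructed zone reproduces the negative-cache plus wildcard combination. The search domain, addresses and records are constructed sample data in RFC 5737 space; the wildcard matching is a simplification of the real rules.

```python
"""Added example, not code from the thread: search-list expansion of a name
without a trailing dot, run against constructed DNS answers. The search list,
zone records and address are constructed; the resolver model is simplified."""

SEARCH = ("intranet.example.com",)  # constructed search list from resolv.conf
NXDOMAIN = None

# Constructed answers: the real name sits in a (poisoned) negative cache, and
# the intranet zone carries an attacker-controlled wildcard A record.
ZONE = {
    "bigbank.example.com.": NXDOMAIN,
    "*.com.intranet.example.com.": "203.0.113.66",
}


def search_candidates(name, search=SEARCH, ndots=1):
    """Absolute names a stub resolver tries, in order. A trailing dot marks the
    name as already absolute, so no search-list expansion happens at all;
    otherwise a name with at least `ndots` dots is tried as-is first and then
    with each search domain appended (fewer dots: search domains first, as-is last)."""
    if name.endswith("."):
        return [name]
    as_is = name + "."
    expanded = [f"{name}.{d}." for d in search]
    return [as_is] + expanded if name.count(".") >= ndots else expanded + [as_is]


def lookup(fqdn, zone=ZONE):
    """Exact record first (a cached NXDOMAIN counts as an answer), then a
    simplified wildcard match: '*.suffix' covers any name ending in '.suffix'."""
    if fqdn in zone:
        return zone[fqdn]
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in zone:
            return zone[wildcard]
    return NXDOMAIN


def resolve(name, **kw):
    """Walk the candidates and return (name_actually_resolved, address) for the
    first answer, or (None, None) when every candidate is NXDOMAIN."""
    for cand in search_candidates(name, **kw):
        addr = lookup(cand)
        if addr is not NXDOMAIN:
            return cand, addr
    return None, None


if __name__ == "__main__":
    print(resolve("bigbank.example.com"))   # falls through to the wildcard
    print(resolve("bigbank.example.com."))  # absolute name: NXDOMAIN, no fallback
```

With the trailing dot the second lookup never happens, which is the point of the thread: a client that treats the host in the URL and the name in the certificate as FQDNs has nothing for the wildcard to catch.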




Re: 10 Mbit/s problem in your network

2013-02-26 Thread Neil Harris

On 26/02/13 17:19, Warren Bailey wrote:

Perhaps I don't understand.. Generally in wireless we look at two things; bits 
to hertz and noise components. If the noise is LESS and the carrier is the same 
power spectral density, you will have a greater c/n. I've always wondered why 
wifi didn't implement an array of modcods which can be used with a given 
system. That way, when you attenuate you have lower efficiency modulation and 
coding which will allow you to deal with fades better. Maybe they do use it and 
I'm just not hip to 802.11?


They do it, all right, and much, much more, including MIMO -- 802.11 
has evolved into something only marginally less complex than the mobile 
phone wireless stack in the process.


-- N.




Re: BGP RIB Collection

2013-02-26 Thread Nick Hilliard
On 26/02/2013 17:24, chip wrote:
 Currently I'm gathering this data via SNMP.

whoa, you must really hate your router to do that to it.

 While this works it has its draw backs, it
 takes approximately 20 minutes per view, its nowhere near real-time, and
 I'm unable to gather information for IPv6.  SNMP, however, is faster than
 screen scraping.  All of the XML based access methods seem to take about
 the same time as well.

cisco:
--
term len 0
show bgp ipv4 unicast neigh x.y.z.w received-routes
--

juniper:
--
show route receive-protocol bgp x.y.z.w | no-more
--

Easily scriptable using rancid or something similar.  Of course, this sucks
because you're only seeing the route summary, not any of the attributes.

 project is still in its infancy.  BMP seems to be a good solution but I've
 not found a working client implementation yet.  I see that you can actually
 configure this on some Juniper gear but I can't seem to locate a client to
 ingest the data the router produces.

Can you provide a list of the clients that you have tried?  It would save
people the effort of going through them and finding out the same things as
you did.

Nick





Re: BGP RIB Collection

2013-02-26 Thread John Kemp

I'll chime in with what we are doing with quagga and bgpmon.
The question though would be for how many peers?  If it is
for the sake of discussion, less than 20, something like this
might work.

http://bgpmon.netsec.colostate.edu/download/src/bgpmon-7.2.4.tar.gz
http://rmcwic.ucar.edu/sites/default/files/posters/csuconf-final19.pdf

We do some of this.  The pure BGPmon way is to have neighbors
peer directly with a BGPmon server.  We've extended this a bit
and we can stream quagga MRT update files into a bgpmon server as well.
Then the BGPmon server internally constructs RIBs per session.
Output format is XML, and the paper linked above describes some of
the perl tools there are to look at xml streams.

So you can get a RIB stream or an UPDATE stream from the
BGPmon server.  At some scale, this might give you what you need.
I think the BMP solution looks pretty nice as well, since you
are as close to your true platform as you can get.  So I would
also be interested in hearing if you find existing client code
to parse the BMP.

John Kemp (k...@routeviews.org)






Re: 10 Mbit/s problem in your network

2013-02-26 Thread Jeroen van Aart

On 02/09/2013 07:55 PM, Constantine A. Murenin wrote:

When you are staying at a 3* hotel, should you have no expectations
that you'll be getting at least a 3Mbps pipe and at least an under
100ms average latency, and won't be getting a balancer that would be
breaking up your ssh sessions?


Correct, one should not have expectations of fast reliable internet with 
low latency in a hotel.


For many reasons:

- internet connectivity at a hotel is just another free amenity like 
after shave or a hair net, be glad you can at least check your email :-)


- a hotel room is (should be) used for sleeping, having sex, watching 
the tv idly, not for work (except emergencies and the likes), even when 
you're on a work trip. Use an actual office for work.


- such internet connectivity doesn't exist to begin with for the average 
consumer in the USA


Granted if a hotel markets itself as a business hotel in a business area 
it should include at least half decent internet connectivity, otherwise 
forget it and be glad you can spend some time away from the hedonistic 
attractions of the net.


Greetings,
Jeroen

--
Earthquake Magnitude: 4.2
Date: Tuesday, February 26, 2013 22:33:45 UTC
Location: Gulf of Alaska
Latitude: 59.6203; Longitude: -142.6829
Depth: 1.00 km



Re: 10 Mbit/s problem in your network

2013-02-26 Thread Valdis . Kletnieks
On Tue, 26 Feb 2013 17:45:18 -0800, Jeroen van Aart said:

 Correct, one should not have expectations of fast reliable internet with
 low latency in a hotel.

The part that always puzzled me is why a major high-tier chain like Hilton
can't get it right, but a Motel 6 can... :)




Re: 10 Mbit/s problem in your network

2013-02-26 Thread Jay Ashworth
- Original Message -
 From: Jeroen van Aart jer...@mompl.net

 - internet connectivity at a hotel is just another free amenity like
 after shave or a hair net, be glad you can at least check your email
 :-)

It is like hell.  It is very often not only paid, but *unreasonably*
expensive ($5-10 a *day*).  If you don't know this, it's because you
either 1) never looked, 2) were always in hotels on group rates where
free access was negotiated in the contract or 3) were very very lucky.

 Granted if a hotel markets itself as a business hotel in a business area
 it should include at least half decent internet connectivity, otherwise
 forget it and be glad you can spend some time away from the hedonistic
 attractions of the net.

One word: Conventions.

No, it really *isn't* acceptable for a hotel not to have decent 
connectivity these days; would you tolerate a hotel where the power went
out from 8-midnight every day?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: 10 Mbit/s problem in your network

2013-02-26 Thread Jay Ashworth
- Original Message -
 From: Valdis Kletnieks valdis.kletni...@vt.edu

 On Tue, 26 Feb 2013 17:45:18 -0800, Jeroen van Aart said:
  Correct, one should not have expectations of fast reliable internet
  with low latency in a hotel.
 
 The part that always puzzled me is why a major high-tier chain like
 Hilton can't get it right, but a Motel 6 can... :)

Ironically, I suspect that it's for the same reason that East Germany has
right up to the minute telephony services these days, while West Germany is
still sucking hind tit:

The big properties are, over all, likely to skew somewhat older in 
building construction, and because of that, they're not built/wired
for the internal transport; too much rebar in the walls blocking wifi
and stuff like that.

Plus they have more corporate inertia in actually getting it done.

Or, they just don't care.  They don't have to.  They're... oh, nevermind.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: 10 Mbit/s problem in your network

2013-02-26 Thread Randy


--- On Tue, 2/26/13, valdis.kletni...@vt.edu valdis.kletni...@vt.edu wrote:

 From: valdis.kletni...@vt.edu valdis.kletni...@vt.edu
 Subject: Re: 10 Mbit/s problem in your network
 To: Jeroen van Aart jer...@mompl.net
 Cc: nanog@nanog.org
 Date: Tuesday, February 26, 2013, 6:30 PM
 On Tue, 26 Feb 2013 17:45:18 -0800,
 Jeroen van Aart said:
 
  Correct, one should not have expectations of fast
 reliable internet with
  low latency in a hotel.
 
 The part that always puzzled me is why a major high-tier
 chain like Hilton
 can't get it right, but a Motel 6 can... :)


...sure they can but don't want to because *customers* will still come!
Motel 6 on the other hand, does not have that cachet and has to try harder!
Just Economics; nothing personal...;-)
./Randy



Re: BGP RIB Collection

2013-02-26 Thread Randy
*received-routes*?
If you still enable soft-reconfig-inbound on your routers (customer-facing 
sessions notwithstanding), you most certainly hate your routers more than 
the OP...;-)
./Randy





Re: 10 Mbit/s problem in your network

2013-02-26 Thread Owen DeLong

On Feb 26, 2013, at 5:45 PM, Jeroen van Aart jer...@mompl.net wrote:

 On 02/09/2013 07:55 PM, Constantine A. Murenin wrote:
 When you are staying at a 3* hotel, should you have no expectations
 that you'll be getting at least a 3Mbps pipe and at least an under
 100ms average latency, and won't be getting a balancer that would be
 breaking up your ssh sessions?
 
 Correct, one should not have expectations of fast reliable internet with low 
 latency in a hotel.
 
 For many reasons:
 
 - internet connectivity at a hotel is just another free amenity like after 
 shave or a hair net, be glad you can at least check your email :-)
 

This argument fails when compared to my real world observations.

In general, my experience has been that the hotels that offer wifi as a free 
amenity have relatively uncomplicated systems, you get a password (if one is 
required at all) when you check in or when you ask for it and it just works.

In contrast, the more expensive hotels that charge have elaborate systems 
designed to make sure they can capture that revenue and that nobody gets on 
without paying. These systems are often poorly implemented, poorly managed and 
extremely prone to various forms of failure resulting in a loss of 
connectivity. The people at the other end of the phone when one calls about 
such problems tend to think nothing of rebooting WAPs, etc. in order to try and 
shotgun the user's problem, creating a multitude of additional failures for 
all the other users.

 - a hotel room is (should be) used for sleeping, having sex, watching the tv 
 idly, not for work (except emergencies and the likes), even when you're on a 
 work trip. Use an actual office for work.
 

This is a rather arrogant value judgment for you to think that you have a right 
to inflict on everyone else.

 - such internet connectivity doesn't exist to begin with for the average 
 consumer in the USA
 

I'm not sure I go quite that far, but, yes, it is not uncommon for people to 
have less than this level of connectivity in their residential environments in 
the US.

 Granted if a hotel markets itself as a business hotel in a business area it 
 should include at least half decent internet connectivity, otherwise forget 
 it and be glad you can spend some time away from the hedonistic attractions 
 of the net.

Yet my experience has been that to a large extent, the reverse is true. I am 
more likely to get better internet connectivity from a low-budget tourist motel 
in a tourist area than from a business hotel in a business area.

Hilton owned properties are among the worst in this respect and my recent 
experience at the Hilton LAX has confirmed that they haven't gotten any better.


Owen




Re: 10 Mbit/s problem in your network

2013-02-26 Thread Warren Bailey
Clearly a person making a comment about high speed Internet not being important 
in hotel rooms has not tried to stream the type of entertainment generally 
viewed in a hotel room. You view a movie that buffers every 10 seconds, it 
has a fantastic way of killing the moment.. ;)


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: Jay Ashworth j...@baylink.com
Date: 02/26/2013 6:47 PM (GMT-08:00)
To: NANOG nanog@nanog.org
Subject: Re: 10 Mbit/s problem in your network


- Original Message -
 From: Jeroen van Aart jer...@mompl.net

 - internet connectivity at a hotel is just another free amenity like
 after shave or a hair net, be glad you can at least check your email
 :-)

It is like hell.  It is very often not only paid, but *unreasonably*
expensive ($5-10 a *day*).  If you don't know this, it's because you
either 1) never looked, 2) were always in hotels on group rates where
free access was negotiated in the contract or 3) were very very lucky.

 Granted if a hotel markets itself as a business hotel in a business area
 it should include at least half decent internet connectivity, otherwise
 forget it and be glad you can spend some time away from the hedonistic
 attractions of the net.

One word: Conventions.

No, it really *isn't* acceptable for a hotel not to have decent
connectivity these days; would you tolerate a hotel where the power went
out from 8-midnight every day?

Cheers,
-- jra
--
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274




Re: 10 Mbit/s problem in your network

2013-02-26 Thread Warren Bailey
And the fact that a Motel 6 is generally owned by a private owner, versus big 
box chains that are massively corporate. As Internet is free, it's a bit of a 
concern to them. The little guy has to try harder, which generally leads to a 
better service.


From my Android phone on T-Mobile. The first nationwide 4G network.



 Original message 
From: Randy randy_94...@yahoo.com
Date: 02/26/2013 6:56 PM (GMT-08:00)
To: Jeroen van Aart jer...@mompl.net,valdis.kletni...@vt.edu
Cc: nanog@nanog.org
Subject: Re: 10 Mbit/s problem in your network




--- On Tue, 2/26/13, valdis.kletni...@vt.edu valdis.kletni...@vt.edu wrote:

 From: valdis.kletni...@vt.edu valdis.kletni...@vt.edu
 Subject: Re: 10 Mbit/s problem in your network
 To: Jeroen van Aart jer...@mompl.net
 Cc: nanog@nanog.org
 Date: Tuesday, February 26, 2013, 6:30 PM
 On Tue, 26 Feb 2013 17:45:18 -0800,
 Jeroen van Aart said:

  Correct, one should not have expectations of fast
 reliable internet with
  low latency in a hotel.

 The part that always puzzled me is why a major high-tier
 chain like Hilton
 can't get it right, but a Motel 6 can... :)


...sure they can but don't want to because *customers* will still come!
Motel 6, on the other hand, does not have that cachet and has to try harder!
Just economics; nothing personal...;-)
./Randy




Re: 10 Mbit/s problem in your network

2013-02-26 Thread Owen DeLong

On Feb 26, 2013, at 6:49 PM, Jay Ashworth j...@baylink.com wrote:

 - Original Message -
 From: Valdis Kletnieks valdis.kletni...@vt.edu
 
 On Tue, 26 Feb 2013 17:45:18 -0800, Jeroen van Aart said:
 Correct, one should not have expectations of fast reliable internet
 with low latency in a hotel.
 
 The part that always puzzled me is why a major high-tier chain like
 Hilton can't get it right, but a Motel 6 can... :)
 
 Ironically, I suspect that it's for the same reason that East Germany has
 right up to the minute telephony services these days, while West Germany is
 still sucking hind tit:
 
 The big properties are, overall, likely to skew somewhat older in 
 building construction, and because of that, they're not built/wired
 for the internal transport; too much rebar in the walls blocking wifi
 and stuff like that.
 

In fact, many of the hotels that have solved this intelligently have simply
placed DSLAMs in the phone room and run DSL to each room with
a relatively inexpensive (especially when you buy 500 of them at a time)
DSL modem in each room. Some also have wifi, some have wifi in the room
from the DSL modem, but in most cases, these have been among the
best functioning solutions in some of the larger properties.

 Plus they have more corporate inertia in actually getting it done.
 

Hyatt does a consistently better job of this than Hilton in my experience.
Same with Motel 6.

I would expect them to have roughly equivalent corporate inertia.


 Or, they just don't care.  They don't have to.  They're... oh, never mind.

I think this is the larger factor, yes.

Owen




Re: 10 Mbit/s problem in your network

2013-02-26 Thread Jay Ashworth
 Original Message -
 From: Owen DeLong o...@delong.com

[ quoting me ]
  Ironically, I suspect that it's for the same reason that East Germany has
  right up to the minute telephony services these days, while West Germany is
  still sucking hind tit:
 
  The big properties are, overall, likely to skew somewhat older in
  building construction, and because of that, they're not built/wired
  for the internal transport; too much rebar in the walls blocking
  wifi and stuff like that.

A comment off list pointed out to me that sometimes, it's the reverse: 

The property jumped on-board in the late nineties, putting in a system
worthy of the next decade...

and has never updated it, cause it's good enough.

Cheers,
-- jr 'sorry to hijack your post to quote myself, Owen' a
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: 10 Mbit/s problem in your network

2013-02-26 Thread Jeff Kell
On 2/26/2013 10:57 PM, Owen DeLong wrote:
 In fact, many of the hotels that have solved this intelligently have
 simply placed DSLAMs in the phone room and run DSL to each room with a
 relatively inexpensive (especially when you buy 500 of them at a time)
 DSL modem in each room. Some also have wifi, some have wifi in the
 room from the DSL modem, but in most cases, these have been among the
 best functioning solutions in some of the larger properties.

While other more brain-dead properties are streaming their TV content
over wireless (have seen this more than once)...

Jeff




RE: 10 Mbit/s problem in your network

2013-02-26 Thread Nathan Anderson
On Tuesday, February 26, 2013 7:58 PM, Owen DeLong mailto:o...@delong.com 
wrote:

 In fact, many of the hotels that have solved this intelligently have
 simply 
 placed DSLAMs in the phone room and run DSL to each room with
 a relatively inexpensive (especially when you buy 500 of them at a time)
 DSL modem in each room.

...or more likely (at least in my own probably limited experience), a CMTS and 
cable modems instead of a DSLAM and DSL modems.  Probably because so many of 
these hotels have an existing digital PBX system that drives all the phones in 
the rooms which isn't going to take very kindly to sharing its copper with a 
DSLAM, and because they already have coax run throughout the place to drive the 
televisions.  Easier to share the existing coax with a CMTS than it is to 
stretch a bunch of new telephone wire dedicated just to DSL; I mean, at that 
point, you might as well just pull some Ethernet.

-- 
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com



Hotel internet connectivity

2013-02-26 Thread Jay Ashworth
- Original Message -
 From: Nathan Anderson nath...@fsr.com

  In fact, many of the hotels that have solved this intelligently have
  simply placed DSLAMs in the phone room and run DSL to each room with
  a relatively inexpensive (especially when you buy 500 of them at a
  time) DSL modem in each room.
 
 ...or more likely (at least in my own probably limited experience), a
 CMTS and cable modems instead of a DSLAM and DSL modems.

I don't spend a lot of time in a lot of hotels, but every hardwire I 
have seen with my own personal eyeballs was indeed DSL.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: Hotel internet connectivity

2013-02-26 Thread Jeff Kell
On 2/26/2013 11:35 PM, Jay Ashworth wrote:
 I don't spend a lot of time in a lot of hotels, but every hardwire I
 have seen with my own personal eyeballs was indeed DSL. Cheers, -- jra 

Hrmm...  Ramada Inn, Okaloosa Island resort outside Fort Walton Beach
(kinda your neighborhood Jay) two years ago had Cisco LRE boxes in the
room for wired connectivity (no wireless when I was there).

And lots of actual ethernet elsewhere.

Jeff




Question about FibroLAN Falcon-x

2013-02-26 Thread Rod James Bio

Hello All!

Just a quick question. Anybody here had experience with Falcon-X of 
Fibrolan?

How do you rate it as a MetroE ring switch? They have a very competitive price
and we are now considering using them.


P.S.
I'm not sure if this kind of question is allowed on this list; if not, I
would appreciate even a private mail to me.

Thanks!

--
Rod Bio




Re: 10 Mbit/s problem in your network

2013-02-26 Thread Constantine A. Murenin
On 26 February 2013 20:03, Jay Ashworth j...@baylink.com wrote:
  Original Message -
 From: Owen DeLong o...@delong.com

 [ quoting me ]
   Ironically, I suspect that it's for the same reason that East Germany has
   right up to the minute telephony services these days, while West Germany is
   still sucking hind tit:
  
   The big properties are, overall, likely to skew somewhat older in
   building construction, and because of that, they're not built/wired
   for the internal transport; too much rebar in the walls blocking
   wifi and stuff like that.

 A comment off list pointed out to me that sometimes, it's the reverse:

 The property jumped on-board in the late nineties, putting in a system
 worthy of the next decade...

 and has never updated it, cause it's good enough.

Brand new Hyatt Place in NorCal, less than 2 years old, Fast Ethernet
in every room:

This is a smokeping of their SureWest (ADSL or FTTH) connection, all
within NorCal, ~20ms latency on a good millisecond:

http://www.dslreports.com/r3/smokeping.cgi?target=network.9b37669cada3f00d348b647453067844.CA1
(half-second latency is common, above 1s latency is not unheard of)

This is a smokeping of their ATT (T1?), which seems to be only
marginally better, but on a good millisecond, it's only 10ms:

http://www.dslreports.com/r3/smokeping.cgi?target=network.bb79d93501996d88968e851234250c6a.CA1

Time on the graph is in dslr timezone (ET), not in hotel's time (PT),
but the trends are pretty obvious.

Now.  Good luck typing and then editing that rm -rf in your ssh!
Or picking up that conference call through a VPN.

C.



Re: 10 Mbit/s problem in your network

2013-02-26 Thread Owen DeLong

On Feb 26, 2013, at 8:23 PM, Nathan Anderson nath...@fsr.com wrote:

 On Tuesday, February 26, 2013 7:58 PM, Owen DeLong mailto:o...@delong.com 
 wrote:
 
 In fact, many of the hotels that have solved this intelligently have
 simply 
 placed DSLAMs in the phone room and run DSL to each room with
 a relatively inexpensive (especially when you buy 500 of them at a time)
 DSL modem in each room.
 
 ...or more likely (at least in my own probably limited experience), a CMTS 
 and cable modems instead of a DSLAM and DSL modems.  Probably because so many 
 of these hotels have an existing digital PBX system that drives all the 
 phones in the rooms which isn't going to take very kindly to sharing its 
 copper with a DSLAM, and because they already have coax run throughout the 
 place to drive the televisions.  Easier to share the existing coax with a 
 CMTS than it is to stretch a bunch of new telephone wire dedicated just to 
 DSL; I mean, at that point, you might as well just pull some Ethernet.
 

I haven't encountered many CMTS-based systems in hotels where I've stayed (and 
I stay in quite a few every year).

In most cases, the digital phone system uses 1 pair of the 2-pair wiring and 
the DSL modem uses the other pair.

Owen




Re: NYT covers China cyberthreat

2013-02-26 Thread Adele Thompson
On Tue, Feb 26, 2013 at 8:39 AM, Kyle Creyts kyle.cre...@gmail.com wrote:

 I think it is safe to say that finding a foothold inside of the United
 States from which to perform/proxy an attack is not the hardest thing
 in the world. I don't understand why everyone expects that major
 corporations and diligent operators blocking certain countries'
 prefixes will help. That being said, you make a solid point to which
 people should absolutely listen: applying an understanding of your
 business-needs-network-traffic baseline to your firewall rules and
 heuristic network detections (in a more precise fashion than just IPs
 from country $x) is a SOLID tactic that yields huge security
 benefits. Nobody who cares about security should really be able to
 argue with it (plenty of those who don't care will hate it, though),
 and it makes life _awful_ for any attackers.

 On Tue, Feb 26, 2013 at 3:43 AM, Rich Kulawiec r...@gsp.org wrote:
  On Thu, Feb 21, 2013 at 11:47:44AM -0600, Naslund, Steve wrote:
 
  [a number of very good points ]
 
  Geoblocking, like passive OS fingerprinting (another technique that
  reduces attack surface as measured along one axis but can be defeated
  by a reasonably clueful attacker), doesn't really solve problems, per se.
  If you have a web app that's vulnerable to SQL injection attacks, then
  it's still just as hackable -- all the attacker has to do is try from
  somewhere else, from something else.
 
  But...
 
  1. It raises the bar.  And it cuts down on the noise, which is one of the
  security meta-problems we face: our logs capture so much cruft, so many
  instances of attacks and abuse and mistakes and misconfigurations and
  malfunctions, that we struggle to understand what they're trying to tell
  us.  That problem is so bad that there's an entire subindustry built
  around the task of trying to reduce what's in the logs to something
  that a human brain can process in finite time.  Mountains of time
  and wads of cash have been spent on the thorny problems that arise
  when we try to figure out what to pay attention to and what to ignore...
  and we still screw it up.  Often.
 
  So even if the *only* effect of doing so is to shrink the size of
  the logs: that's a win.  (And used judiciously, it can be a HUGE win,
  as in several orders of magnitude.)  So if your security guy is
  as busy as you say...maybe this would be a good idea.
 
  And let me note in passing that by raising the bar, it ensures that
  you're faced with a somewhat higher class of attacker.  It's one
  thing to be hacked by a competent, diligent adversary who wields
  their tools with rapier-like precision; it's another to be owned
  by a script kiddie who has no idea what they're doing and doesn't
  even read the language your assets are using.  That's just embarrassing.
 
  2. Outbound blocks work too, y'know.  Does anybody in your marketing
  department need to reach Elbonia?  If not, then why are you allowing
  packets from that group's desktops to go there?  Because either
  (a) it's someone doing something they shouldn't or (b) it's something doing
  something it shouldn't, as in a bot trying to phone home or a data
  exfiltration attack or something else unpleasant.  So if there's
  no business need for that group to exchange packets with Elbonia
  or any of 82 other countries, why *aren't* you blocking that?
 
  3. Yes, this can turn into a moderate-sized matrix of inbound and
  outbound rules.  That's why make(1) and similar tools are your friends,
  because they'll let you manage this without needing to resort to scotch
  by 9:30 AM.  And yes, sometimes things will break (because something's
  changed) -- but the brokenness is the best kind of brokenness: obvious,
  deterministic, repeatable, fixable.
 
  It's not hard.  But it does require that you actually know what your
  own systems are doing and why.
 
  4. We were hacked from China is wearing awfully damn thin as the
  feeble whining excuse of people who should have bidirectionally firewalled
  out China from their corporate infrastructure (note: not necessarily
  their public-facing servers) years ago.  And our data was exfiltrated
  to Elbonia is getting thin as an excuse too: if you do not have an
  organizational need to allow outbound network traffic to Elbonia, then
  why the hell are you letting so much as a single packet go there?
 
  Like I said: at least make them work for it.  A little.  Instead of
  doing profoundly idiotic things like the NYTimes (e.g., infrastructure
  reachable from the planet, using M$ software, actually believing that
  anti-virus software will work despite a quarter-century of uninterrupted
  failure, etc.).  That's not making them work for it: that's inviting
  them in, rolling out the red carpet, and handing them celebratory champagne.
 
  ---rsk
 



 --
 Kyle Creyts

 Information Assurance Professional
 BSidesDetroit Organizer



I've been doing some thinking about the internet tonight and came across
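
The bidirectional, per-group country blocks Rich describes, and the log
noise reduction he argues for, come from the same table.  The script below
is an added example for this thread, not code posted by anyone in it.  The
country-to-prefix table and the business-need matrix are constructed from
documentation address ranges (RFC 5737 / RFC 3849) and stand in for a real
GeoIP feed and for whatever your own groups actually need; "EL" is
Elbonia, the thread's placeholder country.  The log lines are constructed
too, in the kernel LOG-target style.

```python
"""Bidirectional per-group country blocks, plus log triage from the same table.
Added example; constructed data only (RFC 5737 / RFC 3849 ranges, not GeoIP)."""
import ipaddress
import re
from collections import Counter

COUNTRY_PREFIXES = {                       # constructed, not real geolocation data
    "US": ["198.51.100.0/24", "2001:db8:100::/48"],
    "DE": ["203.0.113.0/25"],
    "EL": ["203.0.113.128/25", "2001:db8:e1::/48"],
}

POLICY = {                                 # constructed business-need matrix
    "marketing":   {"nets": ["10.10.0.0/24", "2001:db8:a::/64"], "allow": {"US", "DE"}},
    "engineering": {"nets": ["10.20.0.0/24"], "allow": {"US", "DE", "EL"}},
}

_NETS = [(ipaddress.ip_network(p), cc)
         for cc, plist in COUNTRY_PREFIXES.items() for p in plist]
_GROUPS = [(ipaddress.ip_network(n), g)
           for g, spec in POLICY.items() for n in spec["nets"]]


def _lookup(addr, table):
    """Longest-prefix match of addr in [(network, label)]; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, label) for net, label in table
            if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None


def country_of(addr):
    return _lookup(addr, _NETS)


def group_of(addr):
    return _lookup(addr, _GROUPS)


def blocked_countries(group):
    """Countries the group has no business need for: blocked in both directions."""
    return sorted(set(COUNTRY_PREFIXES) - POLICY[group]["allow"])


def render_nft():
    """Emit nftables rules as text (nothing is loaded here): for every group and
    every country it may not talk to, one inbound and one outbound drop rule per
    matching address family.  A real deployment would use interval sets and a
    default-drop policy; plain rules keep the generated text readable."""
    out = ["table inet geo {", "  chain forward {",
           "    type filter hook forward priority 0; policy accept;"]
    for group, spec in POLICY.items():
        for cc in blocked_countries(group):
            for gnet in spec["nets"]:
                ver = ipaddress.ip_network(gnet).version
                proto = "ip" if ver == 4 else "ip6"
                for p in COUNTRY_PREFIXES[cc]:
                    if ipaddress.ip_network(p).version != ver:
                        continue
                    out.append(f'    {proto} saddr {p} {proto} daddr {gnet} counter drop '
                               f'comment "{group} from {cc}"')
                    out.append(f'    {proto} saddr {gnet} {proto} daddr {p} counter drop '
                               f'comment "{group} to {cc}"')
    out += ["  }", "}"]
    return "\n".join(out)


LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+)")

SAMPLE_LOG = [  # constructed, kernel LOG-target style; not captured traffic
    "GEO IN=eth0 SRC=203.0.113.130 DST=10.10.0.7 PROTO=TCP DPT=445",         # EL -> marketing
    "GEO IN=eth0 SRC=203.0.113.131 DST=10.10.0.7 PROTO=TCP DPT=445",         # EL -> marketing
    "GEO OUT=eth0 SRC=2001:db8:a::9 DST=2001:db8:e1::10 PROTO=TCP DPT=443",  # marketing -> EL
    "GEO IN=eth0 SRC=203.0.113.130 DST=10.20.0.5 PROTO=TCP DPT=22",          # EL -> engineering
    "GEO IN=eth0 SRC=198.51.100.20 DST=10.10.0.7 PROTO=TCP DPT=80",          # US -> marketing
    "GEO IN=eth0 SRC=192.0.2.1 DST=10.10.0.7 PROTO=UDP DPT=53",              # unmapped source
]


def triage(lines):
    """Split firewall log lines into what the policy already explains (counted,
    not read) and what a human still has to look at.  Returns (counts, review)."""
    counts, review = Counter(), []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            counts["unparsed"] += 1
            review.append(line)
            continue
        src, dst = m.groups()
        group = group_of(src) or group_of(dst)
        if group is None:
            counts["no_group"] += 1
            review.append(line)
            continue
        ext = dst if group_of(src) else src          # the non-internal side
        cc = country_of(ext)
        if cc is None:
            counts["unmapped"] += 1
            review.append(line)
        elif cc in POLICY[group]["allow"]:
            counts["allowed"] += 1
            review.append(line)
        else:
            counts["policy_drop"] += 1               # expected noise: count it, move on
    return counts, review


if __name__ == "__main__":
    print(render_nft())
    counts, review = triage(SAMPLE_LOG)
    print(dict(counts))
    print("\n".join(review))
```

Running it prints the ruleset and then the triage: three of the six
constructed lines are Elbonia traffic to or from marketing, which the
policy already drops, so they are counted and never reach the review list;
the remaining three (allowed-country traffic and an unmapped source) are
what the analyst actually reads.  The policy matrix is the single input to
both outputs, which is the point of Rich's make(1) remark: regenerate the
rules when the matrix changes, and the breakage is deterministic.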

Re: BGP RIB Collection

2013-02-26 Thread ポール・ロラン
Hello,

On Tue, 26 Feb 2013 12:24:00 -0500
chip chip.g...@gmail.com wrote:

   I have an application that needs to gather BGP RIB data from the routers
  that connect to all of our upstream providers.  Basically I need to know
  all the routes available from a particular provider.  Currently I'm
  gathering this data via SNMP.  While this works it has its drawbacks: it
  takes approximately 20 minutes per view, it's nowhere near real-time, and
  I'm unable to gather information for IPv6.  SNMP, however, is faster than
  screen scraping.  All of the XML based access methods seem to take about
  the same time as well.

To do that, I've set up a peering session between a router and a Linux
running exabgp connected to a script in which I can do any kind of
processing I want on BGP updates that are forwarded from the router to
exabgp to the script.

Best,
Paul

-- 
TelcoTV Awards 2011 - Witbe winner in Innovation in Test & Measurement

Paul Rolland                    E-Mail : rol(at)witbe.net
CTO - Witbe.net SA              Tel. +33 (0)1 47 67 77 77
Les Collines de l'Arche         Fax. +33 (0)1 47 67 77 99
F-92057 Paris La Defense        RIPE : PR12-RIPE

LinkedIn : http://www.linkedin.com/in/paulrolland
Skype: rollandpaul

I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that 10
or 15 years from now, she will come to me and say 'Daddy, where were you
when they took freedom of the press away from the Internet?'
--Mike Godwin, Electronic Frontier Foundation 




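
The exabgp approach Paul describes hands the router's updates to a process
as one JSON message per line.  Below is an added example of such a process
that keeps a per-peer RIB for both IPv4 and IPv6, the part chip was missing
with SNMP; it is not Paul's script and not exabgp's own code.  The message
shape it parses (type / neighbor / message / update / announce / withdraw)
is the exabgp 4.x JSON encoder as the author recalls it, so verify the field
names against your installed version before relying on it.  The peer,
ASNs and prefixes are constructed from documentation ranges.

```python
"""Per-peer RIB built from an exabgp JSON API stream.
Added example; the message layout assumes the exabgp 4.x JSON encoder as
recalled by the author (check against your version), and all peers, ASNs and
prefixes are constructed documentation values."""
import json
import sys
from collections import defaultdict

PEER = {"address": {"local": "192.0.2.1", "peer": "192.0.2.254"},
        "asn": {"local": 64496, "peer": 64500}}          # constructed


def _update(body):
    """Wrap an update body the way exabgp's JSON encoder is assumed to."""
    return json.dumps({"type": "update",
                       "neighbor": dict(PEER, direction="receive",
                                        message={"update": body})})


SAMPLE_FEED = [  # constructed stand-in for what exabgp writes to the process's stdin
    json.dumps({"type": "state", "neighbor": dict(PEER, state="up")}),
    _update({"attribute": {"origin": "igp", "as-path": [64500, 64501], "med": 0},
             "announce": {"ipv4 unicast": {"192.0.2.254": [
                 {"nlri": "198.51.100.0/24"}, {"nlri": "203.0.113.0/24"}]}}}),
    _update({"attribute": {"origin": "igp", "as-path": [64500, 64502]},
             "announce": {"ipv6 unicast": {"2001:db8:ffff::1": [
                 {"nlri": "2001:db8::/32"}]}}}),
    _update({"withdraw": {"ipv4 unicast": [{"nlri": "203.0.113.0/24"}]}}),
]
PEER_DOWN = json.dumps({"type": "state", "neighbor": dict(PEER, state="down")})


class Rib:
    """peer -> family ("ipv4 unicast", ...) -> prefix -> attributes plus next-hop."""

    def __init__(self):
        self.routes = defaultdict(lambda: defaultdict(dict))
        self.state = {}

    def apply(self, line):
        msg = json.loads(line)
        peer = msg["neighbor"]["address"]["peer"]
        if msg["type"] == "state":
            self.state[peer] = msg["neighbor"]["state"]
            if self.state[peer] == "down":
                self.routes.pop(peer, None)   # session gone: everything learned from it is gone
            return
        if msg["type"] != "update":
            return                            # open, keepalive, notification: nothing to store
        upd = msg["neighbor"]["message"].get("update", {})
        attrs = upd.get("attribute", {})
        for family, by_nexthop in upd.get("announce", {}).items():
            for nexthop, nlris in by_nexthop.items():
                for n in nlris:
                    self.routes[peer][family][n["nlri"]] = dict(attrs, **{"next-hop": nexthop})
        for family, nlris in upd.get("withdraw", {}).items():
            for n in nlris:
                self.routes[peer][family].pop(n["nlri"], None)

    def prefixes(self, peer, family):
        return sorted(self.routes.get(peer, {}).get(family, {}))

    def route(self, peer, family, prefix):
        return self.routes.get(peer, {}).get(family, {}).get(prefix)

    def summary(self):
        return {peer: {fam: len(pfx) for fam, pfx in fams.items()}
                for peer, fams in self.routes.items()}


def load(lines):
    """Feed a sequence of JSON lines (stdin, a file, or SAMPLE_FEED) into a Rib."""
    rib = Rib()
    for line in lines:
        if line.strip():
            rib.apply(line)
    return rib


if __name__ == "__main__":
    # Under exabgp this reads the live stream on stdin; on a terminal it uses the sample.
    source = SAMPLE_FEED if sys.stdin.isatty() else sys.stdin
    print(json.dumps(load(source).summary(), indent=1))
```

Because the RIB is updated incrementally from the stream, a "what does
provider X send me right now" query is a dictionary lookup rather than a
20-minute SNMP walk, and the IPv6 table is handled by the same code path as
IPv4.  Dropping a peer's state to "down" clears its routes, which is what a
session reset means on the router side too.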