Re: 10Gb iPerf kit?
On (2014-12-07 09:24 +1300), Pete Mundy wrote:

Hey,

I've done loads of 1Gbit testing using the entry-level MacBook Air and a Thunderbolt Gigabit Ethernet adapter though, and I disagree with Saku's statement of 'You cannot use UDPSocket like iperf does, it just does not work, you are lucky if you reliably test 1Gbps'. I find iperf testing at 1Gbit on Mac Air with Thunderbolt Eth extremely reliable (always 950+mbit/sec TCP on a good network, and easy to push right to the 1gbit limit with UDP.

In my experience majority of people using iperf in UDP mode do not monitor for packet loss. And once they start doing, they notice they can't go very fast. For me 1 packet loss due to host issues is absolutely too much, I need flat 0, and in optimal scenario, I'd get microsecond resolution jitter statistics.

Granted I've not tried on OSX, perhaps by default it has deeper buffers for UDP. But on Linux, top of the shelf Cisco UCS server with 10GE interfaces running RHEL, and 1Gbps is simply too much, you'll get packet loss. You can observe the packets arriving, but they'll be registered as UDP errors on 'netstat -s', because your program isn't picking them up fast enough.

Things iperf could do to perform better
- setsockopt for deeper buffers
- recvmmsg to pick up multiple messages with single context switch
- raw sockets to reduce overhead

But ultimately you're still going to be very far from 10Gbps, which is doable, if you'll use something like DPDK.

--
++ytti
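The receiver-side changes listed in the message above, as an added example that is not part of the original post or of iperf: a UDP sink that requests a deeper SO_RCVBUF, pulls datagrams in batches with recvmmsg(), and counts loss from sequence gaps. The port (5001) and the framing (a 32-bit big-endian sequence number at the start of each datagram) are assumptions for illustration.

```c
#define _GNU_SOURCE /* recvmmsg() and struct mmsghdr are GNU extensions */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <time.h>

#if defined(__GLIBC__) && !defined(__USE_GNU)
/* glibc only: a libc header was included before _GNU_SOURCE took effect. */
struct mmsghdr { struct msghdr msg_hdr; unsigned int msg_len; };
int recvmmsg(int, struct mmsghdr *, unsigned int, int, struct timespec *);
#endif

#define BATCH 64        /* datagrams fetched per system call */
#define MAX_DGRAM 2048  /* room for one datagram at a 1500-byte MTU */

struct rx_stats {
    uint64_t received;  /* datagrams handed to this program */
    uint64_t lost;      /* sequence numbers skipped and not yet seen */
    uint64_t late;      /* arrivals below the expected sequence number */
    uint32_t next_seq;  /* next sequence number expected */
};

/* Request a deeper socket receive buffer and return what the kernel granted.
 * Linux caps the request at net.core.rmem_max and reports double the value. */
int set_rcvbuf(int fd, int bytes)
{
    int granted = 0;
    socklen_t len = sizeof(granted);
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &bytes, sizeof(bytes)) < 0)
        return -1;
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &granted, &len) < 0)
        return -1;
    return granted;
}

/* Loss accounting from sequence gaps (ignores 32-bit wraparound; a duplicate
 * is counted like a late arrival). */
void account_seq(struct rx_stats *st, uint32_t seq)
{
    st->received++;
    if (seq >= st->next_seq) {
        st->lost += seq - st->next_seq;
        st->next_seq = seq + 1;
    } else {
        st->late++;
        if (st->lost > 0)
            st->lost--;
    }
}

/* Block until one datagram is queued, then take up to BATCH of them in a
 * single recvmmsg() call. Returns the number read, or -1 on error. */
int drain_batch(int fd, struct rx_stats *st)
{
    static uint8_t bufs[BATCH][MAX_DGRAM];
    struct mmsghdr msgs[BATCH];
    struct iovec iov[BATCH];

    memset(msgs, 0, sizeof(msgs));
    for (int i = 0; i < BATCH; i++) {
        iov[i].iov_base = bufs[i];
        iov[i].iov_len = MAX_DGRAM;
        msgs[i].msg_hdr.msg_iov = &iov[i];
        msgs[i].msg_hdr.msg_iovlen = 1;
    }
    int n = recvmmsg(fd, msgs, BATCH, MSG_WAITFORONE, NULL);
    if (n < 0)
        return (errno == EINTR || errno == EAGAIN) ? 0 : -1;
    for (int i = 0; i < n; i++) {
        uint32_t seq;
        if (msgs[i].msg_len < sizeof(seq))
            continue; /* too short to carry a sequence number */
        memcpy(&seq, bufs[i], sizeof(seq));
        account_seq(st, ntohl(seq));
    }
    return n;
}

int main(void)
{
    /* Port 5001 is an assumed test port for this example. */
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(5001) };
    struct rx_stats st = {0};
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("socket/bind");
        return 1;
    }
    printf("SO_RCVBUF granted: %d bytes\n", set_rcvbuf(fd, 8 << 20));
    for (uint64_t shown = 0; drain_batch(fd, &st) >= 0; ) {
        if (st.received / 100000 == shown)
            continue; /* report once per 100000 datagrams */
        shown = st.received / 100000;
        printf("received=%llu lost=%llu late=%llu\n", (unsigned long long)st.received,
               (unsigned long long)st.lost, (unsigned long long)st.late);
    }
    return 1;
}
```

Loss counted here is end-to-end; comparing it with the UDP receive error counters from 'netstat -s' on the same host separates drops in the socket buffer from drops in the network.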
Re: 10Gb iPerf kit?
I find nuttcp very useful in those situations. Be sure to use one of the recent betas, I have been using 7.2.1 for UDP with excellent results (decent loss stats and jitter calc)

http://nuttcp.net/nuttcp/beta/nuttcp-7.2.1.c

As I understand it, it's still developed, 7.3.2 is now out.

M

On 7 Dec 2014 16:49, Saku Ytti s...@ytti.fi wrote:

On (2014-12-07 09:24 +1300), Pete Mundy wrote:

Hey,

I've done loads of 1Gbit testing using the entry-level MacBook Air and a Thunderbolt Gigabit Ethernet adapter though, and I disagree with Saku's statement of 'You cannot use UDPSocket like iperf does, it just does not work, you are lucky if you reliably test 1Gbps'. I find iperf testing at 1Gbit on Mac Air with Thunderbolt Eth extremely reliable (always 950+mbit/sec TCP on a good network, and easy to push right to the 1gbit limit with UDP.

In my experience majority of people using iperf in UDP mode do not monitor for packet loss. And once they start doing, they notice they can't go very fast. For me 1 packet loss due to host issues is absolutely too much, I need flat 0, and in optimal scenario, I'd get microsecond resolution jitter statistics.

Granted I've not tried on OSX, perhaps by default it has deeper buffers for UDP. But on Linux, top of the shelf Cisco UCS server with 10GE interfaces running RHEL, and 1Gbps is simply too much, you'll get packet loss. You can observe the packets arriving, but they'll be registered as UDP errors on 'netstat -s', because your program isn't picking them up fast enough.

Things iperf could do to perform better
- setsockopt for deeper buffers
- recvmmsg to pick up multiple messages with single context switch
- raw sockets to reduce overhead

But ultimately you're still going to be very far from 10Gbps, which is doable, if you'll use something like DPDK.

--
++ytti
Re: 10Gb iPerf kit?
On 06/12/2014 20:24, Pete Mundy wrote:

I've done loads of 1Gbit testing using the entry-level MacBook Air and a Thunderbolt Gigabit Ethernet adapter though, and I disagree with Saku's statement of 'You cannot use UDPSocket like iperf does, it just does not work, you are lucky if you reliably test 1Gbps'. I find iperf testing at 1Gbit on Mac Air with Thunderbolt Eth extremely reliable (always 950+mbit/sec TCP on a good network, and easy to push right to the 1gbit limit with UDP.

i've found that the tb gigabit ethernet adapter starts dropping udp packets at around 600-650mbit/sec on iperf (mbp, MC976xx/A model).

Nick
RE: possible twtelecom routing issue
Date: Fri, 5 Dec 2014 02:19:46 -1000
From: t...@lavanauts.org
To: nanog@nanog.org
Subject: possible twtelecom routing issue

Trying to gather information on a connectivity issue between TW Telecom and a specific government web server. If one of your upstream providers is TW Telecom, could you report back whether you have connectivity to https://safe.amrdec.army.mil. Thanks.

I can reach it through Level3. Is your TW Telecom routing hops L3 already? Or still legacy? What's your aspath/hops to destination?

Antonio Querubin
e-mail: t...@lavanauts.org
xmpp: antonioqueru...@gmail.com
Chicago Amazon
Is anyone else seeming issues reaching Amazon through Zayo in Chicago?

8 37 ms 44 ms 27 ms 64.125.204.11.allocated.above.net [64.125.204.11]
9 28 ms 13 ms 44 ms ge-11-1-2.mpr2.ord6.us.above.net [64.125.172.81]
10 28 ms 46 ms 27 ms ae11.cr2.ord2.us.above.net [64.125.22.130]
11 95 ms 34 ms 41 ms ae11.cr1.ord2.us.above.net [64.125.20.245]
12 41 ms 54 ms 34 ms ae4.er1.ord7.us.above.net [64.125.28.50]
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.

Looks like HE is having difficulty as well.

7 20.243 ms 21.120 ms 19.500 ms 72.21.220.175 205.251.244.93 72.21.220.183
8 97.293 ms 21.906 ms 22.774 ms 205.251.245.242 72.21.222.157 205.251.245.53
9 * * * -
10 * * * -
11 * * * -

Well, I guess unless they're dropping ICMP...

- Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Re: Chicago Amazon
I retract my statement. *sigh* First post in many many years and I'm a putz...

- Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

- Original Message -
From: Mike Hammett na...@ics-il.net
To: North American Network Operators' Group nanog@nanog.org
Sent: Sunday, December 7, 2014 10:24:49 AM
Subject: Chicago Amazon

Is anyone else seeming issues reaching Amazon through Zayo in Chicago?

8 37 ms 44 ms 27 ms 64.125.204.11.allocated.above.net [64.125.204.11]
9 28 ms 13 ms 44 ms ge-11-1-2.mpr2.ord6.us.above.net [64.125.172.81]
10 28 ms 46 ms 27 ms ae11.cr2.ord2.us.above.net [64.125.22.130]
11 95 ms 34 ms 41 ms ae11.cr1.ord2.us.above.net [64.125.20.245]
12 41 ms 54 ms 34 ms ae4.er1.ord7.us.above.net [64.125.28.50]
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.

Looks like HE is having difficulty as well.

7 20.243 ms 21.120 ms 19.500 ms 72.21.220.175 205.251.244.93 72.21.220.183
8 97.293 ms 21.906 ms 22.774 ms 205.251.245.242 72.21.222.157 205.251.245.53
9 * * * -
10 * * * -
11 * * * -

Well, I guess unless they're dropping ICMP...

- Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
RE: 10Gb iPerf kit?
From: p...@fiberphone.co.nz
Subject: Re: 10Gb iPerf kit?
Date: Sun, 7 Dec 2014 09:24:41 +1300
To: nanog@nanog.org

On 11/11/2014, at 1:35 PM, Randy Carpenter rcar...@network1.net wrote:

I have not tried doing that myself, but the only thing that would even be possible that I know of is thunderbolt. A new MacBook Pro and one of these maybe: http://www.sonnettech.com/product/echoexpresssel_10gbeadapter.html

Or one of these ones for dual-10Gbit links (one for out of band management or internet?): http://www.sonnettech.com/product/twin10g.html

I haven't tried one myself, but they're relatively cheap (for 10gig) so not that much outlay to grab one and try it (esp if you already have an Apple laptop you can test with).

How would you use it? with iperf still? I don't think you will go nearly close to 14.8Mpps per port this way. Unless you are talking about bandwidth testing with full sized packet frames and low pps rate.

I personally tested a 1Gbit/s port over a MBP retina 15 thunderbolt gbe with BCM5701 chipset. I had only 220kpps on a single TX flow. Later I tried another adapter with a marvell yukon mini port. Had better pps rate, but nothing beyond 260kpps.

I've done loads of 1Gbit testing using the entry-level MacBook Air and a Thunderbolt Gigabit Ethernet adapter though, and I disagree with Saku's statement of 'You cannot use UDPSocket like iperf does, it just does not work, you are lucky if you reliably test 1Gbps'. I find iperf testing at 1Gbit on Mac Air with Thunderbolt Eth extremely reliable (always 950+mbit/sec TCP on a good network, and easy to push right to the 1gbit limit with UDP.

Again, with 64byte packet size? Or are you talking MTU? With MTU size you can try whatever you want and it will seem to be reliable. A wget/ftp download of a 1GB file will provide similar results, but I don't think this is useful anyway since it won't test anything close to rfc2544 or at least an ordinary internet traffic profile with a mix of 600bytes pkg size combined with a lower rate of smaller packets (icmp/udp, ping/dns/ntp/voice/video).

I am also interested in a cheap and reliable method to test 10GbE connections. So far I haven't found something I trust.

Pete
Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
All, Could someone from Google public DNS and from GoDaddy contact me off-list? I'm getting SERVFAIL when trying to resolve any record in any domain whose NSs are pdns01.domaincontrol.com/pdns02.domaincontrol.com/pdns05.domaincontrol.com/pdns06.domaincontrol.com (GoDaddy premium DNS), only when using Google's 8.8.8.8 / 8.8.4.4 resolvers, from multiple locations/networks. Resolution is normal using various other public and non-public resolvers, as well as by querying the authoritative name servers directly. You can look at targetly.co as one example (should be just an A record to 184.168.221.38 but getting SERVFAIL when querying 8.8.8.8). Thanks -- Erik Levinson CTO, Uberflip 416-900-3830 1183 King Street West, Suite 100 Toronto ON M6K 3C5 www.uberflip.com
Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
On Sun, Dec 07, 2014 at 12:01:40PM -0500, Erik Levinson erik.levin...@uberflip.com wrote a message of 25 lines which said:

I'm getting SERVFAIL when trying to resolve any record in any domain whose NSs are pdns01.domaincontrol.com/pdns02.domaincontrol.com/pdns05.domaincontrol.com/pdns06.domaincontrol.com (GoDaddy premium DNS), only when using Google's 8.8.8.8 / 8.8.4.4 resolvers, from multiple locations/networks.

Since Google Public DNS validates, and Go Daddy supports DNSSEC, it would be useful to test with dig +cd (Checking Disabled) to determine if it is a DNSSEC problem or not.

You can look at targetly.co as one example (should be just an A record to 184.168.221.38 but getting SERVFAIL when querying 8.8.8.8).

Works for me

% dig @8.8.8.8 a targetly.co

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 a targetly.co
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4056
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;targetly.co. IN A

;; ANSWER SECTION:
targetly.co. 242 IN A 184.168.221.38

;; Query time: 67 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Dec 7 18:07:58 2014
;; MSG SIZE rcvd: 56
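The +cd test suggested above, as an added example that is not part of the original thread: it builds the same A query with and without the CD (Checking Disabled) header bit and compares the two response codes. The helper names and the replies in main() are constructed for illustration; no network access is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DNS header flag bits (RFC 1035, RFC 4035). */
enum { DNS_QR = 0x8000, DNS_RD = 0x0100, DNS_RA = 0x0080, DNS_AD = 0x0020, DNS_CD = 0x0010 };
enum { RCODE_NOERROR = 0, RCODE_SERVFAIL = 2 };
enum verdict { RESOLVES, VALIDATION_FAILURE, NOT_VALIDATION, INCONCLUSIVE };

struct dns_reply { uint16_t id; int rcode; int ad; int cd; unsigned answers; };

/* Encode an A/IN query with RD set and, if cd != 0, the CD bit that
 * 'dig +cd' sets. Returns the message length, or 0 on a bad name. */
size_t dns_build_query(uint8_t *out, size_t cap, uint16_t id, const char *name, int cd)
{
    size_t nlen = strlen(name), pos = 12;
    uint16_t flags = (uint16_t)(DNS_RD | (cd ? DNS_CD : 0));

    if (nlen == 0 || cap < 12 + nlen + 2 + 4)
        return 0;
    memset(out, 0, 12);
    out[0] = (uint8_t)(id >> 8);    out[1] = (uint8_t)(id & 0xff);
    out[2] = (uint8_t)(flags >> 8); out[3] = (uint8_t)(flags & 0xff);
    out[5] = 1;                               /* QDCOUNT = 1 */
    for (const char *p = name; *p; ) {
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l == 0 || l > 63)
            return 0;                         /* empty or oversized label */
        out[pos++] = (uint8_t)l;
        memcpy(out + pos, p, l);
        pos += l;
        p += l;
        if (*p == '.')
            p++;
    }
    out[pos++] = 0;                           /* root label */
    out[pos++] = 0; out[pos++] = 1;           /* QTYPE  = A  */
    out[pos++] = 0; out[pos++] = 1;           /* QCLASS = IN */
    return pos;
}

/* Read the fixed 12-byte header of a response. Returns -1 for a short
 * message or one without the QR (response) bit. */
int dns_parse_header(const uint8_t *msg, size_t len, struct dns_reply *r)
{
    if (len < 12)
        return -1;
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    if (!(flags & DNS_QR))
        return -1;
    r->id = (uint16_t)((msg[0] << 8) | msg[1]);
    r->rcode = flags & 0x000f;
    r->ad = (flags & DNS_AD) != 0;
    r->cd = (flags & DNS_CD) != 0;
    r->answers = (unsigned)((msg[6] << 8) | msg[7]);
    return 0;
}

/* SERVFAIL that disappears with CD set points at DNSSEC validation on the
 * resolver; SERVFAIL that persists with CD set points away from it. */
enum verdict diagnose(const struct dns_reply *plain, const struct dns_reply *with_cd)
{
    if (plain->rcode == RCODE_NOERROR)    return RESOLVES;
    if (plain->rcode != RCODE_SERVFAIL)   return INCONCLUSIVE;
    if (with_cd->rcode == RCODE_NOERROR)  return VALIDATION_FAILURE;
    if (with_cd->rcode == RCODE_SERVFAIL) return NOT_VALIDATION;
    return INCONCLUSIVE;
}

/* Constructed sample data: turn a query buffer into a header-only reply
 * (QR and RA set, CD copied from the query, no answer records appended). */
void fake_reply(uint8_t *msg, int rcode, unsigned answers)
{
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    flags = (uint16_t)((flags & ~0x000f) | DNS_QR | DNS_RA | (rcode & 0x0f));
    msg[2] = (uint8_t)(flags >> 8);   msg[3] = (uint8_t)(flags & 0xff);
    msg[6] = (uint8_t)(answers >> 8); msg[7] = (uint8_t)(answers & 0xff);
}

int main(void)
{
    static const char *text[] = { "resolves", "DNSSEC validation failure",
                                  "not a validation problem", "inconclusive" };
    uint8_t plain[64], cd[64];
    struct dns_reply rp, rc;
    size_t n = dns_build_query(plain, sizeof plain, 47892, "targetly.co", 0);

    dns_build_query(cd, sizeof cd, 47893, "targetly.co", 1);
    fake_reply(plain, RCODE_SERVFAIL, 0);     /* constructed: SERVFAIL without +cd */
    fake_reply(cd, RCODE_SERVFAIL, 0);        /* constructed: SERVFAIL with +cd    */
    if (dns_parse_header(plain, n, &rp) || dns_parse_header(cd, n, &rc))
        return 1;
    printf("targetly.co via resolver: %s\n", text[diagnose(&rp, &rc)]);
    return 0;
}
```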
Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
Agree on blendive.com and blendedperspectives.com

Not sure how to identify which chunk of google is failing, but here's a trace for a nonworking query on the above domains:

5. 209.85.241.127
6. google-public-dns-a.google.com

(thru TorIX thus the short path). EC2 east is successful (but I can't trace easily, client restrictions in place grumble).

blendive.com name server pdns04.domaincontrol.com.
blendive.com name server pdns03.domaincontrol.com.

/kc

On Sun, Dec 07, 2014 at 06:19:22PM +0100, Stephane Bortzmeyer said:

On Sun, Dec 07, 2014 at 12:01:40PM -0500, Erik Levinson erik.levin...@uberflip.com wrote a message of 25 lines which said:

I'm getting SERVFAIL when trying to resolve any record in any domain whose NSs are pdns01.domaincontrol.com/pdns02.domaincontrol.com/pdns05.domaincontrol.com/pdns06.domaincontrol.com (GoDaddy premium DNS), only when using Google's 8.8.8.8 / 8.8.4.4 resolvers, from multiple locations/networks.

Since Google Public DNS validates, and Go Daddy supports DNSSEC, it would be useful to test with dig +cd (Checking Disabled) to determine if it is a DNSSEC problem or not.

You can look at targetly.co as one example (should be just an A record to 184.168.221.38 but getting SERVFAIL when querying 8.8.8.8).

Works for me

% dig @8.8.8.8 a targetly.co

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 a targetly.co
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4056
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;targetly.co. IN A

;; ANSWER SECTION:
targetly.co. 242 IN A 184.168.221.38

;; Query time: 67 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Dec 7 18:07:58 2014
;; MSG SIZE rcvd: 56

--
Ken Chase - m...@sizone.org - Toronto Canada
Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
On 07/12/14 12:19 PM, Stephane Bortzmeyer wrote:

Since Google Public DNS validates, and Go Daddy supports DNSSEC, it would be useful to test with dig +cd (Checking Disabled) to determine if it is a DNSSEC problem or not.

Tried, still SERVFAIL. It succeeds with +trace though...

You can look at targetly.co as one example (should be just an A record to 184.168.221.38 but getting SERVFAIL when querying 8.8.8.8).

Works for me

Maybe a geo-specific issue then, which is even more weird, because it's still not working for me from two different ASs, though both in Toronto, and a traceroute makes it appear like they're not hitting the same nodes (but maybe they are).

What's even more weird is I can actually resolve one domain, startupong.com, but still not targetly.co and others.

--
Erik Levinson
CTO, Uberflip
416-900-3830
1183 King Street West, Suite 100
Toronto ON M6K 3C5
www.uberflip.com
Re: Chicago Amazon
Interesting traceroute from Comcast in Chicago: Goes from Chicago to Seattle to New York inside the Comcast network.

Lyle Giese
LCR Computer Services, Inc.

traceroute to www.amazon.com (176.32.98.166), 30 hops max, 40 byte packets using UDP
1 lancomcast.lcrcomputer.com (192.168.250.252) 0.165 ms 0.142 ms 0.139 ms
2 c-98-206-192-1.hsd1.il.comcast.net (98.206.192.1) 9.226 ms 15.067 ms 13.166 ms
3 te-0-3-0-13-sur03.mchenry.il.chicago.comcast.net (68.85.131.5) 12.778 ms 11.690 ms 10.688 ms
4 te-2-3-0-1-ar01.elmhurst.il.chicago.comcast.net (68.86.197.165) 16.734 ms te-2-3-0-0-ar01.elmhurst.il.chicago.comcast.net (69.139.235.109) 16.518 ms te-3-1-ur01.mchenry.il.chicago.comcast.net (68.87.210.61) 19.275 ms
5 he-1-6-0-0-11-cr01.seattle.wa.ibone.comcast.net (68.86.92.33) 18.112 ms 12.269 ms 14.449 ms
6 be-10406-cr01.350ecermak.il.ibone.comcast.net (68.86.84.210) 19.087 ms 18.882 ms 17.678 ms
7 be-10206-cr01.newyork.ny.ibone.comcast.net (68.86.86.225) 35.173 ms 34.970 ms 36.902 ms
8 c-eth-0-2-0-pe04.111eighthave.ny.ibone.comcast.net (68.86.87.98) 34.642 ms 34.394 ms 33.321 ms
9 50.242.148.122 (50.242.148.122) 36.920 ms 35.969 ms 33.625 ms
10 54.240.229.84 (54.240.229.84) 33.564 ms 32.941 ms 36.129 ms
11 54.240.228.186 (54.240.228.186) 43.054 ms 54.240.228.204 (54.240.228.204) 42.900 ms 54.240.228.202 (54.240.228.202) 41.204 ms
12 54.240.229.219 (54.240.229.219) 45.652 ms 54.240.229.221 (54.240.229.221) 45.447 ms 54.240.229.223 (54.240.229.223) 44.213 ms
13 54.240.228.163 (54.240.228.163) 40.113 ms 54.240.228.161 (54.240.228.161) 43.994 ms 54.240.228.181 (54.240.228.181) 43.778 ms
14 205.251.244.99 (205.251.244.99) 43.681 ms 205.251.244.91 (205.251.244.91) 42.487 ms 46.121 ms
15 205.251.245.232 (205.251.245.232) 43.837 ms 43.749 ms 205.251.245.226 (205.251.245.226) 43.723 ms

On 12/07/14 10:24, Mike Hammett wrote:

Is anyone else seeming issues reaching Amazon through Zayo in Chicago?

8 37 ms 44 ms 27 ms 64.125.204.11.allocated.above.net [64.125.204.11]
9 28 ms 13 ms 44 ms ge-11-1-2.mpr2.ord6.us.above.net [64.125.172.81]
10 28 ms 46 ms 27 ms ae11.cr2.ord2.us.above.net [64.125.22.130]
11 95 ms 34 ms 41 ms ae11.cr1.ord2.us.above.net [64.125.20.245]
12 41 ms 54 ms 34 ms ae4.er1.ord7.us.above.net [64.125.28.50]
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.

Looks like HE is having difficulty as well.

7 20.243 ms 21.120 ms 19.500 ms 72.21.220.175 205.251.244.93 72.21.220.183
8 97.293 ms 21.906 ms 22.774 ms 205.251.245.242 72.21.222.157 205.251.245.53
9 * * * -
10 * * * -
11 * * * -

Well, I guess unless they're dropping ICMP...

- Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
Maybe a geo-specific issue then, which is even more weird, because it's still not working for me from two different ASs, though both in Toronto, and a traceroute makes it appear like they're not hitting the same nodes (but maybe they are). What's even more weird is I can actually resolve one domain, startupong.com, but still not targetly.co and others. Last time we had weird DNS issues with GoDaddy, it was dependent on the querying IP address due to load-balancing issues on their side. Try issuing queries from even and odd IP addresses to see if that makes any difference. Rubens
Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
it just started working properly I think. yes, tested from 6 even and odd ips on 3 different AS's (that all go through Torix though). /kc On Sun, Dec 07, 2014 at 03:51:16PM -0200, Rubens Kuhl said: Maybe a geo-specific issue then, which is even more weird, because it's still not working for me from two different ASs, though both in Toronto, and a traceroute makes it appear like they're not hitting the same nodes (but maybe they are). What's even more weird is I can actually resolve one domain, startupong.com, but still not targetly.co and others. Last time we had weird DNS issues with GoDaddy, it was dependent on the querying IP address due to load-balancing issues on their side. Try issuing queries from even and odd IP addresses to see if that makes any difference. Rubens -- Ken Chase - m...@sizone.org - Toronto Canada
Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
Nope, it's just super intermittent now...it resolved once and cached it apparently, but still SERVFAIL most of the time if you try repeatedly... Try uberflip.net too. On 07/12/14 12:58 PM, Ken Chase wrote: it just started working properly I think. yes, tested from 6 even and odd ips on 3 different AS's (that all go through Torix though). /kc On Sun, Dec 07, 2014 at 03:51:16PM -0200, Rubens Kuhl said: Maybe a geo-specific issue then, which is even more weird, because it's still not working for me from two different ASs, though both in Toronto, and a traceroute makes it appear like they're not hitting the same nodes (but maybe they are). What's even more weird is I can actually resolve one domain, startupong.com, but still not targetly.co and others. Last time we had weird DNS issues with GoDaddy, it was dependent on the querying IP address due to load-balancing issues on their side. Try issuing queries from even and odd IP addresses to see if that makes any difference. Rubens -- Ken Chase - m...@sizone.org - Toronto Canada -- Erik Levinson CTO, Uberflip 416-900-3830 x2009 1183 King Street West, Suite 100 Toronto ON M6K 3C5 www.uberflip.com
RE: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
Just failed for me, too. Traceroute suggests I'm testing against Google in Chicago.

10 27 ms 24 ms 24 ms ae5.cr1.ord2.us.above.net [64.125.30.89]
11 29 ms 49 ms 25 ms ae4.er1.ord7.us.above.net [64.125.28.50]
12 30 ms 25 ms 25 ms 72.14.217.53
13 34 ms 32 ms 26 ms 209.85.243.99
14 26 ms 25 ms 25 ms google-public-dns-a.google.com [8.8.8.8]

C:\Users\Frank Bulk>dig @8.8.8.8 a targetly.co

; <<>> DiG 9.8.0-P1 <<>> @8.8.8.8 a targetly.co
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47892
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;targetly.co. IN A

;; Query time: 2077 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Dec 07 12:10:22 2014
;; MSG SIZE rcvd: 29

C:\Users\Frank Bulk>

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Erik Levinson
Sent: Sunday, December 07, 2014 12:07 PM
To: Ken Chase; Rubens Kuhl
Cc: Nanog
Subject: Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs

Nope, it's just super intermittent now...it resolved once and cached it apparently, but still SERVFAIL most of the time if you try repeatedly... Try uberflip.net too.

On 07/12/14 12:58 PM, Ken Chase wrote:

it just started working properly I think. yes, tested from 6 even and odd ips on 3 different AS's (that all go through Torix though).

/kc

On Sun, Dec 07, 2014 at 03:51:16PM -0200, Rubens Kuhl said:

Maybe a geo-specific issue then, which is even more weird, because it's still not working for me from two different ASs, though both in Toronto, and a traceroute makes it appear like they're not hitting the same nodes (but maybe they are). What's even more weird is I can actually resolve one domain, startupong.com, but still not targetly.co and others.

Last time we had weird DNS issues with GoDaddy, it was dependent on the querying IP address due to load-balancing issues on their side. Try issuing queries from even and odd IP addresses to see if that makes any difference.

Rubens

--
Ken Chase - m...@sizone.org - Toronto Canada

--
Erik Levinson
CTO, Uberflip
416-900-3830 x2009
1183 King Street West, Suite 100
Toronto ON M6K 3C5
www.uberflip.com
Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
Heh...when it succeeds for me sometimes now, if I do it repeatedly, I can see two different TTL sets each time, so I know I'm hitting at least two nodes / sets of nodes...

One of my traceroutes from 151 Front suggests the node is in the building, as the latency is well under 1ms.

On 07/12/14 01:15 PM, Frank Bulk wrote:

Just failed for me, too. Traceroute suggests I'm testing against Google in Chicago.

10 27 ms 24 ms 24 ms ae5.cr1.ord2.us.above.net [64.125.30.89]
11 29 ms 49 ms 25 ms ae4.er1.ord7.us.above.net [64.125.28.50]
12 30 ms 25 ms 25 ms 72.14.217.53
13 34 ms 32 ms 26 ms 209.85.243.99
14 26 ms 25 ms 25 ms google-public-dns-a.google.com [8.8.8.8]

C:\Users\Frank Bulk>dig @8.8.8.8 a targetly.co

; <<>> DiG 9.8.0-P1 <<>> @8.8.8.8 a targetly.co
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47892
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;targetly.co. IN A

;; Query time: 2077 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Dec 07 12:10:22 2014
;; MSG SIZE rcvd: 29

C:\Users\Frank Bulk>

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Erik Levinson
Sent: Sunday, December 07, 2014 12:07 PM
To: Ken Chase; Rubens Kuhl
Cc: Nanog
Subject: Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs

Nope, it's just super intermittent now...it resolved once and cached it apparently, but still SERVFAIL most of the time if you try repeatedly... Try uberflip.net too.

On 07/12/14 12:58 PM, Ken Chase wrote:

it just started working properly I think. yes, tested from 6 even and odd ips on 3 different AS's (that all go through Torix though).

/kc

On Sun, Dec 07, 2014 at 03:51:16PM -0200, Rubens Kuhl said:

Maybe a geo-specific issue then, which is even more weird, because it's still not working for me from two different ASs, though both in Toronto, and a traceroute makes it appear like they're not hitting the same nodes (but maybe they are). What's even more weird is I can actually resolve one domain, startupong.com, but still not targetly.co and others.

Last time we had weird DNS issues with GoDaddy, it was dependent on the querying IP address due to load-balancing issues on their side. Try issuing queries from even and odd IP addresses to see if that makes any difference.

Rubens

--
Ken Chase - m...@sizone.org - Toronto Canada

--
Erik Levinson
CTO, Uberflip
416-900-3830
1183 King Street West, Suite 100
Toronto ON M6K 3C5
www.uberflip.com
Carrier-grade DDoS Attack mitigation appliance
Has anyone tried any DDoS attack mitigation appliance rather than Arbor PeakFlow TMS? I need it to be carrier-grade in terms of capacity and redundancy, and as far as I know, Arbor is the only product in the market which offers a clean pipe volume of traffic, so if the DDoS attack volume is, for example, 1Tbps, they will grant you for example 50Gbps of clean traffic.

Anyway, I'm open to other suggestions, and open-source products that can do the same purpose, we have network development team that can work on this.

Thanks.

--
Mohamed Kamal
Core Network Sr. Engineer
Re: Carrier-grade DDoS Attack mitigation appliance
Hi,

A lot of new vendors have entered the DDoS attack prevention market other than Arbor, I've seen carrier grade devices made by Huawei, NSFocus, RioRey and many others. If you're looking at something software based, I've used Andrisoft WanGuard and would recommend it.

Ammar.

On 8 Dec 2014, at 12:09 am, Mohamed Kamal mka...@noor.net wrote:

Has anyone tried any DDoS attack mitigation appliance rather than Arbor PeakFlow TMS? I need it to be carrier-grade in terms of capacity and redundancy, and as far as I know, Arbor is the only product in the market which offers a clean pipe volume of traffic, so if the DDoS attack volume is, for example, 1Tbps, they will grant you for example 50Gbps of clean traffic.

Anyway, I'm open to other suggestions, and open-source products that can do the same purpose, we have network development team that can work on this.

Thanks.

--
Mohamed Kamal
Core Network Sr. Engineer
Re: Carrier-grade DDoS Attack mitigation appliance
I've heard good things about the A10 Networks appliances. I have not used them personally, but do use their ADC appliances and they do work well.

Jordan Medlen
Network Engineer
Bisk Education

Sent from my iPhone

On Dec 7, 2014, at 15:12, Mohamed Kamal mka...@noor.net wrote:

Has anyone tried any DDoS attack mitigation appliance rather than Arbor PeakFlow TMS? I need it to be carrier-grade in terms of capacity and redundancy, and as far as I know, Arbor is the only product in the market which offers a clean pipe volume of traffic, so if the DDoS attack volume is, for example, 1Tbps, they will grant you for example 50Gbps of clean traffic.

Anyway, I'm open to other suggestions, and open-source products that can do the same purpose, we have network development team that can work on this.

Thanks.

--
Mohamed Kamal
Core Network Sr. Engineer
Re: CAs with dual stacked CRL/OCSP servers
On 12/5/2014 07:06, Rob Seastrom wrote: At $DAYJOB, we have some applications that we would like to be all hipster and *actually check* for certificate revocation. I know this is way out there in terms of trendiness and may offend some folks. Difficulty: the clients are running on single stacked IPv6. We have recently been advised by our existing CA that they do not currently have IPv6 support plan (sic). OCSP Stapling sounds like it could be a winner here. Unfortunately, the software support is not quite ready yet on the platform on either end of the connection (client or server). So... we're looking around for a vendor that's taken the time to dual stack its servers. Any leads? -r GlobalSign does. ~# host ocsp2.globalsign.com -- staticsafe https://staticsafe.ca
Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
On Sun, Dec 07, 2014 at 02:24:33PM -0500, Jim Popovitch said: FWIW, in the past GoDaddy has periodically blocked queries from Google Public DNS infrastructure. Heavily discussed and documented here: https://groups.google.com/forum/#!searchin/public-dns-discuss/godaddy from that, if this is to be believed: GoDaddy's two nameservers ns29.domaincontrol.com and ns30.domaincontrol.com have been blocking Google Public DNS. We contacted GoDaddy and they have lifted the blockage. The issue has resolved. then it's godaddy. Godaddy: comments? /kc -- Ken Chase - m...@sizone.org - Toronto Canada
Re: Carrier-grade DDoS Attack mitigation appliance
On Dec 7, 2014, at 12:10 PM, Mohamed Kamal mka...@noor.net wrote: so if the DDoS attack volume is, for example, 1Tbps, they will grant you for example 50Gbps of clean traffic. Please feel free to contact me off-list if I can assist, as it seems you've been provided with incorrect information. Roland Dobbins rdobb...@arbor.net
Followup: Survey results for the ARIN RPA
There have been 28 responses to the survey I put out last week. The key numbers are:

  We have read and will not sign the agreement                          10   36%
  We are considering signing the agreement                               1    4%
  We haven't yet read it                                                 5   18%

and

  Our legal staff has reviewed and rejected the agreement.               7   25%
  We have provided specific legal feedback to ARIN on the agreement.     2    7%

I'll draw the obvious conclusion: While not scientific, these numbers, combined with the, well, lively, discussion the past few days show some serious dissatisfaction with the agreement required in order to access, and therefore validate, ROAs in the ARIN region.

And therein lies my interest in all of this- there is little value in signing my org's routes if no one is going to validate them. It's a bit of an odd position in that I have a very high interest in what the rest of the community thinks of and how they act with respect to the RPA. In other words, your relationship with ARIN is now of concern to me.

Maybe I'm being naively optimistic in thinking that these are solvable problems.
Re: Followup: Survey results for the ARIN RPA
> And therein lies my interest in all of this - there is little value in signing my org's routes if no one is going to validate them. It's a bit of an odd position in that I have a very high interest in what the rest of the community thinks of and how they act with respect to the RPA. In other words, your relationship with ARIN is now of concern to me.
>
> Maybe I'm being naively optimistic in thinking that these are solvable problems.

there is the rest of the world, it is a global internet. the north american influence decreases continuously, some because of growth of the global internet, which is a good thing. some because of noam making itself less and less relevant, as you point out.

take a look at http://archive.psg.com://rpki-rollout.jpg

kinda tells you what's happening, eh? lacnic has more roll-out than arin, and proportionally it is even more impressive; over 20% of lacnic allocations have roas. and there is ripe, with the sheer numbers.

randy
Re: DWDM Documentation
What have you found so far?

On Thu, Dec 4, 2014 at 1:15 PM, Roy Hirst rhi...@xkl.com wrote:

> Replying offline to Theo. Hard to find.
>
> Roy
>
> *Roy Hirst* | 425-556-5773 | 425-324-0941 cell
> XKL LLC | 12020 113th Ave NE, Suite 100 | Kirkland, WA 98034 | USA
>
> On 12/4/2014 5:21 AM, Theo Voss wrote:
>
> > Hi guys,
> >
> > we, a Berlin / Germany based carrier, are looking for a smart documentation (shelves, connections, fibers) and visualization tool for our ADVA-based DWDM-environment. Do you have any suggestions or hints for me? We’re testing „cableScout“, the only one I found, next week but. Unfortunately it isn’t easy to get any information about such tools! :(
> >
> > Thanks in advance!
> >
> > Best regards,
> > Theo Voss (AS25291)
Re: Followup: Survey results for the ARIN RPA
On Dec 7, 2014, at 9:40 PM, Randy Bush ra...@psg.com wrote:

> > And therein lies my interest in all of this - there is little value in signing my org's routes if no one is going to validate them. It's a bit of an odd position in that I have a very high interest in what the rest of the community thinks of and how they act with respect to the RPA. In other words, your relationship with ARIN is now of concern to me.
> >
> > Maybe I'm being naively optimistic in thinking that these are solvable problems.
>
> there is the rest of the world, it is a global internet. the north american influence decreases continuously, some because of growth of the global internet, which is a good thing. some because of noam making itself less and less relevant, as you point out.
>
> take a look at http://archive.psg.com://rpki-rollout.jpg
>
> kinda tells you what's happening, eh? lacnic has more roll-out than arin, and proportionally it is even more impressive; over 20% of lacnic allocations have roas. and there is ripe, with the sheer numbers.

One could easily presume the ARIN region RPKI deployment statistics are lower as a result of the RPA situation (and no doubt that is part of the issue), but as noted earlier, it's unlikely to be the full story since we also have a region (APNIC) where RPKI deployment is also rather low and yet does not have these RPA legal entanglements.

It was suggested earlier that this may be due to a combination of factors (education, promotion) beyond the RPA legal issues that are now being worked - so that will also need to be addressed once the RPA is resolved.

/John

John Curran
President and CEO
ARIN
Re: Followup: Survey results for the ARIN RPA
> One could easily presume the ARIN region RPKI deployment statistics are lower as a result of the RPA situation (and no doubt that is part of the issue), but as noted earlier, it's unlikely to be the full story since we also have a region (APNIC) where RPKI deployment is also rather low and yet does not have these RPA legal entanglements.
>
> It was suggested earlier that this may be due to a combination of factors (education, promotion) beyond the RPA legal issues that are now being worked - so that will also need to be addressed once the RPA is resolved.

definitely agree. lacnic and ripe have put effort in their respective communities (yay alex!). heck, ripe even resolved the PI and legacy policy issues so everyone can play (speaking of sick arin legal documents).

randy