Re: Fixing Google geolocation screwups
Honestly, I lost patience with the system learning the proper location of the IPv6 block. I have had a very similar problem to the OP for 4-5 months, submitted this IP correction form multiple times... nothing changed. This is *very* annoying. Yes, my whois/SWIP is perfectly fine, every other geo ip database is showing correct location. On 06.05.2015 at 03:36 Matt Palmer wrote: On Wed, May 06, 2015 at 10:56:22AM +1000, Mark Andrews wrote: In message 20150505210746.gh22...@hezmatt.org, Matt Palmer writes: On Tue, May 05, 2015 at 12:03:23PM -0400, Luan Nguyen wrote: There's a form here - https://support.google.com/websearch/contact/ip But google is pretty smart, its systems will learn the correct geolocation over time... That'd be quite a trick, given that the netblock practically can't be used at all with Google services. One would expect support.google.com to not be geo blocked just like postmaster@ should not be filtered. That said they can always disable IPv6 temporarily (or just firewall off the IPv6 instance of support.google.com and have the browser fallback to IPv4) and reach support.google.com over IPv4 to lodge the complaint. I was specifically responding to the suggestion that Google would automagically learn the correct location of the netblock, presumably based on the characteristics of requests coming from the range. Being explicitly told that a given netblock is in a given location (as effective, or otherwise, as that may be) doesn't really fit the description of systems [learning] the correct geolocation over time. - Matt
disadvantages of peering with own IP transit customers
Hi, what are the disadvantages of peering (announcing own and all customers prefixes) with own IP transit customers? One disadvantage is obviously that amount of traffic on IP transit link is lower and thus customer pays for smaller amount of Mbps. On the other hand, this can be somewhat compensated with higher price per Mbps if the amount of traffic on the IP transit connection is lower. However, are there any other disadvantages/concerns when peering with own IP transit customers? regards, Martin
Re: disadvantages of peering with own IP transit customers
On 6/May/15 11:20, Martin T wrote: Hi, what are the disadvantages of peering (announcing own and all customers prefixes) with own IP transit customers? One disadvantage is obviously that amount of traffic on IP transit link is lower and thus customer pays for smaller amount of Mbps. On the other hand, this can be somewhat compensated with higher price per Mbps if the amount of traffic on the IP transit connection is lower. However, are there any other disadvantages/concerns when peering with own IP transit customers?
- Potentially odd routing if customers are unfamiliar with how BGP really works, i.e., upload from customer hits the commercial link, but return traffic to customer follows the peering link since peering links generally have a higher LOCAL_PREF than commercial links.
- Since more traffic is returned to (eyeball-heavy) customers, you increase investment on your peering side with no corresponding gain in revenue, as peering is, well, free.
- Any special policies you accord to peers will now be enjoyed by this customer also, since they also are a peer.
- Issues that could be caused by deliberate inconsistent routing from the customer's part in an effort to direct more traffic into the peering link.
- Complicated controls you may put in place to ensure the customer does not abuse your network from a peering standpoint (or vice versa), e.g., Internet in VRF's, peering in VRF's, e.t.c., and the issues that come with all that complexity.
- Complications with the commercial contract - a growth in your customer's traffic out of balance with how much money you're earning from them.
- Confusion between your customer, their account manager, the engineering team and the operations teams on how the service is meant to be delivered, operated, billed for, e.t.c.
- A host of other things I haven't thought about.
All in all, don't peer with customers if you don't have to. That should be your #1 and #2 peering policy rules. Too much commercial and technical confusion will surely ensue. Mark.
Re: IP DSCP across the Internet
But don't trust that's going to be the rule. I recently had a situation where traffic across a congested public peering link between 2 large tier-2 carriers was honoring DSCP, resulting in some unexpected inconsistent behavior. Joel Mulkey Founder and CEO Bigleaf Networks Direct: +1 (503) 985-6964 | Support: +1 (503) 985-8298 | www.bigleaf.net On May 5, 2015, at 5:30 PM, Roland Dobbins rdobb...@arbor.net wrote: On 5 May 2015, at 17:27, Ramy Hashish wrote: Assume two ASs connected through two tier 1 networks, will the tier one networks trust any DSCP markings done from an AS to the other? The BCP is to re-color on ingress. --- Roland Dobbins rdobb...@arbor.net
Hulu, ABC, Disney have blocked my entire subnet!
Anyone know any good contacts with any of these companies so I can get this resolved? As an ISP, having my entire subnet blocked prevents my customers from being able to use these services they pay for. We are getting the outside of the U.S. or going through hosted proxy issue. I have never used proxies, but even if one of my customers did shouldn't it block just the one IP address? Thank you, Brett A Mansfield
Re: Hulu, ABC, Disney have blocked my entire subnet!
I don't think you mentioned the out of country error on the other list. ;-) Have you verified with any and all IP geolocation services that you can find that your network is properly located? Maybe they think you're in Iran? - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com - Original Message - From: Brett A Mansfield li...@silverlakeinternet.com To: nanog@nanog.org Sent: Tuesday, May 5, 2015 9:38:38 PM Subject: Hulu, ABC, Disney have blocked my entire subnet! Anyone know any good contacts with any of these companies so I can get this resolved? As an ISP, having my entire subnet blocked prevents my customers from being able to use these services they pay for. We are getting the outside of the U.S. or going through hosted proxy issue. I have never used proxies, but even if one of my customers did shouldn't it block just the one IP address? Thank you, Brett A Mansfield
Re: IP DSCP across the Internet
On 6 May 2015, at 8:22, Joel Mulkey wrote: But don't trust that's going to be the rule. Yes, that's always the caveat. Just do what you can within your own span of administrative control. --- Roland Dobbins rdobb...@arbor.net
Re: Alcatel-Lucent 7750 Service Router (SR)
They are definitely good for that. We use them in part of our network for something very similar. I am not sure why they aren't mentioned that much. I know that they have been pretty popular in the past couple years. We are planning on using 7750 SR-a4's in the future but right now we mainly have 7750SR7/12s. Sent from my iPhone On May 6, 2015, at 6:00 PM, Colton Conor colton.co...@gmail.com wrote: Taking full BGP routes from 4+ carriers on 10G connections. Why is ALU never mentioned, but Juniper MX and Cisco are all day long? The new 7750 SR-a4 looks like a Juniper MX80 or MX104 killer. On Wed, May 6, 2015 at 4:58 PM, Dan Snyder sliple...@gmail.com wrote: We have been using them for almost 8 years now and have been pretty happy. What are you looking to use them for? Sent from my iPhone On May 6, 2015, at 5:48 PM, Colton Conor colton.co...@gmail.com wrote: I was wondering if anyone was using an Alcatel-Lucent 7750 Service Router (SR) in their network? How does this platform compare to the Cisco ASR, Brocade MLXe, and Juniper MX line?
Re: Alcatel-Lucent 7750 Service Router (SR)
I am worried as most techs know Cisco and Juniper, so going to ALU would be a learning curve based on replies I am getting off list. On Wed, May 6, 2015 at 5:22 PM, Dan Snyder sliple...@gmail.com wrote: They are definitely good for that. We use them in part of our network for something very similar. I am not sure why they aren't mentioned that much. I know that they have been pretty popular in the past couple years. We are planning on using 7750 SR-a4's in the future but right now we mainly have 7750SR7/12s. Sent from my iPhone On May 6, 2015, at 6:00 PM, Colton Conor colton.co...@gmail.com wrote: Taking full BGP routes from 4+ carriers on 10G connections. Why is ALU never mentioned, but Juniper MX and Cisco are all day long? The new 7750 SR-a4 looks like a Juniper MX80 or MX104 killer. On Wed, May 6, 2015 at 4:58 PM, Dan Snyder sliple...@gmail.com wrote: We have been using them for almost 8 years now and have been pretty happy. What are you looking to use them for? Sent from my iPhone On May 6, 2015, at 5:48 PM, Colton Conor colton.co...@gmail.com wrote: I was wondering if anyone was using an Alcatel-Lucent 7750 Service Router (SR) in their network? How does this platform compare to the Cisco ASR, Brocade MLXe, and Juniper MX line?
Re: Question about co-lo in APAC region
I would support this. I've had a hand in supporting infrastructure located in India and even with a relatively competent partner, some challenges in timely issue resolution. My current employer operate facilities in Singapore, Malaysia and China with a lot more success (comparatively speaking). Singapore and Malaysia are heavily favoured due to their large ICT and financial service industries as noted, also their English tends to be excellent and from a telecommunications perspective, they are reasonably well-served. If you want a reference to someone who can help you in SG, MY or CN, you're welcome to contact me off-list. I've also in a past-life worked with a partner in Japan, their service was excellent but there were more language challenges there for us poor sods limited to English. Cheers, Mark. On 7/05/2015 7:39 a.m., Rafael Possamai wrote: Personal opinion: developing countries tend to have unstable utility service (power is what matters here), so your DC of choice in India should be Tier 4 preferably, which are hard to find and really expensive. Budget allowing, I'd stick to Hong Kong, Shanghai or Singapore as you mentioned initially. These cities have pretty large financial services industries (which rely heavily on IT telco in general) and large companies like Equinix/Digital Realty have already done the heavy lifting for you in terms of scoping a good location for an APAC datacenter. On Wed, May 6, 2015 at 11:28 AM, c b bz_siege...@hotmail.com wrote: This is a pre-project discovery question... any help would be greatly appreciated. We have upcoming partnerships (opportunities) in APAC. The original plan was to place the hub in Singapore. Just weeks before everyone was ready to begin the RFP, it turns out that one of our partner businesses owns a Co-Lo in India. Not sure what the name or the size of this business is yet. While it would be nice to take advantage of this, we have potential partnerships in China and other areas of APAC in development... 
we are hesitating to put our APAC hub in India just based on latency and where the undersea cables run. So, I'm reaching out to NANOG... some of you guys have either worked with businesses (or work in provider space) in both India and Singapore (and elsewhere, such as Japan). Is there a clear reason to use/not-use India as a hub? What would the pros/cons be? Is there a clear advantage to using Singapore as we originally planned? Again, we appreciate the feedback. LFoD
link avoidance
a fellow researcher wants to make the case that in some scenarios it is very important for a network operator to be able to specify that traffic should *not* traverse a certain switch/link/group of switches/group of links (that's true right?). Could you give some examples? Perhaps point me to relevant references? if so, why? security? congestion? other? but is it common? and, if so, how do you do it? randy
Re: Network Segmentation Approaches
It depends on the software used and implementation. Many rulesets for pf on BSD start with 'block in on interfaceX' for instance, because it uses a last match wins system, unless you use the 'quick' keyword to make rule processing stop if that rule matches. Andrew On 07.05.2015 08:30, Scott Weeks wrote: --- r...@gsp.org wrote: From: Rich Kulawiec r...@gsp.org The first rule in every firewall is of course deny all and subsequent rulesets permit only the traffic that is necessary. I think you got this backward? That way all traffic is blocked, so none is allowed through. Also, deny by default at the end of the rule set is not the best thing for every network that needs a firewall. Some just want to block bad stuff they see and allow everything else. (And some have stated here that they will block entire countries until their culture changes!) scott
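The rule-ordering point discussed in this thread (a leading "deny all" under pf's last-match-wins evaluation with `quick`, versus a first-match filter where the same ordering blocks everything), as an added example that is not part of any poster's message. The ruleset, addresses and function names are constructed for illustration, and the evaluator models only source address and destination port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str = "0.0.0.0/0"       # source prefix the rule applies to
    dport: Optional[int] = None  # None means any destination port
    quick: bool = False          # pf 'quick': stop evaluating on match


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and (rule.dport is None or rule.dport == pkt.dport))


def last_match(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """pf-style evaluation: the last matching rule decides, unless a
    matching rule is marked quick, which ends evaluation immediately.
    pf passes a packet that matches no rule at all."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def first_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First-match evaluation: the first matching rule decides.
    The default verdict is an assumption; it varies by product."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def to_first_match_order(rules: List[Rule]) -> List[Rule]:
    """Reorder a last-match ruleset so a first-match engine gives the
    same verdicts: quick rules keep their order and go first (the first
    matching quick rule always wins), then the remaining rules reversed
    (the last matching non-quick rule wins otherwise)."""
    quick = [r for r in rules if r.quick]
    normal = [r for r in rules if not r.quick]
    return quick + normal[::-1]


# Constructed ruleset written the way the thread describes: deny all near
# the top, specific permits after it. Addresses are documentation prefixes.
RULES = [
    Rule("block", src="198.51.100.0/24", quick=True),  # never override this
    Rule("block"),                                     # deny all
    Rule("pass", dport=443),                           # public HTTPS
    Rule("pass", src="192.0.2.0/24", dport=22),        # SSH from admin net
]

SAMPLE = [
    Packet("203.0.113.5", 443),   # ordinary client to HTTPS
    Packet("203.0.113.5", 22),    # ordinary client to SSH
    Packet("192.0.2.10", 22),     # admin net to SSH
    Packet("198.51.100.7", 443),  # quick-blocked range to HTTPS
]


def compare(rules: List[Rule] = RULES):
    """Verdicts for each sample packet under both evaluation orders."""
    return [(p.src, p.dport, last_match(rules, p), first_match(rules, p))
            for p in SAMPLE]


if __name__ == "__main__":
    for src, dport, last, first in compare():
        print(f"{src:>14}:{dport:<4} last-match={last:<5} first-match={first}")
```

Under first-match evaluation the same list blocks every sample packet, which is the reading that caused the confusion; `to_first_match_order(RULES)` moves the deny-all to the end and restores the intended policy.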
Re: Alcatel-Lucent 7750 Service Router (SR)
If you know Juniper and Cisco, the learning curve isn't so bad to pick up the ALU CLI, after working with it for a brief time, you catch on quickly. Their products are quite impressive, and a # of the carriers, are moving to them and some have already moved to them and are quite happy with their decision. On Wed, May 6, 2015 at 6:24 PM, Colton Conor colton.co...@gmail.com wrote: I am worried as most techs know Cisco and Juniper, so going to ALU would be a learning curve based on replies I am getting off list. On Wed, May 6, 2015 at 5:22 PM, Dan Snyder sliple...@gmail.com wrote: They are definitely good for that. We use them in part of our network for something very similar. I am not sure why they aren't mentioned that much. I know that they have been pretty popular in the past couple years. We are planning on using 7750 SR-a4's in the future but right now we mainly have 7750SR7/12s. Sent from my iPhone On May 6, 2015, at 6:00 PM, Colton Conor colton.co...@gmail.com wrote: Taking full BGP routes from 4+ carriers on 10G connections. Why is ALU never mentioned, but Juniper MX and Cisco are all day long? The new 7750 SR-a4 looks like a Juniper MX80 or MX104 killer. On Wed, May 6, 2015 at 4:58 PM, Dan Snyder sliple...@gmail.com wrote: We have been using them for almost 8 years now and have been pretty happy. What are you looking to use them for? Sent from my iPhone On May 6, 2015, at 5:48 PM, Colton Conor colton.co...@gmail.com wrote: I was wondering if anyone was using an Alcatel-Lucent 7750 Service Router (SR) in their network? How does this platform compare to the Cisco ASR, Brocade MLXe, and Juniper MX line?
Re: link avoidance
On 5/6/2015 3:56 PM, Randy Bush wrote: a fellow researcher wants to make the case that in some scenarios it is very important for a network operator to be able to specify that traffic should *not* traverse a certain switch/link/group of switches/group of links (that's true right?). Could you give some examples? Perhaps point me to relevant references? if so, why? security? congestion? other? but is it common? and, if so, how do you do it? randy I don't think it is common, but I have a microwave network made up of a combination of license-free links and amateur radio band links (where no commercial traffic is permitted). For now the ham-band links are stubs, so that's easy. But we're looking at using MPLS with link coloring so that as we do start to get redundant paths available, we can ensure that non-ham-radio traffic stays off the ham-band links. Matthew Kaufman
Re: Alcatel-Lucent 7750 Service Router (SR)
We have been using them for almost 8 years now and have been pretty happy. What are you looking to use them for? Sent from my iPhone On May 6, 2015, at 5:48 PM, Colton Conor colton.co...@gmail.com wrote: I was wondering if anyone was using an Alcatel-Lucent 7750 Service Router (SR) in their network? How does this platform compare to the Cisco ASR, Brocade MLXe, and Juniper MX line?
Re: Alcatel-Lucent 7750 Service Router (SR)
Taking full BGP routes from 4+ carriers on 10G connections. Why is ALU never mentioned, but Juniper MX and Cisco are all day long? The new 7750 SR-a4 looks like a Juniper MX80 or MX104 killer. On Wed, May 6, 2015 at 4:58 PM, Dan Snyder sliple...@gmail.com wrote: We have been using them for almost 8 years now and have been pretty happy. What are you looking to use them for? Sent from my iPhone On May 6, 2015, at 5:48 PM, Colton Conor colton.co...@gmail.com wrote: I was wondering if anyone was using an Alcatel-Lucent 7750 Service Router (SR) in their network? How does this platform compare to the Cisco ASR, Brocade MLXe, and Juniper MX line?
Re: Alcatel-Lucent 7750 Service Router (SR)
What's the price point of an SR-A4? Comparable to the MX104 or ASR9001? -- Stephen On 2015-05-06 7:13 PM, Craig wrote: If you know Juniper and Cisco, the learning curve isn't so bad to pick up the ALU CLI, after working with it for a brief time, you catch on quickly. Their products are quite impressive, and a # of the carriers, are moving to them and some have already moved to them and are quite happy with their decision. On Wed, May 6, 2015 at 6:24 PM, Colton Conor colton.co...@gmail.com wrote: I am worried as most techs know Cisco and Juniper, so going to ALU would be a learning curve based on replies I am getting off list. On Wed, May 6, 2015 at 5:22 PM, Dan Snyder sliple...@gmail.com wrote: They are definitely good for that. We use them in part of our network for something very similar. I am not sure why they aren't mentioned that much. I know that they have been pretty popular in the past couple years. We are planning on using 7750 SR-a4's in the future but right now we mainly have 7750SR7/12s. Sent from my iPhone On May 6, 2015, at 6:00 PM, Colton Conor colton.co...@gmail.com wrote: Taking full BGP routes from 4+ carriers on 10G connections. Why is ALU never mentioned, but Juniper MX and Cisco are all day long? The new 7750 SR-a4 looks like a Juniper MX80 or MX104 killer. On Wed, May 6, 2015 at 4:58 PM, Dan Snyder sliple...@gmail.com wrote: We have been using them for almost 8 years now and have been pretty happy. What are you looking to use them for? Sent from my iPhone On May 6, 2015, at 5:48 PM, Colton Conor colton.co...@gmail.com wrote: I was wondering if anyone was using an Alcatel-Lucent 7750 Service Router (SR) in their network? How does this platform compare to the Cisco ASR, Brocade MLXe, and Juniper MX line?
Re: Alcatel-Lucent 7750 Service Router (SR)
On May 6, 2015, at 5:48 PM, Colton Conor colton.co...@gmail.com wrote: I was wondering if anyone was using an Alcatel-Lucent 7750 Service Router (SR) in their network? How does this platform compare to the Cisco ASR, Brocade MLXe, and Juniper MX line? - I haven't used them for nearly 5 years now, but at the time they were really good. Likely, they're still the same. Search the NANOG archives, there have been discussions before. Pay attention to the after the sale service stuff in the archives. Also Jared Mauch has a ML for them at puck.nether.net, but it's a really low volume list. ALU engineers hang out there. scott
Re: Alcatel-Lucent 7750 Service Router (SR)
--- colton.co...@gmail.com wrote: From: Colton Conor colton.co...@gmail.com Why is ALU never mentioned, but Juniper MX and Cisco are all day long? - Because they're really expensive, mostly bell head networks use them and we're mostly bell head free on NANOG... ;-) scott
Re: Network Segmentation Approaches
On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote: --- r...@gsp.org wrote: From: Rich Kulawiec r...@gsp.org The first rule in every firewall is of course deny all and subsequent rulesets permit only the traffic that is necessary. I think you got this backward? That way all traffic is blocked, so none is allowed through. Nope, I said exactly what I intended (and what I do, in practice). Doing so forces one to understand in detail what traffic actually needs to pass in/out and to craft specific rules for it. This in turn helps avoid making mistake #1: The Six Dumbest Ideas in Computer Security http://www.ranum.com/security/computer_security/editorials/dumb/ ---rsk
Re: Network Segmentation Approaches
--- r...@gsp.org wrote: From: Rich Kulawiec r...@gsp.org The first rule in every firewall is of course deny all and subsequent rulesets permit only the traffic that is necessary. I think you got this backward? That way all traffic is blocked, so none is allowed through. Also, deny by default at the end of the rule set is not the best thing for every network that needs a firewall. Some just want to block bad stuff they see and allow everything else. (And some have stated here that they will block entire countries until their culture changes!) scott
Re: link avoidance
On Wed, May 6, 2015 at 6:56 PM, Randy Bush ra...@psg.com wrote: a fellow researcher wants to make the case that in some scenarios it is very important for a network operator to be able to specify that traffic should *not* traverse a certain switch/link/group of switches/group of links (that's true right?). Could you give some examples? Perhaps point me to relevant references? if so, why? security? congestion? other? but is it common? and, if so, how do you do it? Hi Randy, Depends on the context of the question. There's a simple concept a surprising number of routing researchers don't fully grasp: we like to be paid. Scenario: a free peer and a paying customer can swap packets via my links but two free peers may not. A free peer definitely should not have access to the upstream transit links I have to buy. If nobody is paying me for that packet, I'd like it to take the long way around. Any way but through my network. And yes, as you know it is very common for ISPs to strenuously disapprove of unpaid transit. And we mainly do it by limiting the propagation of free peer routes we received via BGP. Seems like this should be so obvious as to need no mention. It's not. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/
Re: link avoidance
The most common place where I have encountered that would involve differing AUPs on different links. For example, if one has a link which is built on an amateur radio layer 1, one cannot carry commercial, pornographic, encrypted, or certain other kinds of traffic on that link. I believe Internet2 vs. public transit may also pose some such requirements. Other situations I’ve seen involve data privacy concerns and/or security zone issues. Common? Not in my experience. Usually done with a combination of ACLs, Routing Policy, etc. Owen On May 6, 2015, at 3:56 PM, Randy Bush ra...@psg.com wrote: a fellow researcher wants to make the case that in some scenarios it is very important for a network operator to be able to specify that traffic should *not* traverse a certain switch/link/group of switches/group of links (that's true right?). Could you give some examples? Perhaps point me to relevant references? if so, why? security? congestion? other? but is it common? and, if so, how do you do it? randy
Alcatel-Lucent 7750 Service Router (SR)
I was wondering if anyone was using an Alcatel-Lucent 7750 Service Router (SR) in their network? How does this platform compare to the Cisco ASR, Brocade MLXe, and Juniper MX line?
Re: Network Segmentation Approaches
this is really a form of: A subnet should contain all things of a like purpose/use. that way you don't have to compromise and say: Well... tcp/443 is OK for ABC units but deadly for XYZ ones! block to the 6 of 12 XYZ and permit to all ABC... wait, can you bounce off an ABC and still kill an XYZ? crap... pwned. segregation by function/purpose... best bet you can get. On Wed, May 6, 2015 at 3:59 PM, char...@thefnf.org wrote: Consider setting up a separate zone or zones (via VLAN) for devices with embedded TCP/IP stacks. I have worked in several shops using switched power units from APC, SynAccess, and TrippLite, and find that the TCP/IP stacks in those units are a bit fragile when confronted with a lot of traffic, even when the traffic is not addressed to the embedded devices. Yes! This. I used to have my PDUs/term serves/switches all on one VLAN. As growth occurred, they get broken out to dedicated VLANs. With that, the amount of false positives from Zenoss went way down (frequently port 80 would report down, then clear). I still get some alerts, but far less frequently.
Re: Network Segmentation Approaches
Consider setting up a separate zone or zones (via VLAN) for devices with embedded TCP/IP stacks. I have worked in several shops using switched power units from APC, SynAccess, and TrippLite, and find that the TCP/IP stacks in those units are a bit fragile when confronted with a lot of traffic, even when the traffic is not addressed to the embedded devices. Yes! This. I used to have my PDUs/term serves/switches all on one VLAN. As growth occurred, they get broken out to dedicated VLANs. With that, the amount of false positives from Zenoss went way down (frequently port 80 would report down, then clear). I still get some alerts, but far less frequently.
Question about co-lo in APAC region
This is a pre-project discovery question... any help would be greatly appreciated. We have upcoming partnerships (opportunities) in APAC. The original plan was to place the hub in Singapore. Just weeks before everyone was ready to begin the RFP, it turns out that one of our partner businesses owns a Co-Lo in India. Not sure what the name or the size of this business is yet. While it would be nice to take advantage of this, we have potential partnerships in China and other areas of APAC in development... we are hesitating to put our APAC hub in India just based on latency and where the undersea cables run. So, I'm reaching out to NANOG... some of you guys have either worked with businesses (or work in provider space) in both India and Singapore (and elsewhere, such as Japan). Is there a clear reason to use/not-use India as a hub? What would the pros/cons be? Is there a clear advantage to using Singapore as we originally planned? Again, we appreciate the feedback. LFoD
Re: Question about co-lo in APAC region
Personal opinion: developing countries tend to have unstable utility service (power is what matters here), so your DC of choice in India should be Tier 4 preferably, which are hard to find and really expensive. Budget allowing, I'd stick to Hong Kong, Shanghai or Singapore as you mentioned initially. These cities have pretty large financial services industries (which rely heavily on IT telco in general) and large companies like Equinix/Digital Realty have already done the heavy lifting for you in terms of scoping a good location for an APAC datacenter. On Wed, May 6, 2015 at 11:28 AM, c b bz_siege...@hotmail.com wrote: This is a pre-project discovery question... any help would be greatly appreciated. We have upcoming partnerships (opportunities) in APAC. The original plan was to place the hub in Singapore. Just weeks before everyone was ready to begin the RFP, it turns out that one of our partner businesses owns a Co-Lo in India. Not sure what the name or the size of this business is yet. While it would be nice to take advantage of this, we have potential partnerships in China and other areas of APAC in development... we are hesitating to put our APAC hub in India just based on latency and where the undersea cables run. So, I'm reaching out to NANOG... some of you guys have either worked with businesses (or work in provider space) in both India and Singapore (and elsewhere, such as Japan). Is there a clear reason to use/not-use India as a hub? What would the pros/cons be? Is there a clear advantage to using Singapore as we originally planned? Again, we appreciate the feedback. LFoD
RE: Hulu, ABC, Disney have blocked my entire subnet!
Brett, Please share the subnet with us. Have you followed through the list here, specifically checking Akamai, and seeing what it lists? http://nanog.cluepon.net/index.php/GeoIP Frank -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Hammett Sent: Wednesday, May 06, 2015 7:45 AM To: nanog@nanog.org Subject: Re: Hulu, ABC, Disney have blocked my entire subnet! I don't think you mentioned the out of country error on the other list. ;-) Have you verified with any and all IP geolocation services that you can find that your network is properly located? Maybe they think you're in Iran? - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com - Original Message - From: Brett A Mansfield li...@silverlakeinternet.com To: nanog@nanog.org Sent: Tuesday, May 5, 2015 9:38:38 PM Subject: Hulu, ABC, Disney have blocked my entire subnet! Anyone know any good contacts with any of these companies so I can get this resolved? As an ISP, having my entire subnet blocked prevents my customers from being able to use these services they pay for. We are getting the outside of the U.S. or going through hosted proxy issue. I have never used proxies, but even if one of my customers did shouldn't it block just the one IP address? Thank you, Brett A Mansfield
RE: Question about co-lo in APAC region
Technical feasibility aside, you should consult with an attorney that specializes in International business and tax law. India is similar to China in that there are material challenges to doing business in those countries. For example, you can't get a license to operate as a foreign entity (although you can operate under someone else's license), you generally have to form a JV that is majority owned by a domestically owned company. By comparison, Singapore is a relatively easy country to get a license to operate a telecommunications business. Dave -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of c b Sent: Wednesday, May 06, 2015 10:28 AM To: nanog@nanog.org Subject: Question about co-lo in APAC region This is a pre-project discovery question... any help would be greatly appreciated. We have upcoming partnerships (opportunities) in APAC. The original plan was to place the hub in Singapore. Just weeks before everyone was ready to begin the RFP, it turns out that one of our partner businesses owns a Co-Lo in India. Not sure what the name or the size of this business is yet. While it would be nice to take advantage of this, we have potential partnerships in China and other areas of APAC in development... we are hesitating to put our APAC hub in India just based on latency and where the undersea cables run. So, I'm reaching out to NANOG... some of you guys have either worked with businesses (or work in provider space) in both India and Singapore (and elsewhere, such as Japan). Is there a clear reason to use/not-use India as a hub? What would the pros/cons be? Is there a clear advantage to using Singapore as we originally planned? Again, we appreciate the feedback. LFoD
Re: link avoidance
On Wed, May 6, 2015 at 6:41 PM, Matthew Kaufman matt...@matthew.at wrote: On 5/6/2015 3:56 PM, Randy Bush wrote: I don't think it is common, but I have a microwave network made up of a combination of license-free links and amateur radio band links (where no commercial traffic is permitted). For now the ham-band links are stubs, so Are such Ham links actually of any real use, since encoded traffic such as SSH/SSL would be verboten, due to Part97 rules against transmitting any message encoded in order to obscure the message? Also, with general network traffic.. If someone wants to request a Google search. There is no way of a router knowing if the requestor is sending the packet for a commercial purpose or for a non-pecuniary allowed usage, until TCP gets some new packet fields... You can be visiting somepizzaplace.example.com, And it's non-commercial allowed use, if you're ordering a pizza for personal consumption, But those same packets are prohibited pecuniary use, if sending those packets to order a pizza to share with a business client. that's easy. But we're looking at using MPLS with link coloring so that as Perhaps a browser plugin to add a 'Selection' dropdown for each Web Browser Tab and have a RESTful API to send connection information from the client to an Openflow controller for deciding which forwarding label to push at ingress. Matthew Kaufman -- -JH
Re: Question about co-lo in APAC region
On 7 May 2015, at 2:36, Siegel, David wrote: By comparison, Singapore is a relatively easy country to get a license to operate a telecommunications business. +1 From an overall connectivity, stability, and technical collaboration standpoint, Singapore is generally a better choice, as well. --- Roland Dobbins rdobb...@arbor.net
Re: link avoidance
On 5/6/15 15:56, Randy Bush wrote:

a fellow researcher wants to make the case that in some scenarios it is very important for a network operator to be able to specify that traffic should *not* traverse a certain switch/link/group of switches/group of links (that's true right?). Could you give some examples? Perhaps point me to relevant references?

if so, why? security? congestion? other? but is it common? and, if so, how do you do it?

My experience has been with MPLS overlays.

Availability: During maintenance windows, moving high-value traffic away from potential outages while keeping the tunnels full of BE; manually manipulating MPLS tunnel affinities (though this could be automated fairly easily).

Congestion: Whenever traffic load spikes past a threshold; diffserv-aware TE to prevent certain classes of traffic from routing over links with limited bandwidth, handled automatically via auto-bw.

Preventing non-optimal tunnel paths. No transoceanic trombones, please; MPLS link affinities designed into the network.

-Scott
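The link-affinity approach described in this message, as an added example that is not part of the original post: a constrained shortest-path computation that prunes any link carrying an excluded colour before running SPF, which is how an RSVP-TE "exclude-any" affinity keeps a tunnel off given links. The topology, metrics and colour names are constructed for illustration.

```python
import heapq

# Constructed admin groups (link colours), one bit each. Names are assumptions.
TRANSOCEANIC = 0x1
MAINTENANCE = 0x2

# Constructed topology: (node_a, node_b, IGP metric, affinity bits on the link)
LINKS = [
    ("SJC", "NRT", 5, TRANSOCEANIC),   # cheapest by metric, but a trombone
    ("NRT", "DFW", 5, TRANSOCEANIC),
    ("SJC", "LAX", 10, 0),
    ("LAX", "DFW", 10, MAINTENANCE),   # link with a maintenance window
    ("SJC", "DEN", 15, 0),
    ("DEN", "DFW", 15, 0),
    ("LAX", "HNL", 20, TRANSOCEANIC),  # HNL is reachable only over water
]

def cspf(links, src, dst, exclude_any=0):
    """Return (cost, path) over links sharing no bit with exclude_any, else None."""
    adj = {}
    for a, b, metric, colour in links:
        if colour & exclude_any:
            continue  # link is pruned before the shortest-path run
        adj.setdefault(a, []).append((b, metric))
        adj.setdefault(b, []).append((a, metric))
    best = {src: 0}
    heap = [(0, src, [src])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if cost > best.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, metric in adj.get(node, []):
            new = cost + metric
            if new < best.get(nxt, float("inf")):
                best[nxt] = new
                heapq.heappush(heap, (new, nxt, path + [nxt]))
    return None  # no path satisfies the constraint: the tunnel stays down

if __name__ == "__main__":
    for mask in (0, TRANSOCEANIC, TRANSOCEANIC | MAINTENANCE):
        print(f"exclude {mask:#x}:", cspf(LINKS, "SJC", "DFW", mask))
    print("SJC->HNL, no water:", cspf(LINKS, "SJC", "HNL", TRANSOCEANIC))
```

The last call shows the operational cost of a hard exclude: when every path to a destination carries the excluded colour, there is no fallback and the constrained path simply does not come up.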
Re: Network Segmentation Approaches
From: Rich Kulawiec r...@gsp.org On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote: From: Rich Kulawiec r...@gsp.org The first rule in every firewall is of course deny all and subsequent rulesets permit only the traffic that is necessary. I think you got this backward? That way all traffic is blocked, so none is allowed through. Nope, I said exactly what I intended (and what I do, in practice). Doing so forces one to understand in detail what traffic actually needs to pass in/out and to craft specific rules for it. This in turn helps avoid making mistake #1: The Six Dumbest Ideas in Computer Security http://www.ranum.com/security/computer_security/editorials/dumb/ - After reading your emails all these years, I figured you meant it the way you wrote it. When you wrote ...subsequent rulesets permit only the traffic that is necessary I misunderstood and thought you meant rules put in after the default deny, which are useless. But by subsequent rulesets you meant rule sets put in later in time and above the deny all not after the deny all. Small confusion over wording... :-) scott
Re: Network Segmentation Approaches
On 07.05.2015 08:30, Scott Weeks wrote: --- r...@gsp.org wrote: From: Rich Kulawiec r...@gsp.org The first rule in every firewall is of course deny all and subsequent rulesets permit only the traffic that is necessary. I think you got this backward? That way all traffic is blocked, so none is allowed through. Also, deny by default at the end of the rule set is not the best thing for every network that needs a firewall. Some just want to block bad stuff they see and allow everything else. (And some have stated here that they will block entire countries until their culture changes!) --- --- a...@jonesy.com.au wrote: From: Andrew Jones a...@jonesy.com.au It depends on the software used and implementation. Many rulesets for pf on BSD start with 'block in on interfaceX' for instance, because it uses a last match wins system, unless you use the 'quick' keyword to make rule processing stop if that rule matches. - I was assuming stop looking on first match. So, deny ip any any blocks everything at the very beginning. scott
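The ordering question in this exchange, as an added example that is not part of any poster's message: the same two rules evaluated under first-match semantics and under pf-style last-match semantics with `quick`. The rule format, addresses and default verdicts are constructed assumptions; real products differ in their implicit default.

```python
from ipaddress import ip_address, ip_network

def rule(action, src="0.0.0.0/0", dport=None, quick=False):
    """One filter rule; dport=None matches any destination port."""
    return {"action": action, "src": ip_network(src), "dport": dport, "quick": quick}

def matches(r, pkt):
    return ip_address(pkt["src"]) in r["src"] and r["dport"] in (None, pkt["dport"])

def first_match(rules, pkt, default="block"):
    """First-match evaluation: the first rule that matches decides."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return default  # assumed implicit deny when nothing matches

def last_match(rules, pkt, default="pass"):
    """pf-style evaluation: the last matching rule decides, 'quick' stops early."""
    verdict = default  # pf passes traffic that no rule matches
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

# Constructed policy: SSH from a management network is the only permitted traffic.
ALLOW_SSH = rule("pass", "192.0.2.0/24", 22)
DENY_ALL = rule("block")
DENY_FIRST = [DENY_ALL, ALLOW_SSH]
DENY_LAST = [ALLOW_SSH, DENY_ALL]
QUICK_DENY_FIRST = [rule("block", quick=True), ALLOW_SSH]

ADMIN = {"src": "192.0.2.10", "dport": 22}    # should be allowed
STRAY = {"src": "198.51.100.7", "dport": 23}  # should be blocked

def verdicts(rules):
    """(first-match, last-match) verdict for each constructed packet."""
    return {name: (first_match(rules, p), last_match(rules, p))
            for name, p in (("admin", ADMIN), ("stray", STRAY))}

if __name__ == "__main__":
    for label, rs in (("deny first", DENY_FIRST), ("deny last", DENY_LAST),
                      ("quick deny first", QUICK_DENY_FIRST)):
        print(label, verdicts(rs))
```

A leading deny-all enforces the intended policy only under last-match without `quick`; under first-match, or with `quick`, it locks out the management network as well, and a trailing deny-all under last-match does the same.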
Re: Alcatel-Lucent 7750 Service Router (SR)
I will be getting one to try. I am pretty sure it will support the ol' show ? ,config ? If not that might be a problem :-)

Thank You
Bob Evans
CTO

What's the price point of an SR-A4? Comparable to the MX104 or ASR9001?

--
Stephen

On 2015-05-06 7:13 PM, Craig wrote:

If you know Juniper and Cisco, the learning curve isn't so bad to pick up the ALU CLI, after working with it for a brief time, you catch on quickly. Their products are quite impressive, and a # of the carriers, are moving to them and some have already moved to them and are quite happy with their decision.

On Wed, May 6, 2015 at 6:24 PM, Colton Conor colton.co...@gmail.com wrote:

I am worried as most techs know Cisco and Juniper, so going to ALU would be a learning curve based on replies I am getting off list.

On Wed, May 6, 2015 at 5:22 PM, Dan Snyder sliple...@gmail.com wrote:

They are definitely good for that. We use them in part of our network for something very similar. I am not sure why they aren't mentioned that much. I know that they have been pretty popular in the past couple years. We are planning on using 7750 SR-a4's in the future but right now we mainly have 7750SR7/12s.

Sent from my iPhone

On May 6, 2015, at 6:00 PM, Colton Conor colton.co...@gmail.com wrote:

Taking full BGP routes from 4+ carriers on 10G connections. Why is ALU never mentioned, but Juniper MX and Cisco are all day long? The new 7750 SR-a4 looks like a Juniper MX80 or MX104 killer.

On Wed, May 6, 2015 at 4:58 PM, Dan Snyder sliple...@gmail.com wrote:

We have been using them for almost 8 years now and have been pretty happy. What are you looking to use them for?

Sent from my iPhone

On May 6, 2015, at 5:48 PM, Colton Conor colton.co...@gmail.com wrote:

I was wondering if anyone was using an Alcatel-Lucent 7750 Service Router (SR) in their network? How does this platform compare to the Cisco ASR, Brocade MLXe, and Juniper MX line?
RE: IP DSCP across the Internet
I presume nothing is honored. I just encapsulate everything if I'm crossing networks outside my corporate WAN. Amazing how handy openvpn with no crypto is. :)

-----Original Message-----
From: Mark Tinka mark.ti...@seacom.mu
Sent: 5/6/2015 12:39 AM
To: Ramy Hashish ramy.ihash...@gmail.com; nanog@nanog.org nanog@nanog.org
Subject: Re: IP DSCP across the Internet

On 5/May/15 12:27, Ramy Hashish wrote:

Good day all, A simple question, does Internet trust IP DSCP marking? Assume two ASs connected through two tier 1 networks, will the tier one networks trust any DSCP markings done from an AS to the other?

I wouldn't bet on it. Some providers honor, most remark. We remark. We can only honor DSCP values on private circuits (l2vpn, l3vpn, that sort o' thing).

Mark.
Re: Alcatel-Lucent 7750 Service Router (SR)
that second command is admin display-config or admin display-config | match

cheers

On Thu, May 7, 2015 at 1:53 PM, Bob Evans b...@fiberinternetcenter.com wrote:

I will be getting one to try. I am pretty sure it will support the ol' show ? ,config ? If not that might be a problem :-)

Thank You
Bob Evans
CTO

What's the price point of an SR-A4? Comparable to the MX104 or ASR9001?

--
Stephen

On 2015-05-06 7:13 PM, Craig wrote:

If you know Juniper and Cisco, the learning curve isn't so bad to pick up the ALU CLI, after working with it for a brief time, you catch on quickly. Their products are quite impressive, and a # of the carriers, are moving to them and some have already moved to them and are quite happy with their decision.

On Wed, May 6, 2015 at 6:24 PM, Colton Conor colton.co...@gmail.com wrote:

I am worried as most techs know Cisco and Juniper, so going to ALU would be a learning curve based on replies I am getting off list.

On Wed, May 6, 2015 at 5:22 PM, Dan Snyder sliple...@gmail.com wrote:

They are definitely good for that. We use them in part of our network for something very similar. I am not sure why they aren't mentioned that much. I know that they have been pretty popular in the past couple years. We are planning on using 7750 SR-a4's in the future but right now we mainly have 7750SR7/12s.

Sent from my iPhone

On May 6, 2015, at 6:00 PM, Colton Conor colton.co...@gmail.com wrote:

Taking full BGP routes from 4+ carriers on 10G connections. Why is ALU never mentioned, but Juniper MX and Cisco are all day long? The new 7750 SR-a4 looks like a Juniper MX80 or MX104 killer.

On Wed, May 6, 2015 at 4:58 PM, Dan Snyder sliple...@gmail.com wrote:

We have been using them for almost 8 years now and have been pretty happy. What are you looking to use them for?

Sent from my iPhone

On May 6, 2015, at 5:48 PM, Colton Conor colton.co...@gmail.com wrote:

I was wondering if anyone was using an Alcatel-Lucent 7750 Service Router (SR) in their network? How does this platform compare to the Cisco ASR, Brocade MLXe, and Juniper MX line?
Re: link avoidance
On Wed, May 6, 2015 at 6:56 PM, Randy Bush ra...@psg.com wrote:

a fellow researcher wants to make the case that in some scenarios it is very important for a network operator to be able to specify that traffic should *not* traverse a certain switch/link/group of switches/group of links (that's true right?). Could you give some examples? Perhaps point me to relevant references?

if so, why? security? congestion? other? but is it common? and, if

'Level3 Maintenance for Fiber path X on date Y' where 'fiber path x' is one of your paths from A to B. Gracefully move traffic (isis/ospf/rip/etc metric jackery), return traffic when the crisis is past.

so, how do you do it?

randy
Re: Fixing Google geolocation screwups
On Wed, May 6, 2015 at 3:19 AM, Fred Hollis f...@web2objects.com wrote:

Honestly, I lost patience with the system learning the proper location of the IPv6 block. I have a very similar problem to the OP since 4-5 months, submitted this IP correction form multiple times... nothing changed. This is *very* annoying. Yes, my whois/SWIP is perfectly fine, every other geo ip database is showing correct location.

which block fred?

On 06.05.2015 at 03:36 Matt Palmer wrote:

On Wed, May 06, 2015 at 10:56:22AM +1000, Mark Andrews wrote:

In message 20150505210746.gh22...@hezmatt.org, Matt Palmer writes:

On Tue, May 05, 2015 at 12:03:23PM -0400, Luan Nguyen wrote:

There's a form here - https://support.google.com/websearch/contact/ip But google is pretty smart, its systems will learn the correct geolocation over time...

That'd be quite a trick, given that the netblock practically can't be used at all with Google services.

One would expect support.google.com to not be geo blocked just like postmaster@ should not be filtered. That said they can always disable IPv6 temporarily (or just firewall off the IPv6 instance of support.google.com and have the browser fallback to IPv4) and reach support.google.com over IPv4 to lodge the complaint.

I was specifically responding to the suggestion that Google would automagically learn the correct location of the netblock, presumably based on the characteristics of requests coming from the range. Being explicitly told that a given netblock is in a given location (as effective, or otherwise, as that may be) doesn't really fit the description of systems [learning] the correct geolocation over time.

- Matt
RE: Alcatel-Lucent 7750 Service Router (SR)
The show stuff is certainly there but the config is a bit different. You may have to get used to using the info command. :) They also use logical IP interfaces which are then tied to physical, you don't directly configure L3 on a physical interface. You also have designations between service and network physical interfaces, although nowadays they can be set as hybrid. It's really pretty simple if you are used to a Cisco or Juniper. They have tab and ? completion now for both commands as well as elements similar to Junos which is helpful.

Phil

-----Original Message-----
From: Bob Evans b...@fiberinternetcenter.com
Sent: 5/6/2015 11:55 PM
To: nanog@nanog.org nanog@nanog.org
Subject: Re: Alcatel-Lucent 7750 Service Router (SR)

I will be getting one to try. I am pretty sure it will support the ol' show ? ,config ? If not that might be a problem :-)

Thank You
Bob Evans
CTO

What's the price point of an SR-A4? Comparable to the MX104 or ASR9001?

--
Stephen

On 2015-05-06 7:13 PM, Craig wrote:

If you know Juniper and Cisco, the learning curve isn't so bad to pick up the ALU CLI, after working with it for a brief time, you catch on quickly. Their products are quite impressive, and a # of the carriers, are moving to them and some have already moved to them and are quite happy with their decision.

On Wed, May 6, 2015 at 6:24 PM, Colton Conor colton.co...@gmail.com wrote:

I am worried as most techs know Cisco and Juniper, so going to ALU would be a learning curve based on replies I am getting off list.

On Wed, May 6, 2015 at 5:22 PM, Dan Snyder sliple...@gmail.com wrote:

They are definitely good for that. We use them in part of our network for something very similar. I am not sure why they aren't mentioned that much. I know that they have been pretty popular in the past couple years. We are planning on using 7750 SR-a4's in the future but right now we mainly have 7750SR7/12s.

Sent from my iPhone

On May 6, 2015, at 6:00 PM, Colton Conor colton.co...@gmail.com wrote:

Taking full BGP routes from 4+ carriers on 10G connections. Why is ALU never mentioned, but Juniper MX and Cisco are all day long? The new 7750 SR-a4 looks like a Juniper MX80 or MX104 killer.

On Wed, May 6, 2015 at 4:58 PM, Dan Snyder sliple...@gmail.com wrote:

We have been using them for almost 8 years now and have been pretty happy. What are you looking to use them for?

Sent from my iPhone

On May 6, 2015, at 5:48 PM, Colton Conor colton.co...@gmail.com wrote:

I was wondering if anyone was using an Alcatel-Lucent 7750 Service Router (SR) in their network? How does this platform compare to the Cisco ASR, Brocade MLXe, and Juniper MX line?