Re: Favorite GPON Vendor?

2015-11-12 Thread Tarko Tikan

hey,


I used Huawei GPON gear at previous job.


+1 for the MA5600 series. They are decent boxes compared to most of the 
other vendors that tend to be hardcore telco with (undocumented) TL1 
management plane.


--
tarko


RE: Favorite GPON Vendor?

2015-11-12 Thread Scott Helms
Frank,

Take a look at this webinar.

https://www.webcaster4.com/Webcast/Page?companyId=116=10264
On Nov 12, 2015 7:03 PM, "Frank Bulk"  wrote:

> What does ADTRAN's NG-PON2 upgrade path have over Calix's?
>
> Frank
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Reynolds
> Sent: Wednesday, November 11, 2015 8:49 PM
> To: NANOG 
> Subject: Re: Favorite GPON Vendor?
>
> We are about to deploy Calix, but after hearing about $company
> deploying Adtran and liking their chassis features and NG-PON2 upgrade
> path, we are now open to other vendors. Price IS a concern for us, but
> not THE concern.
>
> This may sound "wacky" to some, but if anybody on here is using Huawei
> GPON gear, could you contact me off list? Thanks
> (josh AT kyneticwifi.com)
>
> On Mon, Nov 9, 2015 at 8:49 AM, Jay Patel  wrote:
> > Who is your favorite GPON  OLT/ONU Vendor? Why?   I am looking for
> > recommendations
> >
> > I apologize in advance , if you feel my question is inappropriate for
> this
> > mailing list ( feel free to point me to right forum/mailing list).
> >
> > Regards,
> > Jay.
>
>
>


RE: Favorite GPON Vendor?

2015-11-12 Thread Jason Baugher
Too bad they require registration, don't need yet another sales person
calling me.

The abstract reads more or less like what Calix is promoting with their
product development.
On Nov 12, 2015 6:25 PM, "Scott Helms"  wrote:

> Frank,
>
> Take a look at this webinar.
>
> https://www.webcaster4.com/Webcast/Page?companyId=116=10264
> On Nov 12, 2015 7:03 PM, "Frank Bulk"  wrote:
>
> > What does ADTRAN's NG-PON2 upgrade path have over Calix's?
> >
> > Frank
> >
> > -Original Message-
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Reynolds
> > Sent: Wednesday, November 11, 2015 8:49 PM
> > To: NANOG 
> > Subject: Re: Favorite GPON Vendor?
> >
> > We are about to deploy Calix, but after hearing about $company
> > deploying Adtran and liking their chassis features and NG-PON2 upgrade
> > path, we are now open to other vendors. Price IS a concern for us, but
> > not THE concern.
> >
> > This may sound "wacky" to some, but if anybody on here is using Huawei
> > GPON gear, could you contact me off list? Thanks
> > (josh AT kyneticwifi.com)
> >
> > On Mon, Nov 9, 2015 at 8:49 AM, Jay Patel  wrote:
> > > Who is your favorite GPON  OLT/ONU Vendor? Why?   I am looking for
> > > recommendations
> > >
> > > I apologize in advance , if you feel my question is inappropriate for
> > this
> > > mailing list ( feel free to point me to right forum/mailing list).
> > >
> > > Regards,
> > > Jay.
> >
> >
> >
>


Re: Favorite GPON Vendor?

2015-11-12 Thread Mark Tinka


On 12/Nov/15 20:42, Josh Reynolds wrote:

> Did you guys use them for core and distribution switching/routing as
> well, or just on the GPON access side?

Just GPON.

All IP/MPLS/Ethernet kit was Cisco and Juniper.

Mark.


RE: Favorite GPON Vendor?

2015-11-12 Thread Frank Bulk
What does ADTRAN's NG-PON2 upgrade path have over Calix's?

Frank

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Reynolds
Sent: Wednesday, November 11, 2015 8:49 PM
To: NANOG 
Subject: Re: Favorite GPON Vendor?

We are about to deploy Calix, but after hearing about $company
deploying Adtran and liking their chassis features and NG-PON2 upgrade
path, we are now open to other vendors. Price IS a concern for us, but
not THE concern.

This may sound "wacky" to some, but if anybody on here is using Huawei
GPON gear, could you contact me off list? Thanks
(josh AT kyneticwifi.com)

On Mon, Nov 9, 2015 at 8:49 AM, Jay Patel  wrote:
> Who is your favorite GPON  OLT/ONU Vendor? Why?   I am looking for
> recommendations
>
> I apologize in advance , if you feel my question is inappropriate for this
> mailing list ( feel free to point me to right forum/mailing list).
>
> Regards,
> Jay.




Re: Environmental Graph Interpretation

2015-11-12 Thread Jussi Peltola
If there are heat producing devices in the room, it sounds implausible
for condensation to occur in significant amounts unless the climate is
very, very humid. 

RH sensors are often very inaccurate, but you can get the indoor dew
point from the RH and the temperature[1], and if the floor is warmer
than the dew point there can be no condensation. If it is below the dew
point, there will be condensation - but the outside air cannot be colder
than its own dewpoint, so in this case something must be adding water
vapor to increase the absolute humidity in the room, or the floor must
be cooled by something other than outside air. (Or the temperature [and
dew point] of the outside air must be constantly falling while the indoor
air is lagging behind. This can only be a transient situation, and the
reverse should happen at some point, drying the floor again)

1: http://andrew.rsmas.miami.edu/bmcnoldy/Humidity.html
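Jussi's check above (get the dew point from RH and temperature, then compare the floor temperature against it), worked through in code. This is an added example and not part of the thread: it uses the Magnus approximation with the Alduchov-Eskridge constants, which is an assumption (the post only links a dew-point calculator, not a formula), and the sensor readings are constructed, not the original poster's data.

```python
"""Dew point from air temperature and relative humidity, and the floor-condensation test.
Added example. The Magnus approximation and its constants are an assumption, not taken
from the thread; the readings are constructed."""
import math

A, B = 17.625, 243.04   # Magnus coefficients (Alduchov-Eskridge), degrees C


def dew_point(temp_c, rh_percent):
    """Dew point in degrees C for air at temp_c with relative humidity rh_percent (0 < RH <= 100)."""
    gamma = math.log(rh_percent / 100.0) + A * temp_c / (B + temp_c)
    return B * gamma / (A - gamma)


def condensation_expected(air_temp_c, rh_percent, floor_temp_c):
    """True when the floor is colder than the room air's dew point, i.e. water condenses on it."""
    return floor_temp_c < dew_point(air_temp_c, rh_percent)


# Constructed sample readings (air temp C, RH %, floor temp C); not the poster's actual graphs.
SAMPLE_READINGS = [
    (22.0, 80.0, 15.0),   # humid room over a cold slab: floor gets wet
    (22.0, 40.0, 18.0),   # same floor, drier air: stays dry
    (18.0, 95.0, 17.0),   # indoor air lagging a very humid outside: borderline, still wet
]


def classify(readings):
    """Return [(dew point rounded to 0.1 C, condensation expected?)] for each reading."""
    return [(round(dew_point(t, rh), 1), condensation_expected(t, rh, f)) for t, rh, f in readings]
```

With an RH sensor that may be several percent off, it is worth running `classify` over the sensor's error band (RH plus and minus the stated accuracy) rather than the single reading before deciding a dehumidifier is the fix.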



Re: Fwd: Updated Ookla Speedtest Server Requirements

2015-11-12 Thread Eliezer Croitoru

On 10/11/2015 03:19, Lorell Hathcock wrote:

Currently using IBM/LENOVO x3550  / 12 GB RAM / 2 x Xeon E5620


This is overkill for this tiny task.



10GbE uplink currently handling ~2gbps peak traffic.

These services are not meant to sustain 10GbE for a very long time.
The specs from:
http://www.ookla.com/support/a26461638/

are pretty good and accurate.
As long as you don't use Atom CPUs you will probably max out the 10GbE.

Eliezer


Re: Favorite GPON Vendor?

2015-11-12 Thread Carlos Alcantar

I believe with any of these arms dealers (GPON vendors) they all have their 
goods and bads; it really comes down to what poison you feel you can deal with. 
The one place I can speak on with Calix is their Consumer Connect with their 
800 series ONTs, which has pushed it to a totally different level; it's not perfect 
but it's getting there. 

Carlos Alcantar
Race Communications / Race Team Member
1325 Howard Ave. #604, Burlingame, CA. 94010
Phone: +1 415 376 3314 / car...@race.com / http://www.race.com



From: NANOG  on behalf of Scott Helms
Sent: Thursday, November 12, 2015 4:24 PM
To: Frank Bulk (iname.com)
Cc: NANOG
Subject: RE: Favorite GPON Vendor?

Frank,

Take a look at this webinar.

https://www.webcaster4.com/Webcast/Page?companyId=116=10264
On Nov 12, 2015 7:03 PM, "Frank Bulk"  wrote:

> What does ADTRAN's NG-PON2 upgrade path have over Calix's?
>
> Frank
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Reynolds
> Sent: Wednesday, November 11, 2015 8:49 PM
> To: NANOG 
> Subject: Re: Favorite GPON Vendor?
>
> We are about to deploy Calix, but after hearing about $company
> deploying Adtran and liking their chassis features and NG-PON2 upgrade
> path, we are now open to other vendors. Price IS a concern for us, but
> not THE concern.
>
> This may sound "wacky" to some, but if anybody on here is using Huawei
> GPON gear, could you contact me off list? Thanks
> (josh AT kyneticwifi.com)
>
> On Mon, Nov 9, 2015 at 8:49 AM, Jay Patel  wrote:
> > Who is your favorite GPON  OLT/ONU Vendor? Why?   I am looking for
> > recommendations
> >
> > I apologize in advance , if you feel my question is inappropriate for
> this
> > mailing list ( feel free to point me to right forum/mailing list).
> >
> > Regards,
> > Jay.
>
>
>


Another puck.nether.net Outage?

2015-11-12 Thread Crist Clark
There hasn't been any traffic on the puck.nether.net list to which I am
subscribed since the 10th. I sent something to cisco-nsp yesterday and
retried today, and nothing has come through.

Is it me or puck?

I apologize for using NANOG for this, but jared's email is puck.nether.net
too; something OOB is needed. I know there are many, many people here who
also follow puck.nether.net lists and some may have another way to reach
him.


Re: DNSSEC and ISPs faking DNS responses

2015-11-12 Thread Owen DeLong

> On Nov 12, 2015, at 20:50 , John Levine  wrote:
> 
> In article <56455885.8090...@vaxination.ca> you write:
>> The Québec government is wanting to pass a law that will force ISPs to
>> block and/or redirect certain sites it doesn't like.  (namely sites that
>> offer on-line gambling that compete against its own Loto Québec).
> 
> Blocking is pretty easy, just don't return the result, or fake an
> NXDOMAIN.  For a signed domain, a DNSSEC client will see a SERVFAIL
> instead, but they still won't get a result.
> 
> Redirecting is much harder -- as others have explained there is a
> chain of signatures from the root to the desired record, and if the
> chain isn't intact, it's SERVFAIL again.  Inserting a replacement
> record with a fake signature into the original chain is intended to be
> impossible.  (If you figure out how, CSIS would really like to talk to
> you.)  It is possible to configure an ISP's DNS caches to trust
> specific signatures for specific parts of the tree, but that is kludgy
> and fragile and is likely to break DNS for everyone.

If you know that the client is using ONLY your resolver(s), couldn’t you
simply fake the entire chain and sign everything yourself?

Or, alternatively, couldn’t you just fake the answers to all the “is this
signed?” requests and say “Nope!” regardless of the state of the authoritative
zone in question?

Sure, if the client has any sort of independent visibility it can verify that
you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
much mean it can’t tell that you’re lying to it?

> 
> And anyway, it's pointless.  What they're saying is to take the
> gambling sites out of the phone book, but this is the Internet and
> there are a million other phone books available, outside of Quebec,
> such as Google's 8.8.8.8 located in the US, that people can configure
> their computers to use with a few mouse clicks.  Or you can run your
> own cache on your home network like I do, just run NSD or BIND on a
> linux laptop.

I believe the traditional statement is “This type of regulation is considered
damage and will be routed around.”

> 
> They could insist that ISPs block the actual web traffic to the sites,
> by blocking IP ranges, but that is also a losing battle since it's
> trivial to circumvent with widely available free VPN software.  If
> they want to outlaw VPNs, they're outlawing telework, since VPNs is
> how remote workers connect to their employers' systems, and the
> software is identical.

It’s also fairly easy for the gambling sites to become somewhat IP Agile
creating a game of Whack-a-mole for the regulators and the ISPs they
are inflicting this pain on.

Owen




Re: DNSSEC and ISPs faking DNS responses

2015-11-12 Thread John Levine
>> Redirecting is much harder -- ...

>If you know that the client is using ONLY your resolver(s), couldn’t you
>simply fake the entire chain and sign everything yourself?

I suppose, although doing that at scale in a large provider like Videotron
(1.5M subscribers) would be quite a challenge.

>Or, alternatively, couldn’t you just fake the answers to all the “is this
>signed?” requests and say “Nope!” regardless of the state of the authoritative
>zone in question?

No, those responses are signed too.

>Sure, if the client has any sort of independent visibility it can verify that
>you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
>much mean it can’t tell that you’re lying to it?

At this point very few client resolvers check DNSSEC, so something
that stripped off all the DNSSEC stuff and inserted lies where
required would "work" for most clients.  At least until they realized
they couldn't get to PokerStars and switched their DNS to 8.8.8.8.

R's,
John


Re: DNSSEC and ISPs faking DNS responses

2015-11-12 Thread Mark Andrews

In message <5ca68a46-2f63-466a-b418-30da71b2b...@delong.com>, Owen DeLong writes:
>
> > On Nov 12, 2015, at 20:50 , John Levine  wrote:
> >
> > In article <56455885.8090...@vaxination.ca> you write:
> >> The Québec government is wanting to pass a law that will force ISPs to
> >> block and/or redirect certain sites it doesn't like.  (namely sites
> >> that offer on-line gambling that compete against its own Loto Québec).
> >
> > Blocking is pretty easy, just don't return the result, or fake an
> > NXDOMAIN.  For a signed domain, a DNSSEC client will see a SERVFAIL
> > instead, but they still won't get a result.
> >
> > Redirecting is much harder -- as others have explained there is a
> > chain of signatures from the root to the desired record, and if the
> > chain isn't intact, it's SERVFAIL again.  Inserting a replacement
> > record with a fake signature into the original chain is intended to be
> > impossible.  (If you figure out how, CSIS would really like to talk to
> > you.)  It is possible to configure an ISP's DNS caches to trust
> > specific signatures for specific parts of the tree, but that is kludgy
> > and fragile and is likely to break DNS for everyone.
>
> If you know that the client is using ONLY your resolver(s), couldn’t you
> simply fake the entire chain and sign everything yourself?

Which is exactly how we test validation in nameservers.  If you
tell the validator to use a bogus trust anchor you get bogus trust.

> Or, alternatively, couldn’t you just fake the answers to all the “is this
> signed?” requests and say “Nope!” regardless of the state of the
> authoritative zone in question?

No.  You can detect that.

> Sure, if the client has any sort of independent visibility it can verify
> that
> you’re lying, but if it can only talk to your resolvers, doesn’t that
> pretty
> much mean it can’t tell that you’re lying to it?

No.  The root's trust anchor is published independently of whatever
your ISP does.  This isn't something you learn via DHCP.

> > And anyway, it's pointless.  What they're saying is to take the
> > gambling sites out of the phone book, but this is the Internet and
> > there are a million other phone books available, outside of Quebec,
> > such as Google's 8.8.8.8 located in the US, that people can configure
> > their computers to use with a few mouse clicks.  Or you can run your
> > own cache on your home network like I do, just run NSD or BIND on a
> > linux laptop.
>
> I believe the traditional statement is “This type of regulation is
> considered
> damage and will be routed around.”
>
> >
> > They could insist that ISPs block the actual web traffic to the sites,
> > by blocking IP ranges, but that is also a losing battle since it's
> > trivial to circumvent with widely available free VPN software.  If
> > they want to outlaw VPNs, they're outlawing telework, since VPNs is
> > how remote workers connect to their employers' systems, and the
> > software is identical.
>
> It’s also fairly easy for the gambling sites to become somewhat IP Agile
> creating a game of Whack-a-mole for the regulators and the ISPs they
> are inflicting this pain on.
>
> Owen

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Favorite GPON Vendor?

2015-11-12 Thread Tiago Arnold
To me the best solution in GPON is http://www.parks.com.br/ from Brazil.
Good support and innovation.


RE: Favorite GPON Vendor?

2015-11-12 Thread nanog-isp
> Too bad they require registration

Direct download link:

http://www.webcaster4.com/Player/Material?uid=2305846=5f4478fb-d75f-4ef6-93f3-e25b67862c7a

Or login with d...@sharklasers.com. 

Jared


Re: Environmental Graph Interpretation

2015-11-12 Thread Marcin Wojcik
My guess is that your floor is not insulated. The air temperature in
the room is higher than the temperature of the floor, hence the floor
starts sweating. Where are your temperature sensors installed? Do you
have one of them measuring the air temperature in the room and the
other located on the floor? What readings do they show? I'd use a temp.
gun to measure the floor temp (if you have only one sensor installed)
and see if you have a considerable temp. difference between those two
readings.

I'd say you won't have this problem if you insulate the floor (if
possible). Another option is A/C - it will help to control the temp
and decrease humidity. A dehumidifier should help too but it wouldn't
be my choice...





On Tue, Nov 10, 2015 at 10:48 PM, Lorell Hathcock  wrote:
> NANOG:
>
>
>
> Are there any one the list that would care to take a look at some graphs of
> temperature, relative humidity and dew point that I have for two locations.
> In one of the two locations, I'm having a problem with the floor getting wet
> (condensation?).  At the other everything is just fine.
>
>
>
> I need to understand what these graphs are telling me about the problem and
> if a simple dehumidifier would solve my moisture problem.
>
>
>
> Any takers?
>
>
>
> Oh, the environmental monitor I installed in each location is the IT
> Watchdog from Geist Global.  I bought the POE version.  Installed like a
> charm and was $229 plus shipping.
>
>
>
> I do wonder if this question is off topic, but then I can hear myself saying
> "Hey, I'm Operating a Network, here!  In North America!"  And then I think,
> "Yep, on topic!"
>
>
>
> Thanks,
>
>
>
> Sincerely,
>
>
>
> Lorell Hathcock
>
>
>
>
>
>
> SolStar Network, LLC
>
> Communications
>
> FIBER - VOIP - SECURITY - TV
>
> FTTH - Commercial - Residential
>
> Burglar - Access Control
>
> 956-478-5955 (cell) - 956-316-4090 (main)
>
>   lor...@solstarnetwork.com
>
>   www.SolStarNetwork.com
>
> TX License #B19998
>
>
>
>
>
>
>
>
>
>
>


Re: DNSSEC and ISPs faking DNS responses

2015-11-12 Thread Bob Evans
This will only create a new private (non-public) DNS service in China or
Romania for Canadians to use. Imagine that someone in China starts a
business to help people get around censorship in countries other than
China.

You nailed it - "clueless politicians".

Bob Evans
CTO




>
> The Québec government is wanting to pass a law that will force ISPs to
> block and/or redirect certain sites it doesn't like.  (namely sites that
> offer on-line gambling that compete against its own Loto Québec).
>
> In order to make a good submission to government, one has to boil it
> down to simple enough arguments that clueless politicians can
> understand. And for me to do that, I want to make sure I understand this
> correctly.
>
>
> I have tried to research DNSSEC and while I understand how a proper DNS
> server can validate the chain from the
>  - root server
>  - TLD server
>  - authoritative DNS server for that domain
>
> I remain in the dark with regards to clients, namely clients who cannot
> trust the DNS server supplied as part of DHCP/IPCP/PPPoE responses.
>
>
> Say a consumer wants to connect to lottery.com,  which, from the world
> outside the ISP, would result in a signed, verifiable response.
>
> Can't the ISP's DNS server just pretend it is authoritative for
> lottery.com and return to client a non-DNSSEC response that points to a
> fake IP address ?
>
> If the client gets an unsigned response for lottery.com from its ISP's
> DNS server,  how can it know it is a fake response, how can it know that
> lottery.com should have generated a signed DNSSEC response ?
>
>
> It seems to me that unless each client goes to the tld servers (they
> already have root signatures), get signature of the tld server and
> signed response of where "lottery.com" can be found, they have no way to
> know whether lottery.com should be signed or not, and whether the answer
> they got from their ISP is good or not.
>
> Is that a proper understanding ?
>
>
>
> So far, I have seen good explanations of what happens between DNS
> servers and the servers that are authoritative for domain, TLD and root.
> But I have seen nothing about clients who only have a resolver that
> talks to a DNS server.
>
>
> And while I am at it: when a client gets a legit response from ISP's DNS
> server with RRSIG records, how does the client obtain the public key
> against which to run the record to ensure its calculated signature
> matches that provided in RRSIG ?
>
> or do DNS servers return the full chain of records so that a request for
> lottery.com returns not only record for lottery.com but also .com's
> reply on where lottery.com is and root's reply of where .com is ?
>
>
> Hopefully, I am only missing a small bit that would explain everything
> that happens at the client side.  But as long as I am told that the
> client only talks to the ISP's DNS server, I am at a loss.
>
> Any help appreciated. (I just watched an hour long youtube on subject
> which didn't deal with client much).
>




Re: DNSSEC and ISPs faking DNS responses

2015-11-12 Thread Mark Andrews

In message <56455885.8090...@vaxination.ca>, Jean-Francois Mezei writes:
> 
> The Québec government is wanting to pass a law that will force ISPs to
> block and/or redirect certain sites it doesn't like.  (namely sites that
> offer on-line gambling that compete against its own Loto Québec).
> 
> In order to make a good submission to government, one has to boil it
> down to simple enough arguments that clueless politicians can
> understand. And for me to do that, I want to make sure I understand this
> correctly.
> 
> 
> I have tried to research DNSSEC and while I understand how a proper DNS
> server can validate the chain from the
>  - root server
>  - TLD server
>  - authoritative DNS server for that domain
> 
> I remain in the dark with regards to clients, namely clients who cannot
> trust the DNS server supplied as part of DHCP/IPCP/PPPoE responses.
> 
> 
> Say a consumer wants to connect to lottery.com,  which, from the world
> outside the ISP, would result in a signed, verifiable response.
> 
> Can't the ISP's DNS server just pretend it is authoritative for
> lottery.com and return to client a non-DNSSEC response that points to a
> fake IP address ?

No.  If the client is validating the response it will fail validation.
 
> If the client gets an unsigned response for lottery.com from its ISP's
> DNS server,  how can it know it is a fake response, how can it know that
> lottery.com should have generated a signed DNSSEC response ?

Because it asks the ISP for DS lottery.com and that response tells
the client if it should be getting a signed response or not and
which DNSKEYs to trust.

> It seems to me that unless each client goes to the tld servers (they
> already have root signatures), get signature of the tld server and
> signed response of where "lottery.com" can be found, they have no way to
> know whether lottery.com should be signed or not, and whether the answer
> they got from their ISP is good or not.
> 
> Is that a proper understanding ?

DNSSEC was designed to allow a client to get answers from a recursive
server it does not trust and verify that the answer has not been
tampered with.  There are not many clients that do this yet but that
was the design goal and yes it was achieved.

> So far, I have seen good explanations of what happens between DNS
> servers and the servers that are authoritative for domain, TLD and root.
> But I have seen nothing about clients who only have a resolver that
> talks to a DNS server.

They make the same queries and verify the answers the same way.

For lottery.com they would ask for the DNSKEY records for lottery.com,
the DS records for lottery.com, the DNSKEY records for com, the DS
records for com and the DNSKEY records for the root.  It doesn't
matter if these come from a cache or directly from the authoritative
servers.  The crypto to verify the answers is the same.

> And while I am at it: when a client gets a legit response from ISP's DNS
> server with RRSIG records, how does the client obtain the public key
> against which to run the record to ensure its calculated signature
> matches that provided in RRSIG ?

It asks for the DNSKEY records and RRSIGs.  Verifies them against the DS
records which it asks for.  Repeat all the way to the root.
 
> or do DNS servers return the full chain of records so that a request for
> lottery.com returns not only record for lottery.com but also .com's
> reply on where lottery.com is and root's reply of where .com is ?
> 
> 
> Hopefully, I am only missing a small bit that would explain everything
> that happens at the client side.  But as long as I am told that the
> client only talks to the ISP's DNS server, I am at a loss.
> 
> Any help appreciated. (I just watched an hour long youtube on subject
> which didn't deal with client much).
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
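Mark Andrews's two replies describe the client-side walk (ask for the DNSKEY and DS at each level, verify each against the level above, back to a root trust anchor that the client obtained out of band, and "a bogus trust anchor gives bogus trust"), and John Levine notes that the "is this signed?" answers are themselves signed. The following is an added example and not code from the thread, from ISC or from BIND: a small Python model of that walk run against constructed resolver answers. Textbook RSA with tiny well-known primes stands in for the real RRSIG algorithms, a parent-signed "DS NONE" record stands in for NSEC denial of existence, every name is treated as a zone apex, and the names, addresses and keys are all constructed.

```python
"""Toy model of DNSSEC chain-of-trust validation in a stub client (constructed example).
Textbook RSA with tiny keys stands in for the RRSIG algorithms, a parent-signed
"DS NONE" record stands in for NSEC denial of existence, every name is a zone apex."""
import hashlib
from math import gcd

# Constructed key material: well-known primes, NOT secure; only the chain logic matters.
PRIME_PAIRS = [(1000000007, 1000000009), (998244353, 2147483647),
               (2305843009213693951, 7919), (131071, 524287)]

def make_key(p, q):
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while gcd(e, phi) != 1:                     # keep e invertible mod phi
        e += 2
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def _h(data, n):                                # SHA-256 of the canonical record, as an int < n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(key, data):                            # toy RRSIG: H(m)^d mod n
    return pow(_h(data, key["n"]), key["d"], key["n"])
def verify(pub, data, sig):                     # toy RRSIG check: sig^e mod n == H(m)
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])
def canon(name, rtype, rdata):                  # canonical bytes that get signed
    return f"{name} {rtype} {rdata}".encode()
def dnskey_rdata(key):                          # public half only, "n:e"
    return f"{key['n']}:{key['e']}"
def ds_rdata(dnskey):                           # DS = digest of the child's DNSKEY
    return hashlib.sha256(dnskey.encode()).hexdigest()

def honest_answers(zone_keys, leaf_name, leaf_type, leaf_rdata):
    """Records an honest resolver returns, as {(name, type): (rdata, sig)}: each zone's
    self-signed DNSKEY, each child's DS signed by the parent key, and the signed leaf."""
    ans = {}
    for i, (zone, key) in enumerate(zone_keys):
        dk = dnskey_rdata(key)
        ans[(zone, "DNSKEY")] = (dk, sign(key, canon(zone, "DNSKEY", dk)))
        if i + 1 < len(zone_keys):
            child, ds = zone_keys[i + 1][0], ds_rdata(dnskey_rdata(zone_keys[i + 1][1]))
            ans[(child, "DS")] = (ds, sign(key, canon(child, "DS", ds)))
    key = zone_keys[-1][1]
    ans[(leaf_name, leaf_type)] = (leaf_rdata, sign(key, canon(leaf_name, leaf_type, leaf_rdata)))
    return ans

def chain_for(name):                            # "lottery.com." -> [".", "com.", "lottery.com."]
    labels = [l for l in name.split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def validate(answers, trust_anchor_ds, name, rtype):
    """Walk from the out-of-band root trust anchor down to (name, rtype); only the anchor is
    trusted. Returns 'secure', 'insecure' (delegation provably unsigned) or 'bogus'."""
    expected_ds, chain = trust_anchor_ds, chain_for(name)
    for i, zone in enumerate(chain):
        dk = answers.get((zone, "DNSKEY"))
        if dk is None:
            return "bogus"
        pub = dict(zip(("n", "e"), map(int, dk[0].split(":"))))
        # The zone key must be the one the parent's DS (or the anchor) vouches for.
        if ds_rdata(dk[0]) != expected_ds or not verify(pub, canon(zone, "DNSKEY", dk[0]), dk[1]):
            return "bogus"
        if i + 1 == len(chain):
            rr = answers.get((name, rtype))
            ok = rr is not None and rr[1] is not None and verify(pub, canon(name, rtype, rr[0]), rr[1])
            return "secure" if ok else "bogus"
        child = chain[i + 1]
        ds = answers.get((child, "DS"))
        # The "is this child signed?" answer is itself signed by the parent key, so a resolver
        # cannot simply claim the child is unsigned.
        if ds is None or not verify(pub, canon(child, "DS", ds[0]), ds[1]):
            return "bogus"
        if ds[0] == "NONE":
            return "insecure" if (name, rtype) in answers else "bogus"
        expected_ds = ds[0]
    return "bogus"

def run_scenarios():
    root, com, lottery, isp = [make_key(p, q) for p, q in PRIME_PAIRS]
    anchor = ds_rdata(dnskey_rdata(root))       # learned out of band, never via DHCP
    chain = [(".", root), ("com.", com), ("lottery.com.", lottery)]
    honest = honest_answers(chain, "lottery.com.", "A", "198.51.100.10")
    out = {"honest": validate(honest, anchor, "lottery.com.", "A")}
    # Resolver swaps the address but holds no lottery.com key to re-sign it.
    swapped = {**honest, ("lottery.com.", "A"): ("192.0.2.1", honest[("lottery.com.", "A")][1])}
    out["swapped_rdata"] = validate(swapped, anchor, "lottery.com.", "A")
    # Resolver strips DNSSEC and answers "not signed", but can only sign that claim with its own key.
    stripped = {k: v for k, v in honest.items() if k[0] != "lottery.com."}
    stripped[("lottery.com.", "DS")] = ("NONE", sign(isp, canon("lottery.com.", "DS", "NONE")))
    stripped[("lottery.com.", "A")] = ("192.0.2.1", None)
    out["stripped_and_lied"] = validate(stripped, anchor, "lottery.com.", "A")
    # A child that com genuinely delegates unsigned: its unsigned answer is accepted as insecure.
    unsigned = honest_answers(chain[:2], "unsigned.com.", "DS", "NONE")
    unsigned[("unsigned.com.", "A")] = ("203.0.113.5", None)
    out["truly_unsigned"] = validate(unsigned, anchor, "unsigned.com.", "A")
    # Whole chain forged with the resolver's key: only a client given a bogus anchor accepts it.
    fake = honest_answers([(z, isp) for z, _ in chain], "lottery.com.", "A", "192.0.2.1")
    out["fake_chain_real_anchor"] = validate(fake, anchor, "lottery.com.", "A")
    out["fake_chain_fake_anchor"] = validate(fake, ds_rdata(dnskey_rdata(isp)), "lottery.com.", "A")
    return out
```

`run_scenarios()` returns `secure` for the honest chain, `bogus` for the swapped address (the old RRSIG no longer matches), `bogus` for the "not signed" lie (the DS denial is not signed by com's key), `insecure` for a delegation that com really leaves unsigned, and for a fully forged chain `bogus` under the real root anchor but `secure` only when the client was handed the forger's own anchor, which is the "bogus trust anchor, bogus trust" case. Real validators also have to handle NSEC/NSEC3 proofs, key rollovers, signature validity windows and names that are not zone apexes; none of that is modelled here.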


Re: Favorite GPON Vendor?

2015-11-12 Thread Aftab Siddiqui
On Fri, 13 Nov 2015 at 08:43 Tarko Tikan  wrote:

> hey,
>
> > I used Huawei GPON gear at previous job.
>
> +1 for the MA5600 series.
>

+1 for MA5600. Very stable and inter-op is also possible.
-- 
Best Wishes,

Aftab A. Siddiqui


DNSSEC and ISPs faking DNS responses

2015-11-12 Thread Jean-Francois Mezei

The Québec government is wanting to pass a law that will force ISPs to
block and/or redirect certain sites it doesn't like.  (namely sites that
offer on-line gambling that compete against its own Loto Québec).

In order to make a good submission to government, one has to boil it
down to simple enough arguments that clueless politicians can
understand. And for me to do that, I want to make sure I understand this
correctly.


I have tried to research DNSSEC and while I understand how a proper DNS
server can validate the chain from the
 - root server
 - TLD server
 - authoritative DNS server for that domain

I remain in the dark with regards to clients, namely clients who cannot
trust the DNS server supplied as part of DHCP/IPCP/PPPoE responses.


Say a consumer wants to connect to lottery.com,  which, from the world
outside the ISP, would result in a signed, verifiable response.

Can't the ISP's DNS server just pretend it is authoritative for
lottery.com and return to client a non-DNSSEC response that points to a
fake IP address ?

If the client gets an unsigned response for lottery.com from its ISP's
DNS server,  how can it know it is a fake response, how can it know that
lottery.com should have generated a signed DNSSEC response ?


It seems to me that unless each client goes to the tld servers (they
already have root signatures), get signature of the tld server and
signed response of where "lottery.com" can be found, they have no way to
know whether lottery.com should be signed or not, and whether the answer
they got from their ISP is good or not.

Is that a proper understanding ?



So far, I have seen good explanations of what happens between DNS
servers and the servers that are authoritative for domain, TLD and root.
But I have seen nothing about clients who only have a resolver that
talks to a DNS server.


And while I am at it: when a client gets a legit response from ISP's DNS
server with RRSIG records, how does the client obtain the public key
against which to run the record to ensure its calculated signature
matches that provided in RRSIG ?

or do DNS servers return the full chain of records so that a request for
lottery.com returns not only record for lottery.com but also .com's
reply on where lottery.com is and root's reply of where .com is ?


Hopefully, I am only missing a small bit that would explain everything
that happens at the client side.  But as long as I am told that the
client only talks to the ISP's DNS server, I am at a loss.

Any help appreciated. (I just watched an hour long youtube on subject
which didn't deal with client much).


Re: DNSSEC and ISPs faking DNS responses

2015-11-12 Thread John Levine
In article <56455885.8090...@vaxination.ca> you write:
>The Québec government is wanting to pass a law that will force ISPs to
>block and/or redirect certain sites it doesn't like.  (namely sites that
>offer on-line gambling that compete against its own Loto Québec).

Blocking is pretty easy, just don't return the result, or fake an
NXDOMAIN.  For a signed domain, a DNSSEC client will see a SERVFAIL
instead, but they still won't get a result.

Redirecting is much harder -- as others have explained there is a
chain of signatures from the root to the desired record, and if the
chain isn't intact, it's SERVFAIL again.  Inserting a replacement
record with a fake signature into the original chain is intended to be
impossible.  (If you figure out how, CSIS would really like to talk to
you.)  It is possible to configure an ISP's DNS caches to trust
specific signatures for specific parts of the tree, but that is kludgy
and fragile and is likely to break DNS for everyone.

And anyway, it's pointless.  What they're saying is to take the
gambling sites out of the phone book, but this is the Internet and
there are a million other phone books available, outside of Quebec,
such as Google's 8.8.8.8 located in the US, that people can configure
their computers to use with a few mouse clicks.  Or you can run your
own cache on your home network like I do, just run NSD or BIND on a
linux laptop.

They could insist that ISPs block the actual web traffic to the sites,
by blocking IP ranges, but that is also a losing battle since it's
trivial to circumvent with widely available free VPN software.  If
they want to outlaw VPNs, they're outlawing telework, since VPNs is
how remote workers connect to their employers' systems, and the
software is identical.

R's,
John


Re: Favorite GPON Vendor?

2015-11-12 Thread Jonathan Falcão
I thought I would see something about fiberhome here

On Fri, 13 Nov 2015 00:04, Aftab Siddiqui wrote:

> On Fri, 13 Nov 2015 at 08:43 Tarko Tikan  wrote:
>
> > hey,
> >
> > > I used Huawei GPON gear at previous job.
> >
> > +1 for the MA5600 series.
> >
>
> +1 for MA5600. Very stable and inter-op is also possible.
> --
> Best Wishes,
>
> Aftab A. Siddiqui
>


Re: DNSSEC and ISPs faking DNS responses

2015-11-12 Thread Alejandro Acosta
Hello,

On 11/13/2015 at 12:20 AM, John Levine wrote:
> In article <56455885.8090...@vaxination.ca> you write:
>> The Québec government is wanting to pass a law that will force ISPs to
>> block and/or redirect certain sites it doesn't like.  (namely sites that
>> offer on-line gambling that compete against its own Loto Québec).
> Blocking is pretty easy, just don't return the result, or fake an
> NXDOMAIN.  For a signed domain, a DNSSEC client will see a SERVFAIL
> instead, but they still won't get a result.
>
> Redirecting is much harder -- as others have explained there is a
> chain of signatures from the root to the desired record, and if the
> chain isn't intact, it's SERVFAIL again.  Inserting a replacement
> record with a fake signature into the original chain is intended to be
> impossible.  (If you figure out how, CSIS would really like to talk to
> you.)  It is possible to configure an ISP's DNS caches to trust
> specific signatures for specific parts of the tree, but that is kludgy
> and fragile and is likely to break DNS for everyone.

I'm not a DNSSEC expert but I wonder what would be the behavior if the
ISP adds a specific trust anchor for the domain they wish to block?


>
> And anyway, it's pointless.  What they're saying is to take the
> gambling sites out of the phone book, but this is the Internet and
> there are a million other phone books available, outside of Quebec,
> such as Google's 8.8.8.8 located in the US, that people can configure
> their computers to use with a few mouse clicks.  Or you can run your
> own cache on your home network like I do, just run NSD or BIND on a
> linux laptop.
>
> They could insist that ISPs block the actual web traffic to the sites,
> by blocking IP ranges, but that is also a losing battle since it's
> trivial to circumvent with widely available free VPN software.  If
> they want to outlaw VPNs, they're outlawing telework, since VPNs is
> how remote workers connect to their employers' systems, and the
> software is identical.
>
> R's,
> John

Thanks,

Alejandro,



Colo space at Cermak

2015-11-12 Thread Mike Hammett
Has something happened the past couple months to cause a quick shortage of 
space at Cermak? I had an offer sent a few months ago (when I didn't need it) 
where a cab and five cross connects were cheaper than what five cross connects 
normally are, much less the cabinet value as well. Around that time I think 
cabinets were going for $700 or so for basic primary\redundant 20A. Now the 
cabinet is going for $1,800. It went from being the cheapest I've seen at 
Cermak to the most I've seen at Cermak in a matter of a few months. Two people 
with space in that building are citing an uptick in demand. Really? That much 
of a demand increase with hundreds of thousands of square feet coming online in 
the Chicago metro? 

Can anyone corroborate that story or are they just making stuff up hoping I 
agree to inflated cabinet prices? 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 





Re: Favorite GPON Vendor?

2015-11-12 Thread Josh Reynolds
Did you guys use them for core and distribution switching/routing as
well, or just on the GPON access side?

On Wed, Nov 11, 2015 at 11:41 PM, Mark Tinka  wrote:
>
>
> On 12/Nov/15 04:48, Josh Reynolds wrote:
>
>>
>> This may sound "wacky" to some, but if anybody on here is using Huawei
>> GPON gear, could you contact me off list?
>
> I used Huawei GPON gear at previous job.
>
> I won't lie, it worked great. A few bugs with the IGMP implementation,
> but nothing a plane full of Huawei engineers from China with a local
> translator couldn't fix.
>
> That network probably still uses Huawei today. I'm more into Active-E
> myself, these days.
>
> Mark.