Re: Cellular enabled console server

2017-02-25 Thread A . L . M . Buxey
Hi,

> OpenGear all the way.  Models for every need.

+1  OpenGear all the time - just ensure you are patching/managing them(!)

alan


Re: PSN download speeds

2017-01-09 Thread A . L . M . Buxey
Hi,

really not the right place for this... 

however, its pretty well documented elsewhere, eg

https://www.reddit.com/r/PS4/comments/5drvcc/an_update_on_psn_download_speeds/


alan


Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread A . L . M . Buxey
Hi,

as others have said, need to engage with one of their other units to get this
sorted out - as a network provider, their customers are relying on YOU to
access their service, PSN should care.

technically, you could start looking at netflows to the PSN and see if anyone
is engaged in DDoS via that route...and, if you offer IPv6 native service to
end users, ask PSN when they are going to be offering an IPv6 service to their
users - so this CGNAT stuff can go  ;-)

alan


Re: Don't press the big red buttom on the wall!

2016-08-30 Thread A . L . M . Buxey
Hi,

whilst we're posting YouTube clips. maybe they'd have been better off
keeping a copy of the Internet


https://www.youtube.com/watch?v=iDbyYGrswtg


;-)

alan


Re: Don't press the big red buttom on the wall!

2016-08-30 Thread A . L . M . Buxey
Hi,

>  https://www.youtube.com/watch?v=NITBfc1EOBo#t=27s

"This video contains content from B_Viacom, who has blocked it in your country 
on copyright grounds."

I love YouTube and copyright regional laws :/

alan


Re: Why the internal network delays, Gmail?

2016-08-27 Thread A . L . M . Buxey
Hi,

> I was working within the limits of what I had available.

Google offer several trouble shooting tools for their service too,
you might want to look at their toolbox eg

https://toolbox.googleapps.com/apps/messageheader/

(part of their 'why is my email slow to deliver?' process)

alan


Re: Why the internal network delays, Gmail?

2016-08-27 Thread A . L . M . Buxey
Hi,

> administrator reaching out to peers for assistance with a particular
> problem that is clearly network related is inappropriate for a network

clearly network related?   people have an interesting expectation of email -
expecting instant delivery.  you might check their level of expectation... the
SLA etc define service availability but email delivery is pretty much 'best
efforts of all parties involved in the transaction' - ideally it gets there
quickly...but it could take up to 72 hours.  google have several status
dashboards that you can check/monitor.

generally, if you have an issue with a particular service on the internet,
contact them directly. dont use a 3rd party mail list - they *might* be around
on it but its not their official service desk contact point ;-)

alan


Re: Speedtest.net not accessible in Chrome due to deceptive ads

2016-07-20 Thread A . L . M . Buxey
Hi,

> Since this morning Speedtest.net is not accessible in Chrome
> Reason:
> https://www.google.com/transparencyreport/safebrowsing/diagnostic/#url=c.speedtest.net

someones complained about the URL based on them stupidly installing 
'cleanmymac' or such?

use the non flash junk HTML5 version instead

http://beta.speedtest.net/

still bleats about "Deceptive site ahead"

and PS "is not accessible in Chrome" - not true.

click DETAILS,  then click on 

visit this unsafe site.

(with the pre-condition of "if you understand the risks to your security")


I personally dont want or need Google to start being my nanny on the internet  :/


alan

PS you may have other interests involved here given your affiliation to 
speedchecker.xyz 


Re: Leap Second planned for 2016

2016-07-09 Thread A . L . M . Buxey
Hi,

> Leap second handling code is not well-tested and is an ultimate corner
> case.  There's been debate about abolishing leap seconds; with all the

well, we've gone through a few of these now...so if it was all okay before
its likely to be again... exception: any NEW code that
you are running since last time - THAT hasnt been tested ;-)

alan


Re: Bitcoin mining reward halved

2016-07-09 Thread A . L . M . Buxey
Hi,
> This is pretty O/T for this list, isn't it?

not if he's using his routers ASICs to do it! ;-)
(or maybe its related to the bitcoin network traffic volumes...but
thats too logical...)

alan


Re: NAT firewall for IPv6?

2016-07-05 Thread A . L . M . Buxey
Hi,

> Right.  But how long is it going to take to secure the Palo Alto firewall?

around 5 minutes?

recover password, restart, log in, fix rules.

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Reset-the-Administrator-Password/ta-p/57581


obviously the firewall is also blocking google access! ;-)

alan


Re: NAT firewall for IPv6?

2016-07-05 Thread A . L . M . Buxey
Hi,

> > The Palo-Alto's also don't support anything but NAT64,
> 
> They don't support proper dual-stack??  Or NAT64 is the only NAT flavor

of course they support native IPv6 ...or IPv4 with IPv6 in dual-stack.

i believe the comment was related to the 6/4 xlat stuff - ie just NAT64 and
not 464XLAT etc - I've not looked into that myself as we do dual stack

alan


Re: NAT firewall for IPv6?

2016-07-05 Thread A . L . M . Buxey
Hi,


I would go through the password recovery options on the PaloAlto.

as a next gen firewall you need to ensure you are getting all the latest
rulesets and detection code through - check your subscription with them


once you've sorted out access you can look at the policies and ensure that
the IPv6 AV filtering rules match that for IPv4 - fairly easy with their
interface. (check your codebase version for feature abilities... once again,
you may need to deal with PA to ensure your codebase is current. these things
get OLD quickly)


as for NAT for IPv6. nope.   and turning it off ISNT the answer (yes, its an
answer...just the wrong one! ;-) )


alan


Re: NANOG67 - Tipping point of community and sponsor bashing?

2016-06-20 Thread A . L . M . Buxey
Hi,

well, you can say one thing - the talk got a lot of conversation going  - most
of it useful and positive and informational... isnt that the sign of a good
talk?  ;-)

seriously, this thread has been very active/alive based on the initial trigger
of his talk.


as for the talk itself... everyone has their views... and people should feel
free to provide their opinion when on the soapbox/presentation stage - as long
as its within the law (in some domains being offensive / testing boundaries is
part of the territory - eg comedians - but I wouldnt accept that sort of
boundary/offensiveness at an IT/networking presentation). theres an old adage
about opinions and everyone having one... its a tru-ism for sure - but whilst
he might not have had a full picture the resulting conversation on this
mailing list has provided much information.

Now, just need similar talk on the topic of BGP peering security  ;-)

alan


Re: Firewall list recommendations (config conversion options)

2016-04-25 Thread A . L . M . Buxey
Hi,

> > Looking for options on converting a large amount of Fortinet rules to
> > Checkpoint.  Ultimately converting the entire configuration to Checkpoint
> > would be nice.

theres a post online asking the same question back in early 2010 with no 
responses...

there are also a lot of tools that do Checkpoint TO Fortinet  - says
something? ;-)


but actually, looking for firewall conversion tools does give you a picture
of typical/common moves  :)



alan


Re: Stop IPv6 Google traffic

2016-04-10 Thread A . L . M . Buxey
Hi,
> The problem is IPv6-enabled customers complaints see captcha, and Google
> NOC refuses to help solve it saying like find out some of your customer
> violating some of our policy. As you can imagine, this is not possible.

your customers are getting  addresses when looking up google addresses...so
their clients are trying to use IPv6 to talk to google. so doing anything to
that traffic - blackholing or just denying it, WILL affect the clients.

give clients their own bigger blocks - or identify the clients violating
policy (what the policy they are violating?) - you'll probably find the ones
getting the captchas are the ones violating! ;-)

alan


Re: DataCenter color-coding cabling schema

2016-03-14 Thread A . L . M . Buxey
Hi,


I'm not sure I'm keen on a colour standard - especially given our recent
difficulties sourcing cabling to our spec in certain colours...or lengths!
however, what we do - and others do based on this thread - is have our own
internal colour scheme for purposes/systems/customers.

fibre is far more difficult for this - coloured labels (and a decent labelling
regime in the first place) win in that arena.  (obviously the copper plant has
labelling too but the choice of colours means that function/purpose is already
known from many metres away ;-) )

alan


Re: Equipment Supporting 2.5gbps and 5gbps

2016-01-27 Thread A . L . M . Buxey
Hi,

> Fortunately the two groups came together in the IEEE, and there are no
> competing standards.

right! so why do both keep updating their own marketing and web pages each 
month? ;-)


thanks for the info though - our future world isnt messed up for multigig

> - Optional Energy Efficient Ethernet (EEE) support

*optional* - in our current energy efficiency/green aligned world this should 
be mandatory

> - Standard expected in September 2016

okay.. so buying now is like buying pre-N 802.11 kit - it should work with
final standard but theres no cast-iron guarantee... new silicon might be
required ?


thanks for the info though! :)

alan


Re: Equipment Supporting 2.5gbps and 5gbps

2016-01-27 Thread A . L . M . Buxey
Hi,
> I've a couple 10 port Cisco switches that support 2.5 and 5gbps over cat5e, 
> just wondering if there are any other vendors out there with offerings that 
> support these newer ethernet speeds. Supporting cat5e for these multi-gig 
> speeds is a real boon in many circumstances given the wide popularity of it 
> in many buildings.
> 
> Does anyone have any experience with or knowledge of other products, switches 
> in particular, supporting 2.5 and 5 gbps?

well, until the standard is ratified, these Multi-Gig offerings are quite
proprietary..

there are 2 competing camps... hopefully they will be compatible and not end
up like beta/vhs once the dust settles


camp 1 - http://www.nbaset.org/


camp 2 - http://www.mgbasetalliance.org/


look at those vendors. I think they hope by avoiding IEEE in the early
stages and taping silicon they'll get the job done quicker - the drive mainly
being faster wireless APs and cheaper data centre interconnects...

alan


Re: Another Big day for IPv6 - 10% native penetration

2016-01-04 Thread A . L . M . Buxey
Hi,

> I'm wondering when we reach another significant milestone - 50% :-)

half of us will celebrate, the other half will cry  ;-)

alan


Re: Nat

2015-12-21 Thread A . L . M . Buxey
Hi,

> > > persuading people to move to IPv6. Especially when everyone
> > > already understands DHCP in the v4 world.



> > enterprise) and once they stop thinking "I want to do everything
> > in IPv6 in exactly the same way as I have always done in IPv4"

exactly.

as my thoughts often gather at any IPv6 deployment event I go to

"stop trying to shape IPv6 into your IPv4 model"


yes, there are annoyances...like older routers/clients not supporting
extensions to allow DNS/NTP etc from being fed in SLAAC...and clients
only supporting SLAAC and not DHCPv6 etc etc  but if you just SLAAC/DHCPv6
into your dual-stack environment then silly clients still get things via
DHCPv4... and you start getting IPv6 connectivity...and then work through
the NEXT part.

more effort should be spent on eg address management and network topology.
the client stuff is easy

THEN we get to the stuff we should be looking at and expending more effort
on... not 'how do I deploy IPv6?' but 'how do i switch off IPv4?'  ;-)

hopefully 2016 will be the year when more sites have IPv6-only networks 
on their enterprise networks with eg 464XLAT etc 

alan


Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread A . L . M . Buxey
Hi,

> > Should we blame Juniper for letting a git repository open to
> > "unauthorized code" or should we congratulate them for their frankness
> > (few corporations would have admitted the problem)?

'un-authorized' - not authorized.

this could be code/idea by some/one engineer for eg debugging purpose etc that
just didnt get ANY signoff by anyone - so during code review they've questioned
its presence and not found the relevant sign-off etc.

take VW here...they are now blaming a small set of engineers who rigged the
emissions system... if they can say that no managers/execs knew about this and
it was purely in some small code team etc then that too is unauthorized code -
but its internal, not an external bad guy (it will be interesting however, in
that case, whether that really was the case and it WASNT known about by
someone else...thus 'authorized' in that it wasnt stopped)

alan


Re: Questions regarding equipment for a large LAN event

2015-12-07 Thread A . L . M . Buxey
hi


okay...so lots of gig connections with 10g interconnects etc - have you
actually done network analysis/flows of the events in the past to see what you
actually require to run the event? what sort of stuff are they doing -
multiplayer PvP stuff or are they shipping images/ISOs across to each other?
as well as the data requirements what sort of protection do you put into place
(that would affect choice of edge switch).   as others will probably say, this
is really more suited to eg c-nsp


alan


Re: Ransom DDoS attack - need help!

2015-12-03 Thread A . L . M . Buxey
Hi,
> F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos
> protection.  Don't pay up, use ddos protection.

you know how many ponder whether AV companies write some of the viruses

;-)

alan


Re: Is there a DNS lookup, traceroute, ping and HTTP GET as a service?

2015-11-18 Thread A . L . M . Buxey
hi,


...and SamKnows? 


alan


Re: Is there a DNS lookup, traceroute, ping and HTTP GET as a service?

2015-11-18 Thread A . L . M . Buxey
Hi,

> About RIPE ATLAS, I already have one of their boxes and it never worked.
> Simply doesn't appear as online. Their support just barely gave me some
> tips but with no meaningful result. I need something reliable and I'm
> willing to pay for this service. RIPE Atlas falls in the category of 'best
> effort'.

RIPE Atlas probes? you just plug them into a working network with DHCP and
away they go - I'd investigate why it doesnt work - RIPE expect probe users
to be technically proficient and that the networks that the probes are on
arent RIPEs to debug/troubleshoot.   once you have a working one it can do
tests but you then also have access to the testing system that they offer
allowing you to do on-demand tests for various things from probes around the
world whenever you want - depending on how many points you have. I have a few
million or so points :-)

alan


Re: Advance notice - H-root address change on December 1, 2015

2015-11-16 Thread A . L . M . Buxey
Hi,

> Just a heads up, even the latest CentOS 7 package has the wrong IPv4 and v6
> address.

whilst the new H-ROOT is alive now, the official switch-over date is 1st
December 2015 and the old address will be available for 6 months after
that... so if any BIND package comes out AFTER 1st December with old addresses
in it, THEN complain/warn  ;-)

alan


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread A . L . M . Buxey
Hi,

> BTW, the proposed law, being done by lawyers, will have the list of

you say law but this idea of blocking all competitors to the states
lotto sounds very unlawful and anti-competitive  - yes, I can
understand states or countries blocking ALL gambling , thats a simple
'we dont allow it here' , but to say 'yes, you can access just ours'
well, in EU I dont think that would ever fly.

> I know the Australian attempt to filter porn failed miserably.

well, one could say people might be more determined to access porn than
gambling sites so this gambling block might be more successful.

either way, what you'll get are a host of DNS services based in other
countries - some using VPN technology etc so blocking port 53 to
other servers isnt going to work on that score either.  it wont work.

alan




Re: Uptick in spam

2015-10-27 Thread A . L . M . Buxey
Hi,

> not even close to more discussing than from the original spam.  Not even
> close.

data volume wise, the discussion of spam is easily beating the volume of spam
(which some people had issue with) as the SPAM emails were very small with
just a URL - the discussions about it is now spread into around 6 threads with
many pages of text in some messages.

alan


Re: IGP choice

2015-10-22 Thread A . L . M . Buxey
Hi,

> The differences between the two protocols are so small, that people
> really grasp at straws when 'proving' that one is better over the
> other. 'IS-IS doesn't work over IP, so its more secure'. 'IS-IS uses
> TLVs so new features are quicker to implement'. While these may be
> vaguely valid arguments, they don't hold much water. If you don't
> secure your routers to bad actors forming OSPF adjacencies with you,
> you're doing something wrong.Who is running code that is so bleeding
> edge that feature X might be available for IS-IS, but not OSPF?

well, bleeding edge features in ISIS would also depend on your vendor...
ours seems backwards for ISIS in most of their product line and
we're always wanting more heck, I think they've even tried to ensure its
not in their training courses either...just the briefest of mentions  :/

as for IGP -   ISIS - we moved to it from OSPF because we didnt want
2 separate routing calculations and tables being kept for IPv4 and IPv6 and
all routing config is under the one routing protocol.

alan


Re: IPv6 and Android auto conf

2015-10-16 Thread A . L . M . Buxey
Hi,

> Sure, would be fun to try DHCPv6. Last time when I checked only OS X was
> supporting it with limited sense.

Windows..

alan


Re: Android and DHCPv6 again

2015-10-15 Thread A . L . M . Buxey
Hi,
> Android does not have a complete IPv6 implementation and should not be IPv6
> enabled.  Please do your part and complain to Google that Android does not
> support DHCPv6 for address assignment.

no different to other devices historically it can get IPv6 connectivity via
SLAAC and then rely on DHCP (v4!) for getting IPv4 DNS servers to which it can
send  records.

very much like OSX used to be.

alan


Re: ARIN Region IPv4 Free Pool Reaches Zero

2015-09-24 Thread A . L . M . Buxey
Hi,

> IPv6 traffic roughly doubled in my view of the internet in the past ~2 weeks 
> as the 9.0 GM image hit and the public release of 9.0 came out.

0.001% of traffic to 0.002%  ;-)


joking aside as I'm a big IPv6 champion IPv6 is picking up a lot recently...
and whilst the behaviour change of IOS9 has helped...clients themselves dont
change the networks they are using - the networks themselves need to support
this protocol, route it etc as we all know...so, if nothing else, IOS9 has
revealed more that many parts of the internet are IPv6 enabled and ready to be
used.

alan


Re: IP's with jitter/packet loss and very far away

2015-09-18 Thread A . L . M . Buxey
Hi,

> my own experience is the misinterpretation of the above properties in
> traceroute is pathological to the point of making it useless in the
> hands of novices...

correct. you should be looking at the output of other data transit systems
such as iperf, bwctl etc - thats why such tools as PerfSONAR exist...allowing
you to find the real problems in your IP path

alan


Re: SMS Gateway

2015-09-14 Thread A . L . M . Buxey
Hi,

> Today we use a product from MultiTech Systems call MultiModem iSMS to send 
> SMS text messages from our monitoring system to our on call staff.  This is a 
> 2G product and we need to replace it soon. I know there are more generic 
> cellular modems that can do texting if you are willing to put in the effort, 
> the product we use currently though has a simple HTTP based API specifically 
> to send SMS. Is anybody out there using something similar that can work on 3G 
> or 4G networks?

we have a Linux box with a 3G device attached via serial port. some
local scripts and a lookup table - sends SMS alerts for monitoring to
the required people. very basic, very simple. RaspberryPI territory.

alan


Re: SMS Gateway

2015-09-14 Thread A . L . M . Buxey
Hi,
> For most of us, the issue is that we don’t want to do this over the Internet, 
> since that’s what we are monitoring :)

exactly :-)

alan


Re: A simple perl script to convert Cisco IOS configuration to HTML with internal links for easier comprehension

2015-08-06 Thread A . L . M . Buxey
Hi,

very nice but I now have an urge to getting this integrated with RANCID
and I just dont have the time, frustrating!  ;-)

alan


Re: GoDaddy : DDoS : : Contact

2015-08-03 Thread A . L . M . Buxey
Hi,

> What would be the point of spoofing the source IPs to be identical? You're
> just making the attack trivial to block.  Plus you could never do any kind of
> TCP session attack, since you can't complete a handshake. I would have to
> call this sort of attack a LAAADDoS (Lame Attempt At A DDoS). :)

perhaps spoofing an IP that cannot be blocked as its one that needs to be
allowed for the site IT to operate? some cloud service IP or such ?

alan


Re: M$ no v6 or just me?

2015-07-14 Thread A . L . M . Buxey
Hi,

however...this revelation is shocking...my users can access www.microsoft.com
material via IPv6?? turn this filth off!!  ;-)

alan


Re: M$ no v6 or just me?

2015-07-14 Thread A . L . M . Buxey
Hi,

> And there isn't


its your DNS  ;-)


host e10088.dspb.akamaiedge.net
e10088.dspb.akamaiedge.net has address 104.70.251.201
e10088.dspb.akamaiedge.net has IPv6 address 2a02:26f0:cb:2a4::2768
e10088.dspb.akamaiedge.net has IPv6 address 2a02:26f0:cb:29a::2768



alan


Re: M$ no v6 or just me?

2015-07-14 Thread A . L . M . Buxey
Hi,

> No.  My DNS (using the roots) gets it right.  ;-)

so if you choose google DNS you dont see the right stuff..in which case its
your DNS and not microsoft or Akamai not doing IPv6  ;-)  same true for
OpenDNS? likely...

alan


Re: Overlay broad patent on IPv6?

2015-07-13 Thread A . L . M . Buxey
Hi,

> It is a stupid idea if you ask me,


..and thus, based on most of the current technology patents out there,
perfectly patentable.

dont worry, the rest of the internet will probably need something like this in
the future... and whats happened here is some coffee-room tech chat or water
cooler propeller-head conversation got captured and written-up by some
over-zealous manager/techie combo to ensure that the world cant do something
obvious later when needed  (its probably not obvious to most people right now
as we havent even bothered looking at it...but if we did then it would
probably be an obvious method and first one out of the wash).

what it means is that most of those ISPs that do a captive portal answer for
failed DNS responses are going to be violating this patent if the query was
for IPv6 and didnt get an answer. ;-)

alan


Re: Hotels/Airports with IPv6

2015-07-13 Thread A . L . M . Buxey
Hi,
> I've done fairly extensive testing, and IPv6 support, while pretty solid on
> the carrier side, is still iffy on WiFi. Both iOS and Android have various
> reliability problems with IPv6 and WiFi, mostly related to acquiring a DNS
> address or maintaining a connection while roaming. Combine that with
> less-than-fully-baked IPv6 on some enterprise WiFi platforms, and it's easy
> to see that deploying WiFi IPv6 today is at least a challenge, and definitely
> a risk.
>
> Android, for example, doesn't yet support DHCPv6 on WiFi (it's not needed on
> the carrier side, which does DNS intercept), and intermittently loses its
> unicast address on some hardware devices (notably tablets, in my experience).
> Even when android gets DHCPv6, or these hardware problems get solved, there
> will be several years of legacy devices in the field to contend with.

we had problems with IPv4 in the early days - people still adopted it. without
adoption, the bugs/issues with clients dont get addressed.

alan


Re: Overlay broad patent on IPv6?

2015-07-13 Thread A . L . M . Buxey
Hi,
> This is actually a good idea. Roll out an IPV6 only network and only pass
> out an IPV4 address if it's needed based on actual traffic.

yes...shame someones applied for a patent on that! ;-)

alan


Re: ARIN just subdivided their last /17, /18, /19, /20, /21 and /22. Down to only /23s and /24s now. : ipv6

2015-06-29 Thread A . L . M . Buxey
Hi,

I knew several people who built their career path on the assumptions of IPX.  
Ouch.

or DECnet   ;-)


alan


Re: How long will it take to completely get rid of IPv4 or will it happen at all?

2015-06-29 Thread A . L . M . Buxey
Hi,

> I just ran a tcpdump looking for NTP packets going to 128.173.14.71.  In 90
> minutes, I got hits from 330 unique IP addresses, including some that were
> chatty enough to indicate there were dozens of hosts behind a NAT.

ah yes. the joy of the usual 2 scenarios


1) your IP got used in some random equipment config/firmware

2) your IP got used in some documentation rather than using one the official
IPv4 documentation address space


the last scenario is the IP address was used in some long ago post or blog
that google helps unearth whenever anyone asks for NTP.

we had the same for DNS... learnt that lesson  :/


without bothering to sanity check if a clock is still usable

THAT is the scary part... they're not even checking its working
(at least their kit wont crash and burn at the leap second if it hasnt got
working NTP ;-)  !)

alan


Re: Android (lack of) support for DHCPv6

2015-06-10 Thread A . L . M . Buxey
Hi,

> Ok, let's see how that goes, even among the few people on this thread.
>
> Question for everyone on this thread that has said that DHCPv6 NA is a
> requirement: suppose that Android supported stateful DHCPv6 addressing,
> requested a number of addresses, and did not use any of them if the number
> of addresses received was less than N.
>
> What does N need to be?

well, from memory and a quick discussion with a colleague, our cisco wireless
kit is only happy with devices having 8 IPv6 addresses at most - otherwise
the older addresses get removed from the neighbour cache.

is that a good starting point?  :-)

alan


Re: Android (lack of) support for DHCPv6

2015-06-10 Thread A . L . M . Buxey
Hi,

> No, the premise is that from a user's point of view, DHCPv6-only networks

what about DHCPv6 for IPv6 and DHCP for IPv4 - the client should still be able
to pick up an IPv6 address... instead of forcing the only option to be SLAAC ?

alan


Re: Android (lack of) support for DHCPv6

2015-06-10 Thread A . L . M . Buxey
Hi,

> Asking for more addresses when the user tries to enable features such as
> tethering, waiting for the network to reply, and disabling the features if
> the network does not provide the necessary addresses does not seem like it
> would provide a good user experience.

talking of the user experience - any update on when Android will let the user
acknowledge a private CA and thus stop the 'your network may be monitored' alert
on each restart?  :/

alan


Re: Android (lack of) support for DHCPv6

2015-06-09 Thread A . L . M . Buxey
Hi,

> supporting DHCPv6 seems to be that mobile networks don't need it, but that
> totally ignores 802.11 which is equally important.

...and what about 802.3 for those Android boxes/systems on the wired? :-)

> I would hope we're past the religious arguments of SLAAC vs DHCPv6 but it
> seems like every time the topic comes up the entire conversation turns into
> a holy war on what method is the best.  They're both valid, and both useful.

agreed... too many times I find out that DHCPv6 is chosen as a stateful method
because they want to record/track MAC addresses like they do for DHCP a
little bit of explaining the protocol differences and they soon take up the
SLAAC ;-)

alan


Re: Android (lack of) support for DHCPv6

2015-06-09 Thread A . L . M . Buxey
Hi,

> Agreed - apparently the solution is to implement SLAAC + DNS advertisements
> *AND* DHCPv6.  Because you need SLAAC + DNS advertisements for Android, and
> you need DHCPv6 for Windows.

Windows has been dealing with SLAAC for ages...and OSX... DHCPv6 is
relatively new in that arena...

however in IPv6 your routers are sending RAs and can easily do prefix
announcements etc anyway so SLAAC makes quite a bit of sense...allowing
the network to be more dynamic...no more having a gateway address
stuck in a DHCP config and all those statically addressed clients
needing to be changed etc.

i think we're looking at the wrong place...the issue isnt handing
out addresses... its the large gaps in IPv6 functionality
at the edge versus whats in IPv4 space DHCP snooping, DAI,
ARP flood protection etc are getting pretty standard and solid...
FHS (first hop security) for IPv6 at the edge is often left wanting
(RA guard, ND/DAD protection etc)...  but hey, we could get quite
active about the lack of multicast adoption across the internet too! ;-)

alan


Re: Android (lack of) support for DHCPv6

2015-06-09 Thread A . L . M . Buxey
Hi,

> and we wonder at the pitiful ipv6 deployment.

if more network admins actually did network stuff then IPv6 
deployment would be plentiful and we could even start the
discussion about turning off IPv4  ;-)

alan


Re: most accurate geo-IP source to build country-based access lists

2015-06-08 Thread A . L . M . Buxey
Hi,

> Have you thought about application layer tests - e.g. is the
> client's character set/language set to Swedish? Has the user
> identified himself/herself/henself as living in or being from
> Sweeden?

...just waiting for someone to suggest checking their web cookies
to see what area they've got defined in adultfriendfinder or whatever...  ;-)

alan


Re: most accurate geo-IP source to build country-based access lists

2015-06-08 Thread A . L . M . Buxey
Hi,

> 2. There are no Russian soldiers in Crimea

eh? we know there are as it got annexed last year. I think you meant

There are no Russian soldiers in Ukraine   ?

alan