Re: scaling linux-based router hardware recommendations
[snip] To inject science into the discussion: http://bsdrp.net/documentation/examples/forwarding_performance_lab_of_an_ibm_system_x3550_m3_with_10-gigabit_intel_x540-at2 And he maintains a test setup to check for performance regressions: http://bsdrp.net/documentation/examples/freebsd_performance_regression_lab Now, this is using the in-kernel stack, not netmap/pfring/etc that uses all the batching-y, stack-shallow-y implementations that the kernel currently doesn't have. But, there are people out there doing science on it and trying very hard to kick things along. The nice thing about what has come out of the DPDK related stuff is, well, the bar is set very high now. Now it's up to the open source groups to stop messing around and do something about it. If you're interested in more of this stuff, go poke Jim at pfsense/netgate. -adrian (This and RSS work is plainly in my stuff I do for fun category, btw.)
Re: abha ahuja
[resurrecting this thread, as it's been a while since I read nanog-ml, and this is surprisingly important to me...] On 19 October 2013 15:36, Randy Bush ra...@psg.com wrote: abha ahuja, researcher and operator, died this day in 2001 at a tragically early age. if you did not know her, search a bit. she did a lot, and with an open mind and heart. I met Abha whilst working in Amsterdam (on Squid, doing (consensual!) transparent reverse proxying for customer websites at a transit provider. Yes, I know, evil.) I was a bit star struck - I had been using GateD for three or four years at various ISPs before Europe, and then one day she casually strolls into the office. I remember one of our excursions into the city centre (likely to a RIPE meeting day) and she wondered why the heck anyone would want to teach a web proxy about AS numbers. She was always energetic and passionate about whatever we talked about. It was inspiring. I had just turned 21 shortly before this happened. I had just moved back to Australia and we had been keeping in touch. Then, this. It was very sobering. Sigh. -adrian (hi all!)
Re: New vyatta-nsp list
On Fri, May 27, 2011, George Bonser wrote: It's actually rather hard with current pc hardware to get to multiple cores engaged in parallel per input interfaces. while you can plan for various cases the one to account for is the small packet performance not overwhelming the capabilities of a single cpu core. Not anymore. Linux will do processor per flow and it will remember which processor handed it traffic outgoing and try to route the reply back to the same CPU so you reduce cache misses. FreeBSD is doing much the same, both for TCP flows and for packet routing. The real fun will be when open source freebsd/linux stops trying to do per-flow tracking and optimises their forwarding paths. From what I've heard on the lists, NICs are certainly doing small packet linerate now. Adrian
Re: Ham Radio Networking (was Re: Rogers Canada using 7.0.0.0/8 for internal address space)
On Thu, May 26, 2011, Lyndon Nerenberg wrote: Sorry, poorly worded. What I was wondering is there is an equivalent of KA9Q for IPv6. I believe one of the comments we got back when we were trying to reclaim 44/8 was that folks couldn't migrate to IPv6 because no software was available... We've come a little way since NOS. Linux has native AX25, and it's pretty simple to write a KISS adapter for any version of UNIX with a tun driver. .. except at such low bit rates, the extra IPv6 header size is not insignificant? Adrian
Re: Had an idea - looking for a math buff to tell me if it's possible with today's technology.
On Thu, May 19, 2011, Warren Kumari wrote: Just wanted to say yes, this is entirely what I meant. Of course the smaller the file the more pointless it gets but still... If the file was 1GB instead of just 7 bytes I'm wondering if a regular old workstation could put it back together in any reasonable amount of time with the equation. While many folk have said You've just invented compression, I'm going to be a little more specific -- Wavelet compression. Well, yes. There's other types of function driven compression rather than dictionary driven compression (which is just function driven compression :-), eg iterated function systems. The problem is finding a method that works for a variety of data. From what I understand, (lossless) wavelet compression isn't fantastic for arbitrary types of data. I'd suggest the original poster pull up some literature introducing them to information theory and compression techniques in general. Heck, even the wikipedia article on lossless compression is a good starting point. I think once the original poster understands some of the basics of information theory and coding as it relates to representing say 1GB from 7 bytes as given above, they may be better equipped to ask more specific (and useful!) questions. HTH, Adrian
Re: coprorations using BGP for advertising prefixes in mid-1990s
On Fri, May 13, 2011, Hank Nussbacher wrote: I always liked seeing the string tli in the IOS bundle in those days. Whoa, you mean Cisco IOS images have built by names other than prod rel team ? (heh.) Adrian
Re: OPERATIONAL: Royal Wedding expected to break traffic records
On Fri, Apr 29, 2011, Jay Ashworth wrote: (cough)multicast(cough) But... but... how do we count the viewers, then? With HTML cookies and AJAX, like everyone else[1]. Adrian [1] and small embedded flash apps in small frames. Hi Facebook.
Re: Bandwidth growth
If it's a true research project, wouldn't you really be interested in both evidence for/against? :-) Just my 2c here, Adrian On Wed, Apr 20, 2011, Patrick W. Gilmore wrote: On Apr 20, 2011, at 9:35 PM, Curran, David wrote: I'm interested in any evidence (even anecdotal) that general Internet usage (and more importantly, link utilization) has increased at higher rates in the last 6-12 months than in previous periods. Any graphs or otherwise would be greatly appreciated. The purpose is for an internal research project and this data will only be used internally and will not be shared, nor will the sources. https://stats.linx.net/aggregate.html http://www.ams-ix.net/historical-traffic-data/ http://de-cix.net/content/network.html http://www.seattleix.net/agg.htm http://www.torix.net/stats.php Etc. I don't know if that proves your theory. And one could argue public IX stats are actually not representative of growth, since many networks move peers to private connections as they grow. But it is data, and it is available. -- TTFN, patrick -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA -
Re: The growth of municipal broadband networks
On Fri, Mar 25, 2011, Leo Bicknell wrote: Having looked around the world I personally believe most communities would be best served if the government provided layer-1 distribution, possibly with some layer 2 switching, but then allowed any commercial entity to come in and offer layer 3 services. For simplicity of argument I like people to envision the local government fiber agency (like your water authority) dropping off a 1 port fiber 4 port copper switch in your basement. On that device they can create a layer 2 VLAN/VPN/Tunnel from any of the copper ports to any provider in the town CO. You could buy video from one, voice from one, and internet from another, on three different ports. You could buy everything from one provider. And the natural question is - how will this differ from the way the government services like water, power and transportation have been run, privatised-but-not-quite, etc? Adrian
AS7007 incident - would someone please fix the article?
There's a wikipedia article: http://en.wikipedia.org/wiki/AS_7007_incident .. that a post I wrote up for a local computer club magazine somehow suffices as primary reference material for. Even though I think this is partially hilarious, would someone mind making it a little more authoritative and well-referenced? My article was definitely not written to be used as any form of source, primary or otherwise. :-) Thanks! Adrian
Re: US Warships jamming Lebanon Internet
On Tue, Feb 08, 2011, Denys Fedoryshchenko wrote: I try to install C-Band bandpass filter, no effect at all, so it is in-band interference. Putting foil (yes i try almost everything) near LNB doesn't affect interference level too. Can you get access to some kind of spectrum analyser kit to see what the kind of interference is? Adrian
Re: US Warships jamming Lebanon Internet
On Tue, Feb 08, 2011, Denys Fedoryshchenko wrote: On Tuesday 08 February 2011 14:18:59 Adrian Chadd wrote: On Tue, Feb 08, 2011, Denys Fedoryshchenko wrote: I try to install C-Band bandpass filter, no effect at all, so it is in-band interference. Putting foil (yes i try almost everything) near LNB doesn't affect interference level too. Can you get access to some kind of spectrum analyser kit to see what the kind of interference is? Adrian Yes, on short (few minutes) sweeps it is clean. During long time run, with 100 kHz resolution, if we run few hours we can catch anomalies on the carrier. Important note: this snapshot done on spectrum analyser in Europe, same transponder, and results similar, so it looks like interference is on transponder. Issue start to affect us at same time when people in Lebanon got local interference issues. Here is snapshot of carrier spectrum with anomaly: http://www.nuclearcat.com/PICTURES/interference.jpg And does this interference similarly screw up being able to RX data from the transponder whilst in Europe? (eg, if you stick a modem on RX-only in Europe (ie, no uplink) and then just lock onto the signal and decode whatever happens, do you suffer the same problem?) Adrian
Re: 802.11g with WPA-PSK
if it's running a recent net80211 stack, you'll need to create a VAP station interface first eg, ifconfig wlan0 create wlandev rum0 then do stuff to wlan0, not rum0. Adrian On Sun, Feb 06, 2011, Atticus wrote: I'm not familiar with wpa_supplicant, but you can preface external commands to execute in ifconfig.* with ! On Feb 6, 2011 1:08 PM, Andrew Ball ab...@students.prairiestate.edu wrote: Hello, I have a NetBSD host that I would like to connect to an existing wireless LAN using a rum(4) interface (Belkin F5D7050B USB 802.11g adaptor). I have tried configuring wpa_supplicant via rc.conf but it does not seem to start and I don't know why. Is there some other way to launch wpa_supplicant, perhaps via ifconfig.rum0? - Andy Ball
Re: ipv4's last graph
On Tue, Feb 01, 2011, Randy Bush wrote: with the iana free pool run-out, i guess we won't be getting those nice graphs any more. might we have one last one for the turnstiles? :-)/2 and would you mind doing the curves now for each of the five rirs? gotta give us all something to repeat endlessly on lists and in presos. I think having a graph that reached full and stays there will be quite powerful. :) Adrian
Re: quietly....
s/IPv6/ATM/g Just saying... Adrian On Tue, Feb 01, 2011, Iljitsch van Beijnum wrote: On 1 feb 2011, at 13:01, Owen DeLong wrote: IPv4 is very dead in the sense that it's not going to go anywhere in the future. taking the long view - your statement applies equally to IPv6. IPv6 has many places to go in the future. Of course the future is long, and there will be a point when IPv6 is no longer what's needed. But we're nowhere close to that point now. I disagree. I think there is little, if any, innovation that will continue to be put into IPv4 hence forth. I think there will be much innovation in IPv6 in the coming years. I'm afraid it may be the other way around: lots of IPv4 innovation just so IPv6 can be avoided a few more years.
Re: Using IPv6 with prefixes shorter than a /64 on a LAN
(Top-posting because the whole message is context. Oh, and I'm lazy.) I do indeed love it when people break out IPv6 addressing as there's so many addresses, we'll never ever go through them! Sure, if they're only used as end-point identifiers. Say you want to crack out that 64k-port space into something bigger, because say p2p becomes so wide-spread and ingrained in our society, that 64k port space per IP becomes silly. So we say, break off another 16 bits and have a host just listen on not a /128, but on a /112. Cool, 4 billion ports. That fixes the port space. Then someone comes along with a bright idea. Hi! she says, Since hosts are already listening on a /112 of space (and thus all those pesky ND cache problems have been fixed!), we can start allocating cloud identifiers on peoples' hosts, so each cloud application instance gets a separate address prefix; thus any given host can run multiple cloud instances! Let's call that a 32 bit address space, because I bet a 16 bit cloud ID doesn't scale. A 16 bit cloud identifier takes it down to a /96. A 32 bit cloud identifier takes it down to /80. Cool. Now you've got all these end-hosts all happily doing p2p between each other over a 16-bit extended port space, then running p2p and other apps inside a 32-bit cloud identifier so they can both run their own distributed apps/vms (eg diaspora), or donate/sell/whatever their clock cycles to others. What did that just do to your per-site /64? That you have no hope of ever seeing a user use up? It just turned that /64 into a /112 (16 bits of port space, 32 bits of cloud identifier space.) What's the next killer app that'll chew up more of your IPv6 space? I'm all for IPv6. And I'm all for avoiding conjecture and getting to the task at hand. But simply assuming that the IPv6 address space will forever remain that - only unique host identifiers - I think is disingenuous at best. :-) Adrian On Tue, Jan 25, 2011, Owen DeLong wrote: I love this term... 
repetitively sweeping a targets /64. Seriously? Repetitively sweeping a /64? Let's do the math... 2^64 = 18,446,744,073,709,551,616 IP addresses. Let's assume that few networks would not be DOS'd by a 1,000 PPS storm coming in so that's a reasonable cap on our scan rate. That means sweeping a /64 takes 18,446,744,073,709,551 sec. (rounded down). There are 86,400 seconds per day. 18,446,744,073,709,551 / 86,400 = 213,503,982,334 days. Rounding a year down to 365 days, that's 584,942,417 years to sweep the /64 once. If we increase our scan rate to 1,000,000 packets per second, it still takes us 584,942 years to sweep a /64. I don't know about you, but I do not expect to live long enough to sweep a /64, let alone do so repetitively. Owen
Re: Routing Suggestions
On Wed, Jan 12, 2011, Jon Lewis wrote: On Wed, 12 Jan 2011, Jared Mauch wrote: I suggest using one of the reserved/private BGP asns for this purpose. ASNumber: 64512 - 65535 It sounds to me like Company B isn't doing BGP (probably has no experience with it) and if there's only a single prefix per side of the cross connect, especially if the cross connect is going into routers smart enough to remove a route from the table if the destination interface is down, static would do just fine. Unless you'd like to ensure the sensitive traffic doesn't cross a less safe default route path if the XC is down. (Assuming the prefixes are both public IPv4/6 space to begin with.) Adrian
Re: Routing Suggestions
On Wed, Jan 12, 2011, Jon Lewis wrote: Unless you'd like to ensure the sensitive traffic doesn't cross a less safe default route path if the XC is down. BGP would have that same issue since B is default routing to their provider. [config for B] ip route A's prefix mask gw to A ip route A's prefix mask null0 250 ip route 0.0.0.0 0.0.0.0 B's provider problem solved. If the gw to A is reachable, traffic goes via the cross connect. If the gw is down, traffic goes nowhere. I was just making the observation; the solution is pretty simple. (Yes, I've seen secure network cross-connects get bitten by this. :-) Adrian
Re: The tale of a single MAC
So along similar lines, Ubiquiti sell routerstation pro boards with sequential MAC addresses. The trouble is they've allocated a single MAC for the first port - the second ethernet port (also attached to the bridge) doesn't get a second MAC. So in a purchase of a few hundred boards, we had plenty that were sequential. Since the FreeBSD driver allocated MAC+1 to the second NIC, this caused duplicate MAC addresses and this caused hilarity to ensue. The fix was to just get this company to apply for some MAC space and then use -that- on the second NIC and the bridge interfaces. Ah, vendors.. :-) Adrian On Sat, Jan 01, 2011, Graham Wooden wrote: Hi there, I encountered an interesting issue today and I found it so bizarre - so I thought I would share it. I brought online a spare server to help offload some of the recent VMs that I have been deploying. Around the same time this new machine (we'll call it Server-B) came online, another machine which has been online for about a year now stopped responding to our monitoring (and we'll name this Server-A). I logged into the switch and saw that the machine that stopped responding was in the same VLAN as this newly deployed, and then quickly noticed that Server-A's MAC address was now on Server-B's switch port. "What the ..." was my initial response. I went ahead and moved Server-B's to another VLAN, updated the switchport, cleared the ARP, and Server-A came back to life. Happy new year to me. So - here is the interesting part... Both servers are HP Proliant DL380 G4s, and both of their NIC1 and NIC2 MAC addresses are exactly the same. Not spoofed and the OS drivers are not mucking with them ... They're burned-in - I triple checked them in their respective BIOS screen. I acquired these two machines at different times and both were from the grey market. The "What the ..." is sitting fresh in my mind ... How can this be? In the last 15 years of being in IT, I have never encountered a "burned-in"
duplicated MACs across two physically different machines. What are the odds, that HP would dup'd them and that both would eventually end up at my shop? Or maybe this type of thing isn't that big of a deal... ? -graham
Re: Muni Fiber Last Mile - a contrary opinion
On Sun, Dec 26, 2010, Owen DeLong wrote: [Frank Bulk] Some MSOs (including ourselves) have power systems (e.g. Alpha) in place throughout the plant to provide backup power for at least some time. Does that back up the cablemodem in the residence? If not, game over. Thing is, not enough noise was made about that in the Australian National Broadband Plan until late in the game. I'm patiently waiting for a time when a major power outage incident occurs and the cellular network system locally fails. Adrian
[OT]: WCCPv2 and gige?
Hi all, I have a customer who is looking for examples of WCCPv2 deployments for traffic levels 3 gige (and above, up to 10ge.) Now I know that theoretically there's no reason why this shouldn't be the case, but as I don't have a lab of 10GE capable Cisco L3 devices, I'm unable to verify that level of behaviour. So, is anyone using WCCPv2 redirection on gige and 10ge interfaces, and mind sharing with me the equipment/configuration/IOS version? Thanks, Adrian
Re: Some truth about Comcast - WikiLeaks style
On Mon, Dec 20, 2010, Aaron C. de Bruyn wrote: The private sector (FedEx/UPS, etc...) brought us overnight delivery where USPS couldn't... ...and next-day air ...and freight delivery ...and package tracking that reports more than just We don't know where it is/It's at the post office When was the last time USPS delivered you a 100 pound UPS unit over night from across the country while letting you track its progress? Trouble is, now they can't. Why? Because they'd be threatening the jobs of hard working Fedex/UPS/etc. employees. :-) Adrian (only half tongue in cheek here.)
Re: Mastercard problems
On Thu, Dec 09, 2010, Ben McGinnes wrote: On 9/12/10 7:49 PM, William Pitcock wrote: On Thu, 2010-12-09 at 18:34 +1100, Ben McGinnes wrote: On 9/12/10 8:04 AM, Christopher Morrow wrote: On Wed, Dec 8, 2010 at 3:06 PM, Philip Dorr tagn...@gmail.com wrote: The problem is that they were also slashdotted. The logs would also have a large number of unrelated. pro-tip: the tool has a pretty easy to spot signature. What is that signature? The tool makes HTTP/1.0 requests, most browsers make HTTP/1.1 requests. Is there anything else to it, or just the protocol version? Be careful - plenty of Squid's make HTTP/1.0 version. ProTip: be careful. :-) Adrian
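Adrian's caveat above, as an added example that is not part of the thread: the "tool makes HTTP/1.0" signature run over a handful of constructed web-server log lines, first naively and then with two extra signals that separate a caching proxy from a single attacking client. The log format is assumed to be Apache's combined format with the request's Via header appended as one more quoted field; the heuristic that a Squid-type forward proxy normally adds a Via header and relays many different browsers is an assumption of this example, not something the thread states.

```python
import re
from collections import Counter

# Assumed Apache LogFormat (not from the thread): combined format plus the
# request's Via header as a final quoted field:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Via}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<via>[^"]*)"$'
)

# Constructed sample lines, not real traffic: one flooding client (192.0.2.10),
# one Squid relaying three different browsers (198.51.100.7), one HTTP/1.1 browser.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Dec/2010:10:00:01 +0000] "GET / HTTP/1.0" 200 5123 "-" "Mozilla/4.0" "-"
192.0.2.10 - - [09/Dec/2010:10:00:01 +0000] "GET / HTTP/1.0" 200 5123 "-" "Mozilla/4.0" "-"
192.0.2.10 - - [09/Dec/2010:10:00:02 +0000] "GET / HTTP/1.0" 200 5123 "-" "Mozilla/4.0" "-"
198.51.100.7 - - [09/Dec/2010:10:00:02 +0000] "GET /index.html HTTP/1.0" 200 5123 "-" "Mozilla/5.0 (X11; Linux)" "1.0 proxy.example.net (squid/2.7.STABLE9)"
198.51.100.7 - - [09/Dec/2010:10:00:03 +0000] "GET /style.css HTTP/1.0" 200 812 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1)" "1.0 proxy.example.net (squid/2.7.STABLE9)"
198.51.100.7 - - [09/Dec/2010:10:00:03 +0000] "GET /logo.png HTTP/1.0" 200 2410 "http://www.example.com/" "Mozilla/5.0 (Macintosh)" "1.0 proxy.example.net (squid/2.7.STABLE9)"
203.0.113.5 - - [09/Dec/2010:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)" "-"
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def http10_counts(records):
    """The naive signature from the thread: HTTP/1.0 requests per client address."""
    return Counter(r["ip"] for r in records if r["proto"] == "HTTP/1.0")


def is_proxy_like(recs_for_ip):
    """Heuristic (assumption): a forward proxy such as Squid normally adds a Via
    header and relays many distinct browsers, so either signal marks the source
    as a proxy rather than a single attack client."""
    has_via = any(r["via"] != "-" for r in recs_for_ip)
    distinct_uas = len({r["ua"] for r in recs_for_ip})
    return has_via or distinct_uas > 1


def suspect_sources(records, min_hits=3):
    """HTTP/1.0 sources with at least min_hits requests that do not look like proxies."""
    by_ip = {}
    for r in records:
        if r["proto"] == "HTTP/1.0":
            by_ip.setdefault(r["ip"], []).append(r)
    return sorted(ip for ip, recs in by_ip.items()
                  if len(recs) >= min_hits and not is_proxy_like(recs))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("HTTP/1.0 requests per source:", dict(http10_counts(recs)))
    print("suspects after proxy heuristic:", suspect_sources(recs))
```

The naive count flags the Squid box just as hard as the flooding client; the second pass drops it. A proxy operator can turn Via off, and an attack tool can just as easily send HTTP/1.1 or a fake Via, so this is triage for a first pass over the logs, not a signature to block on.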
Re: Mastercard problems
On Thu, Dec 09, 2010, Adrian Chadd wrote: Be careful - plenty of Squid's make HTTP/1.0 version. make HTTP/1.0 requests, not version. Tsk. (And here I am, studying linguistics. Pshaw.) Adrian
Re: Over a decade of DDOS--any progress yet?
Botnets are the symptom. The real problem is people. Adrian On Wed, Dec 08, 2010, Dobbins, Roland wrote: On Dec 8, 2010, at 11:26 AM, Sean Donelan wrote: Other than trying to hide your real address, what can be done to prevent DDOS in the first place. DDoS is just a symptom. The problem is botnets. Preventing hosts from becoming bots in the first place and taking down existing botnets is the only way to actually *prevent* DDoS attacks. Note that prevention is distinct from *defending* oneself against DDoS attacks. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Over a decade of DDOS--any progress yet?
On Wed, Dec 08, 2010, Dobbins, Roland wrote: On Dec 8, 2010, at 11:52 AM, Adrian Chadd wrote: The real problem is people. Well, yes - but short of mass bombardment, eliminating people doesn't scale very well, and is generally frowned upon. ; I think history can conclusively state we're much, much better at eliminating people than we are hacked boxes; that politicians seem much happier somehow about the former than the latter; and our collective clue at being able to do so is growing much faster than our electronic toolkits. :-) (Oh god. :-) Adrian
Re: U.S. officials deny technical takedown of WikiLeaks
On Sat, Dec 04, 2010, Ken Chase wrote: And if they come and ask the same but without a court order is a bit trickier and more confusing, and this list is a good place to track the frequency of and response to that kind of request. Except of course when you're asked not to share what has occurred with anyone. I hear that kind of thing happens today. Adrian
Re: Want to move to all 208V for server racks
On Fri, Dec 03, 2010, Joel Jaeggli wrote: (OK, so it's not as practical when you have other customers to worry about... but it might not be so crazy when you're looking at the efficiency numbers for 100,000 small 1u power supplies vs a set of much larger ones.) Ohm's law is a bitch. 10kamp -48v DC plants are bad enough as far as the amount of copper required, running 12v for significant distance is comical, this is the reason small boats airplanes and diesel trucks adopt 24v systems. There's probably some model where top of rack rectifiers makes sense but that's really pretty much what a blade server is. When you look at a motherboard in a server a big chunk of real-estate is devoted to taking 12v and switching it down to 1.2-1.8 for distribution to the CPU/memory, a 4 socket server might have to carry 400amp around in a space of around 300cm^2 on a layer of the pcb. The justification for running 208 or 480 all the way to a cabinet is all about smaller conductors. Isn't this one area where Google have already (re-)pioneered recently? Besides, there's a reason why AC won over DC for carrying 0 x few hundred (or thousand? Amps) over a reasonable distance. IANA-PowerEngineer, but ISTR the behaviour/efficiency of voltage/current over distance for both AC and DC is well understood. (And no, ISTR it isn't AC wins. :-) If you're at all serious about discussing this, I bet spending 15 minutes doing some research and then an hour or so crafting some simultaneous equations to solve/graph would be very very eye-opening. Come on guys/girls, you're a bright bunch, post some models and discuss those rather than un-substantiated datapoints! :-) 2c, Adrian
Re: wikileaks unreachable
On Sun, Nov 28, 2010, Ken Chase wrote: This is always the best way to deal with disagreement. But I think this is the wrong list to tender such contracts. Also, it's odd you hate DDOS's more than murder. Time to take some time off work perhaps? For the first time I'm hoping to not meet some of the nanog members in person at a Nanog conference should I ever attend I think you've got it backwards. See if he's actively like this in person. Email ... changes things with communication. Adrian
Re: Emulating a cellular interface
On Sat, Nov 06, 2010, Andy Davidson wrote: Not withstanding Mikael's comments that it shouldn't be lossy, at times when you want to simulate lossy (and jittery, and shaped, and ) conditions, the best way I have found to do this is FreeBSD's dummynet : http://www.freebsd.org/cgi/man.cgi?query=ipfwsektion=8#TRAFFIC_SHAPER_(DUMMYNET)_CONFIGURATION And cellular networks are bursty, depending upon (from what I can gather) how busy the cell is and how many people are currently doing data. Someone more cellular-oriented should drop in their 2c. So to be completely accurate, you may want to script some per-node shaping rules that watch traffic flow and adjust the rules to emulate this. I recall seeing a few apps that behaved poorly when their UDP data exchange timed out because my 3G connection was in a slow mode and didn't recover well. It required a background ICMP to keep the damned session nailed up to fast. :-) Adrian
Re: Token ring? topic hijack: was Re: Mystery open source switching
On Wed, Nov 03, 2010, Jacob Broussard wrote: Wow... Reading this thread I feel like some sort of time traveler, what with my cable internet, multicore processor, and smartphone. Hi, I'm from the year 2000. I've got my cable internet, some prototype DSP/CPU combination cores that I've been playing with, and some weird attempt at shoe-horning in a cell phone into a Palm Pilot (or the other way around? I'm not sure. I'm still not sure.) Oh you mean, your apple airport, apple macbook, and apple iphone? AH. Now I see why you think you're in the future. :-) Adrian
Re: IPv6 rDNS
On Sat, Oct 30, 2010, Randy Bush wrote: http://www.fpsn.net/?pg=toolstool=ipv6-inaddr windows mentality, wrap it all in a complex gui that also washes your car. use simple hack that just takes an ipv6 address and makes the bleeping reversed dotted to death lhs of the ptr record. rmac.psg.com:/Users/randy host 2001:418:1::61 Host 1.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.4.0.1.0.0.2.ip6.arpa not found: 3(NXDOMAIN) But Randy, everyone has a web browser installed. Not everyone has perl, python, cc, or such installed. :-) Adrian (I wonder if FreeBSD-1.0's complete, non-X install footprint (sub-40meg) was smaller than an install of Firefox. :-)
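The "simple hack" Randy asks for, as an added example that is not part of the thread: a few lines of Python that expand an IPv6 address to its 32 nibbles, reverse them under ip6.arpa, and emit a relative PTR record for a delegated zone. The address 2001:418:1::61 is the one from his host output; the /32 zone and the hostname rmac.psg.com. used below are assumed for illustration. Python's ipaddress module exposes the same owner name as reverse_pointer on an address object, which ip6_reverse_name can be checked against.

```python
import ipaddress


def ip6_reverse_name(addr: str) -> str:
    """Owner name of the PTR record for one IPv6 address (RFC 3596 ip6.arpa form).

    The packed form is always 16 bytes, so abbreviated input (::) expands correctly
    and every nibble, leading zeros included, lands in the name."""
    nibbles = ipaddress.IPv6Address(addr).packed.hex()   # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ip6_reverse_zone(prefix: str) -> str:
    """Zone apex for a delegated prefix; the length must sit on a nibble boundary,
    since a /44 or /45 cannot be expressed as one ip6.arpa label boundary."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for a single zone")
    nibbles = net.network_address.packed.hex()[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_record(addr: str, zone: str, hostname: str) -> str:
    """Zone-file line for addr relative to zone: '<labels> IN PTR <hostname>'."""
    full = ip6_reverse_name(addr)
    suffix = "." + zone
    if not full.endswith(suffix):
        raise ValueError(f"{addr} is not inside {zone}")
    return f"{full[:-len(suffix)]}\tIN\tPTR\t{hostname}"


if __name__ == "__main__":
    # Address from Randy's host(1) output; zone and hostname are assumed.
    print(ip6_reverse_name("2001:418:1::61"))
    print(ip6_reverse_zone("2001:418::/32"))
    print(ptr_record("2001:418:1::61", "8.1.4.0.1.0.0.2.ip6.arpa", "rmac.psg.com."))
```

For a zone cut at something other than a nibble boundary you have to delegate several ip6.arpa zones (or use RFC 2317-style CNAME tricks), which is why ip6_reverse_zone refuses those lengths instead of guessing.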
Re: DDOS attack via as702 87.118.210.122
On Tue, Oct 26, 2010, Cutler James R wrote: Jack, I agree that whois is hard. Please explain how you knew to query AS701 when Serg asked about AS702. Brainfart. I understand why people confuse 701 with 702. $ whois -h whois.ripe.net AS702 % Information related to 'AS702' aut-num:AS702 as-name:AS702 descr: Verizon Business EMEA - Commercial IP service provider in Europe ... Adrian computer:~ me$ whois as702 SNIP No match for AS702. Last update of whois database: Tue, 26 Oct 2010 13:47:47 UTC Regards. Cutler On Oct 26, 2010, at 9:22 AM, Jack Carrozzo wrote: Whois is hard, let's go shopping: ja...@anna ~ $ whois as701 SNIP/ -Jack Carrozzo On Tue, Oct 26, 2010 at 7:51 AM, Serg Shubenkov s...@macomnet.net wrote: Hello, list. Please send me off-list abuse contact for as702. -- Serg Shubenkov, MAcomnet, Internet Dept., Head of Inet Department phone: +7 495 7969392/9079, +7 916 5316625, mailto:s...@macomnet.net icq uin: 101964103, Skype: serg.v.shubenkov James R. Cutler james.cut...@consultant.com
Re: Failover IPv6 with multiple PA prefixes (Was: IPv6 fc00::/7 - Unique local addresses)
On Thu, Oct 21, 2010, Leo Bicknell wrote: If you could number your internal network out of some IPv6 space (possibly 1918 style, possibly not), probably a /48, and then get from your two (or more) upstreams /48's of PA space you could do 1:1 NAT. No PAT, just pure address translation, 1:1. You can renumber by configuring a new outside translation. The NAT box can do the load distribution functions discussed here, some users out one provider, others out the second provider. There is no port complication, so incoming connections are much simpler. You assume the protocol(s) don't include IP addresses inside the payload. You also assume the protocol(s) don't do things like checksum application payloads, which include IP addresses. Both of which I've seen, today. Some of which I occasionally see inside, hm, over-enthusiastic HTTP protocol/application designers. NAT's going to be needed, but it's going to be more stateful inspection-y than most of the vocal nanog+ipv6 people desire. :) Adrian
Re: IPv4 sunset date revised : 2009-02-05
On Fri, Oct 22, 2010, bmann...@vacation.karoshi.com wrote: The IPv4 space here was retired in 2009. We love the IVI translator code. Whats keeping the rest of you? Just hazarding a guess: router# conf t router(config)# ipv6 ivi enable router(config)# ^Z Adrian
Re: IPv6 fc00::/7 - Unique local addresses
On Thu, Oct 21, 2010, Graham Beneke wrote: I've seen this too. Once again small providers who pretty quickly get caught out by collisions. The difference is that ULA could take years or even decades to catch someone out with a collision. By then we'll have a huge mess. You assume that people simply select ULA prefixes randomly and don't start doing linear allocations from the beginning of the ULA range. Adrian
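Adrian's point is about how the prefix gets chosen, not how big the range is. As an added example that is not part of the thread, here is the RFC 4193 section 3.2.2 Global ID algorithm (the low-order 40 bits of SHA-1 over a 64-bit NTP timestamp and an EUI-64, placed under fd00::/8) next to the linear allocation he warns about; the MAC address and timestamp are constructed inputs, and the collision checker is only there to show why the two schemes differ.

```python
import hashlib
import ipaddress
import struct
from collections import Counter


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def rfc4193_global_id(ntp_time: int, eui64: bytes) -> bytes:
    """RFC 4193 3.2.2: low-order 40 bits of SHA-1(64-bit NTP time || EUI-64)."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + eui64).digest()
    return digest[-5:]


def random_ula_prefix(ntp_time: int, eui64: bytes) -> ipaddress.IPv6Network:
    """fd (L bit set, locally assigned) + 40-bit Global ID -> the site's /48."""
    packed = b"\xfd" + rfc4193_global_id(ntp_time, eui64) + b"\x00" * 10
    return ipaddress.IPv6Network((packed, 48))


def linear_ula_prefix(n: int) -> ipaddress.IPv6Network:
    """What the post warns about: the n-th /48 counted up from the bottom of fd00::/8.
    Every site that does this starts at the same place, so fd00::/48 collides first."""
    if not 0 <= n < 2 ** 40:
        raise ValueError("n must fit in the 40-bit Global ID")
    packed = b"\xfd" + n.to_bytes(5, "big") + b"\x00" * 10
    return ipaddress.IPv6Network((packed, 48))


def collisions(prefixes):
    """Exact /48 prefixes chosen by more than one site."""
    return sorted(p for p, count in Counter(prefixes).items() if count > 1)


if __name__ == "__main__":
    # Constructed inputs: not a real host's MAC, not a real clock reading.
    eui = eui64_from_mac("00:11:22:33:44:55")
    print("RFC 4193 prefix:", random_ula_prefix(0xD3F2A1B000000000, eui))
    sites = [linear_ula_prefix(0), linear_ula_prefix(0), random_ula_prefix(0xD3F2A1B000000000, eui)]
    print("collisions:", collisions(sites))
```

With a 40-bit Global ID the chance of two properly generated sites colliding is around 2^-40 per pair; two sites that both "start at the beginning" collide with certainty, which is the whole of Adrian's objection.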
Re: Routers in Data Centers
On Sun, Sep 26, 2010, ym1r...@gmail.com wrote: As far as I know open source solutions doesn't have support for fabric or high speed asics. So the throughput will always be a big difference. Unless you are comparing a pure packet software interrupt platform. Hasn't there been a post about this to the contrary? Isn't someone from Google presenting at NANOG about this? Adrian
Re: Routers in Data Centers
On Sun, Sep 26, 2010, Rubens Kuhl wrote: Not high speed ASICs, but there are hardware-forwarding open-source(in a broad definition) solutions: http://netfpga.org There are 3 related presentations on NANOG 50, which suggests these solutions are reaching real ops quality. I hate to sound (more) like a broken record but if people want to see open source hardware forwarding platforms succeeding (and the software platforms get better), then look at trying to be involved in their development. Too many companies seem to think open source equates to free stuff that I can use and not pay for; rather than thinking of it as a normal product (with development cycles, resources, etc that any commercial development requires) that gives them the ability to choose their own direction rather than be beholden to the whims of a vendor. One of the fun divides in open source at times is the big gap between works and works in practice. The only way to get ops ready stuff is to work with open source people to make it actually work in your environment rather than what works for them. :-) (Or you could wait for Google - but doesn't that make you beholden to them as your vendor? :) Adrian
Re: Online games stealing your bandwidth
On Sat, Sep 25, 2010, Matthew Walster wrote: I once read an article talking about making BitTorrent scalable by using anycasted caching services at the ISP's closest POP to the end user. Given sufficient traffic on a specified torrent, the caching device would build up the file, then distribute that direct to the subscriber in the form of an additional (preferred) peer. Similar to a CDN or Usenet, but where it was cached rather than deliberately pushed out from a locus. Was anything ever standardised in that field? I imagine with much of P2P traffic being (how shall I put this...) less than legal, it's of questionable legality and the ISPs would not want to be held liable for the content cached there? I don't recall any protocols being standard. Plenty of people sell p2p caches but they all work using magic, smoke and mirrors. Adrian
Complain to your vendors (was Re: Did your BGP crash today?)
Guys/girls/furry-creatures-from-!Earth, Complaining on nanog-ml is likely to only achieve personal stress relief. This is something you should bring up with your vendor. Say that you'll move vendors if they don't start making better BGP implementations and adding the features you guys want. Make the list of better features open, public, and actively solicit alternatives. Follow up on your threat. This is your business bottom line after all. Don't just use it as a reason to get lower prices from your current vendor and then continue complaining when dumb crap like this occurs. It would be great if vendor(s) participated in a public interoperability test suite where researchers could test their stuff against it before unleashing it on the public internet. I'd love to see something public -and- cross institutional, -and- include access to things like CRS-level equipment. Go on, I dare you. :) 2c, Adrian
Re: Appliance Vs Software based routers
The official answer: commodity hardware doesn't handle all the features needed at line rate. The (more often than not) unofficial answer: using a custom platform raises the entry barrier for cloning/abuse/etc. It's a bit hard to run your appliance MIPS software on an off-the-shelf PC; but it used to be possible to run PIX software on a PC (and in a VM too, IIRC.) Fun times, Adrian On Sun, Jul 25, 2010, Tarig Yassin wrote: Dear all Greetings I'm wondering why the software based router is not preferable in business even if they have high-featured processors, and high capacity of memory. What is the main difference between Appliance router and Software based routers? thank you all in advance. -- Tarig Y. Adam
Re: U.S. Plans Cyber Shield for Utilities, Companies
On Wed, Jul 07, 2010, Patrick Giagnocavo wrote: Why does it cost $100 million to install and configure OpenBSD on a bunch of old systems? I think you've misunderstood the question if you think openbsd on old systems is the answer. :) Adrian
Re: Question about Manycore processor- Tilera
There have been plenty of multi-dimensional processor interconnects over the years. You should do some further research. :) Adrian (hypercube-connected O2000, anyone?) On Tue, Jul 06, 2010, ?? wrote: Hello, all. I am not sure whether it is suitable for me to ask this question here. My question is about Tilera, a new multi-core processor provider, however, they call themselves Many-Core to separate from RMI, Cavium, etc. Tilera claims that their processor has a 2D mesh so they can put more Cores (from 36, 64 to 1K) in one Chip, while Cavium only has a 1D bus, so Tilera thinks they have a much higher performance. My question is: 1 Is it true that Tilera revolutionarily improves the performance of multi-core (or Many-core) processors? 2 If you make the choice between Tilera and Cavium, what do you prefer? Why? Devin. BTW, its website is http://www.tilera.com/
Re: Mikrotik OC-3 Connection
On Sun, Jul 04, 2010, Michael Sokolov wrote: OK, I'll bite and add my 2 Russian kopecks to the Cisco vs. Linux router thread. It's ok. I'll trade you Russian for Australian currency. I don't know which is going to be better in the long run. With non-Ethernet WAN interfaces one really needs an extra layer of highly configurable software functionality sandwiched in between the hardware interface unit and the ifconfig layer. The physical hardware interface is a synchronous serial bit stream processor that sends and receives either HDLC frames or ATM cells, and that is where the Hey, sounds like FreeBSD's NetGraph! hardware-dictated part ends. Let's take the case of HDLC as it's more pleasant than ATM: in the case of HDLC the software layer between the HDLC controller and the ifconfig layer needs to do the following: * Let the user choose the encapsulation, and there are many choices: Cisco HDLC, straight PPP (RFC 1662), Frame Relay, PPP over FR (RFC 1973), ATM FUNI, etc. ng_encapsulation_module * If it's a Frame Relay encapsulation, let the user configure DLCIs. Oh, and there can be more than one, hence there may be multiple ifconfig-able entities on the same FR interface. ng_some other module * RFC 1490 (FR) and RFC 1483 (ATM) both allow bridged/MAC-encapsulated and true routed circuits; our software layer should support both, as well as the possibility of mixing the two on different FR interfaces or different DLCIs on the same interface. These two modes need to look different to the ifconfig layer: if it's a bridged encapsulation, ifconfig needs to see a virtual Ethernet interface (virteth0 or macwan0); if it's a true routed encapsulation, ifconfig needs to see a MAC-less and ARP-less point-to-point interface like ipwan0. ng_bridge, IIRC * Now let's support both HDLC and serial ATM (bit-by-bit cell delineation) if the underlying hardware is capable of both (like Freescale MPC862 and MPC866). 
Let's provide a way for the user to switch between the two with a simple software command, and let's provide as much commonality as possible between the two configurations: let's support all RFC 1483 encapsulations on HDLC via FUNI, but make the configuration commands look just like ATM. Let's also support FRF.5 by allowing one to take an ATM PVC and treat its payload as a virtual HDLC interface, with possibly many FR DLCIs inside. I think there's ng_atm stuff; I could be wrong. There should be functional ATM code in FreeBSD and if so, I'd be surprised to find it isn't linked into netgraph. I would love to be corrected on this, but I am not aware of anyone having implemented all of the above for Linux (or for any BSD variant) in a clean and generalized manner. Instead what we see is that each vendor of a PCI card for some non-Ethernet WAN interface has their own ad hoc solution which typically comes nowhere close to what I've outlined above in terms of generality and flexibility. FreeBSD netgraph. It's clean, it's generalised, it's just not very well documented. Now here is something I'd like to build which will attempt to solve this mess. I'd like to build a modular WAN router based on the MPC866 chip from Freescale, formerly Motorola. MPC866 is a PowerPC with one very neat twist: it has 4 serial communication controller (SCC) cores on chip. Each SCC has a traditional 7-wire serial interface coming out of it (Rx data, Rx clock, Tx data, Tx clock, RTS, CTS and CD) and supports both HDLC and serial ATM. (The serial ATM mode supports both bit-by-bit cell delineation for a raw bit stream and octet-by-octet cell delineation for use with a framer that provides octet boundaries.) Have a chat to the FreeBSD community. There's a powerpc port. Shoehorn FreeBSD into it somehow, help tidy up the code to do whatever you need and start leveraging the very powerful network stack FreeBSD has. 
FreeBSD-head has support for multiple routing tables which I believe you can just dump netgraph interface nodes into to support VRFs. I'm peripherally doing something similar as a prototype using FreeBSD/MIPS on ubiquiti hardware - but I'm mostly squeezing my squid fork onto it and making it work right. :) Adrian My modular router would be rather unique in that the interface to the pluggable WAN modules would not be PCI or anything of that sort, instead it would be the 7-wire serial interface coming from an MPC866 SCC, and there would be 4 possible daughtercard slots corresponding to the 4 SCCs. When the interface for pluggable WAN modules is something like PCI, the HDLC or ATM (including SAR) core has to be reimplemented anew by everyone who wants to build a new WAN module for a different flavor of Layer 1 physical interface, and I find it wasteful. The proliferation of such reinvented-wheel HDLC/ATM reimplementations is precisely the reason why there is no universally-accepted standardized framework for non-Ethernet WAN
Re: [Nanog-futures] Membership, was Transition update
On Sat, Jun 12, 2010, Adrian Chadd wrote: Hypothetically speaking, if I were currently engaged in this business, I'd pay. Both for the ability to ask questions and the ability to be asked questions by a sensible group of people with similar goals (ie, non-trolling) in mind[1]. And to follow up on my follow-up - too often have I seen people comment on the apparently occasional lack of clue that shows up, after you filter out the noisy stuff. Another possibility is nanog-help, where netadmins -can- ask dumb questions and get some community feedback. I also believe having a clue distilled service available to mailing list members would be really helpful. Sometimes forums get turned into that - ie, helpful posts get voted up (by clueful people who know what they're doing); then you can craft forum queries to pull out questions that have been answered highly. That could be another paid service. I've had quite positive feedback from when I occasionally manually do this from the nanog-ml contents. (another) 2c, Adrian ___ Nanog-futures mailing list Nanog-futures@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-futures
Re: Nato warns of strike against cyber attackers
On Wed, Jun 09, 2010, Larry Sheldon wrote: You might not have the state inspection rip-off, but I'll bet that if your state accepts federal highway money, you have mechanical condition standards that include tires, brakes, seat belts and a lot of other things. .. and a change in the minimum drinking age? Adrian (Before you go That's not relevant to the discussion, think again. Hard.)
Re: Junos Asymmetric Routing
On Fri, May 28, 2010, Ken Gilmour wrote: Yes sir I have used SSG for several years but mainly used BSD for the last decade and most recently OpenBSD. There is an easy fix for this on PF for OpenBSD and that is to tag the packets from each provider (as in not using 802.1q but a specific function in PF). This works extremely well That keeps per-connection state. Be aware of the repercussions! Adrian
Re: Junos Asymmetric Routing
We replaced our OpenBSD routers with these SRXes since they were supposed to be multifunction devices (gateways and routers at the same time) which was the selling point. So we expected them to do asymmetric routing and were told they could, easily, but apparently they are not acting normally and also the configuration is perfect according to JTAC. It sounds like a mis-communication on everyones' parts. I've come across plenty of systems-oriented people who believe the behaviour of network edge devices is what you've said - because various hosts (eg Linux) treat sockets, routing, ethernet active/standby, etc a specific way and this is not how traditional routing/edge devices behave. :) Adrian
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, Apr 27, 2010, Matthew Kaufman wrote: Fortunately, the IPv6 address space is so large and sparse, that scanning it would be quite a feat, even if a random outside attacker already knew for a fact that a certain /64 probably contains a vulnerable host. All I need to do is run a popular web site on the IPv6 Internet, and I get all the addresses of connected hosts I want. That address-space-scanning is hard is nearly irrelevant. or troll popular IPv6 BitTorrent end points when that becomes popular. Adrian
Re: Books for the NOC guys...
On Mon, Apr 26, 2010, Joly MacFie wrote: I also grabbed the list http://isoc-ny.org/wiki/Networking Thanks to all who contributed. Please feel free to add a link to the above url in the nanog wiki. j On Sat, Apr 3, 2010 at 6:52 AM, Adrian Chadd adr...@creative.net.au wrote: On Fri, Apr 02, 2010, Robert E. Seastrom wrote: So, what are you having your up-and-coming NOC staff read? Since I thought this was worthwhile summarising, I've dumped it on the mail topics page in the Wiki: http://nanog.cluepon.net/index.php/MailTopics I specifically left out the programming language related ranting. Adrian -- --- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com Secretary - ISOC-NY - http://isoc-ny.org ---
Re: Rate of growth on IPv6 not fast enough?
On Tue, Apr 20, 2010, Perry Lorier wrote: One of my colleagues here (Shane Alcock) did some research into Service Provider NAT based off passive traces from a New Zealand Residential ISP[1]. By passively looking at connections he investigated how you could dimension a NAT box for an ISP. His research is available here http://www.wand.net.nz/~salcock/spnat/tech_report.pdf . If walls of text scare you (why are you reading this mailing list then?) skip through and look at the graphs (page 3 onwards) Interesting. Only a few days, and not really any analysis for worst case scenarios and how to possibly gracefully recover from those. (eg, I've done some NAT hacks to detect idle HTTP pconns and toss those before tossing the others.) Adrian
Re: Rate of growth on IPv6 not fast enough?
On Sun, Apr 18, 2010, joel jaeggli wrote: my load balancer needs 16 ips for every million simultaneous connections, so does yours. Only because it hasn't broken the spec further. :) adrian
Re: [Nanog-futures] Transition FAQ
On Sun, Apr 18, 2010, Randy Bush wrote: i figure it'll be a fun community meeting i sf. i suggest we go back to serving the alcohol first. :) Two scotch minimum before participating in discussions? Adrian
Re: ARIN IP6 policy for those with legacy IP4 Space
On Thu, Apr 08, 2010, Joe Greco wrote: Because a legacy holder doesn't care about ARIN; a legacy holder has usable space that cannot be reclaimed by ARIN and who is not paying anything to ARIN. The point here is that this situation does not encourage adoption of IPv6, where suddenly there'd be an annual fee and a contract for the space. ARIN is incidental, simply the RIR responsible in this case. Out of curiosity, I wonder whether the adoption of the internet in the 90s would have occurred if IPv4 addresses were allocated, managed and controlled like they are today. Adrian
Re: legacy /8
On Sat, Apr 03, 2010, Vadim Antonov wrote: Step 1: specify an IP option for extra low order bits of source destination address. Add handling of these to the popular OSes. Don't IP options translate to handle in slow path on various routing platforms? :) That makes "leave backbones unchanged" not happen. Adrian
Re: Books for the NOC guys...
On Fri, Apr 02, 2010, Robert E. Seastrom wrote: So, what are you having your up-and-coming NOC staff read? Since I thought this was worthwhile summarising, I've dumped it on the mail topics page in the Wiki: http://nanog.cluepon.net/index.php/MailTopics I specifically left out the programming language related ranting. Adrian
Re: D/DoS mitigation hardware/software needed.
On Tue, Jan 05, 2010, Dobbins, Roland wrote: None of the large, well-known Web properties on the Internet today - at least, the ones which stay up and running, heh - have stateful firewalls in front of them. Including prominent vendors of said stateful firewall solutions. But as you said, they're willing to sell them to you. Then claim that the traffic you're receiving is out of profile. :) (I'm not jaded about this, oh no..) Adrian
Re: D/DoS mitigation hardware/software needed.
On Tue, Jan 05, 2010, Stefan Fouant wrote: Almost all of the scalable DDoS mitigation architectures deployed in carriers or other large enterprises employ the use of an offramp method. These devices perform a lot better when you can forward just the subset of the traffic through as opposed to all. It's just a simple matter of using static routing / RTBH techniques / etc. to automate the offramp. Has anyone deployed a DDoS distributed enough to inject ETOOMANY routes into the hardware forwarding tables of routers? I mean, I assume that there's checks and balances in place to limit the number of routes being injected into the network so one doesn't overload the tables, but what's the behaviour if/when this limit is reached? Does mitigation cease being as effective? Adrian
Re: Chinese bgp metering story
On Sat, Dec 19, 2009, Dobbins, Roland wrote: Existing hardware does this today with NetFlow, et. al. .. not only that, we've been doing this for a bloody long time in internet years. About all that really matters is figuring out how to engineer your network to allow for netflow based billing without having subtle duplicate flows everywhere.. Adrian (Ah, thinking about this stuff brings back memories, and I'm only 30..)
Re: Small guys with BGP issues
On Mon, Nov 02, 2009, Richard A Steenbergen wrote: If you don't like the service you're getting, vote with your money and buy from someone else. This is quite simply not a NANOG issue, but in the interests of being helpful the best advice I can give you is this: Your request is unreasonable, and you should adjust your expectations that you'll ever get it from the service you are purchasing. Sorry if that's not the answer you want. :) Or you could look at alternatives with your provider, ie: Ok, so we can't speak BGP over that particular link. May I colocate some router with you at extra cost and connect to you via -that-, so I may then speak BGP to you over that and then tunnel my data back to me over your DSL network? That way you don't require your ISP to speak BGP over a DSL link and all of the headaches they may not be prepared for, and you get control over your own network. 2c, Adrian
Re: Strip AS in BGP peer
Take a read of the quagga documentation. There's a BGP neighbor option for stripping out the local AS when speaking eBGP. Adrian On Wed, Oct 28, 2009, Sherwin Ang wrote: Hello Nanog, am not sure if I should have placed this on the cisco-nsp or the juniper-nsp but someone may have a direct answer. well here it goes. we'll soon form a new internet exchange and I would like to suggest a model in the route-server wherein the route-server would strip out its own AS and give the neighbors/peers the AS's of the members. I have seen this in Any2IX but I have no idea on how to implement it as if I am the Any2 route-server. if you could point me to the right direction or reading, I could take it from there.
Re: IPv6 could change things - Was: DMCA takedowns of networks
On Tue, Oct 27, 2009, Jeroen Massar wrote: But yes, the network stack itself is a different question, then again, you can just route a /64 into the loopback device and let your apache listen there... (which also allows you to do easy-failover as you can move that complete /64 to a different box ;) Funny you should mention that. A couple of tricks I've seen: * instead of a linked list and O(n) searching of interface aliases, use some kind of tree to map local IP -> interface. * hacks to do a bind to all damned IP addresses and let userspace sort it out. I've done the former for a few thousand aliases with no degradation in performance. The hacks available for freebsd-4.x for the Web Polygraph software did something similar. 2c, Adrian
Re: IPv6 Deployment for the LAN
On Thu, Oct 22, 2009, Iljitsch van Beijnum wrote: What does that have to do with anything? IPv6 stateless autoconfig predates the widespread use of DHCPv4. So does IPX and IPX/RIP. Why does this thread seem to rehash some big disconnect between academics, IETF and actual deployment-oriented people who have a job to do? Silly architecture groups.. Adrian (Glad I'm not involved. I'd lose patience and punch people.)
Re: ISP/VPN's to China?
On Wed, Oct 21, 2009, Alex Balashov wrote: oh my goodness. You're behind on your reading... I didn't mean DPI. I meant in a way that can be inferred from the headers themselves, and aside from the port number. You don't think that statistical analysis of traffic patterns of your UDP traffic wouldn't identify it as a likely tunnel? :) Adrian
Re: ISP/VPN's to China?
On Wed, Oct 21, 2009, Alex Balashov wrote: I was not aware that tools or techniques to do this are widespread or highly functional in a way that would get them adopted in an Internet access control application of a national scope. Tell me more? It's been a while since I tinkered with this for fun, but a quick abuse of google gives one relatively useful starting paper: http://ccr.sigcomm.org/online/files/p7-v37n1b-crotti.pdf Now, if you were getting multiple overlapping fingerprints inside a UDP packet stream you may conclude that it is a VPN tunnel of some sort. Just randomly padding the tunnel with a few bytes either side will probably just fuzz the classifier somewhat. Aggregating the packets up into larger packets may fuzz the classification methods but it certainly won't make the traffic look like something else. It'll likely still stick out as being different. :) Adrian
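The kind of size-based flow fingerprinting the linked paper describes, and the padding/aggregation caveats in the reply above, as an added worked example. This is illustrative code written for this page, not the paper's classifier or anything from the thread: the two reference fingerprints and the three flows are constructed, the classifier uses only UDP payload sizes (a real one adds inter-arrival times and direction and is trained on captures), and the padding sequence is deterministic so the run reproduces.

```python
"""Toy payload-size fingerprinting of UDP flows.

Added example in the spirit of a size-based protocol fingerprint; the
fingerprints and flows below are constructed, not captured traffic.
"""
from collections import Counter

BIN_BYTES = 64          # histogram bucket width
NBINS = 24              # buckets cover UDP payloads of 0..1535 bytes
MATCH_THRESHOLD = 1.0   # L1 distance (0..2) above which nothing known matches


def size_histogram(sizes):
    """Normalised histogram of payload sizes: {bucket: fraction_of_packets}."""
    if not sizes:
        raise ValueError("empty flow")
    counts = Counter(min(s // BIN_BYTES, NBINS - 1) for s in sizes)
    return {b: c / len(sizes) for b, c in counts.items()}


def l1_distance(h1, h2):
    """Sum of absolute bucket differences; 0 = identical, 2 = disjoint."""
    return sum(abs(h1.get(k, 0.0) - h2.get(k, 0.0)) for k in set(h1) | set(h2))


# Constructed reference fingerprints for two well-behaved UDP protocols.
FINGERPRINTS = {
    "voip_g711": size_histogram([172] * 50),                    # 160 B G.711 + 12 B RTP
    "dns": size_histogram([48, 60, 72, 140, 200, 260] * 10),    # small queries, larger answers
}


def classify(sizes, fingerprints=FINGERPRINTS, threshold=MATCH_THRESHOLD):
    """Return (label, distance); label is 'unknown' when no fingerprint is close."""
    hist = size_histogram(sizes)
    name, dist = min(((n, l1_distance(hist, fp)) for n, fp in fingerprints.items()),
                     key=lambda pair: pair[1])
    return (name if dist <= threshold else "unknown"), round(dist, 3)


def constructed_flows():
    """Three flows: a plain G.711 call, a VPN tunnel, and a padded G.711 call."""
    voip = [172] * 192
    # Tunnel carrying an ESP-wrapped voice call, a bulk transfer and DNS:
    # several overlapping fingerprints inside one UDP 5-tuple.
    tunnel = [200] * 96 + [1400] * 96 + [88] * 48 + [240] * 48
    # Same call with 0..63 bytes of padding per packet. The pad sequence is
    # deterministic here so the run is reproducible (use os.urandom in practice).
    padded_voip = [172 + (i * 37) % 64 for i in range(192)]
    return {"voip": voip, "tunnel": tunnel, "padded_voip": padded_voip}


if __name__ == "__main__":
    for name, sizes in constructed_flows().items():
        print(f"{name:12s} -> {classify(sizes)}")
```

The plain call matches its fingerprint exactly; the tunnel matches nothing because its histogram is a blend of several protocols; and the padded call also stops matching, but it becomes "unknown" rather than "dns". That is the point made above: padding fuzzes the classifier, it does not make the traffic look like something else.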
Re: Science vs. bullshit
On Mon, Oct 19, 2009, Patrick W. Gilmore wrote: Corner cases like the one above are barely noise, so the curve is still valid. Strictly speaking, with the subject of Science vs bullshit, you and msa have named a hypothesis, no? Can either of you think of a way to disprove that, and if so, where's your data? :) Adrian
Re: multicast nightmare #42
On Wed, Oct 14, 2009, Adrian Minta wrote: 1 sender 1 mcast group 2+ receivers on same VLAN and physical segment = data loss Probably a crappy switch. specifically, is your switch doing frame replication on ingress or egress? :) adrian
Re: ISP customer assignments
Nathan Ward, please stand up. Adrian On Tue, Oct 13, 2009, TJ wrote: -Original Message- From: Justin To go along with Dan's query from above, what are the preferred methods that other SPs are using to deploy IPv6 with non-IPv6-capable edge hardware? We too have a very limited number of dialup customers and will never sink another dollar in the product. Unfortunately I also have brand-new ADSL2+ hardware that doesn't support IPv6 and according to the vendors (Pannaway) never will. We also have CMTSs that don't support IPv6, even though they too are brand-new. Those CMTSs top out at DOCSIS 2.0 and the vendor decided not to allow IPv6 to the CPEs regardless of the underlying CM's IPv6 support or lack thereof (like Cisco allowed for example). Are providers implementing tunneling solutions? Pros/cons of the various solutions? My first (potentially ignorant) response would be to get your acquisitions people aligned with your business, and by that I mean they should be making a concerted effort to only buy IPv6 capable gear, especially when IPv6 is coming to you within that gear's lifecycle. I guess your customers will need to tunnel, as long as you give them a public IP they have 6to4 (and possibly Teredo, tunnel broker) - but native is better.
Re: IPv6 internet broken, Verizon route prefix length policy
On Mon, Oct 12, 2009, Seth Mattinen wrote: It's not the RIR's fault. IPv6 wasn't designed with any kind of workable site multihoming. The only goal seems to have been to limit /32's to an ISP but screw you if you aren't one. There was no alternative and it's been how long now? PI, multihoming, multicast, etc. is reality because the internet is now Very Serious Business for many, many people. IPv6 -policy- wasn't initially designed for any workable site multihoming. The addressing and BGP stuff works fine for it. It's just not different to the issues faced with IPv4. adrian
Re: IPv6 internet broken, Verizon route prefix length policy
On Tue, Oct 13, 2009, valdis.kletni...@vt.edu wrote: You get some substantial wins for the non-TE case by being able to fix the legacy cruft. For instance, AS1312 advertises 4 prefixes: 63.164.28.0/22, 128.173.0.0/16, 192.70.187.0/24, 198.82.0.0/16 but on the IPv6 side we've just got 2001:468:c80::/48. And we're currently advertising *more* address space in one /48 than we are in the 4 IPv4 prefixes - we have a large chunk of wireless network that is currently NAT'ed into the 172.31 space because we simply ran out of room in our 2 /16s - but we give those users globally routed IPv6 addresses. I suggest you're not yet doing enough IPv6 traffic to have to care about IPv6 TE. 2c, Adrian
Re: Does Internet Speed Vary by Season?
On Sat, Oct 10, 2009, Fred Baker wrote: Are we talking about bit rate, which one might expect to be modified by environmental characteristics and is in fact very tightly controlled to prevent that, or traffic volume? Not true with modem type technologies, where the available transmission rate is a function of how many available frequency space slices are deemed to be good at any one time. This isn't really like SDH (from what I've read of SDH, anyway.) Adrian
wanted: facebook technical contact
howdy, I'm chasing a technical contact at Facebook. There's some broken HTTP being served which is confusing Squid in a way that isn't easily, cleanly worked around. Please feel free to contact me off-list. Thanks, Adrian
Re: wanted: facebook technical contact
A few people have asked what the specific problem is. http://www.squid-cache.org/mail-archive/squid-dev/200910/0089.html Adrian On Sat, Oct 10, 2009, Adrian Chadd wrote: howdy, I'm chasing a technical contact at Facebook. There's some broken HTTP being served which is confusing Squid in a way that isn't easily, cleanly worked around. Please feel free to contact me off-list.
Re: wanted: facebook technical contact
It is an HTTP/1.0 vs HTTP/1.1 thing (Chunked encoding for HTTP/1.1 doesn't require you to calculate and send a Content-Length.) Adrian On Fri, Oct 09, 2009, Jared Mauch wrote: I've been having the same issue when going through my Linux+Squid+WCCP setup, but if the browser is configured to go direct to the proxy it does not seem to have the same issue. (At least so far). - Jared On Oct 9, 2009, at 2:48 PM, Adrian Chadd wrote: A few people have asked what the specific problem is. http://www.squid-cache.org/mail-archive/squid-dev/200910/0089.html Adrian On Sat, Oct 10, 2009, Adrian Chadd wrote: howdy, I'm chasing a technical contact at Facebook. There's some broken HTTP being served which is confusing Squid in a way that isn't easily, cleanly worked around. Please feel free to contact me off-list.
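The framing rule behind the HTTP/1.0 vs HTTP/1.1 remark above, as an added worked example (written for this page; it is not Squid code and does not reproduce the Facebook responses, which are not shown here). Under RFC 2616 section 4.4 a response body is delimited by Transfer-Encoding: chunked if present, otherwise by Content-Length, otherwise by connection close; a server must not send a transfer-coding to an HTTP/1.0 requester, which is why a chunked response with no Content-Length confuses a 1.0-only client or proxy. The responses are constructed.

```python
"""HTTP/1.x response body framing (RFC 2616 section 4.4) with a chunked decoder.

Added example; not Squid code. The responses at the bottom are constructed.
"""


class FramingError(ValueError):
    """Raised when the body length cannot be determined unambiguously."""


def parse_response(raw: bytes):
    """Split a raw response into (version, status, headers, body). headers maps
    lower-cased names to lists of values so conflicting repeats can be seen."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise FramingError("bad status line")
    version, status = parts[0].decode("ascii"), int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise FramingError("malformed header line")
        headers.setdefault(name.strip().lower().decode("ascii"), []).append(
            value.strip().decode("ascii"))
    return version, status, headers, body


def body_framing(request_version: str, headers):
    """Decide how the body is delimited: ('chunked', None),
    ('content-length', n) or ('close', None)."""
    codings = [c.strip().lower()
               for v in headers.get("transfer-encoding", []) for c in v.split(",")]
    lengths = headers.get("content-length", [])
    if codings and codings != ["identity"]:
        if request_version == "HTTP/1.0":
            # RFC 2616 3.6: a server MUST NOT send transfer-codings to a 1.0 client.
            raise FramingError("transfer-coding sent to an HTTP/1.0 requester")
        if lengths:
            # Both present is the classic desync ambiguity; refuse rather than guess.
            raise FramingError("Transfer-Encoding and Content-Length both present")
        if codings[-1] != "chunked":
            raise FramingError("Transfer-Encoding without a final chunked coding")
        return "chunked", None
    if lengths:
        if len(set(lengths)) != 1 or not lengths[0].isdigit():
            raise FramingError("conflicting or non-numeric Content-Length")
        return "content-length", int(lengths[0])
    return "close", None        # read until the server closes the connection


def decode_chunked(data: bytes):
    """Decode chunk-size CRLF chunk-data CRLF ... 0 CRLF [trailers] CRLF.
    Returns (payload, bytes left over after the terminating CRLF)."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        size = int(data[pos:eol].split(b";")[0].strip(), 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            while True:                                        # optional trailers
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise FramingError("truncated trailer section")
                line, pos = data[pos:eol], eol + 2
                if not line:
                    return bytes(out), data[pos:]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("truncated chunk or missing chunk CRLF")
        out += data[pos:pos + size]
        pos += size + 2


def read_body(request_version: str, raw: bytes):
    """Frame a response as seen by a client that sent `request_version`."""
    _version, _status, headers, body = parse_response(raw)
    framing, length = body_framing(request_version, headers)
    if framing == "chunked":
        payload, _leftover = decode_chunked(body)
    elif framing == "content-length":
        if len(body) < length:
            raise FramingError("body shorter than Content-Length")
        payload = body[:length]
    else:
        payload = body
    return framing, payload


def rejects(request_version: str, raw: bytes) -> bool:
    """True when the response cannot be framed safely for this requester."""
    try:
        read_body(request_version, raw)
    except FramingError:
        return True
    return False


# Constructed responses.
CHUNKED_RESPONSE = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                    b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")
LENGTH_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nhello world"
AMBIGUOUS_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
                      b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
```

Called as `read_body("HTTP/1.1", CHUNKED_RESPONSE)` the decoder yields the reassembled body; the same response for an HTTP/1.0 requester is rejected instead of being misread as a close-delimited body with the chunk framing left inside it. Refusing the Transfer-Encoding plus Content-Length case rather than picking one is deliberate: two devices in the path that disagree about which header wins is how request and response desynchronisation attacks work.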
Re: ISP customer assignments
On Mon, Oct 05, 2009, Antonio Querubin wrote: On Mon, 5 Oct 2009, robert.e.vanor...@frb.gov wrote: The address space is daunting in scale as you have noted, but I don't see any lessons learned in address allocation between IPv6 and IPv4. Consider A lesson learned is that thinking about address allocation is something you do not want to spend too many precious seconds of your life on. That's one reason why the space was designed to be so big. Being penny-wise and pound-foolish doesn't really save you much in the IPv6 address space. .. address aggregation? .. convergence time? I'm sorry, but seeing a good fraction of my local IX simply containing a few ISP's deaggregated view of their local internal networks versus a sensible allocation policy makes me cry. IPv6 may just make this worse. IPv6 certainly won't make it better. adrian
Re: ISP customer assignments
On Mon, Oct 05, 2009, Joe Greco wrote: I'm sorry, but seeing a good fraction of my local IX simply containing a few ISP's deaggregated view of their local internal networks versus a sensible allocation policy makes me cry. IPv6 may just make this worse. IPv6 certainly won't make it better. That would seem to be an IX administrative problem. Sure, if you don't want to see those local networks. But since the cost of getting from Perth to ! Perth is (was?) a lot higher than what you guys even pay for international transit at non-Cogent rates, we have some sort of desire to keep as much traffic local as possible. Hence Local only announcements. As it stands, there are lots and lots and lots of AS's that advertise multiple blocks of space. Ideally, one would rather see a large ISP get a single delegation, rather than advertising 50 or 500. .. and what about their customers with portable address space? What if every single customer decides they now want to multihome, dynamic endpoint resolution stuff (LISA?) isn't ready, and companies simply join the RIR and buy their own IP space? :) Adrian
Re: UDP and IP fragmentation
On Tue, Sep 22, 2009, Philip Lavine wrote: To all, I am running a Windows based high performance computing application that uses reliable multicast (29West) on a gigabit LAN. All systems are logically on the same VLAN and even on the same physical switch The application is set to use an 8k buffer and therefore results in IP fragmentation when datagrams are transmitted. The application is sensitive to any latency or data loss (of course) and uses a proprietary mechanism to create TCP-like retransmissions in case there is any actual data loss. Unfortunately, because of the fragmentation during the retransmission window all ip fragments must be resent even though only one may have been lost. If the buffer size is tweaked to the ~1460 this may fix the fragmentation but will the side effects be less throughput and possibly more latency. Is there a sweet spot for UDP on an ethernet segment? First, figure out whether all of the above matters. :) Invest in a switch and NIC infrastructure that lets you stuff said 8k frames into an 8k jumbo frame. Then make sure you've read and understood QoS basics, including the generic stuff (packet scheduling, queuing/dequeuing concepts); investigate what various vendors claim their switches do and then actually look around for feedback about what others have -seen-. Finally, use all of that clue to make sure that the consultant you then hire to do the work is actually doing their job. No, I'm not (mostly) being facetious. It is mostly easy to get it right when it works, but it is -not- right to get it right enough when it doesn't work. Adrian
Re: Google Pagerank and Class-C Addresses
On Mon, Sep 21, 2009, Jeffrey Lyon wrote: We used to have a lot of people buying IP's in bulk for SEO. They would all cancel within one or two months citing that they couldn't afford it or the project failed, etc. Guess they realized that the whole thing is a myth. .. or, which is more likely given my brief exposure to this crap, the search engines cottoned on and changed the metrics again. adrian
Re: What is good in modular routers these days?
On Tue, Jul 21, 2009, Petersen, Mark wrote:

> FreeBSD provides support for 802.11q, bgpd, ospfd, pf(firewall) and ALTQ(QOS) but since I haven't tested it I have no idea what kind of real world performance you can get with all these features in use. This is one group trying to pony up at least with support of many major vendors.

The main current funding source for work being committed back to FreeBSD's 10GE performance has a very big focus on server performance, not forwarding performance. Hence the flow cache, which benefits TCP stream performance.

Adrian
Re: What is good in modular routers these days?
On Mon, Jul 20, 2009, William Pitcock wrote:

> I don't need any of that stuff, just BGP, OSPF and fast packet forwarding for IPv4. But the point is that I need only routing functionality, I don't need switching functionality like on a Cisco 6500-class system.

I bet if you went and spoke to the right people in the correct open source kernel/distribution project, -given the right clue-, very fast forwarding and QoS could start appearing in *NIX OSes.

The problem I see is there's a lot of demand -once it is done-, but no one org or group willing to pony up to see it happen. The clue is out there. They're just looking for a way to pay the rent.

Adrian
(Not looking to do this, I have enough going on atm..)
Re: Request for contact and procedure information
On Thu, Jul 09, 2009, Charles Wyble wrote:

> I did. Still getting pounded.

And it's not covered by your SLA?

Adrian
Re: Using twitter as an outage notification
On Sun, Jul 05, 2009, Roland Perry wrote:

> Unfortunately, the number of students polling the website for news means it can't cope with the traffic. I don't believe they can justify paying more for better web hosting, just to manage this once-a-year half hour event.

Is Twitter making a profit or not? This discussion about (ab)using a publicly available message system which isn't currently being charged for would make me worried^Wamused as hell.

(Not that I can't see possible ways of making money off twitter - especially if you offer reliable message dissemination services to companies for a fee, but AFAIK they aren't doing this at the moment.)

Adrian
Re: tor
On Thu, Jun 25, 2009, Suresh Ramasubramanian wrote:

> On Thu, Jun 25, 2009 at 9:44 AM, Adrian Chadd <adr...@creative.net.au> wrote:
> > On Thu, Jun 25, 2009, Suresh Ramasubramanian wrote:
> > > Rod - you wouldn't qualify as an ISP - or even a provider of an interactive computer service to go by the language in 47 USC 230, by simply running a TOR exit node.
> >
> > Ah, but would an ISP which currently enjoys whatever the current definition of "common carrier" is these days, running a TOR node, still be covered by said provisions?
>
> ISPs are not common carriers. Geoff Huston is - as always - the guy who explains it best.
>
> http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_5-3/uncommon_carrier.html

Fine; re-phrase my question as "an organisation currently enjoying common carrier status".

Adrian
(Apologies for off-topic noise.)
Re: White House net security paper
On Mon, Jun 01, 2009, Randy Bush wrote:

> and why do we think that throwing a jillion bodies at the problem is a useful approach?

No, but it does keep people employed.

Sorry, I think I reached a new low in my stabby, jaded level when a past employer (a network consulting firm) blasted me for being too efficient at solving a problem.

Adrian
Re: NAT64/NAT-PT update in IETF, was: Re: Important New Requirement for IPv4 Requests [re impacting revenue]
On Thu, Apr 23, 2009, William Allen Simpson wrote:

> Some wag around here re-christened it the IVTF (V stands for Vendor, not Victory). ;-) I haven't bothered to go in years

If the people with operational experience stop going, you can't blame the group for being full of vendors.

Methinks it's time a large cabal of network operators should represent at IETF and make their opinions heard as a collective group. That would be how change is brought about in a participative organisation, no? :)

Adrian
Re: IXP
On Thu, Apr 23, 2009, Leo Bicknell wrote:

> It's the technological equivalent of bringing everyone into a conference room and then having them use their cell phones to call each other and talk across the table. Why are you all in the same room if you don't want a shared medium?

Because you don't want to listen to what others have to say to you.

Adrian
(The above statement has network operational relevance at an IP level.)
Re: IXP
On Wed, Apr 22, 2009, Holmes,David A wrote:

> But I recollect that FORE ATM equipment using LAN Emulation (LANE) used a broadcast and unknown server (BUS) to establish a point-to-point ATM PVC for each broadcast and multicast receiver on a LAN segment. As well as being inherently unscalable (I think the BUS ran on an ASX1000 cpu), this scheme turned the single stream concept of multicast on its head, creating essentially a unicast stream for each multicast PVC client.

IIRC, plenty of popular ethernet switches do this across their backplane for multicast ..

Adrian
Re: REVERSE DNS Practices.
On Thu, Mar 26, 2009, Steven Champeon wrote:

[snip internode related hostnames such as this]

> adsl.adelaide.on.net
>
> > That's a safe assumption.
>
> Unfortunately, it's not. Even more unfortunately, we see more junk from their generic statics than we do from their obvious dynamics.

Have you tried just contacting internode in Australia about this?

Adrian
Re: SUP720 vs. SUP32
On Wed, Mar 18, 2009, Norrie, David wrote:

> article discussed below. I would appreciate it if someone does find the article if they can provide a copy/link to this :

http://markmail.org/message/hzwfh27bgtitadpq

(First hit from googling "c-nsp rodney dunn NPE-G2 CPU")

Make sure you read all the posts in the thread, the figures Rodney gives need some further explanation.

Adrian
Re: Anyone using any Linux SSL proxies?
On Sun, Mar 15, 2009, Michael K. Smith wrote:

> We use Apache with mod_security and mod_proxy to do this, although the application is more as an application layer firewall than an SSL offloader. It works well for lower traffic applications; I haven't tested it under the loads that are advertised by the hardware vendors you mentioned.

Don't forget Squid and its various project forks.

Adrian
Re: SUP720 vs. SUP32
On Wed, Mar 11, 2009, Bill Blackford wrote:

> Can the 32 handle a full table?

Start here: http://www.mail-archive.com/cisco-...@puck.nether.net/msg12492.html

adrian
Re: SUP720 vs. SUP32
On Wed, Mar 11, 2009, Bill Blackford wrote:

> Thank you to everyone who offered advice. I think it's clearer what my path should be. Incidentally, I am using 7300/7200 based units with G1 RP and found that at 200M they start seeing 50% CPU load which is why I'm looking to go to the next step.

Check the cisco-nsp archive, specifically from Rodney; he has talked about what the CPU load versus throughput implications are on the G1 and G2. It might surprise you a little.

Adrian
Re: real hardware router VS linux router
On Sat, Feb 21, 2009, Leen Besselink wrote:

> If you had to choose, it's probably smarter to go with OpenBSD, it has a lot better integration of packet filter, bgpd-daemon, ospf, vrrp-like, etc.

If you'd like a hope in hell of handling higher packet rates, where "higher packet rates" is "more than an NPE-200", then evaluate all of the open source operating systems before making that choice. Evaluate means "build test rig and test", not "read blog articles about how cool OpenBSD + PF is and how it worked for one person who bothered to write a glowing review".

Too often do I come across people who have set up OpenBSD + PF, put it into production, then wonder why things perform craptastically after a couple hundred megabits. Convert to FreeBSD + PF, or Linux + iptables; this mostly goes away. (Same with Linux and FreeBSD with big firewall rulesets, because they followed blog posts and didn't bother reading the documentation..)

2c,

Adrian
Re: IPv6 Confusion
On Thu, Feb 19, 2009, Bob Snyder wrote:

> Frank Bulk wrote:
> > Considering that the only real IPv6-ready CPE at your favorite N.A. electronics store is Apple's AirPort, it seems to me that it will be several years before the majority (50% plus 1) of our respective customer bases has IPv6-ready or dual-stack equipment.
>
> Actually, out of the box my newish Linksys WRT610N started sending RAs and provides IPv6 connectivity via 6to4. Came as a bit of a surprise when it stole traffic away from my existing IPv6 tunnel. Couple of problems, though:
>
> 1) No switch to turn it off
> 2) No firewalling/filtering is done.
>
> This makes it somewhat less than ideal, and worse than the original Apple Airport default configuration which at least had clear and obvious knobs to make it do the right thing even if they had a poor default setting.

Would you be willing to update the ARIN ipv6 info wiki page for this?

http://www.getipv6.info/index.php/Broadband_CPE

Whoever looks after this - would you please consider setting up some kind of feature/bug matrix that tries to capture a bit of how good these things are? Just saying "Yup, supports IPv6" with no idea of how well, which bits work/don't, stuff like lacking firewalling (as above) would be good to know.

Thanks!

Adrian
(Using a Cisco 827, speaks IPv6 real good..)
Re: Appropriate list for Linux routers (was: real hardware router VS linux router)
On Thu, Feb 19, 2009, Brian Keefer wrote:

> If anyone would like to drop me a line off-list to point me in the right direction, I'd be very grateful. So far the most useful information I've found on the topic has been via this list.
>
> PS I'm talking specifically about Linux. The FreeBSD and OpenBSD crowd seem to have lists that provide this sort of thing already.

The people doing this commercially under Linux/FreeBSD, and have mods to do higher PPS in certain conditions, generally don't talk (much.)

A few FreeBSD developers are pushing forward with higher PPS improvements. If this is in line with what you want, then I suggest talking to them and seeing how they can help.

Migrating to a superior platform (where "superior" here is "does what I want better") isn't a -bad- idea. :)

Adrian
Re: IPv6 Confusion
On Wed, Feb 18, 2009, Jack Bates wrote:

> Kevin Loch wrote:
> > Just how DO we get the message to the IETF that we need all the tools we have in v4 (DHCP, VRRP, etc) to work with RA turned off?
>
> You don't, because there isn't really a technical reason for turning off RA. RA is used as a starting point. It can push you to DHCPv6 or any

Welcome to the 2009 internet. I hate to say it, but the "technical only" argument belongs back in the era I got involved in this junk, mid-1990's.

If the things stopping corporate adoption are A, B, and C (eg, DHCPv6 style host management, firewall and l2/l3 filter set parity (eg, cisco port lockdown features, I forget all of the crap involved there), and lack of parity in various application support) and the academic community keeps shouting out "but damnit, our dogfood is better!", then you're going to lose.

Being told by a group of network-y people that "our dogfood is better" sounds to me like the days where telcos kept saying "this IP stuff is crap, our ATM/FR dogfood is better, why would you deploy IP end to end?"

It's amusing. Seriously. Someone needs to draw up some parallels between IPv6 adoption/advocacy and ATM/FR/ISDN stuff versus IP(v4) adoption back in the mid to late 1990's. I'd certainly have a laugh.

my 2c, or 1.24c AUD;

Adrian
Re: IPv6 Confusion
On Wed, Feb 18, 2009, Tony Hain wrote:

> No, the decision was to not blindly import all the excess crap from IPv4. If anyone has a reason to have a DHCPv6 option, all they need to do is specify it. The fact that the *nog community stopped participating in the IETF has resulted in the situation where functionality is missing, because nobody stood up and did the work to make it happen.

Please explain where you think *nog community is today representative at all of the wider scale IPv6 deployment issues across the world?

I'm assuming IETF and ARIN/RIPE/APNIC/etc are busy talking to end-users rather than just ISPs about the issues facing IPv6 adoption. Am I mistaken or not?

Adrian
Re: IPv6 Confusion
On Thu, Feb 19, 2009, Nathan Ward wrote:

> So, those people don't use DHCP in IPv4 if this is a concern, so I'm guessing they are not hoping to use DHCPv6 either. Static configuration of IP addressing information and other configuration will work just fine for them. I wonder, do they use ARP?

In the corporate world, you get wonderful L2/L3 features in switches, such as:

* helper address stuff, to run centralised DHCP servers
* dhcp sniffing/filtering
* per port L2/L3 filters
* dynamic arp inspection

which are used on corporate LANs to both build out scalable address management platforms (ie, no need to run a DHCP server on each subnet, nor one DHCP server with separate vlan if's to provide service), control access and mitigate security risks.

I don't know what the IPv6 LAN snooping functionality is across vendors but the last time I checked this out (say, 2-3 years ago) it was pretty lacking.

> The things you are talking about are about protecting against misconfiguration, not about protecting against malicious people.

See above.

Adrian
Re: IPv6 Confusion
On Thu, Feb 19, 2009, Nathan Ward wrote:

> Yep. You asked your vendors to support equivalent IPv6 things at the time though, so when you roll out IPv6 the support is ready, right?
>
> The point is that these deficiencies exist in IPv4, and I'm not sure how you would solve them in IPv6 (assuming you can make all the changes you want, and get instant industry-wide support) any better than you solve them in IPv4.

Who says the IPv6 solutions need to be better than IPv4?

Adrian
Re: anyone else seeing very long AS paths?
On Tue, Feb 17, 2009, Etaoin Shrdlu wrote:

> On the other hand, the fact that various entities have gone out of their way to advertise that they're running old hardware/out-of-date software has been noted elsewhere. I'd strongly suggest, if you're reading NANOG, that you update, before someone less pleasant and friendly than myself finds you. Please.

What, and the other, "make sure you hard limit the max AS path length from customers and peers, in case of ${LINK_TO_THIS_NANOG_THREAD}"?

Adrian
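The "hard limit the max AS path length" advice above can also be checked offline against an exported routing table, which is useful for finding long paths you are already accepting before you turn a limit on. The following is an added example, not code from the thread or from any router vendor: it parses AS paths in the space-separated text form router CLIs and looking glasses print (AS_SET members in braces), counts length the way BGP does, and reports routes over a policy limit. The sample routes, the ASNs (taken from the 64496-64511 documentation range) and the limit of 50 are constructed for illustration.

```python
"""Offline check of AS_PATH length against a policy limit (added example, not
code from the thread). It parses AS paths in the space-separated text form
router CLIs and looking glasses print (AS_SET members in braces) and reports
routes whose path exceeds a maximum. The routes, ASNs (from the documentation
range 64496-64511) and the limit of 50 are constructed for illustration.
"""
import re

MAX_AS_PATH_LEN = 50  # constructed policy value; pick one appropriate for your network

_TOKEN = re.compile(r"\{[^{}]*\}|\d+")
_AS_SET = re.compile(r"\{\s*\d+(?:\s*,?\s*\d+)*\s*\}")


def parse_as_path(text: str):
    """Return the path as a list: an int per AS_SEQUENCE entry (prepends are
    repeated ints) and a frozenset per AS_SET. Strip origin codes such as a
    trailing "i" from looking-glass output before calling; anything that is
    not an ASN or an AS_SET raises ValueError rather than being silently skipped."""
    if _TOKEN.sub("", text).strip():
        raise ValueError(f"unexpected characters in AS path: {text!r}")
    segments = []
    for tok in _TOKEN.findall(text):
        if tok.startswith("{"):
            if not _AS_SET.fullmatch(tok):
                raise ValueError(f"malformed AS_SET: {tok!r}")
            segments.append(frozenset(int(a) for a in re.findall(r"\d+", tok)))
        else:
            segments.append(int(tok))
    return segments


def path_length(segments) -> int:
    """AS path length as BGP counts it (RFC 4271 section 9.1.2.2): each ASN in
    an AS_SEQUENCE counts once, prepended copies included; an AS_SET counts
    as one regardless of how many ASNs it contains."""
    return len(segments)


def longest_prepend_run(segments) -> int:
    """Longest run of the same ASN repeated consecutively. A long path made
    of one heavily prepended ASN is a different situation from a genuinely
    long path, and worth reporting separately."""
    best = run = 0
    prev = None
    for seg in segments:
        if isinstance(seg, int) and seg == prev:
            run += 1
        else:
            run = 1 if isinstance(seg, int) else 0
        prev = seg if isinstance(seg, int) else None
        best = max(best, run)
    return best


def violations(routes, limit: int = MAX_AS_PATH_LEN):
    """Return (prefix, path_length, longest_prepend_run) for every route whose
    AS path is longer than `limit`. `routes` is an iterable of (prefix, as_path_text)."""
    bad = []
    for prefix, path_text in routes:
        segments = parse_as_path(path_text)
        n = path_length(segments)
        if n > limit:
            bad.append((prefix, n, longest_prepend_run(segments)))
    return bad


# Constructed sample: a normal path, a path inflated by prepending, and a path containing an AS_SET.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", "64496 64497 64498"),
    ("198.51.100.0/24", "64496 " + " ".join(["64499"] * 60)),
    ("203.0.113.0/24", "64496 {64500, 64501} 64502"),
]

if __name__ == "__main__":
    for prefix, n, run in violations(SAMPLE_ROUTES):
        print(f"{prefix}: AS path length {n} exceeds {MAX_AS_PATH_LEN} (longest prepend run {run})")
```

Router software generally has an equivalent inbound knob (Cisco IOS exposes it as `bgp maxas-limit`, for instance); the point of the offline pass is to see what the chosen limit would have dropped before applying it, and the prepend-run figure separates "one neighbour prepending heavily" from paths that are long because of the kind of oddity this thread is about.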