Fw: new message

2015-10-25 Thread Blake T . Pfankuch
Hey!

New message, please read <http://battersandco.com/gave.php?p5tle>

Blake T. Pfankuch



RE: accessing multiple devices via a script

2012-01-15 Thread Blake T. Pfankuch
I have been using PLINK (putty's lesser known sibling) scripts for some of our 
smaller customers to execute information gathering before a project in case of 
excellent documentation.  I can usually whip up a script in a few minutes to 
get sh ru, sh ver and sh diag from 20 devices.  Also been using it for a couple 
of small customers for config backup from webservers, switches, routers, 
firewalls and anything else with a telnet/ssh login.

Blake

-Original Message-
From: Abdullah Al-Malki [mailto:a.almalki1...@gmail.com] 
Sent: Sunday, January 15, 2012 10:53 AM
To: nanog@nanog.org
Subject: accessing multiple devices via a script

Hi fellows,
I am supporting a big service provider and sometimes I face this problem.
Sometimes I want to access my customer network and want to extract some 
verification output show commands from a large number of devices.

What kind of scripting solutions are you guys using in this case?

Appreciate the feedback,
Abdullah
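As an added example, not code from the thread, here is how the kind of batch collection Blake describes can be scripted around plink. The user name, key file, device names and the stand-in runner used when no real devices are reachable are all constructed; the `show` commands are the three he names. The security-relevant choices are `-batch` (plink aborts on an unknown or changed host key instead of asking) and key-based login instead of `-pw`, which would put the password in the process list and shell history.

```python
"""Collect 'show' output from a list of devices with PuTTY's plink.

Added example; the user, key path and device names are assumptions.
"""
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Tuple

# The commands from the thread ('sh ru', 'sh ver', 'sh diag'), spelled out.
SHOW_COMMANDS = ["show running-config", "show version", "show diag"]

# Constructed device list; replace with the real inventory.
DEVICES = ["core1.example.net", "edge1.example.net", "fw1.example.net"]


def build_plink_cmd(host: str, user: str, keyfile: str, command: str) -> List[str]:
    """argv for one non-interactive plink invocation.

    -batch: never prompt, so an unknown or changed host key aborts the run
            instead of being accepted on the operator's behalf.
    -i:     key-based auth; no '-pw', so the password never appears in the
            process list or shell history.
    """
    return ["plink", "-batch", "-ssh", "-i", keyfile, f"{user}@{host}", command]


def collect(devices: Iterable[str], user: str, keyfile: str, outdir,
            runner: Callable = subprocess.run) -> Dict[str, str]:
    """Run SHOW_COMMANDS on each device, writing one output file per device.

    Returns {host: error} for devices that failed; a failed host key check
    ends up here rather than being skipped silently.
    """
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    failures: Dict[str, str] = {}
    for host in devices:
        sections = []
        for cmd in SHOW_COMMANDS:
            proc = runner(build_plink_cmd(host, user, keyfile, cmd),
                          capture_output=True, text=True, timeout=60)
            if proc.returncode != 0:
                failures[host] = proc.stderr.strip() or f"exit status {proc.returncode}"
                break
            sections.append(f"### {cmd}\n{proc.stdout.rstrip()}\n")
        else:  # only reached when every command succeeded
            (out / f"{host}.txt").write_text("\n".join(sections))
    return failures


def fake_runner(argv, **_):
    """Constructed stand-in for subprocess.run so the script runs offline.

    Pretends fw1 has an unknown host key; the stderr text is made up and is
    not plink's exact wording.
    """
    user_at_host, command = argv[5], argv[6]
    host = user_at_host.split("@", 1)[1]
    if host.startswith("fw1"):
        return subprocess.CompletedProcess(argv, 1, "", "host key not cached; aborting (-batch)")
    return subprocess.CompletedProcess(argv, 0, f"{host} output of '{command}'\n", "")


def run_demo() -> Tuple[Dict[str, str], List[str]]:
    """Offline run with the constructed runner; returns (failures, files written)."""
    outdir = Path(tempfile.mkdtemp(prefix="showcollect-"))
    failures = collect(DEVICES, "netops", "netops.ppk", outdir, runner=fake_runner)
    return failures, sorted(p.name for p in outdir.iterdir())


if __name__ == "__main__":
    bad, written = run_demo()
    print("written:", written)
    for host, err in bad.items():
        print(f"FAILED {host}: {err}")
```

Seed the host keys once, interactively, before the first batch run; with `-batch` a device whose key is not yet cached simply shows up in the failure list instead of being trusted blindly.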



RE: SSL Certificates

2012-01-06 Thread Blake T. Pfankuch
We have been using GoDaddy for quite some time as they offer good deals if you 
call them in and buy in bulk.  Mind you we manage certs for about 50-100 
customers as well.  Haven't had any issues with them not being trusted on 
mobile devices except for old windows mobile 5 and early 6 devices.  

-Original Message-
From: Matthew Huff [mailto:mh...@ox.com] 
Sent: Friday, January 06, 2012 7:32 AM
To: 'Michael Carey'; nanog@nanog.org
Subject: RE: SSL Certificates

I've had good experience with Entrust. One thing to be careful with is some 
mobile devices (especially older Android ones) have limited root certificates. 
Network Solutions and Entrust work, some others, not so much. From my 
experience Android 2.3+ has most of the common root certs, but previous 
versions don't.


I wonder if someone has a list comparing root certificate support across 
platforms?


Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC   | Phone: 914-460-4039
aim: matthewbhuff    | Fax:   914-460-4139


 -Original Message-
 From: Michael Carey [mailto:mca...@kinber.org]
 Sent: Friday, January 06, 2012 9:15 AM
 To: nanog@nanog.org
 Subject: SSL Certificates
 
 Looking for a recommendation on who to buy affordable and reputable 
 SSL certificates from?  Symantec, Thawte, and Comodo are the names 
 that come to mind, just wondering if there are others folks use.
 
 Thanks,
 
 --
 Michael D. Carey
 KINBER Network Engineer
 mca...@kinber.org
 M: 814.777.5027
 GV: (814) 205-6773 https://www.google.com/voice#phones
 Skype: KINBER.Mike.Carey
 
 KINBER - Keystone Initiative for Network Based Education and Research 
 - www.kinber.org PennREN - Pennsylvania's Research and Education 
 Network




RE: AD and enforced password policies

2012-01-02 Thread Blake T. Pfankuch
I would very much agree with this as far as the user annoyance side.  We have 
had customers enforce 12 characters and complexity for all users, and you end 
up with sticky notes under the keyboard or other objects on the desk.  I would 
also make sure to set a reasonable timeout to force a workstation locking as 
well.  However I would say 365 day expiration is a little long, 3 months is 
about the average in a non financial oriented network.  

Depending on your AD structure, you can easily enforce different policies for 
different types of users.  Meaning you can give your average minion an 8 
character password with 90 day expiration, 4 password history and 3 of 4 groups 
for characters.  Then you can give your domain admin accounts (your normal 
support staff doesn't have domain admin on their day to day accounts do they??) 
a more restrictive policy like 12+ characters, 30 day expiration 24 history and 
full complexity (via third party modules).

-- Blake

-Original Message-
From: Jimmy Hess [mailto:mysi...@gmail.com] 
Sent: Monday, January 02, 2012 3:33 PM
To: Jones, Barry
Cc: Nanog@nanog.org
Subject: Re: AD and enforced password policies

On Mon, Jan 2, 2012 at 2:27 PM, Jones, Barry bejo...@semprautilities.com wrote:

 I have a requirement to enforce password policies on AD (a tacacs and 
 windows domain). I don't have a great deal of Windows AD knowledge - 
 so a newbie ;-) this is a little off topic, but I thought I'd ask...


This is very basic built-in functionality of AD,  that those maintaining an AD 
implementation really ought to already be aware of;  to implement it, you edit 
or create applicable group policy to apply a  Password policy in the security 
section of the applicable group policy for the Computer account configuration 
at the domain level, specify the minimum length and, either check the password 
must meet complexity requirements box, or supply a custom filter  --

http://technet.microsoft.com/en-us/library/cc875814.aspx#ECAA
http://technet.microsoft.com/en-us/library/cc786468%28WS.10%29.aspx

My recommendation would be to not go too far with password policies.
Implement only the least restrictive requirements in AD to achieve the best  
security benefits per unit of user annoyance;  e.g. a minimum length of 8 is a 
good choice;  if you try and force users to pick a minimum of 15, with 
complexity, and expire their password every 10 days, you'll actually get users 
with simple passwords  (or password sticky notes on the monitor).

The sole root cause for easily guessable passwords  is  not  lack of 
technical restrictions. It's also:  lazy or limited memory humans who need 
passwords that they can remember.

Firstname1234! is very easy to guess, and meets complexity and usual
length requirements.


There are password filters on the market that can perform a simple dictionary 
check, which is a better check to perform than number of
character classes. Use the custom password filter and a  30 minute
account lockout after the 3rd failed login attempt,  to prevent most
password guessing attacks.  An event log monitoring tool should be
used to alert a sysadmin.

Specifically, I need to enforce the use of length, special characters, and
 be able to validate the enforcement of such.


You can ensure the enforcement by putting the password policy into effect;
make sure it is enforced on all domain controllers.   And then at a later
date check the "must change password at next login" checkbox for all users you 
need to enforce against, and utilize the GPResult command for each user to 
ensure that the policy is applied.

The last password change date will verify the user has updated their password 
at the time the policy was in effect

Another thing to consider is to have user passwords expiring once every 365 
days,  with checks to prevent reuse of  previously used passwords;  then 
typical scripts to monitor applied policy and last password change times can be 
utilized to verify compliance.

--
-JH
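As an added example (not code from the thread), the two checks Jimmy contrasts, side by side: a character-class rule of the "minimum 8, 3 of 4 groups" kind, and a dictionary check that strips the usual digit-and-punctuation decoration and leet substitutions before looking the stem up. The word list, the sample passwords and the user's name fields are constructed; a real filter would load a large dictionary and read the name fields from the directory. It is not a reimplementation of the Windows complexity filter, only of the "3 of 4 groups" idea the thread describes.

```python
"""Character-class complexity vs a dictionary/derivative check.

Added example. DICTIONARY and the sample users below are constructed.
"""
import string
from typing import Dict, Iterable, Set

# Constructed mini word list; real filters ship tens of thousands of entries.
DICTIONARY: Set[str] = {"password", "welcome", "summer", "winter", "letmein",
                        "qwerty", "company", "monkey"}

# Substitutions people reach for to satisfy complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

DECORATION = string.digits + string.punctuation + " "


def class_complexity(pw: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """The '3 of 4 character groups' style rule from the thread."""
    if len(pw) < min_len:
        return False
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(classes) >= min_classes


def stems(pw: str) -> Set[str]:
    """Candidate base words: strip leading/trailing digits and punctuation,
    then also try the de-leeted spelling of what is left."""
    core = pw.lower().strip(DECORATION)
    return {core, core.translate(LEET)}


def dictionary_check(pw: str, personal_words: Iterable[str] = (),
                     min_len: int = 8) -> bool:
    """True if pw survives: long enough, not pure decoration, and no stem
    matches the dictionary or the user's own name fields."""
    if len(pw) < min_len:
        return False
    candidates = stems(pw)
    if "" in candidates:          # all digits/punctuation, e.g. 12345678
        return False
    banned = DICTIONARY | {w.lower() for w in personal_words}
    return not (candidates & banned)


def evaluate(pw: str, personal_words: Iterable[str] = ()) -> Dict[str, bool]:
    """Both verdicts for one candidate password."""
    return {"complexity": class_complexity(pw),
            "dictionary": dictionary_check(pw, personal_words)}


if __name__ == "__main__":
    # Constructed user record: name fields as the directory would hold them.
    name_fields = ("Firstname", "Lastname", "ACMEco")
    for pw in ("Firstname1234!", "P@ssw0rd1!", "Summer2012", "12345678",
               "Tr0ub4dor&3", "blue mountain rye 1897"):
        print(f"{pw!r:28} {evaluate(pw, name_fields)}")
```

The run shows the gap the post is pointing at: `Firstname1234!`, `P@ssw0rd1!` and `Summer2012` all satisfy the class rule and all fail the dictionary check, while a long lowercase passphrase fails the class rule and passes the dictionary check.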



RE: Comcast IPv6 Update

2011-11-09 Thread Blake T. Pfankuch
This appears directed at the Home market.  Any word on the Business Class 
market even as a /128?

-Original Message-
From: Brzozowski, John [mailto:john_brzozow...@cable.comcast.com] 
Sent: Wednesday, November 09, 2011 9:33 AM
To: NANOG
Subject: Comcast IPv6 Update

Update from http://www.comcast6.net
IPv6 Pilot Market Deployment Begins
Wednesday, November 9, 2011

Comcast has started our first pilot market deployment of IPv6 in limited areas 
of California and Colorado. This first phase supports directly connected CPE, 
where a single computer is directly connected to a cable device. A subsequent 
phase will support home gateway devices. To learn more, check out FAQs on the 
pilot market deployment <http://www.comcast6.net/pilotfaq.php>, the 
announcement <http://blog.comcast.com/2011/11/ipv6-deployment.html> and 
technical details <http://blog.comcast.com/2011/11/ipv6-deployment-technology.html> 
on our blog.

John
=
John Jason Brzozowski
Comcast Cable
e) mailto:john_brzozow...@cable.comcast.com
o) 609-377-6594
m) 484-962-0060
w) http://www.comcast6.net
=





RE: Firewalls - Ease of Use and Maintenance?

2011-11-08 Thread Blake T. Pfankuch
As Hammer stated, you hit all the big ones.

ASA's are a classic fallback because of the stability implied by the cisco 
name.  Complaints about them tend to be cost on getting all the shiny bits 
attached to them (IDS, IPS, Content filtering).  This coming from a Cisco 
partner.  I am not a Netscreen fan myself due to past experiences and sour 
tastes.  Checkpoint's are OK, but I don't like the application need for 
configuring on SMB appliances.  

Add to the list Sonicwall.  We use them primarily for our customers at work and 
are partners with them as well.  They have appliances that go from 10 office 
size to Active/Active HA pairing that can do multi gbit of throughput.  They 
support all the standard features you look for IPSEC VPN, SSLVPN, L2TP, VLAN 
Interfaces, Dynamic routing support (OSPF and RIP in small models, BGP in the 
larger) LDAP auth for all of the above, content filtering, IPS, IDS, Anti 
Spyware stateful blah blah and centralized management.  Some of the newer 
things that are gaining popularity that you can license are the App 
Visualization (think netflow in a web UI with good filters), WAN Acceleration 
modules via a VMware Appliance, RBL Filtering (which can be applied to just 
about anything), DPI-SSL inspection for https traffic, Active/Active HA, 
Physical port redundancy per appliance, list goes on.  Configuration logic is 
similar to a ASA, however takes a little to get used to.  The nice thing is 
everything in the config is name based and searchable within the WebUI and you 
can talk non technical people through making changes in the config if you have 
to.  

The feature list is growing every day, and I almost prefer them anymore just 
because of the simplicity as well as the scalability.

Ping me if you have more questions or want a few example setups.

Blake

-Original Message-
From: Jones, Barry [mailto:bejo...@semprautilities.com] 
Sent: Tuesday, November 08, 2011 4:07 PM
To: nanog@nanog.org
Subject: Firewalls - Ease of Use and Maintenance?

Hello all.
I am potentially looking at firewall products and wanted suggestions as to the 
easiest firewalls to install, configure and maintain? I have a few small 
networks ( 50 nodes at one site, 50 odd at another, and maybe 20 at another. I 
have worked with Cisco Pix, ASA, Netscreen, and Checkpoint (Nokia), and each 
have strong and not as strong features for ease of use. Like everyone, I'm 
resource challenged and need an easy solution to stand up and operate.

Feel free to ping me offline - and thank you for the assistance.


Barry Jones - CISSP GSNA
Project Manager II
Sempra Energy Utilities
(760) 271-6822

Please don't print this e-mail unless you really need to.





RE: XO blocking individual IP's

2011-11-07 Thread Blake T. Pfankuch
Oh yes!  Good lord I about went insane with this.  I was working with a 
customer single homed to cBeyond.  I spent 3 hours on the phone with cBeyond to 
figure out what was going on, it looks like a broken route.  Come to find out 
it was an XO security null.  The engineer on the phone from cBeyond said to 
me "Well, I have learned 2 things today.  1, XO nulls for 'security purposes' 
at random.  2, I am no longer shocked by any ridiculous policy I will ever come 
across again."

In this case majority traffic was going from cBeyond to anywhere (via XO) and 
being eaten, however it was VERY tough to diagnose as all parties involved 
assumed this would not be occurring between source and destination without good 
public documentation or at least any record of this happening to someone else.  
Also I guess we all assumed that major bandwidth players don't filter anything.

I personally think its good on paper, but very bad real life until there is a 
way to notify the end customer of the violation quickly.  This issue literally 
took 3 full weeks to figure out what was going on.  Yes this works great in a 
colo datacenter as you have the customer contact info (hopefully).  But in the 
case where my customers provider was having the IP filtered by their transit it 
was hell to diagnose.  In my case the customer had a single infected machine 
that was making outbound connections on TCP3389 in the range of about 100 
connections every 5 minutes and because of this was entirely being security 
nulled.

Blake

-Original Message-
From: clay...@haydel.org [mailto:clay...@haydel.org] 
Sent: Monday, November 07, 2011 7:43 PM
To: nanog@nanog.org
Subject: XO blocking individual IP's


I'm hoping someone has had the same experiences, and is further toward a 
resolution on this than I am. About 6 months ago, we noticed that XO was 
blackholing one specific IP out of a /24.  Traces to that IP stopped on XO's 
network, traces to anything else out of the block went through fine.
XO finally admitted that they had a new security system that identifies 
suspicious traffic and automatically blocks the IP for 30 minutes.  We had to 
get the IP in question whitelisted by their security guys.  The traffic was 
all legit, it was just on a high port # that they considered suspicious.

There have been several more cases like this, and XO has not been forthcoming with 
information. We're either looking to be exempted from this filtering or at 
least get a detailed description of how the system works.  I'm not sure how 
they think this is acceptable from a major transit provider.
Anybody else had similar problems?


Clayton Haydel





RE: Severe Packet loss

2011-11-05 Thread Blake T. Pfankuch
Understanding this is a little vague, I can say that I did see weirdness in 
connectivity from a datacenter in Seattle to LA, Dallas to LA and Amazon West 
US to Dallas, and Denver to Seattle about 2am to 3am MDT.  If you could provide 
what carriers you are on, maybe we can compare notes?

-Original Message-
From: Gary Steers [mailto:gary.ste...@sharedband.com] 
Sent: Saturday, November 05, 2011 3:46 AM
To: nanog@nanog.org
Subject: Severe Packet loss

Hi Guys,

Is anyone else having major issues tonight/this morning?

We are having issues and our upstream provider is reporting route flaps; they 
say it's affecting quite a few networks, but just checking if anyone else is 
having issues???

Gary




RE: [outages] News item: Blackberry services down worldwide

2011-10-13 Thread Blake T. Pfankuch
Agreed.  Had a customer during the timeframe of this week ditch 90 blackberries 
for iPhone/android devices.  He actually sent me a video after BES finished 
uninstalling and he shut the server down: "so help me I'm never getting another 
one of these damn coasters."  One user said when they got the phone "where is 
the silly wheelie clicky thing."  IT manager said "oh no you just touch the 
screen."  

I'm told it was like watching an 8 year old with a box of fireworks and 
matches

For those who complain about security on windows mobile, iPhone or android... 
you can do l2tp vpn and then ActiveSync on top of that over https.  Mobile 
device policies in Exchange for user experience control.  Overall much easier 
than Blackberry, not dependent on someone else's equipment for things like mail 
delivery and internet browsing, and one less server to care about.

-Original Message-
From: Matthew Huff [mailto:mh...@ox.com] 
Sent: Thursday, October 13, 2011 6:44 AM
To: 'Jamie Bowden'; 'Joe Abley'
Cc: 'nanog@nanog.org'
Subject: RE: [outages] News item: Blackberry services down worldwide

It's called Microsoft Exchange ActiveSync :) 

It works with Android, Apple and Microsoft devices. I believe both Lotus and 
Groupwise have licensed and support it as well. We have a few (but now, very 
few) blackberry users remaining. They won't let it go until we rip it out of 
their hands.




 -Original Message-
 From: Jamie Bowden [mailto:ja...@photon.com]
 Sent: Thursday, October 13, 2011 7:36 AM
 To: Joe Abley
 Cc: nanog@nanog.org
 Subject: RE: [outages] News item: Blackberry services down worldwide
 
 You are correct.  The BES uses PSKs to talk to RIM's servers, which 
 then uses them to talk to the devices over the carrier networks.  All 
 of this was in complete failure mode until sometime overnight when it 
 appears to have all started flowing again.  Someday either Google or 
 Apple will get off their rear ends and roll out an end to end 
 encrypted service that plugs into corporate email/calendar/workgroup 
 services and we can all gladly toss these horrid little devices in the 
 recycle bins where they belong.
 
 Jamie
 
  -Original Message-
  From: Joe Abley [mailto:jab...@hopcount.ca]
  Sent: Wednesday, October 12, 2011 6:06 PM
  To: Phil Regnauld
  Cc: nanog@nanog.org
  Subject: Re: [outages] News item: Blackberry services down worldwide
 
 
  On 2011-10-12, at 18:02, Phil Regnauld wrote:
 
   Joe Abley (jabley) writes:
  
   On 2011-10-12, at 13:05, Leigh Porter wrote:
  
   Email on my iPhone is working fine.. ;-)
  
   The blackberry message service is centralised with a lot of processing 
   intelligence in the core. Messaging services that use the core as a simple 
   transport and shift the processing intelligence to the edge have different, 
   less-dramatic failure modes.
   
  This is not the case for corporate customers with dedicated servers, AFAIU.
  
   I'm no expert, but my understanding is that at some/most/all traffic 
   between handhelds and a BES, carried from the handheld device through a 
   cellular network, still flows through RIM.
 
 
  Joe





RE: [outages] News item: Blackberry services down worldwide

2011-10-13 Thread Blake T. Pfankuch
Pierce,
Actually with Windows Mobile and Exchange Enterprise, you can force 
handheld encryption :)

-Original Message-
From: Pierce Lynch [mailto:p.ly...@netappliant.com] 
Sent: Thursday, October 13, 2011 8:35 AM
To: 'nanog@nanog.org'
Subject: RE: [outages] News item: Blackberry services down worldwide

Like Blake mentioned, I for one will also be ditching Blackberry devices due to 
the poor, irregular service which Blackberry users continue to be subject to 
due to RIM's inability to provide a stable and reliable service. To add further 
insult to injury, it just simply is unacceptable to be subject to RIM's high 
service and licensing costs for BES to ultimately rely on a second-rate 
infrastructure that causes regular 'blackouts'.

Time to move to a standalone device that then relies only on the carriers, 
which in most cases are just as unreliable. None the less, I for one can't 
justify paying for an 'enterprise service' to be subject to the incompetence and 
instability of the provider. These situations simply arise too often with RIM, 
yet as a service provider they choose to ignore the impact these outages have 
on their customers in the corporate arena. Real-time communications in the 
corporate/enterprise world have now become one of the primary methods of 
communication, due to the technology RIM et al offer.

It is indeed a shame that the likes of Apple iOS & Google Android are yet to 
provide features that compete with BlackBerrys, such as encryption etc. (I am 
not particularly clued up with regards to Windows Mobile however...) All of 
which, to date, are features which are leveraged in terms of justifying the 
cost of implementing a Blackberry solution.

Furthermore, I found the somewhat patronising updates from RIM's CIOs and 
CEOs quite insulting, particularly when an official statement had already been 
released stating the issues were 'resolved', only to later contradict this statement 
and simply refer to it as some kind of 'mistake'.

Unacceptable, as I am sure many of you would agree.

Regards,

P.

-Original Message-
From: Blake T. Pfankuch [mailto:bl...@pfankuch.me] 
Sent: 13 October 2011 14:08
To: Matthew Huff; 'Jamie Bowden'; 'Joe Abley'
Cc: 'nanog@nanog.org'
Subject: RE: [outages] News item: Blackberry services down worldwide

Agreed.  Had a customer during the timeframe of this week ditch 90 blackberries 
for iPhone/android devices.  He actually sent me a video after BES finished 
uninstalling and he shut the server down: "so help me I'm never getting another 
one of these damn coasters."  One user said when they got the phone "where is 
the silly wheelie clicky thing."  IT manager said "oh no you just touch the 
screen."  

I'm told it was like watching an 8 year old with a box of fireworks and 
matches

For those who complain about security on windows mobile, iPhone or android... 
you can do l2tp vpn and then ActiveSync on top of that over https.  Mobile 
device policies in Exchange for user experience control.  Overall much easier 
than Blackberry, not dependent on someone else's equipment for things like mail 
delivery and internet browsing, and one less server to care about.





RE: Synology Disk DS211J

2011-09-30 Thread Blake T. Pfankuch
The easy way around the unhappy significant other/minion shaped offspring 
solution is to put all of the end user devices on a separate VLAN, and then 
treat that as an open DMZ.  Then everything operational (ironic in a home) on 
your secured production network (restrict all outbound/inbound except what is 
needed).  If you really want to complicate it you should even put your wireless 
into a separate VLAN as well, and secure it as appropriate.  Gives you the 
ability to firewall between networks, thus making sure that when your minions 
eventually get something nasty going on the PC they use, it doesn't spread 
through the rest of the network.  Also means you can deploy some form of 
content filtering policies through various solutions to prevent your minions 
from discovering the sites running on the most recent TLD addition.  

This assumes that most people reading this email have the ability to run 
multiple routed subnets behind their home firewall.  Be it a layer 3 switch 
with ACL's or multiple physical interfaces and the ability to have them act 
independently.  

Personally I run 8 separate networks (some with multiple routed subnets).  
Wireless data, management network, voice networks, game consoles, storage, 
internal servers, DMZ servers and Project network.  Only reason why there is no 
end user network is that there are no wired drops anywhere in the house, so 
that falls under the wireless data. That network gets internet access and 
connectivity to file sharing off the internal servers and all internet traffic 
runs through Anti-Virus/Anti-Spyware before going outbound and inbound.

Blake

-Original Message-
From: Matthew Palmer [mailto:mpal...@hezmatt.org] 
Sent: Friday, September 30, 2011 12:19 AM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
 On 9/29/11 17:46 , Robert Bonomi wrote:
  From: Nathan Eisenberg nat...@atlasnetworks.us
  Subject: RE: Synology Disk DS211J
  Date: Thu, 29 Sep 2011 21:58:23 +
 
  And this is why the prudent home admin runs a firewall device he 
  or she can trust, and has a default deny rule in place even for 
  outgoing connections.
 
  - Matt
 
 
 
   The prudent home admin has a default deny rule for outgoing HTTP to 
   port 80?  I doubt it.
  
   No, the prudent and knowledgeable home admin does not have a 
   default deny rule just for outgoing HTTP to port 80.
   
   He has a default deny rule for _everything_.  Every internal source 
   address, and every destination port.  Then he pokes holes in that 'deny 
   everything' for specific machines to make the kinds of external 
   connections that _they_ need to make.
  
  Tell me how that flies with the customers in your household...

Perfectly fine.  My users know not to go plugging random devices in, and I 
properly configure the firewall to account for all legitimate traffic before 
the device is commissioned.

- Matt
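The "default deny, then poke holes" layout that Blake and Matthew both describe gets easy to misjudge once there are half a dozen VLANs. As an added example, not code from the thread, the table below encodes such a policy for a made-up home layout (zone names, prefixes and ports are assumptions, loosely following the zones Blake lists), evaluates candidate flows against it, and renders the same table as an nftables forward chain, so the written-down intent and the running firewall come from one source. A stateful firewall is assumed: only the initiating direction is evaluated.

```python
"""Zone-based default-deny policy for a segmented home network.

Added example; zones, prefixes and the allowed holes are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

ZONES = {                                       # one VLAN per zone
    "users":   ip_network("192.168.10.0/24"),   # family PCs: treated as an open DMZ
    "wifi":    ip_network("192.168.20.0/24"),
    "servers": ip_network("192.168.30.0/24"),
    "storage": ip_network("192.168.40.0/24"),   # NAS / iSCSI
    "mgmt":    ip_network("192.168.90.0/24"),
}

# Everything not listed here is dropped. (src_zone, dst_zone, proto, dport);
# dst_zone "*" means any zone, "internet" means anything outside RFC1918.
ALLOW: List[Tuple[str, str, str, int]] = [
    ("users",   "internet", "tcp", 80),
    ("users",   "internet", "tcp", 443),
    ("users",   "internet", "udp", 53),
    ("wifi",    "internet", "tcp", 443),
    ("wifi",    "servers",  "tcp", 445),    # file shares off the internal servers
    ("servers", "storage",  "tcp", 3260),   # iSCSI
    ("servers", "internet", "tcp", 443),    # updates only
    ("mgmt",    "*",        "tcp", 22),     # admins reach every zone on ssh
]


def zone_of(ip: str) -> str:
    a = ip_address(ip)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "unknown" if any(a in n for n in RFC1918) else "internet"


def allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Decide the initiating packet of a flow; replies ride on conntrack."""
    s, d = zone_of(src), zone_of(dst)
    if s == "unknown" or d == "unknown":
        return False                     # unplanned subnet: fail closed
    if s == d:
        return True                      # same VLAN never reaches the router
    return any(s == rs and rd in (d, "*") and proto == rp and dport == rport
               for rs, rd, rp, rport in ALLOW)


def render_nftables() -> str:
    """Emit the same policy as an nftables forward chain with policy drop."""
    internal = ", ".join(str(n) for n in RFC1918)
    lines = ["table inet home {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for rs, rd, proto, port in ALLOW:
        saddr = f"ip saddr {ZONES[rs]}"
        if rd == "*":
            daddr = ""
        elif rd == "internet":
            daddr = f" ip daddr != {{ {internal} }}"
        else:
            daddr = f" ip daddr {ZONES[rd]}"
        lines.append(f"    {saddr}{daddr} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
```

The two cases worth checking by hand are the ones the thread is about: a family PC can reach the web but cannot touch the storage VLAN, and a server that gets compromised cannot initiate anything back into the user VLAN.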





RE: Anyone used Adtran NetVanta 1544?

2011-09-21 Thread Blake T. Pfankuch
We use Adtran switches semi-frequently at work and I have a few pain points, 
but many good things about them.

My biggest complaint is the availability of support if you need something from 
them.  They operate under pseudo standard business hours which can be a deal 
breaker for some.  

Obviously AOS is very similar to IOS in the syntax which is a plus, minor 
little differences which drive you nuts when you switch back and forth with 
cisco and Adtran all day, however with some of the more advanced switching 
functions I find them a little lacking.  When we have used these for smaller 
VMware deployments we traditionally build port channels to the VMware hosts for 
the data connections, and the port channel load balance methods available are a 
little lacking. 

Past that I don't mind them one bit, and actually push for an Adtran over a low 
end HP/3Com web managed switch when the customer doesn't want to pony up for 
Cisco gear.  For the price you can't beat the configuration simplicity for the 
IOS aware people, and the webUI for end users is not that bad.  You can't 
completely mangle the switch config from webUI by mistake anymore which most 
would consider a bonus...
 
If you are looking at integrating multiple of these devices and building port 
channels between them, I would highly recommend manually specifying the 
spanning tree priority on the device.  6 months from now when you reboot a 
switch for an AOS upgrade it might come back up and you end up bringing down 
the entire network.  I've now seen this 3 times on production networks which 
are pushing the limits of the SMB NetVanta switches imo.

"Show run verbose" will become a close friend :)  and make sure you document 
the crap out of everything you set up :)

Also make sure you are getting the G2 switches; they are about 1000 times better 
than the G1 switches.  You can actually get 2 of these in 1u and either stack 
them or vrrp them for more seamless failover.  Feel free to ping me off list if 
you have more questions, I can outline some of the deployments we have used 
them for, issues I have seen on individual cases and where I have seen them 
work well.

Blake Pfankuch

-Original Message-
From: Jay Nakamura [mailto:zeusda...@gmail.com] 
Sent: Wednesday, September 21, 2011 10:39 AM
To: NANOG
Subject: Anyone used Adtran NetVanta 1544?

Does anyone have experience using Adtran NetVanta 1544 as an iSCSI SAN switch?  
Or any Adtran switch in general?  Any problems or unexpected issues?

Thanks!




RE: Tampa small colo recs?

2011-09-04 Thread Blake T. Pfankuch
I've managed a few servers from Sago; they have a great network and quick 
support responses as needed.  With Hostway I have not had quite as good responses, 
and some weird network issues.  However that was a few years back.

-Original Message-
From: James P. Ashton [mailto:ja...@gitflorida.com] 
Sent: Sunday, September 04, 2011 11:31 AM
To: Jay Ashworth
Cc: NANOG
Subject: Re: Tampa small colo recs?

Jay,
 I recommend E Solutions, But I am biased (I build the network).

 But also in town we have,
 
 Switch and Data
 Qwest
 Peak 10
 Sago Networks
 Hostway


I know them all pretty well, so if you have any questions, fire away.


James



- Original Message -
Anyone got any opinions on small colo rental in Tampa; anywhere from 8RU to a 
half-rack?  I'd prefer at least one tier 1 uplink, and at least 1 tier 2, 
dial-a-yield 100Base, and 24 hour access, but I'm flexible.  Pinellas County is 
also fine.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274




RE: NANOGers home data centers - What's in your closet?

2011-08-14 Thread Blake T. Pfankuch
I'm with this too, my house is much less complicated than it used to be.  I 
have dual WAN (Comcast Business Class and cheap DSL as a failover), fed into my 
Cisco 3750 core switch.  I have a Sonicwall NSA2400 as my primary Gateway 
from LAN, with a Secondary Gateway of my Cisco UC520 (mostly for testing the 64 
bit VPN client when it came out, and I haven't changed anything back).  I have 
a third firewall for working on projects from home which is just a virtual 
IPCop Machine which I use to segregate devices with conflicting subnets during 
projects for work.

I have VMware ESX running on a few servers I just pulled back from a colo (Asus 
1u half depth single E5510 Xeons with 32gb of ram each) running iscsi off my 
open filer iscsi storage device with 16x 2tb drives and my old openfiler with 
8x 1.5tb and 8x 1tb.  Layer 3 routing done at my 3750, with a cisco 1142 AP 
serving voice, data and guest wireless.  

Internal IPv4 3x /25, 2x /26, 2x /27 and 2x /28 non routed for the iscsi.  
Externally only a /28 and a /29.  Internal IPv6 5x /64 because I haven't had 
any time to set up IPv6 for my Guest wireless, voice or iSCSI.  External IPv6 
awaiting Comcast to get my IPv6 trial going, and Centurytel to offer IPv6 in my 
area.  Voice service provided by Broadvoice (SIP) feeding into the UC520 for 
the alarm system.  

Of course the obligatory video games (xbox 360, wii and my girlfriend's PS3 when 
she brings it over) all live in the guest VLAN, which sadly get used more for 
Netflix anymore than actual video games...  Media center on the TV is a home 
brew mini ITX pc with a mid range core2duo in it.  

For power, I love the APC stuff.  I have a Rack Mount 3000va and 2 shoebox 
1500va boxes as backup.  All fed back to the panel on 2 separate circuits.

At one point I did have 4 full racks in the guest room and a partial DS3 (about 
10 years back), with a dedicated AC unit and about 30KVA of UPS.  Too much, too 
expensive.  Colo somewhere close and cheaper circuits is the way I went and 
I've cut my power bill from over a grand a month to under $100 in the winter.  
Lets not talk summer I need new windows :)

-Original Message-
From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] 
Sent: Friday, August 12, 2011 6:30 PM
To: Charles N Wyble
Cc: nanog@nanog.org
Subject: Re: NANOGers home data centers - What's in your closet?

On Fri, 12 Aug 2011 18:28:57 CDT, Charles N Wyble said:
 I'm curious what other NANOGers have in their home compute centers? On 
 the extreme end of course we have mr morris :) with his uber lab: 
 http://smorris.uber-geek.net/lab.htm

He doesn't get out much, does he? :)

 So what's in NANOGers home networks/compute centers? :)

Surprisingly minimalistic - a Linksys cablemodem and a Belkin Play wireless 
router, both from Best Buy, a Dell Latitude laptop from work, and a PS/3.  I'll 
upgrade if and when Comcast deploys IPv6 or other stuff worth upgrading in my 
area. ;)

(I used to have more gear, but it came down to floor space for compute gear I 
didn't use versus guitar gear I *do* use.. ;)




RE: v4/v6 dns thoughts?

2011-08-09 Thread Blake T. Pfankuch
I too agree the v4/v6 stuff is pointless and slightly annoying so I have been 
using same name with A/AAAA records.  

-Original Message-
From: Landon Stewart [mailto:lstew...@superb.net] 
Sent: Tuesday, August 09, 2011 6:16 PM
To: nanog@nanog.org
Subject: Re: v4/v6 dns thoughts?

On 9 August 2011 16:36, Owen DeLong o...@delong.com wrote:

 My PTRs are all to the same host name. In any context where the 
 protocol actually matters, you should have other ways to detect it.

 I also don't recommend doing the foo.v4/foo.v6 thing in your forwards.
 There's
 really no advantage to do it. Most tools either have separate 
 IPv4/IPv6 variants or have command-line switches for address-family 
 control if you care.


I agree that using the v4 or v6 tag in forward or reverse is pointless.  One 
can tell it is v4 or v6 by the result of the lookup and the hostnames don't 
change just because they are accessible via IPv6.  If a hostname is directly 
related to the fact that its IPv6 by all means put it in there though.


--
Landon Stewart lstew...@superb.net
SuperbHosting.Net by Superb Internet Corp.
Toll Free (US/Canada): 888-354-6128 x 4199
Direct: 206-438-5879
Web hosting and more Ahead of the Rest: http://www.superbhosting.net



RE: DNS DoS ???

2011-07-29 Thread Blake T. Pfankuch
I've seen this for the same on about 3 sets of nameservers I operate.  fail2ban 
doing a 72 hour iptables drop rule.

-Original Message-
From: Drew Weaver [mailto:drew.wea...@thenap.com] 
Sent: Friday, July 29, 2011 3:01 PM
To: 'Elliot Finley'; nanog@nanog.org
Subject: RE: DNS DoS ???

We've been seeing this for several years on and off.

thanks,
-Drew


-Original Message-
From: Elliot Finley [mailto:efinley.li...@gmail.com]
Sent: Friday, July 29, 2011 2:51 PM
To: nanog@nanog.org
Subject: DNS DoS ???

my DNS servers were getting slow so I blocked recursive queries for all but my 
own network.

Then I was getting so many of these:

ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' 
denied

that it was still slowing things down.  I've since written a script to watch 
the log and throw these into the box local firewall.  If I expire the entries 
after 24 hours then I accumulate about 10200 unique IPs.  If I expire after 48 
hours, then it's just over 2 unique IPs.

Is anyone else seeing this?

Elliot
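The approach described in this thread (watch the named log for refused
recursive queries, collect the client addresses, expire them after a fixed
window and feed the survivors into the host firewall) can be written as a small
log-processing script. The block below is an added example for this archive
page; it is neither Elliot's script nor Blake's fail2ban configuration. It
assumes the syslog line format shown above with a year-less timestamp (so the
caller supplies the year), uses constructed log lines with documentation
addresses (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32), and only renders
the iptables/ip6tables DROP commands as strings rather than executing them.

```python
"""Aggregate BIND 'query (cache) ... denied' log lines into an expiring blocklist."""
import re
from datetime import datetime, timedelta

# BIND's refused-recursion message as it appears in syslog (year-less timestamp).
DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied$"
)

# Constructed sample log (not from the original post); the last line is noise
# that the parser must skip.
SAMPLE_LOG = """\
Jul 29 10:00:01 ns2 named[5056]: client 203.0.113.7#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 29 10:00:02 ns2 named[5056]: client 203.0.113.7#25346: query (cache) 'isc.org/ANY/IN' denied
Jul 29 10:05:00 ns2 named[5056]: client 198.51.100.9#4444: query (cache) 'isc.org/ANY/IN' denied
Jul 29 12:00:00 ns2 named[5056]: client 203.0.113.7#25347: query (cache) 'example.net/A/IN' denied
Jul 29 13:30:00 ns2 named[5056]: client 2001:db8::5#53000: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:00:00 ns2 named[5056]: this line is not a denied query
""".splitlines()


def parse_denied(line, year):
    """Return (timestamp, client_ip, qname, qtype) for a denied-query line, else None.

    Syslog timestamps carry no year, so the caller passes the year explicitly
    (an assumption of this example; a production script would track rollover).
    """
    m = DENIED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["qname"], m["qtype"]


def offenders(lines, year):
    """Aggregate denied queries per client: ip -> {'hits': n, 'last_seen': datetime}."""
    seen = {}
    for line in lines:
        parsed = parse_denied(line, year)
        if parsed is None:
            continue
        ts, ip, _, _ = parsed
        entry = seen.setdefault(ip, {"hits": 0, "last_seen": ts})
        entry["hits"] += 1
        if ts > entry["last_seen"]:
            entry["last_seen"] = ts
    return seen


def active_blocklist(seen, now, window):
    """IPs whose most recent denied query is still inside the expiry window."""
    return sorted(ip for ip, e in seen.items() if now - e["last_seen"] <= window)


def report(lines, year, now_iso, window_hours):
    """Convenience wrapper: parse, then expire entries older than window_hours."""
    seen = offenders(lines, year)
    return active_blocklist(seen, datetime.fromisoformat(now_iso), timedelta(hours=window_hours))


def block_commands(ips):
    """Render one DROP rule per address (ip6tables for IPv6); nothing is executed here."""
    return [
        f"{'ip6tables' if ':' in ip else 'iptables'} -I INPUT -s {ip} -j DROP"
        for ip in ips
    ]


if __name__ == "__main__":
    # Evaluate the same sample with the two expiry windows discussed in the thread.
    for hours in (24, 48):
        ips = report(SAMPLE_LOG, 2011, "2011-07-30T10:30:00", hours)
        print(f"{hours}h window: {len(ips)} address(es)")
        for cmd in block_commands(ips):
            print("  " + cmd)
```

Run on the sample with a 24-hour window, 198.51.100.9 has aged out while the
other two clients are still listed; with 48 hours all three remain, which is
the effect of the longer expiry that the post describes. Keying the expiry on
the last denied query, not the first, means a client that keeps sending stays
blocked as long as it keeps trying.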





Firewall Appliance Suggestions

2011-06-30 Thread Blake T. Pfankuch
Howdy,
I am looking for something a little unique in a bit of a tough 
situation with some sticky requirements.  First off, my requirements are a 
little weird and I can't bend them a whole lot due to stipulations being put on 
me.  I am in need of a firewall appliance which can be run on VMware vSphere, with 
IPSEC support for multiple Phase 2 negotiations within a single Phase 1.  I am 
also in need of something that can support VLAN interfaces on the LAN side, and 
ideally something with multi zoning so I can keep LAN side networks separate 
from each other without ridiculous firewall rules.  Meaning build a zone for 
Customer network 1 and it displays separately (ease of management and 
firewall config hopefully).  I need a minimum of 10 zones on LAN side (/29 or 
/30), and NAT support for LAN to WAN (to dedicate all outbound connections to a 
single IP from a specific zone), ideally something extremely scalable (100-200 
zones).  And here is the super fun part!  I need something that is going to be 
web managed primarily as minions will be doing most of the day to day 
maintenance, or very simple CLI config.  Willing to pay for something if need 
be, but looking for something that can easily handle 50-100mbit of throughput.

Any Ideas?

Thanks!

Blake Pfankuch


RE: Firewall Appliance Suggestions

2011-06-30 Thread Blake T. Pfankuch
For those of you who responded quickly and usefully, do you have any experience 
with the CheckPoint/Juniper/Fortinet in an environment with multiple protected 
subnets running on VMware?  Simple enough for a NOC monkey to make changes to 
without breaking assuming he has half a brain and a process in front of him to 
follow?

-Original Message-
From: -Hammer- [mailto:bhmc...@gmail.com] 
Sent: Thursday, June 30, 2011 9:57 AM
To: nanog@nanog.org
Subject: Re: Firewall Appliance Suggestions

CheckPoint

-Hammer-

I was a normal American nerd
-Jack Herer



On 06/30/2011 10:50 AM, Blake T. Pfankuch wrote:
 Howdy,
  I am looking for something a little unique in a bit of a 
 tough situation with some sticky requirements.  First off, my requirements 
 are a little weird and I can't bend them a whole lot due to stipulations 
 being put on me.  I am in need of a firewall appliance which can be run on 
 VMware vSphere, with IPSEC support for multiple Phase 2 negotiations within a 
 single Phase 1.  I am also in need of something that can support VLAN 
 interfaces on the LAN side, and ideally something with multi zoning so I can 
 keep LAN side networks separate from each other without ridiculous firewall rules.  
 Meaning build a zone for Customer network 1 and it displays separately 
 (ease of management and firewall config hopefully).  I need a minimum of 10 
 zones on LAN side (/29 or /30), and NAT support for LAN to WAN (to dedicate 
 all outbound connections to a single IP from a specific zone), ideally 
 something extremely scalable (100-200 zones).  And here is the super fun 
 part!  I need something that is going to be web managed primarily as minions 
 will be doing most of the day to day maintenance, or very simple CLI config.  
 Willing to pay for something if need be, but looking for something that can 
 easily handle 50-100mbit of throughput.

 Any Ideas?

 Thanks!

 Blake Pfankuch




RE: Firewall Appliance Suggestions

2011-06-30 Thread Blake T. Pfankuch
Normally I would agree with you as far as separate instances, however this will 
be in a situation where we pay ridiculous amounts for cpu and memory, so a 
single instance is what we are shooting for (remember those ridiculous 
requirements).  I am planning to do some further testing with vyatta and 
pfsense.  Thank you all for the on list and off list responses!

-Original Message-
From: Sargun Dhillon [mailto:sar...@sargun.me] 
Sent: Thursday, June 30, 2011 9:56 PM
To: George Bonser
Cc: Blake T. Pfankuch; NANOG (nanog@nanog.org)
Subject: Re: Firewall Appliance Suggestions



- Original Message -
 From: George Bonser gbon...@seven.com
 To: Blake T. Pfankuch bl...@pfankuch.me, NANOG (nanog@nanog.org) 
 nanog@nanog.org
 Sent: Thursday, June 30, 2011 11:30:53 AM
 Subject: RE: Firewall Appliance Suggestions
 
  Willing to pay for something if need be, but looking for something 
  that can easily handly 50-100mbit of throughput.
  
  Any Ideas?
  
  Thanks!
  
  Blake Pfankuch
 
 
 I might also look at Vyatta.  They have appliances or you can run the 
 software on your own hardware.
 
 
 
 
 
 

I would not go with Vyatta if you're doing anything complex. The random bugs 
I've hit with their software are numerous. In the right hands, it's a powerful 
tool. And it seems to fit your solution really well. 

If I were in your shoes, I would install two instances that would handle the 
edge of the cluster, and then an instance per customer (lightweight, they 
sell a VMWare image). Then use dynamic routing to direct traffic to the 
customer (assign each customer their own ASN, and peer with their instance). 
So, worst-case scenario, the NOC monkey only breaks one customer's gear. 


--
Sargun Dhillon
VoIP (US): +1-925-235-1105


RE: IPv6 day fun is beginning!

2011-06-07 Thread Blake T. Pfankuch
Anyone with native v6 want to help me test my content?  I don't have any v6 
access from anything except a few dedicated servers yet.  Off list response is 
fine :)

-Original Message-
From: TJ [mailto:trej...@gmail.com] 
Sent: Tuesday, June 07, 2011 6:32 PM
To: NANOG
Subject: Re: IPv6 day fun is beginning!

On Tue, Jun 7, 2011 at 20:14, Jared Mauch ja...@puck.nether.net wrote:


 Props to google for doing it right, e.g.:

 maps.googleapis.com 
 gg.google.com 
 safebrowsing.clients.google.com 

 Thank you google!

 - Jared



... and Gmail, too ...

/TJ