Re: Power cut if temps are too high

2019-05-27 Thread Brandon Ross

On Mon, 27 May 2019, Brian Kantor wrote:


A simple air conditioner thermostat wired to the EPO switch.
For safety, wire two thermostats in series so BOTH have to trip
before power is shut off.


Admittedly it's been a long time since I worked with basic circuitry, but 
wouldn't wiring them in series cause the circuit to be interrupted if 
EITHER thermostat tripped?


--
Brandon Ross                                      Yahoo:  BrandonNRoss
Voice:  +1-404-635-6667                             ICQ:  2269442
Signal Secure SMS, Viber, Whatsapp:  +1-404-644-9628 Skype:  brandonross
Schedule a meeting:  http://www.doodle.com/bross


Re: Fwd: Bonus support for Action for Children

2017-06-30 Thread Brandon Ross
I get that it's a good cause, but this is off topic and doesn't belong on 
NANOG.


If we allow everyone with a good cause to post to NANOG then we would be 
inundated with charity emails.


On Fri, 30 Jun 2017, Colin Johnston wrote:


excuse the subject, relevant as IT techies like this.



Bonus support for Action for Children
A BT senior manager is donating half of his bonus to Action for Children’s Byte 
Night North West event and encouraging others to do the same.
Colin Johnston is an IT technical manager who has supported Action for Children 
for several years. This year he and hundreds of other executives will be 
sleeping out for a night on 6 October as part of the charity’s annual Byte 
Night event.  As well as raising money by taking part in this, Colin has 
decided to also donate 50% of his bonus payment (£2,482.00 / 2 = £1241(donation 
amount)) this year to Action for Children.
Colin said, “Being involved for a while with Action for Children, I’ve got to 
know about the amazing work they do with children and young people and 
families. I’m happy to be in a position where I can help support their services 
by fundraising and donating.  If people can’t take part in Byte Night then they 
can still help out by donating what they can – if other executives decided to 
also give half of their bonus to Action for Children, it would be a simple but 
really effective way of helping young people to have a brighter future.”

Byte Night is Action for Children's biggest annual fundraiser; a national 
‘sleep-out’ event. Each year, hundreds of like-minded people from the 
technology and business arena give up their beds for one night to help change 
the lives of vulnerable young people. It all began in 1998 when 30 individuals 
slept out in London and raised £35,000. Since then Byte Night has grown to 10 
UK locations and over 1,200 people slept out in 2016. Byte Night is one of the 
UK’s top 17 mass participation charity events and is the largest charity 
sleep-out having raised over £9.6 million since the first event. Byte Night is 
celebrating its 20th anniversary this year and its fifth year in the North West.
Colin is a board member of the North West Byte Night event.
BT Volunteering is a very worthwhile endeavour.

See mydonate page linked to Byte Night 
https://mydonate.bt.com/fundraisers/colinjohnston1 
<https://mydonate.bt.com/fundraisers/colinjohnston1>

For more information go to www.bytenight.org.uk <http://www.bytenight.org.uk/>  
or to donate Text Byte17 and the amount to 70070.

Colin







RE: Dyn DDoS this AM?

2016-10-21 Thread Brandon Ross

On Fri, 21 Oct 2016, rar wrote:


Anyone want a quick consulting gig helping us configure BCP38 and BCP84?

Configurations is all cisco
Edge routers connect to Verizon, Level 3 Fiber
Each Edge router talks to two BGP routers.

$150/hour, I'm guessing it is only an hour for somebody to explain, and 
guide us through the configuration, but OK if longer.


Sure, we'll do it.

That rate is quite a bit less than our normal retail rate, but in the 
spirit that Patrick posted about, Network Utility Force will be happy to 
provide you or any other operator resources at that rate to help configure 
BCP38 and BCP84.


Anyone serious about that, email me privately at br...@netuf.net and we'll 
put paperwork together.




Re: IX in Iran by TIC

2016-07-12 Thread Brandon Ross

On Tue, 12 Jul 2016, Scott Weeks wrote:


--

Might be worthwhile to also look at throwing your
fabric/IX on X www.xx.com .
--

https://www.nanog.org/list

"5.Product marketing is prohibited"

It appears from a web search that you are affiliated
with the company you're speaking about.


Mentioning a product that you happen to work on/for while in context 
hardly seems like it should rise to the level of prohibited marketing. 
Then again, perhaps we should hire consultants to figure that out for us.




Re: NANOG67 - Tipping point of community and sponsor bashing?

2016-06-18 Thread Brandon Ross

On Fri, 17 Jun 2016, Eric Kuhnke wrote:


What Randy just wrote is exactly the point I was trying to make in my last
email. Some real estate facility owners/managers have got into the mistaken
mindset that they can get the greatest value and the most monthly revenue
from the square-footage of their building by charging additional MRC XC
fees to the tenants of the building.


There are some VERY successful companies that would strongly disagree with 
you.



When in fact the opposite is true, and we need a concerted community effort
to lobby every IX real estate owner with this fact: Your real estate will
be MORE valuable and will attract a greater critical mass of carriers,
eyeball networks, CDNs, huge hosting providers/colo/VM, etc if you make the
crossconnects free.


But then why would we want to do that?  If you are correct and doing so 
would raise the value of the real estate, doesn't that mean that the 
building managers would be able to charge operators a whole lot more than 
they are able to today, in aggregate?  Value based pricing is all the rage 
these days, which is why they charge you so much for cross connects.  Why 
do you think they wouldn't take advantage of higher value real estate by 
charging you more for that, instead?  After all, the free cross connect 
situation would be a great way for the owners to lock you into their real 
estate, then all they have to do is dramatically hike the rates when you 
can no longer leave.




Extra Fairmont Rooms

2016-06-09 Thread Brandon Ross
I've ended up with some extra room reservations at the Fairmont Chicago. 
If you can make use of any of these reservations, send me a direct email 
with the name you'd like me to put on the room.  First come, first served, 
so if your primary choice(s) aren't available, let me know if you have a 
second choice.  I'll reply with the confirmation number so you can call 
the hotel and guarantee the room with your credit card.


6/16-17 $242 Fairmont Room with King Bed
6/11-17 $299 Deluxe Room with King Bed
6/15-16 $278 Fairmont PURE Room King NS
6/15-16 $260 Fairmont Double/Double NS



Fw: new message

2015-10-24 Thread Brandon Ross
Hey!

 

New message, please read <http://mastairconditioning.com/his.php?r>

 

Brandon Ross



Re: Inexpensive probes for automated bandwidth testing purposes

2015-10-04 Thread Brandon Ross

On Sat, 3 Oct 2015, Lorell Hathcock wrote:

I am running a DOCSIS network that has a noisy cable plant.  I want to 
be able to substantiate and quantify users' bandwidth issues.  I would 
like a set of inexpensive probes that I could place at selected 
customer's homes/businesses that would on a scheduled basis perform 
bandwidth tests.


Check out Netbeez:

https://netbeez.net/

Let me know if you'd like an introduction to them.



Re: Extra Fairmont Room

2015-10-01 Thread Brandon Ross

The room is now spoken for.

On Thu, 1 Oct 2015, Brandon Ross wrote:

I have one extra room at the Fairmont under the NANOG room block rate of 
CA$199/night.  If you want it before I cancel it, let me know.  First come, 
first served.







Extra Fairmont Room

2015-10-01 Thread Brandon Ross
I have one extra room at the Fairmont under the NANOG room block rate of 
CA$199/night.  If you want it before I cancel it, let me know.  First 
come, first served.




Re: Production-scale NAT64

2015-08-27 Thread Brandon Ross

On Thu, 27 Aug 2015, Mark Tinka wrote:


If your IPv4 is public, you should not feel slow. Of course, if your
IPv4 is private, then yes, some NAT44 may happen somewhere along the path.


I strongly advise you to not assume that just because an IPv4 address is 
public (which I'm reading as RFC1918) means that it's not NATed.


I learned the hard way that Tmobile, for one, squats on other 
organizations' public IP space on their mobile network and NATs it to 
address space they are actually assigned.  What you really mean is if your 
IPv4 is not NATed, then it should not feel slow, the type of address 
isn't necessarily an indicator.




Re: World's Fastest Internet™ in Canadaland

2015-06-26 Thread Brandon Ross

On Fri, 26 Jun 2015, Rafael Possamai wrote:


How does one fully utilize a gigabit link for home use? For a single person
it is overkill. Similar to the concept of price elasticity in economics,
going from 50mbps to 1gbps doesn't necessarily increase your average
transfer rate, at least I don't think it would for me.


Why would you use average transfer rate as the metric for user experience 
quality?


Most users don't care about their long term bandwidth average, they care 
about getting that movie playing _right_now_, or HD video calls with all 
the grandchildren, all at once.  Heck, they care more about web pages 
showing up on the screen nice and fast more than average download speed.




Re: eBay is looking for network heavies...

2015-06-06 Thread Brandon Ross
I also concur.  There is most certainly a negative correlation between 
certs and clue in my experience, having met 10s of certificate holders.


Long ago when the MCSE was more popular, I actually started putting MCSE 
need not apply on job postings because everyone I interviewed that had 
one was not just clue challenged, but had negative clue.


On Fri, 5 Jun 2015, jim deleskie wrote:


Based on the number of certified people I've interviewed over the last
20yr, my default view lines up with Jared's 100%

On Fri, Jun 5, 2015 at 10:38 PM, Mike Hale eyeronic.des...@gmail.com
wrote:


We need a pool on what percentage of readers just googled traceroute.
On Jun 5, 2015 6:28 PM, na...@cdl.asgaard.org wrote:


On 5 Jun 2015, at 17:45, Łukasz Bromirski wrote:

 On 06 Jun 2015, at 02:26, Jared Mauch ja...@puck.nether.net wrote:



 On Jun 5, 2015, at 7:13 PM, John Fraizer j...@op-sec.us wrote:


Head of line for CCIE / JNCIE but knowledge and experience trumps a piece
of paper every time!



Can you please put these at the back of the line?  My experience is that
the cisco certification (at least) is evidence of the absence of actual
troubleshooting skills.  (or my standards of what defines “expert” are
different than the rest of the world).



Jared, don’t generalize.

True - there are people that are ‘paper’ CCIE/JNCIEs - but let’s not
start a rant unless you've met tens of CCIEs/JNCIEs and all of them
didn’t know a jack. About troubleshooting.



We had one CCIE at a previous job who just didn't click no matter how
much we tried to train on the architecture.  Eventually in one backbone
event, he kept saying that the problem couldn't be with a given router
because traceroute worked.  When it was pointed out that the potential
fault wouldn't cause traceroute to fail, we got a very puzzled look.  We
then asked him to explain how traceroute worked.  He spectacularly
failed.

It became a tongue-in-cheek interview question.  What was boggling was
the number of *IE's that failed trying to explain traceroute's mechanics.

My test, as crass as it is.  If your CV headlines with a JCIE/CCIE, I am
pretty certain that you have very little real-world experience.  If it's
a footnote somewhere, that's ok.

Christopher




—
CCIE #15929 RS/SP, CCDE #2012::17
(not that I’d know anything about troubleshooting of course)




--
李柯睿
Avt tace, avt loqvere meliora silentio
Check my PGP key here: http://www.asgaard.org/cdl/cdl.asc
Current vCard here: http://www.asgaard.org/cdl/cdl.vcf
keybase: https://keybase.io/liljenstolpe









Extra rooms

2015-05-28 Thread Brandon Ross
I have 2 extra rooms up for grabs at the St. Francis, checking in on 
Saturday and out on Thursday under the NANOG rate/room block.  First come, 
first served if you want them, send me the full name of the person(s) that 
the room should go under and contact info.




Re: DDOS solution recommendation

2015-01-13 Thread Brandon Ross
Earlier in the thread you seemed extremely confident in your position that 
long term blocking of addresses that appeared as source addresses of 
undesirable traffic is a good thing.  Why are you now avoiding answering 
my question with a strawman?


On Mon, 12 Jan 2015, Mike Hammett wrote:


So the preferred alternative is to simply do nothing at all? That seems fair.




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



- Original Message -

From: Christopher Morrow morrowc.li...@gmail.com
To: Brandon Ross br...@pobox.com
Cc: Mike Hammett na...@ics-il.net, NANOG list nanog@nanog.org
Sent: Monday, January 12, 2015 3:05:14 PM
Subject: Re: DDOS solution recommendation

On Mon, Jan 12, 2015 at 3:17 PM, Brandon Ross br...@pobox.com wrote:

On Sun, 11 Jan 2015, Mike Hammett wrote:


I know that UDP can be spoofed, but it's not likely that the SSH, mail,
etc. login attempts, web page hits, etc. would be spoofed as they'd have to
know the response to be of any good.



Okay, so I'm curious. Are you saying that you do not automatically block
attackers until you can confirm a 3-way TCP handshake has been completed,
and therefore you aren't blocking sources that were spoofed? If so, how are
you protecting yourself against SYN attacks? If not, then you've made it
quite easy for attackers to deny any source they want.


this all seems like a fabulous conversation we're watching, but really
.. if someone wants to block large swaths of the intertubes on their
systems it's totally up to them, right? They can choose to not be
functional all they want, as near as I can tell... and arguing with
someone with this mentality isn't productive, especially after several
(10+? folk) have tried to show and tell some experience that would
lead to more cautious approaches.

If mike wants less packets, that's all cool... I'm not sure it's
actually solving anything, but sure, go right ahead, have fun.

-chris





Re: DDOS solution recommendation

2015-01-12 Thread Brandon Ross

On Sun, 11 Jan 2015, Mike Hammett wrote:

I know that UDP can be spoofed, but it's not likely that the SSH, mail, 
etc. login attempts, web page hits, etc. would be spoofed as they'd have 
to know the response to be of any good.


Okay, so I'm curious.  Are you saying that you do not automatically block 
attackers until you can confirm a 3-way TCP handshake has been completed, 
and therefore you aren't blocking sources that were spoofed?  If so, 
how are you protecting yourself against SYN attacks?  If not, then you've 
made it quite easy for attackers to deny any source they want.


--
Brandon Ross                                  Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                                        ICQ:  2269442
                                                     Skype:  brandonross
Schedule a meeting:  http://www.doodle.com/bross
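
The trade-off raised in this message (and quoted again in the 2015-01-13 follow-up), as an added example that is not part of the original posts: a blocklist that counts strikes only on connections that completed the three-way handshake, next to one that also counts bare SYNs. The event format, thresholds, block expiry and the documentation-range addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy values for this example (not taken from the thread).
STRIKE_LIMIT = 3   # strikes inside WINDOW seconds trigger a block
WINDOW = 60        # seconds
BLOCK_TTL = 600    # blocks expire instead of persisting indefinitely


@dataclass(frozen=True)
class Event:
    ts: int      # seconds since the start of the constructed capture
    src: str     # source address as seen in the packet (may be forged)
    sport: int   # source port; (src, sport) identifies one connection
    kind: str    # "syn", "established" (handshake completed) or "auth_fail"


def build_blocklist(events, require_handshake=True):
    """Return {src: expiry_ts} for sources that reached STRIKE_LIMIT.

    require_handshake=True : only failures on a connection whose handshake
        completed count, so the peer has shown it receives traffic sent to
        that address. Bare SYNs are ignored here; SYN floods are assumed to
        be handled statelessly elsewhere (for example SYN cookies).
    require_handshake=False: every SYN is a strike too, so whoever can forge
        a source address decides which address ends up blocked.
    """
    verified = set()              # connections that completed the handshake
    strikes = defaultdict(list)   # src -> strike timestamps inside WINDOW
    blocks = {}
    for ev in sorted(events, key=lambda e: e.ts):
        conn = (ev.src, ev.sport)
        if ev.kind == "established":
            verified.add(conn)
            continue
        if ev.kind == "syn":
            if require_handshake:
                continue          # unverified source: never a strike
        elif ev.kind == "auth_fail":
            if require_handshake and conn not in verified:
                continue          # no handshake on record for this connection
        else:
            continue              # unknown event kinds are ignored
        recent = [t for t in strikes[ev.src] if ev.ts - t < WINDOW]
        recent.append(ev.ts)
        strikes[ev.src] = recent
        if len(recent) >= STRIKE_LIMIT:
            blocks[ev.src] = ev.ts + BLOCK_TTL
    return blocks


def active_blocks(blocks, now):
    """Sources whose block has not yet expired at time `now`."""
    return sorted(src for src, expiry in blocks.items() if expiry > now)


def sample_events():
    """Constructed capture: forged SYNs, a real brute-forcer, one typo."""
    events = []
    # Forged SYNs claiming to come from an uninvolved address; the handshake
    # never completes because the replies go to the real owner.
    for i in range(5):
        events.append(Event(i, "198.51.100.7", 40000 + i, "syn"))
    # A real client that completes three handshakes and fails each login.
    for i, base in enumerate((10, 15, 20)):
        port = 50000 + i
        events.append(Event(base, "192.0.2.10", port, "syn"))
        events.append(Event(base + 1, "192.0.2.10", port, "established"))
        events.append(Event(base + 2, "192.0.2.10", port, "auth_fail"))
    # A legitimate user who mistypes a password once.
    events.append(Event(30, "203.0.113.5", 60000, "syn"))
    events.append(Event(31, "203.0.113.5", 60000, "established"))
    events.append(Event(32, "203.0.113.5", 60000, "auth_fail"))
    return events


if __name__ == "__main__":
    evs = sample_events()
    for label, flag in (("handshake required", True), ("bare SYN counts", False)):
        print(label, active_blocks(build_blocklist(evs, flag), now=100))
```
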


Re: Marriott wifi blocking

2014-10-04 Thread Brandon Ross

On Sat, 4 Oct 2014, Michael Thomas wrote:

The problem is that there's really no such thing as a copycat if the 
client doesn't have the means of authenticating the destination. If 
that's really the requirement, people should start bitching to ieee to 
get destination auth on ap's instead of blatantly asserting that 
somebody owns a particular ssid because, well, because.


In the enterprise environment that there's been some insistence from folks 
on this list is a legitimate place to block rogue APs, what makes those 
SSIDs, yours?  Just because they were used first by the enterprise? 
That doesn't seem to hold water in an unlicensed environment to me at all.


If the Marriott can't do this, I don't think anyone can, legally.

Now, granted, if I'm doing it with the intent to disrupt the corporate 
network or steal data, there's certainly other laws to deal with that, but 
I don't think even that is justification for spoofed deauth.




Re: Comcast Outages?

2014-07-10 Thread Brandon Ross

On Thu, 10 Jul 2014, Kraig Beahn wrote:


Anyone in the SE seeing and/or hearing of any massive Comcast outages
regionally?

(Fiber, Voice  DOCSIS modems from Atlanta, GA to Tallahassee, FL and in
some select areas Jacksonville, FL...)


Yes, I'm in Atlanta.  I lost DOCSIS Internet connectivity last night at 
just past midnight Eastern.  I didn't bother troubleshooting and just went 
to bed.  This morning I still had no access, but a power cycle of my cable 
modem restored connectivity.




Re: Ars Technica on IPv4 exhaustion

2014-06-19 Thread Brandon Ross

On Thu, 19 Jun 2014, Owen DeLong wrote:

If you read the rest of my post, you would realize that I wasn't arguing 
to give out addresses to every person and their dog, but instead arguing 
that trying to shift bits to the right would be costly and pointless 
because there are more than enough bits on the left side already.


Perhaps we should discuss this in a different way...

Ricky, if you were to design a new protocol today such that you can give 
out addresses, at will without having to be conservative with the goal of 
minimizing human factor costs, and _guarantee_ that you will not run out 
of addresses in the useful life of the protocol, how big would that 
address space need to be?




Re: Requirements for IPv6 Firewalls

2014-04-21 Thread Brandon Ross

On Mon, 21 Apr 2014, Fernando Gont wrote:


Are you arguing against e.g. default-deny inbound traffic?


Absolutely not, default deny of traffic should most certainly be one of 
the tools in the toolbox.





Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Brandon Ross

On Thu, 17 Apr 2014, Sander Steffann wrote:


Also, I note your draft is entitled Requirements for IPv6 Enterprise
Firewalls. Frankly, no enterprise firewall will be taken seriously
without address-overloaded NAT. I realize that's a controversial
statement in the IPv6 world but until you get past it you're basically
wasting your time on a document which won't be useful to industry.


I disagree. While there certainly will be organisations that want such a 
'feature' it is certainly not a requirement for every (I hope most, but 
I might be optimistic) enterprises.


And I not only agree with Sander, but would also argue for a definitive 
statement in a document like this SPECIFICALLY to help educate the 
enterprise networking community on how to implement a secure border for 
IPv6 without the need for NAT.  Having a document to point at that has 
been blessed by the IETF/community is key to helping recover the 
end-to-end principle.  Such a document may or may not be totally in scope 
for a firewall document, but should talk about concepts like 
default-deny inbound traffic, stateful inspection and the use of address 
space that is not announced to the Internet and/or is completely blocked 
at borders for all traffic.


Heck, we could even make it less specific to IPv6 and create a document 
that describes these concepts and show how NAT is not necessary nor wise 
for IPv4, either.  (Yes, yes, other than address conservation.)





Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Brandon Ross

On Thu, 17 Apr 2014, Timothy Morizot wrote:


On Apr 17, 2014 7:52 PM, Matthew Kaufman matt...@matthew.at wrote:


While you're at it, the document can explain to admins who have been

burned, often more than once, by the pain of re-numbering internal services
at static addresses how IPv6 without NAT will magically solve this problem.

If you're worried about that issue, either get your own end user
assignment(s) from ARIN or use ULA internally and employ NAT-PT (prefix
translation) at the perimeter. That's not even a hard question.


Until you responded, Timothy, I didn't realize that Matthew was being 
sarcastic.





Re: Starting a greenfield carrier backbone network that can scale to national and international service. What would you do?

2014-04-03 Thread Brandon Ross
 for reading. I look forward to the discussion!

PS: Yes, I'm young and idealistic. I'm also grounded/practical/focused. I'm 
currently working on making the access portion of the network as smooth and 
turnkey as possible. (That basically means packaging up 
zeroshell/observium/powerdns/libremap/trigger and other bits/bobs into a nice 
livecd/ova/openvz package). I also like to think about the next wave of 
issues while working on the current one. It will take another year or so 
before we need to really be building out the backbone (if nothing else, to 
link up the rapidly growing regional networks).


This is about physical, layer 1 infrastructure. This isn't yet another 
overlay network (CJDNS/GNu FreeNet etc). Yes it's messy, yes it's all about 
non technical end users, yes it's about taking a rather complex stack 
(auth/network awareness/routing platform) and making it accessible to power 
users/IT professionals. It's also a whole lot of fun!



Please feel free to visit us at https://www.thefnf.org for more information.






Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-28 Thread Brandon Ross

On Fri, 28 Mar 2014, Owen DeLong wrote:

This assumes a different economic model of SPAM that I have been led to 
believe exists.


My understanding is that the people sending the SPAM get paid 
immediately and that the people paying them to send it are the ones 
hoping that the advertising/phishing/etc. are acted on.


Fine, then the people paying the people who do the spamming have more of 
an incentive to pay higher rates and more spammers.  It doesn't really 
matter how many layers of abstraction there are, the point is that the main 
motivator has become more attractive.





Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-27 Thread Brandon Ross

On Thu, 27 Mar 2014, Owen DeLong wrote:


On Mar 27, 2014, at 11:15 AM, Barry Shein b...@world.std.com wrote:

Please explain in detail where the fraud potential comes in.


Spammer uses his botnet of zombie machines to send email from each of them 
to his own domain using the user's legitimate email address as From:. 
Spammer says it was unsolicited and keeps the full $.10/email that victim 
users have deposited into this escrow thing.


Sounds a lot more profitable than regular spam.




Re: Ipv4 end, its fake.

2014-03-24 Thread Brandon Ross
Since you seem to know a lot more than the rest of us about the value of 
an IPv4 address, why aren't you buying them for this $1-4 price and then 
making yourself a billionaire by selling them at $11?


On Sat, 22 Mar 2014, Bryan Socha wrote:


As someone growing in the end of ipv4, it's all fake.  Sure, the rirs will
run out, but that's boring.  Don't believe the fake auction sites.
Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no
spam and $4 for legacy.  Stop the inflation.  Millions of IPS exist,
there is no shortage and don't lie for rirs with IPS left.






Re: opensource tools for IP DNS management [was: Opensource tools for inventory and troubleticketing]

2014-01-26 Thread Brandon Ross

On Sat, 25 Jan 2014, Miles Fidelman wrote:

Anybody have any suggestions for good opensource tools for managing blocks of 
IP addresses, and domain name assignments - ideally with hooks for updating 
nameservers and registry databases?  Last time I looked everyone was still 
using either spreadsheets or high-priced proprietary tools - figure it's time 
to ask again.


I guess it depends on how you define high-priced, but we find the 6connect 
stuff to be very reasonably priced for a commercial tool with support.





Re: Open source hardware

2014-01-08 Thread Brandon Ross

On Wed, 8 Jan 2014, Saku Ytti wrote:


On (2014-01-08 13:56 -0500), Ray Soucy wrote:


Just to toss in a few more vendors so not to look biased:


Instead of suggesting names, I'm giving some suggestions want to ask for
vendor when looking for new partner


So, in other words, you should make higher demands of your 3rd party 
optics providers than any of the OEMs could meet?  When was the last time 
your OEM lowered your pricing for you when their supplies got cheaper? 
And when was the last time they changed their part number when they 
changed the casing of an optic?





Re: ATT UVERSE Native IPv6, a HOWTO

2013-12-08 Thread Brandon Ross

On Thu, 5 Dec 2013, Mikael Abrahamsson wrote:

We have the same deal here, for the same price per month you can have access 
to ~80 megabit/s LTE, or you can have 100/10 cable. The problem is that with 
LTE you get 80 gigabytes/month in cap. The cable connection doesn't have a 
cap.


It does now, at least, if you are a Comcast customer:

Starting December 1, 2013, Comcast will trial a new monthly data plan in 
this area, which will increase the amount of data included in your XFINITY 
Internet Service to 300 GB and provide more choice and flexibility.



Good job, Comcast, considering what I pay you, it might actually be a 
better deal for me to dump my wired connectivity and just use tethering on 
my phone when I'm at home.  By capping me, you've created a new 
competitor.






Re: BGP failure analysis and recommendations

2013-10-24 Thread Brandon Ross

On Wed, 23 Oct 2013, Christopher Morrow wrote:


On Wed, Oct 23, 2013 at 10:40 PM, JRC NOC
nospam-na...@jensenresearch.com wrote:


Have we/they lost something important in the changeover to converged
multiprotocol networks?
Is there a better way for us edge networks to achieve IP resiliency in the
current environment?


sadly I bet not, aside from active probing and disabling paths that
are non-functional.


Um, how about, don't buy services from network providers that fail in this 
way?


Since we're not naming names, I won't, but in the past there's been at 
least one provider that used multi-hop eBGP at their edges because they 
didn't want to invest in edge gear that could handle a full BGP table.  My 
concern with their network (beyond many other concerns) was that when that 
router in the middle had a soft failure, how would BGP know to route 
around it?  Answer: it wouldn't, you'd black hole.


On the opposite side of the spectrum, there was at least one provider that 
used custom software to actively probe their upstream providers and route 
around poor performance.  At one time, there was also software, hardware 
and services that you could install/run on your own network to try to 
detect these things as well, however I'm not sure how many of them are 
still on the market.


The bottom line, however, is don't buy services from companies that do a 
poor job of running their network unless you can accept these kinds of 
failures.





Re: BGP failure analysis and recommendations

2013-10-24 Thread Brandon Ross

On Thu, 24 Oct 2013, Christopher Morrow wrote:


Um, how about, don't buy services from network providers that fail in this
way?


I suppose the question is: how would you know that any particular
network had this failure mode?


Ask detailed questions about how their network is architected.  Do they 
use eBGP multihop anywhere?  Do they use BFD on internal Ethernet links? 
Do they put their peering links in their IGP, or directly into iBGP?



until, of course, you run into it... as jrc did...


That too.

--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: google / massive problems

2013-10-09 Thread Brandon Ross

On Wed, 9 Oct 2013, Christopher Morrow wrote:


piling on a tad: (for consumer gmail/drive)
1) existing session cookies work fine
2) new sessions work fine, + 2-step auth


Yea, I'll pile on too.  I have 5 entities that I have gmail accounts setup 
for, plus my personal @gmail account.  I regularly keep several of them 
open at the same time, but for at least 3 or 4 days I've been unable to 
stay logged into more than 1 at a time.  I've only used Chrome, and I'm in 
PHX at NANOG.  It's super annoying.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: minimum IPv6 announcement size

2013-09-27 Thread Brandon Ross

On Fri, 27 Sep 2013, Ryan McIntosh wrote:


It's a waste, even if we're planning for the future, no one house
needs a /64 sitting on their lan.. or at least none I can sensibly
think of o_O.


Okay, I'm just curious, what size do you (and others of similar opinion) 
think the IPv6 space _should_ have been in order to allow us to not have 
to jump through conservation hoops ever again?  128 bits isn't enough, 
clearly, 256?  1k?  10k?


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



RE:The block message is 521 DNSRBL: Blocked for abuse

2013-09-18 Thread Brandon Ross

On Wed, 18 Sep 2013, Timothy Metzinger wrote:


Here's a thought.  Would it be possible to set up a process where ARIN, as
part of reselling IP addresses, either issues a certificate of transfer that
the new owner can use to prove to the ISPs that he's a new owner and not the
old evil spammer, or ARIN publishes a list of IP assignments that can be
used by ISPs to provisionally remove them from blocked lists?


That sounds like a great idea!  We should make it an electronic 
certificate, though, so that anyone who wants to know can look it up 
online.  And it should show the contact info of the new owner and the date 
the record was created/updated.  It would be a great way to find out WHOIS 
using a particular address block.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Typical warranty for generic DWDM transceivers

2013-08-20 Thread Brandon Ross

On Tue, 20 Aug 2013, Manuel Marín wrote:


We are currently evaluating the use of generic third party optics (SFP+ and
XFP) for 40Kms and 80Kms applications from vendors like NHR and Champion
One and I was wondering if someone in the group has experience using optics
from these vendors.


I am biased.  My wife sells 3rd party optics at SubSpace Communications, 
but I think our data is valuable.


She has sold many thousands of optics, all with lifetime warranties.  Many 
of them to very large and clueful organizations, many of whom are 
represented here on NANOG.  Of those thousands sold, I can count less than 
20 that have been returned.


I've also worked for VARs in the past, and work with several of 
them today, selling new OEM branded optics.  I've found a MUCH higher 
percentage of OEM optics having to be returned to the manufacturer.


Of course, take my report with a grain of salt.

--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross


Re: IPAM

2013-08-07 Thread Brandon Ross

On Wed, 7 Aug 2013, Natambu Obleton wrote:

I have a customer that we deployed Northstar for their internal ip 
management over 8 yrs ago. They are still using it, but it is slowly 
breaking on them. Can someone recommend an IPAM solution that has a 
Northstar import option? They have hundreds of entries detailing 
customer who was assigned the ip address and I would like to avoid any 
data massaging. TIA


I'm pretty sure that if 6connect doesn't have an existing tool to import 
Northstar that they'd work with your client to get it done.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Ciena 6200 clue?

2013-07-03 Thread Brandon Ross

On Tue, 2 Jul 2013, Jason Lixfeld wrote:

The SE who's onsite is apparently claiming that there is no provision to 
set a default gateway on the management interface.


Everyone knows that attacks against your management interface come from 
devices not on your management network.  By removing the default gateway 
feature, Ciena is improving the security of your network.


It's time we created a BCOP specifying that default gateway functionality 
be disabled or removed in all network deployments, in the interest of 
security.  Security improvements realized in the last few years by 
dropping all ICMP and TCP DNS at firewall boundaries, not to mention 
universal deployment of NAT, were just the first few steps to creating a 
much more secure Internet.


Once disablement of default gateway functionality has become a common 
practice, the natural reduction in traffic on the Internet should allow 
most operators to achieve enormous cost savings by powering off all of 
their equipment.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Single AS multiple Dirverse Providers

2013-06-10 Thread Brandon Ross

On Mon, 10 Jun 2013, Joe Provo wrote:

I would submit that not knowing loop detection is a default and valuable 
feature might indicate the person should understand why and how it 
affects them.


And I would further submit that the lack of deep protocol knowledge is a 
good reason to NOT F**K with it!  Why is just getting another ASN not the 
preferred option here?


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Single AS multiple Dirverse Providers

2013-06-10 Thread Brandon Ross

On Mon, 10 Jun 2013, Patrick W. Gilmore wrote:


Ever tried to get a single peer set up sessions in 50+ places with 50+ ASNs?


I would submit that it's very likely that someone setting up 50+ places 
will have gained expert level knowledge of BGP and will understand the 
compromises they are making by breaking the rules.


I think the point is that if this is your first rodeo, perhaps you should 
stick with the script.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Remote Hands Nation-Wide?

2013-05-18 Thread Brandon Ross

We do.

Worldwide, in fact.

On Fri, 17 May 2013, Aaron C. de Bruyn wrote:


I recall a message a while back about a company that offered remote hands
nation-wide, but my Google-Fu is failing me.

Any pointers?

We basically need to find coverage for eastern Washington State and all of
Oregon.

-A



--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: It's the end of the world as we know it -- REM

2013-04-25 Thread Brandon Ross

On Thu, 25 Apr 2013, Michael Thomas wrote:


So here is the question I have: when we run out, is there *anything* that
will reasonably allow an ISP to *not* deploy carrier grade NAT?


Do you count NAT64 or MAP as carrier grade NAT?


One thing that occurs to me though is that it's sort of in an ISP's interest
to deploy v6 on the client side because each new v6 site that lights up on
the internet side is less traffic forced through the CGN gear which is
ultimately a cost down. So maybe an alternative to a death penalty is a
molasses penalty:

make the CGN experience operable but bad/congested/slow :)


Hm, sounds like NAT64 or MAP to me (although, honestly, we may end up 
making MAP too good.)


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: It's the end of the world as we know it -- REM

2013-04-25 Thread Brandon Ross

On Thu, 25 Apr 2013, Michael Thomas wrote:


On 04/25/2013 10:10 AM, Brandon Ross wrote:

On Thu, 25 Apr 2013, Michael Thomas wrote:


So here is the question I have: when we run out, is there *anything* that
will reasonably allow an ISP to *not* deploy carrier grade NAT?


Do you count NAT64 or MAP as carrier grade NAT?


I suppose that the way to frame this is: does it require the ISP to
carry flow statefulness in their network in places where they didn't
have to before. That to my mind is the big hit.


NAT64 sure does.  Take a look at MAP and be your own judge of whether it 
counts or not.


I was going to say that NAT64 could be helpful, but thought better of it 
because it may have its own set of issues. For example, are all of the 
resources *within* the ISP v6 available?


Um, yes, why wouldn't they be?

They may be a part of the problem as well as a part of the solution too. 
I would think that just the prospect of having a less expensive/complex 
infrastructure would be appealing as v6 adoption ramps up, and gives 
ISP's an incentive to give the laggards an incentive.


It's no longer clear to me what your problem statement is.  If the problem 
is that you want something that does NATish things so that v4 still works, 
but v6 works better, I think NAT64 is worthy of your scrutiny.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: IPv6 support by wifi systems

2013-02-12 Thread Brandon Ross

On Tue, 12 Feb 2013, Luke Jenkins wrote:


MLD Snooping and IPv6 ACLs are a must.


MLD Snooping only seems important to me if you are actually going to do 
multicast outside of the local broadcast domain, which I can't imagine 
doing in most service provider environments.  Am I missing a reason for it 
or a use case otherwise?


Check to make sure that the solution allows for many (for your network's 
definition of many) IPv6 addresses per host. You'll have at least three 
per host between link local, global, and one or more privacy addresses.


It would seem to me that either a wifi vendor would support source address 
shield for IPv6, which MUST include multiple addresses, or it would just 
pass everything without paying attention to source addresses.  Is there a 
vendor that does not do one or the other?  If so, please name names.



I've been providing native dual stack on my Cisco controller based wireless
network for a few years now. IPv6 support was brought up a notch with the
7.2 code release. RA Guard was the obvious big feature that was added, but
I also appreciated the addition of ND caching to keep that chatter down.
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae506.shtml#discovery


Nice.  Can you confirm if they've added DHCPv6 shield too?  Source address 
shield for IPv6?



I've also used some Ruckus gear on an IPv6 network and it seemed to have
all the right knobs and pass all the right IPv6 packets. Though this was on
my home network so I can't speak to their IPv6 scalability (no reason to
doubt it, just wanted to be clear).


Thanks, that's a useful data point.

--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: IPv6 support by wifi systems

2013-02-12 Thread Brandon Ross

On Wed, 13 Feb 2013, Karl Auer wrote:


For example, multicast is used by ND, the IPv6 equivalent of ARP. MLD
snooping means only a few hosts (typically only one, in fact) in the
subnet see any given ND request. Without MLD snooping, every port in the
subnet sees it. Or DHCPv6 - without MLD snooping, every port sees all
client traffic for all DHCP requests; with MLD snooping only the
routers/relays in the subnet see it. See with MLD snooping means see
it at all, not see and ignore it as in the broadcast world.


Oh really?  Exactly when during the ND process does a device send an MLD 
message that can be snooped?


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: IPv6 support by wifi systems

2013-02-12 Thread Brandon Ross

On Wed, 13 Feb 2013, Karl Auer wrote:

The switch then knows what listeners are where, so when for example an 
NS is sent to the solicited node multicast address of a target during 
ND, the switch can send it only to those hosts it knows are listeners on 
that group.


Okay, so then to answer my own question from earlier, the answer is 
actually that an MLD is sent when an interface configures a new address to 
join the appropriate solicited node multicast group.  It seems that, then, 
MLD snooping is valuable as it will prevent DAD and other ND traffic from 
using bandwidth towards hosts not in that group.


Other than solicited node multicast, is MLD used anywhere else in a 
network that does not have layer 3 multicast enabled on a router?


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross
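
The solicited-node mechanism discussed in the message above, as an added example that is not part of any post in this thread: it derives the solicited-node group and Ethernet multicast MAC for an address, then models which switch ports receive a Neighbor Solicitation with and without MLD snooping. The addresses, port numbers and the SnoopingSwitch class are constructed for illustration; the model assumes the switch drops multicast for groups with no snooped listener and ignores router ports.

```python
import ipaddress
from collections import defaultdict

# ff02::1:ff00:0/104 is the solicited-node multicast prefix (RFC 4291).
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr):
    """Solicited-node group for a unicast address: prefix plus its low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def multicast_mac(group):
    """Ethernet destination for an IPv6 group: 33:33 plus its low 32 bits (RFC 2464)."""
    low32 = (int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


class SnoopingSwitch:
    """Toy layer 2 switch (hypothetical model, not a vendor implementation).

    Assumption: a group with no snooped listener is dropped when snooping is
    on; real switches may flood unknown groups and always forward to routers.
    """

    def __init__(self, ports):
        self.ports = set(ports)
        self.listeners = defaultdict(set)  # group -> ports that reported it

    def host_configures(self, port, addr):
        """A host assigns addr and sends an MLD report for its solicited-node
        group; the switch snoops the report and records the port."""
        group = solicited_node(addr)
        self.listeners[group].add(port)
        return group

    def deliver_ns(self, ingress, target, snooping=True):
        """Ports that receive an NS (address resolution or DAD) for target."""
        if snooping:
            egress = self.listeners.get(solicited_node(target), set())
        else:
            egress = self.ports  # multicast treated like broadcast
        return sorted(set(egress) - {ingress})


def build_demo():
    """Four ports with constructed documentation-prefix addresses."""
    sw = SnoopingSwitch(ports=[1, 2, 3, 4])
    sw.host_configures(1, "fe80::a1b2:c3d4")       # link-local and global share
    sw.host_configures(1, "2001:db8::a1b2:c3d4")   # the same low 24 bits
    sw.host_configures(2, "2001:db8::1")
    sw.host_configures(3, "2001:db8::2:c3d4")
    # Different interface ID, same low 24 bits as port 1: a group collision.
    sw.host_configures(4, "2001:db8::1234:5678:9ab2:c3d4")
    return sw


if __name__ == "__main__":
    sw = build_demo()
    target = "2001:db8::a1b2:c3d4"
    group = solicited_node(target)
    print("target        :", target)
    print("group         :", group, "->", multicast_mac(group))
    print("with snooping :", sw.deliver_ns(2, target))
    print("no snooping   :", sw.deliver_ns(2, target, snooping=False))
```

Port 4 still receives the solicitation because only the low 24 bits of the address select the group, so snooping narrows delivery to "typically one" host rather than exactly one.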



IPv6 support by wifi systems

2013-02-11 Thread Brandon Ross
Like so many things IPv6, many of the wifi vendors seem to lack decent 
support for IPv6 clients.  I'm not sure why I thought the situation was 
better than it seems to be, I guess I'm just an optimist.


Anyway, what wifi vendors provide the best support for IPv6?  I don't 
really care too much about management, but to deploy wifi in a service 
provider environment with IPv6, it would seem that you'd want at least:


RA Guard
DHCPv6 Shield (unless you just do SLAAC, I guess)
IPv6 Source Address Guard

Am I missing anything critical?

--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Will wholesale-only muni actually bring the boys to your yard?

2013-02-04 Thread Brandon Ross

On Mon, 4 Feb 2013, Scott Helms wrote:


One thing to keep in mind is that I don't believe it's possible to get a
contract with the bulk of the content owners in a wholesale scenario.


You do really need to read the thread before you post.

I already pointed out that there are several companies that will handle or 
aggregate programming for you.


See here:

http://www.itvdictionary.com/tv_content_aggregators.html

And this company here:

http://www.telechannel.tv/overview.php

I'm no expert in this space, but as I've pointed out multiple times, there 
are probably 50-100 small service providers in the US that provide video 
programming to their communities.  I guarantee you at least most of them 
don't negotiate with all of the content providers themselves, on an 
individual basis.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Will wholesale-only muni actually bring the boys to your yard?

2013-02-04 Thread Brandon Ross

On Mon, 4 Feb 2013, Scott Helms wrote:


On Mon, Feb 4, 2013 at 4:14 PM, Brandon Ross br...@pobox.com wrote:

There are tons and tons and tons of organizations that will sell the
operator of a network content to sell to that operator's subscribers
directly.  Most well known is the cable coop, who only exists to do just
that.  The problem is that what's been proposed is that the network
operator be able to then turn around and offer those services at a
wholesale level to another operator, on the same physical but not layer 2,
plant.  That's what I don't think you can get contracts inked for.


How is that different from what the aggregators that I've already pointed 
out are doing?  Why does anyone need to resell anything, anyway, what we 
are talking about are service providers connected to this muni fiber 
network being able to deliver triple play to their subs.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



RE: Will wholesale-only muni actually bring the boys to your yard?

2013-02-03 Thread Brandon Ross

On Sat, 2 Feb 2013, Frank Bulk wrote:


Yes, but IP TV is not profitable on stand-alone basis -- it's just a
necessary part of the triple play.  A lot of the discussion has been about
Internet and network design, but not much about the other two plays.


I don't know if that's true or not, but so what?

The concern was that providers would be unable to provide television 
services across this muni fiber infrastructure and that customers would 
demand triple play.  I showed that they absolutely can provide this 
service by doing it across IP.


If a provider can't make money at it, then they don't have to provide it.

This whole exercise, I thought, was about removing the tyranny of the 
monopoly of the last mile so that these other innovations could take place 
in an open market.


And as far as the other triple play, it's even more well established 
that delivery of voice over IP can be done economically.  Or do you need 
me to send you URLs of companies that do it to prove it?



-Original Message-
From: Brandon Ross [mailto:br...@pobox.com]
Sent: Saturday, February 02, 2013 3:53 PM
To: Jay Ashworth
Cc: NANOG
Subject: Re: Will wholesale-only muni actually bring the boys to your yard?

On Sat, 2 Feb 2013, Jay Ashworth wrote:


Perhaps I live in a different world, but just about all of the small to
midsize service providers I work with offer triple play today, and nearly
all of them are migrating their triple play services to IP.


Really.  Citations?  I'd love to see it play that way, myself.


Okay:

South Central Rural Telephone
Glasgow, KY
http://www.scrtc.com/
Left side of page, Digital TV service.  See this news article:

http://www.wcluradio.com/index.php?option=com_contentview=articleid=15567:capacity-crowd-hears-good-report-at-scrtc-annuan-mee

He also reported that SCRTC is continuing to upgrade our services,
converting customers to the new IPTV service and trying to get as much
fiber optic cable built as possible.

Camellia Communications
Greenville, AL
http://camelliacom.com/services/ctv-dvr.html
Note the models of set-top boxes they are using are IP based

Griswold Cooperative Telephone
Griswold, IA
http://www.griswoldtelco.com/griswold-coop-iptv-video

Farmer's Mutual Cooperative Telephone
Moulton, IA
http://farmersmutualcoop.com/

Citizens
Floyd, VA
http://www.citizens.coop/


How about a Canadian example you say?

CoopTel
Valcourt, QB
http://www.cooptel.qc.ca/en-residentiel-tele-guidesusager.php
Check out the models of set-top boxes here too.

Oh, also, have you heard of ATT U-Verse?

http://www.att.com/gen/press-room?pid=4800cdvn=newsnewsarticleid=26580

ATT U-verse TV is the only 100 percent Internet Protocol-based
television (IPTV) service offered by a national service provider

So even the likes of ATT, in this scheme, could buy fiber paths to their
subs and provide TV service.  I'm pretty sure ATT knows how to deliver
voice services over IP as well.

Do you want more examples?  I bet I can come up with 50 small/regional
telecom companies that are providing TV services over IP in North America
if I put my mind to it.




--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Announcing a reserved ASN?

2013-02-03 Thread Brandon Ross
I strongly recommend that you read about and fully understand how 4-byte 
ASNs work, and their use of AS23456 before you continue this thread.


On Sun, 3 Feb 2013, Suresh Ramasubramanian wrote:


I do believe, as has been pointed out to me elsewhere that this is what
shows up when there's a 64 bit ASN and router software that doesn't grok 64
bit ASNs

So, completely by chance that one such as belongs to what looks like a bulk
mailer

--srs (htc one x)
On 03-Feb-2013 9:02 PM, Dave Pooser dave.na...@alfordmedia.com wrote:


On 2/3/13 9:04 AM, Rich Kulawiec r...@gsp.org wrote:


On Sun, Feb 03, 2013 at 06:12:32PM +0530, Suresh Ramasubramanian wrote:

AS23456 is currently announcing a good few netblocks (which don't have a
very good smtp reputation, by the way).


To say the least.  A quick rDNS scan reveals that those netblocks include:

  8448  addresses
  6932  return nxdomain
  512   return servfail
  1004  with rDNS entries

Those 1004 hosts with rDNS account for 36 domains:


snip long list of spammy domains

Just as another data point, the domain names you listed hit on enough URL
blacklists that Spamassassin quarantined the message for me (and would
have rejected it during the SMTP transaction had the NANOG server not been
listed on DNSWL-High). Spam hosts plus fake ASN = paging the Spamhaus DROP
maintainers to the white courtesy phone
--
Dave Pooser
Manager of Information Services
Alford Media  http://www.alfordmedia.com








--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross
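
How AS23456 ends up looking like an origin, as an added example that is not part of any post in this thread: AS 23456 is AS_TRANS, which RFC 6793 substitutes for 4-byte ASNs in the AS_PATH sent to 2-byte-only speakers while the real path travels in AS4_PATH. The prefixes and ASNs are constructed from documentation ranges, the function names are hypothetical, and only plain AS_SEQUENCE paths are modelled.

```python
AS_TRANS = 23456  # reserved placeholder for 4-byte ASNs (RFC 6793)

# Constructed true AS paths (origin last) as held by the last 4-byte-capable
# speaker before a 2-byte-only neighbor. ASNs are documentation values.
CONSTRUCTED = {
    "192.0.2.0/24": [64500, 65536],     # 4-byte origin behind a 2-byte transit
    "198.51.100.0/24": [65551],         # 4-byte origin peering directly
    "203.0.113.0/24": [64500, 64502],   # all 2-byte, no AS4_PATH needed
}
OLD_SPEAKER_AS = 64501  # constructed 2-byte-only AS in front of the observer


def encode_for_old_speaker(path):
    """What a 4-byte speaker sends to a 2-byte-only neighbor."""
    as_path = [asn if asn <= 0xFFFF else AS_TRANS for asn in path]
    # AS4_PATH is only attached when something had to be substituted.
    as4_path = list(path) if any(asn > 0xFFFF for asn in path) else None
    return as_path, as4_path


def old_speaker_forward(local_as, as_path, as4_path):
    """A 2-byte-only speaker prepends itself and passes AS4_PATH untouched."""
    return [local_as] + list(as_path), as4_path


def reconstruct(as_path, as4_path):
    """Rebuild the real path the way a 4-byte speaker does on receipt."""
    if as4_path is None or len(as_path) < len(as4_path):
        return list(as_path)  # nothing to merge, or AS4_PATH is not usable
    keep = len(as_path) - len(as4_path)  # hops added by 2-byte-only speakers
    return list(as_path[:keep]) + list(as4_path)


def build_routes():
    """Routes as the observer receives them from OLD_SPEAKER_AS."""
    routes = {}
    for prefix, true_path in CONSTRUCTED.items():
        as_path, as4_path = encode_for_old_speaker(true_path)
        routes[prefix] = old_speaker_forward(OLD_SPEAKER_AS, as_path, as4_path)
    return routes


def origins(routes, four_byte_aware):
    """Group prefixes by the origin AS a tool would report."""
    result = {}
    for prefix, (as_path, as4_path) in routes.items():
        path = reconstruct(as_path, as4_path) if four_byte_aware else as_path
        result.setdefault(path[-1], []).append(prefix)
    return result


if __name__ == "__main__":
    routes = build_routes()
    print("2-byte-only view :", origins(routes, four_byte_aware=False))
    print("4-byte-aware view:", origins(routes, four_byte_aware=True))
```

In the 2-byte-only view two unrelated networks collapse into a single apparent origin, AS23456, which is why reputation or attribution work should be done on the reconstructed path.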



RE: Will wholesale-only muni actually bring the boys to your yard?

2013-02-02 Thread Brandon Ross

On Fri, 1 Feb 2013, Frank Bulk (iname.com) wrote:

What's missing in this dialogue is the video component of an offering. 
Many customers like a triple (or quad) play because the price points are 
reasonably comparable to getting unbundled pricing from more than one 
provider, and they have just one throat to choke and bill to pay.


I must be missing something here.  Why would a triple play using IPTV and 
VOIP be unachievable in this model?


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Will wholesale-only muni actually bring the boys to your yard?

2013-02-02 Thread Brandon Ross

On Sat, 2 Feb 2013, Jay Ashworth wrote:


Available Providers.

The City, remember, won't be doing L3, so we'd need to find someone who
was doing that.  You know how big a job it is to be a cable company?


I would think in this model that the city would be prohibited from 
providing those services.


Perhaps I live in a different world, but just about all of the small to 
midsize service providers I work with offer triple play today, and nearly 
all of them are migrating their triple play services to IP.


If rural telco in Alabama or Mississippi can deliver triple play, surely a 
larger provider somewhere like NYC can do as well, no?


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Will wholesale-only muni actually bring the boys to your yard?

2013-02-02 Thread Brandon Ross

On Sat, 2 Feb 2013, Jay Ashworth wrote:


Perhaps I live in a different world, but just about all of the small to
midsize service providers I work with offer triple play today, and nearly
all of them are migrating their triple play services to IP.


Really.  Citations?  I'd love to see it play that way, myself.


Okay:

South Central Rural Telephone
Glasgow, KY
http://www.scrtc.com/
Left side of page, Digital TV service.  See this news article:

http://www.wcluradio.com/index.php?option=com_contentview=articleid=15567:capacity-crowd-hears-good-report-at-scrtc-annuan-mee

He also reported that SCRTC is continuing to upgrade our services, 
converting customers to the new IPTV service and trying to get as much 
fiber optic cable built as possible.


Camellia Communications
Greenville, AL
http://camelliacom.com/services/ctv-dvr.html
Note the models of set-top boxes they are using are IP based

Griswold Cooperative Telephone
Griswold, IA
http://www.griswoldtelco.com/griswold-coop-iptv-video

Farmer's Mutual Cooperative Telephone
Moulton, IA
http://farmersmutualcoop.com/

Citizens
Floyd, VA
http://www.citizens.coop/


How about a Canadian example you say?

CoopTel
Valcourt, QB
http://www.cooptel.qc.ca/en-residentiel-tele-guidesusager.php
Check out the models of set-top boxes here too.

Oh, also, have you heard of ATT U-Verse?

http://www.att.com/gen/press-room?pid=4800cdvn=newsnewsarticleid=26580

ATT U-verse TV is the only 100 percent Internet Protocol-based 
television (IPTV) service offered by a national service provider


So even the likes of ATT, in this scheme, could buy fiber paths to their 
subs and provide TV service.  I'm pretty sure ATT knows how to deliver 
voice services over IP as well.


Do you want more examples?  I bet I can come up with 50 small/regional 
telecom companies that are providing TV services over IP in North America 
if I put my mind to it.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Fwd: Rollup: Small City Municipal Broadband

2013-02-02 Thread Brandon Ross

On Sat, 2 Feb 2013, Scott Helms wrote:

I'd also talk with Zhone, Allied Telesys, Adtran, and Cisco if for no 
other reason but get the best pricing you can.


I can't believe I'm going to beat Owen to this point, but considering you 
are building a brand new infrastructure, I'd hope you'd support your service 
provider's stakeholders if they want to do IPv6.  To do so securely, 
you'll want your neutral layer 2 infrastructure to at least support 
RA-guard and DHCPv6 shield.  You might also want/need DHCPv6 PD snooping, 
MLD snooping.  We have found VERY disappointing support for these features 
in this type of gear.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Followup: Small City Municipal Broadband

2013-02-02 Thread Brandon Ross

On Sat, 2 Feb 2013, Jay Ashworth wrote:


6) And pursuant to 3, perhaps I could even set up the IPTV service and
resell that to the L3 provider to bundle with their IP service, so
they don't have to do it themselves; while it's not as difficult as I
had gathered, it's still harder than them doing VoIP as part of their
own triple-play.


So you are going to prohibit the operator of the fiber plant from running 
layer 3 services, but then turn around and let them offer IPTV?  That 
seems quite inconsistent to me.  And just because it's hard?


Running a decent layer 3 service is hard too.  Isn't the whole point to 
let these service providers compete with each other on the quality and 
cost of their services?


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Followup: Small City Municipal Broadband

2013-02-02 Thread Brandon Ross

On Sat, 2 Feb 2013, Jay Ashworth wrote:


- Original Message -

From: Brandon Ross br...@pobox.com



6) And pursuant to 3, perhaps I could even set up the IPTV service and
resell that to the L3 provider to bundle with their IP service, so
they don't have to do it themselves; while it's not as difficult as I
had gathered, it's still harder than them doing VoIP as part of
their own triple-play.


So you are going to prohibit the operator of the fiber plant from
running layer 3 services, but then turn around and let them offer IPTV? That
seems quite inconsistent to me. And just because it's hard?


No; I wouldn't offer it retail; I'd offer it to all provider-comers
wholesale, at cost plus, just like everything else.


It sure seems like just pushing the competition (or lack thereof) up the 
stack.



Running a decent layer 3 service is hard too. Isn't the whole point to
let these service providers compete with each other on the quality and
cost of their services?


You could say the same thing about the uplink,


Which uplink is that?  I'm a little confused.

though; I note you didn't throw a flag at that, or at Akamai; is the 
IPTV issue different to you?


If you were to open your colo to all comers that have similar models to 
Akamai, that seems fair.  After all, it's not the city selling Akamai 
services to either the ISPs or end-users, the city is just providing a 
convenient way for the providers that are there to interconnect with 
content providers that care to show up.


Now if you were to encourage an IPTV services provider that WASN'T the 
city to co-locate at the facility, that seems reasonable as long as terms 
were even if another one wanted to show up.  I could imagine that some 
might sell service direct retail, others might go wholesale with one of 
the other service providers.  Maybe both?


This whole thing is the highway analogy to me.  The fiber is the road. 
The city MIGHT build a rest stop (layer 2), but shouldn't be allowed to 
either be in the trucking business (layer 3), nor in the 
business of manufacturing the products that get shipped over the road 
(IPTV, VOIP, etc.), and the same should apply to the company that 
maintains the fiber, if it's outsourced.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Followup: Small City Municipal Broadband

2013-02-02 Thread Brandon Ross

On Sat, 2 Feb 2013, Jay Ashworth wrote:


- Original Message -

From: Brandon Ross br...@pobox.com



Running a decent layer 3 service is hard too. Isn't the whole point to
let these service providers compete with each other on the quality and
cost of their services?


You could say the same thing about the uplink,


Which uplink is that? I'm a little confused.


My colo's uplinks to the world, which were one of three things I proposed
offering at wholesale to ISPs.


I guess I missed that.  You are saying that you would aggregate/resell 
transit bandwidth in your colo?  I would argue against that as well.  I'd 
suggest making sure your colo had adequate entrance facilities to allow 
whomever wants to provide upstream service there to show up, and allow 
them access to the fiber, which you already effectively have done.



though; I note you didn't throw a flag at that, or at Akamai; is the
IPTV issue different to you?


If you were to open your colo to all comers that have similar models
to Akamai, that seems fair. After all, it's not the city selling Akamai
services to either the ISPs or end-users, the city is just providing a
convenient way for the providers that are there to interconnect with
content providers that care to show up.


Precisely.  Akamai's business model is that they just show up?  Me and
my ISPs don't have to pay them?


I guess as far as putting an Akamai server in a colo/on an exchange, I 
assumed they didn't charge, but now that you mention it, I don't have 
first hand knowledge of that.  I certainly would suggest that the city 
should not pay for anyone to show up at the colo, but allow them access if
they care to do so on equal footing.

Of course Akamai charges for their services, that's a bit different than 
just exchanging traffic.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667  ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross  Skype:  brandonross



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Brandon Ross

On Thu, 17 Jan 2013, Mike Jones wrote:


If you follow this list then you should already know the answer,
functional* IPv6 deployments.


AND game developers who build IPv6 functionality into their products.  Do 
you hear us, PS3 and Xbox?


Oscar, make sure you are telling your favorite game developers that they 
need to support IPv6 if they want to avoid the NAT mess.


--
Brandon Ross                  Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                       ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross    Skype:  brandonross



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Brandon Ross

On Thu, 17 Jan 2013, Constantine A. Murenin wrote:


I'm currently using NAT44, with at least two layers of 802.11g
WiFi and 5 routers that seem to be doing independent NAT.  Two of them
are mine, then the other 3 are of the ISP, to whom I connect through
802.11g, and it generally works just fine; traceroute on the final
hosts shows 5 first hops being in various separate 192.168.0.0/16 and
10.0.0.0/8 networks.


Is the output of traceroute you reference above what you base your 
supposition on that you are behind multiple NATs?  Or do you have some 
other information indicating so?


--
Brandon Ross                  Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                       ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross    Skype:  brandonross



Re: IP Address Management IPAM software for small ISP

2012-12-13 Thread Brandon Ross
I think 6connect is well worth an eval as well.  We've been using it for 
the InteropNet for a couple of years now and it nicely meets our needs in 
both v4 and v6, and since you can get it as a hosted application, for a 
small shop there's zero maintenance.


--
Brandon Ross                  Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                       ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross    Skype:  brandonross



Re: Long and unabbreviatable IPv6 addresses with random overloaded bits, vs. tunnelbroker

2012-11-18 Thread Brandon Ross

On Sun, 18 Nov 2012, Constantine A. Murenin wrote:


I came across an interesting problem in trying to find an affordable
KVM provider with IPv6 support.


Does affordable mean cheap?...


I've tried contacting them in an effort to receive any kind of a
proper IPv6 address without the plaintext IPv4 embedment, but
they've given me all sorts of crazy and (IMHO) far-sketched excuses;


So you've contacted cheapo providers and you are now surprised that they 
can't afford to hire people who know what they are talking about?



(HE's tunnelbroker.net, on the other hand, has no problem in giving
out IPv6 addresses that, when abbreviated, can be represented by the
same number of ASCII characters as an IPv4 address; for free, might I
add.)


Clearly HE has people who know what they are doing when it comes to IPv6, 
probably because they have made a MAJOR investment in both people and 
infrastructure to do so.


Explain again why you aren't using HE for your services?


--
Brandon Ross                  Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                       ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross    Skype:  brandonross



Re: Big Temporary Networks

2012-09-14 Thread Brandon Ross

On Thu, 13 Sep 2012, Jay Ashworth wrote:


Get lots of IP addresses. A /16 probably still can be borrowed for
this kind of event. I know RIPE had rules and addresses for this kind of
use a couple years ago, at least.


Indeed?  I did not see that coming.  Hell, perhaps Interop could be talked
into loaning me a /16.  :-)


<dons Interop hat>You might think you are joking, but if it doesn't 
overlap with an existing commitment, we can probably make that 
happen.</dons>


--
Brandon Ross                  Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                       ICQ:  2269442
Schedule a meeting:  https://tungle.me/bross Skype:  brandonross



Adtran NetVanta deployment experience

2012-07-17 Thread Brandon Ross
I'd like to speak to someone who's had deployment experience around the 
Adtran NetVanta product line that has used its firewalling and/or VPN 
functionality.  Feel free to reply off-list.  I'm trying to get an idea of 
real-world performance expectations.


--
Brandon Ross                  Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                       ICQ:  2269442
Schedule a meeting:  https://tungle.me/bross Skype:  brandonross



Re: using reserved IPv6 space

2012-07-13 Thread Brandon Ross

On Fri, 13 Jul 2012, Owen DeLong wrote:


On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:


keep life simple.  use global ipv6 space.

randy


Though it is rare, this is one time when I absolutely agree with Randy.


It's even more rare for me to agree with Randy AND Owen at the same time.

--
Brandon Ross                  Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                       ICQ:  2269442
Schedule a meeting:  https://tungle.me/bross Skype:  brandonross



Re: whoi modify question

2011-06-17 Thread Brandon Ross

On Fri, 17 Jun 2011, Patrick Darden wrote:


My mistake.  Apologies.


It happens, but:


On 06/17/2011 01:03 PM, Joel Jaeggli wrote:

On Jun 17, 2011, at 9:57 AM, Darden, Patrick S. wrote:

The short answer is you can't.  ARIN only cares about /24s or bigger.  If 
the network were a /24 or larger, then your customer would need to get an 
ASN (autonomous system number) and then you could register the network to 
them.


I'm afraid there's also no requirement at all for an ASN regardless of 
the size of your address block.  ASNs are required for running BGP.  You 
can easily static route even a /8 (and I've done it on occasion).


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: NANOG 52 - Room block filling up!

2011-05-23 Thread Brandon Ross
For what it's worth, the hotel appears to be completely booked the nights 
of the 14th and 15th.


On Mon, 23 May 2011, Michael K. Smith - Adhost wrote:


Hello All:

NANOG 52 in Denver is fast approaching.  If you're planning on attending and 
want to get the benefits of the NANOG room rate, you should consider signing up 
as soon as possible.  We're at 85% of our room block capacity and the cutoff 
date for the NANOG rate is May 29th at 5:00 PM Denver time (GMT -6).  For more 
information please see http://www.nanog.org/meetings/nanog52/index.php.

Regards,

Mike

--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)





--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: NANOG 52 - Room block filling up!

2011-05-23 Thread Brandon Ross
I take that back, it shows as booked if you go through normal booking 
channels, if you use the starwoodmeetings URL in the NANOG meeting 
information page it shows availability.


On Mon, 23 May 2011, Brandon Ross wrote:

For what it's worth, the hotel appears to be completely booked the nights of 
the 14th and 15th.


On Mon, 23 May 2011, Michael K. Smith - Adhost wrote:


Hello All:

NANOG 52 in Denver is fast approaching.  If you're planning on attending 
and want to get the benefits of the NANOG room rate, you should consider 
signing up as soon as possible.  We're at 85% of our room block capacity 
and the cutoff date for the NANOG rate is May 29th at 5:00 PM Denver time 
(GMT -6).  For more information please see 
http://www.nanog.org/meetings/nanog52/index.php.


Regards,

Mike

--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)








--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Yahoo and IPv6

2011-05-09 Thread Brandon Ross

On Mon, 9 May 2011, Arie Vayner wrote:


What disturbs me is the piece saying We recommend disabling
IPv6 <http://us.lrd.yahoo.com/_ylt=ArHGqIAYvt_4fpp3N3vLzmNRJ3tG/SIG=11vv8jc1f/**http%3A//help.yahoo.com/l/us/yahoo/ipv6/general/ipv6-09.html>,
with a very easy link...


Even more disturbing than that is that when I run a test from here it says 
that I have broken v6.  But I don't have broken v6 and test-v6.com proves 
it with a 10/10.  This Yahoo tool doesn't seem to even give a hint as to 
what it thinks is broken.


Can anyone from Yahoo shed some light on what this tool is doing and how 
to get it to tell us what it thinks is broken?


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Current recommendations for 2 x full bgp feed

2011-05-08 Thread Brandon Ross

On Sun, 8 May 2011, Brent Jones wrote:


Juniper is also making small enterprise routers based on the MX80
platform, but with reduced number of interfaces. They should be out
soon


They are effectively already out in that they have a deep discount on 
restricted bundles.  Basically the bundles license only some or none of 
the 10GbE ports or only 1 of the MIC slots (there's like 3 or 4 of them). 
The price is pretty darn good considering what you get.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Re: v6 Avian Carriers?

2011-04-01 Thread Brandon Ross

On Fri, 1 Apr 2011, GP Wooden wrote:


I wonder if the carrier would survive a DoS attack ...


I'm not sure about that, but we know that, if a Sullenberger unit has been 
installed, a large aircraft can survive a DoS attack perpetrated by the 
avian carrier.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: v6 Avian Carriers?

2011-04-01 Thread Brandon Ross

On Fri, 1 Apr 2011, Owen DeLong wrote:


Not true.

The occupants of the aircraft survived. The aircraft did not.


Hm, in my recollection the payload made it to the destination.  Perhaps 
the route was a bit unexpected though.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Brandon Ross

On Wed, 30 Mar 2011, Ronald F. Guilmette wrote:


So that _really_ begs the question... Why did Circle Internet and (apparently)
Level3's customer, BANDCON, blindly accept _any_ sort of assertion that the
crook who hijacked these two /16s had the right to use them?


What makes you think it was blind?  The standard industry practice is to 
ask someone requesting to announce a route for a letter on the owner's 
letter head authorizing the announcement.  Is it really that hard to 
invent some letterhead and sign a letter?


It's probably one of the easiest to circumvent security procedures ever.

Frankly it's a giant waste of time and does nothing other than frustrate 
legitimate work.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-30 Thread Brandon Ross

On Wed, 30 Mar 2011, Ross Harvey wrote:


Wait a second, I'm pretty sure that in most contexts, a signature or
letterhead means not so much this is real because it's so obviously
genuine, but rather:

This is real or I am willing to take a forgery rap.


Do you think most providers check the signer's ID to make sure they 
actually signed their own name?  How do you prove that whomever you accuse 
of signing it actually forged it if not?


Does anyone know of there ever being even a single case where someone was 
convicted of forgery for this?


--
Brandon Ross  AIM:  BrandonNRoss
ICQ:  2269442
Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Ranges announced by Level3 without permitions.

2011-03-03 Thread Brandon Ross

On Thu, 3 Mar 2011, Alfa Telecom wrote:

Both ranges are from RIPE region and couldn't be announced from ARIN ASN at 
all.


Your premise is incorrect.  Any block from any RIR can be announced by any 
ASN.


We're sponsored LIR for both companies, I sent several emails to Level3 
noc, made several calls but they still announce these ranges.


Why should they stop announcing them?  Do you believe they have been 
hijacked?  If these companies have decided to contract with another 
transit provider, you cannot stop them from doing so in this way.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Ranges announced by Level3 without permitions.

2011-03-03 Thread Brandon Ross

On Thu, 3 Mar 2011, Alfa Telecom wrote:


On 03/03/2011 03:25 PM, Brandon Ross wrote:

On Thu, 3 Mar 2011, Alfa Telecom wrote:

Both ranges are from RIPE region and couldn't be announced from ARIN ASN 
at all.


Your premise is incorrect.  Any block from any RIR can be announced by any 
ASN.

1) All routing data must be present at the RIPE DB. If you work with RIPE DB 
you could see that webtools don't allow you to create route to ASN not from 
RIPE region.

2) RIPE IP Usage policy doesn't allow to route RIPE IPs from non-RIPE region.


Your premise is still wrong.  Only networks that use the RIPE DB care 
about what's in the RIPE DB.  There is no requirement for Level 3 to use 
it.  There is no law that says they have to.


We're sponsored LIR for both companies, I sent several emails to Level3 
noc, made several calls but they still announce these ranges.


Why should they stop announcing them?  Do you believe they have been 
hijacked?  If these companies have decided to contract with another transit 
provider, you cannot stop them from doing so in this way.


IPs are announced by Level3... I respect this company but looks like Level3 
is scammed and currently announce without necessary permissions.


Again, do you believe these networks are hijacked?  If they are in 
legitimate use by the companies that they are allocated to in whois, then 
there is no scam.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Verizon MPLS service in Anchorage

2011-02-24 Thread Brandon Ross

On Thu, 24 Feb 2011, lists lists wrote:


I'm seeing that packets marked as DSCP EF are given fantastic treatment (low
jitter, no packet loss), but other packets, including AF41, AF31, and BE are
given what appears to be the junk bucket treatment.


Hah, just a few days ago I spoke with an engineer at VZ that tried to 
claim that each of the treatments were different, but that they only 
charged extra for EF.  I asked why I shouldn't just put all my traffic in 
the highest free treatment and beat out all the other customers for the 
best treatment for mine.  He told me that most of his customers weren't 
trying to get their traffic through at the expense of other customers.


Anyway, despite what their engineers say, only EF is actually treated on 
the VZ network better than BE, the rest are just to prioritize traffic at 
your own egress port.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: anyone running GPS clocks in Southeastern Georgia?

2011-01-22 Thread Brandon Ross

On Fri, 21 Jan 2011, Gary E. Miller wrote:


For non pilots, RAIM is an indicator that the GPS has a redundant
solution that matches the barometrically measured altitude.


I know this is off topic, but I don't like to let incorrect information 
float around uncorrected.


RAIM never uses any data outside of GPS to confirm position, it is based 
entirely on more than the minimum number of satellites needed for a basic 
position to calculate redundant solutions, which means a minimum of 5 
satellites.


If this were not the case, it would be impossible to get a RAIM 
prediction (using data about out of service sats) in advance of a 
flight.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Is NAT can provide some kind of protection?

2011-01-15 Thread Brandon Ross

On Sat, 15 Jan 2011, Brian Keefer wrote:

Actually there are a couple very compelling reasons why PAT will 
probably be implemented for IPv6:


You are neglecting the most important reason, much to my own disdain. 
Service providers will continue to assign only a single IP address to 
residential users unless they pay an additional fee for additional 
addresses.  Since many residential users won't stand for an additional 
fee, pressure will be placed on CPE vendors to include v6 PAT in their 
devices.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Is NAT can provide some kind of protection?

2011-01-15 Thread Brandon Ross

On Sat, 15 Jan 2011, Owen DeLong wrote:


I really doubt this will be the case in IPv6.


I really hope you are right, because I don't want to see that either, 
however...


Why do you suppose they did that before with IPv4?  Sure you can make the 
argument NOW that v4 is in scarce supply, but 10 years ago it was still 
the case.


Has Comcast actually come out and committed to allowing me to have as many 
IPs as I want on a consumer connection in the most basic, cheapest 
package?  Has any other major provider?


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Is NAT can provide some kind of protection?

2011-01-15 Thread Brandon Ross

On Sun, 16 Jan 2011, Mark Smith wrote:


How do you know - have you asked 100% of the service providers out
there and they've said unanimously that they're only going to supply a
single IPv6 address?


Huh?  Who said anything about 100%?  It would take only a single 
reasonably sized provider that has a monopoly in a particular area (tell 
me that doesn't happen) or a pair of them that have a duopoly (almost 
everywhere in the US) and you instantly have huge incentive for someone to 
write some v6 PAT code.


Believe me, I'm the last person who wants to see this happen.  It's a 
horrible, moronic, bone-headed situation.  Unfortunately, I'm pretty sure 
it's going to happen because it's been the status quo for so long, and 
because some marketing dweeb will make the case that the provider is 
leaving revenue on the table because there will always be some customers 
who aren't clever enough to use NAT and will buy the upgraded 5 pack 
service.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-12-02 Thread Brandon Ross

On Thu, 2 Dec 2010, Matthew Petach wrote:


So, one wonders why Level3 didn't just say look, I'm the vendor,
you're the customer; the customer pays the vendor for service,
period.


There's no wonder here at all.  It's not at all hard to imagine the 
conversation:


Level3:  I'm the vendor, you're the customer; the customer pays the vendor 
for service, period.


Comcast:  Okay vendor, we aren't going to pay you any more.  Go ahead and 
shut down our circuits.  We'll go ahead and pay you the early termination 
penalties or whatever, but keep in mind that the Level3 network has no way 
to reach Comcast through any other path thanks to our clever routing 
tricks, so your customers, including Netflix, won't be able to reach our 
customers.


Level3:  But, but, but, you are the customer!

Comcast:  Go ahead, shut us down, we dare you.  Perhaps you'll want to 
find someone to buy transit from that CAN reach us?


I have to say, it's not that hard to imagine because it's exactly what I 
would have done in their position.  If I were them, I would then proceed 
to do the exact same thing to every other vendor that they have until 
they are a transit free network.  Then I might even start demanding 
payments from my peers.  Why not?  Comcast has all the power.


It's exactly what the government has incentivized them to do by allowing 
them to have all of those cable monopolies around the country.  That's 
right, government is the real problem here, Comcast is simply acting in 
their own best interest.  Now where did I put that CMCS stock...


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Network management software with high detailed traffic report

2010-11-22 Thread Brandon Ross

On Mon, 22 Nov 2010, Nick Hilliard wrote:

some do, some don't.  For example, sup720 snmp counters are updated every 9 
seconds, while the show interface counters are updated every 30 seconds.


That is most certainly NOT true.  The 'show interface' counters update at 
least once a second.  Perhaps you are thinking about the rate counters 
that are often _configured_ to use the last 30 seconds of data to compute 
the average but also update much more often than every 30 seconds (and 
default to a 5 minute average).


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: IPv6 fc00::/7 — Unique local addresses

2010-10-21 Thread Brandon Ross

On Thu, 21 Oct 2010, Graham Beneke wrote:


On 21/10/2010 03:49, Matthew Kaufman wrote:

On 10/20/2010 5:51 PM, Owen DeLong wrote:


Part 2 will be when the first provider accepts a large sum of money to
route it within their public network between multiple sites owned by
the same customer.


Is this happening now with RFC 1918 addresses and IPv4?


I have seen this in some small providers. Doesn't last long since the chance 
of collision is high. It then becomes a VPN.


I know for a fact that an extremely large tier 1 routed RFC1918 address 
space for an extremely large cable company at one time (and no, I don't 
mean 2547 or anything like that).  I have no idea if this is still 
occurring, but when this very large cable company needed to use more 
private addresses they actually would ask the tier 1 for an assignment in 
order to avoid collision.


I don't see the problem with ULA though, sure, someone will route it, but 
not everyone, just those getting paid to.  It's actually the perfect 
solution to routing table bloat as there is a financial relationship 
between the parties that announce space and the networks that carry it.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: ARIN recognizes Interop for return of more than 99% of 45/8 address block

2010-10-20 Thread Brandon Ross

On Wed, 20 Oct 2010, Jeroen Massar wrote:


[John, is 45.127.0.0/16 one of the two blocks they keep, or is it
hijacked already? :) ]


I can authoritatively say, yes it is.  We (Interop) are not announcing any 
part of 45/8 at the moment, and don't plan to do so until the return is 
complete.  I'll attempt to contact the players involved here and get 
45.127/16 taken down.  If anyone is listening that can help, it would be 
appreciated.  I'm not subscribed to NANOG with the official address, but I 
can be reached at br...@interop.net as well.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: NANOG Digest, Vol 33, Issue 91

2010-10-20 Thread Brandon Ross

On Wed, 20 Oct 2010, Rudolph Daniel wrote:


We all are waving flags about the return of one solitary /8 to ARIN, (which
is a good thing)  but should we not wave flags about new v6 networks too?


Then I would also like to point out that Interop is fully dual-stacked 
both for exhibitors and the attendee wireless network.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: ARIN recognizes Interop for return of more than 99% of 45/8 address block

2010-10-20 Thread Brandon Ross

On Wed, 20 Oct 2010, Brandon Ross wrote:


On Wed, 20 Oct 2010, Jeroen Massar wrote:


[John, is 45.127.0.0/16 one of the two blocks they keep, or is it
hijacked already? :) ]


I can authoritatively say, yes it is.


I spoke too soon.  It is not hijacked, it's simply old cruft from an old 
show that we didn't have removed.  We'll take care of it shortly.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Should routers send redirects by default?

2010-08-20 Thread Brandon Ross

On Fri, 20 Aug 2010, valdis.kletni...@vt.edu wrote:


Until a PC or something on the network gets pwned, and issues selective forged
ICMP redirects to declare itself a router and the appropriate destination for
some traffic, which it can then MITM to its heart's content. *Then* you truly
have a manure-on-fan situation.


I believe the question was along the lines of, why do I turn this off on 
my router?


How does turning off ICMP redirects on the router prevent a rogue PC from 
sending ICMP redirects to its neighbors?


I'm in the same boat here.  I know there's a lot of conventional wisdom 
that says to turn it off, but I'm yet to hear a convincing argument as to 
why I should bother.  Now configuring your hosts to ignore them, that I 
could understand.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Should routers send redirects by default?

2010-08-20 Thread Brandon Ross

On Fri, 20 Aug 2010, Jared Mauch wrote:

The issue is routers typically do this in software requiring a punt and 
CPU theft from bgp, ospf etc.


You mean like ICMP echo, ICMP can't fragment, ICMP unreachable...?

--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Should routers send redirects by default?

2010-08-20 Thread Brandon Ross

On Fri, 20 Aug 2010, Ricky Beam wrote:

I think it's almost universally disabled (by default) everywhere in IPv4 
purely for security (traffic interception.)


Okay, I'll ask again.  Exactly how does disabling ICMP redirects on my 
router prevent traffic from being intercepted?


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Should routers send redirects by default?

2010-08-20 Thread Brandon Ross

On Fri, 20 Aug 2010, Ricky Beam wrote:


On Fri, 20 Aug 2010 20:08:34 -0400, Brandon Ross br...@pobox.com wrote:

Okay, I'll ask again.  Exactly how does disabling ICMP redirects on my 
router prevent traffic from being intercepted?


It stops *one vector* of MITM attack.  If a router honors redirects (and it 
never should), an evil host can intercept traffic of hosts that aren't on the 
local network.


Are you saying that turning off the transmittal of ICMP redirects on most 
routers will simultaneously disable the honoring of ICMP redirects that 
that router receives?


If that's not what you are saying then you are wrong.


This is 5000% beyond the scope of the original question, btw.


I disagree.  The decision about whether or not a feature should be on by 
default or not should be clear evidence that said feature is/could be 
harmful.


So far I have not heard a single compelling argument for how the 
_transmittal_ of ICMP redirects can cause any significant harm to a 
network other than what the other typical protocols that are enabled by 
default (ping, can't fragment, etc) cause.  I will make the statement:


The transmittal of ICMP redirects by a router _cannot_ be exploited to 
create a man in the middle attack.


Before anyone responds to that statement, please read it very carefully. 
This statement does not comment on whether a host or router should be 
configured to _receive_ an ICMP redirect and act on it, that clearly can 
be used to create a MITM attack.


How many of you that routinely disable ICMP redirect on your routers also 
routinely disable the reception of ICMP redirects on your hosts?  For 
those of you that do not, why not?


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss
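
The message above separates a router transmitting ICMP redirects from a host or router acting on ones it receives. As an added example (not part of the original post), the script below parses Linux `sysctl -a` style output and works out, per interface, whether the kernel would accept or send IPv4 redirects, then lists the settings needed to stop acceptance. It assumes Linux sysctl semantics; the sample text and interface names are constructed.

```python
import re

# Constructed sample in the format `sysctl -a` prints on Linux. The interface
# names and values are made up for this example.
SAMPLE = """\
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth1.accept_redirects = 1
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth2.forwarding = 0
"""

KEYS = ("accept_redirects", "send_redirects", "forwarding")
# sysctl prints a dot inside an interface name as "/", so the interface
# component itself never contains a dot.
LINE = re.compile(r"^net\.ipv4\.conf\.([^.\s]+)\.(\w+)\s*=\s*(\d+)$")


def parse(text):
    """Return {interface: {key: bool}} for the three keys of interest."""
    conf = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(2) in KEYS:
            conf.setdefault(m.group(1), {})[m.group(2)] = m.group(3) != "0"
    return conf


def audit(text):
    """Compute the effective redirect behaviour of each real interface."""
    conf = parse(text)
    glob = conf.get("all", {})
    report = {}
    for iface in sorted(conf):
        if iface in ("all", "default"):
            continue
        own = conf[iface]
        fwd = own.get("forwarding", False)
        g_acc = glob.get("accept_redirects", False)
        i_acc = own.get("accept_redirects", False)
        # Receiving side: a forwarding interface accepts redirects only if
        # BOTH the "all" and the per-interface knob are on; a non-forwarding
        # (host) interface accepts them if EITHER knob is on.
        accepts = (g_acc and i_acc) if fwd else (g_acc or i_acc)
        # Transmitting side: either knob enables it, and only an interface
        # that forwards packets ever emits a redirect.
        sends = fwd and (glob.get("send_redirects", False)
                         or own.get("send_redirects", False))
        report[iface] = {"forwarding": fwd, "accepts": accepts, "sends": sends}
    return report


def hardening_lines(text):
    """sysctl.d lines that stop every listed interface acting on redirects."""
    conf = parse(text)
    glob_on = conf.get("all", {}).get("accept_redirects", False)
    lines = []
    for iface, state in audit(text).items():
        if not state["accepts"]:
            continue
        wanted = []
        if conf[iface].get("accept_redirects", False):
            wanted.append(f"net.ipv4.conf.{iface}.accept_redirects = 0")
        # On a host interface the "all" knob alone is enough to enable
        # acceptance, so it has to be cleared as well.
        if not state["forwarding"] and glob_on:
            wanted.append("net.ipv4.conf.all.accept_redirects = 0")
        lines.extend(w for w in wanted if w not in lines)
    return lines


if __name__ == "__main__":
    for iface, state in audit(SAMPLE).items():
        print(iface, state)
    print("\n".join(hardening_lines(SAMPLE)))
```
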



Re: Out-of-band paging (was: Web expert ...)

2010-07-28 Thread Brandon Ross

On Wed, 28 Jul 2010, Joel M Snyder wrote:

It's completely out-of-band, even more so than our old 
touch-tone-phone-paging system was, so I'm actually happier with the total 
performance.  Given that GSM coverage is increasing while pager coverage 
seems static or decreasing, SMS via out-of-band GSM looks like a great 
solution.


Be wary, there is a fast growing trend amongst mobile operators to 
outsource backhaul from their towers to IP network operators.  So far 
there are only a few that are using the same network as for other IP 
traffic, but the economy of scale motivations to combine onto a single IP 
network are strong and will not be resisted for long.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: U.S. Plans Cyber Shield for Utilities, Companies

2010-07-08 Thread Brandon Ross

On Wed, 7 Jul 2010, Michael Painter wrote:


Have we all gone mad?
I find it hard to understand that a nuclear power plant, air-traffic control 
network, or electrical grid would be 'linked' to the Internet in the interest 
of 'efficiency'.  Air gap them all and let them apply for Inefficiency 
Relief from the $100 million relief fund.


Absolutely!  For example, those thousands of flight plans filed every day 
by airlines across the globe, not to mention private flights, should be 
done manually the old fashioned way, with a paper form and stopping by 
your local FAA office where a human keys them into the ATC computer.  Oh 
wait, we closed all of those offices when we moved all of those functions 
to the Internet.  I guess we'll just have to re-open them.


And flight tracking data that airlines and freight companies use to track 
their aircraft, yea, let's cut those off too.  If they want to know where 
their plane is, just have them call the FAA.  Surely the government can 
staff some huge call centers to handle the load of each airline calling 
about each flight every few minutes.


Heck, removing all of these functions from the Internet will create jobs, 
too, right?  And no one would mind paying for all of this out of their 
airline tickets, it should only increase fares by a third or so.


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: U.S. Plans Cyber Shield for Utilities, Companies

2010-07-08 Thread Brandon Ross

On Thu, 8 Jul 2010, Joe Greco wrote:


There's a happy medium in there somewhere; it's not clear that having (to
use the examples given) air traffic control computers directly on the
Internet has sufficient value to outweigh the risks.  However, it seems
that being able to securely gateway appropriate information between the
two networks should be manageable, certainly a lot more manageable than
the NxM complexity involved if you try to do it by securing each and
every Internet-connected ATC PC individually.


What makes you think that isn't exactly what this Cyber Shield project 
is supposed to do?  Heck, what makes you think that's not the way most of 
these systems already work today?


Do people really think the guy in the airport control tower is really
surfing Facebook while he's controlling aircraft on the same computer, or
that capability is even what is under consideration?

--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Dividing up a small IPv4 block

2010-06-22 Thread Brandon Ross

On Mon, 21 Jun 2010, Steve Bertrand wrote:


Thinking that they will have to go back to ARIN for additional space
relatively quickly without intervention, can anyone provide links to
docs that will help prevent future renumbering or decent management? I
know that I can collapse a lot of their current waste, and I know where
I can scrounge, but where in the space should the clients be assigned
from, and where should I reserve my p2p/32 blocks from... front or back?


If you are efficiently utilizing the space, and it sounds like you are, 
why don't you just request more space from ARIN?


--
Brandon Ross  AIM:  BrandonNRoss
   ICQ:  2269442
   Skype:  brandonross  Yahoo:  BrandonNRoss



Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-10 Thread Brandon Ross

On Fri, 9 Apr 2010, William Herrin wrote:


Fun movies notwithstanding, they generally issue a fine and work it
through the civil courts.


And please educate me then, when I don't pay the fine, then what happens?

--
Brandon Ross  AIM:  BrandonNRoss



Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-09 Thread Brandon Ross

On Fri, 9 Apr 2010, William Herrin wrote:


Last I heard, the FCC has access to people with law degrees not guns.
Much like ARIN, really.


Oh really?  So if I start using a frequency that requires a license and I 
don't have one, won't they tell me to stop?  And if I say no, I won't 
stop, what happens then?  Will they never call the cops and have them show 
up and forcibly shut down my equipment?  And if I try to defend my 
equipment, will the cops not shoot me?


Sorry, all government policies are enforced by guns.

ARIN is not government; if I don't pay ARIN for my address space and keep 
using it anyway, no cops will show up at my door.  Sure my upstreams may 
decide to shut off my announcements, but a gun never gets involved.


--
Brandon Ross  AIM:  BrandonNRoss



Re: interop show network (was: legacy /8)

2010-04-07 Thread Brandon Ross

On Wed, 7 Apr 2010, Eliot Lear wrote:

If v6 is even close to ready, wouldn't it be sad that this sort of 
testing isn't done at interop?  Or is it just sad that v6 isn't so close 
to being ready?  Or is it both?


The suggestion was to run a v6 only network.  Does anyone on the NANOG 
list believe that v6 is at all ready to be run without any v4 
underpinnings and provide a real service to a customer base?


--
Brandon Ross



Re: interop show network (was: legacy /8)

2010-04-04 Thread Brandon Ross

On Sun, 4 Apr 2010, Jeroen van Aart wrote:

Someone in another thread mentioned interop show network. Which made me 
curious and I did a bit of searching. I found the following article from 2008 
about the interop show: http://www.networkworld.com/community/node/27583


The show could set up an IPv6-only network in order to showcase it? That'd 
free up a /8.


Seriously?  You do realize that the InteropNet actually has to provide a real 
service to the exhibitors and attendees of the show, right?  This year's 
network will support v6, but a v6-only network is just not a practical way to 
supply real network connectivity to customers, yet.


--
Brandon Ross  AIM:  BrandonNRoss
Director of Network Engineering  ICQ:  2269442
Xiocom Wireless  Skype:  brandonross  Yahoo:  BrandonNRoss