Re: Texas internet connectivity declining due to blackouts

2021-02-16 Thread Bret Clark
Texas doesn't generally experience this type of extreme cold. The power grids 
are being overloaded due to people using their electric heat or electric portable 
heaters.


From: NANOG  on behalf of 
Rod Beck 
Sent: Tuesday, February 16, 2021 7:09 AM
To: Robert Jacobs ; Mark Tinka ; 
nanog@nanog.org ; Cory Sell 
Subject: Re: Texas internet connectivity declining due to blackouts

The problem with renewables is that you can't switch on or off and there is no 
good storage solution.

However, the issue in Texas is probably exposed power cables. In Europe they 
are buried and we have far milder weather than the States.

Anyone want to provide some details on where the system has faltered? Is it 
transmission? Or generation? Or just everything in general?


From: NANOG  on behalf 
of Cory Sell via NANOG 
Sent: Tuesday, February 16, 2021 5:34 AM
To: Robert Jacobs ; Mark Tinka ; 
nanog@nanog.org 
Subject: RE: Texas internet connectivity declining due to blackouts

Ercot has already released actual documentation of the outputs. Wind is NOT the 
biggest loss here. Even if wind was operating at 100% capacity, we’d be in the 
same boat due to gas and fossil fuel-related generation being decimated. 
Estimated 4GW lost for wind doesn’t make up for the 30GW+ estimated being lost 
from fossil fuels.

I only interject because people are already pointing their fingers at 
renewables being the cause here and trying to pawn off the blame to wind/solar 
to further their agendas to reduce renewable energy R&D and adoption. Sure, 
wind isn’t perfect, but looks like solution relied on failed in a massive way.



On Mon, Feb 15, 2021 at 10:17 PM, Robert Jacobs <rjac...@pslightwave.com> wrote:
How about letting us Texans have more natural gas power plants or even let the 
gas be delivered to the plants we have so they can provide more power in an 
emergency. Did not help that 20% of our power is now wind which of course in an 
ice storm like we are having is shut off... Lots of issues and plenty of 
politics involved here..

Robert Jacobs | Data Center Manager
-Original Message-
From: NANOG  On Behalf Of Mark 
Tinka
Sent: Monday, February 15, 2021 10:06 PM
To: nanog@nanog.org
Subject: Re: Texas internet connectivity declining due to blackouts



On 2/16/21 04:14, Sean Donelan wrote:
>
> Poweroutage.us posted a terrific map, showing the jurisdictional
> borders of the Texas power outages versus the storm related power
> outages elsewhere in the country.
>
> https://twitter.com/PowerOutage_us/status/1361493394070118402
>
>
> Sometimes infrastructure planning failures are not due to "natural
> hazards."

I suppose having some kind of home backup solution wouldn't be too bad right 
now, even though you may still not get access to services. But at least, you 
can brew some coffee, and charge your pulse oximetre.

Mark.





Re: Retaliatory DDoS

2021-02-08 Thread Bret Clark
Not an official club, but the unofficial club is full of members including 
myself unfortunately...little you can do except consider DDoS mitigation 
service if it continues.

It is a criminal activity, so you can report the attack to the FBI...they can't 
do much to be honest, but at the very least this is good to do in case the 
problem continues and/or you need to file a business loss with your insurance 
company barring you have Cyber insurance in your policy.

https://www.ic3.gov/Media/Y2017/PSA1710172
Internet Crime Complaint Center (IC3) | Booter and Stresser Services Increase 
the Scale and Frequency of Distributed Denial of Service Attacks


From: NANOG  on behalf of 
Mike Hammett 
Sent: Monday, February 8, 2021 6:46 AM
To: NANOG list 
Subject: Retaliatory DDoS

Is there a club for people that have been DDoSed? If so, count me in.

This one was directed at me (as opposed to one of my customers) because I got 
an e-mail explaining why I was getting DDoSed. Is that aspect common?

There were also some racial and sexual accusations that were made that clearly 
aren't true and just speak to the intelligence of people like this.

Is it safe to assume that they completely anonymized the email they sent to me?

Is there anyone I should be reporting this to?

I thought my site was running in Cloudflare, but my individual server was still 
attacked, so I gotta figure out where I screwed that up.


https://www.dropbox.com/s/rrrx90jvy09h26s/ICS%20DDoS.png?dl=0



-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP


Re: BGPMON Alert Questions

2014-04-02 Thread Bret Clark

They are advertising one of /22 right now as well,

Bret


On 04/02/2014 04:21 PM, Bryan Tong wrote:

They have advertised all of ours now.


On Wed, Apr 2, 2014 at 2:16 PM, Bob Evans <b...@fiberinternetcenter.com> wrote:


Yes, I too have alerts for some of our prefixes from the same offending
origin 4761

On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change
event for your prefix (66.201.48.0/20 slash 20 bottom of nor cal)
The detected prefix: 66.201.48.0/20, was announced by AS4761
(INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Alert description:   Origin AS Change
Detected Prefix: 66.201.48.0/20
Detected Origin AS:   4761
Expected Origin AS:   26803

Bob Evans
CTO





So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure
they are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:
Update time:  2014-04-02 18:26 (UTC)
Detected by #peers:   2
Detected prefix:  8.37.93.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761










--
Spectra Access
25 Lowell Street
Manchester, NH 03042
603-296-0760
www.spectraaccess.net
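
The origin check behind alerts like the ones quoted in this thread, as an added example that is not part of any poster's message and not BGPMON's own code: it compares the origin AS of observed announcements with the origin each monitored prefix is expected to have, and also flags more-specific announcements inside a monitored block. The observation list is constructed, the function names are hypothetical, and AS64496 and AS64500 are documentation ASNs standing in for values the thread does not give.

```python
import ipaddress

# Expected origin per monitored prefix. 66.201.48.0/20 -> AS26803 comes from
# the alert quoted in the thread. The thread does not state the expected
# origin for 8.37.93.0/24, so AS64500 (documentation ASN) is a placeholder.
EXPECTED_ORIGINS = {
    "66.201.48.0/20": 26803,
    "8.37.93.0/24": 64500,
}

# Constructed observations: (prefix, AS path as a collector or looking glass
# would show it). The 18356 9931 4651 4761 path is the one in the quoted
# alert; every other path is made up for the example.
OBSERVED = [
    ("66.201.48.0/20", "64496 26803"),           # expected origin
    ("66.201.48.0/20", "18356 9931 4651 4761"),  # origin AS change
    ("8.37.93.0/24", "18356 9931 4651 4761"),    # origin AS change
    ("66.201.50.0/24", "18356 9931 4651 4761"),  # more-specific inside the /20
    ("192.0.2.0/24", "64496 64497"),             # not one of our prefixes
]


def origin_of(as_path):
    """Return the origin AS (rightmost hop) of a space-separated AS path.

    Returns None for an empty path or when the path ends in an AS_SET
    such as {64500,64501}, where no single origin can be named.
    """
    hops = as_path.split()
    if not hops or not hops[-1].isdigit():
        return None
    return int(hops[-1])


def classify(prefix, as_path, expected):
    """Classify one observed announcement against the expected-origin table."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for exp_prefix, exp_origin in expected.items():
        exp_net = ipaddress.ip_network(exp_prefix)
        if exp_net.version == net.version and net.subnet_of(exp_net):
            covering.append((exp_net, exp_origin))
    if not covering:
        return "not-monitored"
    # If several monitored prefixes cover the announcement, the longest wins.
    exp_net, exp_origin = max(covering, key=lambda c: c[0].prefixlen)
    origin = origin_of(as_path)
    if origin == exp_origin:
        return "ok"
    if origin is None:
        return "unknown-origin"
    if net == exp_net:
        return "origin-change"
    return "more-specific-origin-change"


def find_alerts(observed, expected):
    """Return (prefix, origin, verdict) for every announcement worth a look."""
    alerts = []
    for prefix, as_path in observed:
        verdict = classify(prefix, as_path, expected)
        if verdict not in ("ok", "not-monitored"):
            alerts.append((prefix, origin_of(as_path), verdict))
    return alerts


if __name__ == "__main__":
    for prefix, origin, verdict in find_alerts(OBSERVED, EXPECTED_ORIGINS):
        print(f"{prefix}: announced by AS{origin} ({verdict})")
```
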




Re: Mikrotik Cloud Core Router and BGP real life experiences?

2013-12-27 Thread Bret Clark

On 12/27/2013 05:59 AM, Martin Hotze wrote:

On 27/12/2013, at 10:13 pm, Martin Hotze m.ho...@hotze.com wrote:

Thanks,

estimated traffic levels are at about half a gig, but at least 50 megs
of UDP (VoIP) in both directions.

one thing is that I haven't found a solution for redundant power supply.


Buy 2 :)

on 3am I only want to read the notification and know what to do first in the 
morning. And not jump out and bring the spare into production.

#m



You set them both up and configure the spare for fail-over.



Re: why haven't ethernet connectors changed?

2012-12-20 Thread Bret Clark
Sort of like saying why haven't we changed from RJ-48's for phones...old 
habits die hard I guess! For the most part the RJ-45 connector is pretty 
sturdy...remember those silly dongle cables that were used for pc-card 
Ethernet adapters in laptops...those things would last about a month 
before dying!


As for the Raspberry Pi (I own one) it was silly to even put Ethernet 
on that instead of wi-fi, especially for the educational market that the 
Pi was initially developed for; what classroom has Ethernet running to 
every desk especially in poor nations where copper theft is rampant!


On 12/20/2012 01:40 PM, Howard C. Berkowitz wrote:

On 12/20/2012 1:20 PM, Michael Thomas wrote:

I was looking at a Raspberry Pi board and was struck with how large
the ethernet connector is in comparison to the board as a whole. It
strikes me: ethernet connectors haven't changed that I'm aware in pretty
much 25 years. Every other cable has changed several times in that time
frame. I imagine that if anybody cared, ethernet cables could be many
times smaller. Looking at wiring closets, etc, it seems like it might be
a big win for density too.

So why, oh why, nanog the omniscient do we still use rj45's?

Mike



Seen an AUI or vampire tap recently?  Vampires made a certain amount of
sense, but the AUI connector seemed to have little purpose other than
recycling weak metal from Coors beer cans.  IIRC, the inventor apologized.






IPSec Problems

2012-08-13 Thread Bret Clark
Anyone seeing their customers having problems with IPSec tunnels? It's a 
strange problem where the customer can ping the other end, but is 
having trouble keeping the IPSec tunnels active. I was able to 
preference some of our customer routes out of another BGP edge router 
which solved their problem. The only common issue (so far) is that the 
issue seems to occur when traffic goes over a Level3 connection; 
otherwise the IPSec tunnels work fine.


It's a rather strange problem though why only IPSec is being affected 
but nothing else, and I'm not saying L3 is the reason, but not sure.  I 
opened a support ticket with one of our upstream providers and they 
mention their own customers have seen similar problems.


Scratching my head on this one!

Thanks,
Bret


Re: job screening question

2012-07-10 Thread Bret Clark

On 07/10/2012 03:32 AM, goe...@anime.net wrote:

On Mon, 9 Jul 2012, Jeroen van Aart wrote:

William Herrin wrote:

This, incidentally, is a detail I'd love for one of the candidates
to offer in response to that question. Bonus points if you discuss MSS
clamping and RFC 4821.

The less precise answer, path MTU discovery breaks, is just fine.

I would say that the ability to quickly understand, troubleshoot and find a
solution to a problem (and document it) is a far better skill to have than
having ready made answers to interview questions learned by heart.

It should take a skilled person less than 30 minutes to find the answer to
that question and understand it too. The importance of knowing many things by
heart has become incredibly moot.

If you are applying for a network position, you better know the *basics*.
Having to look up the basics is not a good sign.

Do you really want to hire someone who is going to have to look up basic
networking concepts for 30 minutes every time they are in a meeting and
asked a question?

-Dan


Hence the reason he mentioned skilled person...



Re: Cheap Juniper Gear for Lab

2012-04-10 Thread Bret Clark

On 04/10/2012 12:31 AM, Steven King wrote:

Hello All,

I am tasked with replacing an old linux router setup with Juniper gear
in the near future. Though I am a Cisco guy myself.

Does anyone know of any older cheap Juniper gear I might find on Ebay so
that I may build a home lab without going broke?

Thanks!

http://www.ebay.com/sch/Networking-Communications-/11176/i.html?_from=R40_nkw=juniper 



Re: So... my colo was just bought.

2012-01-11 Thread Bret Clark

On 01/11/2012 04:38 PM, Jay Ashworth wrote:

And for the record, I've been quite happy with E-Sol; as long as Knology
plays no games with the staff, I don't expect any problems.

Cheers,
-- jra

It's extremely important you let the right people in Knology know that.

Bret



Re: So... my colo was just bought.

2012-01-10 Thread Bret Clark

On 01/10/2012 12:31 PM, Patrick Giagnocavo wrote:

Expect all the local guys you dealt with to be gone in 6 months.
--Patrick

It's unfortunate just how true this will be.

Bret



Re: Speed Test Results

2011-12-23 Thread Bret Clark
Couldn't agree more, it's unfortunate that so many users take them as 
gospel!



On 12/23/2011 04:23 AM, Leigh Porter wrote:

They are completely unreliable and not to be trusted except for an occasional 
general indication of speed.







Re: BGP noob needs monitoring advice

2011-12-20 Thread Bret Clark
Is http://cyclops.cs.ucla.edu/ still working? I don't seem to receive 
emails from them anymore when we stop announcing to one of our upstream 
providers. On the other hand http://bgpmon.net/ does send me emails when 
an announcement disappears from an upstream, although it's usually a day 
later.





On 12/20/2011 02:03 PM, Hank Nussbacher wrote:

At 13:52 20/12/2011 -0500, Dave Pooser wrote:

Use one of the following services:
http://cyclops.cs.ucla.edu/
http://bgpmon.net/
You'll get an email whenever a routing change takes place in regards to the
prefix you are monitoring.

-Hank


Earlier this year I got a /24 of PA space, set up our shiny new router,
got BGP working with both my upstreams, and heaved a sigh of relief: I'll
never have to think about THAT again! (Okay, quit laughing; I SAID I was
a noob!)

Now, I discover that one of my upstreams quit announcing our route in
November (fortunately the provider who assigned us the /24, so we're still
covered in their /18) and the other upstream apparently started filtering
our announcements last week. I'm working with both of them to get that
fixed, but it's made it clear to me that I need to be monitoring this.

My question for the group is, how? I can and do monitor my own router, and
I can see that I'm receiving full routes from both ISPs. I am capable of
manually accessing route servers and looking glass servers to check if
they're receiving routes to me, but I'd like something more automated.
Free is nice, $$ is not a problem,  might become a problem.

Thanks in advance for any suggestions.
--
Dave Pooser
Manager of Information Services
Alford Media  http://www.alfordmedia.com







Re: consumer DSL problems

2011-11-01 Thread Bret Clark

On 11/01/2011 05:03 AM, Mike Reed wrote:


Is there a common policy on rendering vendor-supplied CPEs unusable?

Yes if they are old.

As a network operator to residential users, would you notify any
potentially affected users before making such a change?
Any responsible provider would make sure to notify users before making 
the change and then not make the change until all users had been 
upgraded to a new modem...within reason of course...some customers are 
hard to reach and never respond, so at some point you just have to make 
the switch.


Regards,
Bret



Re: Issue with Sprint Wireless

2011-10-07 Thread Bret Clark
Every cell tower is different, every region is different, good 
performance in one region on one carrier, may be the exact opposite in 
another region on that same carrier. That's quite a bit of data 
(assuming 1-2mbps...not sure what digit megs are) you're trying to push 
through a cell network especially 3G. Is it possible your Verizon 
testing is on Verizon's 4G network while Sprint's is 3G?


Bret

On 10/07/2011 12:17 PM, mitch tanenbaum wrote:

Hi



We are developing an android app that moves a fair amount (in the 1-2 digit
megs) of data up and down over an application specific encrypted pipe
(basically a custom VPN).  We see great performance when we use wifi (of
course) and very reasonable performance on Verizon Wireless. However, on
Sprint, we are seeing consistently poor performance, no matter what phone we
use.  These results are independent of date, time and location, so it
APPEARS to be Sprint wireless related.  Eventually, everything does go
through but it takes 5x to 10x the time it takes on Verizon Wireless.



Has anyone had any experience, good or bad, they can relate off list?  I
don't *think* this is an outage, just the way the Sprint Wireless network
works.   If there is a Sprint Wireless engineer on the list that could
contact me off list, that would be greatly appreciated.



Mitch Tanenbaum

iPhase3 Corp

mi...@iphase3.com










Re: ouch..

2011-09-14 Thread Bret Clark

On 09/14/2011 07:58 AM, Brian Raaen wrote:

Nice, I didn't see that.  Then I guess whoever set up this site was a shill for 
Cisco, I just love how instead of focusing on developing better products, that 
they are more about marketing now.

---
Brian Raaen
Network Architect


Cisco has always been about marketing ever since Chambers took over way 
back when!




Re: Address Assignment Question

2011-06-20 Thread Bret Clark

On 06/20/2011 08:13 AM, Steve Richardson wrote:

What I'd like to know is whether there is a
legitimate use for so many addresses in discontiguous networks besides
spam?  I am trying my best to give them the benefit of the doubt here,
because they do work directly with Spamhaus to not be listed (I realize
reasons on both sides why this could be) and searches on Google and spam
newsgroups for their highest traffic email domains yield next to nothing,
given the amount of email they say they send out.
Well, not so sure I would worry about legit or not legit use...while 
ISPs are looked at as being the police, legally law enforcement are the 
ones to pursue illegal use. But it sounds like you've done your 
homework and they sound legit. Have them fill out an IP Justification form 
(as ARIN requires it) and go from there. I wouldn't worry about providing 
them the /24. Personally I would charge them for the /24 too, makes 
users think twice about the need for a block that large.


Bret


Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million

2011-03-24 Thread Bret Clark
Why would Microsoft need this many IPs? I could see them benefiting 
service providers much more.


On 03/24/2011 09:27 AM, Tony Finch wrote:

Jay Nakamura <zeusda...@gmail.com> wrote:


666,624 is kind of odd number, isn't it?  That comes out to a
/13,/15,/19,/21 and a /22.

From the court documents I gather that it is a collection of miscellaneous
blocks that Nortel acquired over the years, presumably via corporate M&A.
However there isn't (as far as I can see) a list of the actual blocks. See
docket 5143 at http://chapter11.epiqsystems.com/NNI/docket/Default.aspx

Tony.





Re: What vexes VoIP users?

2011-02-28 Thread Bret Clark

On 02/28/2011 01:17 PM, Leigh Porter wrote:


VoIP at the last mile is just too niche at the moment. It's for people on this 
list, not my mother.

--
Leigh


Baloney...if that was the case, then all these ILECs wouldn't be 
whining about POTS lines decreasing exponentially year over year!




Re: BGP Failover Question

2011-02-22 Thread Bret Clark

On 02/22/2011 12:23 PM, Hammer wrote:

As Max stated, you can set triggers based on thresholds that are monitored
via multiple methods in Cisco IOS. That way you could force the route down
dynamically. There's always a risk when letting the machines do the thinking
but this would help in situations like this. Can't speak for other vendors
but I'm sure the features are similar.

Well as someone else stated, if an upstream provider can't provide BGP 
reliably then it's time to give them the boot. Once in a year, okay, but 
beyond that, then it's time to read the riot act to that provider.

Bret



Re: Experiences with Comcast Ethernet

2011-01-04 Thread Bret Clark



On Tue, Jan 4, 2011 at 1:05 PM, Dylan Ebner <dylan.eb...@crlmed.com> wrote:

My company has about 2 dozen Comcast business cable accounts at satellite offices around 
the Midwest. We are looking at adding an additional ISP to the mix and we are thinking of 
purchasing an Ethernet circuit from Comcast in an attempt to increase performance on 
those connections by keeping all the traffic within Comcast's network.  Comcast, of 
course, has assured us this will result in noticeable speed increases for 
those accounts. I am more wary. Does anyone have any experience with Comcast's ethernet 
offerings? How reliable are they? Do Comcast cable connections see a significant 
performance improvement?

Dylan Ebner, Network Engineer

It will only help if the performance issues are related to the Comcast 
Internet peering connections, otherwise you'll see no difference if the 
issues are related to congestion occurring on the coax connections from 
the optical nodes that service each coax feed through neighborhoods and 
businesses. This is simple over-utilization that (at least in our neck of 
the woods) is becoming more and more a problem as Comcast saturates 
their networks with too many connections...there is only so much 
bandwidth a coax line can handle! I suspect your performance issues are 
related to the latter.

Bret



Re: Some truth about Comcast - WikiLeaks style

2010-12-20 Thread Bret Clark

On 12/20/2010 06:55 AM, Jeff Wheeler wrote:

What no one has mentioned thus far is that CLECs really are able to
install their own facilities to homes and businesses if they decide
that is a good way to invest their finite resources.


Yes and no, we tried that way back when but found out that there were 
rules in place allowing only 3 lines on a pole (Elec, tele, cable), 
basically the rules are there to stop poles from having a gazillion lines 
on them; a throwback from the early 1900's. Back then there were 
numerous Telephone companies competing for the same customer and poles 
became a nightmare with wires. It was common for competitors to cut 
other competitors' lines back then.


Sure CLECs could go underground, but outside of the expense, the 
permits process would be a nightmare. Where there was conduit available 
we'd go that route, but Verizon would give us a hard time about it.





Re: Facebook issue

2010-12-16 Thread Bret Clark

On 12/16/2010 06:07 PM, D'Arcy J.M. Cain wrote:

On Thu, 16 Dec 2010 13:34:38 -0800 (PST)
andrew.wallace <andrew.wall...@rocketmail.com> wrote:
   

Anyone having issue with Facebook?
 

Always have but that's just me.

   
Comcast must have planned this so that we would flood the list with 
useless Facebook messages rather than harass them about their lousy 
traffic management issues ;)!




Re: BGP multihoming question.

2010-12-10 Thread Bret Clark

On 12/10/2010 10:01 AM, Dylan Ebner wrote:

3. You cannot trust the second isp to advertise the SWIP block correctly if 
they are not a tier 1. Even though they may advertise it for you to their 
upstream, they don't always have the appropriate procedures in place to get the 
LOAs to the upstream so your block just gets filtered out.


   
Just got done battling this exact issue with one of our upstream 
peers...caused a lot of headaches for us.




Re: U.S. officials deny technical takedown of WikiLeaks

2010-12-04 Thread Bret Clark

On 12/04/2010 06:03 PM, Ken Gilmour wrote:

Now Sarah Palin is suggesting Wikileaks are terrorists and should be taken
offline with technical capabilities
  http://www.golem.de/1012/79848.html

or for anyone who can't speak German:

http://translate.google.ie/translate?u=http%3A%2F%2Fwww.golem.de%2F1012%2F79848.htmlsl=detl=enhl=ie=UTF-8
(The
translation is about as coherent as Sarah Palin herself).
   

Enough already...this is not a political list!


Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-11-30 Thread Bret Clark

On 11/30/2010 07:59 AM, Sean Donelan wrote:


Or why don't you build a network to places that Comcast peers at; and 
bypass L3 completely and negotiate a peering relationship directly 
with Comcast?


We tried; Comcast wouldn't peer with us because they considered us a 
competitor.


Seriously this has nothing to do with L3 but more with Netflix...it's 
clear that the Netflix business model is eating into Comcast VoD 
business and so they are strong arming other providers to affect 
Netflix's business model. But as others have stated what would happen if 
Comcast starts coming after every service provider's hosting services 
that Comcast doesn't like?


Bret




Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-11-29 Thread Bret Clark

On 11/29/2010 07:55 PM, Ren Provo wrote:

http://blog.comcast.com/2010/11/comcast-comments-on-level-3.html

On Mon, Nov 29, 2010 at 7:51 PM, Dave CROCKER <d...@dcrocker.net> wrote:

   
Okay, let's say L3 gives in to Comcast and pays them. L3 then turns 
around and charges us (providers) more to cover the additional money 
they have to pay Comcast now. In the meantime Comcast continues to 
undercut the market it sells into making it harder for me as a service 
provider to compete...that just isn't right. Maybe Comcast should raise 
their prices to their customers to cover the cost of upgrading their 
network, but then they wouldn't be able to undercut me 
anymore...monopolies are a dangerous thing!




Re: Auditing a network to add Voice

2010-11-22 Thread Bret Clark
Iperf can be used to measure jitter and delay as well as simulate a 
quasi VoIP call. You can also use mtr under Linux which provides jitter 
and delay measurements from one point to another point. A g.729 call 
(lower quality) takes about ~40kbps and a g.711 (high quality) uses 
about ~100Kbps of bandwidth. With most of today's networks, the problem 
isn't bandwidth related, but more with jitter, delay, and packet loss 
through the network...personally I'm a big fan of deploying QoS 
throughout an infrastructure...well at least in our WAN infrastructure.


Bret


On 11/22/2010 09:59 AM, Kasper Adel wrote:

Hi,

My customer would like to add VoIP over their network and they asked us for
an audit. the result of the audit would be simply you guys are ready for it

Breaking it down [high level] for me sounds like : (suggestions are more
than welcomed) :

1) Looking at hardware computation finite resources (cpu, memory...etc)
2) Looking at available bandwidth
3) QoS policy
4) High Availability and Fast Convergence

Any thing else?

They asked us to measure the KPIs (jitter, delay...etc) of their existing
traffic, is there a way to do that?

Thanks,
Kim
   





Re: Auditing a network to add Voice

2010-11-22 Thread Bret Clark
Most VoIP solutions are RTP whether internal or via SIP solution from a 
service provider.


On 11/22/2010 10:04 AM, Kasper Adel wrote:

Sorry i forgot to add more detail.

We are not looking for IP Telephony type of voice but RTP from Media
Gateways.

Cheers,
Kim

On Mon, Nov 22, 2010 at 4:59 PM, Kasper Adel <karim.a...@gmail.com> wrote:

   

Hi,

My customer would like to add VoIP over their network and they asked us for
an audit. the result of the audit would be simply you guys are ready for it

Breaking it down [high level] for me sounds like : (suggestions are more
than welcomed) :

1) Looking at hardware computation finite resources (cpu, memory...etc)
2) Looking at available bandwidth
3) QoS policy
4) High Availability and Fast Convergence

Any thing else?

They asked us to measure the KPIs (jitter, delay...etc) of their existing
traffic, is there a way to do that?

Thanks,
Kim

 





Re: Auditing a network to add Voice

2010-11-22 Thread Bret Clark
I'm not sure if Wireshark will let you do this...at least with TCP, we 
do use Wireshark to analyze RTP traffic which provides jitter/loss data, 
maybe a vendor provided LAN analyzer would provide this information.


I still think you're better off using some type of tool and doing the 
measurement on their network live at various times of the day. Every 
path through the network is going to have different delays/jitter/loss 
at various times of the day. You can probably get loss via RMON 
statistics in switches/routers, but delays/jitter requires that you are 
monitoring a data conversation at the TCP/IP layer and I'm not aware of 
network equipment (switches/routers) that watch individual TCP/IP layers 
to provide jitter/delay...that would require quite a bit of a device's 
resources.


If you run the apps on their network live, then you are basically going 
to get the information you need about the overall quality of the 
network they have in place today.

Bret

On 11/22/2010 11:17 AM, Kasper Adel wrote:

Hi Bret,

These guys are not looking for measuring traffic generated by a tool, 
they want to measure what they have running now (not only Voice). I am 
not sure if measuring what they have or generating traffic and 
measuring it is the same thing. what do u think?


thanks,
Kim

On Mon, Nov 22, 2010 at 5:54 PM, Bret Clark <bcl...@spectraaccess.com> wrote:


Iperf can be used to measure jitter and delay as well as simulate
a quasi VoIP call. You can also use mtr under Linux which provides
jitter and delay measurements from one point to another point. A
g.729 call (lower quality) takes about ~40kbps and a g.711 (high
quality) uses about ~100Kbps of bandwidth. With most of today's
networks, the problem isn't bandwidth related, but more with
jitter, delay, and packet loss through the network...personally
I'm a big fan of deploying QoS throughout an
infrastructure...well at least in our WAN infrastructure.

Bret



On 11/22/2010 09:59 AM, Kasper Adel wrote:

Hi,

My customer would like to add VoIP over their network and they asked us for
an audit. the result of the audit would be simply you guys are ready for it

Breaking it down [high level] for me sounds like : (suggestions are more
than welcomed) :

1) Looking at hardware computation finite resources (cpu, memory...etc)
2) Looking at available bandwidth
3) QoS policy
4) High Availability and Fast Convergence

Any thing else?

They asked us to measure the KPIs (jitter, delay...etc) of their existing
traffic, is there a way to do that?
Thanks,
Kim
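
How jitter and loss figures of the kind an RTP analysis reports are derived from packets already on the wire, as an added example that is not part of any message in this thread: the RFC 3550 interarrival jitter estimator and a sequence-number loss count over one captured RTP stream. The packet records are constructed, the function name is hypothetical, and an 8000 Hz RTP clock (the rate used by G.711 and G.729) is assumed.

```python
# Constructed capture of one RTP stream (single SSRC), in arrival order:
# (sequence number, RTP timestamp, arrival time in microseconds).
# 20 ms packetization at 8000 Hz gives a timestamp step of 160 per packet.
# Sequence 1 is missing, the third packet arrives 5 ms late, and the
# 16-bit sequence number wraps from 65535 to 0 inside the sample.
SAMPLE = [
    (65534, 0, 0),
    (65535, 160, 20_000),
    (0, 320, 45_000),
    (2, 640, 80_000),
    (3, 800, 100_000),
]


def rtp_stats(packets, clock_rate=8000):
    """Return jitter and loss for one RTP stream, or None if it is empty.

    Jitter follows RFC 3550 section 6.4.1: for consecutive packets the
    difference D between their transit times is taken in timestamp units
    and folded into a running estimate J += (|D| - J) / 16.
    Loss is expected minus received, where expected is derived from the
    highest sequence number seen, extended across 16-bit wraparound.
    Assumes the sample is shorter than one 32-bit timestamp wrap.
    """
    jitter = 0.0
    prev_transit = None
    base_seq = max_seq = None
    cycles = 0          # count of sequence wraps, in units of 65536
    received = 0

    for seq, rtp_ts, arrival_us in packets:
        received += 1
        if base_seq is None:
            base_seq = max_seq = seq
        else:
            # Distance ahead of the highest sequence seen, modulo 2^16.
            ahead = (seq - max_seq) & 0xFFFF
            if 0 < ahead < 0x8000:
                if seq < max_seq:
                    cycles += 1 << 16   # wrapped past 65535
                max_seq = seq
            # Otherwise the packet is a duplicate or arrived out of order:
            # it counts as received but does not advance max_seq.

        # Arrival time expressed in RTP timestamp units.
        arrival_ts = arrival_us * clock_rate / 1_000_000
        transit = arrival_ts - rtp_ts
        if prev_transit is not None:
            d = abs(transit - prev_transit)
            jitter += (d - jitter) / 16.0
        prev_transit = transit

    if received == 0:
        return None

    expected = cycles + max_seq - base_seq + 1
    lost = max(expected - received, 0)   # duplicates can push this negative
    return {
        "expected": expected,
        "received": received,
        "lost": lost,
        "loss_pct": 100.0 * lost / expected,
        "jitter_ms": jitter / clock_rate * 1000.0,
    }


if __name__ == "__main__":
    stats = rtp_stats(SAMPLE)
    print(f"lost {stats['lost']} of {stats['expected']} "
          f"({stats['loss_pct']:.1f}%), jitter {stats['jitter_ms']:.3f} ms")
```
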








Re: NTP Server

2010-10-24 Thread Bret Clark

On 10/24/2010 12:29 PM, Brandon Kim wrote:

I guess what I'm trying to understand is, is having your own NTP server just a 
luxury?

I personally would like to have my own, I just need to pitch its advantages to 
my company. Unless everyone here on the NANOG group
clearly spells it out to me that it's a luxury.

I can see it as an added service/benefit though to our customers.


   
We have one internally because we use private IPs on some of our own 
equipment for security reasons and those systems are unable to poll an 
external NTP server on the Internet. Plus some of our equipment only 
accepts a single NTP server and in the past we occasionally found 
external NTP servers to not be up, at least with our own server we know 
if it's accessible or not. As for pitching one to your company, not sure 
why that's an issue...talking about 500K app that can run on $50 pc with 
Linux from ebay.


Bret



Re: Optical Wireless

2010-10-22 Thread Bret Clark
RF in general or you don't want to use wi-fi which is understandable? 
For our telecom back-haul needs which need to meet carrier class grade 
we have found Ceragon, Redline, and Dragonwave to work flawlessly. 
Redline and Dragon are PoE, Ceragon uses coax. Unfortunately we don't use 
laser because the weather would be a problem for us.


Bret

On 10/22/2010 03:15 PM, james edwards wrote:

I am looking for some vendors that make PtP optical wireless (laser) gear. I
have a project where I have to link 2 buildings separated by a 5 lane road.
Buildings are at least 10 stories high. Multiple reasons why RF (WiFi) or
fiber under the street will not work, plus some layer 8 issues.
I need 100 mbs, Ethernet is the protocol transported. PoE would be nice but
not a show stopper. Anyone have experience with this kind of gear and can
suggest a vendor ?


Thanks,

   





Re: Network Operators Unite Against SORBS

2010-10-12 Thread Bret Clark

On 10/12/2010 12:46 PM, Patrick W. Gilmore wrote:


I kinda-sorta feel like many others who have posted here.  This is a mail 
thing, not netops.  Grow a pair and post under your own name.  Is it even 
on-topic for NANOG?  Etc.

I even started typing a message to the effect of: even though I don't like SORBS, 
they should be allowed to publish a list and let others do as they please.  But 
then I realized, that is all this anonymous person is asking.  Or at least it could be.

If iHate SORBS wants to create a (another?) list of prefixes which should not 
be routed, and put SORBS on it, he (she?) should be allowed, just as SORBS should be 
allowed to have a list of mail servers SORBS doesn't like.  Then each operator can decide 
whether to implement a block based on the list or not.  Your network, your decision.

Of course, I fully expect no one to implement the block.  But that is no reason 
to deny the ability to create the list.

Now, I feel like quoting Pastor Niemöller so we can end this thread. :)

   


Not to mention it's bad enough with Congress trying to pass laws to make 
us network operators police the Internet, I don't need to police SORBS 
on top of it!

Bret



Re: Facebook down!! Alert!

2010-10-06 Thread Bret Clark
I have to agree on this as well. I can understand when a service 
provider is having problems and people questioning it since that can 
affect many of us who depend on backbone connections, but sites like 
facebook and twitter being down should not be posted here but on the 
sitesemployeeswastetimeon.org [\sarcasm off]


On 10/06/2010 02:20 PM, christian koch wrote:

+1



On Wed, Oct 6, 2010 at 12:57 AM, Zaid Ali z...@zaidali.com wrote:

   

I think the Outages mailing list is more appropriate for this.


On 10/5/10 9:46 PM, Mike Lyon mike.l...@gmail.com wrote:

 

Same here in SF Bay Area

On Tue, Oct 5, 2010 at 9:44 PM, James Smith ja...@smithwaysecurity.com wrote:

   

At 1:20am here in Canada, NB our networks are showing that facebook is
down.
Please confirm in the USA.



~SmithwaySecurity

Sent from my iPhone


 




 





Re: Facebook down!! Alert!

2010-10-06 Thread Bret Clark

On 10/06/2010 06:08 PM, Tammy A. Wisdom wrote:

This thread proves to me yet again that nanog is the internet's equivalent of a 
giant panty raid.  This isn't the outages list.  I am rather annoyed that we 
must discuss junk social media sites such as facebook.  Just because you are 
panicking does not mean that the thousands of people on this list give a flying rat's 
ass that facebook is down!
Can we please discuss relevant topics such as running networks? (for instance 
NOT @#...@#$ing FACEBOOK!)
This list over the last year has just gone so far downhill that I am most 
likely going to unsubscribe from it as I don't get any technical benefit from 
the garbage that is discussed on this list 99.999% of the time.

--Tammy

   


I've always looked at the nanog list representing issues up to layer 4 
of the OSI model; mostly layer 3/4. Maybe a new mailing list could be 
made called the North American Network Applications Group 
(nanag)...there might be a pun there :).


Bret



Re: Level3 filter updates

2010-10-05 Thread Bret Clark
I was told every 48 hours when I recently dealt with Level3 on a similar 
thing about a month ago.


On 10/05/2010 12:50 PM, Paul Stewart wrote:

Normally it's done every night (overnight)... that's been our experience...

Paul


-Original Message-
From: Florin Veres [mailto:flo...@futurefreedom.ro]
Sent: Tuesday, October 05, 2010 12:42 PM
To: nanog@nanog.org
Subject: Level3 filter updates

Hey guys,

Does anyone know how often Level3 updates their filters?
I have a prefix in Europe which has a route-obj from Sunday, it's accepted
in Level3 Europe from Monday, but in the US it's still not accepted.

Thanks,
Florin
   





Re: ARIN IP/AS Assignment

2010-10-02 Thread Bret Clark

We just had to get another new block, took about 5 days.

On 10/02/2010 03:17 AM, Imran Moin wrote:

Hello All,

I was wondering how long it is taking ARIN these days to assign new IP block
and AS Number. We are a new startup and looking to build our network over
the next few months.

Thanks,
Imran.
   





Re: ATT Dry Pairs?

2010-09-30 Thread Bret Clark
If the buildings are 100ft apart, can't you just go with a wireless 
connection? Speeds would probably be better and no monthly fee!


On 09/30/2010 06:08 PM, Robert Johnson wrote:

If your sales contact doesn't know what an alarm circuit is, go find
ATT's tariff filed with your state's PUC. It will contain the name of the
service. This will take some digging...

Verizon Maryland calls this an Intraexchange local channel, regular voice
grade and they go for $15.53/month. There are a plethora of different types
of dry pairs that you can order depending on the signal bandwidth of the
circuit and allowed attenuation.

On Thu, Sep 30, 2010 at 4:52 PM, Brandon Galbraith
brandon.galbra...@gmail.com  wrote:

   

Has anyone had any luck lately getting dry pairs from ATT? I'm in the
Chicago area attempting to get a dry pair between two buildings (100ft
apart) for some equipment, but when speaking to several folks at ATT the
response I get is "You want ATT service without the service? That's not
logical!". Had no problems 3-4 years ago getting these sorts of circuits,
but it appears it's gone the way of the dodo now. Any emails off-list are
appreciated.

--
Brandon Galbraith
US Voice: 630.492.0464

 





Re: Software-based Border Router

2010-09-27 Thread Bret Clark
We use a mix of software and hardware based routers, have found little 
difference between the two platforms in terms of performance and 
stability. Our software-based routers are serving a couple 100Mbps 
upstream links running on some HP Proliants with dual PS and dual HDs 
that we picked up on eBay for $150 then loaded Quagga on them.


I actually have to give a little bit of an edge to the Linux based 
systems only because of all the other wealth of 
diagnostics/troubleshooting tools one gets with Linux in general...It's 
nice to be able to run Wireshark right on the systems if we need to.


As for troubleshooting, I've found the Quagga mailing list to be just as 
responsive (if not more responsive at times) as Cisco, but clearly your 
mileage will vary there.


Bret



On 09/27/2010 04:59 PM, Dylan Ebner wrote:

We have looked at using open source routers for our border, but in the end we 
cannot make the numbers add up. Once Cisco released the x9xx ISR2 routers, the 
x8xx have tanked in price on the used market. So, for about the same as a 
vyatta router running on newer hardware that you can trust you can get a 28xx 
or 38xx. If you also want support, Cisco will support these at less than 
$100/month and that gets you access to the IOS upgrades and a 4 hr. replacement 
window. I know I sleep better knowing Cisco will drop off a router in less than 
4 hours if one of mine fails.

Dylan
-Original Message-
From: Nathanael C. Cariaga [mailto:nccari...@stluke.com.ph]
Sent: Sunday, September 26, 2010 4:42 AM
To: nanog@nanog.org
Subject: Software-based Border Router

Hi All!


Just want to ask if anyone here had experience deploying software-based routers 
to serve as perimeter / border router? How does it gauge with hardware-based 
routers? Any past experiences will be very much appreciated.


I wanted to know because we've been asked if we want to assume full control of 
the internet link (up to the router). By assuming control up to the router, we 
still want to configure iBGP with our parent network so that we can take 
advantage of some routes available to the parent network's gateway. The saddest 
part is presently we do not have the router to serve as our gateway this is why 
we are considering the use of software-based routers.


Thank you.
   





Re: Facebook Issues/Outage in Southeast?

2010-09-23 Thread bret clark
 Whoa...there is clairvoyance for you...that article is from 
yesterday...wonder if the author provides stock tips???


Facebook down...where is the Like button?

On 9/23/2010 3:46 PM, Steven Bellovin wrote:


http://blogs.wsj.com/digits/2010/09/22/facebook-goes-down-for-some-users/

--Steve Bellovin, http://www.cs.columbia.edu/~smb











Re: Cogent issues

2010-09-09 Thread Bret Clark
We've been noticing high latency for some time with Verizon (UUNET) 
connections at least through the NY area.



On 09/08/2010 10:34 PM, Charles Mills wrote:

Anyone notice any issues with Cogent?

Internet Health Report showing some high latency to Verizon and a couple of
other carriers.
   





Re: ATT routing problems towards www.worldspan.com?

2010-08-30 Thread Bret Clark
That host is not working for us either, but looks more like a host 
problem rather than a BGP problem. I have no problem getting to other 
IPs in that range like 216.113.132.21 which is probably its default 
gateway.



On 08/30/2010 05:22 AM, sth...@nethelp.no wrote:

We have problems reaching www.worldspan.com (216.113.132.22) from
some locations. The common problem seems to be ATT (AS 7018). Our
AS path towards the 216.113.128.0/19 prefix is typically

3356 7018 17228 19631

Anybody else see problems here? I note that I can ping 216.113.132.22
from some locations within our network - but not, for instance, from
route-server.ip.att.net.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

   





Re: Rate Limiting on Cisco Router

2010-07-08 Thread Bret Clark
Agree...when you rate limit versus shaping you can actually cause more 
traffic because the packets need to be retransmitted to deal with those 
that got dropped.



On 07/08/2010 06:43 PM, Murphy, Jay, DOH wrote:

traffic-shape rate 7500 9000 9000 1000 for example. Your rate limit 
will police your traffic and drop it all.

Traffic shaping produces a queue, and does not completely junk a packet. It 
becomes q'd, and produces a smoother output.

~Jay Murphy
IP Network Specialist
NM State Government

   





Re: Please remove me from all mailing lists !!!

2010-07-02 Thread Bret Clark

On 07/02/2010 08:28 AM, William Hamilton wrote:

On 02/07/2010 13:20, Marshall Eubanks wrote:
   

At the very bottom of each message, you will see

https://mailman.nanog.org/mailman/listinfo/nanog

If you go there, you can unsubscribe.

Regards
Marshall


 

Was it really necessary to quote the entirety of the digest when responding?

B


   


28.8k Modem users...



Re: pls help about mtu setting

2010-06-17 Thread Bret Clark

google (or any search engine) is your friend.

http://www.google.com/search?aq=f&sourceid=chrome&ie=UTF-8&q=mtu+1492+dsl

On 06/17/2010 08:19 AM, Deric Kwok wrote:

Hi

My DSL company asks me to set the modem 1462 and my old company used 1492

What is the difference?

Why is it not standard 1500?

Thank you

   




Re: Future of WiMax

2010-06-17 Thread Bret Clark

On 06/17/2010 09:46 AM, Dennis Burgess wrote:

Lots of my clients (Wireless ISPs) have looked into deploying it,
however the costs are well over 20 times the cost of a unlicensed system
per access point.
   
Yeah...that is really the crux of the problem. Every WISP I know would 
switch over in a heartbeat if the upfront cost was the same as deploying 
many well-known 5.8GHz systems. Battling with interference in the 5.8GHz 
can be tough at times, at least with the 3.65GHz range there is some 
control over frequency use, but even so, dealing with frequency use in 
5.8GHz is worth it for the cost savings.




Re: thoughts?

2010-05-27 Thread Bret Clark
Not any different than when Bob Metcalfe predicted the Internet would 
melt down in the late 1990's and looked like a fool when it never 
happened! Even though I don't disagree IPv4 addresses are rapidly getting 
used up, most of us on this list have the know-how and tenacity to 
work through current and future problems. I think a lot of people like 
to claim the sky is falling sooner rather than later.


On 05/27/2010 07:10 AM, Dorn Hetzel wrote:

http://www.cnn.com/2010/TECH/05/27/internet.crunch.2012/index.html?hpt=T2
   





Re: Mikrotik BGP Question

2010-05-21 Thread Bret Clark

On 05/21/2010 08:23 AM, Nick Hilliard wrote:

I will refrain from making any smart-ass comments about Mikrotik and BGP,
but no: there is no reason whatever that you can't take your internet feeds
from different locations, so long as you have a good quality interior
network link between those two locations, and your two routers talk iBGP to
each other.  Just make sure your boxes have enough RAM to cope with a full
dfz feed.

I.e. it's just the same as using any other router in this regard.

Nick

   
I've used Mikrotiks for everything except BGP, but we don't use 
Mikrotiks for BGP only because we already had BGP on a different 
platform...personally, when it comes to BGP, I think people are better 
off running it on devices they are familiar with rather than trying to 
learn the idiosyncrasies of a new platform.


Bret


Re: MikroTik strikes again ?

2010-05-03 Thread Bret Clark
Uhmokay...but why does anyone prepend their ASN that much? Are you 
saying the Mikrotik did that on purpose?


Adrian M wrote:

MikroTik strikes again ?

%BGP-6-ASPATH: Long AS path ... 39412 39625 39625 39625 39625 39625
39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625
39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625
39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625
39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625
39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625
39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625
39625 39625 39625 39625 received from : More than configured
MAXAS-LIMIT

aut-num: AS39625
as-name: ARANEO-AS
descr:  Omni-Araneo's AS number
org: ORG-OSTW3-RIPE
import:  from AS12968 action pref=100; accept ANY
export:  to AS12968 announce AS39625
import:  from AS39412 action pref=100; accept ANY
export:  to AS39412 announce AS39625
admin-c: TW1273-RIPE
tech-c:  TW1273-RIPE
mnt-by:  AS12968-MNT
mnt-routes:  AS12968-MNT
source:  RIPE # Filtered

  





Re: MikroTik strikes again ?

2010-05-03 Thread Bret Clark

Tim Warnock wrote:

Adrian M wrote:


MikroTik strikes again ?

%BGP-6-ASPATH: Long AS path ... 39412 39625 39625 39625 39625 39625
39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625
  

From: Bret Clark [mailto:bcl...@spectraaccess.com]
Sent: Monday, 3 May 2010 8:26 PM
To: nanog@nanog.org
Subject: Re: MikroTik strikes again ?

Uhmokay...but why does anyone prepend their ASN that much? Are you
saying the Mikrotik did that on purpose?




MikroTik asks for an amount of prepends rather than what ASN to prepend
with.

There was a bug in an old version that would modulus the ASN with 256 and
prepend that many times.

In this case 39625 modulo 256 = 201 prepends.
 



  

Yeah...guess I see why that would be a problem.
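
The prepend behaviour described in this thread can be checked for on received paths. The following is an added example, not part of the original messages: it run-length encodes an AS path, applies a path-length ceiling and a per-AS prepend ceiling, and notes when a run length equals the AS number modulo 256, as in the bug described above. The function names, both limits, and the sample paths are assumptions constructed for illustration.

```python
from itertools import groupby


def parse_as_path(text):
    """Turn a space-separated AS path (as printed in a router log) into ints."""
    return [int(tok) for tok in text.split() if tok.isdigit()]


def prepend_runs(path):
    """Collapse consecutive repeats into (asn, times_in_a_row) pairs."""
    return [(asn, len(list(group))) for asn, group in groupby(path)]


def audit_as_path(path, maxas_limit=50, max_run=10):
    """Return findings for an over-long path and for excessive prepending.

    maxas_limit and max_run are hypothetical local policy values, standing in
    for whatever ceiling the receiving router is configured with.
    """
    findings = []
    if len(path) > maxas_limit:
        findings.append({"check": "maxas-limit", "length": len(path)})
    for asn, run in prepend_runs(path):
        if run > max_run:
            findings.append({
                "check": "excessive-prepend",
                "asn": asn,
                "run": run,
                # Heuristic from the thread: the buggy release prepended
                # (ASN mod 256) times instead of the configured count.
                "matches_mod256": run in (asn % 256, asn % 256 + 1),
            })
    return findings


# Constructed sample paths (the log quoted in the thread is elided with "...").
BUGGY_PATH = "39412 " + " ".join(["39625"] * 201)    # 39625 % 256 == 201
HEAVY_PATH = "64500 " + " ".join(["64501"] * 16)     # deliberate but heavy prepend
NORMAL_PATH = "64500 64501 64501 64501 64496"        # ordinary traffic engineering

if __name__ == "__main__":
    for label, text in (("buggy", BUGGY_PATH), ("heavy", HEAVY_PATH),
                        ("normal", NORMAL_PATH)):
        print(label, audit_as_path(parse_as_path(text)))
```
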


Re: Edu versus Speakeasy Speedtest

2010-04-29 Thread Bret Clark

All the new OS's (IE Windows7) automatically adjust TCP window size.

Personally I've never found those website speed tests to be that accurate 
on fast connections (over 15Mbps full duplex).  The only way to really 
confirm bandwidth is by running IPERF.



Robert Glover wrote:

Adjust your TCP window size.

-Original Message-
From: Murphy, William william.mur...@uth.tmc.edu
Date: Thu, 29 Apr 2010 10:53:01 
To: nanog@nanog.org

Subject: Edu versus Speakeasy Speedtest

I work for an Edu with multi-gigabit Internet connectivity and I get
questions from users saying Why am I only getting 14Mb when I run this
speed test?  I have got to believe that the various Internet speed tests
(Speakeasy or dslreports) are rate limited to prevent someone from shutting
them down.  I am able to get 300-400Mb running from a PC inside my network
to NDT servers located on Internet2, so that tells me my border and internal
network is healthy.  Can someone on this list shed some light regarding
reliability and accuracy of these various speed tests especially for an Edu
with lots'o bandwidth?  Thanks.

 


Bill Murphy

University of Texas Health Science Center - Houston

 





  





Re: Wireless bridge

2010-04-05 Thread Bret Clark
   Peter Boone wrote:


I purchased 2x Ubiquiti Bullet2's (2.4 GHz) and utilized our existing
antennas. It has been working extremely well, pushing a stable 54 Mbps over
the link without issue. Signal strength is consistently -40 dBm +/- 2 dBm,
from about -80 dBm before! Total cost included 2x Bullets, 2x PoE adaptors,
and approx 40 ft of STP cat5: $120. I have yet to see what happens in a big
thunderstorm, but I extrapolate that they will be able to handle the EMP
without going haywire like before. They have worked very well through
conditions that our last setup would not.

Thanks again for the input everyone!

Peter

   More an FYI as I'm not overly familiar with Ubiquiti's, but I believe
   -40dBm is kind of a hot signal which means they are screaming at each
   other, are you seeing any physical errors, specifically CRCs? Won't
   necessarily affect overall throughput, but -60dBm is the sweet
   spot...too much of a signal is just as bad as not enough...sort of like
   that Seinfeld episode of the close talker :).

   Bret


Re: Is TDM going the way of dial-up?

2010-03-26 Thread Bret Clark
   Steve Meuse wrote:

I'm wondering if others are seeing the same behavior, if it's
market-dependant, or if I'm just imagining things.  I'm working on building
new infrastructure and my current thoughts are to minimize my TDM
footprint.  It would be useful to get a better feel if this is an overall
trend or something local.


You aren't imagining things. In fact, some large national networks have been
designed to support solely ethernet. It comes down to cost, as always


-Steve



   Actually, a lot of people would be shocked at just how much VoIP is now
   used to transport voice with TDM only occurring at the last mile and in
   many cases at the last foot. Anyone designing a voice infrastructure
   would be best to design it for VoIP. Your ROI is much much greater. If
   you need to use TDM, then do so only at the edge as close to the TDM
   equipment as possible.

   Of course if you are going to use VoIP throughout an infrastructure it
   certainly is a good idea to get familiar with QoS provisioning.

   Bret


Re: FCC releases Internet speed test tool

2010-03-12 Thread Bret Clark

Joe Greco wrote:


I've gotten strange stuff each time I've tried their tests.  I
particularly like the factor of 10 difference in upload speeds.

... JG
  
Yeah...these tests are algorithm based and rarely accurate! On our 
100Mbps Internet connection (which I know handles 100Mbps) best I could 
get is 10Mbps down and 14Mbps up.
Wish someone would come up with a much better mouse trap. The only test 
I've ever found to be fairly accurate is iperf or a simple FTP test.




Re: Redundant BGP for lower cost

2010-03-05 Thread Bret Clark
OSPF (in this scenario) is easier to set up than BGP...but check out
http://www.openmaniak.com/quagga.php.

On Fri, 2010-03-05 at 10:46 -0600, Alex Thurlow wrote:

 I have to say that this looks like a nice solution to me, and I've 
 definitely had many people point me to OSPF.  One problem is that I've 
 never run OSPF before.  Some googling brings up a few results on 
 implementation, but can someone recommend a good place to look or a book 
 to get to really get it all figured out?
 
 Thanks,
 Alex
 
 
 On 3/4/2010 11:23 AM, Jack Carrozzo wrote:
  If you want to keep it cheap, roll out another Quagga edge - one to 
  each peer. Drop default into OSPF from both edges, iBGP over a GE 
  between them. If one toasts you'll only lose half your routes for 
  1s-ish, or however long you set your OSPF keepalives.
 
  While you're at it, add extra fans and run the edge systems off solid 
  state disks or CF cards.
 
  Or, buy $real hardware.
 
  -Jack Carrozzo
 
  On Thu, Mar 4, 2010 at 12:17 PM, Alex Thurlow a...@blastro.com wrote:
 
  Let me preface this by saying that I'm not a full time network
  admin, but we're a small company and I'm the only one handling
  this.  Our budget is also not huge, but we're at the point where
  extended downtime would cost us enough money that we can spend
  some money to fix the problem.
 
   Here's my situation:  I have two providers, each handing me
  gigabit ethernet.  I'm getting full BGP feeds and handling them
  with a Linux/Quagga router.  We max out at about 100kpps, as we're
  mostly pushing video which gives us a large packet size.  It works
  fine, and I've been happy with it so far.  But, we've gotten to
  the point where I want a backup router of some sort in case
  something happens to that one, what with the fans and disks that
  could fail.  I see a few options.
 
  1. Just set up another Quagga box and use keepalived or some other
  HA solution.
  2. Buy a Cisco/Juniper/whatever and then have the Quagga box as
  backup.
  3. I have a 6500 behind the router that's just doing switching.
   Could I have something switch that to static route all traffic to
  one of my providers if something happened to the router?  The 6500
  has Sup1A with MSFC2 running IOS native.
 
  On the Cisco side, I see that we could probably run a 7200VXR with
  NPE-G1 (about $6000 on ebay).  Moving to the Sup720, even used is
  probably out of our price range.
 
  What do you guys think I should use here?
 
  Thanks,
  Alex
 
 
 




Re: Recommendations for router with routed copper gig-e ports?

2010-02-14 Thread Bret Clark
   Chuck Anderson wrote:

On Sun, Feb 14, 2010 at 02:41:51PM -0600, Lorell Hathcock wrote:


1 - AP network (need suggestion for cost effective gig-e switch)

2 to 4 - back haul ports

1 - internet port (on one out of every 4 towers or so)  (and most likely
fiber instead of copper)



Does anyone have any suggestions?


Juniper EX3200.  L2/L3 line rate GigE, partial or full PoE options
available.  Fiber uplink options.  24T version w/8 ports of PoE.  The
last 4 copper ports are shared with 1 Gig uplink module ports (but
they aren't shared if you use 10 GigE uplink modules).

http://www.juniper.net/us/en/local/pdf/datasheets/1000216-en.pdf


   Well just make sure the current Mikrotiks in place don't have gig-e
   ports as the newer Mikrotiks do. In that case converting over to a
   routing environment should be as simple as some software changes in the
   Mikrotiks. As for fiber you'd need some media converters.  We run
   Mikrotiks in our network using OSPF with a bunch of Ciscos and
   Riverstone routers without any problems.

   Bret



Re: Fiber Cut in CA?

2010-02-02 Thread Bret Clark
Good point...so if the cut is in the middle of nowhere without easy
access...then how the hell did it get cut? Malicious?

Matt Simmons wrote:

And in an open desert, back hoes can smell fiber from miles away.

On Tue, Feb 2, 2010 at 3:27 PM, Bill Stewart nonobvi...@gmail.com wrote:

On Tue, Feb 2, 2010 at 12:04 AM, char...@knownelement.com wrote:

That is one long protect path. Yikes.

There be mountains in the way, with deserts in between, and not a lot
of people to justify diversity or railroads and highways to run it
along.
Not many carriers have more than one fiber route across Arizona and
New Mexico, especially for the newer high-capacity fibers (i.e. built
this millennium, after the financial excesses of the 90s.)
I'm no longer current on what routes are being used by what carriers,
but if you don't have two routes across northern Arizona ( I-10/I-40,
with restoration routes like Barstow-LasVegas-Flagstaff-Phoenix),
then the next alternative is Barstow-LasVegas-SaltLakeCity-Denver,
at which point some carriers have routes down to Phoenix via Tucumcari
or Amarillo, and the rest are going to go through Dallas, and anybody
who doesn't have the LasVegas-SLC route is going to use
Sacramento-SLC-Denver, possibly also including San Jose, depending
on what routes they've got across California.

So, yeah, instead of the nice short 2200-mile restoration routes you
can use if SF-Seattle fails, cable cuts in the Southwest can be
really long...
--

Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.



Re: SSH brute force China and Linux: best practices

2010-01-30 Thread Bret Clark

denyhost is one of my favorite apps. http://denyhosts.sourceforge.net/

James Hess wrote:

When you really want to be safe -- even one illicit access attempt may
be enough to gain access. fail2ban or ssh rate limiting do not
stop distributed brute force attacks.

The best action depends on a tradeoff between OPSEC network operations
security considerations VS any legitimate need for quick remote
access/admin convenience also Versus simplicity / difficulty to
implement: If feasible, BCP38 + use of a destination port 22 ACL
on the first/last hop router to discard unexpected SSH traffic to
your protected LAN(s) from outside your IP prefixes, and therefore
all local NIX servers.

For ISPs, ssh blocking ACL should apply to your own device and router
subnets, but not downstream end-users.

+ In case access is desired from unknown remote IPs: dynamic ACL and
creative use of a facility such as access-enable on router: or
port knocking protection [on the ssh server itself].

If security is more important and readily available/quick remote
access from offsite is not important: then a secure VPN router +
remote access VPN, is a difficult target for an attacker (but
susceptible to failure either on client side or hardware failure on
remote side).

For port knocking
http://www.portknocking.org/view/implementations
E.g. fwknop / knockd / BSD Doorman / knockdaemon / PortknockO

This is in ADDITION to (not a replacement for) additional security
measures on individual hosts, such as the below.


- Forwarded message --
From: James Hess mysi...@gmail.com
Date: Sat, Jan 30, 2010 at 12:23 AM
Subject: Re: SSH brute force China and Linux: best practices
To: Bobby Mac bobby...@gmail.com

For home? Turn off the SSH daemon and keep it off, unless you really need it.
Or use iptables and /etc/hosts.deny + /etc/hosts.allow
to limit access to local IPs.

The considerations for a NIX workstation are really no different than
with any network device, port 22 is under constant attack, you
might want to filter upstream somewhere. Keep network software
up-to-date with patches.

Set strong passwords. Disable remote login to the admin/root user.
Use ssh only: telnet is unsafe. Configure an unofficial
alternative port number for ssh (one numbered below 1024 but not port
22).

Ban password-based auth in favor of public key, SSL Certificate, or
Kerberos/GSSAPI-based authentication (with Kerberos, configure it so
a SSH client can only authenticate by first holding a Kerberos ticket,
instead of the default of allowing client to enter a password and
server to obtain a ticket on client's behalf).

It's really hard to guess a valid 2048-bit DSA key by brute force
(a lot harder than guessing the average 8-character password).
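
The remark above that fail2ban or SSH rate limiting do not stop distributed brute-force attempts can be seen by running a per-source threshold and an aggregate per-account check over the same sshd log. This is an added example, not part of the original thread; the log lines are constructed (RFC 5737 documentation addresses), and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH failed-password line as it appears in auth.log / secure.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2010):
    """Return sorted (timestamp, source_ip, username) tuples for failed logins."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return sorted(events)


def per_ip_bans(events, max_retry=5, find_time=timedelta(minutes=10)):
    """Per-source rule in the style of fail2ban: ban after max_retry failures."""
    recent = defaultdict(list)
    banned = set()
    for ts, ip, _user in events:
        recent[ip] = [t for t in recent[ip] if ts - t <= find_time] + [ts]
        if len(recent[ip]) >= max_retry:
            banned.add(ip)
    return banned


def distributed_alerts(events, min_sources=8, window=timedelta(minutes=10)):
    """Flag accounts hit from many distinct sources inside one window,
    even when every source stays under the per-IP threshold."""
    by_user = defaultdict(list)
    for ts, ip, user in events:
        by_user[user].append((ts, ip))
    alerts = {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            sources = {ip for _, ip in hits[start:end + 1]}
            if len(sources) >= min_sources:
                alerts[user] = max(alerts.get(user, 0), len(sources))
    return alerts


def build_sample_log():
    """Constructed sample log, not real traffic."""
    base = datetime(2010, 1, 30, 0, 0, 0)

    def failed(ts, user, ip, invalid=False):
        who = f"invalid user {user}" if invalid else user
        return (f"{ts:%b %d %H:%M:%S} gw sshd[4242]: Failed password for "
                f"{who} from {ip} port 50022 ssh2")

    lines = []
    # One noisy source: 6 guesses in under a minute.
    for i in range(6):
        lines.append(failed(base + timedelta(seconds=10 * i),
                            "admin", "198.51.100.7", invalid=True))
    # Distributed guessing: 12 sources, 2 guesses each against root.
    for n in range(12):
        for k in range(2):
            ts = base + timedelta(seconds=15 * n + 180 * k)
            lines.append(failed(ts, "root", f"203.0.113.{n + 1}"))
    # A legitimate user mistyping once, then logging in with a key.
    lines.append(failed(base + timedelta(minutes=3), "alice", "192.0.2.10"))
    lines.append("Jan 30 00:04:00 gw sshd[4242]: Accepted publickey for alice "
                 "from 192.0.2.10 port 50022 ssh2")
    return lines


def analyse(lines):
    events = parse_failures(lines)
    return per_ip_bans(events), distributed_alerts(events)


if __name__ == "__main__":
    banned, alerts = analyse(build_sample_log())
    print("per-IP bans:", sorted(banned))
    print("distributed alerts (user -> distinct sources):", alerts)
```

On the sample, the per-source rule bans only the single noisy address, while the aggregate check reports the 24 guesses against root that arrived from 12 sources at two attempts each.
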

  





Re: Linux shaping packet loss

2009-12-08 Thread Bret Clark
Won't say I'm an expert with TC, but anytime I see packet loss on an 
interface I always check the interface itself...10% packet loss is 
pretty much what you would get if there was a duplex problem. I always 
try to hard set my interfaces on both the Linux machines and Switches.


Bret


Chris wrote:

Hi All,

It would be appreciated if anyone using TC on Linux for shaping could please
help with an intermittent problem on an egress interface.

I'm seeing about ten per cent of packet loss for all classes at seemingly
quiet times and random parts of the day using about forty classes and
250Mbps. I've isolated it to the egress HTB qdisc.

Any TC experts out there have a spare minute please ? Any thoughts on the
RED qdisc ?

Thanks very much,

Chris
  





Re: SPF Configurations

2009-12-04 Thread Bret Clark
If the customer insists on using their domain, then you would have to 
have the customer set up an SPF record within their domain that points to 
your email server IP blocks. I would just tell your customer that if 
they insist on using their FROM domain, to help get past someone's 
spamming system the customer is going to have to add an SPF record to 
their domain similar to the following:


[customer domain].com. IN TXT "v=spf1 a mx ip4:[your IP block]"

Putting an SPF record in your DNS record will have no effect on spamming 
software. SPF is basically another form of reverse DNS at the mail level.


Bret

Jeffrey Negro wrote:

Thanks for your input on this.  My main concern is mail filters at the
end users side thinking that our mail servers are spoofing our
customer's domain.  I'll check into MAAWG as well

Jeffrey Negro, Network Engineer
Billtrust - Improving Your Billing, Improving Your Business
www.billtrust.com
609.235.1010 x137
jne...@billtrust.com

-Original Message-
From: Joe St Sauver [mailto:j...@oregon.uoregon.edu] 
Sent: Friday, December 04, 2009 11:25 AM

To: Jeffrey Negro
Subject: Re: SPF Configurations

#Some customers insist on
#making the FROM address use their domain name, but the emails leave our
#mail servers on our domain.  


Then your IPs or outbound mail servers should be listed on the customer's
SPF record... assuming they also send their own mail, they obviously also
want to list their own mail servers.

#SPF seems to be the way we could possibly avoid more spam filters, 


SPF only provides a way of avoiding spoofing, it does not necessarily
enhance your IP reputation or your domain reputation

#and delivery rate is very important to our company.

Are you involved with MAAWG? (see www.maawg.org)

Regards,

Joe
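
How a receiving server evaluates a record of the shape discussed in this thread, for a third party sending with the customer's FROM domain, is sketched below. This is an added example, not code from the thread: it covers only the `a`, `mx`, `ip4`, `ip6` and `all` terms of RFC 7208, takes the `a`/`mx` lookups from a dict instead of DNS, and uses constructed documentation addresses and hypothetical function names.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, resolved=None):
    """Evaluate one SPF record against the connecting IP (subset of RFC 7208).

    resolved: dict with "a" and "mx" address lists for the domain, standing in
    for the DNS lookups a real verifier performs (assumption of this example).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    resolved = resolved or {}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version != int(name[2]):
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name in ("a", "mx") and not arg:
            hosts = resolved.get(name, [])
            if any(ip == ipaddress.ip_address(h) for h in hosts):
                return QUALIFIERS[qualifier]
        else:
            # include:, exists:, redirect=, macros etc. need DNS; out of scope here.
            raise ValueError(f"unsupported term: {term!r}")
    # No term matched and the record has no "all": the default result is neutral.
    return "neutral"


# Constructed scenario: the customer's own hosts and the provider's outbound block.
CUSTOMER_DNS = {"a": ["192.0.2.10"], "mx": ["192.0.2.25"]}
PROVIDER_IP = "198.51.100.40"    # third-party mail server sending as the customer
UNRELATED_IP = "203.0.113.9"     # some other host using the customer's domain

BEFORE = "v=spf1 a mx -all"                         # provider not listed
AFTER = "v=spf1 a mx ip4:198.51.100.0/24"           # shape of the record in the thread
AFTER_STRICT = "v=spf1 a mx ip4:198.51.100.0/24 -all"


def demo():
    return {
        "provider_before": check_spf(BEFORE, PROVIDER_IP, CUSTOMER_DNS),
        "provider_after": check_spf(AFTER, PROVIDER_IP, CUSTOMER_DNS),
        "customer_mx_after": check_spf(AFTER, "192.0.2.25", CUSTOMER_DNS),
        "unrelated_after": check_spf(AFTER, UNRELATED_IP, CUSTOMER_DNS),
        "unrelated_strict": check_spf(AFTER_STRICT, UNRELATED_IP, CUSTOMER_DNS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
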

  





Re: news from Google

2009-12-03 Thread Bret Clark
For sure...everyone remembers the Bill Gates Borg picture, but at this
rate, Google will soon become the new poster child for that picture (or
something comparable).   

Bret


On Thu, 2009-12-03 at 10:48 -0800, Seth Mattinen wrote:

 No kidding. I must be the only one who is getting tired of seeing Google
 take over literally everything.
 
 ~Seth


Re: news from Google

2009-12-03 Thread Bret Clark

Brielle Bruns wrote:

Why is it that people start cracking out at the thought of Google 
offering a free service that people might have an actual use for and 
that is completely optional and used by choice?


It's a free service people!  No different than Hotmail, or Yahoo Mail, 
or Gmail, AOL Instant Messenger, MSN Messenger...  Use it if you want, 
but if you don't, so be it.  They're not holding a gun to your head.

Can you make that same statement when Google Chrome OS is released or 
future versions of Android are released?  It would be naive to think 
that Google wouldn't try to default the DNS to their services with those 
OS'...no for-profit company does something for free without an 
underlying motive.


I don't think people have problems necessarily with Google getting into 
all this stuff, but at some point, if whatever users are doing always 
has Google as an initial destination, it becomes a concern and I think 
that is the underlying argument for most people.


Just my 2 cents,
Bret



Re: Ethernet over DS3 Converters

2009-11-24 Thread Bret Clark
Long time ago I assisted on consultation for this device. Probably
provide what you are looking for:
http://www.zhone.com/products/ETHX-2200-DS3/


On Tue, 2009-11-24 at 07:31 -0500, Jason Rowley wrote:

 On Mon, Nov 23, 2009 at 3:25 PM, Brad Fleming bdflem...@kanren.net wrote:
  Hello all,

  My company is searching for some Ethernet over DS3 converters / adaptors for
  a specific installation. I see several options from Adtran, RAD-Direct, and
  a couple other (smaller) vendors and was wondering if anyone out there has
  suggestions or insights.

  Our needs are pretty simple:
  We'll need to pass multiple VLANs unless that's simply not possible.
  We'll need copper 10/100 interfaces on each side.


Re: earthlink sorbs

2009-11-23 Thread Bret Clark
Doesn't really say much, but blacklisted would certainly cause those
problems rather than just having server problems

http://www.dslreports.com/shownews/Earthlink-Suffers-From-Major-Email-Outage-105607


On Mon, 2009-11-23 at 18:29 +, chaim.rie...@gmail.com wrote:

 Same here
 
 Many bounces, started this weekend.
 
 
 Sent via BlackBerry from T-Mobile
 


Re: Password repository

2009-11-19 Thread Bret Clark
Don't recall if it was mentioned but we use a nice little app called MyPMS
http://lvoware.com/. Put it on an internal system and then people have
to access via a VPN connection to browse into it. That way if a person
is no longer with the company, then their VPN has been turned off and
they don't have access to it anymore.  The reason I like the app is it's
OS agnostic for the end user and keeps the data in an SQL DB. 

On Thu, 2009-11-19 at 14:07 +, gordon b slater wrote:

 On Wed, 2009-11-18 at 20:49 -0800, Darren Bolding wrote:
  Pwman
 
 ...which has the HUGE advantage of being CLI (so useable over SSH
 sessions from network devices) and has tagging for searching large
 databases of passes.  pwman3 is current version. For most OSs. 
 I've even used it looped through a multitude of nested VTY+SSH+screen
 sessions -  one of which was a Dropbear sshd and client on a 20$ plastic
 CPE - to save my sorry *ss
 
 For GUIs:-
 Keepassx for most OSs, and Keepass2.x on MS Windows
 Password Gorilla is a nice one for end-users, most OSs
 
 Bruce's Passwordsafe format is a somewhat de-facto standard for
 import/export. Keepass can do a lot of conversion for you. 
 Some shops use rsync to distribute the masters and set them readonly at
 filesystem - level though this tends to preclude regular rotation and
 updating. 
 
 Beware that some of the commercial offerings are trivially broken or
 otherwise borked for work use. ymmv
 
 Whatever you use dump the file to a flat file (crypted of course) and
 save a statically linked version of the app for those wow - what
 password app did we use way back in 2001? moments.
 
 Print a copy every month or so and store securely offsite too - all the
 usual caveats apply. Once you have a super-duper app for them you tend
 to crank the pw complexity up to a level where no-one can remember
 anything nor even recognise regular ones; it's mainly cut and paste,
 especially if you use X.
 
 
 Unless of course, the OP meant RADIUS pulling on LDAP, PAM, etc ? 
 
 Gord
 
 --
 rommon 3  You have reached the gateway of last resort. Abandon hope all
 ye who press enter here
 
 
 


Re: Policy News

2009-11-18 Thread Bret Clark
Yeah...because when the economy is sucking wind why not raise fees to
the consumer?!?!

Want to get broadband out to people, then deal with duopolies that many
of the regions in the country have...such as Verizon & Comcast! They are
the main barriers that cause grief in deployment, given a chance there
are any number of small businesses that could respond to a broadband
deployment faster, quicker and cheaper! Talk with any CLEC and they have
countless stories regarding the horrors of dealing with an ILEC.

Bret

On Wed, 2009-11-18 at 10:00 -0500, Justin M. Streiner wrote:

 
  The Federal Communications Commission Wednesday will lay out the case for
  expanding broadband Internet service, outlining current obstacles to making
  it widely available. The agency is considering whether to force Internet
  providers to share their networks with rivals and raise fees charged on
  consumer phone bills to pay for the broader access.


Re: Transit from Cogent - thoughts?

2009-11-11 Thread Bret Clark
Cogent has been brought up several times over the last year. I suggest
searching http://www.gossamer-threads.com/lists/nanog/users/  

Otherwise you've just reopened a can of worms again. 


On Wed, 2009-11-11 at 15:04 +, a...@baklawasecrets.com wrote:

 
  Contemplating using Cogent Communications for transit as pricing looks
 favourable.  Just trying to get a feel for what sort of a reputation they
 have in the network operators community.  I'm sure people have horror
 stories for every provider, but just trying to get a general idea of what
 sort of regard they are held in the community. 
 
 Thanks 
 
 Adel
  


Re: Speed Testing and Throughput testing

2009-11-03 Thread Bret Clark
True, we usually find Linux based machines work better running IPerf
than Windows (at least out of the box) because of the TCP window
size...well Windows XP at least, don't know about Vista or 7.

Jason Biel wrote:

Please take note with using iperf that you'll want to make sure the
appropriate TCP Window Size has been negotiated.  We recently did some
testing with systems that had decided to pick less than optimal window sizes
and in turn had to manually set the size within iperf options.

Jason

On Tue, Nov 3, 2009 at 4:01 AM, Benoit VANNIER benoit.vann...@apog.net wrote:


Hello,

Iperf is pretty good at this ... It's free


Ben


-Original Message-
From: Mark Urbach [mailto:mark.urb...@pnpt.com]
Sent: Monday, November 2, 2009 22:57
To: na...@nanog.org
Subject: Speed Testing and Throughput testing

Anyone have a good solution to get accurate speed results when testing at
10/100/1000 Ethernet speeds?

Do you have a server/software that customer can test to?



Thanks,
Mark Urbach
PinPoint Communications, Inc.
100 N. 12th St  Suite 500
Lincoln, NE 68508
402-438-6211  ext 1923  Office
402-660-7982  Cell
mark.urb...@pnpt.com


Re: Simple Change Management Tracking

2009-10-26 Thread Bret Clark
We use http://www.troubleticketexpress.com/ to do just that. While
it leans more towards being a customer support system, we've had no
problem using it as our internal provisioning/network maintenance
system too.

Basic, simple and ties into a SQL db.

Bret

Paul Stewart wrote:

Hi folks...



I'm just looking for some feedback ... we are looking for a *really*
simple Change Management ticket system.  All we want is a system that
does the following:



Technician opens ticket requesting a network level or server level
change outlining the brief details, severity level and date for work to
be performed.

Senior technical staff/management review and approve/deny

Technician completes change and records information in ticket to have it
closed off.



Ideal would be some kind of email notification option as well.



On the surface, this seems really simple but every option (open source
and commercial) wants to tie this into a MUCH larger package solution
which we don't need.  This is to manage approximately 6 people in a
specific group of the company.



Any input would be appreciated...



Paul
















Re: DMCA takedowns of networks

2009-10-24 Thread Bret Clark
BS to say the least...first the US Chamber of Commerce is not a 
government organization.  And even if there were what right does anyone 
have to tread on Freedom of Speech?!? Was there a court order?


I'd really be interested in knowing what strong arm tactic they used with HE.


William Allen Simpson wrote:
http://www.huffingtonpost.com/2009/10/23/chamber-of-commerce-stron_n_332087.html 



  Hurricane Electric obeyed the Chamber's letter and shut down the spoof
  site. But in the process, they shut down hundreds of other sites
  maintained by May First / People Link, the Yes Men's direct provider
  (Hurricane Electric is its upstream provider).

What's going on?  Since when are we required to take down an entire
customer's net for one of their subscriber's so-called infringement?

Heck, it takes years to agree around here to take down a peering to an
obviously criminal enterprise network

My first inclination would be to return the request (rejected), saying
it was sent to the wrong provider.






Re: IPv6 internet broken, Verizon route prefix length policy

2009-10-12 Thread Bret Clark
On Tue, 2009-10-13 at 09:40 +1100, Mark Andrews wrote:

  Verizon's policy has been related to me that they will not accept or
  propagate any IPv6 route advertisements with prefix lengths longer than
  /32.  Full stop.  So that even includes those of us that have /48 PI
  space from ARIN that are direct customers of Verizon.
 
 Looks like Verizon doesn't want any IPv6 customers.  If a company
 has idiotic policies like this vote with your wallet.


Unfortunately, not everyone always has that choice. 


Re: Beware: a very bad precedent set

2009-08-31 Thread Bret Clark
How does this stuff ever make it to court??? Why is it an ISP is
responsible for policing its customers? I'm constantly getting called
up from scammers trying to offer me bogus warranty insurance for cars
I don't own...does that mean I can sue Verizon because they are letting
scammers use their network?


It doesn't mention anything in the article, but I'm wondering if the
ISP received a court order to shut down the customer and ignored it,
then I can see why the ISP lost the case.

It will be interesting to see the court cases against ISP's that
don't shutdown other illegal activities once they have been notified.
abuse@ better not be a blackhole or you are putting yourself at risk
based on this.

Mark
  





Re: ATT and having two BGP peers

2009-07-10 Thread Bret Clark
Cancel the circuit...I know most of the providers I've worked with have 
a 90 satisfaction guarantee. Chances are if you cancel the circuit they 
will mysteriously find a way to work with you.


Warren Bailey wrote:

Threaten to twitter about it. Worked for the guy on myth busters.. ;)

- Original Message -
From: Jay Nakamura zeusda...@gmail.com
To: na...@merit.edu na...@merit.edu
Sent: Fri Jul 10 09:48:15 2009
Subject: ATT and having two BGP peers

We are getting an Ethernet DIA circuit from ATT but they insist that
they can't BGP peer with 2 routers on our side.  The WAN circuit can
only have /30 they say.  Has anyone been able to successfully talk
them in to bending their rule?  If so, how?

I know this should have been negotiated before signing a contract but
I was unfortunately not in the loop... :(

It seems like a ridiculous bureaucratic restriction.

  





Re: Wireless bridge

2009-06-19 Thread Bret Clark

Justin Sharp wrote:
I didn't read through all of the replies to see if this was suggested, 
apologies if it was.


http://www.solectek.com/products.php?prod=sw7kpage=feat

I implemented a PTP link at about 3 miles using these Solectek radios. 
I get 40Mbps consistently with TCP traffic and ~100Mbps UDP. This PTP 
link has literally been up for 3 years (in 2 weeks) without failing. I 
live in a 4 seasons state, so it's seen all sorts of weather over those
years. I have clean line of sight down the freeway for what it's worth.
It's natively powered via POE, power injector included. We run all
sorts of usual business application over this link, including about 30 
simultaneous VOIP channels, and have not had one issue with stability. 
I was also told by the VAR that sold us the product that a city nearby 
(can't remember which one) connects all of its municipal buildings 
with Solectek stuff and runs its VOIP infrastructure over it as well.


We run it in bridged mode with routers on each end, but it does 
support some rudimentary L3 stuff, static routing and RIP.


IIRC, they were not cheap (couple of 1k), but for us have definitely 
been much cheaper than private circuits from carriers of comparable 
throughput capacity.


Hope it's helpful.

--Justin

I have to say I did a double take on your speed claims. We use Solectek
all over the place and have yet to achieve those speeds on any of our
links. Not only that, Solectek engineers have told us that at a 108mbps
radio rate realistically you are only going to see 35mbps data
rate on a link that's just a mile apart; the further you go the less bandwidth
you will have.


Other than that, I agree they are nice radios and even include heaters
in them to help maintain temperatures above freezing during winter time
so that ice buildup doesn't cause a problem.


Bret



RE: Wireless bridge

2009-06-18 Thread Bret Clark
On Thu, 2009-06-18 at 09:34 -0700, John van Oppen wrote:

 -Original Message-
 From: Tim Huffman [mailto:t...@bobbroadband.com] 
 Sent: Thursday, June 18, 2009 9:27 AM
 To: nanog@nanog.org
 Subject: RE: Wireless bridge
 
  The line of sight is all clear, no trees. Only one building along the way
  has a rooftop of similar height, but the antennas are extended far above the
  roofline. We have used a rifle scope to confirm line of sight is all clear
  at all angles.
  
 
 Unfortunately, you can't necessarily rely on visual line of sight. At
 800meters, the Fresnel Zone on your radio is about 14ft in diameter at
 the midpoint. You need to make sure that this is free of obstructions.
 


Not only that, the radios may actually be screaming at each other at
those distances which will affect performance


Re: spamhaus drop list

2009-06-16 Thread Bret Clark

John Levine wrote:

Not that I've ever seen.  Nobody else has the breadth of data that
Spamhaus does.

I've been using it for ages and based on zero complaints, it's never
blocked anything that any of my users wanted.

R's,
John

  
I have to agree with this...I'm somewhat surprised to see some of the
comments here. I've found their service to work well and have never
received customer complaints.




Re: Cogent input

2009-06-11 Thread Bret Clark
I'm skeptical as to where this info came from since this seems nothing
more than nay-say? If people are going to make grandiose statements then
they should justify them with reputable evidence.  I would be extremely
surprised if Cogent engineering isn't working on an IPv6 plan or doesn't
have one already in place.

Bret


On Thu, 2009-06-11 at 10:37 -0400, Steve Bertrand wrote:

 Stephen Kratzer wrote:
 
  And, they have no plans to support IPv6.
 
 Ouch!
 
 I hope this is a non-starter for a lot of folks.
 
 Steve


Re: ISP best practices

2009-05-21 Thread Bret Clark
While BGP can become a rather complex protocol to implement as a network
grows, basic BGP peering between two providers isn't really that
complex...probably talking 10 config lines at most (excluding
bogon/filtering). The first thing you want to make sure is that your
upstream providers are implementing filtering, which most of the serious
providers do. That way all you can do is hurt yourself while keeping the
rest of us on the list here happy :).

It's best to get your own IP address space from ARIN if possible,
because if you use IP space from your upstream provider, it becomes a
nightmare to change over at a later date...IP renumbering is not fun!
That was the one mistake we made when we first started.

Personally I'm a fan of the do it yourself club...yeah you'll make
mistakes, but the hands-on approach is by far the best way to learn.

Bret


On Thu, 2009-05-21 at 06:38 -0700, Philip Lavine wrote:

 To all,
 
 I am sure this has been asked 10 to the 1 millionth power times, however maybe
 the rules have changed. I am looking to set up a really small ISP with a
 few /24's. I want to host DNS as well. Is there any whitepapers/howtos/best 
 practices on setting up multihomed BGP and DNS with BIND so I don't blow up 
 the Internet.
 
 Thx
 
 Philip