Re: (Slightly OT?) K8S Platform As A Service Recommendations

2021-04-08 Thread Charles N Wyble



On 4/7/21 11:38 PM, Raymond Burkholder wrote:
> On 4/7/21 9:16 AM, Charles N Wyble wrote:
> > Does anyone have a recommendation for a self-hosted, on premise,
> > platform as a service layer for k8s (specifically k3s)?
>
> FWIW:
>
> Maybe you don't need kubernetes:
> https://endler.dev/2019/maybe-you-dont-need-kubernetes/

I have considered not running k8s. I didn't run it for a long time. I 
kept an eye on developments and waited for it to mature.

However, with the amount of applications and services I am now needing to 
support, and the HA requirements and need for standardization etc., I 
don't know of a better option.

> Manually install a single node Kubernetes cluster on Debian
> http://meta.libera.cc/2021/03/manually-install-single-node-kubernetes.html
>
> Or run Salt or something and spin up LXC containers.




Sure, and how do I manage IP addresses? Ports? HA? Containers 
(LXC/docker) are the easy part (on a relative basis anyway!). It's the 
meta stuff around it that gets messy. The orchestration piece of the 
containers is the difficult part.



As I mentioned, we already have a mature stack outside the app runtime 
layer (for certs/LDAP/database etc). We just want applications/services 
on k8s. Minimize the complexity/blast radius! :)




(Slightly OT?) K8S Platform As A Service Recommendations

2021-04-07 Thread Charles N Wyble

Hello all,


I know this is primarily a networking list, but I know lots of server 
admins hang out here.


Does anyone have a recommendation for a self-hosted, on premise, 
platform as a service layer for k8s (specifically k3s)?


I have written up some context here:

https://github.com/TSYSGroup/docs-techops/blob/master/Applications/AppRuntimeLayerTodo.md

tl;dr: I have about 70 to 200 apps / (micro)services that will need to 
run across a handful of k3s servers. I already have HA 
database/networking/certificate/application load 
balancer/authentication stacks in production use. I am currently 
running the actual websites/applications on a single Ubuntu LAMP server 
and want to build out an HA runtime layer for all the 
properties/applications, and need a way to orchestrate k3s/metallb.


Rancher rio has come up a few times in my research:
https://bram.dingelstad.works/blog/finding-the-right-paas-for-k8s/



In addition to the web apps, I will also be running a number of 
R applications and CUDA enabled containers (across a mix of physical 
x86/jetson/tegra machines with k3s workers).


Suggestions/comments/questions/flames welcome :)

On or off list as you prefer.


Re: BCOP appeals numbering scheme -- feedback requested

2015-03-15 Thread Charles N Wyble
Use a git repository.
Make tagged releases. 

This enables far easier distributed editing, translating, mirroring etc. And 
you can still do whatever release engineering you want. 

A wiki is a horrible solution for something like this. 

On March 15, 2015 8:24:49 AM CDT, Rob Seastrom r...@seastrom.com wrote:

William Norton w...@drpeering.net writes:

 Agreed - Hence the “Current” in the title. Maybe the date of the
 document will be the key to let people know that they have the most
 current version.

The date of a single document is of scant use in determining its
currency unless there is some sort of requirement for periodic
recertification and gratuitous reissue of BCOPs (for instance,
anything with a date stamp more than 18 months in the past is
by definition invalid).  That seems like busy work to periodically
affirm that a good idea is still a good idea, and I don't volunteer
for this job.  :)

I'm on board for wholesale replacement of the document (with revision
history preserved) rather than the RFC series approach.

The wiki/living document approach others have suggested seems like a
poor one to me, for the same reason that I dislike the current trend
of there's no release tarball, major release, point release, or
regression testing - just git clone the repository in free software
development.  Releng is hard and thankless but adds enormous value and
serves as a forcing function for some level of review, cursory though
it may be.

-r



-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: What happened to Schprokits?

2015-03-14 Thread Charles N Wyble
Check out Trigger, which seems to be the most viable system:

https://trigger.readthedocs.org/en/latest/



On March 13, 2015 7:59:13 PM CDT, Pablo Lucena pluc...@coopergeneral.com 
wrote:
I have great hopes for Schprokits. The idea behind it is outstanding -
an
Ansible for networking. It must be tough though, integrating all major
vendor APIs seamlessly into a product. I have faith in Jeremy and his
team...hopefully they are close to shipping code =)

*Pablo Lucena*
On Fri, Mar 13, 2015 at 2:36 PM, Steve Noble sno...@sonn.com wrote:

 There are other stealth companies in the space. I still see activity on
 Twitter (favorites, etc) so I he is still active. We will see good
 things in the space.
 On Mar 13, 2015 11:31 AM, Adrian Beaudin adrian.beau...@nominum.com
 wrote:

  it looks like (according to linkedin) that Jeremy has moved to a
  stealth startup.
 
  -a
 
 
  Adrian Beaudin
  Principal Architect, Special Projects
  Nominum, Inc.
  o: +1.650.587.1513
  adrian.beau...@nominum.com
 
 
 
  
  From: NANOG [nanog-boun...@nanog.org] on behalf of Scott Whyte [
  swh...@gmail.com]
  Sent: Friday, March 13, 2015 11:09 AM
  To: nanog@nanog.org
  Subject: What happened to Schprokits?
 
  Schprokits was mentioned at NANOG63 but http://www.schprokits.com/
  doesn't look too good.
 
  What happened?
 





Re: [OT] Looking for dhs / fbi contact

2015-02-26 Thread Charles N Wyble
They are in the phone book. Call them. Or walk into a field office near you. 

Don't bother nanog with such a generic / teasing question, it's incredibly 
annoying. No one is going to provide you with a contact of any seriousness with 
such a generic query. 

On February 26, 2015 5:41:52 PM CST, jamie rishaw j...@arpa.com wrote:
Thanks for the off list reply. Oh, wait..
I was casting a wide net to fend off the you got something?ers but
without addressing your question my query stands
On Feb 26, 2015 3:43 PM, Bill Woodcock wo...@pch.net wrote:


  On Feb 26, 2015, at 1:16 PM, jamie rishaw j...@arpa.com wrote:
 
  obviously off list, but who are we kidding ;)

 Uh, which?  They're unrelated agencies with completely different
remits.

 -Bill









Re: Intrusion Detection recommendations

2015-02-14 Thread Charles N Wyble
Check out Security Onion. It's got a pretty nice suite of tools and can run a (or 
many) dedicated sensor system and communicate back to a central system.

As for SSL MITM, see the recent nanog thread for the full layer 2 to layer 8 
ramifications of that activity. 

For ssh mitm, I don't know of any tools. I'm looking for one. 

On February 14, 2015 12:57:29 PM CST, Jimmy Hess mysi...@gmail.com wrote:
On Sat, Feb 14, 2015 at 2:38 AM, Randy Bush ra...@psg.com wrote:

Bro, SNORT, SGUIL, Tcpdump, and Wireshark are some nice tools.

By itself, a single install of Snort/Bro is not necessarily a complete
IDS, as it cannot inspect the contents of outgoing SSL sessions, so
there can still be Javascript/attacks against the browser, or SQL
injection attempts encapsulated in the encrypted tunnels; I am not
aware of an open source tool to help you with SSH/SSL interception/SSL
decryption for implementation of network-based IDS.

You also need a hand-crafted rule for each threat  that you want Snort
to identify...
Most likely this entails making decisions about what commercial
ruleset(s) you want to use and then buying the appropriate
subscriptions.


 if you were comfortable enough with freebsd to use it as a firewall, you
 can run your traffic through, or mirror it to, a freebsd box running
 https://www.bro.org/ or
 https://www.snort.org/
 two quite reasonable and powerful open source systems

 randy
--
-JH




Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Charles N Wyble
There is no free lunch. If you want tools that end users can just use then 
buy Cisco. 

Otherwise you need to roll up your sleeves and take the pieces and put them 
together. Or hire people like me to do it for you. 

It isn't overly complicated in my opinion. Also you'll find plenty of 
reasonably priced Linux or BSD integration engineers out there across the globe 
who are used to doing this sort of thing. 

Now once you move beyond basic forwarding / high PPS processing (which seems 
mostly commodity now) and get into say 80gbps (40gbps full duplex) IPS, IP 
reputation, data loss prevention, SSL MITM, AV... well that requires some very 
beefy hardware. Can that be done on x86? I doubt it.

Tilera seems the way to go here. Newer FPGA boards can implement various CPU 
architectures on the fly. You also have CUDA. I hadn't seen Chelsio, I'm very 
excited about that. I'll have one in my grubby little hands soon enough. 

Transceivers are still horribly expensive. This is a major portion of the BOM 
cost on any build, no matter what software stack is putting packets onto them. 

It isn't so simple once you move beyond the 1gbps range and want the full feature 
set. And not in one box I think. Look at https://www.bro.org/ for interesting 
multi box scaling. 

On January 28, 2015 7:02:34 AM CST, Paul S. cont...@winterei.se wrote:
That's the problem though.

Everyone has presentations for the most part, very few actual tools that
end users can just use exist.

On 1/28/2015 08:02 PM, Robert Bays wrote:
 On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org wrote:

 My expertise, such as it ever was, is a bit stale at this point, and my
 figures might be a little off. But I think the general principle
 applies: think about the minimum number of x86 instructions, and the
 minimum number of main memory accesses, to inspect a packet header, do a
 routing table lookup, and enqueue the packet on an outbound interface. I
 can't see that ever getting reduced to the point where a generic server
 can handle 40-byte packets at line rate (for that matter, line rate is
 increasing a lot faster than speed of generic server these days).
 Using DPDK it's possible to do everything stated and achieve 10Gbps
 line rate at 64byte packets on multiple interfaces simultaneously. Add
 ACLs to the test setup and you can reach significant portions of 10Gbps
 at 64byte packets and full line rate at 128bytes.

 Check out Venky Venkatesan's presentation at the last DPDK Summit for
 interesting information on pps/CPU cycles and some of the things that
 can be done to optimize forwarding in a generic processor environment.

http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan







Re: gamer lag dashboard

2015-01-19 Thread Charles N Wyble
Ixia is very very expensive and has its own sets of fun, though it is a nice 
appliance for playing with packets. Though it's more for protocol compliance 
testing and load generation.

You'll find that protocol exploration and... h... exploitation is an 
incredibly mature field in FLOSS. 

https://code.google.com/p/ostinato/ would probably do what you need (since 
you'll basically be spending lots of time with pcap capture and replay). Once 
you get tired of spending expensive labor time on this project, you can throw 
some grad students, Xboxes and scapy in a room and have them automate the 
process for you. :-) 

Also check out http://www.pcapr.net/home (specifically pcapr on premise) to 
manage and analyze captured pcaps. Of course Security Onion must be considered 
if you want a more robust capture and management toolkit. AOL wrote something 
called Moloch, that's on my list of tools to play with this year.

The Wireshark wiki has many other things linked for pcap related play. 

My $dayjob involves supporting people who do horrible horrible things to 
packets and TCP stacks for fun and profit. So I've become very proficient with 
an extensive FLOSS toolkit around this stuff. With a bit of critical thinking 
and research, you'll be able to devise a strategy that works.

Also +1 for Zenoss. That is a fantastic NMS. Written in Python, so hooking up 
scapy to do periodic game latency checks would be slick and a natural fit. 

On January 19, 2015 5:18:38 PM CST, Josh Luthman j...@imaginenetworksllc.com 
wrote:
IXIA would be the first product to look at as far as emulating traffic.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Jan 19, 2015 at 6:16 PM, George Herbert
george.herb...@gmail.com
wrote:

 Emulating game traffic...  Good luck with that.  You'll probably have to
 figure it out and build your own models per service, though a lot is
 encapsulated in https.

 In terms of showing it to the public, look at Zabbix and Zenoss; both do
 dashboards and managing multiple realtime monitoring / performance info
 feeds well.

 George William Herbert
 Sent from my iPhone

  On Jan 19, 2015, at 2:10 PM, Michael O Holstein
  michael.holst...@csuohio.edu wrote:

  Can someone point me in the right direction for something that allows
  creation of a dashboard with current and statistical latency to the
  various game servers (PC, Xbox, PS4, etc) ? .. I'm in the education
  space and we get lots of questions/complaints about this and would like
  a way to make the stats public.

  I could roll something with RRD and Smokeping but with all the
  packet-shaping crapola (including that which we use here) I need
  something that emulates the actual game traffic as would be classified
  by all the network crap that endeavors to mess with it.

  (not intended to be an argument about QoS and prioritization, responses
  addressing either --or the politics thereof-- really aren't helpful).

  TIA,

  Michael Holstein
  Network & Data Security
  Cleveland State University





Re: gamer lag dashboard

2015-01-19 Thread Charles N Wyble
SSL is no problem. We just had a whole thread about breaking it. :-) 


On January 19, 2015 5:16:43 PM CST, George Herbert george.herb...@gmail.com 
wrote:
Emulating game traffic...  Good luck with that.  You'll probably have
to figure it out and build your own models per service, though a lot is
encapsulated in https.

In terms of showing it to the public, look at Zabbix and Zenoss; both
do dashboards and managing multiple realtime monitoring / performance
info feeds well.

George William Herbert
Sent from my iPhone

 On Jan 19, 2015, at 2:10 PM, Michael O Holstein
 michael.holst...@csuohio.edu wrote:

 Can someone point me in the right direction for something that allows
 creation of a dashboard with current and statistical latency to the
 various game servers (PC, Xbox, PS4, etc) ? .. I'm in the education
 space and we get lots of questions/complaints about this and would like
 a way to make the stats public.

 I could roll something with RRD and Smokeping but with all the
 packet-shaping crapola (including that which we use here) I need
 something that emulates the actual game traffic as would be classified
 by all the network crap that endeavors to mess with it.

 (not intended to be an argument about QoS and prioritization, responses
 addressing either --or the politics thereof-- really aren't helpful).

 TIA,

 Michael Holstein
 Network & Data Security
 Cleveland State University




Re: gamer lag dashboard

2015-01-19 Thread Charles N Wyble
As a zenoss plugin, I agree. 

On January 19, 2015 7:22:36 PM CST, Roland Dobbins rdobb...@arbor.net wrote:

On 20 Jan 2015, at 5:10, Michael O Holstein wrote:

 I need something that emulates the actual game traffic as would be 
 classified by all the network crap that endeavors to mess with it.

That sounds like a great open-source project - let us know when you're 
done!

;

---
Roland Dobbins rdobb...@arbor.net




Re: DDOS solution recommendation

2015-01-10 Thread Charles N Wyble
Also, how are folks testing DDoS protection? What lab gear, tools and methods are 
you using to determine the effectiveness of the mitigation? 

On January 8, 2015 11:01:47 AM CST, Manuel Marín m...@transtelco.net wrote:
Nanog group

I was wondering what you are using for DDOS protection in your networks. We
are currently evaluating different options (Arbor, Radware, NSFocus,
RioRey) and I would like to know if someone is using the cloud based
solutions/scrubbing centers like Imperva, Prolexic, etc and what are the
advantages/disadvantages of using a cloud based vs an on-premise solution.
It would be great if you can share your experience on this matter.

Thank you




Re: Incident notification

2014-11-28 Thread Charles N Wyble
Pushover and email to sms from both an inband and off site monitoring vm. 

On November 21, 2014 9:52:00 AM CST, Thijs Stuurman thijs.stuur...@is.nl 
wrote:
Nanog list members,

I was looking at some statistic and noticed we are sending out a
massive amount of SMS messages from our monitoring systems.
This left me wondering if there isn't a better (and cheaper)
alternative to this, something just as reliant but IP based. We all
have smartphones these days anyway.

Therefore my question, what are you using to notify admins of
incidents?

Kind regards,

Thijs Stuurman

IS Group
Wielingenstraat 8
1441 ZR Purmerend
T +31 (0)299 476 185
F +31 (0)299 476 288
i...@is.nl
www.is.nl

IS Group is ISO 9001:2008, ISO/IEC 27001:2005, ISO 20.000-1:2005, ISAE
3402 certified. The datacenters are PCI DSS and ISO 14001 compliant.






Re: EFF gets into the CPE router software business..

2014-07-25 Thread Charles N Wyble
Well yes. :)

Plenty of relatively inexpensive x86 based kit out there. Maybe with TPM? Never 
looked. Atom can push a good amount of packets. 

I am in the process of building an HCL for the various bits of the 
FreedomStack (CPE/distribution/core etc). My family is a very heavy internet 
user. Both directions. An Atom pfsense router and Netgear 3800 has done the 
trick. Now to package them up with a slick / simplified / turnkey configuration 
and not have people balk at the price.

I hadn't taken much security/TPM wise into account. Would be a good way to help 
folks deal with the  increased expense. NSA proof, Snowden endorsed! :)



On July 25, 2014 6:42:13 PM CDT, valdis.kletni...@vt.edu wrote:
On Fri, 25 Jul 2014 13:11:29 -0500, char...@thefnf.org said:
 On 2014-07-25 12:22, valdis.kletni...@vt.edu wrote:
  The second big challenge is that to the best of my knowledge, there exist
  no router-class hardware that includes a TPM chip,

 OpenWRT x86? Run it on a decently specced laptop a couple gens old (like
 a Dell Latitude 6500 or so). That's got TPM, plenty of ram.
 Of course you can run on a server board (Dell Poweredge or something). I
 prefer pfsense myself for full blown kit.

Yeah, but it's hard to justify a PowerEdge for a Joe Sixpack consumer CPE
(admittedly, I managed to leave that phrase out of 'router-class', mea
culpa).








Re: Peering Latency

2014-07-03 Thread Charles N Wyble
Is it Friday already? Or is this not a troll email? It's hard to tell. 

If it's not a troll: Put up some smokeping boxes. Graph it for a few nights. 
Gather details. Send us those. That is far more interesting/(damning?)

If it's a troll: *grabs popcorn and gets comfortable*. We've not had a good 
"zomg the pipes, they are teh fullz, woe is Netflix" (and the obligatory 
cgn/v6/software vs hardware router sub thread divergences). 

Very nicely struck balance sir! 


On July 2, 2014 11:19:07 PM CDT, Sam Norris s...@sandiegobroadband.com wrote:
Hey all - new to the list but not to the community...

Wondering if this is typical when there is too small of a pipe between
peering
arrangements:

From Level3 to Time Warner

  # ADDRESS        RT1   RT2   RT3   STATUS
  2 4.69.133.206   4ms   4ms   4ms
  3 4.69.153.222   9ms   4ms   4ms
  4 4.69.158.78    8ms   4ms   4ms   (L3)
  5 66.109.9.121  28ms  53ms  29ms   (TWC)   --
  6 107.14.19.87  30ms  28ms  28ms
  7 66.109.6.213  27ms  28ms  28ms
  8 72.129.1.1    32ms  32ms  32ms
  9 72.129.1.7    27ms  26ms  25ms
 10 67.52.158.145 28ms  29ms  31ms

From TWC to Level3

  # ADDRESS        RT1   RT2   RT3   STATUS
  2 24.43.183.34   5ms   5ms   6ms
  3 72.129.1.14    8ms   8ms   8ms
  4 72.129.1.2     6ms   8ms   8ms
  5 107.14.19.30   7ms   8ms   8ms
  6 66.109.6.4     8ms   8ms   8ms
  7 107.14.19.86   5ms   5ms   5ms
  8 66.109.9.122  34ms  33ms  31ms   (TWC)   --
  9 4.69.158.65   31ms  30ms  29ms   (L3)
 10 4.69.153.221  33ms  33ms  34ms
 11 4.69.133.205  32ms  32ms  31ms


I am showing, typically at night, a 20-40ms jump when hopping from Level3 to
Time Warner and back in Tustin, CA.  This does not happen when using Cogent or
other blended providers' bandwidth.   I believe they are probably stuffing too
many bits thru the peering there and wondering what's the best way to prove to
them both (we pay for both) that they need to fix it.

During non-peak traffic times these look normal (sub 10s).

Sam



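One way to turn the two traces above into an automated check, as an added example that is not part of the original thread: the code below parses traceroute-style lines (hop, address, three RTT samples, optional note), flags a hop whose median RTT rises by more than a threshold over the previous hop, and then classifies the jump as path latency (every later hop stays at the new level, as at TWC hop 8 above) or as one router answering ICMP slowly (later hops drop back). The sample traces are constructed; the first mirrors the quoted TWC to Level3 trace, the second uses documentation addresses.

```python
import re
from statistics import median

# Constructed sample mirroring the TWC -> Level3 trace quoted in the thread.
TWC_TO_L3 = """\
 # ADDRESS        RT1   RT2   RT3   STATUS
 2 24.43.183.34   5ms   5ms   6ms
 3 72.129.1.14    8ms   8ms   8ms
 4 72.129.1.2     6ms   8ms   8ms
 5 107.14.19.30   7ms   8ms   8ms
 6 66.109.6.4     8ms   8ms   8ms
 7 107.14.19.86   5ms   5ms   5ms
 8 66.109.9.122  34ms  33ms  31ms  (TWC)
 9 4.69.158.65   31ms  30ms  29ms  (L3)
10 4.69.153.221  33ms  33ms  34ms
11 4.69.133.205  32ms  32ms  31ms
"""

# Constructed counter-example (RFC 5737 documentation addresses): one hop
# answers slowly but the hops behind it do not, which is the ICMP
# rate-limiting signature rather than a congested link.
SLOW_ROUTER = """\
 1 192.0.2.1       1ms   1ms   1ms
 2 192.0.2.2      40ms  38ms  41ms
 3 192.0.2.3       3ms   3ms   4ms
"""

HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<addr>[0-9a-fA-F.:]+)\s+"
    r"(?P<rtts>(?:[\d.]+ms\s*)+)(?P<note>.*)$"
)


def parse_trace(text):
    """Return (hop, addr, [rtt_ms, ...], note) tuples. Header lines, blank
    lines and hops with no numeric RTT (e.g. '* * *') do not match the
    pattern and are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [float(x) for x in re.findall(r"([\d.]+)ms", m.group("rtts"))]
        hops.append((int(m.group("hop")), m.group("addr"), rtts,
                     m.group("note").strip()))
    return hops


def find_jumps(hops, threshold_ms=15.0):
    """Flag each hop whose median RTT exceeds the previous hop's median by
    more than threshold_ms. Using the median blunts a single slow probe
    (hop 5 in the quoted L3 -> TWC trace read 28/53/29ms)."""
    jumps, prev = [], None
    for hop, addr, rtts, note in hops:
        cur = median(rtts)
        if prev is not None and cur - prev[1] > threshold_ms:
            jumps.append({"from_hop": prev[0], "to_hop": hop, "addr": addr,
                          "delta_ms": round(cur - prev[1], 1), "note": note})
        prev = (hop, cur)
    return jumps


def sustained(hops, jump, tolerance_ms=5.0):
    """True when every hop after the jump keeps (within tolerance) the
    jumped RTT level: the delay sits on the path, not only on the one
    router that was slow to answer. False when no later hop exists to
    confirm it."""
    level = next(median(r) for h, _, r, _ in hops if h == jump["to_hop"])
    later = [median(r) for h, _, r, _ in hops if h > jump["to_hop"]]
    return bool(later) and all(m >= level - tolerance_ms for m in later)


def analyze(text, threshold_ms=15.0):
    """Parse a trace and label each flagged jump 'path' or 'router'."""
    hops = parse_trace(text)
    return [dict(j, kind="path" if sustained(hops, j) else "router")
            for j in find_jumps(hops, threshold_ms)]


if __name__ == "__main__":
    for name, trace in (("TWC->L3", TWC_TO_L3), ("slow router", SLOW_ROUTER)):
        for j in analyze(trace):
            print(f"{name}: hop {j['from_hop']}->{j['to_hop']} {j['addr']} "
                  f"+{j['delta_ms']}ms {j['note']} [{j['kind']}]")
```

Running this over traces collected every few minutes over several nights, and keeping only 'path' jumps, gives the kind of timestamped evidence the reply above asks for.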


Re: Next steps in extortion case - ideas?

2014-06-30 Thread Charles N Wyble
Sue him for slander? 

Contact the US DOJ and request extortion charges be filed? I mean if someone 
was committing a crime against me, I'd certainly be in contact with law 
enforcement to have charges filed and a warrant out for arrest. 

You shouldn't have called him. He has certainly changed his phone number. He 
also now most likely has your personal phone number. 

Contact law enforcement. That's what you should have done instead of calling him. 
I'd also consult your attorney. Ironically enough, the person you contacted 
could potentially try and turn the tables on you. Did you record the telephone 
conversation? 

On June 28, 2014 9:32:15 AM CDT, Markus unive...@truemetal.org wrote:
Hi list,

nothing operational here, but there are many smart minds on this list 
and people working for telcos, ISPs and law enforcement agencies, so 
maybe you are willing to give me some advice in the following case:

There's an individual out there on the web that has been blackmailing 
hundreds of people and companies in a specific area of business for 
years. His scheme is: 1. Contact the alleged debtor via e-mail and 
inform him about an existing debt claim by a third party. 2. Offer the 
debtor a deadline to pay the debt and warn the debtor if he shouldn't 
pay he'll be prosecuted and his case will be made public. 3. Once the 
deadline has elapsed, he'll publish completely false information made 
out of thin air on the web, in particular Facebook, Twitter, a blog, a 
website, including pictures of the debtor and serious accusations like 
"This debtor is a child molester" or "This debtor is part of the mafia" 
and other crazy stuff that you can usually only see in movies. All of 
course with real names, company information (if applicable) and 
basically everything he can find out about the debtor. 4. Then, the 
individual hopes that the debtor will be intimidated because the debtor 
is afraid of the false information about him, which will show up on 
Google etc., and will finally pay to get this false information removed 
from the web.

In all cases the published background information about the debtors is 
false, made out of thin air, and over the top. Just the names and 
pictures are correct. Intentional slander in order to get the debtor to 
pay. If any of the published information was true, then every 2nd debtor 
would be a child molester and every other debtor part of the mafia.

That individual is hiding his real identity really well, obviously, and 
he knows what he's doing. Domain hosted in Russia, taking good care his 
IP address won't show up in the mail headers, using false names and 
identities, phone numbers registered through some DID provider who 
doesn't collect personal information about the DID owner etc.

I am one of the accused and had lots of false information about myself 
and my company published by him. This is why I started to have an 
interest to track his real identity down. I took 2 days out of my life 
and researched high and low and finally found his personal phone number 
along with a name, a picture of him and several possible addresses (in 
the US).

I cannot be sure that the name, picture and addresses are correct, but I 
called him on his personal phone number and after having spoken with him 
before under his false identity, I can confirm that it's the same person 
(the voice is the same). He was quite surprised to say the least.

In case it matters, according to a LRN lookup the number belongs to 
Omnipoint Communications, which is part of T-Mobile USA, I think.

My idea is to somehow confirm his identity and confirm my research by 
matching the voice of the false identity (available from a message he 
left on my voicemail and also from his voicemail intro) to the real 
person. I'm thinking about hiring a private investigator in the US (I'm 
in Germany) to drive up to the addresses I can provide the PI with and 
find the person that matches the voice / maybe even the picture. The PI 
then must document the outcome in a way that it can be used in court. 
I'm wanting to go the PI route because it will be the fastest way to 
possibly gather evidence, I assume, as opposed to commissioning a lawyer 
who will then in turn contact law enforcement etc.

Unfortunately I do not have the authority to access the personal data of 
the person that pays the monthly bill for the phone number that I called 
him on, otherwise that would be the fastest way I suppose. I spent money 
for some pay-sites that do some reverse phone lookup and stuff like 
that, and although the information was helpful, I cannot be sure that 
it's accurate.

My goal is to confirm his real identity/name and address in order to 
start a lawsuit and have a lawyer, or maybe even law enforcement, 
investigate this case and ultimately, put an end to his slander 
activities, not just for my case but for all hundreds before me and 
those which are to come in the future.

Do you think the PI route makes sense? Any other 

Re: What Net Neutrality should and should not cover

2014-05-04 Thread Charles N Wyble


On 4/27/2014 3:30 PM, John Levine wrote:

That is, with CATV companies like HBO have to pay companies like
Comcast for access to their cable subscribers.


In a non-stupid world, the cable companies would do video on demand
through some combination of content caches at the head end or, for
popular stuff, encrypted midnight downloads to your DVR, and the
cablecos would split the revenue with content backends like Netflix.


So why hasn't someone like HE or Cogent done this? Especially for 
delivery into campus/corporate environments (which is a decent amount of 
the customer base for the smaller providers I think). Seems like a 
good market opportunity.


I happen to be quite interested in optimizing video delivery (triple 
play, and streaming content) to an access network in Kansas City.


For streaming, I know that Netflix has:
https://www.netflix.com/openconnect that I can stick in the colo that 
the access network already backhauls to.


Does Amazon have something like this? Hmmm maybe we can just peer 
with them at the nearest AWS POP. What are folks doing for optimizing 
Amazon streaming?


As for the traditional content  (hbo etc), my understanding is these can 
be accessed via wholesale agreements? Satellite downlink (lots of cheap 
real estate where I could have a downlink station), then I just need to 
be able to send it to my IPTV distribution fabric (fiber/ long range 
microwave whatever). Though I understand there is much DRM involved, and 
I don't know anything about any accounting / viewer reporting that might 
be required.


So it really seems to me, that even with an established competitive 
access network (located in Kansas City MO) , if I want to offer 
streaming/TV content (and have all the pain that the big boys have) I 
might not be able to do it? I can of course peer with netflix and deploy 
one of their fancy appliances.


See, all of this is so locked up and unclear. It's very intractable 
to me. I am curious about even generalities of how this all works, where 
the pain points are etc.  I suppose the incumbents are annoyed with 
folks cutting the cord and bypassing that nice set of carefully 
engineered video delivery plant, for that pesky ip based stuff (but 
maybe keeping the ISP portion of the service)? Why don't the access 
network providers just raise the internet portion of the cost to match 
the lost revenue? Or work out a Pay Per View type deal with netflix? 
(Like you can buy apps via your cell phone provider, why don't 
netflix/time warner work out a Pay Per View that you could get on your 
monthly bill)?


It all seems very complicated to me.  Why not just work out deals with 
netflix behind the scenes to help cover port upgrade costs or 
something?  Instead of all this circus nonsense.  That way, you would 
get your costs covered (by the people who are forcing you to incur that 
cost), and you would still get your monthly transit revenue.


If I work on a particular project for a specific customer, I bill that 
customer for my incurred expenses. No one outside of me and the customer 
knows that, or needs to know that. I still bill them a recurring 
(hourly/monthly whatever) rate, and I bill them for one time expenses.



But this world is mostly stupid, the cable companies never got VOD, so
you have companies like Netflix filling the gap with pessimized
technology.  (I do see that starting tomorrow, there will be a Netflix
channel on three small cablecos including RCN, delivered via TiVo,
although it's not clear if the delivery channel will change.)


Yeah that was interesting. I'm curious how that actually works. Will it 
be an app on the set top box?




The other issue is that due to regulatory failure, cable companies are
an oligopoly, and in most areas a local monopoly, so Comcast has the
muscle to shake down Internet video providers.  That's not a technical
problem, it's a political one.  In Europe, where DSL is a lot faster
than here, carriage and content are separate and there are a zillion
DSL providers.  We could do that here if the FCC weren't so spineless.


Yes. Agreed.

I'm (with the Free Network Foundation https://www.thefnf.org) helping 
folks in KC and Austin build alternative access networks (using wifi, 
backhauled to neutral NAP locations).  That seems to be the only viable 
option in the US.


Someone with IP clue @Suddenlink please contact me

2014-04-22 Thread Charles N. Wyble

Hello all,

Anyone from Suddenlink on this list? If so, please contact me unicast.

I'm seeing some very significant issues originating in your network
core and want to get them sorted out. The normal channels haven't been
helpful. Yes I'm a downstream customer.

Thanks!
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-END PGP SIGNATURE-



Re: subrate SFP?

2013-08-31 Thread Charles N Wyble
On HP ProLiant Gen8 servers with management and iLO on the same port, with the 
server off the ports show up as 100 Mbps. 

Jimmy Hess mysi...@gmail.com wrote:
On Fri, Aug 30, 2013 at 6:42 AM, Jamie Bowden ja...@photon.com wrote:

  From: Saku Ytti [mailto:s...@ytti.fi]
 Considering that Dell and HP at least are shipping brand new hardware with
 IPMI/BMC/iLO/whatever management ports that can only speak 100mbit when
 every other Ethernet interface in the box at least gigabit, having a useful
 way to talk to that port without having to keep separate switching hardware
 around would be nice.  I'm not holding my breath, but you know, along with
 a pony, this would be nice.


Eh?   That may have been the case a few years ago,  but  HP ILO4 and
iDRAC7  specifically list  10/100/1000 even when using in  dedicated port
mode.

And even in prior versions,  you could have the port linking up at 1Gbps,
by operating the management in Shared port mode  (Sharing the management
with the server's Eth0).

I expect  over time: support for linking up at 10/100 will get rarer and
much more expensive.


The niche status a 10/100 media converter as an SFP  would have if produced
 is likely to mean it would retail at $2000+ per port device.


It probably just makes more sense to go find an old obsolete  top of rack
switch,  like a Cat3750  to get the small fraction of legacy copper ports
required for  out of band network and server management, which:  by the
way,   should be part of a separate switching infrastructure anyways, to
increase the chance it stays operational and useful for troubleshooting, in
the event the production network experiences outage or has other issues
requiring diagnosis.



 Jamie

-- 
-JH

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Parsing Syslog and Acting on it, using other input too

2013-08-29 Thread Charles N Wyble
Yes. Logstash shipper on your syslog proxy, forward to elasticsearch. Graylog2 
is very cool. Tried kibana and didn't care for it.

Actually setting up graylog2 right now to do AD authentication.  

So workflow is

End device -> syslog-ng VM -> graylog2/elasticsearch VM and other destinations 
(IT corp security cloud for stuff they want to track, observium for anything 
matching my network gear hostname pattern, etc).

I have the middle syslog-ng box so I can have great control over where certain 
hosts ultimately send data. However that system can be used in any template, if 
I don't filter it just gets dumped to graylog.

Kevin Stone kst...@inetlabs.net wrote:
Look at Logstash, http://logstash.net.

Rsyslog can do a bit, on Windows you could look at the Solarwinds Kiwi
syslog server.


On Thu, Aug 29, 2013 at 9:10 AM, Jason Biel ja...@biel-tech.com wrote:

 You should look into SPLUNK (http://www.splunk.com/), it will collect/store
 your syslog data and you can run customized reports and then act on them.


 On Thu, Aug 29, 2013 at 8:03 AM, Kasper Adel karim.a...@gmail.com wrote:

  Hello.
 
  I am looking for a way to do proactive monitoring of my network, what I am
  specifically thinking about is receiving syslog msgs from the routers and
  the backend engine would correlate certain msgs with output/data that i am
  receiving through SSH/telnet sessions. What i am after is not exposed to
  SNMP so i need to do it on my own.
 
 
  I am sure there are many tools that can do parsing of syslog and acting
  upon it but i wonder if there is something more flexible out there that I
  can just re-use to do the above ? Please point me to known public or
  home-grown scripts in use to achieve this.
 
  Regards,
 
  Sam
 



 --
 Jason


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
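The relay-in-the-middle workflow described in this reply (every host dumped to graylog2 by default, network gear additionally sent to the NMS, security-relevant events additionally sent to the corporate security team) modelled in plain Python so the routing rules can be tested offline. This is an added example, not code from the original post, from syslog-ng or from Graylog2; the hostname pattern, the destination names and the sample log lines are all constructed.

```python
"""Fan syslog messages out from a central relay to per-purpose destinations.

Added example (not from the list post, syslog-ng or Graylog2): a small
RFC 3164 parser plus routing rules that mirror the thread's workflow.
The hostname pattern, destinations and sample lines are constructed.
"""
import re
from collections import defaultdict

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed stand-in for "my network gear hostname pattern".
NETWORK_GEAR_RE = re.compile(r"^(rtr|sw|fw)-\d+\.", re.IGNORECASE)

# Syslog facility codes 4 (auth) and 10 (authpriv) carry login/sudo events.
SECURITY_FACILITIES = {4, 10}

DEFAULT_DEST = "graylog2"  # everything lands here unless filtered out


def parse_syslog(line):
    """Return a dict of fields for one line, or None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 8 * 23 + 7 is the highest legal PRI value
        return None
    rec = m.groupdict()
    rec["facility"] = pri >> 3
    rec["severity"] = pri & 7
    return rec


def destinations_for(rec):
    """Decide where one parsed record should be forwarded."""
    dests = {DEFAULT_DEST}
    if NETWORK_GEAR_RE.match(rec["host"]):
        dests.add("observium")
    if rec["facility"] in SECURITY_FACILITIES:
        dests.add("corp-security")
    return dests


def fan_out(lines):
    """Route a batch of raw lines.  Unparseable lines are kept under
    'unparsed' so a malformed sender is visible rather than silently lost."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            out["unparsed"].append(line)
            continue
        for dest in destinations_for(rec):
            out[dest].append((rec["host"], rec["tag"], rec["msg"]))
    return dict(out)


# Constructed sample input: an auth failure on a server, a link flap on a
# router, a key-based login on a switch, and one line that is not syslog.
SAMPLE_LINES = [
    "<34>Aug 29 09:10:01 srv01.example.net sshd[2112]: Failed password for "
    "invalid user admin from 192.0.2.10 port 51342 ssh2",
    "<189>Aug 29 09:10:05 rtr-01.example.net %LINK-3-UPDOWN: Interface "
    "GigabitEthernet0/1, changed state to down",
    "<86>Aug 29 09:10:07 sw-02.example.net sshd[777]: Accepted publickey for "
    "netops from 192.0.2.20 port 40022 ssh2",
    "garbage that a broken sender emitted",
]


if __name__ == "__main__":
    for dest, msgs in sorted(fan_out(SAMPLE_LINES).items()):
        print(f"{dest}: {len(msgs)} message(s)")
        for entry in msgs:
            print("   ", entry)
```

The two routing rules are deliberately additive: a switch's sshd login goes to graylog2, observium and the security destination at once, which is the "and other destinations" behaviour the reply describes, and anything the parser rejects is counted rather than dropped so a misbehaving sender shows up in the relay's own statistics.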


Re: WaPo writes about vulnerabilities in Supermicro IPMIs

2013-08-25 Thread Charles N Wyble
If you are OK with USB Ethernet for one interface, check out the TP-Link 
WR703N. It's powered via USB, has a USB and an RJ45 jack, and runs OpenWrt. 

Leo Bicknell bickn...@ufp.org wrote:

On Aug 15, 2013, at 9:18 PM, Brandon Martin lists.na...@monmotha.net
wrote:

 As to why people wouldn't put them behind dedicated firewalls, imagine
 something like a single-server colo scenario. 

I have asked about this on other lists, but I'll ask here.

Does anyone know of a small (think Raspberry Pi sized) device that is:

  1) USB powered.
  2) Has two ethernet ports.
  3) Runs some sort of standard open source OS?

You might already see where I'm going with this, a small 2-port
firewall device sitting in front of IPMI, and powered off the USB bus
of the server.  That way another RU isn't required.  Making it fit in
an expansion card slot and using an internal USB header might be
interesting too, so from the outside it wasn't obvious what it was.

I would actually like to see the thing only respond on the USB side,
power + console, enabling consoling in and changing L2 firewall rules. 
No IP stack on it what so ever.  That would be highly secure and
simple.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


RE: which firewall product?

2013-07-30 Thread Charles N Wyble
Not sure how BSD handles IPIP connections. If it breaks them out as a dedicated 
interface (like it does for OpenVPN connections), then rules can be applied 
and pfSense would be quite useful. The UI is very simple. 

Warren Bailey wbai...@satelliteintelligencegroup.com wrote:
Look into pfSense. It's rock solid and BSD based, and can be purchased
as an appliance (both real and VM).


Sent from my Mobile Device.


 Original message 
From: William Herrin b...@herrin.us
Date: 07/30/2013 1:02 PM (GMT-08:00)
To: nanog@nanog.org
Subject: which firewall product?


Hi folks,

I'm trying to identify a firewall appliance for one of my customers.
The wrinkle is: it has to be able to inspect packets inside an IPIP
tunnel and accept/reject based on IP address, TCP port number and
standard things like that. On the packet carried *inside* the IPIP
tunnel packet.


From what I can tell, the Cisco ASA can't do this.

Linux iptables can (with the u32 match module) but the customer wants
an appliance, not a server.

What appliances do you know of that can do this? Is there a different
Cisco box? A Juniper firewall? Anything else?

Thanks in advance,
Bill Herrin


--
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: 48V DC Terminal server recommendations

2013-07-24 Thread Charles N Wyble
I just use SSH to ip:portnum. Used the web UI for initial setup. Never used an 
applet. Didn't know one existed.

This is on an ACS48 model. I forget the PDU model (Cyclades i-something); they 
just daisychain off the ACS and you can hit a key combo to powercycle.



david peahi davidpe...@gmail.com wrote:
We have used the Avocent console/power terminal servers for several years.
Although the browser interface is cluttered, and the use of Java sometimes
poses connectivity challenges, Avocent is a useful console server for all
types of devices, and has the ability to remotely power-cycle AC and DC
devices.
Avocent devices meet your specs (-48V PS, NEBS compliance).

Regards,

David


On Wed, Jul 24, 2013 at 7:59 AM, Jeremy Bresley b...@brezworks.com wrote:

 Looking for recommendations on a good terminal server to put into a telco
 colocate facility.

 Requirements:
 8-16 ports for Cisco console access (RJ-45s preferred, DB9s if we have to)
 -48V DC power
 USB/internal modem for OOB access
 NEBS Level 1 (or better) compliance.

 So far I've found Perle has several models that meet 3 out of 4, but none
 that meet all the requirements.  The only OpenGear boxes we're seeing with
 DC power is a little 4 port unit and they don't mention NEBS compliance.
  Lantronix mentions DC power for their SLC line, but doesn't mention
 anything about NEBS compliance either.

 Anybody have any recommendations for one they've used that meets all 4 of
 those requirements?

 Thanks!

 Jeremy TheBrez Bresley
 b...@brezworks.com



-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: OOB core router connectivity wish list

2013-01-10 Thread Charles N Wyble
I have a Cyclades acs-48 console server. Direct power and Ethernet drop from 
the ceiling with a public ip. In my subnet, but not through my routers/switches 
or pdus. Completely out of band, except for relying on colo power/net, which if 
that's not up then oob is worthless to me anyway.

I have every device hooked to this. Pdus, routers, switches, vm, storage 
servers.  That allows me to get console and power cycle every device. 

What more would I want? Dialup means I need to be in a place I can hook up a 
modem. Not too many of those. If I make a configuration mistake,  need to 
reboot a box etc, I want to be able to access my kit from anywhere with ip 
connectivity.

If power or network in the colo is down, then oob does me no good, and I have a 
dr site for that scenario. That dr site also monitors production and emails my 
sms address. 



Michael Thomas m...@mtcc.com wrote:

On 01/10/2013 07:02 AM, Jared Mauch wrote:
 On Jan 10, 2013, at 9:51 AM, Mikael Abrahamsson swm...@swm.pp.se
wrote:

 I certainly want to use something more modern, having run Xmodem to
load images into devices or net-booted systems with very large images
in the past…

 I've seen all sorts of creative ways to do this (e.g.: DSL for OOB,
3G, private VPLS network via outside carrier).  It is a challenge in
the modern network space.  Plus I have to figure that 9600 modems are
going to be harder to find as time goes by.. at some point folks will
stop making them.



Isn't the biggest issue here resilience? If you have ethernet/IP as your
OOB mechanism, how sure can you be that it's really OOB? This is,
I'm assuming the fallback for when things are really, really hosed.
What would happen if you needed to physically get hands into many,
many pops?

Mike

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


Re: IP Address Management IPAM software for small ISP

2012-12-20 Thread Charles N Wyble
Zenoss works very well as a cmdb. 

George Herbert george.herb...@gmail.com wrote:

On Thu, Dec 20, 2012 at 7:48 PM, Jimmy Hess mysi...@gmail.com wrote:
...

 But is there a decently scalable open source application for building
 a CMDB,  that is  visually appealing and efficient for humans to use,
 without a ton of manual development;  other than custom building
 applications and SQL schema by hand,  for each kind of CI?

 I am not aware of one

I have not seen one, and I've been at places that have spent man-years
building custom apps and SQL schema by hand in the lack of an
available open source tool.


-- 
-george william herbert
george.herb...@gmail.com

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


Re: IPv6 support via Charter | Ideas on BGP Tunnel via HE

2012-04-11 Thread Charles N Wyble
On 04/11/2012 02:34 PM, Seth Mos wrote:


 I'm getting about 40mbit through the IPv6 tunnel, so i'd say it works well, 
 although the throughput has slowly been dropping to the 30's range over the 
 last 6 months. But that's probably because of the latency.

 For something that is provided for free I'm really glad we have it.

Indeed. It's pretty amazing what HE has put together.

 I should have peered with their UK PoP as it's much closer by latency, thus 
 faster.

Why don't you? Can you set up more than one peering?





ipv6 classful addressing with mesh?

2012-03-31 Thread Charles N Wyble
So I came across this post the other day and wanted to see what folks
think about it.

https://plus.google.com/u/0/109418153881180057361/posts/AvjZbbK6T7X

Here is the relevant portion:

*Got anything more specific than that to go on?*

Actually, yes. Although I still want community feedback on how the idea
can be improved.

Most mesh systems have pretty arbitrary ways of handing out IP
addresses, so I say, put a little logic into 'em, in a consistent way
that works well for routing between networks and across the existing
internet. An IPv6 address is composed of 8 chunks, each of which is 4
hex digits long. The first chunk should be something arbitrary but
unclaimed - anybody know if 00fd is taken? - which is used consistently
to indicate that this is a mesh-global address. The next two chunks are
the longitude and latitude, respectively, in whatever precision a chunk
affords across its respective scope. These first three chunks make up
the network prefix that defines one network as distinct from another.

How much geographical accuracy does this imply? Just enough to indicate
where the heart of a network is, or was traditionally. A chunk can
represent any number from 0-65534, because it can represent up to 65535
unique numbers and we start at 0. So, longitude can be expressed as a
number of degrees moved east of the prime meridian from 0-360. This
means the difference between each integer in a longitude chunk is
360°/65535, or .005493°. At the equator, where a degree represents the
longest distance, that works out to about .4 miles [1]. For any other
latitude, however, precision is better than that. Latitude, which goes
from -90 to +90, can be represented as a 0-180 number where the equator
is at 90, which works out to .002747° precision.

So, competing networks in the same area can have slightly different
network prefixes, while still each being more or less accurate (because
networks are big and amorphous) while the precision isn't enough to
pinpoint any individual node of the network, which I'd say is a happy
medium. Longitude comes first for easier routing, since inter-network
send it east or send it west questions seem more likely to me to come
up for most switches based on the geography of the continents and the
nature of the existing backbone ring of the internet.

The remaining chunks can be chosen according to whatever algorithm the
network administrators feel like. Idiot devices that aren't
consciously part of the mesh will generally just put up and shut up with
whatever DHCP gives them anyways, so that's not too concerning. If you
decide to use client MAC address as part of it, that only leaves chunk 4
left to be set, and you can use the first four digits of the md5 hash of
the MAC for that if you need something arbitrary yet deterministic.

Every network can have its gateways to the corporate internet, and be
accessible from the outside through them. That way, you can have
inter-mesh communication over existing internet in a lightweight way:
your packet routes to a gateway in your network, then across the tubes,
through a gateway at the destination network, and to the ultimate
destination. No packet encapsulation, no complex routing bullshit, just
point A to point B.

That's a simplistic overview, of course. It doesn't include shortcuts
like nodes that act as part of multiple, neighboring networks, thus
acting as gateways between the two. It doesn't consider IPv4 requests
and service, which will probably require an AYIYA-based tunnel
negotiation between the client and a gateway. But as a basic pattern, it
provides consistency and efficiency between independent networks, which
as far as I can see, is a vast deal more important than making one mesh
to rule them all.


I'm not sure what to make of it. Seems like someone trying to re-establish
classful addressing and not understanding routing, subnets, managed
networks etc.
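The arithmetic in the quoted post, worked through in code so the claimed precision and the behaviour of "competing networks in the same area" can be checked. This is an added example, not code from the quoted post or from any mesh project; it keeps the post's own conventions (its placeholder first chunk 00fd, longitude as 0-360 degrees east of the prime meridian, latitude shifted so the equator sits at 90, and the post's division of each axis into 65535 steps) and the coordinates used are constructed. The location-derived prefix is also worth seeing as data: whoever sees the prefix learns the network's approximate location to the precision the post computes, which is the trade-off the post itself calls a "happy medium".

```python
"""Encode and decode the location-derived IPv6 prefix from the quoted post.

Added example (not from the post or thread).  Conventions follow the post:
first chunk 00fd (the author's placeholder), longitude as degrees east of
the prime meridian, latitude shifted so the equator is 90, 65535 steps per
axis.  The sample coordinates are constructed.
"""

MESH_CHUNK = 0x00FD               # the post's placeholder "mesh-global" chunk
CHUNK_STEPS = 65535               # the post divides each axis into 65535 steps
LON_STEP_DEG = 360.0 / CHUNK_STEPS   # about 0.005493 degrees per unit
LAT_STEP_DEG = 180.0 / CHUNK_STEPS   # about 0.002747 degrees per unit


def location_chunks(lon_deg, lat_deg):
    """Map a longitude/latitude pair to the post's two 16-bit chunks."""
    if not (-180.0 <= lon_deg <= 180.0 and -90.0 <= lat_deg <= 90.0):
        raise ValueError("coordinates out of range")
    lon_east = lon_deg % 360.0            # e.g. -97.74 -> 262.26 degrees east
    lat_shifted = lat_deg + 90.0          # equator becomes 90
    lon_chunk = min(int(lon_east / LON_STEP_DEG), CHUNK_STEPS - 1)
    lat_chunk = min(int(lat_shifted / LAT_STEP_DEG), CHUNK_STEPS - 1)
    return lon_chunk, lat_chunk


def network_prefix(lon_deg, lat_deg):
    """Return the /48 prefix text for a network centred at the given point."""
    lon_chunk, lat_chunk = location_chunks(lon_deg, lat_deg)
    return f"{MESH_CHUNK:04x}:{lon_chunk:04x}:{lat_chunk:04x}::/48"


def prefix_location(prefix):
    """Recover the approximate centre encoded in a prefix (inverse of above)."""
    first, lon_hex, lat_hex = prefix.split("::")[0].split(":")
    if int(first, 16) != MESH_CHUNK:
        raise ValueError("not a mesh-global prefix")
    lon_east = int(lon_hex, 16) * LON_STEP_DEG
    lat = int(lat_hex, 16) * LAT_STEP_DEG - 90.0
    lon = lon_east - 360.0 if lon_east > 180.0 else lon_east
    return lon, lat


def same_area(prefix_a, prefix_b, tolerance_chunks=1):
    """True when two prefixes sit within a few grid cells of each other,
    which is how the post expects competing networks in one area to compare."""
    a = [int(x, 16) for x in prefix_a.split("::")[0].split(":")[1:]]
    b = [int(x, 16) for x in prefix_b.split("::")[0].split(":")[1:]]
    return all(abs(x - y) <= tolerance_chunks for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed sample points: Austin, TX and Kansas City, MO.
    austin = network_prefix(-97.7431, 30.2672)
    kc = network_prefix(-94.5786, 39.0997)
    print("Austin prefix:", austin, "->", prefix_location(austin))
    print("KC prefix:    ", kc, "->", prefix_location(kc))
    print("step sizes: lon %.6f deg, lat %.6f deg" % (LON_STEP_DEG, LAT_STEP_DEG))
```

Truncating rather than rounding keeps every decoded point within one step of the original, so the round trip error is bounded by exactly the per-unit precision the post quotes.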




Re: Monitoring other people's sites (Was: Website for ipv6.level3.com returns HTTP/1.1 500 Internal Server Error)

2012-03-20 Thread Charles N Wyble
On 03/20/2012 09:54 AM, Jeroen Massar wrote:
 On 2012-03-20 15:40 , vinny_abe...@dell.com wrote:

 For everybody who is monitoring other people's websites, please please
 please, monitor something static like /robots.txt as that can be
 statically served and is kinda appropriate as it is intended for robots.

This could provide a false positive if one is interested in ensuring
that the full application stack is working.

 Oh and of course do set the User-Agent to something logical and to be
 super nice include a contact address so that people who do check their
 logs once in a while for fishy things they at least know what is
 happening there and that it is not a process run afoul or something.

A server side process? Or client side? If the client side monitoring is
too aggressive , then your rate limiting firewall rules should kick in
and block it. If you don't have a rate limiting firewall on your web
server, (on the server itself, not in front of it) then you have bigger
problems.

 Of course, asking before doing tends to be a good idea too.


If you are running a public service, expect it to get
monitored/attacked/probed etc. If you don't want traffic from certain
sources then block it.

 The IPv6 Internet already consists way too much out of monitoring by
 pulling pages and doing pings...

Who made you the arbiter of acceptable automated traffic levels?



  (who noticed a certain sh company performing latency checks against
 one of his sites, which was no problem, but the fact that they where
 causing almost more hits/traffic/load than normal clients was a bit on
 the much side,

Again. Use a firewall and limit them if the traffic isn't in line with
your site policies.

  And for the few folks putting nagios's on other people's sites, they
 obviously do not understand that even if the alarm goes off that
 something is broken that they cannot fix it anyway, thus why bother...

You obviously do not understand why people are implementing these
monitors. It's to serve as a canary for v6 connectivity issues. If I was
implementing a monitor like this, I'd use the following logic:

HTTP 200 returned via v4/v6 == all is well
HTTP 200 returned via v4 or v6 , no HTTP code returned via v4 or v6 (ie
one path works) ==  v6/v4 potentially broken.
no HTTP code returned via either method == end site problem. nothing we
can do. don't alert.

Presumably you'd also implement a TCP 80 check as well.
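The canary logic described in the reply above, as an added example that is not part of the original post: probe one site over IPv4 and over IPv6 and classify the pair of results the way the reply lays out (both answer: all is well; exactly one answers: that family is suspect and worth an alert; neither answers: the end site's problem, no alert). It also follows the quoted advice to poll something static and to identify the monitor in the User-Agent. Going one step past the reply, a response on both paths that is not 200 on both is treated as the site's own problem, since connectivity to it evidently works. The fetch helper, the contact address and the simulated responses in the demo are constructed.

```python
"""Dual-stack web canary with the alerting logic from the reply above.

Added example (not from the original post).  The real fetcher uses only the
standard library; the simulated responses let the classification run offline.
"""
import http.client
import socket

PATH = "/robots.txt"  # something static, as the quoted advice asks for
USER_AGENT = "dualstack-canary/1.0 (+mailto:noc@example.net)"  # constructed


def http_status(host, family, timeout=5.0):
    """GET PATH from host over one address family; None means no HTTP answer.

    A TCP-level failure (no route, refused, timeout) and a response that never
    arrives are both 'no code returned', the condition the reply keys on."""
    try:
        addrs = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
        ip = addrs[0][4][0]
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        conn.request("GET", PATH, headers={"Host": host, "User-Agent": USER_AGENT})
        status = conn.getresponse().status
        conn.close()
        return status
    except (socket.gaierror, OSError):
        return None


def classify(v4_status, v6_status):
    """Return (verdict, alert) for one pair of per-family results."""
    v4_up, v6_up = v4_status is not None, v6_status is not None
    if v4_up and v6_up:
        if v4_status == 200 and v6_status == 200:
            return "all-is-well", False
        # Both paths reach the site; the site's application is what's unhappy.
        return "end-site-problem", False
    if v4_up != v6_up:
        broken = "v6" if v4_up else "v4"
        return f"{broken}-potentially-broken", True
    return "end-site-problem", False  # nothing we can do; don't alert


def check_site(host, fetch=http_status):
    """Probe both families and classify; `fetch` is injectable for tests."""
    v4 = fetch(host, socket.AF_INET)
    v6 = fetch(host, socket.AF_INET6)
    verdict, alert = classify(v4, v6)
    return {"host": host, "v4": v4, "v6": v6, "verdict": verdict, "alert": alert}


# Constructed stand-in for the network: what each family returns per host.
SIMULATED = {
    "dual-ok.example.net":    {socket.AF_INET: 200, socket.AF_INET6: 200},
    "v6-dead.example.net":    {socket.AF_INET: 200, socket.AF_INET6: None},
    "app-broken.example.net": {socket.AF_INET: 500, socket.AF_INET6: 500},
    "offline.example.net":    {socket.AF_INET: None, socket.AF_INET6: None},
}


def simulated_fetch(host, family):
    """Offline replacement for http_status driven by the SIMULATED table."""
    return SIMULATED[host][family]


if __name__ == "__main__":
    for host in SIMULATED:
        r = check_site(host, fetch=simulated_fetch)
        flag = "  [ALERT]" if r["alert"] else ""
        print(f"{r['host']:26} v4={r['v4']} v6={r['v6']} -> {r['verdict']}{flag}")
```

Because the classifier only alerts when exactly one family answers, an outage at the monitored site produces no page for the monitor's owner, which is the "nothing we can do, don't alert" case the reply describes.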



Re: Logs Bank

2011-11-08 Thread Charles N Wyble
Yes. Check out rsyslog and logstash.

joshua.kl...@gmail.com wrote:

Hi,

If I may ask, is there any OSS that can serve as a log bank or log
server, where it aggregates logs from different sources, and the logs
can be accessed using the web from any location on the network and can
do graphical presentations based on the frequency or content of the
logs.

Thank you

Joshua

--
Sent from my Nokia N9

--
Charles N Wyble @charlesnw char...@knownelement.com

Building a cost effective, open, secure bit moving platform for tomorrow's 
default free zone.



Re: Network Asset/Service Track/Management

2011-11-01 Thread Charles N Wyble
On 11/01/2011 02:38 AM, Babak Farrokhi wrote:
 Hi,

 I would suggest you use the element management software provided by your 
 vendor. But you may want to take a look at www.ziptie.org for an alternative.

Also nocproject.org




Re: [routing-wg] BGP Update Report

2011-10-15 Thread Charles N Wyble
On 10/15/2011 10:48 PM, Skeeve Stevens wrote:
 I read them all too.

 BUT, I get some 5 or 6 copies of them from all the lists I am on.  I would 
 rather subscribe to a list that was just for those.

+1. Or an rss feed or something.

That way interested folks could easily pull the data and stay up to date.

-- 
Charles N Wyble char...@knownelement.com @charlesnw on twitter

http://blog.knownelement.com

Building an alternative, global scale, secure, cost effective bit moving platform
for tomorrow's alternate default free zone.




Re: Enterprise WiFi list recommendations?

2011-10-10 Thread Charles N Wyble

On 10/10/2011 10:04 AM, James M Keller wrote:

On 10/10/2011 11:01 AM, James M Keller wrote:

All,

I'm looking for some mailing list recommendations for the wifi operations
community, any recommendations?



Checkout wispa.org

Let us know what you decide to subscribe to.



Re: FCC - with Klezmer backup

2011-09-30 Thread Charles N Wyble
On 09/30/2011 02:53 PM, bmann...@vacation.karoshi.com wrote:
 http://gcn.com/articles/2011/09/26/fcc-net-neutrality-rules-nov-20.aspx

 wondering who is going to publicly announce any changes prior to the 20nov 
 date.

 Or is this a non-issue for the Internet as we know it?  

 /bill


What does

commercial terms of their broadband services.

mean?

Peering arrangements? Transit pricing?

-- 
Charles N Wyble char...@knownelement.com @charlesnw on twitter

http://blog.knownelement.com

Building an alternative, global scale, secure, cost effective bit moving platform
for tomorrow's alternate default free zone.




Re: Synology Disk DS211J

2011-09-30 Thread Charles N Wyble
On 09/30/2011 08:56 AM, Blake T. Pfankuch wrote:
 The easy way around the unhappy significant other/minion shaped offspring 
 solution is to put all of the end user devices On a separate VLAN, and then 
 treat that as an open DMZ.  Then everything operational (ironic in a home) on 
 your secured production network (restrict all outbound/inbound except what is 
 needed).  If you really want to complicate it you should even put your 
 wireless into a separate VLAN as well, and secure it as appropriate.  Gives 
 you the ability firewall between networks, thus making sure that when your 
 minions eventually get something nasty going on the PC they use, it doesn't 
 spread through the rest of the network.  Also means you can deploy some form 
 of content filtering policies through various solutions to prevent your 
 minions from discovering the sites running on the most recent TLD addition.  

PacketFence. Per user VLANs. RADIUS back end auth with one time
passwords. I'm trying to package all this into a turnkey distro for my
own deployment across hundreds of sites. As such I need it anyway and
don't mind open sourcing it. It's been an on again/off again project but
it's really close to release.



 This assumes that most people reading this email have the ability to run 
 multiple routed subnets behind their home firewall.  Be it a layer 3 switch 
 with ACL's or multiple physical interfaces and the ability to have them act 
 independently.  

Routing on a stick to pfSense for me. Though I could use my l3 switch I
guess. *shrugs*

 Personally I run 8 separate networks (some with multiple routed subnets).  
 Wireless data, management network, voice networks, game consoles, storage, 
 internal servers, DMZ servers and Project network.  Only reason why there is 
 no end user network is that there are no wired drops anywhere in the house, 
 so that falls under the wireless data. That network gets internet access and 
 connectivity to file sharing off the internal servers and all internet 
 traffic runs through Anti-Virus/Anti-Spyware before going outbound and 
 inbound.

No. You aren't paranoid enough. See above. If it was turnkey, more
people would use it.

 Blake

 -Original Message-
 From: Matthew Palmer [mailto:mpal...@hezmatt.org] 
 Sent: Friday, September 30, 2011 12:19 AM
 To: nanog@nanog.org
 Subject: Re: Synology Disk DS211J

 On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:


-- 
Charles N Wyble char...@knownelement.com @charlesnw on twitter

http://blog.knownelement.com

Building an alternative, global scale, secure, cost effective bit moving platform
for tomorrow's alternate default free zone.




Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network -- ENOUGH ALREADY!

2011-09-22 Thread Charles N Wyble
My apologies to all. I was hoping the conversation would be of an 
operational nature.


I deleted the vast majority of messages in the thread as they weren't 
relevant.


If anyone wants I can post smaller scope subject threads. Or a summary 
of the operationally relevant bits in the thread.



Bret Palsson b...@getjive.com wrote:

   Thank you! 112 Emails on this subject, I am sick of it.




Re: vyatta for bgp

2011-09-22 Thread Charles N Wyble

On 09/22/2011 05:37 AM, Pierce Lynch wrote:

Andreas Echavez [mailto:andr...@livejournalinc.com] originally wrote:

Ultimately, the network is as reliable as you build it. With software, it's 
much cheaper to divide and scale horizontally. Hardware devices are expensive 
and usually horizontal
scalability never happens. So in reality, an enterprise blows 100k on two routers, they 
both flop because of some firmware bug, and you're down.

With this in mind, I am keen to understand how many implementations of packages 
such as Quagga and Zebra the group use. With the likes of Vyatta being 
discussed, I am keen to see if products such as Quagga are still as regularly used 
as they used to be.


I think that the original/upstream versions are out of date as compared 
to the one maintained by Vyatta. Or Google (for their MPLS processing 
needs). See 
http://www.nanog.org/meetings/nanog50/abstracts.php?pt=MTYzNSZuYW5vZzUwnm=nanog50 





Thoughts welcome!

Kind regards,

/P.






Re: vyatta for bgp

2011-09-21 Thread Charles N Wyble

On 09/21/2011 06:14 PM, Andreas Echavez wrote:

btw, you guys might find PacketShader (http://shader.kaist.edu/packetshader/)
a pretty interesting concept

-Andreas


Excellent! I was wondering how far along this was. Good to see. Very 
exciting.


I've got a couple parallel systems sitting around looking for packets to 
route...


If anyone is doing research in this area, please let me know. Most of my 
research has been into accelerating IDS/IPS and fuzzing workloads with 
parallel systems. (Yes that's on top of starting an ISP).


I've been looking into Click (http://www.read.cs.ucla.edu/click/)





Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-20 Thread Charles N Wyble
I plan to announce my ASN out of 3 physically diverse hops over 100mbps 
or gige. I believe that qualifies as multihoming under pretty much all 
definitions?


On that note, is anyone familiar with peering fabrics in 60 Hudson and 
600 West 7th (or peering fabrics that are fiber close in those locations)?


Initial connectivity/peering will be with my initial ISP friend in 600, 
and with KCIX in KC MO.


Would like to also peer with any peering exchanges in LA and NYC. I 
suppose peeringdb.com would be the place to look for this? (bringing 
this thread back on the original topic, though multihoming discussions 
definitely fall under the starting an isp category) :)




Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-19 Thread Charles N Wyble
On 09/19/2011 10:40 PM, Matthew Kaufman wrote:
 On 9/16/2011 12:58 PM, Leigh Porter wrote:


 I wonder what would happen if a new ARIN member requested an IPv4
 block of say a /16 for a new business? Or even a smaller block. I
 don't know what the current ARIN rules are but RIPE will currently
 give out six months worth of space. Now, in six months, I don't
 expect there to be any left anyway, so what will likely be all the v4
 you ever get.

 Very soon it'll be nigh on impossible for new entrants to the ISP
 business to get their own v4 space.


 Isn't that the point?

That's what I'm thinking. :)

I don't plan on requesting any v4 space from ARIN. Just using provider
space for the small v4 traffic needs.

-- 
Charles N Wyble char...@knownelement.com @charlesnw on twitter

http://blog.knownelement.com

Building an alternative, global scale, secure, cost effective bit moving platform
for tomorrow's alternate default free zone.




Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-18 Thread Charles N Wyble
On 09/18/2011 08:25 PM, Frank Bulk wrote:
 I understand that tunneling meets the letter of the ARIN policy, but I'll 
 make the bold assumption that wasn't the spirit of the policy when it was 
 written.  Maybe the policy needs to be amended to clarify that.

Well that would be a shame in my opinion. When one is bootstrapping a
network, it's very useful to have an ASN/PI space. Especially for v6. If
one starts with a real upstream and a multihomed via tunnel, is that
really so bad?

I don't think it is.

I am now very fascinated with the policy around all this. I didn't think
my thread would touch off this passionate discussion. I've only gotten a
few really useful responses (from John/Owen/Roland) which, come to think
of it, is about what I would expect. I was hoping for more technical
responses. Go gripe on the ARIN lists if you really truly want policy
changes.

I greatly appreciate the clarification of policy and relevant docs etc.
Seems really straightforward to me now.

Now let's get back to technical / nuts and bolts discussion of building
an ISP shall we?

-- 
Charles N Wyble char...@knownelement.com @charlesnw on twitter

http://blog.knownelement.com

Building an alternative, global scale, secure, cost effective bit moving platform
for tomorrow's alternate default free zone.




Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-17 Thread Charles N Wyble

On 09/17/2011 01:19 PM, John Curran wrote:

On Sep 16, 2011, at 3:45 PM, Charles N Wyble wrote:

2) Obtain ipv6 space from ARIN (inquired about getting space and ran into some 
issues. need to speak with my co founder and get details. evidently getting 
brand new v6 space for a brand new network is fairly difficult. for now may 
just announce a /48 from he.net. )

Charles -

Criteria for new IPv6 allocations is here: 
https://www.arin.net/policy/nrpm.html#six51, and includes meeting any of one 
the following:


Thanks for the link.


  • Having a previously justified IPv4 ISP allocation from ARIN or one of its 
predecessor registries, or;


Sure.


  • Currently being IPv6 Multihomed or immediately becoming IPv6 Multihomed and 
using an assigned valid global AS number, or;


That is our goal. I have two upstreams who are ready to peer with me 
once I obtain an ASN.

  • By providing a reasonable plan detailing assignments to other organizations 
or customers for one, two and five year periods, with a minimum of 50 
assignments within 5 years.


We submitted a numbering / subnet plan with our application, and stated 
we intended to multihome. Essentially we are trying to get both ASN and 
IP space at the same time. Bit of a chicken and egg problem perhaps.



Time to secure those letters of authorization and get that ASN. I think 
once we have that, the process should move forward pretty rapidly.




I'm not certain how this is fairly difficult, but can have someone from the 
ARIN Registration Services helpdesk contact you to work through your circumstances.  
(please contact me directly if that's desired.)


I may take you up on that. Thanks for the offer to assist. I'll read 
over the doc you sent and the sections Owen mentioned. I think I just 
didn't have enough information on the process. Looks like this will be 
very straightforward.







Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-17 Thread Charles N Wyble
On 09/17/2011 06:52 PM, Randy Carpenter wrote:
 I have a small ISP customer who is not multi-homed, and is using
 about a /21 and a half of space, and is expanding. Their upstream
 is refusing to give them more space, so they wanted to get their
 own, and give back the space to the upstream, with the possible
 exception of a small block for their servers, which would be very
 difficult to renumber. We explained this all, and the response we
 got from ARIN was that we needed to have a full /20 from the
 upstream, at which time we could easily get a /20 of new space. In
 order to qualify for the immediate need, we would need to show
 need for the entire /20, of which we would need to fully utilize
 (renumber into) within 30 days. That is not even remotely
 possible.

 Or, they could easily multihome and qualify at a much smaller
 threshold.
 Unfortunately, this is prohibitively expensive. They are small rural telcos 
 who are connected to a collective state-wide fiber network. Any second 
 provider would cost an order of magnitude (or more) more than what they 
 have, and would likely be delivered over the same fiber network anyway.

Um really? You can't find anyone out there who would give you an
LOA? No friendly ISP? I'm getting LOA from a buddy of mine that
administers a couple existing ISP networks. It's not that difficult in
my opinion. I mean does it have to be a wireline upstream provider? Or
can it just be any AS who is friendly? I guess it's different for me as
this is a green field deployment and I expect to peer all over the
United States at dozens of POPs. As opposed to being a more traditional
access network provider in a particular geographic region.



  
 The problem with this whole thing is that I have no less than 4
 ISPs that are in almost the same boat.
 Then propose a policy change to rectify it.
 Noted, and planned :-)

I look forward to those discussions. I'm kind of intrigued by policy
now, after starting this process. At first I was a bit irritated but now
after John/Owen posted links and comments, it's a walk in the park. Just
waiting on an LOA from my buddy and I should be able to get that ASN and
associated /32.


-- 
Charles N Wyble char...@knownelement.com @charlesnw on twitter

http://blog.knownelement.com

Building alternative, global scale, secure, cost effective bit moving platform
for tomorrow's alternate default free zone.




wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-16 Thread Charles N Wyble



Wow this turned into a very long post

On 09/16/2011 01:10 PM, hass...@hushmail.com wrote:

No one replied with any useful information. I guess no one wants
competition on this list? Pretty poor tactic.

On Sat, 10 Sep 2011 21:55:01 -0400 hass...@hushmail.com wrote:



Mr hass...@hushmail.com, the net is big enough for many forms of networks 
and competition to exist. The fact that you write from a hushmail 
address is intriguing to me. That may have kept others from answering 
entirely.


Using one's real name/personal e-mail address builds a reputation. It 
also helps if you've posted other threads in the past. Looking over my 
post history (both replies and threads I started), one will see a 
progression of learning and participation. I don't recall seeing any 
posts from you in the past. As such, it may not have been wise to burst 
onto the scene and say "please do my homework for me". Contributing 
to a few threads, starting a couple of your own (on a more specific 
subject) and saying "this is what I'm planning to do, here is what I've 
researched, please tell me if I'm doing it horribly wrong" is a good way 
to start in any community.


I had high hopes for the thread you had started, but am disappointed by 
the somewhat juvenile response that you sent. I believe you killed off 
the opportunity for some excellent discussion. So I'm starting another 
one, in the event people are ignoring the previous thread. Plus my title 
is cooler!


I did learn some things from that thread (such as nsrc.org). Thank you 
for posting those links and inspiring the title of this thread Bill.


In my case, I have knowledge (through consuming way too many *NOG lists 
and other resources). However all of my experience is in data 
center/enterprise LAN networking. WAN experience is limited to default 
BGP route delivery or statically configured links. So I have never built 
an ISP network before. I want to join the community, and as such am 
seeking advice before I blindly go off and end up being one of those 
ASes. :)



Here is what I am doing and how I plan to go about doing it. Feedback 
most welcome. Please be critical but polite. :)


The previous thread mentioned business plan. That's absolutely critical. 
Competing on delivering the Internet is foolish at this point in the 
game. I'm giving net access away for free (and making money off of hyper 
localized advertising). I'm also using existing colocation facilities 
and networks.


Looking over my LinkedIn profile will demonstrate my existing expertise 
on the business and tech side of both online and hyper local 
advertising, and large scale, distributed server operations.  However 
I'm currently not experienced on the network build out side. I figured 
the only way to get the level of experience I want, is to build a 
service provider network.


I'm in the process of building out a backbone network across the United 
States. Starting off small (3 points of presence: 600 West 7th St Los 
Angeles, 60 Hudson NYC, 324 E 11th KC MO). In two cases I'm leveraging 
existing relationships with strong WAN engineers who will be receiving 
some equity in my startup; in one I'm a new customer off the street and 
doing everything myself other than the basic colo services (net drop, 
power, cooling, security, smart hands).


This backbone network will be used to terminate regional wireless 
networks. The wireless networks are being funded by the communities that 
the network serves through direct donations and by hyper localized 
advertising sales.


So here we go with the technical nuts/bolts of the plan (as Bill so 
eloquently put it): "I am going to presume OSS and fully deprecated kit 
to keep your costs down and to boost your learning skills."


Something like that.

1) Obtain ASN from ARIN (using LOA from existing upstream relationships).

2) Obtain IPv6 space from ARIN (inquired about getting space and ran 
into some issues. Need to speak with my co-founder and get details. 
Evidently getting brand new v6 space for a brand new network is fairly 
difficult. For now may just announce a /48 from he.net.) Yes I did come 
up with a subnetting plan for the entire United States out of a single 
/48. It's quite ingenious really. More details on request if anyone 
wants them.


3) Announce prefixes from initial point of presence locations for 
availability / traffic engineering reasons. Using a mix of Quagga on 
Linux virtual machines, pfSense on Dell servers and Cisco gear.


So more or less the steps that Bill mentioned in his response. It was 
somewhat tongue in cheek, but also quite accurate. I'm bootstrapping 
with personal funds / gear at the moment. However I believe it can be 
done right. I also have a fair amount of gear I've been obtaining over 
the past few years with the specific intent of building an ISP. The 
business plan has evolved over time. It's now at a rather mature point, 
and it's time to get my hands dirty.


Whew. Sorry for the long post. 

Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-16 Thread Charles N Wyble

On 09/16/2011 02:58 PM, Leigh Porter wrote:



-Original Message-
From: Charles N Wyble [mailto:char...@knownelement.com]
Sent: 16 September 2011 20:47
To: nanog@nanog.org
Subject: wet-behind-the-ears whippersnapper seeking advice on building
a nationwide network



Wow this turned into a very long post

On 09/16/2011 01:10 PM, hass...@hushmail.com wrote:

No one replied with any useful information. I guess no one wants
competition on this list? Pretty poor tactic.

On Sat, 10 Sep 2011 21:55:01 -0400 hass...@hushmail.com wrote:



2) Obtain IPv6 space from ARIN (inquired about getting space and ran
into some issues. Need to speak with my co-founder and get details.
Evidently getting brand new v6 space for a brand new network is fairly
difficult. For now may just announce a /48 from he.net.) Yes I did
come
up with a subnetting plan for the entire United States out of a single
/48. It's quite ingenious really. More details on request if anyone
wants them.



I wonder what would happen if a new ARIN member requested an IPv4 block of say 
a /16 for a new business? Or even a smaller block. I don't know what the 
current ARIN rules are but RIPE will currently give out six months worth of 
space. Now, in six months, I don't expect there to be any left anyway, so that 
will likely be all the v4 you ever get.


Hah. True.

I actually don't want any v4 space at all. I'm fine with using provider 
space for my minimal v4 needs. However I believe if I had existing v4 
space, that v6 space would be easier to obtain.



Very soon it'll be nigh on impossible for new entrants to the ISP business to 
get their own v4 space.


Indeed.

In my case, I'm perfectly happy with v6 space. Can have very minimal v4 
space for the time being. Google/Netflix/Facebook are reachable on v6. 
This is the vast majority of the net traffic. I can do large scale NAT 
for v4-only content.


One aspect of my network, will be operational transparency. So as much 
as possible will be viewable in real time. This includes v4/v6 traffic 
statistics.


Also we do plan to expand into Europe and Asia. We are starting in the 
US first due to the relationships we have already established. If anyone 
is interested in supporting our activities in Europe, please let me know.


By our/we, I mean http://freenetworkfoundation.org/ (that's the non-profit 
piece; the advertising part is separate but will help fund the 
non-profit piece). Lots of dual use work being done.




Re: How to begin making my own ISP?

2011-09-16 Thread Charles N Wyble
On 09/16/2011 04:28 PM, hass...@hushmail.com wrote:
 On Fri, 16 Sep 2011 16:02:39 -0400 Markus unive...@truemetal.org 
 wrote:

 I didn't receive any such email, sorry. Try resending it if you 
 still have it ?

Maybe hushmail blocked it? :)

 @ Everyone else: thank you for the useful information. I didn't 
 mean to come off as being bratty with my competition notation, it 
 was meant as a bump to the posting and not an insult at anyone.

Thanks for clarifying.

 More info: yes, I was planning on having some co-lo sort of stuff, 
 maybe running a dedicated server provider. However on my own IP 
 space, and a good method of getting bandwidth for cheap. Stuff like 
 paying 5€/GB makes me feel sick.

H. Methinks that's a no go. You are entering an incredibly
stiff competitive space. If you do have some magic pixie dust, I would sell
it to the highest bidder. :) (I do believe people were seeking pixie dust in
the 444 thread if I recall correctly).

Not to be snide, but what makes you think you have something that will
let you break into the colo market against a huge assortment of players?
(ref the "lots and lots and lots of money" response). You'll need some hefty
capital to attract customers. Plus if you can only compete on price, the
established players will just cut costs to match you.

That's all my opinion of course.








Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-16 Thread Charles N Wyble
On 09/16/2011 04:34 PM, Justin M. Streiner wrote:
 On Fri, 16 Sep 2011, Randy Carpenter wrote:


 If you go to ARIN, day one, and ask for address space, they have no
 way of determining if your request is justified, beyond whatever
 pie-in-the-sky guesses and growth projections you give them.  You're
 asking for address space, sight unseen, in this case.  That would be
 like someone going to a bank and asking for a loan, with no
 documentation, collateral, or anything else to give the bank
 confidence that they'll pay the loan back.

 That's why the slow-start model has been used, particularly for v4 space.
 If you started off by getting PA space from one or more of your
 upstreams, then there should be additional documentation to back up
 your request (SWIP entries, RWHOIS data, etc).

 When I still worked in the ISP world, the startup I worked for started
 off with PA space, and then grew into PI space, and handed the PA
 space back to their upstreams as it was vacated.  I had no problems
 getting subsequent
 PI blocks because our documentation was in order.

Alright. This seems fair.

Easy enough to get some big chunks of v6 space from upstreams and then
justify the PI space.

I shall have to do that then.








Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-16 Thread Charles N Wyble
Does whois have a bug tracker somewhere? That seems to be the place to
file these sorts of things.



Re: How to begin making my own ISP?

2011-09-10 Thread Charles N Wyble
On 09/10/2011 08:55 PM, hass...@hushmail.com wrote:
 I want to begin making my own ISP, mainly for high speed servers 
 and such, but also branching out to residential customers. I'm 
 going to be in Germany for the next school year (probably either 
 Frankfurt am Main or Berlin); any suggestions on what sort of 
 classes I can take there that will be in English and will teach me 
 all I need to know on how to build and manage my own ISP, AS, etc? 
 Thanks.



I too am very interested in this topic. I'm in the process of putting a
small service provider network
together. Starting with three points of presence (Los Angeles, Kansas
City, undetermined east coast location).

I'm in the process of securing an AS, IP space etc. Already have all the
necessary networking gear. Working on getting
it configured and deployed.

I'm a data center guy coming into the WAN world. Learning as I go.





Re: New Natural Disaster! 8/27/2011 Hurricane Irene

2011-08-26 Thread Charles N Wyble
On 08/26/2011 09:51 PM, Scott Morris wrote:
 Did you have backup tomatoes?

Indeed. Multi gardening is all the rage.

Can't be too safe.





Re: How long is your rack?

2011-08-17 Thread Charles N Wyble
On 08/16/2011 02:33 AM, Leigh Porter wrote:

 How do you guys find time for all this? 

I live in a smallish apartment that doesn't require much cleaning and
have a room mate who handles all the errands/logistics in exchange for
free rent and access to my awesome lab. Been doing this for a few years
now. Works very well and beats having kids. LOL.

  then I got married,

I did a ton more stuff, acquired more gear when I got married. Before I
was married I travelled non stop and had nothing more than my laptop and
a box at my parents' house as my cloud. Once I settled down, I began
to acquire gear.

  had three kids

This will kill off productivity time for sure. Until you have enough of
them that are old enough to support site operations. But bootstrapping
that is difficult.

  and started a Theology PhD program..

I've avoided school. However I'm constantly learning. So I work full
time and do about 4 hours a day of hacking. Weekends I do no hacking.
This works well for me.

  Now anything I do at home is purely practical.

The things I've been doing are practical. I haven't touched the lab rack
yet. That's next month's project.

 I took on some ideas for backup though, so I am sorting out a backblaze 
 account and using Randy's fantastic sync thing that he mentioned. I really do 
 not want 18 months of research to vanish.

Indeed.






Re: Exploiting a non-facilities CLEC relationship

2011-08-16 Thread Charles N Wyble
On 08/15/2011 10:14 PM, Jon Lewis wrote:
 On Mon, 15 Aug 2011, Graham Wooden wrote:
 If I understand your question, yes.  We did this some time ago.  Colo
 in various ILEC and CLEC central offices, 

Um. Doesn't colo in various ILEC/CLEC CO == facilities based CLEC?

 order T1 loops (but it's only half a loop...from customer to CO), so
 you're saving there, and because you're ordering it as a CLEC, most
 people would be shocked how cheap a T1 can be. Connect the various
 colos together with a network of T1's and T3's (especially if you can
 establish a relationship with a carrier who's on-net in all or most of
 the COs you want to be in), and you're set.

Interesting. Can't you just ride the existing network between the CO
locations? For a fee of course, but I would think it could be all
Ethernet based and just pay per Mb or something?



 Someone looking to start this model now, I'd say is about 10 years
 late, 5 years too late.

Yeah. Building one's own network is a bit... difficult. At least to serve
on a competitive basis.






Re: TDM voice DOS

2011-08-16 Thread Charles N Wyble

On 08/16/2011 11:46 AM, harbor235 wrote:

Anyone been involved with TDM voice DOS attacks? My thoughts are that if the
phone call originates as an IP call somewhere in the wild, then typical abuse
security incident notifications may help in the interim.


Indeed. Though I suppose it depends on where they come from. Probably 
originate in various nasty neighborhoods of the net.



  At least potentially identify through customer records or make them move
  on where they eventually slip up.


Right.


If the abuse originates as IP what obligations do foreign service providers
(friendly?) have to identify and mitigate?


Well I work at a very large shared hosting provider. Our upstream 
provider gets abuse complaints and a ticket lands in our queue telling 
us to clean up or the box gets dropped off the net (anywhere from 4 to 
48 hour warning window).


I'm guessing that most large service providers have similar procedures 
in place? Just hit up the abuse contacts for the IP range. Doesn't 
matter where the destination is, what media etc. If it originates on an 
IP network/device, it can be dealt with that way.


However the bad guys probably aren't using the large providers, as they 
usually operate 24x7 abuse desks, which means rapid ban hammering. :)



  How can the community respond to service providers who fail to clean up
  their customer base?


iptables -A INPUT -s x.x.x.x/8 -j DROP (modify to your local site firewall 
drug of choice).





Re: NANOGers home data centers - What's in your closet?

2011-08-16 Thread Charles N Wyble
On 08/16/2011 03:28 PM, William Warren wrote:
 On 8/12/2011 7:28 PM, Charles N Wyble wrote:
 Hey all,

 I have one rack of stuff..:)

Not Enough! We will be removing you now from the list that is. :)

   I then have my tower(custom build) and ups on another shelf.

What kind of UPS? Seems most here prefer APC. Perhaps that's a topic for
another thread...

  I have a dell sc420 running astaro 

Interesting. I have a download of astaro. I should play with it soon.
Coworkers recently mentioned Astaro. So maybe it's reached a tipping
point and time for me to mess with it.







Re: How long is your rack?

2011-08-15 Thread Charles N Wyble
On 08/14/2011 05:45 PM, Joe Greco wrote:
 I don't know, but 50 people had snarfed the picture I posted within
 30 minutes, a few hundred have by now, and it's the weekend.

Yes. Exactly. I'll start my more operational focused threads on Monday.
Plus Randy started a personal backups thread. I need to respond to that
soon. That's pretty operational.

I've always wondered if the next cisco/juniper 0 day will be delivered
via a set of exploits delivered via a link posted to NANOG. :) Maybe
I'll do a talk at DEFCON next year about that.

 Fun.

Precisely!






Re: IPv6 Real World Maturity (was re: How long is your rack?)

2011-08-15 Thread Charles N Wyble
On 08/14/2011 07:43 PM, Tim Wilde wrote:
 On 8/14/2011 8:36 PM, Charles N Wyble wrote:


 Yes, they prove that IPv6 is not a viable technology as it currently
 stands and we should be working on the next big thing, of course!
 IPv42, here I come!

:)

It certainly is being debated back and forth quite a bit. With apparent
0 forward progress being made. It's important that we keep our audience
in mind. Yes much v6 is being deployed (Owen and his band of merry men
being the notable leaders) and various pockets of link layer
availability from the big providers. It's time to just do it already.
Mark it experimental. Tell people ZOMG you may have to r3numb3r. Why
hasn't anyone capitalized on this opportunity yet and rolled out decent
CPE with a fat margin. I mean seriously, why not? Just wrap it in some
buzzwords (security, gaming, whatever). The vendors already do that at
Best Buy.


 On a serious note, though, really, what DOES it say about the real-world
 maturity / actual chances of adoption for IPv6 that Charles' statement
 above is, in fact, true?

Well stated. Hopefully folks will chime in with an answer.

or start a flamewar
 (well, okay, I am trying to start a flamewar, that's what Sunday nights
 are for :)), it's honestly something that puzzles me.  It just doesn't
 feel right...

Yeah. Same here. It's why I dropped off NANOG. I got tired of the
constant bickering. Everyone just needs to do what seems right for their
network. What I'm curious about, is how many people actually deployed
networks following their preferred method? I mean he.net is clear about
what it believes is right and has stuck to it for several years now. 
Know how long it took me to have v6 working on my network? 10 minutes.
Just pfsense and an he.net tunnel. radvd and done. Instant v6 LAN wide.
v6.facebook/netflix/google all works. My linux boxes hit v6 mirrors
automatically. Sourceforge download via v6. Easy. Boring.

Current working theory: If you have other (sane,expected,normal)
mitigation techniques in place on your network, dealing with any
(perceived?) v6 security issues should be easy I think. I haven't labbed
this all up yet. But I will. Soon. Q3 is all about security for me.
Expect to see some posts about operationally focused security research
in Q3. Because I want to prove/disprove all the things I see flying
around. I've got the gear, I've got the time. It's time for the rubber
to hit the road.

I seem to recall a thread asking v6 status and a bunch of people
responding with AS numbers and prefixes. Hopefully that list keeps
growing. That's on the provider side of course. Is anyone here not
deploying a v6 network, so that someone else doesn't do it for you
(which again, it's my feeling that a well engineered enterprise LAN
wouldn't be susceptible to a lot of the attacks). My memory is a bit
fuzzy about all the details. I'll solicit requests for tests in a while,
once my current projects are wrapped up.




What about all the other folks out there? Who pushed whatever blasted
prefix size, or moaned about neighbor table overflows, or about NAT vs
FW or whatever other inane nonsense. I WANT MY LINK LAYER NATIVE V6! AND
I WANT IT NOW!


 Regards,
 Tim






Infection vectors

2011-08-15 Thread Charles N Wyble

On 08/15/2011 10:31 AM, Steven Bellovin wrote:

On Aug 15, 2011, at 10:12 21AM, Randy Bush wrote:


I've always wondered if the next cisco/juniper 0 day will be delivered
via a set of exploits delivered via a link posted to NANOG. :) Maybe
I'll do a talk at DEFCON next year about that.

more likely a 'shortened' url.  how anyone can click those is beyond me.


I'm curious what your objection is.

Mine is privacy -- the owner of the shortening site gets to see every place
you visit using one of those.


That's why I have my own URL shortening service using YOURLS 
(http://yourls.org/).



   I don't think there's a significant incremental
security risk, because the URL you click on doesn't tell you what you'll
receive in any event.

Exactly.


   Case in point: https://www.cs.columbia.edu/~smb/SMBlog-in-PDF.pdf
does *not* yield a PDF.  (As far as I know, it's a completely safe URL to
click on, but I can't guarantee that someone else didn't hack my site.  I, at
least, haven't put any nasties there.)


Or so you claim! :) And a PDF file is a particularly potent infection 
vector. It would be interesting to put up a PDF (say OSPFvsISIS.pdf or 
WhyAnyoneWhoIsn'tNamedOwenHasRottenv6Ideas.pdf) with an exploit. This 
exploit could be a toehold, which grabs other malware, opens reverse 
remote shell etc. If one is targeting very long term exploitation at 
mass scale, sitting in the network control plane for a long period of 
time is a large factor. And if one entices operators to download malware, 
the first step of most attacks (elevating privileges) is often much 
easier (certainly faster, as operators doing something privileged is a 
regular occurrence).





Given the rate of hacking -- is anyone really safe from a
determined amateur attack,

Maybe.


  let alone state-sponsored nastiness? -- and
given the amount of third-party content served up by virtually all ad-containing
sites, you really have no idea what you're going to receive when you click
on any link.


Yep. I see hacked ad content every single day.





Re: Verizon Business - LTE?

2011-08-14 Thread Charles N Wyble

On 08/13/2011 12:54 PM, Ryan Finnesey wrote:


I was hoping to use LTE for a large number of sites we are about to 
roll out instead of DS1s.  But looks like we will go down the TDM route.




Why is that?

I ran a nationwide network of digital signage systems with about 500 of 
them being 3G (mix of Sprint and Verizon). Worked really well, except 
for the PRL updates. For some reason the AT command set to do the update 
didn't work. Never did get that figured out (was pulled off that project 
to come up with a way to convert the systems from Fedora to Debian 
without rolling a tech. I did get that project done. It was awesome). 
Now that startup is pretty much defunct. Hmmm... that's an idea for 
another thread (management of boxes that aren't in a colo).





Cheers

Ryan

From: Cameron Byrne [mailto:cb.li...@gmail.com]
Sent: Saturday, August 13, 2011 12:56 AM
To: Ryan Finnesey
Cc: nanog@nanog.org; Charles N Wyble
Subject: RE: Verizon Business - LTE?


On Aug 12, 2011 8:40 PM, Ryan Finnesey rfinne...@gmail.com wrote:


 Well they are two completely separate companies. I would think that the
 LTE network would be a good replacement for DS1 type services.


My guess is no.

Yes, I bet vzw buys from vzb, but not the other way round. Whatever 
you call the vz LEC does not want to give 40 some cents on the dollar 
to Vodafone ... the other part of the vzw ownership.


Not to mention that LTE is an IP service and ds1 is tdm...

Cb

 -Original Message-
 From: Charles N Wyble [mailto:char...@knownelement.com]

 Sent: Friday, August 12, 2011 11:26 PM
 To: nanog@nanog.org
 Subject: Re: Verizon Business - LTE?

 On 08/12/2011 10:23 PM, Ryan Finnesey wrote:
  Does anyone know if Verizon Business is using the Verizon Wireless LTE
  network to deliver service?

 Who else would they use? I would presume they are eating their own 
 dog food.

 If not, that's very sad. :)










Re: Verizon Business - LTE?

2011-08-14 Thread Charles N Wyble

On 08/13/2011 01:09 PM, chris wrote:

I'm in Princeton, NJ and I recently moved into a new place and had no
internet for about a week and had my router in client mode grabbing hotspot
from my phone and it worked surprisingly well. Of course latency can be a
bit jumpy but my speeds overall were better than the neighbors' Comcast :) I
also pulled down about 150GB over that week and each day I was waiting for
Verizon to pull the plug but it never happened. Speeds were consistently
around 20/10.


Nice!


I looked around but couldn't find any reasonably cheap 4G interface cards for
any of the major router vendors otherwise I might have actually considered
it as my home needs are pretty basic.


Cradlepoint. Yeah it's another box, but it's really nice. Just set it to 
bridge mode, run a 3' Ethernet cable to the Cisco WAN port and you are 
all set.





Re: Verizon Business - LTE?

2011-08-14 Thread Charles N Wyble

On 08/13/2011 11:52 PM, Ryan Finnesey wrote:

The  two problems I have with Clear is that it does not work well indoors


Oh? The dongle you mean? Yes. The dongle is complete garbage. The 
Motorola CPE has been top notch. Tried it various places in my 
apartment (near window, not near window). Key element for good 
performance is 0 blockage of the antenna. Though even with a Dell 
desktop in front of it, the performance was decent.



(major problem for air ports) and that they will not route my IP block over
their network.


That's annoying.




Re: Verizon Business - LTE?

2011-08-14 Thread Charles N Wyble

On 08/13/2011 11:56 PM, Tammy A. Wisdom wrote:

Clear is an absolutely horrible ISP.


I've heard people say that. I've used them heavily in Los Angeles and 
Austin for over a year (almost two now actually). Never had a problem.



It is quite common for it to go in and out


Probably in fringe coverage areas.


and their modems overheat.


Never been a problem for me. Which modems (they have a few brands of CPE 
they are shipping)?


Details! :)



Re: Home computer rooms

2011-08-14 Thread Charles N Wyble
On 08/13/2011 08:26 AM, David Swafford wrote:
 I'm borrowing a room at mom's place for this presently :-D, as the 1
 bedroom apartment was a bit too small!

I've got a two bedroom apartment currently. Seriously considering a 3
bedroom place. So I can have a dedicated server room/office and a guest
room. Right now guest room serves as server room and living room is the
office.

 It has 2 racks -- a 2post and a full server cabinet.  The racks are
 physically on separate sides of the room, so I've got a custom cable
 tray running along the walls, that's about a foot below the ceiling.

Nice. Another reason that apartments are annoying. Limited mods.
Though one could make the mods and just patch holes when they
leave. I wanted to drill a hole to the outside at my apartment and
patch when we left. The wife said no. LOL. It's cool though, cause
she doesn't bat an eye when I mention buying a 72U rack. :)

 Between the racks are 24-port patch panels for cross-connect needs.

Hmmm. Between racks you mean? Or from ports in wall to switch?



 Power is the fun part:  I installed a 50AMP, 240V, subpanel in the
 above room (with permits/inspection), and am feeding 1 x 240 to each
 rack and also 1 x 120 to the 2-post.

Ah yes. Power. This is what will drive me to a colo. I'm sure of it. I
don't want to rely on household wiring for heavy duty loads.

   Each rack's power is handled by
 remotely managed power controllers.  I've found that maintaining UPS
 batteries became too expensive, given the age and present value of my
 gear, so everything is direct w/o UPS support.  Since I've got full
 power control, most of the gear remains off until I'm actively using
 it for studies. 

Excellent. This is what I do as well. Though the PDUs that I picked up
don't work with my current wiring. :(


 To conserve electric use, I rarely use additional AC,
 though I have a portable unit in the room for when the need arises --
 average temp runs about 85 in that room.

Nice.

 The routing gear is a mix of Cisco 2600s, 3600s, and 4500s (yep, those
 are a little old!); The switching gear is a mix of Cisco 3550s, 3560s,
 and 2950s; The server gear is mostly IBM xSeries, in the age range of
 about 5-7 years old.

Perfectly suitable for a wide variety of applications. Only things worth
swapping out on a regular basis are drives.

 Connectivity from my apartment to the lab is over a site-to-site VPN.

What kind of bandwidth in between?

 I've also got a Cisco call manager express (on a 1760) running my
 mom's phone service and have phones throughout her house and my
 apartment.

Nice. I've not dabbled with Cisco voip at all. Just Freeswitch/Asterisk
(abandoned Asterisk and exclusively Freeswitch these days).


   Production storage is on a QNAP NAS back at my apartment.

I believe this is the second mention of QNAP in this thread.

 The above room is about 180 square feet.  It sits next to the garage
 and kitchen, and to make it look more official I took out the door and
 replaced it w/ a plastic doorway like you see in big grocery freezers.
  The plastic made it easier to get in/out with gear without scratching
 up the house and it also helps mute out some of the fan-noise.

Excellent idea. Do you have a ramp of some sort to bring gear in?

-- 
Charles N Wyble char...@knownelement.com @charlesnw on twitter

http://blog.knownelement.com

Building alternative, global scale, secure, cost effective bit moving platform
for tomorrow's alternate default free zone.




Re: How long is your rack?

2011-08-14 Thread Charles N Wyble
On 08/14/2011 03:49 PM, Lyndon Nerenberg (VE6BBM/VE7TFX) wrote:
 I hope someone will explain the operational relevance
 of this ...

Small home compute centers/networks need care and feeding as well. I've
learned a lot from this thread. Things like common designs/layouts,
cooling, PoE switches etc.

Can someone explain the operational relevance of the never ending v6
threads that are the EXACT SAME ARGUMENTS over and over and over again? :)

 Sun V100 FreeBSD firewall/border gateway
 Sun V100 Plan 9 kernel porting test bed
 Sun V100 OpenBSD build/test/port box
 Intel 8-core Solaris fileserver and zones host
 AMDx4Random OS workstation crash box
 Epia-EK  Plan 9 terminal
 MacBook xSnow Leopard build/test host
 Intel-mumble-ITX Win2K8.2 development host
 Supermicro XLS7A Plan 9 File server
 Supermicro XLS7A Plan 9 CPU/Auth server
 Sun V100 Oracle (blech) new-Solaris test/porting box
 Sun V100 crashbox for *BSD firewall failover tests
 Sun V100 *BSD ham radio stuff, plus Plan9 terminal
  kernel testing.

Sun is good stuff. I like crash box. Is that like a scratch system?
 sound-of-pants-zipping-up

Hah








Re: Home computer rooms

2011-08-13 Thread Charles N Wyble
On 08/13/2011 01:20 AM, Jari Arkko wrote:
 13.8.2011 3:18, Charles N Wyble wrote:
 All,

 Related to my thread about home data centers, what are folks using to
 store compute gear in?

 Mine sits in two racks in my second bedroom. Cooled by ambient AC.

 Mine sits in a small room / closet under the stairs, built on purpose
 for this. But it is a little cramped with the current amount of
 equipment I have.

I can imagine!



 I do not believe there are any standards applicable to this, though
 I've sometimes wondered if someone should write a guideline document
 for recommendations concerning what kind of setup makes sense from a
 long term perspective. Cat6, tubing to be able to replace even those,
 enough space and ventilation for the equipment, power, etc. I chose to
 put my IT equipment in a different utility room than the
 electrical/heating/etc equipment. In most new houses the two are in
 the same room.

Right.


 Here's some more information on what I did and some pictures:

 http://www.arkko.com/rakennusprojekti/kotiverkko.jpg
 http://www.arkko.com/rakennusprojekti/networkdesign.html
 http://www.facebook.com/media/set/?set=a.74638548291.75895.702428291&l=940df4dde9&type=1




Amazing stuff!

Thank you for such incredible detail and sharing. Much appreciated.

My documentation leaves something to be desired. It's being reworked
into a living system so I don't have to constantly update it.





Re: Home computer rooms

2011-08-13 Thread Charles N Wyble
On 08/12/2011 10:56 PM, radhouan.all...@gmail.com wrote:
 Check the ccnsp book. They have I think what you're looking for. 


Not sure what that is. Did some quick searching. Can you provide a bit
more detail?



I'm back...

2011-08-12 Thread Charles N Wyble

Hey folks,

Been months since I've graced the NANOG list. Been a busy year so far.

I see the same exact v6 threads going on as when I left. LOL. Like a 
forest fire that won't die. :) Go Owen and your band of merry men! And 
OSPF vs ISIS. Glad to see nothing has changed.


I have a few threads queued up

1) My experiences with ipv6 on the content provider side using a FLOSS stack
2) An experiment: Redundant array of inexpensive hosting providers (or 
do you/when do you really need bgp/expensive data centers?)

3) Current state of FLOSS data center suite
4) NANOG Home Networks - What's in your closet?

Hopefully this stuff is on topic for NANOG.

Charles (shaking things up)

:)




Home computer rooms

2011-08-12 Thread Charles N Wyble
All,

Related to my thread about home data centers, what are folks using to
store compute gear in?

Mine sits in two racks in my second bedroom. Cooled by ambient AC.

Has anyone built a dedicated room? What resources did you use to do so?
Are there any standards to reference etc?



Re: NANOG Digest, Vol 43, Issue 53

2011-08-12 Thread Charles N Wyble
On 08/12/2011 08:52 PM, Coy Hile wrote:
 Damn, and people claim I'm nuts!

 You know, you could go whole hog and multihome.

See I read that as having multiple homes. Not multiple feeds. LOL.






Re: NANOGers home data centers - What's in your closet?

2011-08-12 Thread Charles N Wyble
On 08/12/2011 09:17 PM, Joe Greco wrote:
 What, nobody wired their abode with fiber?

 Am I the only one here
 I ran a bunch of fiber from the telco rack

What's in the telco rack? This is in your house? What's on it?

  to the server rack to reduce
 the risk of damage to expensive servers ...  it's likely to be
 meaningless but it is just a little extra precaution.  The server rack
 is at least a little bit isolated from everything else.

Servers have fiber cards? Or is it fiber between switches only?




Re: NANOGers home data centers - What's in your closet?

2011-08-12 Thread Charles N Wyble
On 08/12/2011 10:08 PM, Eric Krichbaum wrote:
 I have a 12 pack of single mode run between wiring closets upstairs and
 downstairs.  

Nice. I can't wait to get my next house and be able to say exactly that
phrase. LOL.

 Only one server running feeding media to my xbmc's everywhere
 but quite a bit on gig. 

XBMC is awesome. How are you sending the media? UPnP? Network share?

  Nothing overly noisy unless you have your head in
 the closets.

Sure. What do you have in your IDF? Do you have just one IDF (upstairs
closet)
and then MDF downstairs? Or is that another IDF?


 Eric





Re: Home computer rooms

2011-08-12 Thread Charles N Wyble
On 08/12/2011 09:02 PM, J wrote:
 Charles N Wyble wrote:
 All,

 Old IBM 32U cabinet in the unfinished basement, half a dozen older IBM
 x-series and NAS, Cisco 2950/3550, old terminal server, UPS (have to
 upgrade), BIX patch panel, etc.
Nice.

I currently lack a patch panel. I think I have one somewhere. Maybe.

 Simple and cheap stuff I've managed to cobble together over the years.  A
 lot mirroring the configuration (not the hardware) at work.

Yeah I've built up my collection over a few years.
 Eventual projects include building the room around it

Hah

  and tying the phone
 into it all.

How so? PBX?
 It's all for fun, really.

Yes. Exactly. I've got a small production network, and a huge lab
network to mess around with.




Re: Home computer rooms

2011-08-12 Thread Charles N Wyble
On 08/12/2011 07:49 PM, Alex Rubenstein wrote:
 I am in the process of building a house.
Cool. Will you have wire closets? What about home audio? Security?

  I designed a room that can accommodate three 24 x 36 inch cabinets or 
 four-post racks.

Downstairs? Basement?

  I will likely install an APC 2200 watt UPS in the bottom of two of the racks, 
 and the third will be a cross-connect field, patch panels, etc.

Cool. Will you have whole house UPS / surge suppression ?



 The house is backed up by a 48 kW genset with an auto transfer switch.

Beautiful.

 The weakness will be only one provider of connectivity.

What? No wifi/wimax backup link?





Re: NANOG Digest, Vol 43, Issue 53

2011-08-12 Thread Charles N Wyble
On 08/12/2011 08:53 PM, Alex Rubenstein wrote:


 .
 Trust me, if I could, I would certainly do dark to my house. 

The last house I was in, was 500 feet from AT&T fiber and easy walking
distance to the CO. My sister in law lives there now. I'm considering
putting a rack or two in the garage for disaster recovery purposes.



 Been there, done that, in the current home. Two MDFs, upstairs. I hate it. 
 For the cost (not much) going to home run everything. Ethernet, coax, 
 speakers, etc.

Nice. Please write this up. I want to do the same. Hoping I can rack
mount everything and have an epic setup. Every room would have ethernet
drop, coax, speaker. What about video? Hmmm. What about fiber drop in
every room as well? 






4g hack

2011-08-11 Thread Charles N Wyble
http://seclists.org/fulldisclosure/2011/Aug/76

Wondering what folks think about this? If this were true then we just
entered a whole new era of mass WAN exploitation.

Off list replies welcome. Rock and roll folks.



Re: Peering Traffic Volume

2011-03-24 Thread Charles N Wyble

On 3/24/2011 10:34 PM, Patrick W. Gilmore wrote:

On Mar 24, 2011, at 7:27 PM, Ravi Ramaswamy wrote:

Tier 1 ISP is a nebulous term.


Indeed it is. See http://en.wikipedia.org/wiki/Peering and 
http://en.wikipedia.org/wiki/Tier_1_network for more information. I'm 
guessing you are using Tier 1 to refer to $LARGE_TELCOS (AT&T/VZ/L3)

and I'm guessing their sustained daily traffic volume is well over 10tb.

The top few networks in the world (not all of them are tier 1 ISPs - and one 
is not even a network :)


Facebook and Google probably push that much traffic daily. I used to 
work for a company that did 100Gbps sustained on a daily basis.




are much larger.  The smaller tier 1s are probably that size or less.


I agree.




Re: Sunday Funnies: Using a smart phone as a diagnostic tool

2011-02-27 Thread Charles N Wyble

On 02/27/2011 06:00 PM, Jay Ashworth wrote:
 Do you have a smartphone?  Blackberry?  iPhone?  Android?

Yes. Had all 3. Android is my only tool now. It's superb. I've
used/supported and developed applications for all 3 platforms. Android
has been the most pleasant by far.


 
 Do you use it as a technical tool in your work, either for accessing
 devices or testing connectivity -- or something else?

Yes. All the time. For out of band connectivity at customer sites to
various diagnostic applications on the phone.

 
 If so, what kind of phone,

myTouch 3G from T-Mobile.

 and what (if you don't mind letting on) are
 your magic apps for this sort of work?

Built in browser on Froyo (often times need to search something when a
network is down), mail client (k9mail). Also netSwissTool. Oh and of
course I tether my phone.

 
 (My motivation?  Well, um, Lee, I'm looking at buying an HTC Thunderbolt,
 if everyone can get their thumbs out, and I want to get a feeling for
 the lanscape, if you'll pardon the pun. :-)

I keep meaning to pick up a cheap android tablet. Load Ubuntu on it
(Android OS is quite nice on a phone. On a larger system I would prefer to
have Ubuntu). (Before you sneer at me, I've been using Linux for almost
15 years, and want something that just works :)


-- 
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793



Re: Top webhosters offering v6 too?

2011-02-09 Thread Charles N Wyble

On 02/09/2011 06:16 PM, Fred Richards wrote:
 On Sun, Feb 6, 2011 at 5:15 PM, Mark Andrews ma...@isc.org wrote:

 In message aanlktiksv84+tsm80ajyxg-xzdfx3ngjz1fjm0kq6...@mail.gmail.com, 
 Fred
  Richards writes:
 I ran across this link a while back, it shows, of the top 100k
 websites (according to Alexa), which ones are IPv6 enabled:

 http://www.atoomnet.net/ipv6_enabled_popular_websites.php?complete_list=true

 And 1.5% of AAAA lookups, in the Alexa top 100, fail as the SOA
 is in the wrong section or the wrong SOA is returned or timeout or
 return NXDOMAIN when A returns an answer.  GLB vendors have a lot
 to answer for as almost all of these errors involve a GLB being
 installed.  Either their products are broken or their documentation
 is so poor that people can't configure their boxes properly.

 Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

 
 Hey, maybe all we need is an analysis site which says "warning: your
 ipv6 is broken!".  And give reasons ... point out misconfiguration
 like your examples above, regardless of whether it's dns or global
 load balancers.  We'll see v6 adoption skyrocket overnight.  ;)

http://test-ipv6.com/ is a good start for basic sanity checks. I need to
get my v6 content provider stuff done and write up a blog post and/or do
a presentation. Soon





Re: Top webhosters offering v6 too?

2011-02-06 Thread Charles N Wyble

On 02/06/2011 02:15 PM, Mark Andrews wrote:
 In message aanlktiksv84+tsm80ajyxg-xzdfx3ngjz1fjm0kq6...@mail.gmail.com, 
 Fred
  Richards writes:
 I ran across this link a while back, it shows, of the top 100k
 websites (according to Alexa), which ones are IPv6 enabled:

 http://www.atoomnet.net/ipv6_enabled_popular_websites.php?complete_list=true
 
 And 1.5% of AAAA lookups, in the Alexa top 100, fail as the SOA
 is in the wrong section or the wrong SOA is returned or timeout or
 return NXDOMAIN when A returns an answer.  GLB vendors have a lot
 to answer for as almost all of these errors involve a GLB being
 installed.  Either their products are broken or their documentation
 is so poor that people can't configure their boxes properly.

Given that v6 is probably an afterthought for these vendors, I'm
guessing the documentation is at fault. I know the docs for some of the
brands I've worked with were bad enough for tier-1 features. Bah.

I'm in the process of putting together a fully software based system to
do GLB. Presenting on it in a couple of weeks in the Los Angeles area.
Hit me off list for details. It seems fairly straightforward to put the
system together. Spent this weekend doing the research and architecture
design for it.

I'll send the slide link to the list after I give the talk. Maybe I'll
present it in person at one of the upcoming NANOG meetings if I can get
my employer to sponsor travel. :)

Unfortunately it will be all v4. I have v6 turned up via he.net (as I
alluded to a while back), but it's not at the same level as v4 is. I'm
currently going through the learning process with v6. However that's an
incredibly high priority for me, and I hope to be at parity with v4 by
end of Q1.

I'll probably do a separate ipv6 for datacenter/application operators
presentation at some point in Q2. I know there will be one at SCALE this
year, by one of our frequent v6 posters. :)




Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-04 Thread Charles N Wyble

On 2/3/2011 7:43 PM, Jay Ashworth wrote:

An armed FBI special agent shows up at your facility and tells your ranking
manager to shut down the Internet.


Let's look at this from a different perspective. What level of 
impairment would the feds face if they ordered widespread net shutdowns? 
Do the feds have a big enough network of their own that they can continue 
to operate without the commercial nets being up? I mean they would need 
to declare martial law and coordinate enforcement activities. Can they do 
this all via satellite networks?

Also what's to stop the operations staff from saying "no way, Jose" and 
walking out?



Ok. Let's say they aren't dependent on the net being up. What would the 
scenario look like?

Presumably this would be at a major IX, colo etc? Like say One Wilshire 
or something? They would show up with several agents, and probably some 
tech folks. One presumes they would have an injunction or some other 
legal authority to order you to terminate connectivity. This would have 
to be spelled out to the letter (terminate all IX traffic, drop all 
external sessions, take down core routers etc).




What do you do when you get home to put it back on the air


Put what back on the air? Regional connectivity to let people coordinate 
a revolution? (I'm dead serious by the way. If things have gotten to the 
point where the feds are shutting down the net, it's time to follow our 
founding code:

That whenever any Form of Government becomes destructive of these ends, 
it is the Right of the People to alter or to abolish it)

Depending on the geography, one could establish some long distance links 
via 802.11/3.65 GHz. Hopefully that gear is already on standby.



  -- let's say email
as a base service, since it is -- do you have the gear laying around, and how
long would it take?


Well I'm a huge data ownership guy and have been preaching to folks the 
importance of self hosting. Lots of details are on my wiki at 
http://wiki.knownelement.com/index.php/Data_Ownership
So yes, I have the gear in service already doing my hosting. I also run 
a small neighborhood WISP. I only offer net access via that WISP, but it 
would be trivial to stand up a neighborhood xmpp/irc/mail/www server in 
that VLAN. Maybe I should do that now. Get people using it beforehand, 
so it's what they naturally turn to in time of distress/disaster. Hmmm



Do you have out-of-band communications (let's say phone numbers) for enough
remote contacts?


How much phone service would still work, if the feds hit all the major 
IX points and terminate connectivity? I seem to recall much discussion 
about the all-IP backbone of the various large carriers (Qwest/AT&T). I 
guess calls in the same CO and maybe between regional COs might work.

Think of this from a disaster preparedness perspective (ie a major 
earthquake or terrorist attack significantly damages One Wilshire and/or 
various IXes in the bay area). AT&T has a very large CO right next to 
One Wilshire, with something like 1.5 million lines terminated in the 
building. It wouldn't take that much work for the FBI to shut those 
places down if they felt a significant need to.


Interesting thought exercise. Let's keep the conversation going guys/gals!


Re: Connectivity status for Egypt

2011-01-28 Thread Charles N Wyble

On 01/28/2011 12:36 PM, George Bonser wrote:
 
 
 -Original Message-
 From: Jake Khuon [mailto:kh...@neebu.net]
 Sent: Friday, January 28, 2011 12:07 PM
 To: Patrick W. Gilmore
 Cc: NANOG list
 Subject: Re: Connectivity status for Egypt

 On Fri, 2011-01-28 at 11:27 -0500, Patrick W. Gilmore wrote:

 I think it does not matter.  Censorship is censorship.  (So much for
 routing around it.)

 
 
 I think it would be pretty hard to actually cut off communications when the 
 telephone system is still working.  You can move a lot of email by dialup 
 UUCP if you wanted to.

Right. In a government regulated monopoly telecom carrier.

 
 I am guessing that satellite internet still works

If people can't afford to eat, I doubt they can afford satellite internet.

 and landline dialup to a modem outside the country still works.

This presumes people have long distance plans.

  And there's always static routes :)

To what? If everyone has dropped BGP sessions how are you as an end user
going to setup static routes? Unless there are no firewalls and
everything is wide open how would you reach gateways?







Re: Connectivity status for Egypt

2011-01-28 Thread Charles N Wyble

On 01/28/2011 01:02 PM, Alexander Harrowell wrote:
 On Friday 28 January 2011 20:36:30 George Bonser wrote:
 -Original Message-
 From: Jake Khuon [mailto:kh...@neebu.net]
 Sent: Friday, January 28, 2011 12:07 PM
 To: Patrick W. Gilmore
 Cc: NANOG list
 Subject: Re: Connectivity status for Egypt

 On Fri, 2011-01-28 at 11:27 -0500, Patrick W. Gilmore wrote:
 I think it does not matter.  Censorship is censorship.  (So much for

 routing around it.)

 I think it would be pretty hard to actually cut off communications when the
 telephone system is still working.  You can move a lot of email by dialup
 UUCP if you wanted to.


 
 I wonder if anyone's working on a mesh or p-t-p radio app that runs on a 
 smartphone?
 
 

Yes.

http://www.servalproject.org/





Ipv6 for the content provider

2011-01-26 Thread Charles N Wyble

Hello,


All the recurring threads about prefix length, security posture, ddos,
consumer CPE support have been somewhat interesting to my service
provider alter ego. Ipv6 is definitely on folks minds this year. The
threads seem a lot less trollish as well. It appears some significant
progress is being made, and peoples opinions are firming up. Hopefully
this will help move ipv6 adoption forward.

I have recently turned up an ipv6 tunnel with he.net and have end to end
connectivity. I'm using pfsense as my routing platform. It was pretty
easy (about 10 minutes of total work I think). So I can connect to
various ipv6 enabled sites on the interwebz. This seems to be the first
step in deployment.


For the most part, I'm a data center/application administrator/content
provider kind of guy. As such, I want to provide all my web content over
ipv6, and support ipv6 SMTP.  What are folks doing in this regard?

Do I just need to assign ip addresses to my servers, add AAAA records to
my DNS server and that's it? I'm running PowerDNS for DNS, Apache for
WWW. Postfix for SMTP.

Feel free to point me at any good manuals and say RTFM :)



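An added example, not code from this thread or any of its posters: a small Python audit that answers both questions raised above, Mark Andrews' observation (Feb 6/9 messages) that some servers return NXDOMAIN for an AAAA query on a name that answers A, and the question just asked of whether AAAA records plus addresses are all a content provider needs. It runs over a constructed table of DNS responses of the kind you would collect with dig; the names and addresses are documentation ranges made up for the example, and the finding codes are this example's own.

```python
"""Audit DNS answers for IPv6 readiness before turning up v6 content.

Added example for this thread, not code from any of the posters. It runs
over a constructed table of DNS responses (what dig would return) and flags:
  * BROKEN    - A answers but AAAA returns NXDOMAIN. A name that exists must
                answer NOERROR with an empty answer section (NODATA) for
                types it lacks; NXDOMAIN for AAAA tells resolvers the whole
                name does not exist.
  * V4ONLY    - A answers and AAAA is correctly empty: not dual-stacked yet.
  * BAD_AAAA  - AAAA data that is loopback, link-local, site-local, ULA or
                v4-mapped, i.e. an interface address that leaked into the zone.
  * MX_V4ONLY - an MX target with no AAAA, so inbound SMTP stays v4-only.
Names and addresses below are constructed from documentation ranges.
"""
import ipaddress
from typing import Dict, List, Tuple

# (rcode, rdata) keyed by (qname, qtype); an NXDOMAIN answer carries no rdata.
Response = Tuple[str, List[str]]
ResponseTable = Dict[Tuple[str, str], Response]

ULA = ipaddress.IPv6Network("fc00::/7")


def lookup(table: ResponseTable, name: str, qtype: str) -> Response:
    """Pairs absent from the table count as NXDOMAIN, as a resolver would report."""
    return table.get((name, qtype), ("NXDOMAIN", []))


def is_routable_v6(addr: str) -> bool:
    """True for an address a remote client could actually reach.

    Explicit checks rather than IPv6Address.is_global, because is_global also
    rejects the 2001:db8::/32 documentation prefix used in the sample data.
    """
    try:
        ip = ipaddress.IPv6Address(addr)
    except ipaddress.AddressValueError:
        return False
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_site_local:
        return False
    if ip in ULA or ip.ipv4_mapped is not None:
        return False
    return True


def mx_targets(table: ResponseTable, zone: str) -> List[str]:
    """Extract exchange hostnames from 'preference host.' MX rdata."""
    _, rdata = lookup(table, zone, "MX")
    return [entry.split()[1] for entry in rdata if len(entry.split()) == 2]


def audit(table: ResponseTable, zone: str) -> List[Tuple[str, str, str]]:
    """Return (name, code, detail) findings; an empty list means fully dual-stacked."""
    findings = []
    names = sorted({name for (name, qtype) in table if qtype == "A"})
    for name in names:
        a_rcode, a_data = lookup(table, name, "A")
        aaaa_rcode, aaaa_data = lookup(table, name, "AAAA")
        if a_rcode == "NOERROR" and a_data:
            if aaaa_rcode == "NXDOMAIN":
                findings.append((name, "BROKEN",
                                 "AAAA query returns NXDOMAIN while A answers"))
            elif not aaaa_data:
                findings.append((name, "V4ONLY", "no AAAA record"))
        for addr in aaaa_data:
            if not is_routable_v6(addr):
                findings.append((name, "BAD_AAAA", f"{addr} is not a routable address"))
    for target in mx_targets(table, zone):
        if not lookup(table, target, "AAAA")[1]:
            findings.append((target, "MX_V4ONLY", "MX target has no AAAA"))
    return findings


# Constructed sample: what dig against the zone's servers might return.
SAMPLE: ResponseTable = {
    ("www.example.com.", "A"): ("NOERROR", ["192.0.2.10"]),
    ("www.example.com.", "AAAA"): ("NOERROR", ["2001:db8:1::10"]),
    ("blog.example.com.", "A"): ("NOERROR", ["192.0.2.11"]),
    ("blog.example.com.", "AAAA"): ("NXDOMAIN", []),      # the GLB misbehaviour
    ("static.example.com.", "A"): ("NOERROR", ["192.0.2.12"]),
    ("static.example.com.", "AAAA"): ("NOERROR", []),     # correct NODATA reply
    ("api.example.com.", "A"): ("NOERROR", ["192.0.2.13"]),
    ("api.example.com.", "AAAA"): ("NOERROR", ["fe80::1"]),  # link-local leaked
    ("example.com.", "MX"): ("NOERROR", ["10 mail.example.com."]),
    ("mail.example.com.", "A"): ("NOERROR", ["192.0.2.25"]),
    ("mail.example.com.", "AAAA"): ("NOERROR", []),
}

if __name__ == "__main__":
    for name, code, detail in audit(SAMPLE, "example.com."):
        print(f"{code:10} {name:22} {detail}")
```

The script does no lookups of its own; build the table from dig output against each authoritative server (and against the load balancer's VIP, since that is where the NXDOMAIN-for-AAAA answers come from). On the question of whether records are enough: besides the AAAA records, Postfix needs `inet_protocols = all` (older releases default to ipv4), Apache needs a `Listen` that covers the v6 address or a bare port, and the mail host's AAAA wants a matching PTR, since receivers check reverse DNS over v6 just as they do over v4.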



What's the current state of major access networks in North America ipv6 delivery status?

2011-01-26 Thread Charles N Wyble


Is anyone tracking the major consumer/business class access networks
delivery of ipv6 in North America?

I'm on AT&T DSL. It looks like they want to use 6rd? I've only briefly
looked into 6rd. Is this a dead end path/giant hack?

https://sites.google.com/site/ipv6implementors/2010/agenda/05_Chase_Googleconf-BroadbandtransitiontoIPv6using6rd.pdf?attredirects=0


I spoke with impulse.net last year, which appears to serve large
portions of the AT&T cable plant in Southern California. They were
willing to offer native ipv6. Not sure how (one /64, a /48) etc.

I see that FiOS did a trial in April 2010
http://newscenter.verizon.com/press-releases/verizon/2010/verizon-begins-testing-ipv6.html
(it mentions special CPE). What about verizon DSL?

Comcast is currently conducting trials:
http://comcast6.net/ (anyone participated in this?)

How about Time Warner Cable? They don't seem to have any sort of v6
offering, on wholesale or retail services.


Am I missing anyone in the DSL/Cable/FTTH market?

As for wireless broadband providers, there is satellite and 3g/4g/LTE. I
haven't looked at the satellite providers. I know Verizon is offering
dual stack on their LTE service, according to a thread a couple weeks
ago.  T-mobile is offering it on the small subset of phones that have v6
capable baseband.

For grins and giggles, how does North America stack up against other
regions, when it comes to access network ipv6 delivery?

Thanks.




Re: Ipv6 for the content provider

2011-01-26 Thread Charles N Wyble

On 01/26/2011 01:50 PM, Randy McAnally wrote:
 On Wed, 26 Jan 2011 10:22:40 -0800, Charles N Wyble wrote
 
 For the most part, I'm a data center/application 
 administrator/content provider kind of guy. As such, I want to 
 provide all my web content over ipv6, and support ipv6 SMTP.  What 
 are folks doing in this regard?
 
 The only issue I've faced is RHEL/CentOS doesn't have stateful connection
 tracking for IPv6 - so ip6tables is practically worthless.


Hmm. Interesting. I wonder if this is specific to the Red Hat kernel?
Or a problem with v6 support on Linux in general? Perhaps it could be
solved with tweaking which iptables modules get loaded. Ugh. This is why
I don't care for iptables as a firewall. Lost lots of time tracking down
bizarre corner cases due to module issues. Don't get me started on the
number of issues due to distro patching of the kernel.

I haven't used Linux for any serious networking duty for some time. Just
Cisco and pfsense. However the majority of my servers are Linux (Ubuntu
10.10/8.04) (with a couple of windows 2008 servers).







Re: What's the current state of major access networks in North America ipv6 delivery status?

2011-01-26 Thread Charles N Wyble




On 01/26/2011 01:52 PM, Charles N Wyble wrote:
 
 Is anyone tracking the major consumer/business class access networks
 delivery of ipv6 in North America?
 
 I'm on AT&T DSL. It looks like they want to use 6rd? I've only briefly
 looked into 6rd. Is this a dead end path/giant hack?
 
 https://sites.google.com/site/ipv6implementors/2010/agenda/05_Chase_Googleconf-BroadbandtransitiontoIPv6using6rd.pdf?attredirects=0
 

Found an article talking about AT&T v6 support

http://www.networkworld.com/news/2010/102710-att-ipv6.html?page=3

Also found
http://www.corp.att.com/gov/solution/network_services/data_nw/ipv6/



Re: [arin-announce] ARIN Resource Certification Update

2011-01-25 Thread Charles N Wyble

On 1/24/2011 8:52 PM, Roland Dobbins wrote:

On Jan 25, 2011, at 11:35 AM, Christopher Morrow wrote:


thinking of using DNS is tempting


The main arguments I see against it are:


2.  The generally creaky, fragile, brittle, non-scalable state of the 
overall DNS infrastructure in general.


Can you expand on this a bit?


Routing and DNS, which are the two essential elements of the Internet control 
plane, are also its Achilles' heels.  It can be argued that making routing 
validation dependent upon the DNS would make this situation worse.

The main reasons for it are those Danny stated:

1.  DNS exists.

2.  DNSSEC is in the initial stages of deployment.

3.  There's additional relevant work going on which would make DNS more 
suitable for this application.

4.  Deployment inertia.



I kind of like the DNS idea. Though some challenges have been raised in 
this thread that warrant further discussion.  In particular the in-addr.arpa 
delegation scenarios between RIRs.






Re: DSL options in NYC for OOB access

2011-01-24 Thread Charles N Wyble

On 01/24/2011 02:54 PM, Adam Rothschild wrote:
 On 2011-01-24-17:04:25, Andy Ashley li...@nexus6.co.za wrote:
 Im looking for a little advice about DSL circuits in New York, 
 specifically at 111 8th Ave [...]
 
 You can get a CLEAR WiMAX fixed modem with static IP address for $50
 (USD) monthly, or less if you opt for the low-bandwidth plan.


+1 for the clear stuff. I've spent the last couple of weeks doing
extensive 3g/4g testing, and been incredibly impressed with Clear. (I'm
doing video conferencing over it).




- -- 
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793



Re: Software DNS high availability and load balancer solution

2011-01-18 Thread Charles N Wyble

HAProxy and Linux Virtual Server are popular packages.

On 01/18/2011 09:42 AM, Sergey Voropaev wrote:
 Does anyone know software solutions (free is preferable) like Cisco GSS
 and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must
 be able to monitor server availability (for example by TCP connect) and the
 DNS reply depends on it.
 
 I know that it is possible with BIND and a set of scripts. But we are trying to
 find a more usable solution with a friendly interface.
 
 Thanks a lot.





Re: Software DNS high availability and load balancer solution

2011-01-18 Thread Charles N Wyble

On 01/18/2011 04:01 PM, david raistrick wrote:
 
 On 01/18/2011 09:42 AM, Sergey Voropaev wrote:
 Does anyone know software solutions (free is preferable) like
 Cisco GSS
 and F5 BIG-IP? The main point is that the DNS server (or DNS server
 plugin) must
 be able to monitor server availability (for example by TCP connect)
 and the
 DNS reply depends on it.

 
 On Tue, 18 Jan 2011, Charles N Wyble wrote:

 Ha-proxy and linux virtual server are popular packages.
 
 Neither of these do DNS. 

What does that mean? Load balance DNS lookups across multiple servers?
Or use DNS to load balance? I've never set up a load balancer for DNS
before. Always just had one server and moved the VM in the event of
failure/maintenance.

  He asked about DNS based loadbalancing (also
 known as GSLB, among other things) software packages

Ah. DNS-based load balancing. I've heard good things about PowerDNS for
that.



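The mechanism Sergey described (a DNS answer whose contents depend on a TCP health check of each backend) in working form, as an added example. This is not code from the thread or from PowerDNS, Cisco GSS or F5 BIG-IP; the record name app.example.test, the backend pool and the local listener it probes are constructed for the demonstration.

```python
"""Health-check-driven DNS answer selection.

Added example for the GSLB discussion above; not code from the thread or
from PowerDNS, Cisco GSS or F5 BIG-IP. The answer set for a name only
contains backends that currently accept a TCP connection. The owner name
app.example.test and the backend pool are assumptions for the demo.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Backend:
    name: str   # owner name of the A record (assumed: app.example.test)
    ip: str     # address that would be handed out
    port: int   # service port the health check connects to


def tcp_alive(ip, port, timeout=1.0):
    """Plain TCP-connect probe: True if the port accepts a connection."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable
        return False


def build_answer(qname, pool, probe=tcp_alive, fallback_all=True):
    """Select the backends to answer qname with.

    Only backends whose probe passes are returned. If none pass, either
    hand out the whole pool anyway (fallback_all=True, so a broken probe
    does not blackhole the service) or return an empty list, which the
    server would turn into a NODATA answer so clients fail fast.
    """
    candidates = [b for b in pool if b.name == qname]
    live = [b for b in candidates if probe(b.ip, b.port)]
    if not live and fallback_all:
        return candidates
    return live


def to_records(backends, ttl=30):
    """Render the selection as (owner, ttl, type, rdata) A records.

    Keep the TTL short: a long one pins clients to a backend that has
    since failed its check."""
    return [(b.name, ttl, "A", b.ip) for b in backends]


def demo():
    """Self-contained run against one live and one closed local port.

    Both backends sit on 127.0.0.1, so the result is reported by port.
    Constructed purely so the example runs offline."""
    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(1)
    live_port = live.getsockname()[1]
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))
    dead_port = dead.getsockname()[1]
    dead.close()                       # nothing listens here now: refused
    try:
        pool = [Backend("app.example.test", "127.0.0.1", live_port),
                Backend("app.example.test", "127.0.0.1", dead_port),
                Backend("other.example.test", "127.0.0.1", live_port)]
        chosen = build_answer("app.example.test", pool)
        return {"live_port": live_port, "dead_port": dead_port,
                "answered_ports": [b.port for b in chosen],
                "records": to_records(chosen)}
    finally:
        live.close()


if __name__ == "__main__":
    print(demo())
```

The probe is deliberately pluggable: a TCP connect proves only that something accepts the handshake, and a real deployment would swap in an HTTP or application-level check for the same selection logic.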



Re: Is Cisco equipment de facto for you?

2011-01-10 Thread Charles N Wyble

pfSense in a redundant pair for routing/security/VLAN termination.
Cisco all the way for L2 switching.

On 01/10/2011 09:38 AM, James Smith wrote:
 All the places I've worked in the past decade have been all Cisco shops for
 routing and switching, with a lot of Cisco use for security too (firewalls
 and IDS).  Same with my current position, but we're switching to Juniper for
 all those product categories.  Same or better performance, but 10-20% less
 cost.  Additionally, I find the Juniper command line has more features that
 make operating and monitoring much more efficient.  Also, JunOS has only one
 development train which means that the commands I use work on every single
 Juniper platform.  It always bugs me when I’m trying to setup QOS across a
 network with different Cisco platforms (CatOS, ASA, different versions of
 IOS) and each platform has a completely different way of doing it.
 



Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread Charles N Wyble

On 01/09/2011 03:41 PM, Jeff Wheeler wrote:
 On Sun, Jan 9, 2011 at 6:27 PM, Randy Bush ra...@psg.com wrote:
   Do you: 1) want IRR services, and if so, with what features?
   2) believe IRR services should be provided by ARIN?


 
 I am simply suggesting it is dangerous and irresponsible to run an IRR
 with only MAIL-FROM authentication, and quite easy to also support
 CRYPT-PW.  ARIN should either support passwords or immediately make
 their IRR read-only and stop offering it as a service.  Imagine if
 there was a Slashdot article or something about this, how long would
 it take for some 14-year-old to erase the whole database, and how that
 would pretty much force ARIN to make a choice anyway, but also, create
 a lot of negative fall-out that might jeopardize trust in ARIN with
 regard to other operational matters, like RPKI.

So why hasn't this happened already? If it's so easy, then all the
normal actors that like to cause us late nights would have struck already.

And according to http://www.irr.net/docs/list.html there are lots of IRR
databases.

I had a vague concept of IRR before this thread, and have researched
them as a result of it. They seem quite useful. I didn't know anything
about RPKI before this thread. I'm looking into that now.

So I don't think ARIN should spend its limited resources on anything to
do with its copy of the IRR. In fact I'm not sure why they even operate
one. It seems to be the realm of service providers to do so.

Can anyone enlighten me as to why a RIR is operating an IRR database? It
doesn't make sense to me.


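Jeff's point about MAIL-FROM authentication is easy to check against an IRR dump. The script below is an added example, not code from the thread or from any IRR server: it parses RPSL-style mntner objects and reports which maintainers can be updated by anyone able to forge a From: header. The sample dump, maintainer names, addresses and password hashes are constructed for the example.

```python
"""Audit IRR maintainer (mntner) objects for MAIL-FROM authentication.

Added example for the AltDB thread above; not code from the thread or from
any IRR server. It parses RPSL-style objects ("attribute: value" lines,
blank line between objects) and reports which maintainers can be changed
by anyone able to forge a From: header. IRR auth is a disjunction: any one
matching auth: line authorises an update, so a password alongside a
MAIL-FROM line does not remove the weakness. The dump below is constructed;
the maintainer names, addresses and hashes are not real.
"""

SAMPLE_DUMP = """\
mntner:      MAINT-EXAMPLE-WEAK
descr:       Example maintainer, mail-from only
auth:        MAIL-FROM .*@example\\.test
mnt-by:      MAINT-EXAMPLE-WEAK
source:      EXAMPLE

mntner:      MAINT-EXAMPLE-MIXED
descr:       Has a password but still accepts mail-from
auth:        MAIL-FROM hostmaster@example\\.test
auth:        CRYPT-PW $1$saltsalt$notarealhashnotarealhash
mnt-by:      MAINT-EXAMPLE-MIXED
source:      EXAMPLE

mntner:      MAINT-EXAMPLE-OK
descr:       Password or PGP signature only
auth:        MD5-PW $1$saltsalt$notarealhashnotarealhash
auth:        PGPKEY-DEADBEEF
mnt-by:      MAINT-EXAMPLE-OK
source:      EXAMPLE
"""

# Schemes that require a secret or a signature rather than a mail header.
STRONG_SCHEMES = {"CRYPT-PW", "MD5-PW", "PGPKEY"}


def parse_objects(text):
    """Split a dump into objects, each a list of (attribute, value) pairs.

    Attribute names are lower-cased; continuation lines (leading blank,
    tab or '+') are folded into the previous value."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if (line[0] in " \t" or line.startswith("+")) and current:
            attr, val = current[-1]
            current[-1] = (attr, (val + " " + line.lstrip(" \t+")).strip())
            continue
        attr, _, val = line.partition(":")
        current.append((attr.strip().lower(), val.strip()))
    if current:
        objects.append(current)
    return objects


def auth_scheme(value):
    """'MAIL-FROM x' -> 'MAIL-FROM'; 'PGPKEY-ABCD' -> 'PGPKEY'; 'MD5-PW $1$..' -> 'MD5-PW'."""
    parts = value.split()
    token = parts[0].upper() if parts else ""
    return "PGPKEY" if token.startswith("PGPKEY-") else token


def audit_mntners(text):
    """Return {mntner name: verdict}.

    weak  : MAIL-FROM (or no auth: line at all) and nothing stronger
    mixed : a strong scheme is present but MAIL-FROM is still accepted
    ok    : only strong schemes
    """
    report = {}
    for obj in parse_objects(text):
        names = [v for a, v in obj if a == "mntner"]
        if not names:
            continue                      # not a maintainer object
        schemes = {auth_scheme(v) for a, v in obj if a == "auth"}
        has_strong = bool(schemes & STRONG_SCHEMES)
        has_mailfrom = "MAIL-FROM" in schemes or not schemes
        if has_mailfrom and has_strong:
            verdict = "mixed"
        elif has_mailfrom:
            verdict = "weak"
        else:
            verdict = "ok"
        report[names[0]] = verdict
    return report


if __name__ == "__main__":
    for name, verdict in audit_mntners(SAMPLE_DUMP).items():
        print(f"{name:24} {verdict}")
```

Run it over a whois bulk dump of the database in question; every "weak" or "mixed" maintainer is one whose route objects can be rewritten with a forged e-mail, which is exactly the exposure Jeff describes.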



Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread Charles N Wyble

On 01/09/2011 03:48 PM, Randy Bush wrote:
   Do you: 1) want IRR services, and if so, with what features?

I think so. In theory it seems useful. In practice...
http://www.renesys.com/blog/2009/05/keeping-score.shtml

not so much.

   2) believe IRR services should be provided by ARIN?

No. As I mentioned elsewhere in this thread, I don't see why an RIR is
operating an IRR database. It seems to be something clearly in the realm
of service providers (i.e. people who are making use of allocated resources).

John,

Can you shed some light on why this is the case? Was this requested by
the community, or driven internally? Or both?






Re: reporting physical plant damage to AT&T?

2011-01-05 Thread Charles N Wyble

On 01/05/2011 09:11 AM, Jo Rhett wrote:
 On Nov 25, 2010, at 2:11 PM, Kevin Oberman wrote:
 Have you tried 611 (from an AT&T land-line phone)?
 
 Many people don't have one.  I haven't had one for over 12 years now, nor 
 have any of my employers for the last 8 years.

They have an 877 number that routes to the same people.  I was at a
client and they were having some sort of telco emergency and obtained
the number as part of the resolution process.

Here it is:
from http://www.att.com/gen/general?pid=1603

Repair Service

1-866-346-1168
or 611 within state

24 hours a day, 7 days a week

It's amazing how many people don't know about 611. It's the fastest way
to reach clued/capable of paging clued people.



 





Re: Low end, cool CPE.

2010-11-12 Thread Charles N Wyble
Check out Cradlepoint. Doesn't have all the features you want, but will 
do wifi/3G/ethernet as WAN options. Not sure if it load balances between 
them though. Also check out pfSense. That's what I am currently running.


On 11/11/2010 05:54 PM, Suresh Ramasubramanian wrote:

And does this take cellular modems as a backup?  The only wifi AP I've
seen that would take SIM cards besides ethernet was a no-name chinese
brand I saw in a Hong Kong electronics store.






Re: Low end, cool CPE.

2010-11-12 Thread Charles N Wyble

On 11/12/2010 01:24 AM, Eugen Leitl wrote:

On Thu, Nov 11, 2010 at 05:41:00PM -0800, Leo Bicknell wrote:

I've run into a number of low end CPE situations lately where I
haven't found anything that does what I want, but I have to believe
it is out there.  I'm hoping NANOG can help.

An ALIX with pfSense 2.0 (BETA4 at the moment) would fit most
of the above. IPv6 support is coming (is mostly there in the
kernel, but interface only alpha).



PPPoE is currently broken in 2.0 BETA4. :(

If you want to run the snort package I'd however pick a
Supermicro Atom system with 2 onboard NICs and add a dual-port
Intel NIC, and run pfSense from a small SSD or an USB stick.
Albeit a rackmount, the system would be quiet enough for SOHO.


Yes. I agree. Have Snort run as a transparent bridge and have a separate 
management interface. Use VLANs on that interface to handle whatever you 
need to do (dedicated VLAN for Snort, one for your management network, 
one for secure wifi, one for guest wifi etc).




Basically think about a sophisticated home user, or a 1-5 person
small office.  Think DSL, Cable Modem, maybe Cell Card or ISDN as
backups.  Looking for an appliance, very much fire and forget. I
probably won't get all the features that I want, but in no particular
order:




- Able to deal with backup connectivity, eg. Cell Cards which you
   only want to use if the primary is down.
- User friendly features, e.g. UPNP, NAT-PMP, etc.
- Good manageability.  ssh to a cli would be a huge bonus, at least
   the ability to backup a config.

Very well supported. http(s) and ssh both.


Well the SSH interface is very limited. You can login and do some basic 
checks. However everything is driven from a single XML config file that 
gets parsed by PHP scripts during the init process and then writes out 
all the UNIX configuration files. However all the things I've ever done 
from the CLI on a Linux box are readily available from the pfSense web 
interface (arp table checks, traceroute, ping, iperf, tcpdump).

I only use the CLI when I have broken something.

_ Nice firewall features.

- IDS features are cool.


It has a Snort package that's pretty nice. Also has some other AV type 
stuff and a proxy. I haven't gotten the proxy/AV to work yet, but 
haven't put much time into them.

WiFi is not strictly required, but would be cool. Things like guest
WiFi would be an added bonus.


It supports a lot of wifi cards. I put a USB wifi stick in my pfSense 
box and configured it as an AP from the web UI.


I'm running the current stable pfSense (1.2.3 I think). Very happy with 
it. It's a fully featured distribution that is incredibly well put together.



Re: OT: VM slicing and dicing

2010-11-12 Thread Charles N Wyble

On 11/9/2010 2:38 PM, Brandon Kim wrote:

Thanks everyone for your input today on this topic. I wanted to recap with a 
list of sites that everyone has suggested
both online and offline for FYI purposes.



http://www.microsoft.com/systemcenter/en/us/default.aspx


I haven't used System Center, but have been very happy with Microsoft's 
other management offerings. In particular the combination of WMI and 
Active Directory is pretty slick. Nowadays with W2k8 Server Core and VM 
friendly licensing, the Microsoft OS density on a hardware node is 
starting to approach Linux density levels.


http://www.proxmox.com/products/proxmox-ve


I use Proxmox exclusively and am very happy with it. It's a great 
product. You might need to do a bit of CLI work if you want to support 
multiple VLANs or other slightly advanced features. I'm lazy but I might 
get around to patching the web UI at some point to support the stuff I 
do manually.  The OpenVZ docs are very clear and the process is pretty 
trivial to do on the CLI.



http://www.openqrm-enterprise.com/


This has received some serious attention from me, but it seemed a bit 
heavy on the startup requirements and it wanted to own my entire 
infrastructure.  Proxmox was just plug and play and reduced the effort 
to deploy virtual machines. Anyone here using OpenQRM? How demanding is 
it? Can you just utilize the pieces you want? These days most users have 
existing systems in place to handle storage, security, monitoring, OS 
configuration management etc. I guess if you are a completely new 
startup, then OpenQRM might make sense.



http://www.openstack.org/


Ah yes. The newcomer of sorts. Anyone looked at this in detail? Beta 
deployed it?







Re: OT: VM slicing and dicing

2010-11-12 Thread Charles N Wyble

On 11/12/2010 12:09 PM, Robert Brockway wrote:

On Fri, 12 Nov 2010, Charles N Wyble wrote:

I use Proxmox exclusively and am very happy with it. It's a great 
product. You might need to do a bit of CLI work if you want to 
support multiple VLANs or other slightly advanced features. I'm lazy 
but I might get around to patching the web UI at some point to 
support the stuff I do manually.  The OpenVZ docs are very clear and 
the process is pretty trivial to do on the CLI.




Managing OpenVZ from the CLI is easy.  I wrote wrapper scripts to 
perform the desired functions.


Yeah. It's very easy. Proxmox is for super lazy people like me. :)



It has extensive documentation available.  From a documentation point 
of view it really stands out among OSS and even commercial apps.


Yes. The documentation is fantastic. Top notch. OpenVZ is very simple 
and utilizes existing features in Linux directly. As opposed to Xen (at 
least as it ships with CentOS 5) which utilizes an entire super 
structure of complex shell scripts to do its networking setup. If you 
have a few years of server admin experience it's very easy to get up and 
going. You can utilize all your existing CLI knowledge.






Re: Rough cost for monitoring

2010-10-05 Thread Charles n wyble
One would need to know a lot more about the specifics of your requirements. 

My suggestion would be to invest money in qualified people to watch over 
something like OpenNMS or (my favorite) a combination of AlienVault and 
Opsview. 

Eric Gauthier e...@roxanne.org wrote:

Heya,

I'm trying to quickly pull together some very rough
budget numbers for purchasing a full monitoring
system (network, server, security, facilities).  Is
there a source for rough unit costs?  If not, does
anyone have recent RFI pricing that they'd be willing
to share?

Eric :0


--
from the desk of Charles wyble
ceo  president known element enterprises
xmpp/sip/smtp: char...@knownelement.com
legacy pstn: 818 280 7059



Re: Specifications for Internet services on public frequency

2010-09-18 Thread Charles n wyble
Check out the OpenBTS and TIER wireless projects. 

Georges-Keny PAUL paulgk...@gmail.com wrote:

Hello all,

My team is working on technical and technological specifications of a
document for the deployment of Internet service on public frequencies in
rural areas. We welcome your thoughts on the topic in terms of previous
experiences and, well sure, your recommendation in terms of equipment. You
should note that the environment in question is very mountainous with very
precarious infrastructure conditions: no electricity, poor access, etc. We
would like to deploy a service at minimal cost, using mainly open source
software.


All comments, suggestions, recommendations, drafts, success stories are
welcome.


Feel free to contact me for additional information.



Warm regards,
Georges-Keny PAUL




Re: on network monitoring and security - req for monitoring tools

2010-08-23 Thread Charles N Wyble

On 08/23/2010 07:40 AM, Scott Berkman wrote:

Are you looking only at Open Source tools?  If not you are missing all of
the most widely deployed tools out there (including):


You will also need to look at separate security monitoring software if your
goal is to cover that.  Not including any commercial vendors, I'd say you at
least need to include:
SNORT (possibly including a front end like BASE/ACID)
Suricata
Nessus
   


These days I use OpenVAS (openvas.org) instead of Nessus.




Re: legacy /8

2010-04-02 Thread Charles N Wyble
Hmmm... it is 2pm on a Friday afternoon. I guess it's the appropriate 
time for this thread.


*grabs popcorn and sits back to watch the fun*






Home CPE choice - summary

2010-04-01 Thread Charles N Wyble
Thank you everyone for your replies! :)  It's been great having an 
operational type discussion.


Here is my summary of the thread:

Software:

Linux:
Vyatta
IPCop
Astaro

BSD:
pfSense
m0n0wall (I didn't know this was the base for pfSense until I started 
researching it today)


Appliances:
Juniper. I have taken a Juniper course and have the Oreilly book, but 
I'm a Cisco guy pretty much through and through.
Cisco 871 (I see these pop up on craigslist a fair amount. I suppose 
I'll pick one up and add it to my lab)
Fritz!box (not available in the US) :(  I would love to get my hands 
on one of these.


Hardware:
Alix/Gumstix/Soekris
Various full desktop systems
I got some great hardware sizing advice offline which referenced 
http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49 




My choice:
pfSense on a Dell Optiplex (dual core, 1 gig of RAM).  I think this 
should be more than sufficient for performing WAN duties and routing on 
a stick for my 3548 switch. I currently have an 1841 performing those 
duties and really like it. However I need it for my Cisco cert studies. :)


I was originally going to deploy pfSense in a KVM VM, but it appears BSD 
paravirtualization support may not be up to the level that Linux is at. 
If anyone has experience with this, please let me know. I have 
everything else deployed in virtual machines, but after reading a bit it 
seems that pfSense in a VM would consume a lot of CPU resources even 
doing moderate amounts of traffic (10 mbps).  I don't want to starve out 
my other virtual machines.





