Fwd: [CA Geeks] Vijay Gill
> Begin forwarded message:
>
> From: Herb L via CAGeeks
> Subject: [CA Geeks] Vijay Gill
> Date: August 2, 2022 at 20:47:13 EDT
> To: CA Geeks
> Reply-To: Herb L
>
> All,
> I was told that Vijay passed on from a heart attack while at work. I am
> deeply saddened by the news and wish to convey my deepest condolences to his
> family. I really hope this is misinformation.
> /herb
Re: Reminder: Never connect a generator to home wiring without transfer switch
> On Aug 31, 2021, at 2:33 PM, Owen DeLong via NANOG wrote:
>
> ...
> 15kW is 1.5kVA in a simple radiant electric heat application. (it’s a simple
> resistive load with no power factor weirdness). Whether you could do this
> with 4-8kVA depends on what else you’re trying to run.
>
> Owen

15kW is 15kVA (not 1.5 kVA) at a power factor of 1.0, if the heat is all resistive.

Eric
DNSSEC Best Practices
Does anyone have a pointer to a good resource for current best practices for deployment of DNSSEC, preferably newer than RFC6781?

What algorithms do you typically sign with (RSASHA256, ECDSAP256SHA256, both, something other)?

Feel free to little r me off list if you wish.

Eric Germann
ekgermann (at) semperen.com
LinkedIn: https://www.linkedin.com/in/ericgermann
GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1
dark fiber connection between 111 E 8th and Coresite NYC1 or NYC2
Looking for a recommendation of a provider who can give us a dark fiber cross connect or an L2 connection between the two in the subject for an AWS Direct Connect out of Coresite.

Thanks

Eric
Akamai contact
Now that I’ve learned Delta is an airline, runs hotels, and makes faucets, amongst other things, if there is an Akamai [Company that deploys CDN’s and other things] contact who could contact me off list re: continuing to troubleshoot a Delta Airlines [amongst other sites] issue that would be most appreciated.

Thank you

EKG
Anyone from Delta on list?
If so, can you contact me off list, please and thank you?

EKG
Gmail security contact off list
Can someone from Gmail security contact me off list. Pardon the interruption EKG
Re: BCP for securing IPv6 Linux end node in AWS
The goal isn’t to filter _all_ ICMP. The goal is to permit ICMP that is needed for correct operation across the global network while protecting from externally spoofed packets.

For example, on the IPv4 side, there arguably is no value to timestamp requests and address mask requests externally, so dump them.

Thoughts?

EKG

> On May 14, 2017, at 9:42 AM, Alarig Le Lay <ala...@swordarmor.fr> wrote:
>
> On dim. 14 mai 09:29:45 2017, Eric Germann wrote:
>> Good morning all,
>>
>> I’m looking for some guidance on best practices to secure IPv6 on
>> Linux end nodes parked in AWS.
>>
>> Boxes will be running various services (DNS for starters) and I’m
>> looking to secure mainly ICMP at this point. Service filtering is
>> fairly cut and dried.
>>
>> I’ve reviewed some of the stuff out there, but apparently I’m catching
>> too many of the ICMP types in the rejection as routing eventually
>> breaks. My guess is router discovery gets broken by too tight of
>> filters.
>>
>> Thanks for any guidance.
>>
>> EKG
>
> Hi,
>
> Filtering ICMP breaks Internet and it is even more true with IPv6 as
> almost all the bootstrap is based on ICMP (ND, RD, RA, etc.). Plus, you
> will break connections where there is a MTU change on the path.
>
> So, my advice is simply to not filter ICMP and ICMPv6. And by the way,
> why do you want to filter ICMP? You will not be DDoSed with pings.
>
> --
> alarig
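The thread's point is that an ICMPv6 filter on an IPv6 end node has to let the bootstrap and path-MTU types through while still dropping what the host does not need. The following is an added example, not code from either poster: it keeps an allow-list of ICMPv6 types modelled on the RFC 4890 recommendations for an end node (the required/optional/drop split is this example's reading of that RFC, not a statement from the thread), audits a proposed filter for the types that would break routing, and renders an nftables ruleset from it. The interface name and the decision to hop-limit-check NDP types are assumptions.

```python
"""Audit an ICMPv6 allow-list for an IPv6 end node and render nftables rules.

Added example for the thread above; type numbers are the IANA ICMPv6
assignments, the classification follows RFC 4890 for a non-router host.
"""

# Types that must pass or the host loses NDP / PMTUD and "routing breaks".
REQUIRED_ICMPV6 = {
    1: "destination unreachable",
    2: "packet too big (path MTU discovery)",
    3: "time exceeded",
    4: "parameter problem",
    133: "router solicitation",
    134: "router advertisement",
    135: "neighbor solicitation",
    136: "neighbor advertisement",
}

# Useful but not load-bearing; allow by default, rate-limit if you like.
OPTIONAL_ICMPV6 = {
    128: "echo request",
    129: "echo reply",
    130: "MLD query",
    131: "MLD report",
    132: "MLD done",
    143: "MLDv2 report",
}

# A host that is not a router should not honour these from anyone.
DROP_ICMPV6 = {
    137: "redirect",
    138: "router renumbering",
}

# Neighbor/router discovery is link-local only; RFC 4861 requires hop limit 255.
NDP_TYPES = {133, 134, 135, 136}


def audit_allowlist(allowed: set[int]) -> dict[str, list[int]]:
    """Report what a proposed allow-list gets wrong.

    Returns the required types the filter would block (these are what break
    router discovery and PMTUD) and the allowed types an end node should drop.
    """
    return {
        "missing_required": sorted(t for t in REQUIRED_ICMPV6 if t not in allowed),
        "should_drop": sorted(t for t in DROP_ICMPV6 if t in allowed),
    }


def render_nft_rules(allowed: set[int], ifname: str = "eth0") -> str:
    """Render an nftables input chain that accepts only the given ICMPv6 types.

    NDP types are only accepted with hop limit 255 so off-link forgeries are
    dropped even though the type itself is allowed. ifname is assumed.
    """
    ndp = sorted(t for t in allowed if t in NDP_TYPES)
    other = sorted(t for t in allowed if t not in NDP_TYPES)
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    iifname \"{ifname}\" ct state invalid drop",
    ]
    if ndp:
        lines.append(
            f"    icmpv6 type {{ {', '.join(map(str, ndp))} }} ip6 hoplimit 255 accept"
        )
    if other:
        lines.append(f"    icmpv6 type {{ {', '.join(map(str, other))} }} accept")
    lines += ["    # service rules (tcp/udp dport ...) go here", "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # A filter that only allows the "classic" IPv4-style types: this is the
    # shape of mistake the original post describes.
    too_tight = {1, 2, 3, 4, 128, 129}
    print(audit_allowlist(too_tight))
    good = set(REQUIRED_ICMPV6) | set(OPTIONAL_ICMPV6)
    print(render_nft_rules(good))
```

`audit_allowlist` is the useful bit when a filter "mostly works": it names the bootstrap types a rule set silently dropped. The rendered chain is a starting point to load with `nft -f`, not a complete host policy.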
BCP for securing IPv6 Linux end node in AWS
Good morning all,

I’m looking for some guidance on best practices to secure IPv6 on Linux end nodes parked in AWS.

Boxes will be running various services (DNS for starters) and I’m looking to secure mainly ICMP at this point. Service filtering is fairly cut and dried.

I’ve reviewed some of the stuff out there, but apparently I’m catching too many of the ICMP types in the rejection as routing eventually breaks. My guess is router discovery gets broken by too tight of filters.

Thanks for any guidance.

EKG
OSS Netflow that can use EngineID
Colleagues,

Before I go down a source code path, I wanted to get your input.

I have some Linux routers I’ve built that use lots of GRE tunnels. I use ipt-netflow to export flow traffic to a collector. The issue is it seems to randomly pick an interface address and export from that. If we add a tunnel interface, it can randomly switch to that interface for exporting.

I’ve played with nfsen for collection/display, but it defines a source based on IP. Since the source IP of the exporter can change, this poses a problem.

ipt-netflow supports EngineID, but not a specific export IP. nfsend supports a specific export IP, but not EngineID. It seems like the solution is EngineID since we could wire it down.

Does anyone know of a solution that will pull in based on EngineID and separate it that way before I chomp into the source code of one or the other and patch it to support the other?

TIA,

EKG
Re: Looking for some Quagga experience to discuss 32 bit ASN + community issue with
So from reading the draft, if I’m understanding it correctly, I should be able (with the patch) to encode the 32 bit ASN + a community in to this as as32:x:y

Is that correct?

EKG

> On Dec 2, 2016, at 2:27 AM, Job Snijders <j...@instituut.net> wrote:
>
> On Fri, Dec 02, 2016 at 09:00:57AM +, Nick Hilliard wrote:
>> Eric Germann wrote:
>>> Basically trying to advertise 4 byte ASN’s + communities, and then
>>> pick them off elsewhere in a private network. Can’t get the config
>>> right for the route map to import them on the “receiving” side.
>>
>> yes, sounds about right. There is a massive feature deficit regarding
>> BGP communities suitable for asn32s, in that the feature just doesn't
>> really exist yet. This is being remedied at the moment at the ietf,
>> which has just moved the draft-ietf-idr-large-community internet draft
>> to "Publication Requested" state.
>>
>> The feature hasn't made it into mainline quagga yet, but there is a
>> patch.
>
> The quagga patch is being developed against quagga 1.1.0, the latest
> version of the patch (0008-) is available here and would benefit from
> more testing: https://bugzilla.quagga.net/show_bug.cgi?id=875#c13
>
> The patch should provide a feature-complete implementation of Large
> Communities, but the daemon crashes sometimes. We don't know why yet.
> However I am proud to report that it compiles! :-)
>
>> Also, please prod your commercial vendors for support for this.
>
> Yes!
>
> Even if a vendor is listed as 'Planned' or 'Requested' on the
> http://largebgpcommunities.net/implementations/ page, it really helps if
> you email your account manager stating "Large Communities is what i want".
>
> Most vendors have a big backlog of feature requests and no shortage of
> ideas. This operational community must make it unambiguously clear to
> the vendors that Large Communities is the thing that needs to be
> shipping in 2017. This peer pressure will help them to prioritize the
> development, testing, Q, documentation development, internal &
> external marketing etc to get it done.
>
> So, pause your IPv6 deployments for one day, and start calling your
> Huawei, Cisco (ask separately for IOS and XR), Juniper, Nokia, Arista,
> Brocade, ZTE, or Microsoft representatives and ask for it by name! :-)
>
> Kind regards,
>
> Job
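The reason the classic community cannot carry a 4-byte ASN, and why the draft being discussed works, is visible in the wire format: a classic community is one 32-bit value conventionally split as a 16-bit ASN and a 16-bit value, while a Large Community (what became RFC 8092) is three 32-bit fields, so the first can hold any ASN. The following is an added example, not the Quagga patch or any part of the draft text: it encodes `as32:x:y` strings into the 12-byte-per-community attribute payload, decodes them back, and shows the classic encoding refusing an ASN above 65535. The sample ASN and values are constructed.

```python
"""Encode/decode BGP Large Communities (RFC 8092) and classic communities.

Added example for the thread above; the values used are constructed.
"""
import struct

U32_MAX = 0xFFFFFFFF
U16_MAX = 0xFFFF


def parse_large_community(text: str) -> tuple[int, int, int]:
    """Parse 'GlobalAdmin:LocalData1:LocalData2' into three uint32 values.

    GlobalAdmin is normally the 2- or 4-byte ASN that defines the meaning.
    """
    parts = text.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected ASN:x:y, got {text!r}")
    vals = []
    for p in parts:
        if not p.isdigit():
            raise ValueError(f"non-numeric field in {text!r}")
        v = int(p)
        if v > U32_MAX:
            raise ValueError(f"field {v} exceeds 32 bits in {text!r}")
        vals.append(v)
    return vals[0], vals[1], vals[2]


def encode_large_communities(communities: list[str]) -> bytes:
    """Build the Large Communities attribute value: 12 bytes per community."""
    return b"".join(struct.pack("!III", *parse_large_community(c)) for c in communities)


def decode_large_communities(payload: bytes) -> list[str]:
    """Parse an attribute value back into 'asn:x:y' strings."""
    if len(payload) % 12 != 0:
        raise ValueError("Large Communities length must be a multiple of 12")
    return [f"{g}:{a}:{b}" for g, a, b in struct.iter_unpack("!III", payload)]


def encode_classic_community(text: str) -> bytes:
    """Classic RFC 1997 community: one uint32 written as 'asn:value'.

    Both halves are 16 bits, which is exactly why a 4-byte ASN does not fit.
    """
    asn_s, val_s = text.split(":")
    asn, val = int(asn_s), int(val_s)
    if asn > U16_MAX or val > U16_MAX:
        raise ValueError(f"{text!r} does not fit a 16:16 classic community")
    return struct.pack("!HH", asn, val)


def route_map_match(route_communities: list[str], wanted: str) -> bool:
    """Emulate a route-map 'match large-community' for one exact value."""
    want = parse_large_community(wanted)
    return any(parse_large_community(c) == want for c in route_communities)


if __name__ == "__main__":
    # Constructed example: a 4-byte private ASN tagging a route as 100:200.
    attr = encode_large_communities(["4200000001:100:200"])
    print(attr.hex())                      # fa56ea01 00000064 000000c8
    print(decode_large_communities(attr))  # ['4200000001:100:200']
    try:
        encode_classic_community("4200000001:100")
    except ValueError as e:
        print("classic:", e)
```

On the receiving router the match in the example corresponds to configuring a `large-community-list` and matching it from the route-map; the attribute payload is what the two Quagga instances exchange, so if the daemon on one side mangles or drops the attribute, `decode_large_communities` on a capture will show it immediately.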
Looking for some Quagga experience to discuss 32 bit ASN + community issue with
Good evening,

I’m looking for someone who’s familiar with Quagga and is using 32 bit ASN’s. Trying to do some work with communities with it and having no success. If you have some experience and would like to chat, email me off list or reply on-list if the demand is there.

Basically trying to advertise 4 byte ASN’s + communities, and then pick them off elsewhere in a private network. Can’t get the config right for the route map to import them on the “receiving” side.

Help much appreciated.

Thanks

EKG
Anyone from American Express mail operations here?
Pardon the interruption. Please contact me off list.

EKG
Re: Linux router guru sought for hairpulling issue
Thanks to Robert McKay for the answer that fixed it. His explanation was

> Did you forget to add ttl 255 (or similar) to the tunnel setup? By default
> the gre packets will end up with the ttl set to the same as the inside
> payload ttl so when you traceroute they won't reach the other gateway.. that
> sounds like what you might be talking about?
>
> http://lartc.org/howto/lartc.tunnel.gre.html

Added TTL=255 to the ifcfg-tun* config files and all is well.

Thanks to the others for their ideas (too many to name). Great community.

EKG

> On Oct 19, 2016, at 8:27 AM, Eric Germann <ekgerm...@semperen.com> wrote:
>
> Colleagues,
>
> I know we’re all usually running big gear, but I’ve been tasked with building
> some appliances to run in the cloud as VM’s.
>
> Looking for someone who has built on Centos 7 using IPSec and GRE tunnels.
> Having an issue with GRE tunnels and trace route. That’s pulling my hair out.
>
> If you’d like to discuss, reply off list.
>
> Thanks
>
> EKG
Linux router guru sought for hairpulling issue
Colleagues,

I know we’re all usually running big gear, but I’ve been tasked with building some appliances to run in the cloud as VM’s.

Looking for someone who has built on Centos 7 using IPSec and GRE tunnels. Having an issue with GRE tunnels and trace route. That’s pulling my hair out.

If you’d like to discuss, reply off list.

Thanks

EKG
Re: Questions re: VPN protocols globally
IPSec and corporate. Customers will connect to their respective regional sites separately.

Any ITAR concerns there?

> On Oct 5, 2016, at 12:01 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>
> On Tue, Oct 4, 2016 at 11:15 PM, Eric Germann <ekgerm...@semperen.com> wrote:
>> I’ve been charged with building a global VPN as an overlay on top of a
>> certain 3 letter company who also sells lots of stuff.
>
> you say 'vpn' do you mean 'mpls vpn' or 'ipsec vpn over intertubes' ?
>
>> We’re looking at
>>
>> US East
>> US West
>> US Central (eventually)
>> Brazil
>> Singapore
>> Frankfurt
>> Ireland
>> Sydney
>> Maybe Canada
>> Maybe India (outsourcers)
>>
>> In the planning stages now and wondering if there are any protocols I need to
>> stay away from ITAR wise with this list of countries.
>>
>> Contemplating Suite B with GCM, etc and AES acceleration.
>
> most places don't really care about encryption if your use is 'for corporate
> use', not providing use by external parties (internet access sorts of
> things), I believe.
Re: Questions re: VPN protocols globally
I’m aware. We’re considering them down the line.

So, back to the question, any ITAR gotchas with any of these companies?

Thanks

EKG

> On Oct 5, 2016, at 11:05 AM, Peter Beckman <beck...@angryox.com> wrote:
>
> There is a Mumbai, India three letter company region available as of June 27,
> 2016
>
> https://aws.amazon.com/blogs/aws/now-open-aws-asia-pacific-mumbai-region/
>
> On Tue, 4 Oct 2016, Eric Germann wrote:
>
>> I’ve been charged with building a global VPN as an overlay on top of a
>> certain 3 letter company who also sells lots of stuff.
>>
>> We’re looking at
>>
>> US East
>> US West
>> US Central (eventually)
>> Brazil
>> Singapore
>> Frankfurt
>> Ireland
>> Sydney
>> Maybe Canada
>> Maybe India (outsourcers)
>>
>> In the planning stages now and wondering if there are any protocols I need
>> to stay away from ITAR wise with this list of countries.
>>
>> Contemplating Suite B with GCM, etc and AES acceleration.
>>
>> Any land mines?
>>
>> Thanks in advance
>>
>> EKG
>
> ---
> Peter Beckman Internet Guy
> beck...@angryox.com http://www.angryox.com/
> ---
Questions re: VPN protocols globally
I’ve been charged with building a global VPN as an overlay on top of a certain 3 letter company who also sells lots of stuff.

We’re looking at

US East
US West
US Central (eventually)
Brazil
Singapore
Frankfurt
Ireland
Sydney
Maybe Canada
Maybe India (outsourcers)

In the planning stages now and wondering if there are any protocols I need to stay away from ITAR wise with this list of countries.

Contemplating Suite B with GCM, etc and AES acceleration.

Any land mines?

Thanks in advance

EKG
Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment
Currently engaged on a project where they’re building out a VPC infrastructure for hosted applications. Users access apps in the VPC, not the other direction.

The issue I'm trying to get around is the customers who need to connect have multiple overlapping RFC1918 space (including overlapping what was proposed for the VPC networks). Finding a hole that is big enough and not in use by someone else is nearly impossible AND the customers could go through mergers which make them renumber even more in to overlapping 1918 space.

Initially, I was looking at doing something like (example IP’s):

Customer A (172.28.0.0/24) — NAT to 100.127.0.0/28 —— VPN to DC —— NAT from 100.64.0.0/18 —— VPC Space (was 172.28.0.0/24)

Classic overlapping subnets on both ends with allocations out of 100.64.0.0/10 to NAT in both directions. Each sees the other end in 100.64 space, but the mappings can get tricky and hard to keep track of (especially if you’re not a network engineer).

In spitballing, the boat hasn’t sailed too far to say “Why not use 100.64/10 in the VPC?”

Then, the customer would be allocated a /28 or larger (depending on needs) to NAT on their side and NAT it once. After that, no more NAT for the VPC and it boils down to firewall rules. Their device needs to NAT outbound before it fires it down the tunnel which pfSense and ASA’s appear to be able to do.

I prototyped this up over the weekend with multiple VPC’s in multiple regions and it “appears” to work fine.

From the operator community, what are the downsides? Customers are businesses on dedicated business services vs. consumer cable modems (although there are a few on business class cable). Others are on MPLS and I’m hashing that out.

The only one I can see is if the customer has a service provider with their external interface in 100.64 space. However, this approach would have a more specific in that space so it should fire it down the tunnel for their allocated customer block (/28) vs. their external side.

Thoughts and thanks in advance.

Eric
Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment
Mulling over the implications of this.

[root@ip-100-64-0-55 ~]# traceroute s3.amazonaws.com
traceroute to s3.amazonaws.com (54.231.0.64), 30 hops max, 60 byte packets
 1 ec2-79-125-0-202.eu-west-1.compute.amazonaws.com (79.125.0.202) 1.068 ms 0.824 ms 0.787 ms
 2 178.236.1.18 (178.236.1.18) 1.193 ms 1.164 ms 0.869 ms
 3 * * *
 4 54.239.41.133 (54.239.41.133) 76.046 ms 76.029 ms 75.986 ms
 5 54.239.41.166 (54.239.41.166) 76.314 ms 76.281 ms 76.244 ms
 6 72.21.220.77 (72.21.220.77) 76.143 ms 76.054 ms 76.095 ms
 7 205.251.245.224 (205.251.245.224) 76.346 ms 72.21.222.149 (72.21.222.149) 76.261 ms 205.251.245.230 (205.251.245.230) 76.360 ms
 8 * * *
...
30 * * *

but,

[root@ip-100-64-0-55 ~]# wget https://s3.amazonaws.com
--2015-02-24 04:20:18-- https://s3.amazonaws.com/
Resolving s3.amazonaws.com... 54.231.12.48
Connecting to s3.amazonaws.com|54.231.12.48|:443... connected.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: http://aws.amazon.com/s3/ [following]
--2015-02-24 04:20:18-- http://aws.amazon.com/s3/
Resolving aws.amazon.com... 54.240.250.195
Connecting to aws.amazon.com|54.240.250.195|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “index.html.1”
[= ] 179,606 158K/s in 1.1s
2015-02-24 04:20:20 (158 KB/s) - “index.html.1” saved [179606]

ICMP would break from the intermediates, but ICMP from the API endpoint should still work.

Will have to chew on this a bit overnight.

EKG

On Feb 23, 2015, at 9:03 PM, Blair Trosper blair.tros...@gmail.com wrote:

Might be ill-advised since AWS uses it themselves for their internal networking. Just traceroute to any API endpoint from an EC2/VPC resource or instance. :)

On Mon, Feb 23, 2015 at 2:43 PM, Måns Nilsson mansa...@besserwisser.org wrote:

Subject: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment Date: Mon, Feb 23, 2015 at 10:02:44AM -0500 Quoting Eric Germann (ekgerm...@cctec.com):

Currently engaged on a project where they’re building out a VPC infrastructure for hosted applications.

snip

Thoughts and thanks in advance.

using the wasted /10 for this is pretty much equal to using RFC1918 space. IPv6 was invented to do this right.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
It's NO USE ... I've gone to CLUB MED!!
Seeking VPS providers for low volume network probe
Greetings,

I'm looking for recommendations on a reliable VPS Provider(s) who can provide

1. Centos 6
2. IPv4 and IPv6 (preferably)

physically in the regions of African Continent, Eastern Europe/Russia, Middle East, South America and Canada.

I've already deployed some globally with Vultr and Amazon (Brazil region).

Basically doing a low volume test point probe (512MB-1GB RAM, 20GB disk) for latency measurements. Would prefer to have a secure (logically and financially) and reliable host.

Thanks in advance,

EKG
Looking for recommendation on 10G Ethernet switch
Colleagues,

I'm looking for a recommendation on a smallish 10G Ethernet switch for a small virtualization/SAN implementation (4-5 hosts, 2 SAN boxes) over iSCSI with some legacy boxes on GigE.

Preferably
- 8-16 10G ports
- several GigE ports for legacy GigE hosts or cross connect to a legacy GigE switch
- preferably not a large chassis based solution with blades

The hosts aren't going to be driving full line rate, nor the SAN boxes providing full line rate, but their offered loads will definitely exceed 1Gbps. Assessing whether it is better to go 10G now vs. multi-pathing with quad GigE cards.

Trying to find the best solution for 1G on a trunk and $50K per box.

Any recommendations appreciated.

Thanks

EKG
Question about Martians on Vyatta
All,

I'm trying to understand why a Vyatta 6.4 collection of routers is carping about the following as martian routes:

113.107.174.14
27.73.1.159
94.248.215.60
95.26.105.161

They don't look like they fall in the traditional martian space. I also wondered if they were addresses without a reverse route, but they have reverse paths in our routing tables (full routes from AS 10796 and 11530).

Any thoughts?

EKG
RE: Question about Martians on Vyatta
Well, I did when I checked them shortly after I saw the log messages. Wondering now if the routes for those bounced and in the middle of the bounce, they're considered martian.

Thanks!

EKG

-----Original Message-----
From: William Pitcock [mailto:neno...@systeminplace.net]
Sent: Thursday, June 28, 2012 11:45 AM
To: Eric Germann
Cc: nanog@nanog.org
Subject: Re: Question about Martians on Vyatta

On Jun 28, 2012, at 10:42 AM, Eric Germann egerm...@limanews.com wrote:

> All,
>
> I'm trying to understand why a Vyatta 6.4 collection of routers is carping about the following as martian routes:
>
> 113.107.174.14
> 27.73.1.159
> 94.248.215.60
> 95.26.105.161
>
> They don't look like they fall in the traditional martian space. I also wondered if they were addresses without a reverse route, but they have reverse paths in our routing tables (full routes from AS 10796 and 11530).
>
> Any thoughts?
>
> EKG

Do you have routing-table entries which cover those IPs? Try ip route show ip as root.

Linux NET/4 stack considers (as far as IPv4/IPv6 go) anything that is not in the routing table or an immediate neighbour as martian.

William
RE: GRX looking glass
While we're talking Looking Glasses, any pointers to best practices or pointers for securing a public looking glass, besides the obvious such as don't accept announcements originated from the LG.

In a greenfield environment, is Zebra the choice?

EKG

-----Original Message-----
From: Jared Geiger [mailto:ja...@compuwizz.net]
Sent: Wednesday, March 14, 2012 5:58 PM
To: nanog@nanog.org
Subject: Re: GRX looking glass

Telia - http://looking-glass.telia.net/
Telecom Italia - http://gambadilegno.noc.seabone.net/lg/

The GRX option is at the very bottom of both.

On Tue, Mar 13, 2012 at 11:50 PM, Gus Crichton gus.crich...@digicelgroup.com wrote:

> Hello,
>
> Any public looking glasses for GRX?
>
> Thanks.
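Beyond not accepting announcements from the looking-glass router, the part of a public looking glass that actually gets attacked is the web front end that turns user input into a router command. The following is an added example, not from the thread or from any looking-glass package: it maps a small set of query types to fixed command templates, validates the user-supplied argument as a prefix or address with `ipaddress` before it touches the command, and builds an argv list (no shell) for `subprocess`. The `vtysh` invocation and the Zebra/Quagga show-command strings are assumptions about the backend; any backend that takes a single validated argument can be substituted.

```python
"""Input validation for a public looking glass front end.

Added example for the thread above. Assumes a Quagga/Zebra backend reached
via vtysh -c; only the validated, canonicalised argument is ever interpolated.
"""
import ipaddress
import subprocess
from ipaddress import IPv4Address, IPv6Address, IPv4Network, IPv6Network

# Query type -> (argument kind, command template). Templates are fixed strings;
# the only variable part is the validated argument.
ALLOWED_QUERIES = {
    "bgp": ("prefix", "show ip bgp {arg}"),
    "bgp6": ("prefix6", "show bgp ipv6 unicast {arg}"),
    "ping": ("address", None),        # handled by its own argv builder
    "traceroute": ("address", None),
}

# Hard caps so a caller cannot ask the router to do unbounded work.
PING_COUNT = 5
TRACEROUTE_MAX_HOPS = 30
MAX_ARG_LEN = 64


def validate_argument(kind: str, raw: str) -> str:
    """Return the canonical form of `raw` for `kind`, or raise ValueError.

    Canonicalising (e.g. 8.8.8.1/24 -> 8.8.8.0/24) means the string that
    reaches the router is one the parser produced, not the user's bytes.
    """
    if not raw or len(raw) > MAX_ARG_LEN or any(c.isspace() for c in raw):
        raise ValueError("argument missing, too long, or contains whitespace")
    if kind == "prefix":
        net = ipaddress.ip_network(raw, strict=False)
        if not isinstance(net, IPv4Network):
            raise ValueError("IPv4 prefix required")
        return str(net)
    if kind == "prefix6":
        net = ipaddress.ip_network(raw, strict=False)
        if not isinstance(net, IPv6Network):
            raise ValueError("IPv6 prefix required")
        return str(net)
    if kind == "address":
        addr = ipaddress.ip_address(raw)   # no hostnames: no DNS from the LG
        if isinstance(addr, (IPv4Address, IPv6Address)) and not addr.is_global:
            raise ValueError("only globally routable addresses may be probed")
        return str(addr)
    raise ValueError(f"unknown argument kind {kind!r}")


def build_argv(query: str, raw_arg: str) -> list[str]:
    """Translate a user query into an argv list safe to pass to subprocess."""
    if query not in ALLOWED_QUERIES:
        raise ValueError(f"unknown query {query!r}")
    kind, template = ALLOWED_QUERIES[query]
    arg = validate_argument(kind, raw_arg)
    if query == "ping":
        return ["ping", "-n", "-c", str(PING_COUNT), "-w", "10", "--", arg]
    if query == "traceroute":
        return ["traceroute", "-n", "-m", str(TRACEROUTE_MAX_HOPS), "--", arg]
    return ["vtysh", "-c", template.format(arg=arg)]


def run_query(query: str, raw_arg: str, timeout: int = 30) -> str:
    """Execute the validated query without a shell and with a timeout."""
    argv = build_argv(query, raw_arg)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    print(build_argv("bgp", "8.8.8.1/24"))
    print(build_argv("ping", "2001:db8::1") if False else build_argv("traceroute", "8.8.8.8"))
    for bad in ("8.8.8.0/24; reboot", "10.0.0.1", "example.com"):
        try:
            build_argv("ping" if "." in bad and "/" not in bad else "bgp", bad)
        except ValueError as e:
            print("rejected:", bad, "->", e)
```

The two properties worth keeping whatever backend you use: the command templates are constants chosen by the server, and the argument is re-emitted from a parsed object rather than echoed from the request, so `"8.8.8.0/24; reboot"` and friends never reach `vtysh`. Rate limiting per client and a short `timeout` belong in front of `run_query`.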
RE: IP Transit with netflow report?
+1

Use it, love it. Opened eyes on how much social media traffic (amongst other things) goes on on a daily basis.

EKG

-----Original Message-----
From: George Bonser [mailto:gbon...@seven.com]
Sent: Monday, February 13, 2012 5:31 AM
To: ali baba; nanog@nanog.org
Subject: RE: IP Transit with netflow report?

nfdump + NfSen

Do it yourself.

-----Original Message-----
From: ali baba [mailto:alibaba123...@gmail.com]
Sent: Sunday, February 12, 2012 10:49 PM
To: nanog@nanog.org
Subject: Re: IP Transit with netflow report?

Hi Everyone,

Hope someone can help me out.. I have some IP Transit links with one of the Tier1s and I need to know the source/destination of traffic passing through.. My provider gives me a straight NO, we can't provide this and I am wondering if anyone knows of any providers who gives out netflow report?

Cheers,
AB
TwTelecom engineer offlist
Anyone with twtelecom who can contact me off list about a possible congestion issue at one of your handoffs? Thanks EKG
RE: Need photographs of IT/Telecom gear/rooms
There are some fairly interesting photos of the Verizon CO that took a hit on 9/11 at http://www.slideshare.net/datacenters/verizon-contingency-planning-for-coop

I recall far back in my memory some posts on this from a decade ago that pointed to some websites that had more photos. Was kind of surreal to see switch gear and open air in the same photo.

EKG

-----Original Message-----
From: Drew Linsalata [mailto:drew.linsal...@gmail.com]
Sent: Thursday, October 27, 2011 5:41 PM
To: Mike
Cc: nanog@nanog.org
Subject: Re: Need photographs of IT/Telecom gear/rooms

I did this at career day last spring for my daughter's fifth grade class. They were a bit young to get too deep into the nitty gritty, but they completely ate up the presentation and it was really gratifying to get notes and emails (all voluntarily sent) from some of the kids talking about how much they learned. All the kids love the Internet and using computers and other related gadgets, so I was a total hit. I'm sure you will be too. Enjoy the experience.

On Thu, Oct 27, 2011 at 3:30 PM, Mike mike-na...@tiedyenetworks.com wrote:

> Greetings,
>
> I have been given the opportunity to teach the mechanics of the Internet to a group of 6 - 12'th grade students, .
BGP visibility for /24 End User Allocation
Long time on-again-off-again lurker.

Looking to multihome in the most efficient mode. Our two upstreams are AS11530 (Embarq) and AS10796 (Time Warner). Diverse routed fiber from each at 10Mbps. Our traffic profile is highly asymmetric as a consumer of bandwidth (12-15Mbps average inbound aggregate, 2-3Mbps aggregate very bursty outbound).

Years ago when I tinkered with BGP there were substantial issues with getting any prefix too small through filters to see the greater Internet (IIRC it was a /19 at that time). Given we really could justify a /24 realistically, what is the current status of filtering in terms of having that /24 get to the vast majority of the Internet given the two providers in question?

Thanks for any advice in advance.

EKG