Re: BGP in a containers

2018-06-18 Thread Jeff Walter
Years back I ran ExaBGP inside a Docker container (when it wasn't
"production ready") to anycast a contained service both within a datacenter
and across them. To make routing work correctly I had to also run another
BGP daemon on the Docker host machine; I can't remember if I used bird for
this, but it seems like what I'd use since I didn't need programmatic
control of prefixes.

Would I do it that way today? Not a chance. How would I do it? That would
really depend on two things: what I'm trying to accomplish with BGP and
what the service is. If you just want portability of a service (not
redundancy/balancing via anycast) is BGP really the best option? I'd make a
strong case for OSPF due to it needing far less config. The same need for a
routing instance on the Docker host would apply, but you wouldn't need to
manage configuration for neighbors as containers come up and go down (since
the IP will likely change). Sure, you could just add neighbor config for
every IP Docker might use, however-- ouch.

Jeff Walter

On Mon, Jun 18, 2018 at 8:45 AM, Hugo Slabbert  wrote:

>
> On Sat 2018-Jun-16 00:51:15 -0500, Jimmy Hess  wrote:
>
>
>> Running the BGP application in a container on a shared storage system
>> managed by a host cluster would also make it easier to start the service
>> up on a different host when the first host fails or requires maintenance.
>>
>> On the other hand, running directly on a host suggests that individual
>> hosts need to be backed up again, and some sort of manual restore of
>> local files from the lost host will be required to copy the
>> non-containerized application to a new host.
>>
>
> Even if the BGP speaker is running right on the host, the shared storage
> or backups thing doesn't click for me.  What about your BGP speaker will
> need persistent storage?  At least in our environment, everything unique
> about the BGP speaker is config injected at startup or can be derived at
> startup.  This might be based on differences in how we're using them (BGP
> daemon per container host in our case, rather than "I need X number of BGP
> speakers; schedule them somewhere"), I guess.
>
>
> --
> Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
> pgp key: B178313E   | also on Signal
>


Re: What services do you control at your org?

2017-04-27 Thread Jeff Walter
- I am in operations group which handles networking and systems
- Weebly
- Websites and commerce
- We rule it all: RADIUS, LDAP, DHCP (datacenter only), and DNS

--
Jeff Walter
Senior Operations Engineer
Weebly, Inc

On Thu, Apr 27, 2017 at 5:56 PM, Matt Freitag <mlfre...@mtu.edu> wrote:

> All,
>
> I'm doing an informal survey:
>
>- Are you in the networking group? (presumably yes)
>- What org do you work for? (optional)
>- What industry is your org in? (ex. Higher Ed)
>- Does the networking group control your NAC/RADIUS server used for
>network authentication, DHCP, and/or DNS servers?
>   - "Control" means the networking group does all the configuration,
>   administration, and maintenance of said systems.
>
> My answers:
>
>- I am in the networking group
>- I'm at Michigan Technological University
>- We're in Higher Education
>- Currently I control the NAC/RADIUS server, but not do DHCP and do
>minimal stuff with DNS. Mostly adding/removing other domains from our
>master BIND servers.
>
> Thank you for your time!!
>
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696
> https://www.mtu.edu/
> https://www.mtu.edu/it
>


Re: weebly.com contact

2017-04-18 Thread Jeff Walter
Yes. Give me a moment.

On Tue, Apr 18, 2017 at 2:26 PM, rwebb  wrote:

> ​Anyone from weebly.com on here that can contact me off list about a
> possibly phishing site being hosted with you?
> Thanks,Robert Webb
>


Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Jeff Walter
As funny as that would be, it would never happen. Cogent thinks they're the
biggest. HE is the biggest (last I checked). HE wants to peer. Cogent wants
HE to pay for transit. Cake reference. Still partitioned.

How do you get them connected? I hate to say it, but it would take a major
shift within Cogent. In the meantime your best option to see the whole IPv6
internet is to pay Cogent and to get free v6 transit with HE over an
exchange or tunnel.

On Thu, Dec 3, 2015 at 12:51 PM, William Herrin  wrote:

> On Thu, Dec 3, 2015 at 1:40 PM, Jared Geiger  wrote:
> > Wouldn't this be a Net Neutrality issue now or would it fall on HE for not
> > being willing to buy transit to Cogent IPv6?
>
> Wouldn't it fall on Cogent for being unwilling to buy transit from HE?
> HE is the IPv6 leader in the game.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: 
>


Re: IPv6 Cogent vs Hurricane Electric

2015-12-01 Thread Jeff Walter
That cake will haunt NANOG until the end of time.

On Tue, Dec 1, 2015 at 12:01 PM, Alarig Le Lay  wrote:

> On Tue Dec  1 14:39:14 2015, Andrew Kirch wrote:
> > Might I suggest cake pleas?
>
> You mean
>
> http://www.datacenterknowledge.com/wp-content/uploads/2009/10/Hurricane-Cake.jpg
> ?
>
> --
> Alarig
>


Re: Debian RWHOIS

2015-07-08 Thread Jeff Walter
Few years back I wrote an RWHOIS daemon for HE and because of that got put
in touch with Mark Kosters, one of the RWHOIS RFC authors. Without mincing
words he basically told me RWHOIS was dead. Honestly, unless you have a
specific reason to use RWHOIS (privatizing records as allowed by ARIN
policy) your best bet is to programmatically update the info on ARIN using
their API. I wouldn't even bother emailing SWIP updates if you want to go the
route of automatic updates since I would guess that system will be retired
in favor of the RESTful API.

Jeff Walter

On Wed, Jul 8, 2015 at 1:03 PM, Shawn L sha...@up.net wrote:


 We ran it for a while, then gave up and just updated the info on Arin.


 -Original Message-
 From: Josh Luthman j...@imaginenetworksllc.com
 Sent: Wednesday, July 8, 2015 3:56pm
 To: Dan White dwh...@olp.net
 Cc: Josh Moore jmo...@atcnetworks.net, nanog@nanog.org 
 nanog@nanog.org
 Subject: Re: Debian RWHOIS



 I think this is what you're asking for:

 http://projects.arin.net/rwhois

 Should be a ./configure && make && make install #per this
 http://projects.arin.net/rwhois/docs/installation.html


 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373

 On Wed, Jul 8, 2015 at 3:52 PM, Dan White dwh...@olp.net wrote:

  On 07/08/15 19:38 +, Josh Moore wrote:
 
  Hello guys,
 
 
  What do you use for ARIN resource assignments? I am looking to setup a
  Debian-based RWHOIS server but don't see much information on it.
 
 
  As of a couple of years ago when I looked around, there were no recent
  packaged versions of rwhoisd for Debian. We run a compiled version.
 
  --
  Dan White
 



Re: Setting Up a Looking Glass

2015-06-15 Thread Jeff Walter
Having written two looking glasses from scratch (lg.he.net and an internal
one for Weebly) I can tell you it's actually pretty simple. If you're
interested in writing your own I'm happy to pass along pointers to help you.

Jeff

On Mon, Jun 15, 2015 at 7:27 AM, Hicks, Byron byron.hi...@tx-learn.net
wrote:

 True.

 However, this is not a Microsoft Windows app, so the installer isn’t in
 play here.  The file is a .tar.gz file that contains the perl scripts
 necessary to set up the looking glass/router proxy, so it should be
 reasonably safe.  Hopefully, the University of Indiana will move the source
 to a safer delivery system in the future.


  On Jun 14, 2015, at 3:43 AM, Mark Foster blak...@blakjak.net wrote:
 
  If only it wasn't on sourceforge?
 
  http://ow.ly/OhNcR
 
  (or the original link,
 
 http://www.howtogeek.com/218764/warning-don't-download-software-from-sourceforge-if-you-can-help-it/
 )
 

 —
 Byron Hicks
 Lonestar Education and Research Network
 972-746-2549
 aim/skype: byronhicks
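Jeff's remark that a looking glass is simple holds only if the input handling is strict: the usual looking-glass bug is user input reaching a shell. The following Python is an added example, not the lg.he.net or Weebly code he mentions. The router list, the command set, the "lg" ssh user and the birdc/ping/traceroute argv layouts are assumptions for a hypothetical Linux router running bird; what it demonstrates is parsing the target into a typed value (the ipaddress module) or a hostname matching a strict pattern, then passing it as one quoted argument so no shell string is ever built from raw input.

```python
"""Looking-glass command builder with strict input validation.

Added example, not the lg.he.net or Weebly looking glass from the thread.
ROUTERS, COMMANDS, the 'lg' ssh user and the birdc/ping/traceroute argv
layouts are assumptions for a hypothetical Linux router running bird.
"""
import ipaddress
import re
import shlex
import subprocess

# Routers the looking glass may talk to, keyed by the short name shown in the
# UI, so a user never supplies a hostname to connect to (constructed list).
ROUTERS = {"core1": "core1.example.net", "core2": "core2.example.net"}

# Allowed query types, each an argv template. The validated target replaces
# the "{target}" element; nothing else from the request reaches the command.
COMMANDS = {
    "bgp": ["birdc", "show", "route", "for", "{target}", "all"],
    "ping": ["ping", "-c", "4", "-n", "{target}"],
    "traceroute": ["traceroute", "-n", "-m", "20", "{target}"],
}

# RFC 1123-style hostname: dotted labels of letters, digits and hyphens only.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


class InvalidQuery(ValueError):
    """Raised for anything that is not a well-formed router, query type or target."""


def validate_target(query_type: str, raw: str) -> str:
    """Parse user input into a canonical address, prefix or hostname, or reject it."""
    raw = raw.strip()
    if query_type == "bgp":
        # Route lookups take an address or a prefix; strict=False masks host bits.
        try:
            return str(ipaddress.ip_network(raw, strict=False))
        except ValueError:
            raise InvalidQuery(f"not an IP address or prefix: {raw!r}") from None
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        pass
    if HOSTNAME_RE.match(raw):
        return raw.lower()
    raise InvalidQuery(f"not an IP address or hostname: {raw!r}")


def build_command(router: str, query_type: str, raw_target: str) -> list:
    """Return the full argv: ssh to the chosen router running one allow-listed command."""
    if router not in ROUTERS:
        raise InvalidQuery(f"unknown router {router!r}")
    if query_type not in COMMANDS:
        raise InvalidQuery(f"unknown query type {query_type!r}")
    target = validate_target(query_type, raw_target)
    remote_argv = [target if part == "{target}" else part for part in COMMANDS[query_type]]
    # ssh hands the remote side a single string, so quote every element even
    # though validation already excluded shell metacharacters (defence in depth).
    remote = " ".join(shlex.quote(part) for part in remote_argv)
    return ["ssh", "-o", "BatchMode=yes", "--", "lg@" + ROUTERS[router], remote]


def run_query(router: str, query_type: str, raw_target: str, timeout: int = 30) -> str:
    """Execute the query locally without a shell; output is returned as text."""
    argv = build_command(router, query_type, raw_target)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
    return done.stdout


if __name__ == "__main__":
    print(build_command("core1", "bgp", "192.0.2.1"))
    try:
        build_command("core1", "ping", "8.8.8.8; cat /etc/passwd")
    except InvalidQuery as exc:
        print("rejected:", exc)
```

The two properties worth keeping when adapting this to real routers: the user chooses from a fixed set of router names and query types (never a hostname or a command), and the target is re-serialised from a parsed object rather than echoed back, so whatever reaches the router is something ipaddress or the hostname pattern produced.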







Re: RFC 7511 - Scenic Routing for IPv6

2015-04-01 Thread Jeff Walter
I only buy free-ranged packets and you should too.

On Wed, Apr 1, 2015 at 3:28 PM, valdis.kletni...@vt.edu wrote:

 On Wed, 01 Apr 2015 17:18:42 -0400, Sadiq Saif said:
  Informational of course. :)
  https://tools.ietf.org/html/rfc7511

 It already has an errata filed. Follow the link. :)



Re: Level3 rwhois broken

2014-11-20 Thread Jeff Walter
It's nice to see someone is using RWHOIS. Back when I wrote the RWHOIS
daemon for HE I spoke with Mark Kosters (one of the authors of RFC 2167). I
wish I still had the emails because at the time he was shocked anyone would
create software for something that no one really uses. I seem to recall him
calling it a waste of time ;-)

That said... I'm seeing Level 3's RWHOIS down as well. And to be honest,
they're probably not monitoring it.

On Tue, Nov 18, 2014 at 11:53 PM, Suresh Ramasubramanian 
ops.li...@gmail.com wrote:

 Anybody?   Makes it a pain to perform surgical spam blocking when this
 happens :)

 suresh@samwise 01:52:24 ~ $ telnet rwhois.level3.net 4321
 Trying 209.244.1.179...

 ^C


 --
 Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Issues with SNMP monitoring over a GRE tunnel.

2014-11-05 Thread Jeff Walter
I think the simple solution here is to query for fewer OIDs to get the
packet size (in both directions) down below the MTU. It'll take more
requests and thus longer, but if that's what solves the problem... well,
that's what solves the problem.

On Wed, Nov 5, 2014 at 7:59 AM, Brian Christopher Raaen 
mailing-li...@brianraaen.com wrote:

 I have two different customers where I am unable to monitor their networks
 due to GRE MTU issues.  This is monitoring cable modems so I can't change
 the MTU of the end device.  The problem I am having is that the modems are
 producing frames that appear to be larger than some kind of MTU limit in
 the system (we do not control the customer routers in either case).  One
 that I am looking at is dropping anything larger than 1472, and I have let
 to tune down on the other one.  In one case the customer endpoint is a
 Cisco ASR1K router and the other is a ASR9K.  because these are UDP packets
 I can't use a mss to clamp things down.  Also I have been unable to
 replicate the issue in my lab, so I can't send them a list of commands to
 help fix the issue on their end.

 --
 Brian Christopher Raaen
 Network Architect
 Zcorum
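A way to act on Jeff's suggestion without guessing at batch sizes: encode the GET request yourself and split the OID list so that neither the request nor the expected reply exceeds the path MTU Brian is seeing. The Python below is an added example, not from the thread; it implements the BER encoding of an SNMPv2c GetRequest and a greedy batching function. The community string, the OID list, the 1472-byte MTU and the per-OID reply size hint are constructed inputs, and the reply estimate is an assumption (each NULL placeholder replaced by roughly reply_value_hint bytes), so size the hint from a packet capture of the MIB you actually poll.

```python
"""Size SNMPv2c GET requests so request and reply both stay under a path MTU.

Added example, not from the thread. It BER-encodes a GetRequest as the wire
format specifies, then splits an OID list into batches that fit a given path
MTU. The community, OIDs, MTU and reply_value_hint are constructed inputs.
"""

IP_HEADER, UDP_HEADER = 20, 8   # IPv4 + UDP overhead on top of the SNMP payload


def ber_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form 0x8N + N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value: int) -> bytes:
    """INTEGER in two's complement; the +8 leaves room for the sign bit on round values."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmp_get_request(community: str, oids, request_id: int = 1) -> bytes:
    """SNMPv2c GetRequest: SEQUENCE { version(1), community, [0] GetRequest-PDU }."""
    # In a request every variable binding carries a NULL value (05 00).
    varbinds = b"".join(tlv(0x30, ber_oid(o) + b"\x05\x00") for o in oids)
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_integer(1) + tlv(0x04, community.encode()) + pdu)


def plan_batches(oids, community: str, path_mtu: int, reply_value_hint: int = 64):
    """Greedily pack OIDs into GET requests. A batch closes when either the request
    or the estimated reply (each NULL replaced by about reply_value_hint bytes of
    value) would exceed the MTU once IP and UDP headers are added. A single OID
    that cannot fit on its own is still emitted alone; it cannot be split further."""
    budget = path_mtu - IP_HEADER - UDP_HEADER
    batches, current = [], []
    for oid in oids:
        trial = current + [oid]
        request_len = len(snmp_get_request(community, trial))
        reply_estimate = request_len + reply_value_hint * len(trial)   # assumption, see lead-in
        if current and (request_len > budget or reply_estimate > budget):
            batches.append(current)
            current = [oid]
        else:
            current = trial
    if current:
        batches.append(current)
    return batches


if __name__ == "__main__":
    # Constructed poll: ifInOctets (1.3.6.1.2.1.2.2.1.10) for 200 interfaces over a
    # GRE path that drops anything above 1472 bytes, Counter32 values (~8 bytes each).
    oids = ["1.3.6.1.2.1.2.2.1.10.%d" % i for i in range(1, 201)]
    batches = plan_batches(oids, "public", 1472, reply_value_hint=8)
    print("%d OIDs -> %d requests, largest %d OIDs" % (len(oids), len(batches), max(map(len, batches))))
```

The same encoder is a convenient check against a capture: feed the OIDs from a failing poll into snmp_get_request and compare len() plus 28 bytes of headers with the largest frame that gets through, which tells you whether the request or the reply is the one being dropped.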



Re: Recommendations for a decent DWDM optical power meter.

2014-07-30 Thread Jeff Walter
We also have a Solid Optics CWDM meter and it does the job quite nicely. It
feels solid (haha...) and is relatively cheap.

--
Jeff Walter


On Mon, Jul 28, 2014 at 4:34 PM, Neil Davidson n...@knd.org wrote:

 We have the Solid Optics DWDM and CWDM power meters. Simple, inexpensive
 and works well ...
 http://www.solid-optics.com/category/cwdm-dwdm/power-meter ... n



 --

 K. Neil Davidson
 +1-720-258-6345


 On Mon, Jul 28, 2014 at 2:45 PM, Tom Hill t...@ninjabadger.net wrote:

  On 28/07/14 19:33, Timothy Kaufman wrote:
 
  Also maybe the ODPM-48.
 
 
  I've got the CWDM version of this, and it does the job. Haven't explored
  the test result downloading/archiving features (didn't expect them to
 work
  with Linux anyway) but overall it was very helpful for measuring loss
  across various passive muxes (where DDM wasn't available).
 
  Tom
 



Re: Friday Hosing

2013-07-17 Thread Jeff Walter
On 7/17/13 1:59 PM, Alex Harrowell wrote:
 On 15/07/13 01:09, Tony Patti wrote:
 TWELVE years ago (press release March 20 2001), Comcast deployed
 Linux-based
 Sun Cobalt Qube appliances as CPE with their business-class Internet
 service,
 these provided firewall security, web caching, optional content
 filtering,
 an e-mail server, a web server, file and print servers.

 This is a good idea
At the time it may have been the best option, but that doesn't make it
a good idea. I can't even begin to comprehend the number of support
calls generated by providing CPE with those functions.

--
Jeff Walter



Re: Performance Issues - PTR Records

2011-11-02 Thread Jeff Walter

On 11/2/2011 2:57 PM, Matt Chung wrote:

snip!
Although we will be assigning a record for each address, my question is why
is the application (specifically HTTP) dependent on a reverse record ?
What is the purpose?


HTTP has no requirement that the connecting client have reverse DNS 
setup.  Some servers have reverse lookups enabled, and some of those 
undoubtedly block until the record has been retrieved or all avenues of 
discovery have been exhausted... and this is likely where the issue 
exists.  As to why the server or the script/application its running 
needs the record, you'd have to ask the developer.


--
Jeff Walter
Network Engineer
Hurricane Electric, AS6939

Re: DDoS - CoD? - Activision contact

2011-09-07 Thread Jeff Walter

On 9/6/2011 6:02 AM, BH wrote:
Looking around, I believe the issue is that the IP has ended up on a 
master game list, so we are now getting the queries directed at US.


Having written multiple versions of a Quake III master server (again, 
much self-hate) I pulled one of my old master query scripts out of 
mothballs and checked.  You are not listed on the CoD4 master server 
(assuming you did not alter the UDP frames you originally posted).  If 
you were you would be seeing getInfo and getStatus queries, but 
you're not.  You're seeing the getInfoResponse and getStatusResponse 
packets from a server which is listed on the master server.  This is an 
attack, nothing sinister is happening.


Your best bet is to filter all UDP traffic except for what you need (DNS 
comes to mind).  You might also want to get in contact with 
killku...@hotmail.com and encourage them to install the previously 
mentioned patched server executable to prevent their server from being 
used as an attack amplifier.


--
Jeff Walter
Network Engineer
Hurricane Electric

Re: DDoS - CoD?

2011-09-06 Thread Jeff Walter
Call of Duty is apparently using the same flawed protocol as Quake III 
servers, so you can think of it as an amplification attack.  (I wish I'd 
forgotten all about this stuff)


You send \xff\xff\xff\xffgetstatus\n in a UDP packet with a spoofed 
source, and the server responds with everything you see.  With decent 
amplification (15B - ~500B) and the number of CoD servers in world you 
could very easily build up a sizable attack.


--
Jeff Walter
Network Engineer
Hurricane Electric
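The two CoD messages above (the getInfoResponse/getStatusResponse traffic in the Activision thread and the spoofed getstatus probe in this one) describe a single mechanism: a four-byte 0xFF header plus a short command, answered with a much larger status dump. The Python below is an added example, not code from the thread or from any game server. It builds the probe, classifies out-of-band payloads as queries or responses, computes the amplification factor, and flags hosts that receive responses from servers they never queried, which is what the victim's edge sees. The response command strings (statusResponse/infoResponse), the addresses and the sample traffic log are constructed for the demonstration.

```python
"""Quake III-style out-of-band UDP: build the probe, classify payloads, spot reflection.

Added example, not code from the thread or any game server. The 0xFFFFFFFF
header and the getstatus/getinfo commands are the protocol the thread
describes; the response command strings, the addresses and the traffic log
below are constructed for this demonstration.
"""
from collections import defaultdict

OOB_HEADER = b"\xff\xff\xff\xff"                   # "connectionless" packet marker
QUERIES = {b"getstatus", b"getinfo"}               # tiny probes, sendable with a forged source
RESPONSES = {b"statusResponse", b"infoResponse"}   # large replies; names assumed (constructed)

# Constructed addresses for the sample log (RFC 5737 documentation ranges).
SERVER = "198.51.100.7"    # a listed game server acting as the reflector
VICTIM = "203.0.113.9"     # address forged as the source of the probes
BROWSER = "203.0.113.40"   # a host that genuinely queried the server

SAMPLE_CVARS = {"sv_hostname": "Public 24/7", "mapname": "mp_crash",
                "sv_maxclients": "64", "g_gametype": "war", "protocol": "6"}
SAMPLE_PLAYERS = [(3 * i, 40 + i, "player%02d" % i) for i in range(32)]


def build_getstatus(challenge: bytes = b"") -> bytes:
    """The probe described in the thread: header, 'getstatus', optional challenge, newline."""
    return OOB_HEADER + b"getstatus" + (b" " + challenge if challenge else b"") + b"\n"


def build_status_response(cvars: dict, players: list) -> bytes:
    """Constructed server reply: \\key\\value server variables, then one line per player."""
    info = b"".join(b"\\%s\\%s" % (k.encode(), v.encode()) for k, v in cvars.items())
    lines = b"".join(b'%d %d "%s"\n' % (score, ping, name.encode())
                     for score, ping, name in players)
    return OOB_HEADER + b"statusResponse\n" + info + b"\n" + lines


def parse_oob(payload: bytes):
    """Return ('query'|'response'|'other', command) for an out-of-band packet, else None."""
    if not payload.startswith(OOB_HEADER):
        return None
    body = payload[len(OOB_HEADER):]
    # The command runs up to the first whitespace or newline.
    end = next((i for i, ch in enumerate(body) if ch in b" \n\r\t"), len(body))
    command = body[:end]
    if command in QUERIES:
        return ("query", command.decode())
    if command in RESPONSES:
        return ("response", command.decode())
    return ("other", command.decode(errors="replace"))


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the reflector emits per byte the attacker spends."""
    return len(response) / len(query)


def find_reflection_victims(flows):
    """flows: (src, dst, payload) as seen at a network edge. A host that receives
    responses from a server it never queried is on the receiving end of reflection."""
    queried = defaultdict(set)                          # host -> servers it probed
    received = defaultdict(lambda: defaultdict(int))    # host -> server -> response bytes
    for src, dst, payload in flows:
        parsed = parse_oob(payload)
        if parsed is None:
            continue
        kind, _ = parsed
        if kind == "query":
            queried[src].add(dst)
        elif kind == "response":
            received[dst][src] += len(payload)
    victims = {}
    for host, servers in received.items():
        unsolicited = {s: n for s, n in servers.items() if s not in queried[host]}
        if unsolicited:
            victims[host] = unsolicited
    return victims


def sample_flows():
    """Traffic at the victim's edge: the forged probes left from elsewhere, so only
    the responses appear here, beside one legitimate query/response pair."""
    q = build_getstatus()
    r = build_status_response(SAMPLE_CVARS, SAMPLE_PLAYERS)
    return [
        (BROWSER, SERVER, q), (SERVER, BROWSER, r),
        (SERVER, VICTIM, r), (SERVER, VICTIM, r), (SERVER, VICTIM, r),
        (BROWSER, VICTIM, b"\x00\x01not a game packet"),
    ]


if __name__ == "__main__":
    q, r = build_getstatus(), build_status_response(SAMPLE_CVARS, SAMPLE_PLAYERS)
    print("amplification %.1fx (%d -> %d bytes)" % (amplification_factor(q, r), len(q), len(r)))
    print("reflection victims:", find_reflection_victims(sample_flows()))
```

The blanket UDP filter Jeff recommends is the blunt response; find_reflection_victims is the narrower check for an operator who wants to confirm reflection before adding it, and parse_oob run over a server's inbound traffic shows whether that server is the reflector (a flood of getstatus queries with many distinct apparent sources) rather than the target.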

Re: World IPv6 Only Day.

2011-06-08 Thread Jeff Walter

On 6/8/2011 3:31 PM, fredrik danerklint wrote:

How about that one?

(Please reply to the mailing list only)

You wouldn't be posting to the list... :-)

Received: from [77.105.232.43] (port=53699 helo=fredan-pc.localnet)
by mail.fredan.se with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.71) (envelope-from fredan-na...@fredan.se)
id 1QURHg-0004ZJ-4d
for nanog@nanog.org; Thu, 09 Jun 2011 00:31:32 +0200



Re: v6 Avian Carriers?

2011-04-01 Thread Jeff Walter

On 4/1/2011 5:41 AM, Sachs, Marcus Hans (Marc) wrote:

I was wondering which April 1st this would happen on.   Now I know.  So if a v6 
carrier swallows a v4 datagram does that count as packet loss or tunneling?

http://datatracker.ietf.org/doc/rfc6214/


Depending on whether or not the packet arrived at its destination 
determines if it is loss or tunneling.  In the event it is tunneled, 
please be certain to filter the packet as de-encapsulation is a bit... 
messy.

Re: Pacific Northwest downtime?

2010-08-13 Thread Jeff Walter
We contacted GBLX and the issue was resolved shortly thereafter.  Last 
time this happened one of their internal routers hung and someone kicked 
it.  No idea if this was the same type of issue.


In this case, more than just traffic between us and Comcast was 
affected, at least according to a friend of mine who's on Comcast.


+ H U R R I C A N E - E L E C T R I C +
| Jeff Walter  http://www.he.net/ AS6939   Phone 510/580-4108 |
| Network Engineer   Colocation, Dedicated  Cell 510/771-7036 |
| je...@he.netServers, Direct ConnectionsFax 510/580-4152 |
+- I N T E R N E T - S E R V I C E S -+

On 8/12/2010 11:32 PM, John A. Kilpatrick wrote:


Yeah, I saw it too.  My traceroute was dying at an IP belonging to Global 
Crossing and the DNS looked like it was at 11 Great Oaks.  I called Comcast to 
report it, but they just kept saying I should reboot my modem.

On Aug 12, 2010, at 11:19 PM, Ashoat Tevosyan wrote:


Never mind, back up! Apparently there was a problem at Comcast.

Thanks,
Ashoat

On Thu, Aug 12, 2010 at 11:07 PM, Ashoat Tevosyan
ash...@cs.washington.edu wrote:


Hey guys,

Anybody else in the Pacific Northwest notice some sites down? I'm using
Comcast here at home, and I can't reach anything over at Hurricane Electric.
I can confirm that HE is reachable from the University of Washington.

Thanks,
Ashoat



--
 John A. Kilpatrick
j...@hypergeek.netEmail| http://www.hypergeek.net/
john-p...@hypergeek.net  Text pages|  ICQ: 19147504
   remember:  no obstacles/only challenges



Re: Pacific Northwest downtime?

2010-08-13 Thread Jeff Walter

On 8/12/2010 11:42 PM, Matthew Petach wrote:

There are definite reports that it affected connectivity to some
portions of Yahoo
for some comcast users in the Bay Area as well.

Matt
*offers a new roll of duct tape to Comcast for their routers*


Just got confirmation from GBLX... Router seized.  Perhaps some WD-40 is 
in order?


+ H U R R I C A N E - E L E C T R I C +
| Jeff Walter  http://www.he.net/ AS6939   Phone 510/580-4108 |
| Network Engineer   Colocation, Dedicated  Cell 510/771-7036 |
| je...@he.netServers, Direct ConnectionsFax 510/580-4152 |
+- I N T E R N E T - S E R V I C E S -+

Re: subnet aggregation script

2009-09-21 Thread Jeff Walter

Ric Moseley wrote:

Does anyone know of a tool/script that can aggregate subnets feed to it
via command line?  Meaning if I give it multiple /30s (or any size
subnet) it will scrunch them together. 


Here is a Perl script to do just that.  My normal one reads from STDIN.

#!/usr/bin/perl
# Aggregate the addresses and CIDR blocks given on the command line into the
# smallest equivalent set of prefixes. Net::CIDR::Lite handles IPv4 and IPv6;
# a bare address is treated as a host route.

use strict;
use warnings;
use Net::CIDR::Lite;

my $cidr = Net::CIDR::Lite->new();

foreach (@ARGV) {
    # Accept a dotted-quad or hex:colon address with an optional /prefix
    # length; anything else is silently skipped.
    if (/^[0-9a-f\.:]+(\/\d+)?$/i) {
        $cidr->add_any($_);
    }
}

print join("\n", $cidr->list()), "\n";