Re: FCC proposes higher speed goals (100/20 Mbps) for USF providers

2022-06-01 Thread John Schiel
Terrain has a lot to do with the service you can get. Twenty-five miles 
west of Denver is technically foothills, but it is a lot of mountainous 
terrain. No company wants to run any cable up there.


--John

On 5/24/22 09:48, Mitchell Tanenbaum via NANOG wrote:


I have two fixed wireless Internet connections here.  One is 25/5, the 
other is 35/5.  There is no cable, no fiber, no cellular, not even DSL 
from the phone company.  That is reality in metro Denver, CO 
(actually, the foothills, 25 miles from the state Capitol building).


Regarding Starlink, no, you can’t get it.  I paid my deposit a year 
and a half ago and I am still on the waiting list.  Every time that I 
get close to the date they promise, they change the promise. Maybe I 
will get Starlink service some time in the future, but, not any time soon.


Oh, yeah, and 25 meg down costs $75 a month.  If you want VoIP, that 
is another $20+.


So not only is it slow, it is expensive too.

So yes, there still is a problem, right here in America.  And not just 
in the boonies.


Mitch

*From:* NANOG *On Behalf Of* Matthew Huff

*Sent:* Tuesday, May 24, 2022 9:38 AM
*To:* Brian Turnbow; David Bass; Sean Donelan

*Cc:* nanog@nanog.org
*Subject:* RE: FCC proposes higher speed goals (100/20 Mbps) for USF 
providers


I grew up in rural Texas where my mother still lives. She has adequate 
speed internet; the biggest issue is reliability. The whole town 
(there is only 1 provider) has an outage for about an hour every week. 
Two weeks ago, there was no internet for 3 days. Cellular service is 
4G and not even that reliable for data, even on the best days.


*From:* NANOG *On Behalf Of* Brian Turnbow via NANOG

*Sent:* Tuesday, May 24, 2022 9:35 AM
*To:* David Bass; Sean Donelan
*Cc:* nanog@nanog.org
*Subject:* RE: FCC proposes higher speed goals (100/20 Mbps) for USF 
providers


Here in Italy there have been a lot of investments to get better 
broadband.


Such as government-sponsored bundles for areas with no return on 
investment, for schools, etc., with a lot of focus on reaching gigabit 
speeds.


The results have been mainly positive even though there are delays.

On the end user side, in 2020 one of the largest ISPs started offering 
2.5Gbps service.


Ads all over and users started asking for it, even though they don’t 
have a 2.5G NIC or router, so now all of the major providers are 
rolling it out.


Iliad one-upped them a couple of months ago pushing a 5Gbps service 
and now I get people asking me if we offer 5Gbps fiber lines... pure 
marketing.


I have a 1Gbps/100Mbps line and it is plenty for the family; 
rarely do we even get near the limits.


It’s kind of like when I ask for an Italian espresso in the States and 
get a cup full of coffee; no, I just want a very small Italian-style 
espresso.


The response is "Why? You are paying for it, take it all."

Bigger is better, even if you don’t need it, reigns supreme.

The real problem most users experience isn’t that they have a gig, or 
even 100Mb, of available download bandwidth; it’s that they are 
infrequently able to use that full bandwidth due to massive oversubscription.


The other issue is the minimal upload speed.  It’s fairly easy to 
consume the 10Mb that you’re typically getting as a residential 
customer.  Even “business class” broadband service has a pretty poor 
upload bandwidth limit.


We are a pretty high usage family, and 100/10 has been adequate, but 
there have been times when we are pegged at the 10 Mb upload limit, and 
we start to see issues.


I’d say 25/5 is a minimum for a single person.

Would 1 gig be nice…yeah as long as the upload speed is dramatically 
increased as part of that. We would rarely use it, but that would 
likely be sufficient for a long time.  I wouldn’t pay for the extra at 
this point though.


On Mon, May 23, 2022 at 8:20 PM Sean Donelan  wrote:


Remember, this rulemaking is for 1.1 million locations with the
"worst" return on investment. The end of the tail of the long tail.
Rural and tribal locations which aren't profitable to provide higher
speed broadband.

These locations have very low customer density, and are difficult to
serve.

After the Sandwich Isles Communications scandal, gold-plated proposals
will be viewed with skepticism.  While a proposal may have a lower
total cost of ownership over decades, the business case is the cheapest
for the first 10 years of subsidies.  [massive over-simplification]

Historically, these projects have lacked timely completion (abandoned,
incomplete), and had bad (overly optimistic?) budgeting.



Re: [EXTERNAL] Re: Flow collection and analysis

2022-01-25 Thread John Schiel

Samplicator is a nifty tool.

--John

On 1/25/22 16:50, Compton, Rich A wrote:


Elastiflow is pretty cool. https://www.elastiflow.com  or the old open 
source version: https://github.com/robcowart/elastiflow


You can pretty much do the same thing with Elastic’s filebeat 
(https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html). 



Pmacct (http://www.pmacct.net) is also good for grabbing netflow and 
sending it somewhere (file, database, Kafka, etc.). You can also grab 
BMP and streaming telemetry with it.


If you’re looking for open source DDoS detection using netflow, check 
out https://github.com/pavel-odintsov/fastnetmon


Shameless plug: check out my tool to look for spoofed UDP 
amplification request traffic coming into your network: 
https://github.com/racompton/tattle-tale


FYI, you can send netflow to multiple collectors with 
https://github.com/sleinen/samplicator


-Rich

*From:* NANOG on behalf of David Bass

*Date:* Tuesday, January 25, 2022 at 11:06 AM
*To:* Christopher Morrow
*Cc:* NANOG list
*Subject:* [EXTERNAL] Re: Flow collection and analysis



Most of these things, yes.

Add:

Troubleshooting/operational support

Customer reporting

On Tue, Jan 25, 2022 at 1:38 PM Christopher Morrow wrote:


On Tue, Jan 25, 2022 at 10:53 AM David Bass wrote:

Wondering what others in the small to medium sized networks
out there are using these days for netflow data collection,
and your opinion on the tool?

a question not asked, and answer not provided here, is:
  "What are you actually trying to do with the netflow?"

Answers of the form:
  "DoS detection and mitigation planning"
  "Discover peering options/opportunities"
  "billing customers"
  "traffic analysis for future network planning"
  "abuse monitoring/management/investigations"
  "pretty NOC graphs"

are helpful. I'm sure other answers would be as well, but "how do
you collect?" is "with a collector" and isn't super helpful if the
collector can't feed into the tooling / infrastructure / long-term
goal you have.



Re: Don Smith, RIP.

2020-07-24 Thread John Schiel

Very well said Roland.

He cared greatly about this community and was always willing to help 
others. I personally would not be where I am today without his effort 
and caring.


Thank you Don, I will miss you greatly.

--John

On 7/23/20 5:22 PM, Dobbins, Roland wrote:

It is with a heavy heart that I must relate the news that Don Smith, formerly 
of CenturyLink and more lately of Netscout Arbor, passed away in his sleep last 
night.

Don was a colleague, friend, and mentor to many; he was a mainstay of the 
operational community, and tirelessly worked to make the Internet safer and 
more resilient for us all.  His intellect, wit, and generosity of spirit were 
well-known to those who were privileged to have the opportunity to work with 
and learn from him.

Don’s contributions to the industry were manifold.  While we are all diminished 
by his loss, his legacy abides; and we can honor him by continuing to build 
upon that foundation, for the betterment of the Internet community as a whole.

Once Don’s family have established plans for his memorial, they will be posted 
here.

Roland Dobbins 







Re: Antennas in the data center

2019-07-18 Thread John Schiel



On 7/18/19 7:54 AM, Robert Webb wrote:

Thanks for the info on the standards portion.

The booster configuration has been set up in a test scenario where the 
external antenna has been placed outside with line of sight to the 
tower, less than a tenth of a mile away, with the feed cable run down 
a hallway indoors, the booster connected, and the indoor antenna 
connected (not in the data center though).


Tests with LTE equipment, i.e. cell phones, have brought the signal from 
barely a single bar of 1x to 4 bars of LTE with good speeds.


Manager has no issue with equipment purchased and has polled the other 
tenants in the same data center and they are also OK with it. He has 
just cited that there is some standard but has not been forthcoming 
with any documentation.


I figured if there was such a standard then someone here would 
probably have run across it at some time.



Is he denying on some industry "LTE" standard or some other data center 
or security standard?





I am getting the feeling this is just something he has heard or been 
told in the past and really doesn't know.




On Thu, Jul 18, 2019 at 9:35 AM Matt Harris wrote:


On Thu, Jul 18, 2019 at 8:30 AM Robert Webb <rwfireg...@gmail.com> wrote:

So I have a situation where I am trying to get LTE to an out
of band router and there is no signal available in the data
center. There was a booster setup purchased and I have a
manager telling me that standards, industry and not local,
prohibit the installation.

He has yet to produce any documented industry standard so I
thought I would reach out to see if anyone here has heard of this.

We fall under NIST controls and I haven't found anything there
and have also looked at TIA and not found anything.


I've never heard of any industry standard preventing such a thing.
There are a few questions this raises though. The first and most
obvious being, are you sure that a "booster setup" will actually
help? Have you done a site survey to figure out how to actually
accomplish what you need to accomplish? The other question is
whether perhaps the issue he has is with the specific "booster
setup" chosen. Perhaps there's something naughty about it, in
particular, that has caused him to not want it in his facility
(cheap Chinese radios are known, for example, for polluting the
spectrum outside of the frequencies that they are designed to
operate within.) Maybe he has other folks doing legit RF stuff in
there and doesn't want to risk that pollution?





Re: century link ipv6

2015-11-09 Thread John Schiel

I don't think it's your provider, check your hardware.

http://zszsit.blogspot.com.br/2012/10/ratelimit-callbacks-suppressed.html

(link provided by an associate)

--John

On 11/07/2015 02:33 AM, samaul carman wrote:

Hello, I am writing to y'all in regards to this; based on my understanding, that
does not happen on an IPv6 DSL network, however I may be wrong about that. I am
still learning about IPv6 in my college courses; however, I have been noticing
that these only occur on cable networks, based on my Google searches. However,
like I said, I may be wrong. I have CenturyLink service and I am using an
ASUS RT68P AC1900 router; the modem is in transparent bridging and I use
PPPoE for my connection protocol. Please excuse me if I made any errors on the
post to this list; you may contact me off list if you like.

Nov  6  kernel: net_ratelimit: 979 callbacks suppressed
Nov  6 19:50:55 kernel: net_ratelimit: 307 callbacks suppressed
Nov  6 19:51:01 kernel: net_ratelimit: 320 callbacks suppressed
Nov  6 19:56:29 kernel: net_ratelimit: 93 callbacks suppressed
Nov  6 19:56:34 kernel: net_ratelimit: 418 callbacks suppressed
Nov  6 19:56:39 kernel: net_ratelimit: 169 callbacks suppressed
Nov  6 19:56:44 kernel: net_ratelimit: 391 callbacks suppressed
Nov  6 19:56:49 kernel: net_ratelimit: 389 callbacks suppressed
Nov  6 19:56:58 kernel: net_ratelimit: 97 callbacks suppressed
Nov  6 19:57:03 kernel: net_ratelimit: 439 callbacks suppressed
Nov  6 19:57:17 kernel: net_ratelimit: 231 callbacks suppressed
Nov  6 19:57:48 kernel: net_ratelimit: 261 callbacks suppressed
Nov  6 20:02:19 kernel: net_ratelimit: 157 callbacks suppressed
Nov  6 20:02:24 kernel: net_ratelimit: 75 callbacks suppressed
Nov  6 20:02:29 kernel: net_ratelimit: 412 callbacks suppressed
Nov  6 20:02:34 kernel: net_ratelimit: 439 callbacks suppressed
Nov  6 20:02:39 kernel: net_ratelimit: 360 callbacks suppressed
Nov  6 20:02:51 kernel: net_ratelimit: 219 callbacks suppressed
Nov  6 20:02:56 kernel: net_ratelimit: 345 callbacks suppressed
Nov  6 20:03:06 kernel: net_ratelimit: 89 callbacks suppressed
Nov  6 20:03:11 kernel: net_ratelimit: 420 callbacks suppressed
Nov  6 20:04:33 kernel: net_ratelimit: 180 callbacks suppressed
Nov  6 20:04:46 kernel: net_ratelimit: 166 callbacks suppressed
Nov  6 20:04:57 kernel: net_ratelimit: 140 callbacks suppressed
Nov  6 20:05:02 kernel: net_ratelimit: 142 callbacks suppressed
Nov  6 20:05:19 kernel: net_ratelimit: 159 callbacks suppressed
Nov  6 20:05:49 kernel: net_ratelimit: 73 callbacks suppressed
Nov  6 20:05:58 kernel: net_ratelimit: 76 callbacks suppressed
Nov  6 20:06:13 kernel: net_ratelimit: 278 callbacks suppressed
Nov  6 20:06:18 kernel: net_ratelimit: 50 callbacks suppressed
Nov  6 20:06:32 kernel: net_ratelimit: 173 callbacks suppressed
Nov  6 20:07:01 kernel: net_ratelimit: 173 callbacks suppressed
Nov  6 20:08:14 kernel: net_ratelimit: 353 callbacks suppressed
Nov  6 20:08:19 kernel: net_ratelimit: 149 callbacks suppressed
Nov  6 20:08:29 kernel: net_ratelimit: 53 callbacks suppressed
Nov  6 20:08:35 kernel: net_ratelimit: 228 callbacks suppressed
Nov  6 20:09:32 kernel: net_ratelimit: 398 callbacks suppressed
Nov  6 20:10:20 kernel: net_ratelimit: 258 callbacks suppressed
Nov  6 20:10:31 kernel: net_ratelimit: 25 callbacks suppressed
Nov  6 20:16:45 kernel: net_ratelimit: 301 callbacks suppressed
Nov  6 20:16:50 kernel: net_ratelimit: 423 callbacks suppressed
Nov  6 20:16:57 kernel: net_ratelimit: 64 callbacks suppressed
Nov  6 20:17:02 kernel: net_ratelimit: 440 callbacks suppressed
Nov  6 20:17:09 kernel: net_ratelimit: 298 callbacks suppressed
Nov  6 20:17:14 kernel: net_ratelimit: 439 callbacks suppressed
Nov  6 20:17:19 kernel: net_ratelimit: 112 callbacks suppressed
Nov  6 20:17:24 kernel: net_ratelimit: 146 callbacks suppressed
Nov  6 20:17:29 kernel: net_ratelimit: 427 callbacks suppressed
Nov  6 20:17:34 kernel: net_ratelimit: 405 callbacks suppressed
Nov  6 20:17:46 kernel: net_ratelimit: 93 callbacks suppressed
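The net_ratelimit lines above only say how many kernel messages were dropped, not what they were; as an added illustration that is not part of the thread, the following Python parses lines in that format, sums the suppressed callbacks and groups them into bursts, so the noisy intervals can be lined up against driver or interface events when checking the hardware as John suggests. The sample lines are constructed in the quoted log's format, and the year (which syslog omits) is an assumed parameter.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog format quoted in the thread
# (one line with the time of day missing and one unrelated line, as real logs have).
SAMPLE_LOG = """\
Nov  6  kernel: net_ratelimit: 979 callbacks suppressed
Nov  6 19:50:55 kernel: net_ratelimit: 307 callbacks suppressed
Nov  6 19:51:01 kernel: net_ratelimit: 320 callbacks suppressed
Nov  6 19:56:29 kernel: net_ratelimit: 93 callbacks suppressed
Nov  6 19:56:34 kernel: net_ratelimit: 418 callbacks suppressed
Nov  6 19:56:39 kernel: net_ratelimit: 169 callbacks suppressed
Nov  6 19:56:44 sshd[1042]: Accepted publickey for ops from 192.0.2.10 port 51022
Nov  6 20:02:19 kernel: net_ratelimit: 157 callbacks suppressed
"""

# The time of day is optional: the first line of the quoted log lacks it.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?:(?P<time>\d{2}:\d{2}:\d{2})\s+)?"
    r"kernel: net_ratelimit: (?P<n>\d+) callbacks suppressed$"
)


def parse_line(line, year=2015):
    """Return (timestamp or None, suppressed count) for a net_ratelimit line,
    or None for any other syslog line. Syslog omits the year, so it is assumed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = None
    if m.group("time"):
        ts = datetime.strptime(
            f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
            "%Y %b %d %H:%M:%S",
        )
    return ts, int(m.group("n"))


def bursts(events, max_gap=timedelta(seconds=30)):
    """Group timestamped events into bursts: consecutive lines closer than
    max_gap belong to the same burst. Returns [(start, end, suppressed_sum)].
    Lines without a timestamp cannot be placed and are left out here."""
    out = []
    for ts, n in sorted(e for e in events if e[0] is not None):
        if out and ts - out[-1][1] <= max_gap:
            start, _, total = out[-1]
            out[-1] = (start, ts, total + n)
        else:
            out.append((ts, ts, n))
    return out


def summarize(log_text):
    """Totals over a log: every suppressed callback is a kernel message that
    was never written, so the sum is a lower bound on what the driver tried
    to report, and the bursts show when the device was noisiest."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    b = bursts(events)
    return {
        "lines": len(events),
        "suppressed": sum(n for _, n in events),
        "undated": sum(1 for ts, _ in events if ts is None),
        "bursts": b,
        "peak_burst": max((total for _, _, total in b), default=0),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['lines']} net_ratelimit lines, {s['suppressed']} messages suppressed")
    for start, end, total in s["bursts"]:
        print(f"  {start:%b %d %H:%M:%S} - {end:%H:%M:%S}: {total} suppressed")
```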





Re: Cisco Routers Vulnerability

2015-04-13 Thread John Schiel



On 04/13/2015 03:29 PM, Rashed Alwarrag wrote:

Hi,
Today we have a lot of customers reporting that their Cisco routers got root
access and the IOS got erased. Is there any known vulnerability in Cisco
products that they reported in their security alerts about this recently?
Is there anyone facing the same issue?


It would help if you could share the router type, IOS version, etc.

--John



Regards




Re: Cisco Routers Vulnerability

2015-04-13 Thread John Schiel



On 04/13/2015 03:49 PM, Rashed Alwarrag wrote:

I will try to get that information.


If you follow Chris's suggestion, you might get faster resolution.

http://tools.cisco.com/security/center/publicationListing.x

--John


Thanks

On Tuesday, April 14, 2015, John Schiel <jsch...@flowtools.net> wrote:




On 04/13/2015 03:29 PM, Rashed Alwarrag wrote:

Hi,
Today we have a lot of customers reporting that their Cisco
routers got root
access and the IOS got erased. Is there any known
vulnerability in Cisco
products that they reported in their security alerts about this
recently?
Is there anyone facing the same issue?


It would help if you could share the router type, IOS version, etc.

--John


Regards




--

*Rashed Alwarrag *






Re: OT - Verizon/ATT Cell/4G Signal Booster/Repeater

2014-12-16 Thread John Schiel


On 12/15/2014 07:45 PM, Ray Van Dolson wrote:

One thing you might also want to consider are any calls you make to 911 
whilst using a repeater.


I use a repeater supplied by T-Mobile and they made it very clear, and I 
had to specifically acknowledge a statement, that using such a repeater 
takes away from emergency services being able to find out where you are 
if you make a 911 call from your mobile.


Some may refer to this as a feature, depending on how much tin foil you 
have lying about, but the users of such devices may need to be warned 
about emergency calls.  They'll need to be able to describe where they 
are to the responding sirens.


--John


Hi all;

Looking to improve cell reception for mixed ATT/Verizon users on the
first floor of one of our buildings.

Starting to dig into this and coming across items like this one at
Amazon[1], but thought some of you out there might have recommendations
for something that has worked well for you and has been reliable.

Am in a position to run cable from the roof to the floor in question.

Thanks,
Ray

[1] 
http://www.amazon.com/Wilson-Electronics-Indoor-Cellular-Booster/dp/B00IWW9AB8/ref=lp_2407782011_1_1?s=wirelessie=UTF8qid=1418671553sr=1-1




Re: Carrier-grade DDoS Attack mitigation appliance

2014-12-08 Thread John Schiel


On 12/08/2014 11:53 AM, Tony McKay wrote:

Does anyone on list currently use Peakflow SP from Arbor with TMS, and is it 
truly a carrier grade DDoS detection and mitigation platform?  Anyone have any 
experience with Plixir?
Peakflow SP with the TMS works quite well. It can be very fast once a 
threat is discovered, depending on how you set up the mitigation. If you 
use auto-mitigate and anycast BGP announcements, you can get a base 
mitigation going within seconds.


Although it works quite well, it can be a bit pricey. I've seen but not 
yet played with DefensePro from Radware. I thought they also had 
a premise-based unit like Arbor's Pravail but I can't be sure on that.


--John




Tony McKay
Dir. Of Network Operations
Office:  870.336.3449
Mobile:  870.243.0058
-The boundary to your comfort zone fades a little each time you cross it.  
Raise your limits by pushing them.




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mohamed Kamal
Sent: Sunday, December 07, 2014 2:10 PM
To: nanog
Subject: Carrier-grade DDoS Attack mitigation appliance


Has anyone tried any DDoS attack mitigation appliance other than Arbor PeakFlow TMS? I 
need it to be carrier-grade in terms of capacity and redundancy, and as far as I know, 
Arbor is the only product in the market which offers a clean pipe volume of 
traffic, so if the DDoS attack volume is, for example, 1Tbps, they will grant you, for 
example, 50Gbps of clean traffic.

Anyway, I'm open to other suggestions, and open-source products that can serve the 
same purpose; we have a network development team that can work on this.

Thanks.

--
Mohamed Kamal
Core Network Sr. Engineer





Re: cheap laptop with 32G or 64G recommendations

2014-11-12 Thread John Schiel


On 11/11/2014 05:54 PM, lobna gouda wrote:

Thanks all for your reply. Lenovo seems decent; almost all the PCs (Lenovo and 
HP) are decent with the 16G. Somebody mentioned with 16G it is a bit slow; Keith 
here is saying with the 32G he had no issue. I intend to buy my own memory just to 
save on the cost. I agree 64 will be sky expensive and cloud will do, then. By the 
way W530 is replaced by W540, do not see much benefit for my case.


Be careful with Lenovo, some folks think it has a bad security 
reputation. Why? *shrug*, not sure but maybe because it's a Chinese 
company with ties to the PRC and IIRC, there was a BIOS flaw.


--John


Brgds,
Lobna Gouda

Date: Tue, 11 Nov 2014 12:13:09 -0800
From: blakan...@gmail.com
To: nanog@nanog.org
Subject: Re: cheap laptop with 32G or 64G recommendations

I have an almost two-year old Lenovo W530 with 32G ram. I've been happy
with it. I don't find myself taking advantage of the ram (w/ VMWare
Workstation) as much as I thought I would.

http://shop.lenovo.com/us/en/laptops/thinkpad/w-series/w530/

-Keith

Darden, Patrick wrote:

If there is a cheap quad-core laptop with 64GB of ram and no huge downsides...  
then sign me up!  I expect that will be the standard in 5 years, but right now 
that is a hoss.

Izaac's suggestion of using the cloud is good, if you can do it.  Cloud 
services have come a long way--fast and easy to set up complex environments.  
Great article comparing performance and costs:

http://www.infoworld.com/article/2610403/cloud-computing/ultimate-cloud-speed-tests--amazon-vs--google-vs--windows-azure.html

--p


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Izaac
Sent: Monday, November 10, 2014 6:25 PM
To: NANOG
Subject: [EXTERNAL]Re: cheap laptop with 32G or 64G recommendations

On November 10, 2014 4:49:08 PM EST, lobna gouda lobna_go...@hotmail.com 
wrote:

Hello,
Any recommendation? Not looking for anything fantasy; my understanding is
it should be quad-core, with more than DIMM0 slot so each can have 8G.
Win7 64-bit to work. I want to use it as a server or to practice logical
routers.

Cheap and 64GiB of RAM are incompatible concepts in laptops.

There is no earthly reason you should need to carry a machine like that anyway. 
If for some reason you need something so equipped, get yourself a cloud 
instance and connect to it. That's how you save money.

If you're stuck working in a completely isolated environment, then work it into 
the contract. That's the cost of being on an island.

--
Izaac






Re: Tech Laptop with DB9

2014-11-10 Thread John Schiel


On 11/10/2014 02:05 PM, joel jaeggli wrote:

ftdi chipsets work on both mac and windows devices.


I'd be careful with FTDI chipsets, you want to make sure you get the 
real chip. If they decide to move forward with bricking counterfeit 
chips, you'll be wasting your $$.



--John



http://www.amazon.com/Serial-Console-Rollover-Cable-Routers/dp/B00M2SAKMG/ref=sr_1_16?s=electronicsie=UTF8qid=1415653377sr=1-16keywords=ftdi+serial

On 11/10/14 10:39 AM, Max Clark wrote:

Hi all,

DB9 ports seem to be a nearly extinct feature on laptops. Any
suggestions on a cheap laptop for use in field support (with an onboard
DB9)?

Thanks,
Max








Re: Linux: concerns over systemd adoption and Debian's decision to switch

2014-10-22 Thread John Schiel


On 10/22/2014 10:43 AM, C. Jon Larsen wrote:



Hardly.  The discussion so far has been weighted very heavily on the
side of Dana Carvey's Grumpy Old Man-style whining: "That's the way
it was and we liked it!"

The people that like systemd (like myself) have wisely learned that
the people that hate systemd, hate it mostly because it's different
from what came before and don't want to change.  There's no way to
argue rationally with that.


Incorrect assumption. systemd is a massive security hole waiting to 
happen and it does not follow the unix philosophy of do one thing and 
do it well/correctly.


i was beginning to wonder how secure systemd is also.

--John

It's basically ignoring 40 years of best practices. That's why folks 
that have been there, done that, don't want any part of it. Not because 
it's new, but because it's a flawed concept.


You are free to use it, but it would be a poor choice for a system that 
has hopes of being secure.



--
Jeff Ollie






Re: Linux: concerns over systemd adoption and Debian's decision to switch

2014-10-22 Thread John Schiel


On 10/22/2014 01:30 PM, valdis.kletni...@vt.edu wrote:

On Wed, 22 Oct 2014 13:13:29 -0600, John Schiel said:


i was beginning to wonder how secure systemd is also.

One of the 3 CIA pillars of security is availability.  And if
it's oh-dark-30, figuring out what symlink is supposed to be where
for a given failed systemd unit can be a tad challenging.  At least under
sysvinit, either /etc/rc5.d/S50foobar is there or it isn't(*).

And if they carry through on their systemd-console threat, that could get
even worse - that introduces a whole new pile of risks for being unable
to diagnose early boot bugs

So yeah, there are security issues other than "can it be hacked because
it's got a huge surface area".


Agreed, the oh-dark-thirty call outs will be harder to resolve but I'm 
sure some folks will learn to deal with it. It's new and changes the job 
but as was noted earlier, there is always change.


My concern is with the large surface area. Does that expose the daemon 
to more vulnerabilities because it does more or does one daemon make it 
easier to protect against multiple vulnerabilities? I don't know, that's 
where the research needs to be done.


--John



(*) Unless you're really having a bad night and it's a hard link to /dev/sda1
or something. :)




Re: Marriott wifi blocking

2014-10-06 Thread John Schiel


On 10/03/2014 04:26 PM, Hugo Slabbert wrote:

On Fri 2014-Oct-03 16:01:21 -0600, John Schiel <jsch...@flowtools.net> 
wrote:




On 10/03/2014 03:23 PM, Keenan Tims wrote:

The question here is what is authorized and what is not.  Was this 
to protect their network from rogues, or protect revenue from 
captive customers.

I can't imagine that any 'AP-squashing' packets are ever authorized,
outside of a lab. The wireless spectrum is shared by all, regardless of
physical locality. Because it's your building doesn't mean you own the
spectrum.


+1



My reading of this is that these features are illegal, period. Rogue AP
detection is one thing, and disabling them via network or
administrative (ie. eject the guest) means would be fine, but
interfering with the wireless is not acceptable per the FCC 
regulations.

Seems like common sense to me. If the FCC considers this 'interference',
which it apparently does, then devices MUST NOT intentionally interfere.


I would expect interfering for defensive purposes **only** would be 
acceptable.


What constitutes defensive purposes?


Whoa, lots of replies this weekend.

I haven't made my way through all of them but the point was to try and 
protect your network from an offensive device. It seems though, if you 
are law abiding and follow the FCC rules, you **cannot** protect 
yourself very well using the wireless spectrum. Need to do some more 
reading I guess.


--John





--John



K








Re: Marriott wifi blocking

2014-10-03 Thread John Schiel


On 10/03/2014 03:23 PM, Keenan Tims wrote:

The question here is what is authorized and what is not.  Was this to protect 
their network from rogues, or protect revenue from captive customers.

I can't imagine that any 'AP-squashing' packets are ever authorized,
outside of a lab. The wireless spectrum is shared by all, regardless of
physical locality. Because it's your building doesn't mean you own the
spectrum.


+1



My reading of this is that these features are illegal, period. Rogue AP
detection is one thing, and disabling them via network or
administrative (ie. eject the guest) means would be fine, but
interfering with the wireless is not acceptable per the FCC regulations.

Seems like common sense to me. If the FCC considers this 'interference',
which it apparently does, then devices MUST NOT intentionally interfere.


I would expect interfering for defensive purposes **only** would be 
acceptable.


--John



K




Re: MACsec SFP

2014-06-25 Thread John Schiel
Would be nice if we knew what the protocol was that communicated this
information down to the SFP and would also be nice if that was an open
protocol subject to review. UDP something? is my guess but how do those
messages look?

I'm new to the MACsec idea but I would hope we could watch for such key
exchange traversing the wire and have some method to ignore spurious
messages and keys that may lock up a valid, working SFP.

--John


On Tue, Jun 24, 2014 at 1:27 PM, Pieter Hulshoff <phuls...@aimvalley.nl>
wrote:

 On 24-06-14 17:50, Christopher Morrow wrote:

 So.. now when my SFP in Elbonia dies I need to get a truck to Elbonia
 AND its paired link in west caledonia? yikes. Also, is that a
 'ybFxasasdasd' on the serial-number/key-pair-note or 'ybfXasdadasdsd'?
 Gosh joe I'm not sure...


 Obviously this solution wouldn't work for everyone, but I think for those
 people who prefer a simple unmanaged plug-and-play solution it would work
 just fine.


  Programmable seems like the way to go, provided there's a path to do
 that in the cli of the device you plugged the SFP into? (which I think
 is the hard part actually, right?)


 Actually, there are many other ways to solve this. If you want unmanaged
 still, you could opt for using a key infrastructure combined with 802.1X
 EAPOL. For managed solutions, the device could be made programmable via
 I2C, in-band from the switch or even in-band from the line. We have several
 such managed smart SFPs in our portfolio, so adding such features to this
 device will not be a problem. A management channel however is also an added
 security risk, so not everybody would be in favour of that. No size fits
 all.



 On 24-06-14 18:30, Christopher Morrow wrote:

 it's going to be hard to schedule a key roll then, right? I would
 expect that in most/many deployments where someone enters a 'key'
 there has to be some compliance process that includes: And you change
 that key every X days right? So you'll NOT want to be in a situation
 that involves coordinating a few thousand truck rolls every X months
 to have this deployed.


 True, though an MKA PSK could safely be used for the life-time of a
 device. Should one want a regular key roll though, the CAK could be given a
 life-time, with a new one distributed automatically via MKA or EAPOL when
 it expires. It's also possible to set up a management command to do the
 same thing at the operator's request. Plenty of options; I'm trying to find
 out what demand there is for each to determine what should make our first
 release, and what will not. :)

 Kind regards,

 Pieter Hulshoff