Re: Gmail and SSL

2013-01-02 Thread Matthew Palmer
On Wed, Jan 02, 2013 at 07:35:49PM -0500, William Herrin wrote:
 A reputable SSL signer would have to get outed just once issuing a
 government a resigning cert and they'd be kicked out of all the
 browsers. They'd be awfully easy to catch.

I believe Honest Achmed said it best:

In any case by the time he's issued enough certificates he'll be regarded
as too big to fail by the browser vendors, so an expensive audit doesn't
really matter.

as well as

Achmed's business plan is to sell a sufficiently large number of
certificates as quickly as possible in order to become too big to fail

and

Achmed guarantees that no certificate will be issued without payment having
been received, as per the old latin proverb nil certificati sine lucre.

- Matt




Re: Gmail and SSL

2013-01-01 Thread Matthew Palmer
On Tue, Jan 01, 2013 at 12:04:16PM -0700, Keith Medcalf wrote:
 Perhaps the cheapest way to solve this is to apply thumbscrews and have
 google require the use of co-option friendly keying material by their
 victims errr customers errr users.

ITYM "product".

- Matt




Re: TCP time_wait and port exhaustion for servers

2012-12-07 Thread Matthew Palmer
On Thu, Dec 06, 2012 at 08:58:10AM -0500, Ray Soucy wrote:
  net.ipv4.tcp_keepalive_intvl = 15
  net.ipv4.tcp_keepalive_probes = 3
  net.ipv4.tcp_keepalive_time = 90
  net.ipv4.tcp_fin_timeout = 30
 
 As discussed, those do not affect TCP_TIMEWAIT_LEN.
 
 There is a lot of misinformation out there on this subject so please
 don't just Google for 5 min. and chime in with a solution that you
 haven't verified yourself.
 
 We can expand the ephemeral port range to be a full 60K (and we have
 as a band-aid), but that only delays the issue as use grows.  I can
 verify that changing it via:
 
 echo 1025 65535 > /proc/sys/net/ipv4/ip_local_port_range
 
 Does work for the full range, as a spot check shows ports as low as
 2000 and as high as 64000 being used.

I can attest to the effectiveness of this method, however be sure and add
any ports in that range that you use as incoming ports for services to
/proc/sys/net/ipv4/ip_local_reserved_ports, otherwise the first time you
restart a service that uses a high port (*cough*NRPE*cough*), its port will
probably get snarfed for an outgoing connection and then you're in a sad,
sad place.

- Matt

-- 
[An ad for Microsoft] uses the musical theme of the Confutatis Maledictis
from Mozart's Requiem. Where do you want to go today? is on the screen,
while the chorus sings Confutatis maledictis, flammis acribus addictis,.
Translation: The damned and accursed are convicted to the flames of hell.
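The check Matt recommends, as an added example that is not part of the thread and not any poster's own code: a POSIX shell script that reports every listening TCP port sitting inside ip_local_port_range which ip_local_reserved_ports does not cover, i.e. the ports a service restart could find already grabbed by an outgoing connection. The sample range, reserved list and listening-port list are constructed; the `--live` mode reads the real /proc files and assumes iproute2's `ss` is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Finds listening TCP ports that sit
# inside the ephemeral range but are not protected by
# ip_local_reserved_ports, i.e. ports a service restart could find already
# taken by an outgoing connection.

# Constructed sample data standing in for the live /proc files and `ss`.
SAMPLE_RANGE="1025 65535"                  # as /proc/sys/net/ipv4/ip_local_port_range
SAMPLE_RESERVED="5666,8080-8085"           # as /proc/sys/net/ipv4/ip_local_reserved_ports
SAMPLE_LISTENING="22 80 5666 8081 8090 9100"   # constructed `ss -ltnH` port list

# in_reserved PORT SPEC: succeeds if PORT is covered by SPEC, the kernel's
# comma-separated list of single ports and lo-hi ranges (may be empty).
in_reserved() {
    r_port=$1
    r_spec=$2
    [ -n "$r_spec" ] || return 1
    r_oldifs=$IFS
    IFS=,
    for r_item in $r_spec; do
        case $r_item in
            *-*) r_lo=${r_item%-*}; r_hi=${r_item#*-} ;;
            *)   r_lo=$r_item;      r_hi=$r_item ;;
        esac
        if [ "$r_port" -ge "$r_lo" ] && [ "$r_port" -le "$r_hi" ]; then
            IFS=$r_oldifs
            return 0
        fi
    done
    IFS=$r_oldifs
    return 1
}

# unprotected_ports RANGE SPEC "PORT PORT ...": prints, one per line, each
# listening port inside RANGE ("low high", space or tab separated) that
# SPEC does not reserve.
unprotected_ports() {
    set -- $1 "$2" "$3"   # split RANGE on whitespace: $1=low $2=high $3=spec $4=ports
    for u_p in $4; do
        if [ "$u_p" -ge "$1" ] && [ "$u_p" -le "$2" ] && ! in_reserved "$u_p" "$3"; then
            printf '%s\n' "$u_p"
        fi
    done
}

# Live check against the running kernel (Linux; assumes iproute2's ss).
check_live() {
    l_range=$(cat /proc/sys/net/ipv4/ip_local_port_range)
    l_reserved=$(cat /proc/sys/net/ipv4/ip_local_reserved_ports)
    l_listening=$(ss -ltnH | awk '{ sub(/.*:/, "", $4); print $4 }' | sort -un)
    unprotected_ports "$l_range" "$l_reserved" "$l_listening"
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    # Demo on the constructed data: prints 8090 and 9100.
    unprotected_ports "$SAMPLE_RANGE" "$SAMPLE_RESERVED" "$SAMPLE_LISTENING"
fi
```

Every port the script prints in `--live` mode is one to add to ip_local_reserved_ports (comma-separated, ranges allowed) before the next service restart; the classic NRPE port 5666 is in the constructed reserved list for exactly that reason.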




Re: Finding Name Servers (not NS records) of domain name

2012-08-17 Thread Matthew Palmer
On Wed, Aug 15, 2012 at 06:10:25PM -0400, Anurag Bhatia wrote:
 Now as you would be knowing if I do regular dig with ns, it provides NS
 records. However I was able to find nameservers by digging gTLD root for
 gTLD based domains. This works for .com/net/org etc but again fails for say
 .us, .in etc. I was wondering if there's an easy way to do it rather than
 running script on thousands of domain names again & again digging registry
 specific nameservers?

I religiously use http://squish.net/dnscheck/ the moment I suspect *any*
sort of DNS hinkiness.  Verbose, but *damn* if it doesn't hand me the answer
practically every time.

- Matt




Re: job screening question

2012-07-07 Thread Matthew Palmer
On Sat, Jul 07, 2012 at 11:01:29AM -0700, JC Dill wrote:
 On 06/07/12 9:06 PM, Matthew Palmer wrote:
 Maybe it's more significant to ask what the difference between TCP and UDP 
 is.
 Yes, the difference between TCP and UDP is a much better question to ask,
 but having HR assess and act on the answer to the question is a whole hell
 of a lot harder.
 
 The best path is to have HR report the answer verbatim for the
 hiring manager to do the assessing.  Then the hiring manager can
 decide which candidates proceed to the next level of interviews.

Two problems there:

* We've already had mention made in this thread of the problems associated
  with HR attempting to record, verbatim, an answer provided by a candidate. 
  Unless all your HR phone screeners are experienced stenographers (who, I
  will note, can typically command salaries far in excess of HR associates),
  their chances of getting an accurate record of a candidate's statements are
  slim.

* If you're going to have to carefully examine each candidate's answers
  *anyway*, why not just get on the phone screen with them in the first
  place, and get HR out of the picture?  At least that way you're not
  wasting money paying for HR people, and you can do a far more in-depth
  interview because you're there, in real-time, to ask follow-up questions.

- Matt


-- 
MySQL seems to be the Windows of the database world. Broken, underspecced,  
and mainly only popular due to inertia and people who don't really know what
they're doing.
-- Peter Corlett, in the Monastery




Re: job screening question

2012-07-06 Thread Matthew Palmer
On Thu, Jul 05, 2012 at 05:01:39PM -0700, Scott Weeks wrote:
 
 
 --- ja...@thebaughers.com wrote:
 From: Jason Baugher ja...@thebaughers.com
 
 Geez, I'd be happy to find someone with a good attitude, a solid work 
 ethic, and the desire and aptitude to learn. :)
 ---
 
 
 Yeah, that.  But how do you get those folks through the HR 
 process to you, so you can decipher their skill/work ethic 
 level?  What can the HR person ask to find out if someone 
 has these qualities?  OSPF LSA type questions will not help.

Don't get HR to do that sort of screening.  They suck mightily at it.  I
lack any sort of HR department to get in the way, and I'm glad of it -- I
don't see the value in having someone who doesn't know anything about the
job get in the way of finding the right person for it.  Sure, get 'em to do
the scutwork of posting job ads, collating resumes, scheduling things and
sending the "lolz no!" responses, but actually filtering?  Nah, I'll do that
bit thanks.  If you have to have HR do a filter call, make it *really*
simple, like "What does TCP stand for?" -- sadly, you'll still probably
filter out half the applicants for a senior position...

- Matt




Re: job screening question

2012-07-06 Thread Matthew Palmer
On Sat, Jul 07, 2012 at 12:51:55PM +1200, Ben Aitchison wrote:
 On Fri, Jul 06, 2012 at 04:18:21PM +1000, Matthew Palmer wrote:
  On Thu, Jul 05, 2012 at 05:01:39PM -0700, Scott Weeks wrote:
   --- ja...@thebaughers.com wrote:
   From: Jason Baugher ja...@thebaughers.com
   
   Geez, I'd be happy to find someone with a good attitude, a solid work 
   ethic, and the desire and aptitude to learn. :)
   ---
   
   
   Yeah, that.  But how do you get those folks through the HR 
   process to you, so you can decipher their skill/work ethic 
   level?  What can the HR person ask to find out if someone 
   has these qualities?  OSPF LSA type questions will not help.
  
  Don't get HR to do that sort of screening.  They suck mightily at it.  I
  lack any sort of HR department to get in the way, and I'm glad of it -- I
  don't see the value in having someone who doesn't know anything about the
  job get in the way of finding the right person for it.  Sure, get 'em to do
  the scutwork of posting job ads, collating resumes, scheduling things and
  sending the "lolz no!" responses, but actually filtering?  Nah, I'll do that
  bit thanks.  If you have to have HR do a filter call, make it *really*
  simple, like "What does TCP stand for?" -- sadly, you'll still probably
  filter out half the applicants for a senior position...
 
 I've noticed a strong correlation between people who don't know what acronyms
 stand for, and competence.  People who don't know anything try and figure out
 what the acronym stands for - people who want to understand things see it as
 just a place holder.

[...]

 Maybe it's more significant to ask what the difference between TCP and UDP is.

Yes, the difference between TCP and UDP is a much better question to ask,
but having HR assess and act on the answer to the question is a whole hell
of a lot harder.  In many ways, *that's* the tough bit of finding a good
screening question.  Finding good interview questions *in general* isn't all
that hard.  With a good senior candidate my interview questions could just
be bringing up problems I've recently solved or am currently wrestling with,
and having a 30 minute conversation on the problem.  I'll get a very good
idea of someone's domain knowledge and problem-solving skills by doing that. 
But there's no way I can ask HR to do that, because they don't know how to
assess the answer, and as previously demonstrated (fragmented disks,
indeed), you can't have HR act as scribe and relay the answer to you,
because they'll get it wrong, and the interesting bit is the *conversation*,
not the canned single-shot answer.

That's my motivation for asking a question as inane as "What does TCP stand
for?" -- it has an overwhelmingly obvious answer that can be verified in a
second or two by someone who really doesn't know anything about what they're
asking.  Give a candidate 10 of those sorts of questions over the phone from
an HR drone, if they score 8-or-better (for instance) they pass and you get
to see their resume.  That is, of course, assuming your organisation is so
screwed up that they won't let you at candidates directly (which is still my
preferred option -- leave HR to do the paperwork).

- Matt

-- 
The real art of conversation is not only to say the right thing at the
right place but to leave unsaid the wrong thing at the tempting
moment. -- Dorothy Nevill




Re: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Matthew Palmer
On Mon, Jul 02, 2012 at 09:13:42AM -0700, Michael Thomas wrote:
 My centos 6/64 running 3.0 seemed to weather it too. I'm not quite
 clear on what I should be looking for to classify it as being broken though.

The problems I saw were related to programs that use futex(2) (Java, MySQL,
Chromium, in my personal experience) chewing up lots of CPU because the
futex system call wasn't quite doing what it was supposed to be doing
(waking up threads when they were OK to proceed) and instead constantly
waking the threads up, having the threads go "OK, so my lock is clear and
I'm ready to go?", the kernel saying "oh, no, sorry" and the thread going
back to sleep again -- only to be woken up again immediately.  Sort of an
object lesson in why busy-wait locks suck.

- Matt

-- 
The main advantages of Haynes and Chilton manuals are that they cost $15,
where the factory manuals cost $100 and up, and that they will tell you how
to use two hammers, a block of wood, and a meerkat to replace special tool
no. 2-112-A-- Matt Roberds in asr.




Re: CVV numbers

2012-06-09 Thread Matthew Palmer
On Sat, Jun 09, 2012 at 02:34:03PM -0700, Scott Howard wrote:
 On Sat, Jun 9, 2012 at 12:12 PM, Wayne E Bouchard w...@typo.org wrote:
  The main weakness of CVV2 these days is form history in browsers.
  (auto complete).
 
 Any website requesting a CVV2 in a form field without the form
 history/autocomplete being disabled is in breach of PCI compliance, and
 risks losing their ability to accept credit cards.

And convenience trumps pseudo-security yet again; Chrom(ium) asks me if I want
to save my CC details when I put them in (to which I tell it "not just no,
but are you *nuts*?"); presumably this is on forms which include
autocomplete="off", since it happens often enough.  So I would assume that
this PCI compliance tickbox is being ignored by browsers.  Whee!

- Matt

-- 
Ruby's the only language I've ever used that feels like it was designed by a
programmer, and not by a hardware engineer (Java, C, C++), an academic
theorist (Lisp, Haskell, OCaml), or an editor of PC World (Python).
-- William Morgan




Re: Bogon list update for prefix for 5.1.0.0/19

2012-05-28 Thread Matthew Palmer
On Mon, May 28, 2012 at 04:31:34PM +0300, Evgeniy Aikashev wrote:
 We are AS21219 - PJSC Datagroup and owner of 5.1.0.0/19 block. Our
 customers have no access to some part of Internet if they use these IPs.
 Could you please update your bogon filters to permit this range.

You're probably going to go and have a stern word with the Hamachi people,
too -- they've been squatting on that space for a while now.

- Matt




Re: Industry practice for BGP costs - one time or fixed/monthly?

2012-05-26 Thread Matthew Palmer
On Sat, May 26, 2012 at 09:39:16PM -0400, Luke S. Crawford wrote:
 On Sat, May 26, 2012 at 10:06:03AM +1000, Matthew Palmer wrote:
  We pay what our providers think they can get away with.  Like most pricing
  decisions, they're not based on any technical logic, they're based on what
  the market will bear.  Feel free to turn the process around -- decide what
  the service is worth to you, tell the provider of the service that price,
  and let them decide if they want to provide it to you at that price.  Don't
  be too surprised if you get monkeys in exchange for your peanuts, though.
 
 Are you suggesting that you get worse service after you negotiate a better
 deal with a particular provider?

To a certain extent, yes.  It has been my experience (from both the service
provider and the customer point-of-view) that customers who aren't worth as
much to a supplier don't get as much love, because the cost of losing
their business to a competitor is much less (or, in some cases, would be a
net win).

However, my main point was that if you are mainly concerned about price,
rather than quality of service (or, more precisely, the value-for-money
ratio between the two), you are likely to end up with a substandard service. 
I will concede, however, that I didn't make that point particularly clear,
for which I apologise.

- Matt


-- 
Advocating Object-Oriented Programming is like advocating Pants-Oriented
Clothing.
-- Jacob Gabrielson




Re: Equinix Direct

2012-05-25 Thread Matthew Palmer
On Fri, May 25, 2012 at 08:19:10AM -0400, Tim Durack wrote:
 It does concern me that the only connectivity options are FE/GE, no
 10GE at this time. Makes me wonder about how serious the service is,
 and whether I will end up with a more congested service than simply
 getting a mix of transit providers myself.

It depends on what you mean by "serious".  As I understand it, it's not
targeted at the big end of town -- there's no way you wouldn't be going
direct to the big tier 1s yourself if you needed multiple 10GE pipes, for a
wide variety of reasons.  Instead, it's intended as a leg up for the
smaller players to get into the marketplace *without* needing to make a huge
commitment to the big tier 1s and manage far more moving parts than would
otherwise be the case.

- Matt




Re: Industry practice for BGP costs - one time or fixed/monthly?

2012-05-25 Thread Matthew Palmer
On Fri, May 25, 2012 at 09:31:11PM +0530, Anurag Bhatia wrote:
 I have been aggressively looking for deals in servers in Europe for
 anycasting. One thing which surprises me is the setup costs for BGP. Few
 providers quoted additional $50-100 which looks OK but a few of them quoted
 as high as $150 *extra every month* just for having BGP (no full routing
 table, but just default route pointing). Is there any technical logic
 behind such heavy costs? I mean at the end of day we are all talking at
 layer 3 and thus it does not involve any hard connection/physical work.
 What other members pay for BGP setup costs?

We pay what our providers think they can get away with.  Like most pricing
decisions, they're not based on any technical logic, they're based on what
the market will bear.  Feel free to turn the process around -- decide what
the service is worth to you, tell the provider of the service that price,
and let them decide if they want to provide it to you at that price.  Don't
be too surprised if you get monkeys in exchange for your peanuts, though.

- Matt




Re: Cogent for ISP bandwidth

2012-05-14 Thread Matthew Palmer
On Mon, May 14, 2012 at 09:27:57PM -0500, Jason Baugher wrote:
 On 5/14/2012 7:30 PM, Jay Ashworth wrote:
 - Original Message -
 From: Jason Baugher ja...@thebaughers.com
 I've done some searching and haven't been able to find much in the last
 3 years as to their reliability and suitability as an upstream provider.
 Really?  That surprises me; people complain about Cogent on here, roughly,
 weekly.  :-)

 Sorry, been on this list for quite some time, and I even went back
 to the archives. I don't see much there that is specific to Cogent
 doing a bad job. If I go back a few years, I find stuff about
 Cogent-Telia, Cogent-GBX, and even Cogent-HE IPv6 peering.

So when you play "What's the common factor?", you get... ?  <grin>

We decided not to use Cogent as one of the suppliers for a recent PoP
deployment because of these sorts of games -- it's not that we'd get caught
in them (we've got three providers), but we just don't want to reward that
sort of behaviour with our money.

- Matt




Re: Squeezing IPs out of ARIN

2012-04-26 Thread Matthew Palmer
On Wed, Apr 25, 2012 at 08:31:44AM -0700, Owen DeLong wrote:
 On Apr 24, 2012, at 9:57 PM, Jack Bates wrote:
  I sometimes wonder what happens to that information; if it sits around
  in an archive somewhere in the vast digital repositories of ARIN
  awaiting someone to steal it.
 
 That's a very cynical view. I happen to know that ARIN takes the security
 of that data very seriously and I think they do a good job of protecting
 it.  If you have any reason to believe otherwise, I invite you to offer
 some form of substantiation to support such a claim.

I'm sure that if you s/ARIN/Sony/, s/ARIN/Wordpress/, or s/ARIN/RSA/ (just
to name a few), you'd have found people at some point in the past more than
willing to stand behind the resulting statement.

Just sayin'.

- Matt




Re: The day SORBS goes away ...

2012-04-07 Thread Matthew Palmer
On Sat, Apr 07, 2012 at 08:33:10PM +0300, Hank Nussbacher wrote:
 On Sat, 7 Apr 2012, Rich Kulawiec wrote:
 Clearly, this is idiotic reasoning and only when others start
 blocking their IP ranges and DNS servers will they ever wake up.

But how idiotic is it?  Do you have all Yahoo IP space and domains blocked
on your mail server?  How many mailboxes does that cover?  What percentage
of Yahoo's daily e-mail volume are you blocking, and how much of a rat's
arse do you think Yahoo cares?

I think you can see where I'm going with this.  It's only idiotic
reasoning if it doesn't work, and so far as I can see, it's working just
great -- there are effectively service providers who are too big to
fai^Wblock, and so they get away with things that everyone else would only
dream of.

They do care about the almighty buck more than the 'net, but I'd say that
almost all of us do, because almost none of us are willing to take the
plunge and block Yahoo and other giant providers of spam and other abuse. 
(For the record, I'm in this camp, too -- I'm not willing to lose my job --
my almighty buck -- for taking the step of blocking Yahoo, so I'm not any
sort of trailblazer along this path).

To anyone out there who is blocking Yahoo, and is big enough for them to
take notice, bravo to you!  Speak up, tell the world what you're doing, and
it might give the rest of us the courage and the precedent to do the same.

- Matt

-- 
A friend is someone you can call to help you move. A best friend is someone
you can call to help you move a body.




Re: last mile, regulatory incentives, etc (was: att fiber, et al)

2012-03-23 Thread Matthew Palmer
On Fri, Mar 23, 2012 at 02:18:26PM -1000, Michael Painter wrote:
 Really.  This is from the Governor's Hawaii Broadband Initiative speedtest 
 website:
 
 The indication of above average or below average is based on a
 comparison of the actual test result to the current NTIA definition
 of broadband which is 768 kbps download and 200 kbps upload. Any
 test result above the NTIA definition is considered above average,
 and any result below is considered below average.

Just one more nail in the coffin of the word "average".

- Matt

-- 
I seem to have my life in reverse. When I was a wee'un, it seemed perfectly
normal that one could pick up the phone and speak to anybody else in the
world who also has a phone. Now I'm older and more experienced, I'm amazed
that this could possibly work. -- Peter Corlett, in the Monastery




Re: WW: Colo Vending Machine

2012-02-17 Thread Matthew Palmer
On Fri, Feb 17, 2012 at 05:39:34PM -0800, Owen DeLong wrote:
 In such cases, I will occasionally stop by the colo without going home to
 retrieve the laptop.  90% of the time it works out OK.  10% of the time I
 end up leaving the colo, going home, retrieving the laptop and returning
 to the colo.  Obviously, if there was a loaner laptop available for a $15
 rental in the colo as described, it would probably be worth $15 to me
 and/or my organization to avoid the delay and bother of the round-trip
 between colo and home.

As previously advised, typing passwords/phrases into such devices is...  not
recommended.  At $ORK, we've got DC tech laptops in each suite for just such
occasions, preconfigured with everything you might need (bookmarks into all
internal systems and likely wiki pages, a DC tech jabber account, etc). 
Works well, and I'm sure they've paid for themselves many times over.

- Matt

-- 
liw hut.fi has or used to have two nfs servers not-responding and
still-trying... don't know if their dns server was not-found... 4o4 would be
then a good name for the web server... endless hours of fun
aj did you get a response from 4o4? nah, it just 404ed




Re: UDP port 80 DDoS attack

2012-02-05 Thread Matthew Palmer
On Sun, Feb 05, 2012 at 06:36:13PM -0500, Ray Gasnick III wrote:
 We just saw a huge flux of traffic occur this morning that spiked one of
 our upstream ISPs gear and killed the layer 2 link on another because of a
 DDoS attack on UDP port 80.

Yep, we've got a customer who's been hit with it a couple of times (5Gbps
the first time, 3Gbps the second).  For hysterical raisins, we don't
actually control the network for this particular customer, but the network
provider did pretty much what you did -- blackholed the victim IP.  We've
mitigated the problem by using a full-time traffic-scrubbing service -- the
hope is that the scrubbing service will pay for all the traffic and only the
good stuff will get through.  Only time will tell if it works.  We also had
to renumber the customer, as the attacks were obviously remembering the old
IP and still knocking it off the network even after the DNS was repointed at
the scrubbing service.

- Matt

-- 
I'm tempted to try Gentoo, but then I learned that its installer is in
Python, and, well, a base Python install on my system is something like
fifty megabytes (for what?  oh, right, we NEED four XML libraries, I
forgot).  -- Dave Brown, ASR




Re: Linux Centralized Administration

2012-01-12 Thread Matthew Palmer
On Thu, Jan 12, 2012 at 04:02:49PM -0500, Paul Stewart wrote:
 Hey folks. just curious what people are using for automating updates to
 Linux boxes?
 
 Today, we manually do YUM updates to all the CentOS servers . just an
 example but a good one.  I have heard there are some open source solutions
 similar to that of Red Hat Network?

At work, we use (and built) a tool called 'tingle'
(https://github.com/anchor/tingle), which handles it all for us across our
internal and managed-for-customers infrastructures.

Personally, I don't run CentOS, but I use unattended-upgrades on my personal
herd of Debian machines, which works well enough.

- Matt

-- 
A woman in liquor production / Owns a still of exquisite construction.
The alcohol boils / Through magnetic coils.
She says that it's proof by induction.
-- http://limerickdb.com/?34




Re: Looking for a Tier 1 ISP Mentor for career advice.

2011-12-02 Thread Matthew Palmer
On Fri, Dec 02, 2011 at 05:55:23PM -0600, Robert Bonomi wrote:
 
  Scott Weeks sur...@mauigateway.com wrote:
 
  Apologies for the rapid-shot email.  It's Friday...  :-)
 
  bmann...@vacation.karoshi.com wrote:
 
  On Thu, Dec 01, 2011 at 04:35:27PM -0500, David Radcliffe wrote:
   The reason it is not more accepted is too many people still think If I 
   cannot see you you must not be working.
 
  actually, i've heard the real reason is corporate liability ...
  that said, there is an advantage for team f2f mtgs on a periodic
  basis.
 
  I don't follow.  Could you elaborate?  What is the liability?
 
 I don't know for certain, but I expect 'work at home' employees fall under
 the scope of the employer's Workman's Compensation liability coverage,
 with regard to injuries sustained on the job.

There are those who say this has already happened

http://www.news.com.au/business/telstra-forced-to-pay-costs-compensation-after-worker-dale-hargreaves-slips-while-working-at-home/story-e6frfm1i-1226081649913

Now, I'm sure the facts of the matter haven't gotten in the way of the story
there, but I'm struggling to come up with a set of circumstances which
*don't* involve an application of palm to face.

- Matt

-- 
You know you have a distributed system when the crash of a computer you’ve
never heard of stops you from getting any work done.
-- Leslie Lamport Security Engineering: A Guide to Building
   Dependable Distributed Systems




Re: Performance Issues - PTR Records

2011-11-02 Thread Matthew Palmer
On Wed, Nov 02, 2011 at 06:12:21PM -0400, David Hubbard wrote:
 From: Matt Chung [mailto:itsmemattch...@gmail.com] 
  Historically, there was no compelling reason to create PTR 
  records for our CPE however more and more applications seem
  to be dependent on it.  Although we will be assigning a
  record for each address, my question is why
  is the application (specifically HTTP) dependent on a reverse record ?
  What is the purpose?
 
 As a web host, we frequently find customers who have
 added Apache rules to their ecommerce sites to block
 undesirable traffic, such as credit card scammers, etc.
 Not knowing any better, they often do this by just
 blocking anything that ends in .in to block Indonesia
 for example.

That's even less effective than you'd naively expect, given that Indonesia's
TLD is .id...

- Matt




Re: Synology Disk DS211J

2011-09-30 Thread Matthew Palmer
On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
 On 9/29/11 17:46 , Robert Bonomi wrote:
  From: Nathan Eisenberg nat...@atlasnetworks.us
  Subject: RE: Synology Disk DS211J
  Date: Thu, 29 Sep 2011 21:58:23 +
 
  And this is why the prudent home admin runs a firewall device he or she 
  can trust, and has a default deny rule in place even for outgoing 
  connections.
 
  - Matt
 
 
 
   The prudent home admin has a default deny rule for outgoing HTTP to port
   80?  I doubt it.
  
   
   No, the prudent and knowledgeable home admin does not have a default deny
   rule just for outgoing HTTP to port 80.
   
   He has a default deny rule for _everything_.  Every internal source address,
   and every destination port.  Then he pokes holes in that 'deny everything'
   for specific machines to make the kinds of external connections that _they_
   need to make.
  
 Tell me how that flies with the customers in your household...

Perfectly fine.  My users know not to go plugging random devices in, and I
properly configure the firewall to account for all legitimate traffic before
the device is commissioned.

- Matt
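The "default deny everything, then poke holes per machine" layout Bonomi describes and Matt runs at home, as an added example that is not part of the thread and not any poster's configuration: a POSIX shell script that renders an nftables ruleset for a home router's forward path from a small per-machine allow-list. The interface names lan0/wan0, the 192.0.2.0/24 addresses and the four flows are constructed assumptions, and the script only prints the ruleset so it can be read before anyone loads it.

```shell
#!/bin/sh
# Added example, not from the thread. Renders an nftables ruleset for a home
# router: the forward chain drops everything by default and only the flows
# listed below, per source machine, are opened. Everything else is logged, so
# a newly plugged-in device that starts calling out shows up in the logs
# instead of quietly getting through.

LAN_IF=lan0    # assumed LAN-side interface name
WAN_IF=wan0    # assumed WAN-side interface name

# Constructed allow-list: "source_ip proto dport label" per line.
ALLOWED_FLOWS='192.0.2.10 tcp 443 workstation https out
192.0.2.10 tcp 80 workstation http out
192.0.2.10 udp 53 workstation dns to resolver
192.0.2.20 tcp 993 laptop imaps only'

# render_ruleset: prints the complete ruleset to stdout.
render_ruleset() {
    cat <<EOF
table inet home_egress {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # return traffic for flows already permitted below
        ct state established,related accept
        ct state invalid drop

EOF
    # one accept rule per allow-list entry; the label becomes a rule comment
    printf '%s\n' "$ALLOWED_FLOWS" | while read -r src proto port label; do
        [ -n "$src" ] || continue
        printf '        iifname "%s" oifname "%s" ip saddr %s %s dport %s accept comment "%s"\n' \
            "$LAN_IF" "$WAN_IF" "$src" "$proto" "$port" "$label"
    done
    cat <<EOF

        # anything else leaving the LAN is logged and then dropped by policy
        iifname "$LAN_IF" oifname "$WAN_IF" log prefix "egress-denied: " drop
    }
}
EOF
}

# accept_rule_count: number of per-machine holes in the rendered ruleset.
accept_rule_count() {
    render_ruleset | grep -c ' accept comment "'
}

render_ruleset
```

Write the output to a file and load it with `nft -f` once you are happy with it; the router's own output chain needs the same treatment, since this only covers traffic forwarded from the LAN. With a ruleset like this in place, a NAS that starts connecting to an address nobody whitelisted appears as an "egress-denied:" line in the kernel log rather than in a packet capture taken after the fact.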




Re: Synology Disk DS211J

2011-09-29 Thread Matthew Palmer
On Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
 A little off topic, but wanted to share... I purchased a home storage
 Synology DS1511+.  After configuring it on the home net, I did some
 captures to look at the protocols, and noticed that the DS1511+ is making
 outgoing connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 &
 89) on a regular basis.  These addresses are owned by Synology and Chunghwa
 Telecom in Taiwan.

And this is why the prudent home admin runs a firewall device he or she can
trust, and has a default deny rule in place even for outgoing connections.

- Matt




Re: Nxdomain redirect revenue

2011-09-27 Thread Matthew Palmer
On Tue, Sep 27, 2011 at 05:08:42PM -0500, Jimmy Hess wrote:
 On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow
 morrowc.li...@gmail.com wrote:
 
  how does tls/https help here? if you get sent to the 'wrong host'
  whether or not it does https/tls is irrelevant, no? (save the case of
  chrome and domain pinning)
 
 Because the operator of the "wrong host" cannot obtain an SSL
 certificate for the right host's domain from a legitimate CA.

Oh, if only 'twere true... even without control of the DNS for the domain,
there have been plenty of certificates erroneously issued.  With DNS
control, doing the necessary validation steps required for the issuance of a
certificate is child's play.

Then, of course, there's the issues with what constitutes a legitimate CA;
the list of CAs that I'd never want to trust, but which are in my browser by
default, is long and notorious.

- Matt




Re: Question on 95th percentile and Over-usage transit pricing

2011-09-22 Thread Matthew Palmer
On Thu, Sep 22, 2011 at 10:31:34AM -0700, Ryan Malayter wrote:
 On Sep 22, 12:54 am, PC paul4...@gmail.com wrote:
  An optimal solution would be a tiered system where the adjusted price only
  applies to traffic units over the price tier threshold and not retroactively
  to all traffic units.
 
 I have seen a more optimal scheme about 15 years ago. Pricing was a
 smooth function, but it was for software licensing, not networking.
 
 As I recall, their scheme went something like:
 invoice_amount = some_constant * (quantity)^0.75
 
 This seemed smart to me. It gave the customer incentives to invest
 more, but also got rid of silly discontinuities that would cause
 irrational customer and salesperson behavior.
 
 Has anyone seen something similar in the service provider world? All I
 ever see are arbitrary step functions.

I actually had this discussion quite recently with The Powers, as we have
some fairly interesting issues with the results of our newly adjusted
pricing steps.

The rationale behind sticking with the steps was "everyone else does it that
way, so when customers are making comparisons they need to be able to make a
meaningful comparison" and "continuous functions are too hard".  Given that
we're not a market leader in network traffic, I somewhat see the logic
behind the first, and given the average customer has trouble understanding
that XGB per month at $Y/GB = $X*Y, I totally see the point on the second,
*in general*.

However, if you want it, ask for it.  Go so far as to say that you'll only
consider pricing functions that are continuous, and therefore will be making
an apples-for-apples comparison.  You'll exclude a lot of the market, simply
because the contracts can't be modified like that or the billing system
can't handle it, but I'm fairly confident that the data to create such a
function exists at every sanely-run network provider.

- Matt

-- 
For once, Microsoft wasn't exaggerating when they named it the 'Jet Engine'
-- your data's the seagull.
-- Chris Adams




Re: How long is your rack?

2011-08-15 Thread Matthew Palmer
On Mon, Aug 15, 2011 at 11:37:37AM -0400, Randy Bush wrote:
  more likely a 'shortened' url.  how anyone can click those is beyond
  me.
  I'm curious what your objection is.
 
 i have no assurance that a shortened url does not lead to a malicious
 site.  also your privacy issue, but that is secondary.

Given the rate of publicised defacements of all manner of sites (and that
injecting malware into a page is the exact same thing as a clear defacement,
from an execution point of view), a long URL gives you no greater assurance
of protection from malice.

- Matt
(Fellow hater of URL-shortening services)


-- 
I'm sorry they changed it back.  The freedom-fries thing was a proclamation
to the world that we are indeed ruled by fools and madmen, but it had the
virtue of not requiring mass numbers of people to be killed in order to make
the point. -- Brad Ferguson




Re: network issue help

2011-08-10 Thread Matthew Palmer
On Wed, Aug 10, 2011 at 07:33:53PM -0400, Stefan Fouant wrote:
 Is there an acronym for RTFM when there are a volume of manuals that need to 
 be read?

FOAD, perhaps?

- Matt

-- 
When you have a Leatherman, everything looks Leathermanipulable.
-- Nathan McCoy, in the Monastery




Re: US internet providers hijacking users' search queries

2011-08-05 Thread Matthew Palmer
On Fri, Aug 05, 2011 at 05:04:51PM -0700, Bino Gopal wrote:
 http://www.newscientist.com/article/dn20768-us-internet-providers-hijacking-users-search-queries.html

I hope more ISPs start doing this; it'll increase the take up of HTTPS.

- Matt


-- 
Part[s] of .us are the global benchmark for pumpkin being a verb.
-- Anthony de Boer




Re: US internet providers hijacking users' search queries

2011-08-05 Thread Matthew Palmer
On Fri, Aug 05, 2011 at 06:53:50PM -0600, Brielle wrote:
 Until they start MitM the ssl traffic, fake certs and all.  Didn't a
 certain repressive regime already do this tactic with facebook or some
 other major site?

Yes, there's plenty of rogue CAs.  That's an easier problem to solve (though
still difficult) than trying to stop traffic interception with plain HTTP.

- Matt

-- 
There's a term for those who fantasize that the world works in precisely the
way that produces maximum convenience for them, despite years of evidence to
the contrary.  The term is Morons.
-- Greg Andrews, in the Monastery




Re: dynamic or static IPv6 prefixes to residential customers

2011-08-03 Thread Matthew Palmer
On Wed, Aug 03, 2011 at 10:00:37AM -0700, Bill Woodcock wrote:
 Also good for customer privacy.  LE can still subpoena ISP logs, but
 e-commerce sites can't track users quite as easily.

So... you're in that alternate universe populated by people who *aren't*
constantly logged onto facebook.  Good to know.

- Matt




Re: Comcast Bussiness Class and GRE Tunnels

2011-07-27 Thread Matthew Palmer
On Wed, Jul 27, 2011 at 12:17:16PM +0300, Denys Fedoryshchenko wrote:
 I can recommend you to try to use openvpn, if you are Mikrotik
 only. At least it doesn't have fragmentation issues, as
 IPIP/GRE/PPTP has, and also it will run smoothly over NAT/SPI. Cons,
 that it is a bit more laggy, because it runs over TCP.

Au contraire, OpenVPN only runs over TCP if you explicitly tell it to;
default configuration, and widespread practice, is to run it over UDP.

- Matt




Re: Comcast Bussiness Class and GRE Tunnels

2011-07-27 Thread Matthew Palmer
On Wed, Jul 27, 2011 at 12:30:36PM +0300, Denys Fedoryshchenko wrote:
 On Wed, 27 Jul 2011 19:23:33 +1000, Matthew Palmer wrote:
 On Wed, Jul 27, 2011 at 12:17:16PM +0300, Denys Fedoryshchenko wrote:
 I can recommend you to try to use openvpn, if you are Mikrotik
 only. At least it doesn't have fragmentation issues, as
 IPIP/GRE/PPTP has, and also it will run smoothly over NAT/SPI. Cons,
 that it is a bit more laggy, because it runs over TCP.
 
 Au contraire, OpenVPN only runs over TCP if you explicitly tell it
 to;
 default configuration, and widespread practice, is to run it over
 UDP.

 On Linux, yes, it is by default configuration is UDP, but in current
 case , on Mikrotik, it is working _only_ in TCP mode, and has few
 more limitations.
 http://forum.mikrotik.com/viewtopic.php?f=1t=20537

WT*F*?  I've never understood the appeal of Mikrotik, and now I understand
it even less.

- Matt




Re: Address Assignment Question

2011-06-20 Thread Matthew Palmer
On Mon, Jun 20, 2011 at 09:26:30AM -0400, Steve Richardson wrote:
 Hi Jason,
 
 On Mon, Jun 20, 2011 at 9:06 AM, Jason Baugher ja...@thebaughers.com wrote:
  Did everyone miss that the customer didn't request a /24, they requested a
  /24s worth in even more dis-contiguous blocks. I can only think of one
  reason why a customer would specifically ask for that. They are concerned
  that they'll get blacklisted. They're hoping if they do, it will be a small
  block of many rather than one entire block.
 
  When customers make strange requests without giving a good explanation, I
  have to assume they're up to something.
 
  Jason
 
 They provided an explanation, describing how the IPs were going to be
 used.  Yes, part of it does have to do with being blocked, which
 *definitely* concerns me.  One thing they do say is that they need
 several IPs per block to assign to their MTAs to handle such a large
 amount of email (3 to 5 million per day).  Being primarily focused on
 layers 1 through 4, I don't have an incredible amount of experience
 with high volume email server configuration, so I have no idea if they
 are feeding me a line of BS or not.

I've worked at a company that did managed services (including the pipe and
address range) of a legitimate bulk mailer[1], and the logic provided to
you is legit, as far as it goes -- that is to say, what they're saying is
probably why they really want the space (whether it's a legitimate
justification for the allocation of IP space as per current policies is a
different matter).

Basically, what your customer wants is to evade big e-mail providers'
anti-spam measures.  From their perspective, of course, I'm sure they think
they're doing the right thing, and the people they're delivering to
really, really want this e-mail, and it's just the nasty e-mail provider
getting in the way.

As I understand it, a common technique at these big providers is to have
reputation for IP addresses by spamminess, as an element of the overall
determination of whether a particular e-mail is spam.  If an address doesn't
have a reputation (yet), then it's rate limited, to limit the damage that a
new spammer can do before the e-mail provider gets feedback (from users)
about whether the e-mail they're getting is spam or not.  This reputation
score (presumably) extends to the /24 (and probably, to a lesser extent, the
WHOIS block, but I'm not as confident about that bit).

What makes me think you're being scammed is that, for all the troubles we
had with our customer, they never needed more address space once they'd
gotten a good reputation for their initial allocation.  Maybe my customer
just didn't grow as much as yours did, so their spamcannon didn't need any
more barrels.  Still, I'm led to believe that once an IP address has good
reputation, it should be effectively unlimited, so if they need more
addresses it's because the current ones don't have real good rep...

 My feeling is that (paraphrasing here) we might get blocked
 occasionally and we need this many IPs on our MTAs because they
 can't handle the load are *not* legitimate reasons for requesting so
 many addresses.

You are correct; as far as I know ARIN doesn't take those as valid
justifications if you need to go back to them for more space, so you can't
either.

At this point they've admitted to you that they're shitting on your good
name, and setting you up for headaches down the line (dealing with
complaints from people who don't like their spam, having to clean up the IP
addresses they discard when they're useless (or they leave).  In techie
utopia, you'd be able to sting them a fairly hefty surety to cover the costs
associated with cleaning up their shit -- and then tell them that the IP
addresses they've already got are enough, and if they need more capacity, 
they should clean up the addresses they've got.

In reality, though, unless you've got management with a far more cavalier
attitude to revenue than mine did, they won't do anything to piss off a
customer who is, in their eyes, quite the cash cow.  I'm mildly surprised
that you got to evaluate their address request to the degree you have; I
predict that any attempts to actually deny them more space (let alone
extract additional compensation for their destruction of your resources)
will be overridden by management.

- Matt

[1] I use scare quotes because as far as I'm concerned, if your business
model is based on sending lots of e-mail, sooner or later you're going to be
sending spam because that's what makes you the money.  If you didn't
personally collect the addresses, you're in for a world of hurt, and if you
don't know that, you don't deserve to be in the business of bulk e-mail, and
if you do know that, then at best you're a spammer-by-proxy.


-- 
Q: Why do Marxists only drink herbal tea?
A: Because proper tea is theft.
-- Chris Suslowicz, in the Monastery
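The reputation-and-rate-limit scheme Matt sketches above (score per IP, fall back to the enclosing /24, throttle senders with no history until user feedback has built one), as an added Python illustration that is not code from the thread or from any mail provider. The thresholds, the /24 aggregation key and the sample addresses are assumptions constructed for the example; it also shows why a fresh address in an already-dirty /24 buys the sender nothing.

```python
"""
Added illustration (not from the thread) of per-IP sender reputation with a
/24 fallback and rate limiting of unknown senders.  All thresholds and
addresses are assumptions chosen for the example.
"""
import ipaddress
from collections import defaultdict


class SenderReputation:
    def __init__(self, unknown_limit=50, min_feedback=20, spam_threshold=0.10):
        # key (IP or /24) -> [messages with feedback, messages reported as spam]
        self.stats = defaultdict(lambda: [0, 0])
        self.unknown_limit = unknown_limit      # msgs/hour from an IP with no history
        self.min_feedback = min_feedback        # feedback needed before a score counts
        self.spam_threshold = spam_threshold    # complaint ratio above which we reject
        self.hourly = defaultdict(int)          # per-IP counter for the current hour

    @staticmethod
    def net24(ip):
        """Aggregation key: the /24 containing `ip` (assumed granularity)."""
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def score(self, key):
        """Complaint ratio for `key`, or None if there is not enough feedback yet."""
        delivered, spam = self.stats[key]
        if delivered < self.min_feedback:
            return None
        return spam / delivered

    def decide(self, ip):
        """Return 'accept', 'ratelimit' or 'reject' for one inbound message."""
        rep = self.score(ip)
        if rep is None:
            rep = self.score(self.net24(ip))    # no history for the IP: use its /24
        if rep is None:
            # Nobody knows this sender: let a trickle through so feedback can form.
            self.hourly[ip] += 1
            return "accept" if self.hourly[ip] <= self.unknown_limit else "ratelimit"
        return "reject" if rep > self.spam_threshold else "accept"

    def feedback(self, ip, is_spam):
        """Record one delivered message and whether the recipient flagged it."""
        for key in (ip, self.net24(ip)):
            self.stats[key][0] += 1
            self.stats[key][1] += int(is_spam)


def run_scenario():
    """Constructed sample traffic; returns the decisions for a set of senders."""
    rep = SenderReputation(unknown_limit=5, min_feedback=10)
    good, spammy, fresh = "192.0.2.10", "198.51.100.7", "192.0.2.11"
    for i in range(50):                 # good sender: 50 delivered, 1 complaint
        rep.feedback(good, i == 0)
    for i in range(30):                 # spammy sender: 30 delivered, 12 complaints
        rep.feedback(spammy, i < 12)
    return {
        "good": rep.decide(good),                       # 0.02 complaint ratio
        "spammy": rep.decide(spammy),                   # 0.40 complaint ratio
        "fresh_in_good_24": rep.decide(fresh),          # inherits 192.0.2.0/24's score
        "unknown_burst": [rep.decide("203.0.113.9") for _ in range(7)],
        "new_barrel_in_spam_24": rep.decide("198.51.100.8"),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The last two entries are the point of the thread: an address nobody has seen gets only a trickle until feedback accumulates, and a new address inside a /24 that already has a bad complaint ratio is rejected outright, so adding "barrels" does not help a sender whose existing space is dirty.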




Re: ICANN to allow commercial gTLDs

2011-06-19 Thread Matthew Palmer
On Sun, Jun 19, 2011 at 08:22:17PM -0400, Jay Ashworth wrote:
 - Original Message -
  From: Paul Vixie vi...@isc.org
 
  inevitably there will be folks who register .FOOBAR and advertise it as
  http://foobar/ on a billboard and then get burned by all of the local
  foobar.this.tld and foobar.that.tld names that will get reached
  instead of their TLD. i say inevitable; i don't know a way to avoid it
  since there will be a lot of money and a lot of people involved.
 
 I think it's probably worse than that, since a lot of the companies who might
 be foolish enough to try that *are companies that make stuff that's on your
 LAN*... and what are you going to name the *one* Apple server that's on your
 LAN in your internal DNS?
 
 Of course; you're gonna call it apple.

And it only gets better from there... how many places have various cutesy
naming schemes that might include one or more trademarks (or whatever) that
someone might want as a TLD?  A naming scheme involving fruit would cover
your apple example, but I'd bet that someone, somewhere, names their
servers after fast food restaurants or brands of shoe...  and I'm confident
in predicting that there are plenty of cartoon characters that some company
or another will want to turn into a TLD.

- Matt

-- 
When all you have is a nailgun, every problem looks like a messiah.
-- Iain Chalmers, ASR




Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-19 Thread Matthew Palmer
On Mon, Jun 20, 2011 at 02:08:18AM +, Paul Vixie wrote:
  From: David Conrad d...@virtualized.org
  Date: Sun, 19 Jun 2011 16:04:09 -1000
  
  On Jun 19, 2011, at 3:24 PM, Paul Vixie wrote:
  
   i think we have to just discourage lookups of single-token names,
   universally.
  
  How?
 
 that's a good question.  marka mentioned writing an RFC, but i expect
 that ICANN could also have an impact on this by having applicants sign
 something that says i know that my single-label top level domain name
 will not be directly usable the way normal domain names are and i intend
 to use it only to register subdomain names which will work normally.

Whilst we can dream that that will work, I don't think it'll actually last
very long in the face of determined marketing department pressure; also,
unless that agreement also says I agree to pay the additional costs borne
by any party on the Internet that result from my failure to adhere to this
agreement, it's worthless.  Are your customers going to call Sony when they
put http://sony/ into their web browser and it doesn't work?  Hell no. 
They're going to call your helpdesk, and it's going to tie up a non-trivial
amount of engineer time either renaming things or reconfiguring the client
machine to make that URL work as the user expects it to.

- Matt

-- 
It fsck's the volume or it gets the format again.
-- Don Quixote, in the Monastery




Re: The stupidity of trying to fix DHCPv6

2011-06-12 Thread Matthew Palmer
On Sun, Jun 12, 2011 at 01:04:41PM +0200, Iljitsch van Beijnum wrote:
 On 12 jun 2011, at 12:35, Daniel Roesen wrote:
 
  Could you point to any RFC which implies or explicitly states that
  DHCPv6 MUST NOT be used in absence of RA with M and/or O=1?
 
 But what's the alternative? Always run DHCPv6 even if there are no router
 advertisements or router advertisements with O=0, M=0?

That would seem to be the logical outcome, yes.

 Like I said before, that would pollute the network with many multicasts
 which can seriously degrade wifi performance.

Regardless of its potential downsides, the issue at hand was the RFC
compliance of such a setup.  Owen DeLong contended that:

On Fri, Jun 10, 2011 at 09:12:26PM -0700, Owen DeLong wrote:
 As it currently stands, an RFC-compliant host will not attempt to solicit
 a DHCP response unless it receives an RA with the M inclusive-or O bits
 set.

Daniel was merely requesting a reference for that assertion.  If you have
one, I'm sure Daniel (and Owen) would appreciate it.

- Matt



Re: IPv6 and DNS

2011-06-12 Thread Matthew Palmer
On Sun, Jun 12, 2011 at 09:38:32AM -0300, Fabio Mendes wrote:
 2011/6/11 Matthew Palmer mpal...@hezmatt.org
  The router isn't assigning an address, it's merely telling everyone on the
  segment what the local prefix and default route is.  As such, there's no
  reason why the router should try to register a DNS entry.
 
  On the other hand, the host could (and should) register its address with
  whatever DNS server handles its name.  The protocol for such is already
  standardised and should be independent of IPv4/IPv6.
 
 I was thinking about something like this, it looks the natural way to go,
 but isn't too dangerous allow hosts to update entries (even if it's their
 own)  in an DNS server ?

What are the hazards and risks?

 I preferred to believe that a router would do this because routers are
 considered to be more reliable than a hosts.

Reliable, or trusted?

 Do you mind to point me out where can I find infos about this protocol that
 is being standardised ?

RFC2136.

- Matt



Re: IPv6 and DNS

2011-06-12 Thread Matthew Palmer
On Sun, Jun 12, 2011 at 08:59:50AM -0500, Jimmy Hess wrote:
 On Sat, Jun 11, 2011 at 9:04 PM, Matthew Palmer mpal...@hezmatt.org wrote:
  The router isn't assigning an address, it's merely telling everyone on the
  segment what the local prefix and default route is.  As such, there's no
  reason why the router should try to register a DNS entry.
 
 However, it would be logical to extend the DHCPv6 protocol to allow for
 registration of the workstation address in DNS by the DHCPv6 management
 server  to be requested (similar to DHCPv4).

I don't believe we were talking about DHCPv6, we were talking about SLAAC. 
And I *still* think it's a better idea for the client to be registering
itself in DNS; the host knows what domain(s) it should be part of, and hence
which names refer to itself and should be updated with its new address.

- Matt



Re: Yup; the Internet is screwed up.

2011-06-12 Thread Matthew Palmer
On Sun, Jun 12, 2011 at 11:04:46AM -0600, Christopher J. Pilkington wrote:
 On Jun 11, 2011, at 7:07 PM, Roy wrote:
 
  On 6/11/2011 4:29 PM, Christopher Pilkington wrote:
  Options seem to be limited to HughesNet and dial for the moment, but
  things may change if I put a tower on the property. HughesNet seems to
  relax its bandwidth cap between 2am and 7am, which is helpful, but
  still a great shift from what I'm used to at the current residence
  (15/2).
  
  
  No 3G cellphone service?
 
 3G at this location is marginal at best (stand on a hill and hold the
 phone up above your head.)
 
 That said, are there 3G radios that permit external antennas or are well
 suited to being sealed up in a weatherproof box and being placed on a
 pole/tower?

The little USB stick I just retired in favour of tethering (Huawei U160(?);
I can dig up the model number if it's important) has a tiny antenna
connection port.  I've seen people on the train with a small flat antenna
hooked up to these sorts of devices; I'd assume that there are big-ass
antennas that are much more efficient and more suitable for permanent
mounting somewhere useful.

- Matt




Re: The stupidity of trying to fix DHCPv6

2011-06-12 Thread Matthew Palmer
On Sun, Jun 12, 2011 at 08:12:02PM +0200, Iljitsch van Beijnum wrote:
 On 12 jun 2011, at 15:45, Leo Bicknell wrote:
 
  Like I said before, that would pollute the network with many multicasts 
  which can seriously degrade wifi performance.
 
  Huh?  This is no worse than IPv4 where a host comes up and sends a
  subnet-broadcast to get DHCP.
 
 The IPv4 host does this once and gets its lease. If there is no DHCPv6
 server then DHCPv6 clients would keep broadcasting forever.  Not a good
 thing.

You're not working from comparable situations.  An IPv4 network without a
DHCP server will probably have lots of IPv4 hosts banging out broadcast
packets constantly as well.

- Matt


-- 
A committee is a cul-de-sac down which ideas are lured and then quietly
strangled.
-- Sir Barnett Cocks (1907-1989) (QOTD 20 Feb 2003)




Re: IPv6 and DNS

2011-06-12 Thread Matthew Palmer
On Sun, Jun 12, 2011 at 01:46:20PM -0400, Jeff Kell wrote:
 On 6/12/2011 11:44 AM, Matthew Palmer wrote:
  I don't believe we were talking about DHCPv6, we were talking about SLAAC.
  And I *still* think it's a better idea for the client to be registering
  itself in DNS; the host knows what domain(s) it should be part of, and hence
  which names refer to itself and should be updated with its new address.
 
 Register with what/which DNS?   If no DHCPv6, no DNS information has
 been acquired, so you're doing the magical anycast/multicast.

RFC6106, or local recursive resolver.  Also, recursive resolution is not the
same as DDNS registration with an authoritative server.

 Not a fan of self-registration, in IPv4 we have DHCP register the DDNS
 update; after all, it just handed out an address for a zone/domain that
 *it* knows for certain. 

No, it handed out *an* *address*.  Assuming that everything that wants an
address also wants the whole shebang is a whole other issue.

 The host knows what domains it should be part of ??  Perhaps a server
 or a fixed desktop, but otherwise (unless you're a big fan of
 ActiveDirectory anywhere) the domain is relative to the environment you
 just inherited. 

No it isn't.  If I want someone to talk to my laptop, and I happen to be
roadwarrioring at a client site, do I want to say hey, just hit
floozy.hezmatt.org, or do I want to have to ask someone what domain will
my laptop be registered as? and then work it out from there?

 Letting any host register itself in my domain from any address/location
 is scary as heck :) 

So don't do that, then.  Only let hosts that you want to have in your domain
register whatever their current address is.

- Matt

-- 
A polar bear is a rectangular bear after a coordinate transform.




Re: IPv6 and DNS

2011-06-12 Thread Matthew Palmer
On Mon, Jun 13, 2011 at 09:56:59AM +1000, Karl Auer wrote:
 On Mon, 2011-06-13 at 01:44 +1000, Matthew Palmer wrote:
  And I *still* think it's a better idea for the client to be
  registering itself in DNS; the host knows what domain(s) it should be
  part of, and hence which names refer to itself and should be updated
  with its new address.
 
 Having tried that, we ended up doing it via DHCP (v4 at the time).
 
 We only had probably 15-20K hosts trying to register their names, but
 the results were sobering. At a rough estimate, one in a hundred was
 properly configured. We saw obscenities, random strings, thousand-byte
 names, empty names, invalid names, names with a hundred labels, my name
 is Andrew - you name it, it came and tried to register itself.

Why were you letting such ill-configured clients register themselves in your
DNS?

 And then there were the clients. Clients that tried as fast as they
 could to register their name dozens of times per second, clients that
 tried to register many names, clients that registered and then
 immediately deregistered their names, clients that never deregistered
 their names at all, clients that tried to register important names like
 www.ourdomain, clients that had completely broken protocol support...

Ibid.

 So we moved the job to the DHCP server, and most of the problems went
 away. The server got the desired name from the client, could check it
 for some level of sanity and could register it properly. The server
 could also deregister the names when the clients went away, or at least
 at the end of the lease period. Most hosts *did* speak the DHCP protocol
 adequately well. Instead of having to allow open slather, we could allow
 just two hosts to make TSIG-protected updates. The logs became useful
 again.

But if I come to roadwarrior in your network, I'd have to allow updates from
your DHCP server, and your DHCP server would have to be sending those
updates.  Similarly, if your clients go roadwarrioring elsewhere, the same
(or, rather, inverse) configuration would have to be done there.

 So although YMMV, I can highly recommend letting your DHCP servers do
 DDNS instead of letting the clients do it themselves. No doubt it
 depends on a multitude of factors, not least being whether you actually
 use DHCP, but in general, it worked a LOT better for us.

If you've just got a single-location, never-goes-anywhere network and client
list, sure you can just get the DHCP server to do the registration.  But if
you've got that setup, DDNS isn't needed at all -- your set of hosts,
addresses, and names is fixed sufficiently that you can just statically
allocate everything.

- Matt
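The two positions in this exchange (clients registering themselves versus a DHCP server doing it) both come down to a gate in front of the RFC 2136 update path: who may update which names, what counts as a sane name, and how often. The following is an added Python example, not code from the thread, that models that gate and rejects the kinds of junk Karl lists (empty and oversized names, names with dozens of labels, reserved names like www) while letting an allow-listed roaming host keep its own name current. The zone, the client identities, the allow-list and the rate figures are assumptions.

```python
"""
Policy front-end for RFC 2136 dynamic updates (added example, not the thread
author's code).  A client identity here stands for whatever authenticated the
update, e.g. a TSIG key name; the zone, allow-list and limits are assumptions.
"""
import re
import time
from collections import defaultdict

# RFC 1123 host label: letters, digits, hyphen; no leading/trailing hyphen; <= 63 octets
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)
MAX_NAME_LEN = 253
MAX_LABELS = 4                         # labels below the zone; hundred-label names are junk
RESERVED = {"www", "mail", "ns1", "ns2", "mx", "ftp", "localhost"}  # assumed list


class RegistrationError(Exception):
    pass


class DdnsPolicy:
    def __init__(self, zone, allowed_clients, max_updates=3, window=60.0,
                 clock=time.monotonic):
        self.zone = zone.rstrip(".").lower()
        # client identity -> set of owner names it may update (assumed shape)
        self.allowed = {k: {n.lower() for n in v} for k, v in allowed_clients.items()}
        self.max_updates, self.window, self.clock = max_updates, window, clock
        self.history = defaultdict(list)     # client -> timestamps of accepted updates

    def validate_name(self, fqdn):
        """Return the canonical owner name or raise; syntax and zone checks only."""
        name = fqdn.rstrip(".").lower()
        if not name or len(name) > MAX_NAME_LEN:
            raise RegistrationError("empty or oversized name")
        if not name.endswith("." + self.zone):
            raise RegistrationError(f"{name} is not inside zone {self.zone}")
        labels = name[:-len(self.zone) - 1].split(".")
        if len(labels) > MAX_LABELS:
            raise RegistrationError("too many labels")
        for label in labels:
            if not LABEL_RE.match(label):
                raise RegistrationError(f"invalid label {label!r}")
        if labels[-1] in RESERVED:           # the label directly under the zone apex
            raise RegistrationError(f"{labels[-1]} is reserved")
        return name

    def check_rate(self, client):
        """Sliding-window limit on accepted updates per client."""
        now = self.clock()
        recent = [t for t in self.history[client] if now - t < self.window]
        if len(recent) >= self.max_updates:
            raise RegistrationError("update rate exceeded")
        recent.append(now)
        self.history[client] = recent

    def authorize(self, client, fqdn):
        """Return the name if `client` may register `fqdn` right now, else raise."""
        name = self.validate_name(fqdn)
        if name not in self.allowed.get(client, ()):
            raise RegistrationError(f"{client} may not update {name}")
        self.check_rate(client)
        return name


def run_sample():
    """Constructed batch of update attempts; returns [(client, name, outcome)]."""
    policy = DdnsPolicy("example.net",
                        {"floozy-key": ["floozy.example.net"],
                         "dhcp1-key": ["pc17.example.net", "pc18.example.net"]},
                        max_updates=2, window=60.0, clock=lambda: 1000.0)
    attempts = [
        ("floozy-key", "floozy.example.net"),            # roaming laptop, its own name
        ("floozy-key", "www.example.net"),               # reserved name
        ("dhcp1-key", "pc17.example.net"),
        ("dhcp1-key", "pc19.example.net"),               # not on its allow-list
        ("dhcp1-key", "my name is andrew.example.net"),  # spaces: invalid label
        ("dhcp1-key", "a." * 60 + "example.net"),        # 60 labels
        ("dhcp1-key", "pc18.example.net"),
        ("dhcp1-key", "pc18.example.net"),               # third update inside the window
        ("dhcp1-key", ""),                               # empty name
    ]
    results = []
    for client, name in attempts:
        try:
            results.append((client, name, "ok:" + policy.authorize(client, name)))
        except RegistrationError as e:
            results.append((client, name, "rejected:" + str(e)))
    return results


if __name__ == "__main__":
    for client, name, outcome in run_sample():
        print(f"{client:12} {name[:40]!r:44} {outcome}")
```

Whether the allow-list entry is a per-host TSIG key (Matt's roaming laptop) or a DHCP server's key covering the names it leases (Karl's setup) is a deployment choice; the validation and rate logic is the same either way, and only validated, authorized names ever reach the authoritative server.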




Re: Yup; the Internet is screwed up.

2011-06-11 Thread Matthew Palmer
On Sat, Jun 11, 2011 at 02:34:10AM -0700, Jeroen van Aart wrote:
 Ricardo Ferreira wrote:
 Funny, how in the title refers to the Internet globally when the article is
 specific about the USA.
 
 I live in europe and we have at home 100Mbps . Mid sized city of 500k
 people. Some ISPs even spread WiFi across town so that subscribers can have
 internet access outside their homes.
 
 Though it's nice to have why would one *need* 100 Mbps at home? I
 understand the necessity of internet access and agree everyone has a
 right to it. But that necessity can be perfectly fulfilled with a
 stable internet connection of a reasonable speed (say low to mid
 range DSL speed tops).
 
 I don't regard simultaneously streaming 6 channels of TV and
 downloading the latest movie torrent in 2 minutes as a basic
 necessity, let alone essential.

Well, you probably live in a premises with only a couple of people.  A
household with the standard 2.3 kids might need to stream 4.3 TV channels,
and it'd be nice if that didn't have an adverse impact on other traffic (an
incoming SIP call or two, and useful work).

- Matt



Re: IPv6 and DNS

2011-06-11 Thread Matthew Palmer
On Sat, Jun 11, 2011 at 10:30:26PM -0300, Fabio Mendes wrote:
 Firstly, sorry if this may sound too newbie for the list. Reading the
 discussion about dhcpv6 vs RAs, this question just popped in my mind.
 
 It seems that most of IPv6 addressing for hosts will be choosed using EUI-64
 method. Considering that no one (specially endusers) will bother to memorize
 an IPv6 prefix plus a mac address, integration between DNS servers and
 routers/dhcpv6 servers will be crucial.
 
 For dhcp there is already a mechanism for updating names in the DNS server
 for dynamically assigned IPs. I suppose it will be used (use some
 modifications) for IPv6.
 
 However, I never heard of anything similar for routers (in the case of
 autoconfigured addresses).
 
 Are there any dns servers that support updates from routers ?

The router isn't assigning an address, it's merely telling everyone on the
segment what the local prefix and default route is.  As such, there's no
reason why the router should try to register a DNS entry.

On the other hand, the host could (and should) register its address with
whatever DNS server handles its name.  The protocol for such is already
standardised and should be independent of IPv4/IPv6.

- Matt



Re: Strongest Solar Tsunami in Years to Hit Earth Today

2011-06-10 Thread Matthew Palmer
On Fri, Jun 10, 2011 at 03:22:59PM +0300, Hank Nussbacher wrote:
 http://www.ibtimes.com/articles/159964/20110609/nasa-solar-flare-tsunami-earth-sun-radio-satellite-interference-aurora-displays-coronal-mass-ejectio.htm

Someone should tell the IB Times that "tsunami" doesn't mean "anything big
and destructive".  Oh, and that popup ads are *so* 1997.

- Matt



Re: The stupidity of trying to fix DHCPv6

2011-06-10 Thread Matthew Palmer
On Fri, Jun 10, 2011 at 07:53:36AM -0700, Owen DeLong wrote:
 On Jun 10, 2011, at 7:47 AM, Leo Bicknell wrote:
  In a message written on Fri, Jun 10, 2011 at 10:34:57AM -0400, Ray Soucy 
  wrote:
  Also agree that I want flexibility to use RA or DHCPv6; the
  disagreement is that RA needs to be removed or changed from IPv6.
  Don't go breaking my IPv6 stack for your own ambitions, please.
  
  I want that flexability as well, but the IETF won't deliver.
  
  The two options delivered so far are:
  
  RA's only.
 
 Only sort of... This only works if you don't want to auto-configure things 
 like DNS,
 NTP, etc.
 
 I would like to see both protocols made optionally complete, so, in addition
 to fixing DHCPv6 by adding routing information options, I'd also like to
 see something done where it would be possible to add at least DNS
 servers to RA.

RFC6106... the future is nooow...

I like it, inasmuch as I don't need to run a separate DHCPv6 server on a
simple network, but that'd be equally solved by merging radvd into the DHCP
server and just running that.  The client-side configuration is annoying for
RDNSS.

- Matt
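RFC 6106 adds two Router Advertisement options, RDNSS (type 25, resolver addresses) and DNSSL (type 31, search list), which is what radvd emits and what a client-side daemon has to parse. As an added example that is not code from the thread, radvd or any client implementation, the Python below builds both options for a constructed prefix and parses them back with the length checks from the RFC, so a malformed or truncated RA cannot be turned into a bogus resolver list. The addresses and domain names are sample data.

```python
"""
RFC 6106 RA options: RDNSS (type 25) and DNSSL (type 31).
Added example, not from the thread or from radvd/rdnssd.  Builds the options
a router would append to an RA and parses them back the way a client must,
with the length sanity checks from RFC 6106 s5.1/s5.2 and RFC 4861 s4.6.
Addresses and names are constructed sample data.
"""
from __future__ import annotations

import ipaddress
import struct

ND_OPT_RDNSS = 25
ND_OPT_DNSSL = 31


def encode_name(name: str) -> bytes:
    """DNS wire-format encoding (RFC 1035 labels) of one search-list domain."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_names(buf: bytes) -> list[str]:
    """Decode zero or more wire-format names; trailing zero padding is ignored."""
    names, i = [], 0
    while i < len(buf):
        if buf[i] == 0:              # padding octet: skip
            i += 1
            continue
        labels = []
        while i < len(buf) and buf[i] != 0:
            n = buf[i]
            if n > 63 or i + 1 + n > len(buf):
                raise ValueError("truncated or oversized label")
            labels.append(buf[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        i += 1                       # terminating zero
        names.append(".".join(labels))
    return names


def build_rdnss(servers: list[str], lifetime: int) -> bytes:
    """RDNSS: type, length (8-octet units), reserved(2), lifetime(4), N x IPv6."""
    body = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    length = 1 + 2 * len(servers)   # 8-octet header plus 16 octets per address
    return struct.pack("!BBHI", ND_OPT_RDNSS, length, 0, lifetime) + body


def build_dnssl(domains: list[str], lifetime: int) -> bytes:
    """DNSSL: same header, payload is wire-format names zero-padded to 8 octets."""
    body = b"".join(encode_name(d) for d in domains)
    body += b"\x00" * (-len(body) % 8)
    length = 1 + len(body) // 8
    return struct.pack("!BBHI", ND_OPT_DNSSL, length, 0, lifetime) + body


def parse_ra_options(options: bytes) -> list[tuple[int, int, list[str]]]:
    """Walk the RA option TLVs; return (type, lifetime, values) for RDNSS/DNSSL.

    Unknown option types are skipped (RFC 4861); a zero length is a protocol
    violation and aborts parsing, since honouring it would loop forever.
    """
    out, i = [], 0
    while i + 2 <= len(options):
        otype, olen = options[i], options[i + 1]
        if olen == 0:
            raise ValueError("option length 0 (RFC 4861 forbids this)")
        size = olen * 8
        if i + size > len(options):
            raise ValueError("option runs past end of packet")
        opt = options[i:i + size]
        if otype == ND_OPT_RDNSS:
            # RFC 6106 s5.1: length >= 3 and odd (8-octet header + 16-octet addresses)
            if olen < 3 or olen % 2 == 0:
                raise ValueError(f"RDNSS length {olen} invalid")
            lifetime = struct.unpack("!I", opt[4:8])[0]
            addrs = [str(ipaddress.IPv6Address(opt[k:k + 16]))
                     for k in range(8, size, 16)]
            out.append((otype, lifetime, addrs))
        elif otype == ND_OPT_DNSSL:
            if olen < 2:                         # RFC 6106 s5.2
                raise ValueError(f"DNSSL length {olen} invalid")
            lifetime = struct.unpack("!I", opt[4:8])[0]
            out.append((otype, lifetime, decode_names(opt[8:])))
        i += size
    return out


# Constructed sample: the option bytes a router configured with two resolvers
# and a two-entry search list would append to its RAs (600 s lifetime).
SAMPLE_OPTIONS = (build_rdnss(["2001:db8:1::53", "2001:db8:1::54"], 600)
                  + build_dnssl(["example.net", "corp.example.net"], 600))

if __name__ == "__main__":
    for otype, lifetime, values in parse_ra_options(SAMPLE_OPTIONS):
        print(otype, lifetime, values)
```

A lifetime of 0 means "stop using these", and a client is expected to expire entries whose lifetime has run out rather than keep the last resolver it heard about; that expiry bookkeeping (and the fact that unauthenticated RAs on a LAN can set any resolver they like, the same exposure as rogue RAs in general) is the part the client-side daemon has to get right beyond the parsing shown here.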



Re: Why don't ISPs peer with everyone?

2011-06-07 Thread Matthew Palmer
On Tue, Jun 07, 2011 at 10:15:48AM -0400, Drew Weaver wrote:
 -Original Message-
 From: Jon Lewis [mailto:jle...@lewis.org] 
 Sent: Tuesday, June 07, 2011 10:00 AM
 
 -snip-
 
 I manage a network that's primarily a hosting network.  There's a similar 
 hosting network at the other end of the building.  We both have multiple 
 gigs of transit.  We don't peer with each other.  Perhaps we should, 
 because the cost of the connection would be negligible (I think we already 
 have multiple fiber pairs between our suites), but looking at my sampled 
 netflow data, I'm guessing we average about 100kbit/s or less traffic in 
 each direction between us.  At that low a level, is it even worth the time 
 and trouble to coordinate setting up a peering connection, much less 
 tying up a gigE port at each end?
 -
 
 100kbit/s at 1ms is better than 100kbit/s at >1ms.

True, but the point being made is: how *much* better?  Is it enough better
to justify the cost of installing and maintaining another peering link?

- Matt

-- 
Ah, the beauty of OSS. Hundreds of volunteers worldwide volunteering their
time inventing and implementing new, exciting ways for software to suck.
-- Toni Lassila, in the Monastery



Re: blocking unwanted traffic from hitting gateway

2011-05-18 Thread Matthew Palmer
On Wed, May 18, 2011 at 09:42:03AM -0300, Rogelio wrote:
 I've got about 1000 people hammering a Linux gateway with http
 requests, but only about 150 of them are authenticated users for the
 ISP.

Are you the ISP, or someone else?  Why is the gateway caring that the
requests are HTTP?  Is it also an HTTP server (and if so, does it matter
that it's a gateway?)

 Once someone authenticates, then I want their traffic to pass through
 okay.  But if they're not an authenticated user, I would like to
 ideally block those http requests (e.g. Google updater, AV scanners,
 etc) from ever tying up my web server.

What authentication mechanism are acceptable?  HTTP at the request level,
captive portal, custom app, etc etc etc.

 Is there some sort of box I could put in front (e.g. OpenBSD pf in
 transparency mode) or maybe some sort of filter on the webserver?

What risk or problem are you actually trying to mitigate against?  Sure, you
can put all sorts of things in front of it or on it, but are you just going
to be moving the problem (whatever it may be) to another box, adding
complexity for no good reason?

 This solution would need to be tied into the authentication services
 so authenticated users hit the gateway.

You might want to mention what authentication services you're using if you
want any useful recommendation about tying into it.

- Matt

-- 
The hypothalamus is one of the most important parts of the brain, involved
in many kinds of motivation, among other functions. The hypothalamus
controls the Four F's: 1. fighting; 2. fleeing; 3. feeding; and 4. mating.
-- Psychology professor in neuropsychology intro course



Re: Yahoo and IPv6

2011-05-10 Thread Matthew Palmer
On Tue, May 10, 2011 at 11:22:54AM -0700, Owen DeLong wrote:
 On May 10, 2011, at 9:32 AM, Igor Gashinsky wrote:
  On Tue, 10 May 2011, valdis.kletni...@vt.edu wrote:
   :: On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:
   ::  The time for finger-pointing is over, period, all we are all trying to do
   ::  now is figure out how to deal with the present (sucky) situation. The
   ::  current reality is that for a non-insignificant percentage of users when
   ::  you enable dual-stack, they are going to drop off the face of the planet.
   ::  Now, for *you*, 0.026% may be insignificant (and, standalone, that number
   ::  is insignificant), but for a global content provider that has ~700M users,
   ::  that's 182 *thousand* users that *you*, *through your actions* just took
   ::  out.. 182,000 - that is *not* insignificant
   :: 
   :: At any given instant, there's a *lot* more than 182,000 users who are cut off
   :: due to various *IPv4* misconfigurations and issues.
  
  Yes, but *these* 182,000 users have perfectly working ipv4 connectivity, 
  and you are asking *me* to break them through *my* actions. Sorry, that's 
  simply too many to break for me, without a damn good reason to do so.
  
 In other words, Igor can't turn on AAAA records generally until there are
 182,001 IPv6-only users that are broken from his lack of AAAA records.

There may be something stupid I haven't considered about this, but wouldn't
a v6-only end user be making their DNS requests over v6 (at least to their
ISP's resolver), and if their provider was nice enough to continue that
v6ness up the chain, wouldn't it be fairly simple (to the point of I'd be
stunned if everyone wasn't already doing this) to say to
Yahoo/Google/whatever's ultra-smart whitelisting DNS servers, v6-whitelist
all v6 DNS requests?

That way, v6-only people are guaranteed to get the AAAA records they so
badly crave, without making an excessive mess for anyone else.

I know this falls down if your v6-only-providing ISP takes your recursive
DNS requests on IPv6 and sends them out via IPv4 even if AAAA records were
available, but why would anyone be that dumb?  Since the initial request
would come in via v6, anything whitelisting in this fashion would be sending
the AAAA records out, so you should never have to fall back to v4 unless
someone isn't providing DNS via v6 at all, and who would willingly have
their site v6 enabled without v6 enabling the DNS?  (Yes, I'm aware of
registrars who don't accept v6 glue, but get your whacking sticks out and
keep whackin' 'til they fix it -- and kudos to gkg.net for having that
sorted *before* I put my first v6 site up).

- Matt

-- 
Ruby's the only language I've ever used that feels like it was designed by a
programmer, and not by a hardware engineer (Java, C, C++), an academic
theorist (Lisp, Haskell, OCaml), or an editor of PC World (Python).
-- William Morgan



Re: Ping - APAC Region

2011-03-29 Thread Matthew Palmer
On Tue, Mar 29, 2011 at 06:33:07PM +0100, Robert Lusby wrote:
 Looking at hosting some servers in Hong Kong, to serve the APAC region. Our
 client is worried that this may slow things down in their Australia region,
 and are wondering whether hosting the servers in an Australian data-centre
 would be a better option.
 
 Does anyone have any statistics on this?

No formal statistics, just a lot of experience.  You may be unsurprised to
learn that serving into Australia from outside Australia is slower than
serving from within Australia.  That being said, there's a fair bit less
distance for the light to travel from Hong Kong or anywhere in the region
than from the US.  That is predicated on having good direct links, which is
eye-wateringly expensive if you're used to US data costs (data going from
China to Australia via San Jose...  aaargh).  Then again, hosting within
Australia is similarly expensive, so splitting your presence isn't going to
help you any from a cost PoV.

Anyone living in this part of the world is used to everything taking a
painful amount of time to load anyway, so unless you're doing something
really latency-critical (online gaming and VoIP are the only things that
leap to mind), hosting in a good west coast DC close to the trans-pacific
links will cost you an order of magnitude less and won't have any noticeable
impact on your visitor satisfaction scores.

 Or ... does anyone know of a ping tool we can use, hosted in Australia?

No shortage of APAC looking glasses / tools listed at traceroute.org.

- Matt

-- 
FreeFrag The most secure computer in the world is one not connected to the
internet.  That's why I recommend Telstra ADSL.
-- bash.org/?168859



Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Matthew Palmer
On Sun, Feb 27, 2011 at 08:56:33AM -0500, Ray Soucy wrote:
 Mac OS X 10.7 does support RDNSS (RFC 5001) so it is able to get DNS
 server information in an IPv6-only environment.  Of course nobody else
 has implemented that yet, making Apple a special case host once
 again (I don't even think Cisco supports the option in their T series
 yet).

radvd and rdnssd work together on Linux nicely to provide RDNSS support. 
Works a treat.

- Matt



Re: quietly....

2011-02-03 Thread Matthew Palmer
On Thu, Feb 03, 2011 at 10:47:50AM -0600, Jack Bates wrote:
 On 2/3/2011 10:30 AM, Iljitsch van Beijnum wrote:
 I'm perfectly happy with an IPv6 network that only has rational
 people on it while those who insist on NAT stay behind on IPv4.
 
 I'm perfectly happy with watching the Internet go to hell; as it has
 been, and IPv6 will just escalate it. :)

I am intrigued by your ideas, and wish to subscribe to your newsletter.

Actually, I must agree that since I've stopped doing IT work professionally,
I've found myself far less emotionally invested in this kind of thing, and
far less worried about the world ending (which, let's face it, it rarely
does).  Does wonders for the blood pressure.

- Matt



Re: quietly....

2011-02-03 Thread Matthew Palmer
On Thu, Feb 03, 2011 at 12:35:46PM -0600, Jack Bates wrote:
 On 2/3/2011 12:17 PM, Owen DeLong wrote:
  Cost of application development
 
 Applications do not have to be written to support NAT (NAT66
 shouldn't find itself in the areas where it's traditionally been a
 problem). The burden should be upon the NAT device to fix any
 issues, and this will be paid for by the few that utilize NAT.

You're joking, right?

  Cost of administration
 
 If I choose to use NAPTv6, it's right to accept this cost. It
 doesn't make someone else pay more for me to administer my firewall.
 
  Cost of operations
 
 If I choose to use NAPTv6, it's right to accept this cost. It
 doesn't make someone else pay more for me to administer my firewall.

Oh wait... you're *serious*?

Have you never in your career come up against another party that says this
is how we do it, and if you want to do business with us you can do it our
way or get stuffed?  All of a sudden, their decision to use NAT and/or do
other spectacularly stupid things with their networks impacts on *me*[1],
and costs *me* money.  It doesn't work out like the optimistic utopia you're
espousing.

- Matt

[1] Is there such thing as a royal me?  There should be.



Re: quietly....

2011-02-03 Thread Matthew Palmer
On Thu, Feb 03, 2011 at 03:20:25PM -0500, Lamar Owen wrote:
 On Thursday, February 03, 2011 02:28:32 pm valdis.kletni...@vt.edu wrote:
  The only reason FTP works through a NAT is because the NAT has already
  been hacked up to further mangle the data stream to make up for the
  mangling it does.
 
 FTP is a in essence a peer-to-peer protocol, as both ends initiate TCP
 streams.  I know that's nitpicking, but it is true.

So is SMTP, by the same token.  Aptly demonstrating why the term P2P is so
mind-alteringly stupid.

- Matt



Re: quietly....

2011-02-02 Thread Matthew Palmer
On Wed, Feb 02, 2011 at 11:45:49PM -0500, Jay Ashworth wrote:
 - Original Message -
  From: Blake Dunlap iki...@gmail.com
 
  On Wed, Feb 2, 2011 at 22:34, Jay Ashworth j...@baylink.com wrote:
  
   I won't run an edge-network that *isn't* NATted; my internal machines
   have no business having publicly routable addresses. No one has *ever*
   provided me with a serviceable explanation as to why that's an
   invalid view.
 
  Quite simply, its called Tragedy of the Commons. Everyone else has to
  work harder to provide you services if you are using something which breaks
  end to end connectivity, which costs everyone else money. The protocol
  designers are making a stand against this for the good of the commons.
 
 You'll have to document everyone has to work harder to provide me services;
 this is not my first rodeo, and TTBOMK, it's *transparent* to the other end
 of any connection out of my edge network that it's NATted at my end.
 
 As for incoming connections, it's transparent to them as well -- and which 
 ones are valid targets for such connections *is a policy decision of
 mine*, not subject to external opinion.

You're thinking too small -- it's not that individual TCP connections have
problems, it's that the ability to solve a given problem using connections
and UDP packets is badly constrained by a lack of end-to-end connectivity. 
The proof is fairly obvious in the number of hacks that have been deployed
to try and get around NAT's inadequacies: Skype supernodes, STUN, all the
various conntrack helpers in netfilters, etc etc etc.

Now, if you decide that none of those applications are important to you,
sure, you can firewall them off as appropriate.  But the pervasive
deployment of NAT means that the set of problems that can be solved is
constrained, and of the problems that *can* be solved, the solutions tend to
be more complicated, harder to implement, understand, and so on, which has a
cost to the community (higher prices, less solved problems, whatever your
desired metric may be).  I think that's what Blake is getting at with his
TotC.

Of course, I'm a tiny bit of a skeptic, as I really can't see how a stateful
firewall can know which other connections / packets are related without a
lot of the same dodgy shenanigans that go on now, but at least if you've
gotten rid of the 1-to-N address mangling a fundamental stumbling block is
removed and people can get on and solve the remaining (tractable) problems.

- Matt



Re: quietly....

2011-02-02 Thread Matthew Palmer
On Thu, Feb 03, 2011 at 12:23:54AM -0500, Jay Ashworth wrote:
 - Original Message -
  From: Matthew Palmer mpal...@hezmatt.org
  Now, if you decide that none of those applications are important to
  you,
  sure, you can firewall them off as appropriate. But the pervasive
  deployment of NAT means that the set of problems that can be solved is
  constrained, and of the problems that *can* be solved, the solutions
  tend to
  be more complicated, harder to implement, understand, and so on, which
  has a
  cost to the community (higher prices, less solved problems, whatever
  your
  desired metric may be). I think that's what Blake is getting at with
  his TotC.
 
 Perhaps.  I'm not sure that the collective importance of that difficulty
 outweighs the collective danger of making all nodes of the Internet *as it
 presently exists* publicly routable.

Well, technically, nodes aren't routable, addresses are... and I don't even
see any danger in the mere existence of a valid route to a host.  The danger
exists when that host is not sufficiently secured (be it via firewall,
sensible configuration, whatever).

 I don't know whether it's occurred to people that if you make every node
 on the present day Internet routable, then *you've made every node on the
 present day Internet routable*; the number of machines subject to 
 more or less direct attack goes up (by a jackleg estimate I've just now
 made up) by between 3 and 5 orders of magnitude.
 
 I make jackleg estimates all the time; I don't believe I've ever had to 
 say 5 orders of magnitude.

I'm willing to bet you're being deeply optimistic (pessimistic?) with that
estimate; if your estimate were accurate, it would mean that for every
publicly addressed device there are between 1,000 and 100,000 privately
addressed nodes.  I *really* don't think that's plausible.

At any rate, I think the days of severely broken IP stacks and
spectacularly insecure by default OS installations are largely behind us;
the security battle for the client endpoint has moved to client-initiated
attacks, which are unhindered by NAT, firewalling, or any other
layer-respecting network security device.

  Of course, I'm a tiny bit of a skeptic, as I really can't see how a
  stateful
  firewall can know which other connections / packets are related
  without a
  lot of the same dodgy shenanigans that goes on now, but at least if
  you've
  gotten rid of the 1-to-N address mangling a fundamental stumbling
  block is
  removed and people can get on and solve the remaining (tractable)
  problems.
 
 That is problematic as well, isn't it?

It is, but at least it's a problem that has a hope of being solved.

 It speaks directly to the attack-surface comment I just made in another reply.

I can't see how.

- Matt

-- 
For once, Microsoft wasn't exaggerating when they named it the 'Jet Engine'
-- your data's the seagull.
-- Chris Adams



Re: Bogons

2011-01-28 Thread Matthew Palmer
On Fri, Jan 28, 2011 at 12:35:43PM -0800, Jacob Broussard wrote:
 Static bogons are the bane of my existence...  The pain of trying to explain
 to someone for MONTHS that they haven't updated their reference, with
 traceroutes to back it up, and they continue to say that it has something to
 do with my network.

They're right -- your network is using an address range they've chosen to
configure their equipment not to accept... grin

- Matt



Re: Is NAT can provide some kind of protection?

2011-01-15 Thread Matthew Palmer
On Sat, Jan 15, 2011 at 06:24:01PM -0500, Brandon Ross wrote:
 On Sat, 15 Jan 2011, Owen DeLong wrote:

 I really doubt this will be the case in IPv6.

 I really hope you are right, because I don't want to see that either,  
 however...

 Why do you suppose they did that before with IPv4?  Sure you can make the 
 argument NOW that v4 is in scarce supply, but 10 years ago it was still  
 the case.

The finest raisins of all: hysterical raisins.

Widespread consumer internet access was dialup, with Trumpet or equivalent.
The concept of home networks was, at best, for the uber, *uber* nerds
(like most people on this list).  The idea that an average home user would
*ever* need more than one IP was ludicrous, so your basic dialup account
provided one IP (although I recall being able to ask for more, for free, if
I needed them).  Then it became a value add to have more than one IP, and
then NAT came along because the hackers at home had networks, and then the
hackers at home went into IT and used consumer-grade ISPs, and so they
deployed NAT in the enterprise, and then those people became the standards
writers for PCI DSS...

- Matt



Re: AS Numbers from a common 32-bit pool.

2010-12-20 Thread Matthew Palmer
On Mon, Dec 20, 2010 at 02:49:49PM +0200, Heinrich Strauss wrote:
 I'm kinda fearing this in South Africa, as we have a few large  
 incumbents who aren't really driving -NG versions of protocols.

 They also have a prove to us it's broken, and we may look at it in a  
 few months' time-attitude towards it. :O

That would be why 32-bit ASNs have been requestable for the last couple of
years(?); you could have been prodding providers with it doesn't work, fix
it for a while now.

- Matt

-- 
For once, Microsoft wasn't exaggerating when they named it the 'Jet Engine'
-- your data's the seagull.
-- Chris Adams



Re: ipfix/netflow/sflow generator for Linux

2010-12-06 Thread Matthew Palmer
On Mon, Dec 06, 2010 at 02:15:10PM -0500, Thomas York wrote:
 I've had the best luck with ipcad. The only thing that seems to not work
 with it is that it doesn't correctly give the interface number in the flow
 information. It refers to all interfaces as interface 65535. I've tried the
 config option for ipcad to map an interface directly to an SNMP interface
 ID, but that option of the config file seems to be ignored.
 
 Ntop functionally does exactly what I need, but it's extremely buggy. It
 segfaults after a few minutes, regardless of Linux distro or Ntop version.
 So... any ideas on what I can do to get good flow information from our Linux
 routers?

Fix ipcad to send the interface number.

- Matt

-- 
Just because we work at a University doesn't mean we're surrounded by smart
people.
-- Brian Kantor, in the monastery



Re: IPv6 Routing table will be bloated?

2010-10-26 Thread Matthew Palmer
On Tue, Oct 26, 2010 at 05:48:13PM -0400, Randy Carpenter wrote:
 Someone who Randy didn't attribute wrote:
  I think APNIC has a policy that defines the minimum IPv6 allocation
  based on your current IPv4 allocation/usage. This would fix the
  problem?
 It would be nice as a start, but does not really take into consideration 
 future expansion needs.
 
 I would think that you could draw some parallels, though.
 
 Something like:
 
 v4 /16 ~ v6 /32
 v4 /12 ~ v6 /28
 v4 /8 ~ v6 /24
 
 I know we don't want to equate v4 and v6, but it may help as a guideline 
 for the size of the customer base.

I don't think it's a particularly good metric, either, because it doesn't
take into account the conversion rate of IPv4 to IPv6 addresses, which is
wildly different in different networks.

Fer instance, $JOB[-1] is a colo/hosting business, with a fair chunk of IPv4
allocated, and the standard IPv6 /32.  I did the initial IPv6 address plan,
and I'm pretty confident in saying that they'll *never* need any more than
that /32 of IPv6, because their business model means that they pack their
/64s relatively (hah!) densely (typically there's at least one /24 of IPv4
per /64 of IPv6).  However, anyone doing network access is likely to be
replacing an IPv4 /32 with an IPv6 /48, which results in a lot more address
space usage.

Direct conversion between IPv4 and IPv6 will either result in many places
being starved of IPv6 (very bad, as the OP of this thread pointed out), or
space will be massively overallocated (also, not real hot).

- Matt



Re: DHS and NSA getting married?

2010-10-22 Thread Matthew Palmer
On Fri, Oct 22, 2010 at 11:32:38AM -0400, Christopher Morrow wrote:
 On Fri, Oct 22, 2010 at 11:08 AM, Steven Bellovin s...@cs.columbia.edu 
 wrote:
 
         In the words of a former Justice Department official involved with 
  critical infrastructure protection, "I have seen too many situations where 
  government officials claimed a high degree of confidence as to the source, 
  intent, and scope of an attack, and it turned out they were wrong on every 
  aspect of it. That is, they were often wrong, but never in doubt."
 
 this happens with non-cyber things as well... all the time. Point
 being: cyber-attack follows down the path of 'send the people that
 deal with attacks to deal with this'.

For non-cyber things, that would be the police almost every time.  We
don't send a squad of marines out after every mugger (although it'd have an
interesting deterrent effect...)

- Matt



Re: network name 101100010100110.net

2010-10-17 Thread Matthew Palmer
On Sun, Oct 17, 2010 at 08:07:41AM +0200, Per Carlson wrote:
 On 17 Oct 2010 06:47, Day Domes daydo...@gmail.com wrote:
  I have been tasked with coming up with a new name for are transit data
  network.  I am thinking of using 101100010100110.net does anyone see
  any issues with this?

 Technically, no.
 
 But you probably fancy annoying people. I wouldn't imagine anyone typing
 that right on the first attempt.

And imagine answering the phones...

- Matt



Re: Did Internet Founders Actually Anticipate Paid,

2010-09-21 Thread Matthew Palmer
On Tue, Sep 21, 2010 at 09:31:07AM -0700, George Bonser wrote:
  Yes they are -- content providers aren't getting their connections to
  the
  Internet for free (and if they are, how can I get me some of that?).
 
 Maybe I wasn't clear.  Traffic is moving away from transit to direct
 peering at private exchanges in many cases.  [Citation needed]

   If the ISPs are directly peering with the content provider at
   some IX, the content provider gets what amounts to a free ride to
 the
   end user.
  
  Say wha?  ISPs don't *have* to peer at an IX; if they think that it's
  cheaper to buy transit from someone than it is to peer, they're more
  than
  capable of doing so.
 
 Transit would have to get extremely cheap to compete with exchange
 peering.  I don't see it getting that low any time soon.

So it *is* cheaper to peer than to buy transit.  Take the money you save
from not buying transit and put it towards upgrading your core.

- Matt

-- 
Generally the folk who love the environment in vague, frilly ways are at
odds with folk who love the environment next to the mashed potatoes.
-- Anthony de Boer, in a place that does not exist



Re: Other NOGs around the world?

2010-08-22 Thread Matthew Palmer
On Mon, Aug 23, 2010 at 12:42:03AM +1000, Karl Auer wrote:
 On Sun, 2010-08-22 at 10:17 -0400, Marshall Eubanks wrote:
  On Aug 22, 2010, at 9:52 AM, Rogelio wrote:
   What other network operator groups are there around the world (besides 
   NANOG)?
 
 AusNOG. At a bit of a low S:N right now.
 
 We have been leading up to a Federal election, with two big tech issues
 involved - a new national broadband network and Internet censorship.
 These two topics have rather dominated discussions of late.

Politics on an operational list?  NEVAH!

- Matt



Re: Numbering nameservers and resolvers

2010-08-17 Thread Matthew Palmer
On Mon, Aug 16, 2010 at 06:08:02AM -0700, Owen DeLong wrote:
 On Aug 16, 2010, at 6:03 AM, Chris Adams wrote:
  Once upon a time, Patrick W. Gilmore patr...@ianai.net said:
  1) Use different prefixes.  A single prefix going down should not kill
  your entire network.  (Nameservers and resolvers being unreachable
  breaks the whole Internet as far as users are concerned.)
  
  How do you do this in the IPv6 world, where I get a single /32?  Will
  others accept announcements of two /33s to better handle things like
  this?
 
 The better solution is to trade secondary services with some other
 provider. Sure, it's a bit of a pain keeping up with the new zones
 to be added and old zones to be removed back and forth, but, it's
 a great way to have your authoritative servers truly diverse and
 independent.

At $JOB[3], where I was responsible for this sort of thing, a small amount
of shell scripting behind inetd on the master[1], and slightly more shell
scripting behind cron on the secondaries[2], and all our problems were
solved for all time.

- Matt

[1] Read /etc/named/zones/* mangled the (standardised) filenames to get a
list of the zones, and dumped it on stdout, which went out on a high port
that inetd was listening on.

[2] nc to the master on the relevant high port, read the list and write out
an automated named.conf fragment.  Also use a bit of md5sum to detect when
the list changed, so we know when to reload named on the slave.

[3] Subscript, not footnote.
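As an added example (not Matt's scripts from $JOB[3]), here are the two sides he describes in POSIX sh: the master turning its zone directory into a list, and the secondary turning that list into a named.conf fragment and using md5sum to decide whether named needs a reload. The db.<zone> file naming, the directory layout and the use of a plain file in place of the inetd/nc transport are assumptions so that it runs offline.

```shell
#!/bin/sh
# Added example (not Matt's scripts): the master/secondary zone-list sync he
# describes, in POSIX sh. Assumptions: master zone files live in one directory
# as db.<zone> (his "standardised filenames"); the inetd/nc transport is
# replaced by a plain file, so the whole thing runs offline.

# Master side ([1]): derive the zone list from the filenames, one zone per line.
# Files that do not follow the db.<zone> convention are ignored.
list_zones() {
    zonedir=$1
    for f in "$zonedir"/db.*; do
        [ -e "$f" ] || continue          # no match: the glob is left literal
        printf '%s\n' "${f##*/db.}"
    done | sort
}

# Secondary side ([2]): turn the list on stdin into a named.conf fragment.
# Names are whitelisted to DNS label characters before being interpolated,
# so a bad line on the wire cannot inject extra named.conf statements.
gen_slave_conf() {
    master_ip=$1
    while IFS= read -r zone; do
        case "$zone" in
            ''|*[!A-Za-z0-9._-]*) continue ;;
        esac
        printf 'zone "%s" {\n    type slave;\n    masters { %s; };\n    file "slaves/db.%s";\n};\n\n' \
            "$zone" "$master_ip" "$zone"
    done
}

# Matt's md5sum trick: remember the digest of the last list we acted on and
# return 0 (changed) only when it differs, so named is not reloaded every run.
list_changed() {
    listfile=$1 statefile=$2
    new=$(md5sum < "$listfile" | cut -d' ' -f1)
    old=$(cat "$statefile" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    printf '%s\n' "$new" > "$statefile"
    return 0
}

# One cron run on a secondary: regenerate the fragment only if the list changed.
# Returns 0 when the fragment was rewritten (the caller then runs "rndc reload").
sync_once() {
    listfile=$1 master_ip=$2 statefile=$3 conffile=$4
    list_changed "$listfile" "$statefile" || return 1
    gen_slave_conf "$master_ip" < "$listfile" > "$conffile.tmp" &&
        mv "$conffile.tmp" "$conffile"   # atomic replace; named never sees a half-written file
}
```

On a secondary, a cron entry would fetch the list from the master, call sync_once with it, and run `rndc reload` only when it returns 0.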



Re: Cost of transit and options in APAC

2010-08-11 Thread Matthew Palmer
On Wed, Aug 11, 2010 at 12:53:18PM -0700, Joel Jaeggli wrote:
 On 8/11/10 12:29 PM, Franck Martin wrote:
  Nice to see this change
  
  APAC has been obliged to pay the cost to peer with the US (long
  distance links are expensive). Now that US wants to peer with Asia,
  pricing may become more balanced...
 
 I think the question is more like why am I being quoted $100 A megabit
 in India for transit in India? Not why am I being charged for the
 transport cost across the pacific.

Because the percentage of traffic that actually stays in India, as compared
to that which transits the Pacific, is minuscule.  If you're asking for
enough bandwidth / throwing enough money around, I'm sure you could get an
Indian-only deal, but you'd need to make it worth the while for the provider
to set up the config, given that either way they'll be getting your money,
and you won't be using a lot of transpacific traffic.  Note also that it's
unlikely that the provider will be getting a differentiated rate from their
upstreams for internal traffic, and you may have to settle for peering-only
access (if your chosen provider is connected to any peering points).

- Matt

-- 
Ruby's the only language I've ever used that feels like it was designed by a
programmer, and not by a hardware engineer (Java, C, C++), an academic
theorist (Lisp, Haskell, OCaml), or an editor of PC World (Python).
-- William Morgan



Re: Google wants your Internet to be faster

2010-08-09 Thread Matthew Palmer
On Mon, Aug 09, 2010 at 12:18:12PM -0700, Zaid Ali wrote:
 The devil is always in the details. The Network management piece is quite
 glossed over and gives a different perception in the summary. You can't
 perform the proposed network management piece without deep packet inspection
 which violates every users privacy.

This is Google we're talking about here, though.

- Matt


-- 
MySQL seems to be the Windows of the database world. Broken, underspecced,  
and mainly only popular due to inertia and people who don't really know what
they're doing.
-- Peter Corlett, in the Monastery



Re: 33-Bit Addressing via ONE bit or TWO bits ? does NANOG care?

2010-07-30 Thread Matthew Palmer
On Thu, Jul 29, 2010 at 11:38:56PM -0400, Atticus wrote:
 What world do you live in? Yes, we extend the life of IPv4 by increasing the
 numeric range. As for only needing port 80, I'm not really sure where
 you've been for the last decade or so. There are hundreds of services
 using different ports, and tunneling them all makes absolutely no sense.
 Yes, we don't really need 65k ports, but stealing bits in the header from
 them is the most ridiculous thing I've heard yet.

Fark, Tom, he's gone straight past the hook, line, and sinker, and taken it
all the way up to the second line guide.  Better get the big pliers.

- Matt



Re: Addressing plan exercise for our IPv6 course

2010-07-25 Thread Matthew Palmer
On Mon, Jul 26, 2010 at 06:24:04AM +0200, Jens Link wrote:
 Owen DeLong o...@delong.com writes:
  The correct answer is No, you don't have to configure rules, you just need
  one rule supplied by default which denies anything that doesn't have a
  corresponding outbound entry in the state table and it works just like NAT
  without the address mangling.
 
 They used NAT as an excuse not to let some applications to the
 outside. 

That's OK, if it's NAT unfriendly, chances are it requires deep packet
inspection to make the state tables do the right thing anyway.

- Matt

-- 
Skippy was a wallaby. ... Wallabies are dumb and not very trainable...  The
*good* thing...is that one Skippy looks very much like all the rest,
hence...one-shot Skippy and plug-compatible Skippy.  I don't think they
ever had to go as far as belt-fed Skippy  -- Robert Sneddon, ASR



Re: Mikrotik OC-3 Connection

2010-07-03 Thread Matthew Palmer
On Sat, Jul 03, 2010 at 05:12:14PM -0700, Majdi S. Abbas wrote:
 On Sat, Jul 03, 2010 at 07:32:48PM -0400, Scott Berkman wrote:
  I really wouldn't use the word legacy to describe SONET and OC-3's.
 
   It's around 25 years old (work started in 1985, first standards
 published in 1988) and we now have a ratified 100G Ethernet standard.
 
   Much of it is being used to transport subrate links, some of
 which are derived from even older transport standards.
 
   If not legacy, what word WOULD you use?

Legacy (adj.): A pejorative term used in the computer industry meaning it
works.

- Matt

-- 
Apparently if you are aware that the From: field can be, and often is,
forged, you are overqualified to write antivirus software.
-- Jamie Zawinski, http://www.jwz.org/gruntle/virus.html



Re: Inquiries to Acquire IPs

2010-07-02 Thread Matthew Palmer
On Fri, Jul 02, 2010 at 04:40:07PM -0500, Aaron Wendel wrote:
 I sent an inquiry in to ARIN yesterday for a certain ASN that was available
 and was told that management won't allow them to issue requested numbers. :(

That's easy, then... Can I have any of ASN 0 to $DESIRED-1 or $DESIRED+1 to
65535... since they can't issue a number that's requested, the one you want
is the only one left.

- Matt
(Back into my hole)



Re: Finland makes broadband access a legal right

2010-07-01 Thread Matthew Palmer
On Fri, Jul 02, 2010 at 12:14:42AM +0100, Matthew Walster wrote:
 On 1 July 2010 23:17, William Herrin b...@herrin.us wrote:
  In 1996 a certain inventor of the Internet decided that the universal
  service fund needed to pay for PCs in rural schools (the E-Rate
  program) instead of improving rural communications...
 
 As someone who's always been in the tech field, the amount spent on
 ICT in schools has always shocked and appalled me.

Don't get me started on ICT in schools.  Please.

- Matt

-- 
Igloo I remember going to my first tutorial in room 404. I was most upset
when I found it.



Re: eur.army.mil net ops contact?

2010-05-19 Thread Matthew Palmer
On Wed, May 19, 2010 at 06:11:34PM +0530, Suresh Ramasubramanian wrote:
 There's this old joke - spread across multiple countries around the
 world - about there being three ways to do something ..
 
 1. The right way
 2. The wrong way
 3. The army way

I know it as 3. The railway, and boy ain't it the truth...

- Matt



Re: [Re: http://tools.ietf.org/search/draft-hain-ipv6-ulac-01]

2010-04-25 Thread Matthew Palmer
On Mon, Apr 26, 2010 at 08:20:33AM +0930, Mark Smith wrote:
 On Sun, 25 Apr 2010 13:21:16 -0400
 Richard Barnes richard.bar...@gmail.com wrote:
 
  Moreover, the general point stands that Mark's problem is one of bad
  ISP decisions, not anything different between IPv4/RFC1918 and IPv6.
 
 My example, although a bit convoluted to demonstrate a point, is about
 robustness against Internet link failure. I don't think people's
 internal connectivity should be dependent on their Internet link being
 available and being assigned global address space. That's what the
 global only people are saying.
 
 (how is the customer going to access the CPE webserver to enter ISP
 login details when they get the CPE out of the box, if it hasn't got
 address space because it hasn't connected to the ISP ...)

I've been using IPv6 for about 18 seconds, and even *I* know the answer to
that one -- the link-local address.

- Matt

-- 
You are capable, creative, competent, careful.  Prove it.
-- Seen in a fortune cookie



Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-08 Thread Matthew Palmer
On Thu, Apr 08, 2010 at 02:56:15PM -0400, Dorn Hetzel wrote:
 Well, yeah, but that is a separate problem.  Anyone for an
 announced-prefix-tax ? :)

Just add announced prefixes to the settlement charges, alongside bits
transferred...

- Matt

-- 
A friend is someone you can call to help you move. A best friend is someone
you can call to help you move a body.



Re: log parsing tool?

2010-02-23 Thread Matthew Palmer
On Mon, Feb 22, 2010 at 04:15:22PM -0600, fedora fedora wrote:
 Anyone has good recommendations for an open-sourced log parsing and
 analyzing application? It will be used to work with syslog-ng and other
 general syslog and application logs.
 
 I have been looking at swatch and logwatch, but would like to find out if
 there are other good choices, thanks

SEC does seem to be the gold standard in advanced log correlation beyond
that available in grep | mail type systems such as logwatch.  However it
is incredibly arcane, and despite reading a lot of documentation for it I've
never really been able to wrap my head around it.

A colleague has started to write a SEC-like tool with (I hope) a more
approachable mental model; take a look at http://github.com/rodjek/grok.  I
must (embarrassedly) admit I haven't looked at it yet, but he claims that he
reimplemented sshd_sentry (the fail2ban equivalent we use) in two lines of
rules, which seems like a nice (basic) demonstration.

- Matt



Re: BIRD vs Quagga

2010-02-16 Thread Matthew Palmer
On Tue, Feb 16, 2010 at 07:47:13PM +, Thomas Mangin wrote:
 (with a domino's effect as well).

Your routes processed in 30 minutes or it's free?

- Matt
(Yeah, I know, back in my hole...)



Re: 192.255.103.x

2010-02-11 Thread Matthew Palmer
On Thu, Feb 11, 2010 at 07:27:38PM -0800, Hector Herrera wrote:
 On Thu, Feb 11, 2010 at 6:08 PM, Matthew Palmer mpal...@hezmatt.org wrote:
  On Thu, Feb 11, 2010 at 05:30:11PM -0800, Hector Herrera wrote:
  I'm trying to diagnose an issue with 192.255.103.x
 
  As far as I can tell from IANA, the block 192/8 is allocated to ARIN.
  ARIN does not have a record of 192.255.103 being allocated to anybody.
 
  Here is the issue ... the customer insists that is the correct IP and
  for a few hours yesterday, it was actually working. ?Their satellite
  phone can reach it, but we can't see it advertised today from any
  networks.
 
  Smells to me like their satphone provider could be doing something dodgy.
  More info would be handy: what your customer's relationship to that IP block
  is, and what they think should be available at that IP block.
 
 According to the customer the IP is at their home network.  They are
 in town for a certain large event *cough*fiverings*cough* and they
 keep insisting (and their home IT department indicates the IP is
 valid).
 
 The customer is now claiming this IP is part of a hidden and
 secret block of IPs ... How can you have hidden IPs?

Pfft, that's just code for we picked a block at random.  See also: 1/8.

 I think I'm just going to chalk this one up to a made up IP block that
 is probably statically routed by their satphone provider.

Indeed.

- Matt



Re: Connectivity problems to google via openDNS

2010-02-09 Thread Matthew Palmer
On Tue, Feb 09, 2010 at 09:56:23AM -0800, Jay Hennigan wrote:
 Mark wrote:
 Hello nanog,

 Just wondering if anyone is experiencing the same problem with google  
 and openDNS on their end or knows what's going on there with openDNS.  
 The problem just occurred about 20 minutes ago.

 Don't do that then.

 OpenDNS is a form of censorware and almost certainly hijacking queries  
 to Google (and numerous other sites), redirecting to its own servers.

It's also got some spectacularly odd failure modes.  I was helping a
customer diagnose a problem yesterday where when they attempted to connect
to one server by name, they were reliably getting another server on the same
network.  Turned out that the DNS responses from OpenDNS (they were in a
cafe somewhere with free wireless that was using OpenDNS) were giving
slightly wrong addresses -- like the real address for example.com was
192.0.2.12, and OpenDNS was giving the response that example.com was at
192.0.2.16 (another server in the same cluster, hence the insane confusion). 
No wildcarding or recent DNS changes at our end, either -- it was just
OpenDNS screwing things up *somehow*.

Never, ever use OpenDNS is my recommendation.

- Matt



Re: Enhancing automation with network growth

2010-01-21 Thread Matthew Palmer
On Wed, Jan 20, 2010 at 10:52:39PM -0500, Erik L wrote:
  One thing that would take a major load off would be if my MRTG system
  could simply update its config/index files for itself, instead of me
  having to  do it on each and every port change.
  
  Can anyone offer up ideas on how you manage any automation in this
  regard for their infrastructure gear traffic graphs? 
  (Commercial options
  welcome, off-list, but we're as small as our budget is).
 
 Not sure how you're doing your graphs currently, but have you considered 
 Cacti?

If automating MRTG config is hard, automating Cacti config is about as close
to impossible as one can get without popping around to the Augean stables.

- Matt



Re: 1/8 and 27/8 allocated to APNIC

2010-01-21 Thread Matthew Palmer
On Thu, Jan 21, 2010 at 08:22:57PM -0500, Jon Lewis wrote:
 On Thu, 21 Jan 2010, George Bonser wrote:

 Some of that water is dirtier than the rest.  I wouldn't want to be the
 person who gets 1.2.3.0/24

 The whole /8 should be fun.

 http://en.wikipedia.org/wiki/AnoNet

  To avoid addressing conflict with the internet itself, the range
  1.0.0.0/8 is used. This is to avoid conflicting with internal networks
  such as 10/8, 172.16/12 and 192.168/16, as well as assigned Internet
  ranges. In the event that 1.0.0.0/8 is assigned by IANA, anoNet could
  move to the next unassigned /8, though such an event is unlikely, as
  1.0.0.0/8 has been reserved since September 1981.

 I thought there was some other group that had been squatting in 1/8,  
 something about radio and peer to peer...but not AnoNet (at least that  
 name was totally unfamiliar)...but this was all I could find with a quick 
 google.

Yeah, they're not the only bunch of idiots who think that unallocated
means free for all.  I'm reliably informed that Hamachi uses 5/8 (for the
same reasons as this AnoNet bunch).  There's probably others out there.  Fun
times ahead for moron-fac^Wcustomer-facing support personnel.

- Matt



Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-13 Thread Matthew Palmer
On Wed, Jan 13, 2010 at 12:55:00PM -0500, Matt Simmons wrote:
 That would be excellent for both the administrator, and anyone walking
 down the row with a wand in their pocket.

So... someone has a list of the barcodes on all my equipment.  ONOES! 
Without access to the asset database that backs it, I'm not sure what damage
they're going to do.  It's not as though one of my core switches is going to
try and get through airport security with it.

- Matt



Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Matthew Palmer
On Wed, Jan 06, 2010 at 08:41:14PM -0500, Joel Esler wrote:
 On Wed, Jan 6, 2010 at 8:26 PM, Steven Bellovin s...@cs.columbia.edu wrote:
  On Jan 6, 2010, at 6:24 PM, Jeffrey I. Schiller wrote:
   An option I saw years ago (I forgot on whose equipment) was a default
   password which was a function of the equipment's serial number. So you
   had to have the algorithm and you needed the serial number which was not
   related to the MAC. So if you didn't have physical access, you were not
   in a good position to learn the password.
  
   I suspect this was a support nightmare for the vendor and I bet they
   went to a more standard (read: the same) factory password.
  
   At the end of the day, minimizing support costs for the vendor (not to
   mention likely annoyance for the customer) trumps providing default
   security for the folks who won't change the default password.
 
  The MyFi apparently does this.  According to
  http://www.nytimes.com/2009/05/07/technology/personaltech/07pogue.html The 
  network password is printed right there on the bottom of the MiFi
  itself.

 At least it's not .
 
 But yes, my Mifi *had* the password on the bottom.

As long as the passwords are reasonably secure (i.e. not generated to a simple
pattern that can be easily brute-forced) and they can be changed, I'd
consider that to be pretty reasonable security.  As has been mentioned in
this thread already, if someone's got physical access to your equipment
you're dead in the water, security wise, so having the device-specific
factory default password on the equipment is far more secure than having a
single factory default password, whilst being *far* more user friendly than
a hash-the-serial-number approach -- or even a prompt for a password before
I'll do anything (which, I agree, is the most secure, but is still not very
usable).

For the record, all of my personal networking gear has the admin credentials
(and whatever else I need to get into them, like IP addresses, etc) written
on it.  I don't trust myself to remember those over the years, and assuming
that anything else is going to be working when I *need* to get into them
seems awfully optimistic.

- Matt



Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Matthew Palmer
On Wed, Jan 06, 2010 at 10:45:32PM -0600, Joe Greco wrote:
  On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland rdobb...@arbor.net wrote:
   Which goes to show that they just really don't get it when it comes to 
   security.  Maybe they should look here at all the entries for 'default 
   credentials':
  
  Roland, this isn't the home wi-fi market we're talking about.  Anyone
  that's going to buy one of these puppies is going to have a clue about
  putting their password in. 
 
 You apparently missed the recent thread on NANOG where this guy was asking
 for some help with Default Passwords for World Wide Packets/Lightning Edge
 Equipment ...  apparently not everyone has the clue you expect them to.

To be fair, he was just asking about factory resetting the device because
the current password was unknown, then reconfiguring the device (I'm willing
to be generous and assume that the reconfiguration included setting a new,
secure password).

- Matt



Re: Smartcard and non-password methods (was Re: Password repository)

2009-11-21 Thread Matthew Palmer
On Sat, Nov 21, 2009 at 04:06:48PM -0500, Jeffrey Lyon wrote:
 I was pretty excited about this post until I found out that myvidoop
 only works on older versions of FF.

I can only find something about the plugin not working on FF 3.5, but I
don't use the plugin since I only use it as an OpenID endpoint.  I can't
imagine how the main site wouldn't work in FF 3.5 -- it's just a bit of
javascripty fluff.

- Matt



Re: Smartcard and non-password methods (was Re: Password repository)

2009-11-21 Thread Matthew Palmer
On Sat, Nov 21, 2009 at 04:58:27PM -0500, Jeffrey Lyon wrote:
 So it works as a standalone password vault also?

I don't know.  My only experience with it has been as an OpenID
endpoint/provider/whatever, and it was on that basis that I replied
originally.

- Matt



Re: What DNS Is Not

2009-11-20 Thread Matthew Palmer
On Fri, Nov 20, 2009 at 09:49:14AM +1030, Andrew Cox wrote:
 As a follow up to this, one of the large Australian ISPs has just  
 introduced a DNS redirection service for all home customers.

 /The BigPond-branded landing page provides BigPond customers with  
 organic search results, sponsored links, display advertisements and  
 intelligent recommendations, all derived from the invalid domain input -  
 much more helpful and friendly than a nasty 404 page error./

*Facepalm*  Maybe my browser's just doing something wrong, but when was the
last time you got a nasty 404 page error for an NXDOMAIN response?

- Matt
*mumblemumble*journalists*mumblemumble*



Re: DreamHost admin contacts

2009-10-13 Thread Matthew Palmer
On Tue, Oct 13, 2009 at 01:34:47PM -0700, Brandon Galbraith wrote:
 Have had great luck (no outages) with Rackspace Mail (formerly
 Mailtrust). Quite affordable as well.

It's definitely luck that's kept you outage free -- my former employer
outsourced all their customer e-mail services to Mailtrust, and had no end
of problems with it.  They're on my avoid with extreme prejudice list.

- Matt



Re: 32-bit AS numbers

2009-10-10 Thread Matthew Palmer
On Fri, Oct 09, 2009 at 12:05:57PM -0400, Kevin Loch wrote:
 Greg Hankins wrote:

 We also started a Wiki with content based on the presentation that has
 more updated information, including a current list of vendor support.
 If you see a vendor missing, let us know and we can update the list.
 Or better yet, create an account and add some content yourself :-).

 http://as4.cluepon.net/index.php/Main_Page

 While it's good to see support _finally_ in 2.2SX, I still don't see it
 in 12.2SR (for rsp720).  It's almost like Cisco has no idea how
 many of these things are actually used on the Internet.

Or, more plausibly, they know exactly how many there are out there, and how
much they'd be able to make if everyone were forced to upgrade.

- Matt



Re: Data Center testing

2009-08-27 Thread Matthew Palmer
On Wed, Aug 26, 2009 at 03:32:42PM +, Dylan Ebner wrote:
 I always love it when I get an outage report from my ISP's or datacenter
 and they say an unexpected issue or unforeseen issue caused the
 problem.

Well, at least it's better than yeah, we knew about it, but didn't think it
was worth worrying about.

- Matt



Re: Using twitter as an outage notification

2009-07-05 Thread Matthew Palmer
On Sun, Jul 05, 2009 at 11:01:43AM +0100, Roland Perry wrote:
[snow day notifications]
 Unfortunately, the number of students polling the website for news means  
 it can't cope with the traffic. I don't believe they can justify paying  
 more for better web hosting, just to manage this once-a-year half hour  
 event.

There are web hosting providers whose 18c/year hosting plans can't handle a
few thousand requests to a static page over a period of maybe 15 minutes
without falling over?  The mind boggles.

- Matt



Re: Where to buy Internet IP addresses

2009-05-01 Thread Matthew Palmer
On Sat, May 02, 2009 at 09:40:23AM +1000, Mark Andrews wrote:
 
 In message 49fb4661.8090...@west.net, Jay Hennigan writes:
  LEdouard Louis wrote:
   Optimum Online business only offer 5 static IP address.
   
   Where can I buy a block of Internet IP address for Business? How much
   does it cost?
  
  Only five?  Really?  Our basic residential users get 18 quintillion 
  addresses, and business users get 65536 times that many.  Tell them you 
  need a few more.  :-)
 
   Actually residential users do.  One /64 is not enough.  One
   can argue about whether a /56 or a /48 is appropriate for
   residential users but a single /64 isn't and residential
   ISPs should be planning to hand out more than a single /64
   to their customers.

How many home users (or even small businesses) have more than one subnet at
the moment (behind NAT, presumably)?  As a percentage of subscribers, what
does that equate to?

Handing out an IPv6 /56 to a DSL or cable customer should be handled much
the same way as giving them an IPv4 /29 is today -- ask, and it shall be
provided, but it's wasteful[1] to do so by default.

- Matt

[1] Just because we've got a lot of it, doesn't mean we should be pissing it
up against the wall unnecessarily.  A motto for network engineers and
economists alike.


-- 
[M]ost of the other people here [...] drive cars that they have personally
built (starting with iron ore, charcoal, and a Malaysian turn-signal tree)
[...] but I wimp out on all of those points.  Sometimes there are advantages
to paying somebody else to do it for you.  -- Matt Roberds, in the Monastery



Re: Important New Requirement for IPv4 Requests

2009-04-21 Thread Matthew Palmer
On Tue, Apr 21, 2009 at 02:51:11PM -0700, Jo Rhett wrote:
 On Apr 21, 2009, at 1:58 PM, David Hubbard wrote:
 Raising the price won't help; there's already a huge amount
 of wasted address space by web hosts selling IP addresses
 to customers who need them solely for 'seo purposes' rather

 It's a common request we see.  We refuse it, and point them to the  
 Google documentation that shows that unique IPs don't help or hurt their 
 SEO standings.

Then they come back with a request for IPs for SSL certificates, which is a
valid technical justification.  BTDT.  People will find a way to do the
stupid thing they want to do.

- Matt



Re: Important New Requirement for IPv4 Requests

2009-04-21 Thread Matthew Palmer
On Tue, Apr 21, 2009 at 04:41:46PM -0700, Jo Rhett wrote:

 On Apr 21, 2009, at 4:22 PM, Ken A wrote:
 Chris Adams wrote:
 Once upon a time, Jo Rhett jrh...@netconsonance.com said:
 Since  virtual web hosting has no technical justification for IP  
 space, I  refuse it.
 SSL and FTP are technical justifications for an IP per site.

 Right. Also, monthly bandwidth monitoring/shaping/capping are more  
 easily done using one ip per hosted domain, or ftp site, or whatever. 
 Otherwise you are parsing logs or using 3rd party apache modules.

 *Shrug* I've been doing IP allocations for 14 years and that's never  
 been mentioned to me.

Oh, you lucky, lucky person.  We've got a couple of customers at the day job
that constantly come back to us for more IP addresses for bandwidth
accounting purposes for their colo machine(s).  Attempts at education are
like talking to a particularly stupid brick wall.

- Matt



Re: Important New Requirement for IPv4 Requests

2009-04-21 Thread Matthew Palmer
On Tue, Apr 21, 2009 at 08:24:38PM -0400, Ricky Beam wrote:
 On Tue, 21 Apr 2009 18:40:30 -0400, Chris Adams cmad...@hiwaay.net wrote:
 SSL and FTP are technical justifications for an IP per site.

 No they aren't.  SSL will work just fine as a name-based virtual host 
 with any modern webserver / browser. (Server Name Indication (SNI) 
 [RFC3546, sec 3.1])

I encourage my competitors to do this.  You only have to get one noisy
curmudgeon who can't get to your customer's SSL website because IE 5.0 has
worked fine for them for years to make it a completely losing strategy to
try deploying this everywhere.  Since you can't predict in advance which
sites are going to be accessed by said noisy curmudgeon, you don't bother
deploying it anywhere, to be on the safe side.

 FTP?  Who uses FTP these days?  Certainly not consumers.  Even Cisco  
 pushes almost everything via a webserver. (they still have ftp servers,  
 they just don't put much on them these days.)

A depressingly large number of people use FTP.  Attempts to move them onto
something less insane are fruitless.  Even when the tools support it (and
plenty of web design tools don't appear to do anything other than FTP),
we've always done it that way and it works fine and if we have to change
something we'll move to another hosting company rather than click a
different button in our program.

Business imperatives trump technical considerations, once again.  And, for
the record, we're moving toward IPv6, so we're *trying* to be part of the
solution, in our own small way.

- Matt



Re: Is whois.apnic.net down?

2009-02-10 Thread Matthew Palmer
On Tue, Feb 10, 2009 at 09:48:21AM -0700, Dale Carstensen wrote:
 I get Connection timed out on whois commands to it.
 
 Sorry to attempt to answer my own question, but maybe it's the fires
 in Australia, as the last traceroute hop is a Brisbane.telstra.net
 domain name.

Brisbane's about 2000km north of the major fires.  Instead, they're
recovering from a cyclone.

Gotta love this country.

- Matt

-- 
Talk about unlucky. D'you know, if I fell in a barrel of tits I'd come out
sucking me thumb.
-- Seen on the 'net:
 http://thelawwestofealingbroadway.blogspot.com/2006/01/bang-to-rights.html



Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Matthew Palmer
On Mon, Feb 09, 2009 at 09:27:59PM -0500, TJ wrote:
The SOX auditor ought to know better.  Any auditor that
requires NAT is incompetent.
 
  Sadly, there are many audit REQUIREMENTS explicitly naming NAT and
  RFC1918 addressing ...
 
 SOX auditors are incompetent. I've been asked about anti-virus software on
 UNIX servers and then asked to prove that they run UNIX.
 
 Fair enough, but my point was that it isn't the auditors' faults in _all_
 cases.
 When the compliance explicitly requires something they are required to check
 for it, they don't have the option of ignoring or waving requirements ...
 and off the top of my head I don't recall if it is SOX that calls for
 RFC1918 explicitly but I know there are some that do.

Considering that RFC1918 says nothing about IPv6 at all, could that be a
blocker for deployment in general?  That'd also make for an interesting
discussion re: other legacy protocols (IPX, anyone?)...

- Matt

-- 
I tend to think of solution as just a pretentious term for thingy. 
Doing that word substitution in my head makes IT marketing literature
somewhat more tolerable.
-- lutchann, in http://lwn.net/Articles/124703/



Re: Private use of non-RFC1918 IP space

2009-02-03 Thread Matthew Palmer
On Wed, Feb 04, 2009 at 11:57:36AM +1100, Skeeve Stevens wrote:
 OK.
 
 Following myself up, and referencing a link someone else gave me in regards
 to IPv6
 
 http://en.wikipedia.org/wiki/Private_network
 
 Has the entry:
 
 Private use of other reserved addresses
 
 Several other address ranges, in addition to the official private ranges,
 are reserved for other or future uses, including 1.0.0.0/8 and 2.0.0.0/8[1].
 In recent years, large companies have begun to use this address space
 internally.

[citation required]

- Matt


