Looking for contact within Comcast Xfinity

2022-08-23 Thread Michael Brown
If anyone from Comcast Xfinity is on this list, can you please reach out
to me?

We're getting increased reports of xFi Advanced Security customers being
unable to access hosted sites and attempting to open tickets has had no
success.

Thanks,

Michael Brown



Re: QUIC traffic throttled on AT&T residential

2020-02-19 Thread Michael Brown
On 2020-02-19 1:06 a.m., Masataka Ohta wrote:
> Are you saying AT&T should block UDP entirely?

No; while I don't presume to have all the answers they should at the
minimum take into account how it affects the end-user (CUSTOMER!)
experience when making decisions like this.

(No they shouldn't block UDP entirely, but if they're having UDP/443
DDOS problems then blocking it while they get a proper scalable solution
in place is better than throttling it).



Re: QUIC traffic throttled on AT&T residential

2020-02-18 Thread Michael Brown
On 2020-02-18 7:07 p.m., Ross Tajvar wrote:
> Are you suggesting that ATT block all QUIC across their network?
Blocking a (for you) undesirable option when an established fallback
exists is a much better end user experience than introducing breakage
into that option

When you throttle or subtly break things you get:

On 2020-02-18 7:12 p.m., Daniel Sterling wrote:
> One might argue they already *are* doing so; QUIC is essentially
> unusable on my AT&T ipv4 residential connection (and a web search
> suggests I'm not alone).

Or: I no longer use my ISP's IPv6 access (via 6rd) since it would cause
terrible slowdowns due to packet loss when it broke

Or: some AT&T customers cannot connect to our customers due to IPv6
HTTPS interception: https://meta.discourse.org/t/-/140769/3

Or (probably the same problem):
https://tutanota.com/blog/posts/att-blocks-tutanota/

With blocking in these cases, QUIC falls back to TCP, Happy Eyeballs
falls back to IPv4, everybody's happy.



Looking for an AT&T Wireless contact

2020-02-05 Thread Michael Brown
I'm looking for an AT&T Wireless contact to reach out to me off-list.

We (discourse.org) have reports from multiple customers that their users are
unable to negotiate SSL with our sites when using their AT&T Wireless data
connection.

The problem is affecting users around Chicago and Pennsylvania.

Evidence points to some sort of SSL interference/tampering.

Cheers,

Michael Brown



Re: Netflix banning HE tunnels

2016-06-07 Thread Michael Brown
Or even easier, just block the he.net tunnel networks! Have them reject the
traffic so it falls back to IPv4!

Better than a vague error message combined with poorly or mistrained support
staff.

M.

  Original Message  
From: Elvis Daniel Velea
Sent: Tuesday, June 7, 2016 22:12
To: nanog@nanog.org
Reply To: el...@velea.eu
Subject: Re: Netflix banning HE tunnels

apparently, all they see is 3 people complaining on this mailing list.. 
well, this makes it 4 with me (and I have a bunch of people in various 
countries complaining on facebook that they have been banned from using 
netflix because they use an HE tunnel.

their answer - TURN IPV6 OFF!!! you're a techie so if you know how to 
setup a tunnel, you must know how to redirect netflix to use IPv4 
only... really?
the answer just pisses me off!

Netflix, YOU are the ones forcing people to turn IPv4 off... this is 
just insane. tens (if not hundred) of thousands of people chose to use 
HE tunnels because their ISP does not offer IPv6..
do you really expect all of them to turn it off? do you really want IPv6 
usage in the world to go down by a few percent because you are unable to 
figure out how to serve content?

I know nobody at Netflix will even answer to the e-mails on this list.. 
but I hope that they will at least acknowledge the problem and figure an 
other way to block content by country.
ie: they could try to talk to HE to register each tunnel in a database 
that points to the country of the user..

cheers,
elvis

On 6/8/16 1:01 AM, chris wrote:
> I am also in the same boat with a whole subnet affected even without a
> tunnel, tried multiple netflix support channels starting in early march and
> the ranges is still blocked 3 months later.
>
> I was a big fan of the service and somewhat of an addict up till this but
> I've really been shocked how this has been (mis)handled
>
> chris
>
> On Tue, Jun 7, 2016 at 7:23 AM, Davide Davini  wrote:
>
>> Today I discovered Netflix flagged my IPv6 IP block as "proxy/VPN" and I
>> can't use it if I don't disable the HE tunnel, which is the only way for
>> me to have IPv6 at the moment.
>>
>> But the fun part has been Netflix tech support:
>> "Oh I see, yeah we have been receiving reports of some other members
>> with ipv6 having this issues, at the moment Netflix is not really
>> designed to work with ipv6 connections, in this case I can recommend you
>> two things, one is to turn off the ipv6 and the other one will be to
>> contact directly with Hurricane Electric, there are some customers that
>> were able to use Netflix with an ipv6 under some specific settings set
>> by Hurricane Electric."
>>
>> I don't obviously expect HE to fix it, I don't pay for shit, it's a free
>> service, why should they?
>>
>> But it's fun to know that " Netflix is not really designed to work with
>> ipv6 connections ".
>>
>> Who did it say on this ML that the best way to solve these issues is
>> Netflix tech support? :)
>>
>> Ciao,
>> Davide Davini
>>
>>



Re: Netflix banning HE tunnels

2016-06-07 Thread Michael Brown
On 2016-06-07 07:23 AM, Davide Davini wrote:
> Who did it say on this ML that the best way to solve these issues is
> Netflix tech support? :)
Netflix tech support isn't useful for *anything* - even when asked about
this specific issue while I was going through my own diagnosis:

Me: are you blocking he dot net IPv6 tunnels?
Netflix Jerry: IPv6 tunnels as far as I know, no, we have no issues there.
You: can you please check?
Netflix Jerry: Gimme a sec.
You: so if I have a he dot net IPv6 tunnel that is marked as geolocated
in Canada, would you still flag that as a VPN/unblocker?
Netflix Jerry: OK, Im back...
Netflix Jerry: There is no issue with IPV6 as far as today.
You: so IPv6 access won't EVER trigger the unblocker/proxy detection?
Netflix Jerry: Not at the moment.

M.

-- 
Michael Brown            | The true sysadmin does not adjust his behaviour
Systems Administrator    | to fit the machine.  He adjusts the machine
mich...@supermathie.net  | until it behaves properly.  With a hammer,
                         | if necessary.  - Brian



Re: Turning Off IPv6 for Good (was Re: Netflix VPN detection - actual engineer needed)

2016-06-02 Thread Michael Brown
On 2016-06-01 11:41 PM, Matthew Kaufman wrote:
>  Turns out it has nothing to do with my IPv4 connectivity. Neither of
> my ISPs has native IPv6 connectivity, so both require tunnels (one of
> them to HE.net, one to the ISPs own tunnel broker), and both appear to
> be detected as a non-permitted VPN. As an early IPv6 adopter, I've had
> IPv6 on all my household devices for years now.
>
>  So after having to temporarily turn off IPv6 at my desktop to fix
> issues with pay.gov (FCC license payments), and issues with various
> other things, and then remember to turn it back on again... I now have
> the reason I've been waiting for to turn it off globally for the whole
> house.
Wish I read this thread earlier. Damn. I just went through the whole
useless process myself with an ineffectual support rep…

«
> But if the system is telling you that error code, it is a setting on
the local network, call your ISP, they can assist you on that issue.

Oh right. RIGHT. I'm SURE they'll be able to help.
»

…and I came to the same conclusion and similar resolution (adding an
outbound rule rejecting traffic to 2620:108:700f::/48, causing fallback
to IPv4 worked for me).

At least I got the support rep to SAY he opened a ticket.

Wow! It's my chance to be the noisy minority!

M.




Re: 10G-capable customer router recommendations?

2016-04-16 Thread Michael Brown
"‎2 NIC module slots supporting 1/10/40G/Fiber/Copper/Bypass"

Get one of those with a server class processor and it's a server that looks
like a spiffy network appliance.

Very general purpose if general purpose is what you need, quagga / openbgpd on
bsd, yes. And you can bake additional services onto it.

M.

  Original Message  
From: Ken Chase
Sent: Friday, April 15, 2016 20:26
To: NANOG
Subject: Re: 10G-capable customer router recommendations?

Does that lanner even do SFP+? Dont see it listed in the specs. Looks like 4210 has
2x SFP+, though their 'performance' level products look more in line with 'useful'.

http://www.lannerinc.com/products/x86-network-appliances/x86-rackmount-appliances/fw-8877

As for the microtics, wonky user interface, so very unciscolike (i guess thats
my problem - but the GUI thing feels like a toy), but for their midrange models I found
their bgp convergence times pretty poor on their low end cpus...

What do you put on the lanner? OpenBGPd? Quagga? Also looking for a 10G solution
here, low power (than a full ASR stack..) is my goal for 5-6 full bgp feeds.

/kc


On Fri, Apr 15, 2016 at 07:45:39PM -0400, Michael Brown said:
>Not *exactly* what you're asking for, but a Lanner appliance 
>(http://www.lannerinc.com/products/network-appliances/x86-rackmount-network-appliances/nca-5210)
> might suit your needs.
>
>M.
>
>  Original Message
>From: David Sotnick
>Sent: Friday, April 15, 2016 16:19
>To: NANOG
>Subject: 10G-capable customer router recommendations?
>
>Hello masters of the Internet,
>
>I was recently asked to set up networking at a VIP's home where he has
>Comcast "Gigabit Pro" service, which is delivered on a 10G-SR MM port on a
>Comcast-supplied Juniper ACX-2100 router.
>
>Which customer router would you suggest for such a setup? It needs to do
>IPv4 NAT, DHCP, IPv4+IPv6 routing and have a decent L4 firewall (that also
>supports IPv6).
>
>The customer pays for "2Gb" service (Comcast caps this at 2G+10% = 2.2Gbps)
>and would like to get what he pays for (*cough*) by having the ability to
>stream two 1Gbps streams (or at least achieve > 1.0Gbps).
>
>I'm tempted to get another ACX-2100 and do a 4x1Gb LACP port-channel to the
>customer switch, or replace the AV-integrator-installed Cisco SG300-52P
>(Cisco switch with e.g. an EX-3300 with 10Gb uplinks).
>
>Thanks in advance for your suggestions.
>
>-Dave

Ken Chase - m...@sizone.org 


Re: 10G-capable customer router recommendations?

2016-04-15 Thread Michael Brown
Not *exactly* what you're asking for, but a Lanner appliance 
(http://www.lannerinc.com/products/network-appliances/x86-rackmount-network-appliances/nca-5210)
 might suit your needs.

M.

  Original Message  
From: David Sotnick
Sent: Friday, April 15, 2016 16:19
To: NANOG
Subject: 10G-capable customer router recommendations?

Hello masters of the Internet,

I was recently asked to set up networking at a VIP's home where he has
Comcast "Gigabit Pro" service, which is delivered on a 10G-SR MM port on a
Comcast-supplied Juniper ACX-2100 router.

Which customer router would you suggest for such a setup? It needs to do
IPv4 NAT, DHCP, IPv4+IPv6 routing and have a decent L4 firewall (that also
supports IPv6).

The customer pays for "2Gb" service (Comcast caps this at 2G+10% = 2.2Gbps)
and would like to get what he pays for (*cough*) by having the ability to
stream two 1Gbps streams (or at least achieve > 1.0Gbps).

I'm tempted to get another ACX-2100 and do a 4x1Gb LACP port-channel to the
customer switch, or replace the AV-integrator-installed Cisco SG300-52P
(Cisco switch with e.g. an EX-3300 with 10Gb uplinks).

Thanks in advance for your suggestions.

-Dave


Re: Dial Up Solutions

2015-10-19 Thread Michael Brown
> I didn't think Asterisk had modem DSP and RAS code?!

In a way:

https://wiki.asterisk.org/wiki/display/AST/Asterisk+11+Application_DAHDIRAS

You don't need Asterisk but you can use it for logic, etc.

M.


Re: Question re session hijacking in dual stack environments w/MacOS

2015-09-26 Thread Michael Brown
> Those site eventually learnt after much feedback not to assume on IPv4
> address continuity.

I could envision that those checks might now be relaxed to checking for
address continuity in the same /24 for instance.

But when you're seeing the same session being used from two wildly different 
places (in this case, IPv4 and IPv6) at the SAME TIME, that does seem rather 
suspicious in the absence of other information.

M.


Re: Seeing odd behaviour loading site over ATT

2015-05-12 Thread Michael Brown
Yes - is this flex reach wireless/4G?

I've observed past behaviour of image and page content optimization (i.e.
minifying, recompression) that causes problems for a site over this type of
connection when using plaintext.

M.

  Original Message  
From: Paul Lam
Sent: Tuesday, May 12, 2015 19:44
To: nanog@nanog.org
Subject: Seeing odd behaviour loading site over ATT

Hello all,

Wondering if anyone has encountered an issue where a website will load over 
https, but will only partially load over http using the same WAN connection. We 
are currently experiencing this behavior loading up a website hosted in AWS 
over an ATT Flex reach service in So Cal.

fuel
YOUTH ENGAGEMENT

Paul Lam | Network Administrator
T: +1(613) 224-6738 x257 | M:
www.fuelyouth.com


Re: FIXED - Re: Broken SSL cert caused by router?

2015-03-29 Thread Michael Brown
That's something I suspected at first, but discounted when you said your
laptop also failed at the site.

The first intermediate you installed took care of anything with the newer root
certificates installed.

But for your older 10.4 Mac clients (which presumably haven't had a root 
certificate bundle update in a while) that wasn't enough - the new root needed 
to be provided since from their perspective it's an intermediate.

M.

  Original Message  
From: Mike
Sent: Sunday, March 29, 2015 23:29
To: nanog@nanog.org
Subject: Re: FIXED - Re: Broken SSL cert caused by router?

On 03/28/2015 01:50 PM, Matt Palmer wrote:
> On Sat, Mar 28, 2015 at 09:05:38AM -0700, Mike wrote:
>> On 03/27/2015 10:34 AM, Frank Bulk wrote:
>>> Glad you figured that out.
>>>
>>> I've used three SSL evaluation websites to help me with intermediate
>>> certificate issues:
>>> https://www.ssllabs.com/ssltest/analyze.html (will show the names and
>>> details of the certs, missing or not)
>>> https://www.wormly.com/test_ssl (quick SSL tester, will point out if
>>> intermediate certificate is missing)
>>> https://www.digicert.com/help/ (will show a green chain link between certs
>>> when they're all there *and* in order)
>> I went back to Frank's list and did some additional testing. I have a
>> different server which was set up the same way as the previous one
>> discussed, and I thought I would use the above tools and see if my problem
>> would have been identified by any of them. I am sorry to report, no, none of
>> these either caught the problem either.
> Are you able to share the URL of the misconfigured site? It would be
> interesting to examine exactly what's going on.
>
> - Matt

SSLCertificateChainFile /etc/ssl/certs/gd_bundle-g2-g1.crt

I have actually fixed it.

What was going on seems to be this -

I have a new godaddy certificate for *.mydomain.com, and that is what I 
installed. However, the certificate chain I supplied was missing some 
intermediate godaddy certificate. Originally, it appeared I was missing 
'gdig2.crt', and once installed, that fixed some clients including the 
ones behind the meraki router. But then there were also some older 
clients this did not fix (a macos 10.4 something for example). So I went 
back and installed gd_bundle-g2-g1.crt in its place, and that seems to
have finally done it.

I apologize for the diminishing lack of operational content. It just 
seems that these ssl tests should be tightened up and perhaps some 
additional tools deployed out there to help us less knowledgeable folks 
'get it right'.


Mike-



Re: Fibre optic patch cables in Toronto area

2014-12-20 Thread Michael Brown
At this time of day?

Or in general?

In general there's Ingram Micro (distributor) whom we use, not sure what retail 
outlets would carry them.

You could try Sayal Electronics, that'd be a good bet.

M.
  Original Message  
From: Miguel Hernandez
Sent: Saturday, December 20, 2014 17:03
To: nanog@nanog.org
Subject: Fibre optic patch cables in Toronto area

Hello list, 

I'm looking to source some various fibre patch cables (LC to SC, 1-2M lengths) 
in the Toronto, Ontario area. 


Could you please point me to some shops where we could drop by to pick them up?



Thanks!

Miguel Hernandez


Re: Got a call at 4am - RAID Gurus Please Read

2014-12-09 Thread Michael Brown
If the serveraid7k cards are LSI and not Adaptec based (I think they are) you 
should just be able to plug in a new adapter and import the foreign 
configuration.

You do have a good backup, yes?

Switching to write-through has already happened (unless you specified
WriteBackModeEvenWithNoBBU - not the default) - these (LSI) cards by default
only WB when safe.

If WT, RAID10 much better perf. BUT you just can't migrate from R5 to R10 
non-destructively.

- Michael from Kitchener
  Original Message  
From: symack
Sent: Tuesday, December 9, 2014 16:04
To: nanog@nanog.org
Subject: Got a call at 4am - RAID Gurus Please Read

Server down. Got to colo at 4:39 and an old IBM X346 node with
Serveraid-7k has failed. Opened it up to find a swollen cache battery that
has bent the card in three different axes. Separated the battery. (i)
Inspect card and plug back in, (ii) reboot, and got (code 2807) Not
functioning
Return to (i) x3 got same result. Dusted her off and let it sit for a while
plugged in, rebooted to see if I can get her to write-through mode, disks
start spinning. Hooray.

Plan of action, (and the reason for my post):

* Can I change from an active (ie, disks with data) raid 5 to raid 10.
There are 4 drives
in the unit, and I have two on the shelf that I can plug in.
* If so, will I have less of performance impact with RAID 10 + write-thru
than RAID 5 + write through
* When the new raid card comes in, can I just plug it in without losing my
data? I would:

i) RAID 10
ii) Write-thru
iii) Replace card

The new card is probably coming with a bad battery that would put us kind
of in square one. New batteries are 200+ if I can find them. Best case
scenario is move it over to RAID 10+Write-thru, and feel less of the
performance pinch.

Given I can move from RAID 5 to RAID 10 without losing data. How long to
anticipate downtime for this process? Is there heavy sector re-arranging
happening here? And the same for write-thru, is it done quick?

I'm going to go lay down just for a little while.

Thanks in Advance,

Nick from Toronto.


Re: abuse reporting tools

2014-11-18 Thread Michael Brown
We need to come up with some sort of international Abuse Reduction and 
Reporting Engagement Suite of Tools as a Service.

M.
  Original Message  
From: Mike
Sent: Tuesday, November 18, 2014 19:59
To: nanog@nanog.org
Subject: abuse reporting tools

Hello,

I provide broadband connectivity to mostly residential users. Over the
past few years, instances of DDoS against the network - specifically
targeting end users - has been on the rise, and today I can qualify many
of these as simple acts of revenge where someone will engage a dos
(possibly, services like 'booters' or similar) because they lost an
online game or had some interactive in a forum they didn't like. I have
good 'consumer broadband' filtering rules in place which make sense and
protect against quite a lot of obviously ddos oriented traffic streams.
The next step I want to engage, for those types of traffic which I can
positively identify as not spoofed, is to send out abuse reports to
owners of ip ranges used to launch these attacks. Ideally I'd like to be
able to write up some form letter describing the attack, the source
ip(s) of note, some disassembled sample packets, and then feed a list of
IP source addresses and have it mail it out to the abuse contact at each
source network. I am wondering if anyone has a pointer or reference to
any tools which might help facilitate this?

Thank you.

Mike-


Re: Tech Laptop with DB9

2014-11-10 Thread Michael Brown
Also worth mentioning: in a pinch they work great on Android and BlackBerry 
(Z30) devices with USB OTG support.

From memory I believe both pl2303 and FTDI work.

Another laptop option is an ExpressCard to serial adapter:
http://www.brainboxes.com/serial-expresscard

Disclaimer: this was merely the first Google result.

M.
  Original Message  
From: joel jaeggli
Sent: Monday, November 10, 2014 16:19
To: Max Clark; nanog@nanog.org
Subject: Re: Tech Laptop with DB9

ftdi chipsets work on both mac and windows devices.

http://www.amazon.com/Serial-Console-Rollover-Cable-Routers/dp/B00M2SAKMG/ref=sr_1_16?s=electronics&ie=UTF8&qid=1415653377&sr=1-16&keywords=ftdi+serial

On 11/10/14 10:39 AM, Max Clark wrote:
> Hi all,
>
> DB9 ports seem to be a nearly extinct feature on laptops. Any
> suggestions on a cheap laptop for use in field support (with an onboard
> DB9)?
>
> Thanks,
> Max




Re: TCP Window Scaling issue

2014-07-24 Thread Michael Brown
On 14-07-24 12:25 PM, Tony Finch wrote:
> Zach Hill zach.reb...@gmail.com wrote:
>
>> What's interesting is this is only affecting a single server and only
>> when traffic is going over the WAN circuit. Testing from Server A to any
>> server on its network shows it is negotiating window scaling just fine.
> Check your firewall isn't buggering about with TCP options.
>
> Tony.
This, exactly. I diagnosed this issue a while back with our Checkpoint
firewall - it didn't understand TCP window scaling so it would blindly
zero out the field and cause nightmares.

M.




Re: TCP Window Scaling issue

2014-07-24 Thread Michael Brown
On 14-07-24 12:30 PM, Zach Hill wrote:
> Hi Tony. No firewall in the way.
>
> Physical flow is as below.
>
> Server A - Nexus 7k - 3845 router - Sprint MPLS - 3845 router - Cisco
> 3750x stack - Server B

I blame the cloud.

Dump the actual packets as they leave Server A and arrive at Server B
(and vice-versa!). Does it get modified en route?

M.

-- 
Michael Brown            | The true sysadmin does not adjust his behaviour
Systems Administrator    | to fit the machine.  He adjusts the machine
mich...@supermathie.net  | until it behaves properly.  With a hammer,
                         | if necessary.  - Brian
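
Added example, not part of the original thread: one way to carry out the comparison suggested in the two replies above is to parse the TCP options of the same SYN as captured at each end and diff them. The header bytes are constructed samples (bare TCP headers, no IP layer), and all function and variable names are illustrative.

```python
import struct

# TCP option kinds (RFC 9293, RFC 7323, RFC 2018)
EOL, NOP, MSS, WSCALE, SACK_OK = 0, 1, 2, 3, 4
NAMES = {MSS: "MSS", WSCALE: "Window Scale", SACK_OK: "SACK Permitted", 8: "Timestamps"}


def build_segment(flags, window, options):
    """Build a bare TCP header (no IP layer) for the constructed samples below."""
    options += bytes([NOP]) * (-len(options) % 4)  # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0,
                       offset << 4, flags, window, 0, 0) + options


def parse_tcp_options(segment):
    """Return {kind: value bytes} for the options in a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (segment[12] >> 4) * 4
    if not 20 <= header_len <= len(segment):
        raise ValueError("bad data offset")
    options, i = {}, 20
    while i < header_len:
        kind = segment[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("option without a length byte")
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("bad option length")
        options[kind] = segment[i + 2:i + length]
        i += length
    return options


def window_scale(segment):
    """Shift count carried in the Window Scale option, or None if absent."""
    value = parse_tcp_options(segment).get(WSCALE)
    return value[0] if value is not None and len(value) == 1 else None


def max_window(shift):
    """Largest receive window that can be advertised with this shift count."""
    return 0xFFFF << (shift or 0)


def compare_captures(sent, received):
    """Describe how the options differ between the two capture points."""
    a, b = parse_tcp_options(sent), parse_tcp_options(received)
    findings = []
    for kind in sorted(set(a) | set(b)):
        name = NAMES.get(kind, f"option {kind}")
        if kind not in b:
            findings.append(f"{name} removed in transit")
        elif kind not in a:
            findings.append(f"{name} added in transit")
        elif a[kind] != b[kind]:
            findings.append(f"{name} rewritten: {a[kind].hex()} -> {b[kind].hex()}")
    return findings


# Constructed sample data: one SYN as captured leaving Server A ...
COMMON = bytes([MSS, 4, 0x05, 0xB4, SACK_OK, 2, NOP])
SYN_AT_A = build_segment(0x02, 29200, COMMON + bytes([WSCALE, 3, 7]))
# ... and two ways a middlebox could hand it to Server B.
SYN_AT_B_STRIPPED = build_segment(0x02, 29200, COMMON + bytes([NOP, NOP, NOP]))
SYN_AT_B_ZEROED = build_segment(0x02, 29200, COMMON + bytes([WSCALE, 3, 0]))

if __name__ == "__main__":
    for label, seen in (("stripped", SYN_AT_B_STRIPPED), ("zeroed", SYN_AT_B_ZEROED)):
        shift = window_scale(seen)
        print(label, compare_captures(SYN_AT_A, seen), "max window", max_window(shift))
```

Either rewrite leaves the receive window capped at 65535 bytes, which is why the symptom shows up on the high-latency WAN path and not on the local network.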



Re: IPv6 at 50% for VZW (Re: NAT IP and Google)

2014-05-22 Thread Michael Brown
On 14-05-22 08:55 AM, Christopher Morrow wrote:
> Coke Classic managed to outlast NewCoke... pattern repeating?
Coke Classic changed as well.

NAT44: the high-fructose corn syrup of IPv4.

M.




Re: Cisco warranty

2014-04-03 Thread Michael Brown
On 14-04-03 12:44 PM, Laurent CARON wrote:
> I bought a C3750G-12S which is now end of sale on cisco website. This
> device is now defective.
>
> Since I bought it from a reseller and not directly from cisco, cisco
> is refusing to take it under warranty and tells me to have the
> reseller take care of it.
>
> The reseller doesn't want to hear about this device since it is end of
> sale.
Did you purchase SMARTnet when you bought the device? If you didn't,
you're probably SOL.
> According to cisco website, end of sale means the device is still
> covered for 5 years.
This is not base warranty - this is potential coverage. Base warranty is
90 days: http://www.cisco.com/go/warranty
> My question is: Is it normal for my supplier to refuse to take it
> under warranty?
See above.
> Is there (from your experience) a chance I might get cisco to deal
> with it ?
Not likely.

Specific information for this product's EOL is here:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/eol_c51-696372.html

You'll need to have a service contract associated with the device
(SMARTnet).

Unfortunately for you, from that page:

End of New Service Attachment Date: January 30, 2014
For equipment and software that is not covered by a service-and-support
contract, this is the last date to order a new service-and-support
contract or add the equipment and/or software to an existing
service-and-support contract.

So if you don't already have SMARTnet, you're probably out of luck.

M.




Re: L6-20P - L6-30R

2014-03-18 Thread Michael Brown
The connectors are definitely distinct and incompatible, you won't be able to
force a 20 into a 30 or vice versa.

So yes, one of the ends has been changed.

M.

  Original Message  
From: Randy
Sent: Tuesday, March 18, 2014 18:42
To: nanog@nanog.org
Reply To: a...@djlab.com
Subject: L6-20P - L6-30R

I have a situation where a 208v/20A PDU (L6-20P) is supposedly hooked to 
a 208v/30A circuit (L6-30R). Before I order the correct PDU's and whip 
cords...sanity check...are connectors 'similar' enough that this is 
possible (with force) or am I going to find we've actually got L6-20R's 
on the provider side?

-- 
~Randy




Re: Where does Downstream server error come from?

2014-01-19 Thread Michael Brown


Re: turning on comcast v6

2013-12-09 Thread Michael Brown

On 13-12-09 11:19 AM, Christopher Morrow wrote:

> yea, so my 'saga' started with:
>    1) dlink 615 doesn't like dhcp-pd ... and is flat broken for v6
I had very borken things happen at home on my dlink-615 with their 
busted-ass IPv6 code. Specifics are here: 
http://serverfault.com/q/252083/2101


Although in that case, I wasn't trying to use it to route anywhere. It 
really was written as though it Would Be the gateway.


The dlink stock firmwares even have support for he.net and other tunnel 
brokers now. But the stack isn't nearly as mature and there's too few users.


pfSense is the way to go here.

I'll try re-deploying the dir-615 as an IPv6-only gateway device and
see how it behaves.


M.





Re: turning on comcast v6

2013-12-09 Thread Michael Brown

On 13-12-09 01:19 PM, John Lightfoot wrote:

> We don't even support IPv5 yet, so it will be a while before we support v6.
Naturally, as the odd-numbered releases of IP are experimental. They 
should be focusing on the even-numbered releases for production use.


M.





Re: Any computer, anywhere?

2013-12-08 Thread Michael Brown


Re: Any computer, anywhere?

2013-12-08 Thread Michael Brown

On 13-12-08 03:24 AM, Warren Bailey wrote:

> http://m.washingtonpost.com/business/technology/2013/12/06/352ba174-5397-11e3-9e2c-e1d01116fd98_story.html
>
> Noticed this tonight.. Not saying the WP is always on target, but what software
> could be installed via a browser on any computer to gather all of that data?
> And how would it be done without the OS speaking up about it? Far fetched.. Or
> do the Firefox / chrome guys have some 'splainin to do?
Let's remember that the information in the article was filtered through 
no less than two people who don't fully speak tech. I think I can 
translate it back:


«The FBI crafted a custom piece of malware targeting Mo, designed to
snoop his activities. A link was emailed to Mo in a spear phishing
attack in an attempt to get him to download and install the malware from
the FBI's monitored servers.


The attempt failed; the software was downloaded but never executed in a 
manner enabling the software to send back information to the FBI.»


Nothing too special. I wonder if Mo had the balls to submit the software 
to Sophos etc. for malware analysis. :)


M.




Re: Empty messages (was Re: Any computer, anywhere?)

2013-12-08 Thread Michael Brown

On 13-12-08 04:59 PM, Larry Sheldon wrote:

> On 12/8/2013 8:13 AM, Michael Brown wrote:
>
> I've been getting several of these (empty messages) from different
> people and on different subjects but always on the NANOG list.
>
> Secret messages?  Or is NSA sucking too hard?

This I can solidly attribute (at least in my case) to the fact that 
BlackBerry 10 devices only send emails with a text/html part and no 
text/plain part.


I've seen this cause problems in a few places - notably in services that 
automatically parse emails for replying to forums/chat/etc. (Discourse &
kato.im and now the nanog list which strips text/html). Somewhere I have 
a nice little python snippet I wrote for extracting text out of the html.


It's convenient when you're *expecting* it (you can use the html div 
information to separate out the actual reply vs. the signature vs. the 
quoted text) but when you're expecting to be able to use text/plain, 
it's just not there.


(arguments over who is being a worse Internetizen - BB for not having 
text/plain or Mailman/Mimedel for stripping out text/html when there's 
no text/plain are not included in this :D )


M.

--
Michael Brown            | The true sysadmin does not adjust his behaviour
Systems Administrator    | to fit the machine.  He adjusts the machine
mich...@supermathie.net  | until it behaves properly.  With a hammer,
                         | if necessary.  - Brian
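
Added example, not the snippet the post mentions and not code from the thread: a standard-library sketch of the failure described above, where a message with only a text/html part comes out empty once HTML parts are dropped, and of deriving a text/plain alternative before it reaches such a filter. The sample message is constructed, `list_filter` is an assumed model of the list's behaviour as the post describes it, and all names are illustrative.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser


class TextExtractor(HTMLParser):
    """Collect visible text, turning block-level tags into line breaks."""
    BLOCK = {"p", "div", "br", "li", "tr", "h1", "h2", "h3", "blockquote"}
    SKIP = {"script", "style", "head"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip_depth += 1
        elif tag in self.BLOCK:
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip_depth:
            self.skip_depth -= 1
        elif tag in self.BLOCK:
            self.chunks.append("\n")

    def handle_data(self, data):
        if not self.skip_depth:
            self.chunks.append(data)


def html_to_text(html):
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    lines = (" ".join(line.split()) for line in "".join(parser.chunks).splitlines())
    return "\n".join(line for line in lines if line)


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def list_filter(msg):
    """Assumed model of the list: only text/plain parts survive."""
    return "\n".join(part.get_content().strip() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def add_plain_alternative(msg):
    """Return a message that carries a text/plain part derived from the HTML."""
    if list_filter(msg):
        return msg                      # already has usable plain text
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return msg                      # nothing to derive text from
    fixed = EmailMessage()
    for name in ("From", "To", "Subject"):
        if msg[name]:
            fixed[name] = msg[name]
    fixed.set_content(html_to_text(html_part.get_content()))
    fixed.add_alternative(html_part.get_content(), subtype="html")
    return fixed


# Constructed sample: an HTML-only message of the kind described in the post.
SAMPLE = """\
From: sender@example.org
To: list@example.org
Subject: Re: Any computer, anywhere?
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><style>div{color:#000}</style></head><body>
<div>Nothing too special.</div><div><br></div><div>M.</div>
<div>Original Message</div>
</body></html>
"""

if __name__ == "__main__":
    original = parse(SAMPLE)
    print("as posted  :", repr(list_filter(original)))
    print("with plain :", repr(list_filter(add_plain_alternative(original))))
```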




Re: Empty messages (was Re: Any computer, anywhere?)

2013-12-08 Thread Michael Brown

On 13-12-08 10:02 PM, Jorge Amodio wrote:

> Same here, they are written with invisible bits, like invisible ink. You have
> to drop some special lemon juice on your email client to be able to see it.

Lemon juice as promised, to be applied prior to de-HTML-izing email:

http://stackoverflow.com/q/20462965/93180

M.





Re: APC UPS Advice/Guidance for Canada 120/240

2013-08-16 Thread Michael Brown
On 13-08-16 05:47 PM, Nick Khamis wrote:
> We are in the market for a APC UPS, and had a few questions. We are not
> that familiar with APC, and was hoping for some clarity. Our power demands
> will be for a unit that will sustain 3 kW/4 kVA scalable to 8 kVA.
The model you're looking at looks good for your needs. The electrical
spec sheet seems WAY more readable than the webpage by the way:
http://www.apcmedia.com/salestools/ASTE-6Z8LSA/ASTE-6Z8LSA_R0_EN.pdf

The reason you're looking at the input voltage on the webpage and
getting confused is probably:
Input voltage range for main operations: 96 - 138V (Line to Neutral)

What that REALLY means is that it will function as long as the incoming
line voltage is in the 122±16V bracket (i.e. the UPS can tolerate under
and over-voltages). That's hot-to-neutral voltage.

Now, in Canada when you're running on 208V you're USUALLY getting two
hot phases at 120° phase offset (each at 120V hot-to-neutral) giving you
an RMS voltage (think of it as the time-based mean voltage) of 208V, not
the 240V hot-to-neutral you may be used to... elsewhere. Sometimes you'll
get two hot lines of 120V at 180° phase offset, giving you 240V. In rare
cases you'll actually get 240V hot-to-neutral.

This UPS will be happy with either (it says on the spec sheet: Input
voltage: 200, 208, or 240).

As for the output, first a quick primer on reading the NEMA plug types:

*$LOCK$VOLTAGE-$AMPERAGE$END*
LOCK = L |  (if L, it means twist lock end)
VOLTAGE = 5 | 6 | 14 (5?120V, 6?208 or 240V, 14?120/240V combo i.e. 2
hots, neutral and ground)
AMPERAGE = 15 | 20 | 30 (literally 15A / 20A / 30A)
END = P | R (Plug or Receptacle)

So you'll want to plug your 120V PDU into the L5-20R receptacle and
you'll need a cable with an L5-20P at one end and a C13 or C19 (depending
on what your PDU takes as input) on the other. Such as:
http://ca.startech.com/Cables/Computer-Power/External/8ft-IEC320-C-19-to-NEMA-L5-20P-123C-Power-Cord~PXTL520C198

(btw, do note that those two L5-20R outlets only give you 4800VA × 0.8
of total power. You'll need to hardwire or use the L14 receptacles as well)

As far as STONITH goes, the only control you'll have is all ports off or
all ports on. You'll want a PDU with switched outlets if you need more
granular control.

(plug time: if you want more help speccing this out and a quote, feel
free to email me at netdirect.ca as we can sell this).

M.

-- 
Michael Brown            | The true sysadmin does not adjust his behaviour
Systems Administrator    | to fit the machine.  He adjusts the machine
mich...@supermathie.net  | until it behaves properly.  With a hammer,
                         | if necessary.  - Brian



Re: APC UPS Advice/Guidance for Canada 120/240

2013-08-16 Thread Michael Brown
On 13-08-16 10:33 PM, Michael Brown wrote:
> VOLTAGE = 5 | 6 | 14 (5?120V, 6?208 or 240V, 14?120/240V combo i.e. 2
> hots, neutral and ground)
That would be:

VOLTAGE = 5 | 6 | 14 (5-120V, 6-208 or 240V, 14-120/240V combo i.e. 2 hots, 
neutral and ground)

The mailing list ate my Unicode arrows. Nom nom.

M.

-- 
Michael Brown            | The true sysadmin does not adjust his behaviour
Systems Administrator    | to fit the machine.  He adjusts the machine
mich...@supermathie.net  | until it behaves properly.  With a hammer,
                         | if necessary.  - Brian




Re: which firewall product?

2013-07-30 Thread Michael Brown
In the pfSense UI, you create the physical interface as a GRE tunnel
then assign it to a logical interface against which you can apply the
firewall rules:



The screenshot is a GIF IPv6 he.net tunnel (this is 2.1RC0) but it works
the same way on 2.0.1.

Works great!

M.

On 13-07-30 04:10 PM, Charles N Wyble wrote:
> Not sure how bsd handles ipip connections. If it breaks them out as a
> dedicated interface (like it does for openvpn connections), then rules can
> be applied and pfsense would be quite useful. The UI is very simple.

-- 
Michael Brown            | The true sysadmin does not adjust his behaviour
Systems Administrator    | to fit the machine.  He adjusts the machine
mich...@supermathie.net  | until it behaves properly.  With a hammer,
                         | if necessary.  - Brian



Re: 48V DC Terminal server recommendations

2013-07-24 Thread Michael Brown
On 13-07-24 10:59 AM, Jeremy Bresley wrote:
> Looking for recommendations on a good terminal server to put into a
> telco colocate facility.
>
> Requirements:
> 8-16 ports for Cisco console access (RJ-45s preferred, DB9s if we have
> to)
> -48V DC power
> USB/internal modem for OOB access
> NEBS Level 1 (or better) compliance.

Avocent's (formerly Cyclades) ACS devices meet all of your constraints:

http://www.emersonnetworkpower.com/documents/en-us/brands/avocent/documents/datasheets/01/acs6000-ds-en.pdf

M.

-- 
Michael Brown            | The true sysadmin does not adjust his behaviour
Systems Administrator    | to fit the machine.  He adjusts the machine
mich...@supermathie.net  | until it behaves properly.  With a hammer,
                         | if necessary.  - Brian



Re: gTLDs opened up

2013-07-11 Thread Michael Brown
On 13-07-11 04:08 PM, Alex Buie wrote:
> Am I missing something, or is that purporting to be an IPv4 address
> beginning with 478?
Heh... it seems as though they mistyped '*78.47.115.194*' there.


> 7 - How to distinguish between identical TLDs?
>
> Within the Icann framework, names such as: tube.com, tube.net,
> tube.org, etc. allow in principle to differentiate different domains
> under the same name.
>
> Within the open root framework, if there are several .tube, one will
> distinguish them according to the root being activated.

Wait... so 'open root' isn't a single alternative root namespace? It's
different depending on... near as I can tell which part of the planet
you're in?

Or is the product multiple independent roots... are you buying your own
'.' tree or a 'tld.' tree?

Clearly, this will work?

Is this the future? Visit my site at
http://fluttershy.turgid.wonka.^78.47.115.194/index.go;

-- 
Michael Brown            | The true sysadmin does not adjust his behaviour
Systems Administrator    | to fit the machine.  He adjusts the machine
mich...@supermathie.net  | until it behaves properly.  With a hammer,
                         | if necessary.  - Brian



Re: non operational question related to IP

2010-11-22 Thread Michael Brown
On 11/22/2010 02:58 PM, Steven Bellovin wrote:
> 010 is how C represents an octal number.  This one is known in decimal as 8.
Obviously, what Greg meant to type was:
$ ping 012.0xA.10.1
PING 012.0xA.10.1 (10.10.10.1) 56(84) bytes of data.

M.

-- 
Michael Brown           | The true sysadmin does not adjust his behavior
Systems Administrator   | to fit the machine.  He adjusts the machine
mich...@supermathie.net | until it behaves properly.  With a hammer,
                        | if necessary.  - Brian
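
The ping in the message above resolves 012.0xA.10.1 to 10.10.10.1 because classic inet_aton-style parsers read each component as a C integer literal. As an added example (not part of the original thread), this Python code applies those rules to canonicalise an address and checks whether the input was already strict dotted decimal, which matters when addresses are compared as text in ACLs or logs. The function names and the sample list are hypothetical and constructed for illustration.

```python
"""Added example: classic inet_aton-style IPv4 text parsing (not from the thread)."""

# Constructed sample inputs; the first is the address pinged in the post above.
SAMPLES = ["012.0xA.10.1", "010.10.10.1", "10.10.10.1", "0x0A0A0A01", "10.10.2561"]

def parse_part(text):
    """Parse one component as a C integer literal: 0x.. hex, 0.. octal, else decimal."""
    lower = text.lower()
    if lower.startswith("0x"):
        digits, base = lower[2:], 16
    elif len(lower) > 1 and lower.startswith("0"):
        digits, base = lower[1:], 8
    else:
        digits, base = lower, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(ch not in allowed for ch in digits):
        raise ValueError(f"bad base-{base} component: {text!r}")
    return int(digits, base)

def inet_aton_classic(addr):
    """Return canonical dotted-decimal text for a 1-4 component address."""
    parts = [parse_part(p) for p in addr.split(".")]
    if len(parts) > 4:
        raise ValueError("too many components")
    *head, last = parts
    # Each leading component is one byte; the last one fills the remaining bytes.
    if any(p > 0xFF for p in head) or last >= 1 << (8 * (4 - len(head))):
        raise ValueError(f"component out of range: {addr!r}")
    value = last
    for i, p in enumerate(head):
        value |= p << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def is_strict_dotted_decimal(addr):
    """True only for four decimal components, 0-255, with no leading zeros."""
    parts = addr.split(".")
    return len(parts) == 4 and all(
        p.isascii() and p.isdigit() and (p == "0" or p[0] != "0") and int(p) <= 255
        for p in parts
    )

def report(samples=SAMPLES):
    """Pair each input with its canonical form and whether it was already strict."""
    return [(s, inet_aton_classic(s), is_strict_dotted_decimal(s)) for s in samples]

if __name__ == "__main__":
    for text, canonical, strict in report():
        print(f"{text:>14} -> {canonical:<12} strict={strict}")
```

Storing or comparing the canonical form keeps 010.10.10.1 (which is 8.10.10.1) from being mistaken for 10.10.10.1 in a text-based rule.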