Re: netstat -s

2019-08-06 Thread Mike O'Connor
:On Jul 17, 2019, at 20:54, Randy Bush  wrote:
:> 
:> do folk use `netstat -s` to help diagnose on routers/switches?

Yes, for sufficiently Unix-y routers/switches.

:I have used netstat -s on hosts to look at error counters if a switch or
:router was suspect.
:But that was a while ago (anyone remember when NFS corrupted all your files if
:one of your routers or the NIC had a bit error outside the protection provided
:by the Ethernet CRC?).
:
:Today, I have the problem that netstat -s doesn’t seem to work right on macOS.
:Many counter values are nonsensical, or simply zero.  
:I was guessing this was due to NIC offload, but I haven’t analyzed further.  
:If anyone knows more about recent macOS netstat -s, I'd love to hear more
:details.

"sudo netstat -s" is your friend.

-Mike

-- 
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Puny god." -Hulk




Re: QoS for Office365

2019-07-09 Thread Mike O'Connor
:How do you deal with QoS for Office365, since the IPs are subject to changes ?

How often is the data in:

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service

out of date?  


-Mike

-- 
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Nothing unreal exists." -Kiri-Kin-Tha's First Law Of Metaphysics


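As an added illustration (not code from this thread), here is one way to turn the IP web service's endpoint data into a QoS prefix list and to detect what changed between two pulls. The JSON below is a constructed sample in the shape of the service's "endpoints" output, using documentation address ranges rather than real Microsoft prefixes; the field names (`category`, `required`, `ips`) follow the published format as I know it and are an assumption here.

```python
import ipaddress
import json

# Constructed samples in the shape of the Office 365 IP web service's
# "endpoints" output (field names assumed from the published format;
# 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges).
OLD = json.loads("""[
 {"id": 1, "serviceArea": "Skype", "ips": ["192.0.2.0/25", "2001:db8:1::/48"],
  "udpPorts": "3478,3479", "category": "Optimize", "required": true},
 {"id": 2, "serviceArea": "Exchange", "ips": ["198.51.100.0/24"],
  "tcpPorts": "443", "category": "Allow", "required": true}
]""")
NEW = json.loads("""[
 {"id": 1, "serviceArea": "Skype", "ips": ["192.0.2.0/24", "2001:db8:1::/48"],
  "udpPorts": "3478,3479", "category": "Optimize", "required": true},
 {"id": 2, "serviceArea": "Exchange", "ips": ["198.51.100.0/24"],
  "tcpPorts": "443", "category": "Allow", "required": true}
]""")


def prefixes(endpoints, category="Optimize"):
    """Return the set of networks the service marks with `category`.
    URL-only entries carry no "ips" key, so default to an empty list."""
    out = set()
    for ep in endpoints:
        if ep.get("category") == category and ep.get("required"):
            for cidr in ep.get("ips", []):
                out.add(ipaddress.ip_network(cidr))
    return out


def qos_delta(old, new, category="Optimize"):
    """Prefixes to add to / remove from the QoS match list between two pulls.
    key=str because IPv4Network and IPv6Network objects do not compare."""
    before, after = prefixes(old, category), prefixes(new, category)
    return sorted(after - before, key=str), sorted(before - after, key=str)


def acl_lines(nets, name="O365-OPTIMIZE"):
    """Render the IPv4 prefixes as IOS-style prefix-list lines (one platform's syntax)."""
    return [f"ip prefix-list {name} permit {n}"
            for n in sorted(nets, key=str) if n.version == 4]


if __name__ == "__main__":
    add, rem = qos_delta(OLD, NEW)
    print("add:", [str(n) for n in add], "remove:", [str(n) for n in rem])
    print("\n".join(acl_lines(prefixes(NEW))))
```

In practice the two snapshots come from successive fetches of the endpoints URL, and the delta is what has to be pushed to the QoS policy.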


Re: a quick survey about LLDP and similar

2019-03-01 Thread Mike O'Connor
:Hello,
:having a bit of a debate in my team about turning on LLDP and/or CDP.
:I would appreciate if you could spend a minute answering this
:survey so I have some numbers to back up my reasoning, or to accept
:defeat.
:
:https://www.surveymonkey.com/r/TH3WCWP

"Is LLDP / CDP that evil?" -- geez.

Ask a leading question, get a leaden answer.  

It's clear what your biases are from the first few questions you ask.
It _might_ be more interesting for you to present the points of view
within your team.  

FWIW, my most recent foray into LLDP involved advising to turn it off
for some systems.  There were defects specific to the implementation
on particular hardware, and I had a strange desire to not make my head
hurt.  I didn't label it evil, but it just wasn't a situation where I
wanted "guinea pig" treatment while the vendor sorted out LLDP.


-Mike

-- 
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"We buy junk and sell antiques."   -Anguished English




Re: Foundry FastIron

2017-12-29 Thread Mike O'Connor
:A client of mine has some Foundry FastIron Edge X424HFs.
:
:Brocade and Extreme don't seem overly ambitious to help.

Brocade EOL'ed those old FESX-4 switches themselves on 03/31/2011, 
with EOS in 2016.  This was before Brocadecom spun off to Extreme.

:Anyone have any documentation they can scrounge up? SFP compatibility list?
:The ones I see in there already look substantially like the ones I get from
:FiberStore, but that doesn't mean much.

Can't help you there, sorry...  

:Do they still sell support on these? I'm largely just interested in newer
:firmware for them. I don't think they were updated since they left the factory
:and there are a few quirks I'm hoping they addressed at some point.

Depending on your bother, check out the FESX424-L3U "Layer 3 Upgrade
Kit".  That particular software piece looks like it gets support for
another few months, if I am to believe Brocade's website (which only
has the FESX-6 EOL notice, not the older FESX-4 one).

http://www.brocade.com/en/backend-content/pdf-page.html?/content/dam/common/documents/content-types/end-of-life-notice/brocade-fastiron-edge-x-6-end-of-life-notice.pdf

-Mike

-- 
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Take me out... to the black.  Tell 'em I ain't comin' back."-Firefly




Re: Google DNS intermittent ServFail for Disney subdomain

2017-10-23 Thread Mike O'Connor
:I know it doesn't help your problem, but friends don't let friends use public 
DNS resolvers (Google, L3, Open DNS, etc.). ;-) 

I've been experimenting with using Google's DNS resolvers for Google's
assorted domains.  At some point, I keep meaning to add Google's address
space as in-addr.arpa domains, but just haven't gotten there yet.  

Why?  Just curious, that's all.  Thus far, I haven't really noted any
major differences, but wasn't sure what to expect.  Maybe something
would be notably faster/slower, maybe different results/ads/whatever,
I dunno.  It just seemed reasonable to punt Google DNS to Google DNS
and see how things work.  YMMV, void where prohibited.


~Mike

-- 
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"If you have enough plutonium, everything starts looking like a city."  -Ches




Re: Favorite Speed Test Systems

2016-12-06 Thread Mike O'Connor
:On 05-12-2016 16:34, Nick Ryce wrote:
:> For testing downloads, fast.com is pretty nice
:> 
:
:The problem with fast.com is that they use HTTPS for the test. The user needs
:a fast computer to decode the SSL at full speed. Even if you have a very fast
:computer the test will max out at 100-200 Mbps because the Netflix servers
:are apparently not able to encode SSL any faster. Maybe we would get better
:speed if multiple SSL connections were used.

I've run into the opposite problem -- fast.com sporadically reporting
1+ Gbps times for circuits that are only 20-40 Mbps.  There are no obvious
client-side issues -- no proxying, interesting browsers, etc.  fast.com
is glitchy just often enough to give some friends of mine silly glee
when it misreports.

-Mike

--
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"A superhero should always speak from his diaphragm!"   -The Tick




Re: NTP versions in production use?

2015-07-12 Thread Mike O'Connor
:Thanks, and I'm kinda stunned that folks are running such ancient
:versions of NTP.

I suggest you get accustomed to being stunned.  

:https://support.ntp.org/bin/view/Dev/ReleaseTimeline
:
:4.2.0 was EOL'd in June of 2006, and we've fixed about 3,000 issues in
:the codebase since then.

4.2.0 may have been EOL'd in 2006, but it was still shipping as the
default in FreeBSD until 2009. 

Out of those 3000 issues, only a tiny fraction are security-related
that would apply to JunOS.  I expect that they backport security and
other fixes as necessary, until some bigger engineering effort and|or
headache calls for a forklift/mass upgrade of things.


-- 
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Fire me, boy!" -The Human Bullet




Re: the little ssh that (sometimes) couldn't

2012-10-29 Thread Mike O'Connor
:
:corruption!
:
:
:http://mina.naguib.ca/blog/2012/10/22/the-little-ssh-that-sometimes-couldnt.html

I ran into a similar issue with a customer just a few days ago!  The
customer's theory was that there was something badly wrong with their
dorky gateway/switch (which we sold and support).  ssh was
timing out, with a SSH2_MSG_KEX_DH_GEX_GROUP hang/failure during the
ssh protocol exchange.  Based on that, some wireshark captures, and
stray Google droppings, I advised them to ratchet down the MTU to
make things work.  Through bisectional MTU settings and pinging, we
arrived at an MTU of 850.  And I initially started cursing at the
switch (because that helps move packets, really :) ).

Turns out -- the ssh server in question was running RHEL 5.x Linux,
and that was the key.  Even though "ip route show cache" looked sane,
"ip route flush cache" (which I had them run, just on a lark) made 
the problem go away.  So it probably wasn't my switch (unless it had
done something untoward in the distant past that induced some weird
Linux stack bug).

I'm mostly posting this because I was wondering if anyone else had
run into an MTU of 850 before.  Is that a "magic number" that rings
any bells (or has anyone else seen the Linux route cache behavior I did)?

-Mike

-- 
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"It is now the age of now."-Non Campus Mentis


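The MTU bisection described above, as an added example rather than anything from the post: a binary search over don't-fragment pings, with the probe injected so the search can be exercised against a simulated path. `linux_ping_probe` assumes Linux iputils `ping` (`-M do` sets DF, `-s` sets the ICMP payload size) and the 28-byte IPv4+ICMP overhead; `simulated_path` is a constructed stand-in for a real path.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def linux_ping_probe(host, payload, timeout=2):
    """Send one don't-fragment echo carrying `payload` data bytes and report
    whether a reply came back. Assumes Linux iputils ping: -M do sets DF,
    -s sets the payload size, -W is the reply timeout in seconds."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do",
           "-s", str(payload), host]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def find_path_mtu(probe, lo=68, hi=1500):
    """Binary-search the largest IP packet size for which probe(payload)
    succeeds, where payload = size - 28. Returns None when even `lo` (the
    IPv4 minimum) fails, i.e. the fault is not packet size at all.
    Assumes a monotonic path: once one size fails, every larger size fails."""
    if not probe(lo - IP_ICMP_OVERHEAD):
        return None
    good, bad = lo, hi + 1  # invariant: `good` passes; `bad` fails or is the cap
    while bad - good > 1:
        mid = (good + bad) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            good = mid
        else:
            bad = mid
    return good


def simulated_path(path_mtu):
    """Constructed stand-in for a real path: DF packets above path_mtu are dropped."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda p: linux_ping_probe(host, p)) if host else simulated_path(850)
    print("largest working MTU:", find_path_mtu(probe))
```

A bisection that lands on an odd value like 850, which a route cache flush then makes unnecessary, points at stale per-destination PMTU state as in the post rather than at a link with a genuinely small MTU.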


Re: Mobile Looking Glass?

2010-10-06 Thread Mike O'Connor
:Anyone know of an iPhone application for checking public Looking Glass servers?
:
:Boss called me in a panic when I was out for lunch to check on something and
:would make my life much easier but searching for stuff on iTunes is awful.

If you have an AIM or Jabber client on your iPhone, there's bgpbotz:

http://software.merit.edu/bgpbotz/

I've used it successfully via AIM on my phone a couple times -- worked
like a champ.

--
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"YOU MUST OBEY ME BECAUSE I'M LOUD!" -Dogbert



Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]

2010-06-09 Thread Mike O'Connor
:I think anyone in their right mind would agree that if a provider sees
:criminal activity, they should take action, no?

What a provider "should" do and what makes sense under the law of the
land are two different things.

:If that also holds true, then why doesn't it happen?

The laws pertaining to what's required of people when witnessing a
crime vary by locality within the U.S.  I dunno how they work for
the rest of the NANOG audience.  What is required of people versus
what's required of corporate entities varies, too.  "Good Samaritan"
laws are hardly universal, and don't always play well with the other
laws of the land.  

Things can get ugly when some murky behavior gets retroactively deemed
a crime (perhaps by some tech-challenged judge or jury) and a provider
becomes an accessory after the fact.  "You mean, the DMCA makes THAT
illegal?!?"  Or, perhaps a provider tries to take some small action in
the face of a crime, then is deemed to have a "special relationship"
making them liable for not being quite helpful enough.  "You mean, I
have to rebuild my entire network because my customer support rep has
reported bad behavior to the authorities?"

Ultimately, acting on crime is a rat's nest.  Some providers have
enough trouble dealing with attacks from Pax0rland, extracting sane
prices for last-mile service, evaluating/deploying new technology,
keeping up with all the off-topic emails on NANOG, etc.  

Raise the bar so the least-paid front-line rep requires a "customer
support within the law" class.  Create a legal climate where the only
way it makes sense to provide bits involves a big army of attorneys
and lobbyists to define the regulatory climate.  Let's make total
provider consolidation a reality...  then we won't need those pesky
32-bit ASNs.  :)

Back to work...

--
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Not baked goods, professor...  baked BADS!"-The Tick



Re: two interfaces one subnet

2009-05-11 Thread Mike O'Connor
:Hi,
:
:This is a pretty moronic question, but I've been searching RFC's on- 
:and-off for a couple of weeks and can't find an answer. So I'm hoping  
:someone here will know it offhand.
:
:I've been looking through RFC's trying to find a clear statement that
:having two interfaces in the same subnet does not work, but can't find
:that statement anywhere.
:
:The OS in this case is Linux. I know it can be done with clever  
:routing and prioritization and such, but this has to do with vanilla  
:config, just setting up two interfaces in one network.
:
:I would be grateful for a pointer to such an RFC statement, assuming  
:it exists.

RFC1122, Section 3.3.4.1 explicitly says this IS a legal config
from an IP perspective:

  3.3.4  Local Multihoming

 3.3.4.1  Introduction

A multihomed host has multiple IP addresses, which we may
think of as "logical interfaces".  These logical interfaces
may be associated with one or more physical interfaces, and
these physical interfaces may be connected to the same or
different networks.

There are other considerations here -- OS, link-layer, etc.
Obviously, you want to do such things with care.  But simply
from a "standards" perspective, it's ok.  There are a lot of
hosts that historically didn't have enough RFC1122 compliance
to make such configurations problematic (e.g. section 3.3.1.2
and multiple default route support vs. old BSD IP stacks) but
that doesn't invalidate the standards.

-- 
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Pain has an element of blank."  -Emily Dickinson