APC UPS Advice/Guidance for Canada 120/240
Hello Everyone,

We are in the market for an APC UPS, and had a few questions. We are not that familiar with APC, and were hoping for some clarity. Our power demands will be for a unit that will sustain 3 kW/4 kVA scalable to 8 kVA.

Input: The first issue is that I see all the units default with 208v input (other inputs 240v). At my location we only have 120 or 240. Also, we do not want to use a transformer (240-120) as it adds another failure point that can be avoided... The unit we are looking is found here: http://www.apc.com/products/resource/include/techspec_index.cfm?base_sku=SYA4K8RMP&total_watts=500

Output: Hard Wire 4-wire (2PH + N + G), NEMA L14-30R, NEMA L5-20R

What? How do I plug our 120 PDU into this?

STONITH: This will be for a cluster that will require stonith capability. Does anyone know if this unit supports that? Not so important as the previous two questions...

Kind Regards,
Nick.
Re: How big is the Internet?
On 8/14/13, Jorge Amodio wrote:
> "This big" has been a pretty accurate answer over the years
>
> -Jorge

Oh hahahhaah. Oh man, I better get back to work. Have a nice day gentlemen :).

Nick from Toronto.
Re: Revealed: NSA program collects 'nearly everything a user does on the internet'
I'll make this short. Is our OpenVPN server prone?
Secure Tunneling. Only with more Control!!!
Not having to hijack http://seclists.org/nanog/2013/Jul/251, and without further ado,

On 7/12/13, ryang...@gmail.com wrote:
> It wouldn't be. When the endpoint in question is compromised, there isn't
> any amount of tunneling or obscurity between point a and point b that will
> resolve it. Only thing you can do is change to a solution that you have more
> control over.
> Sent on the TELUS Mobility network with BlackBerry

This just got very interesting. Given that we do not own any Microsoft products here, and still able to function like any other corporation, I am more interested in a "solution that you have more control over" secured connections. We currently are using OpenVPN and PKI, coupled with a company policy of key updates every 3 months this will only get incrementally more complex as the number of clients increase. Not to mention one only needs a 3 minutes

Question: What other options do we have to maintain a secure connection between client and server that gives us more control over traditional OpenVPN+PKI. It would be nice to be able to deploy private keys automatically to the different clients however, seems like a disaster waiting to happen.

I would really appreciate some of your takes on this matter, what types of technology, policies are being employed out there for secure connections.

Kind Regards,
Nick.
Re: Friday Hosing
Set up your own email server, host your own web pages, maintain your own cloud, breathe your own oxygen FTW.

N.
Re: Office 365..? how Microsoft handed the NSA access to encrypted messages
On Fri, Jul 12, 2013 at 5:23 PM, Bruce Pinsky wrote:
> Matt Baldwin wrote:
> > While that would secure the connections from snooping if your mailboxes
> > are on Office 365 and those mailbox stores do not exist on an encrypted LUN
> > then a service can easily read the Exchange database; anyone with server
> > access can read mail across all mailboxes. In fact, Microsoft supports this
> > type of setup with impersonation, e.g. a global user that can query any
> > mailbox it has permissions to within Exchange. This is how some EWS
> > integrated applications work. It wouldn't be that far fetched for the NSA
> > to incorporate the same type of query to monitor the mailboxes -- even
> > subscribing to change notifications so it only queries and collects when a
> > new mail item has arrived. Additionally, Office 365 can simply create a
> > journal rule and have all inbound / outbound mail journal to a location
> > that makes it easier for snoops to look through the messages, e.g. an
> > external SMTP endpoint, all without the end customers' knowledge.
> >
> > If anyone has any questions on Exchange they, too, can contact me off list.
> >
> > Just my 2-cents.
>
> And what's to say that email addresses at Office 365 aren't just mailing
> lists where you get a copy and so does $FEDAGENCY. That's how my kids'
> email addresses work at home :-)
>
> --
> bep

You spy on your kids? I thought not being able to put a lock on my door was bad...

N.
Re: Office 365..? how Microsoft handed the NSA access to encrypted messages
>> I should also note that even if the stores are on an encrypted LUN you are
>> still exposed to impersonation and journaling.
>> -matt

I would hate to assume. Please do elaborate.

N.
Re: Office 365..? how Microsoft handed the NSA access to encrypted messages
We are currently working on something right now where all connections are going over an encrypted VPN. We are bringing SIP, email, search, and cloud to the tunnel. You can contact me off list if you would like to know more.

Nick Khamis
Re: Google bot contact
If lucky maybe bot google contact shortdudey...@gmail.com

On 7/11/13, Grant Ridder wrote:
> Can someone that works with the Google Bot contact me off list? I am
> seeing some really weird access activity for a site I manage.
>
> -Grant
Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]
On 6/25/13, Warren Bailey wrote:
> Is there a realistic way to deal with dropped packets in that situation? I
> would think packet loss could get really messy.. ;)

As you know this is not such a problem for UDP streams however, we have not worked out all the bugs for services that run on TCP. Oh yeah it's messy!!! You know it brings a different set of challenges (i.e., PITA, Pamela Anderson). It's a tuff world out there guys

We are however trying to conform to RFC standards as pointed out by Jev. You guys really need to look at this. It's easily implementable: http://tools.ietf.org/html/rfc1149

N.
Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]
On 6/25/13, Javier Henderson wrote:
> RFC 1149 addresses the practice of avian carriers.
>
> -jav

Jav, this one takes the trump!!! You sir are a man of few words! :)

N.
Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]
Screw the pyramids. Look at that building

Yeah we thought about this and currently in the process of training pigeons to carry messages. Will keep everyone posted. :)

Nick.
Re: PDU recommendations
And now for the stupid question. Is there an APC UPS in a U form factor with sufficient outlets that can act kind of like a PDU, only better?

PS If it has stonith capabilities even better!!!

Kind Regards,
Nick.
Re: PDU recommendations
Hello Michael, does that mean you do not employ PDUs in your network? I.e., found a UPS with sufficient number of outlets in the back. With that in mind, could you make a recommendation for such a UPS-direct for a VM environment. Kind Regards, Nick.
Re: Need AT&T Contact
Is this an ISDN trunk or their IP Flex product? I don't have a rep for the latter. N.
Re: huawei
On 6/13/13, Michael Thomas wrote:
> On 06/13/2013 09:35 AM, Patrick W. Gilmore wrote:
>>
>> I am assuming a not-Huawei-only network.
>>
>> The idea that a router could send things through other routers without
>> someone who is looking for it noticing is ludicrous.
>>
>
> ::cough:: steganography ::cough::
>
> Mike

Well put!

N.
Re: huawei
A local clec here in Canada just teamed up with this company to provide cell service to the north: http://cwta.ca/blog/2012/09/24/ice-wireless-iristel-and-huawei-partner-for-3g-wireless-network-in-northern-canada/ Scary N.
Re: OC3/STM-1 Line Card
Sorry everyone for the delayed response. Basically we are trying to set up POPs in specific areas. Each POP should be capable of handling 1500-2000 channels or ~60-80 virtual PRIs "please bear with me". Laying down the 80K for Audiocodes 3000 with an OC interface, or even a Metaswitch would be the "big boys" way of doing. Before going any route, knowing our options are good no?

Option 1: OC3 muxed down to 84 T1s -> 7 X 12 T1s Asterisk Boxes > IP
Option 2: Metaswitch, Audiocodes switch

Michael Loftis said:
>> If you're doing internal stuff you're better off forgetting about SS7 crap,
>> and just doing IP/SIP over your OC3. No transcoding, you'll get as good or
>> better audio quality, and, more available channels.

I would love to cut a deal with a CLEC or an ILEC to sell us a piece of their network (i.e., place our equipment at their location and cut us a piece of the signaling) but no go. Channels are their bread and butter and they are sticking to it. At $6-$15 per circuit, rolling blackout like the kind you would see in Tikrit, Iraq, no thank you

To answer your question this is for external. We are trying to place ourselves strategically and offer a hosted PRI solution, along with maintaining our existing customer's SIP<-->PSTN network.

>> If you're interfacing with the PSTN with SS7 your options are a lot more
>> limited as SS7 support is fairly poor in the FOSS world.

Very true!!! However, there is no one doing SIGTRAN or SS7 over IP that we know of. We are really trying to stay away from reselling someone's service, as opposed to managing our own trunks as we've been doing for over 10 years. Only now we are looking to scale up and market it.

>> Most modern gear can go all the way to individual DS0's in a single
>> card without a MUX of any kind. OC3/STM-1 is only like 155mbit.

Please elaborate, we are not liking the MUX idea. But we're kind of between a hard spot and a rock :).

Phil Fagan said:
>> Nick are you trying to run these codecs on linux?

Yes but whether we do it by muxing the OC to multiple T1's plugged into *, or using this thing: http://www.gl.com/OC3-OC12-analysis-emulation-card.html

I could not resist

Not sure how many people used this on deployed system. Which brings us to

Option 3: Straight OC3 branched out to * with a really cool "Lightseed 1000" like interface on asterisk boxes. No hit for the MUX, not as many * boxes needed

Life would be so good

Cheers,
N.
Re: OC3/STM-1 Line Card
Anyone? Good quality SIGTRAN/SS7 on STM-1/OCN? Kind Regards, Nick.
OC3/STM-1 Line Card
Hello Everyone, Anyone know of a way of bypassing the 90K audiocodes mediant 3000 equipped for STM-1 interface using line cards and a linux box :). What we are looking to do is replace our traditional ISDN DS3 equipped for voice using an STM-1/OC3 backbone and our own put together linux box. Again, this will be used for voice signaling... Kind Regards, Nick.
Re: PRISM: NSA/FBI Internet data mining project
Server maintenance at 00 on my end.
Re: PRISM: NSA/FBI Internet data mining project
Sorry for the top post
Re: PRISM: NSA/FBI Internet data mining project
Tax payer money.. :)

On 6/7/13, Mark Seiden wrote:
> what a piece of crap this article is.
>
> the guy doesn't understand what sniffing can and can't do. obviously he
> doesn't understand peering or routing, and he doesn't understand what cdns
> are for.
>
> he doesn't understand the EU safe harbor, saying it applies to govt
> entities, when it's purely about companies hosting data of EU citizens.
>
> he quotes a source who suggests that the intel community might have
> privileged search access to facebook, which i don't believe.
>
> he even says "company-owned equipment" might refer to the NSA, which i
> thought everybody calls the "agency" so to not confuse with the CIA.
>
> and he suggests that these companies might have given up their "master
> decryption keys" (as he terms them) so that USG could decrypt SSL.
>
> and the $20M cost per year, which would only pay for something the size of a
> portal or a web site, well, that's mysterious.
>
> sheesh.
>
> this is not journalism.
>
>
> On Jun 7, 2013, at 3:54 PM, Paul Ferguson wrote:
>
>> Also of interest:
>>
>> http://www.guardian.co.uk/world/2013/jun/07/nsa-prism-records-surveillance-questions
>>
>> - ferg
>>
>>
>> On Fri, Jun 7, 2013 at 3:49 PM, Michael Hallgren wrote:
>>
>>> On 07/06/2013 19:10, Warren Bailey wrote:

Five days ago anyone who would have talked about the government having this capability would have been issued another tin foil hat. We think we know the truth now, but why hasn't echelon been brought up? I'm not calling anyone a liar, but isn't not speaking the truth the same thing?

>>>
>>> ;-)
>>>
>>> mh
>>>

Sent from my Mobile Device.

Original message
From: Matthew Petach
Date: 06/07/2013 9:34 AM (GMT-08:00)
To:
Cc: NANOG
Subject: Re: PRISM: NSA/FBI Internet data mining project

On Thu, Jun 6, 2013 at 5:04 PM, Matthew Petach wrote:
>
> On Thu, Jun 6, 2013 at 4:35 PM, Jay Ashworth wrote:
>
>> Has fingers directly in servers of top Internet content companies,
>> dates to 2007. Happily, none of the companies listed are transport
>> networks:
>>
>> http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html
>>
>> Cheers,
>> -- jra
>> --
>> Jay R. Ashworth    Baylink    j...@baylink.com
>> Designer    The Things I Think    RFC 2100
>> Ashworth & Associates    http://baylink.pitas.com    2000 Land Rover DII
>> St Petersburg FL USA    #natog    +1 727 647 1274
>>
>
> I've always just assumed that if it's in electronic form,
> someone else is either reading it now, has already read
> it, or will read it as soon as I walk away from the screen.
>
> Much less stress in life that way. ^_^
>
> Matt
>

When I posted this yesterday, I was speaking somewhat tongue-in-cheek, because we hadn't yet made a formal statement to the press. Now that we've made our official reply, I can echo it, and note that whatever fluffed up powerpoint was passed around to the washington post, it does not reflect reality. There are no optical taps in our datacenters funneling information out, there are no sooper-seekret backdoors in the software that funnel information to the government. As our formal reply stated: "Yahoo does not provide the government with direct access to its servers, systems, or network." I believe the other major players supposedly listed in the document have released similar statements, all indicating a similar lack of super-cheap government listening capabilities.

Speaking just for myself, and if you quote me on this as speaking on anyone else's behalf, you're a complete fool, if the government was able to build infrastructure that could listen to all the traffic from a major provider for a fraction of what it costs them to handle that traffic in the first place, I'd be truly amazed--and I'd probably wonder why the company didn't outsource their infrastructure to the government, if they can build and run it so much more cheaply than the commercial providers. ;P

7 companies were listed; if we assume the burden was split roughly evenly between them, that's 20M/7, about $2.85M per company per year to tap in, or about $238,000/month per company listed, to supposedly snoop on hundreds of gigs per second of data. Two ways to handle it: tap in, and funnel copies of all traffic back to distant monitoring posts, or have local servers digesting and filtering, just extracting the few nuggets they want, and sending
Re: Canadian Hosting Providers - how do you handle copyright and trademark complaints
On 6/5/13, Sameer Khosla wrote:
> My personal favorite is the number of notices that we receive as DMCA
> takedown notices, citing the specific laws.

I'm not sure US copyright laws even apply to us here in Canada? What countries have no internet laws?

N.
Re: High throughput bgp links using gentoo + stripped kernel
Sorry for the top post!!! N.
Re: High throughput bgp links using gentoo + stripped kernel
+1 on the interrupt cpu assignment

N.

On 5/24/13, Nick Hilliard wrote:
> On 24/05/2013 20:21, Joe Greco wrote:
>> Luigi did the polling stuff more than a decade ago. Polling fixes some
>> issues and seems to cause others.
>
> interrupt mitigation helps more than polling these days. Make sure you're
> using modern hardware.
>
> Nick
Re: High throughput bgp links using gentoo + stripped kernel
On 5/19/13, Zachary Giles wrote:
> I had two Dell R3xx 1U servers with Quad Gige Cards in them and a few small
> BGP connections for a few years. They were running CentOS 5 + Quagga with a
> bunch of stuff turned off. Worked extremely well. We also had really small
> traffic back then.
>
> Server hardware has become amazingly fast under-the-covers these days. It
> certainly still can't match an ASIC designed solution from Cisco etc, but
> it should be able to push several GB of traffic.
> In HPC storage applications, for example, we have multiple servers with
> Quad 40Gig and IB pushing ~40GB of traffic of fairly large blocks. It's not
> network, but it does demonstrate pushing data into daemon applications and
> back down to the kernel at high rates.
> Certainly a kernel routing table with no iptables and a small Quagga daemon
> in the background can push similar.
>
> In other words, get new hardware and design it flow.

What we are having a hard time with right now is finding that "perfect" setup without going the whitebox route. For example the x3250 M4 has one pci-e gen 3 x8 full length (great!), and one gen 2 x4 (Not so good...). The ideal in our case would be a newish xserver with two full length gen 3 x8 or even x16 in a nice 1U form factor humming along and being able to handle up to 64 GT/s of traffic, firewall and NAT rules included.

Hope this is not considered noise to an old problem however, any help is greatly appreciated, and will keep everyone posted on the final numbers post upgrade.

N.
Re: High throughput bgp links using gentoo + stripped kernel
> This is some fairly ancient hardware, so what you can get out if it will
> be limited. Though gige should not be impossible.

Agreed!!!

> The usual tricks are to make sure netfilter is not loaded, especially
> the conntrack/nat based parts as that will inspect every flow for state
> information. Either make sure those parts are compiled out or the
> modules/code never loads.
>
> If you have any iptables/netfilter rules, make sure they are 1)
> stateless 2) properly organized (can't just throw everything into FORWARD
> and expect it to be performant).

We do use a stateful iptables on our router, some forward rules... This is known to be one of our issues, not sure if having a separate iptables box would be the best and only solution for this?

> You could try setting IRQ affinity so both ports run on the same core,
> however I'm not sure if that will help much as it's still the same cache
> and distance to memory. On modern NICS you can do tricks like tie rx of
> port 1 with tx of port 2. Probably not on that generation though.

Those figures include IRQ affinity tweaks at the kernel and APIC level.

> The 82571EB and 82573E is, while old, PCIe hardware, there should not be
> any PCI bottlenecks, even with you having to bounce off that stone age
> FSB that old CPU has. Not sure well that generation intel NIC silicon
> does linerate easily though.
>
> But really you should get some newerish hardware with on-cpu PCIe and
> memory controllers (and preferably QPI). That architectural jump really
> upped the networking throughput of commodity hardware, probably by
> orders of magnitude (people were doing 40Gbps routing using standard
> Linux 5 years ago).

Any ideas of the setup??? Maybe as far as naming some chipset, interface? And xserver that is the best candidate. Will google.. :)

> Curious about vmstat output during saturation, and kernel version too.
> IPv4 routing changed significantly recently and IPv6 routing performance
> also improved somewhat.

Will get that output during peak on monday for you guys. Newest kernel 3.6 or 7...

Thank you so much for your insight,

Nick.
Re: High throughput bgp links using gentoo + stripped kernel
> Hi Nick,
>
> You're done. You can buy more recent server hardware and get another
> small bump. You may be able to tweak interrupt rates from the NICs as
> well, trading latency for throughput. But basically you're done:
> you've hit the upper bound of what slow-path (not hardware assisted)
> networking can currently do.
>
> Options:
>
> 1. Buy equipment with a hardware fast path, such as the higher end
> Juniper and Cisco routers.
>
> 2. Split the load. Run multiple BGP routers and filter some portion of
> the /8's on each of them. On your IGP, advertise /8's instead of a
> default.
>
> Regards,
> Bill Herrin

Hey Bill, thanks for your reply

Yeah option 1.. I think we will do whatever it takes to avoid that route. I don't have a good reason for it, it's just preference. Great manufacturers/products etc..., we just like the flexibility we get with how things are setup right now. Not to mention extra rack space!

Option 2 is exactly what we are looking at. But before that, we are looking at upgrading to a PCIe 3 x8 or x16 as mentioned earlier for that "small bump". If we hit 25% increase in throughput then that would keep the barracudas in suits at bay. But for now, they are really breathing down my back... :)

N.
Re: High throughput bgp links using gentoo + stripped kernel
On 5/19/13, Nikola Kolev wrote:
> You might be maxing out your server's PCI bus throughput, so it might be a
> better idea if you can get Ethernet NICs that are sitting at least on PCIe
> x8 slots.

Nikola, thank you so much for your response! It kind of looks that way, and we do have another candidate machine that has a PCIe 3 x8. First thing, I never liked riser card and the candidate IBM x3250 M4 does use them. Not sure how much of a hit I will take for that. Secondly are there any proven intel 4 port cards in PCIe 3 preferably pro 1000.

> Leaving that aside, I take it you've configured some sort of CPU/PCI
> affinity?

For interrupts we disabled CONFIG_HOTPLUG_CPU in the kernel, and assigned interrupts to the less used core using APIC. I am not sure if there is anything more we can do?

> As for migration to another OS, I find FreeBSD better as a matter of network
> performance. The last time I checked OpenBSD was either lacking or was in
> the early stages of multiple cores support.

I know I mentioned migration, but gentoo has been really good to us, and we grew really fond of her :). Hope I can tune it further before retiring it as our OS of choice.

Nick.
Re: High throughput bgp links using gentoo + stripped kernel
On 5/18/13, Michael McConnell wrote:
> Hello Nick,
>
> Your email is pretty generic, the likelihood of anyone being able to provide
> any actual help or advice is pretty low. I suggest you check out Vyatta.org,
> its an Open Source router solution that uses Quagga for its underlying BGP
> management, and if you desire you can purchase a support package a few grand
> a year.
>
> Cheers,
> Mike
>
> --
>
> Michael McConnell
> WINK Streaming;
> email: mich...@winkstreaming.com
> phone: +1 312 281-5433 x 7400
> cell: +506 8706-2389
> skype: wink-michael
> web: http://winkstreaming.com
>
> On May 18, 2013, at 9:39 AM, Nick Khamis wrote:
>
>> Hello Everyone,
>>
>> We are running:
>>
>> Gentoo Server on Dual Core Intel Xeon 3060, 2 Gb Ram
>> Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
>> Controller (rev 06)
>> Ethernet controller: Intel Corporation 82573E Gigabit Ethernet
>> Controller (rev 03)
>>
>> 2 bgp links from different providers using quagga, iptables etc
>>
>> We are transmitting an average of 700Mbps with packet sizes upwards of
>> 900-1000 bytes when the traffic graph begins to flatten. We also start
>> experiencing some crashes at that point, and not have been able to
>> pinpoint that either.
>>
>> I was hoping to get some feedback on what else we can strip from the
>> kernel. If you have a similar setup for a stable platform the .config
>> would be great!
>>
>> Also, what are your thoughts on migrating to OpenBSD and bgpd, not
>> sure if there would be a performance increase, but the security would
>> be even more stronger?
>>
>> Kind Regards,
>>
>> Nick
>>

Hello Michael,

I totally understand how my question is generic in nature. I will definitely take a look at Vyatta, and weigh the effort vs. benefit topic. The purpose of my email is to see how people with similar setups managed to get more out of their system using kernel tweaks or further stripping on their OS. In our case, we are using Gentoo.

Nick.
High throughput bgp links using gentoo + stripped kernel
Hello Everyone,

We are running:

Gentoo Server on Dual Core Intel Xeon 3060, 2 Gb Ram
Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
Ethernet controller: Intel Corporation 82573E Gigabit Ethernet Controller (rev 03)

2 bgp links from different providers using quagga, iptables etc

We are transmitting an average of 700Mbps with packet sizes upwards of 900-1000 bytes when the traffic graph begins to flatten. We also start experiencing some crashes at that point, and not have been able to pinpoint that either.

I was hoping to get some feedback on what else we can strip from the kernel. If you have a similar setup for a stable platform the .config would be great!

Also, what are your thoughts on migrating to OpenBSD and bgpd, not sure if there would be a performance increase, but the security would be even more stronger?

Kind Regards,

Nick