Re: About emails impersonating Path Network

2023-02-07 Thread Rafael Possamai
I've found this article before and implemented it for domains that we own, but 
do not use for e-mail purposes. 
https://www.gov.uk/guidance/protect-domains-that-dont-send-email

Might be worth checking it out.

Cheers,
Rafael

- Original message -
From: Konrad Zemek 
To: nanog@nanog.org
Subject: About emails impersonating Path Network
Date: Monday, February 06, 2023 12:25

Hi Nanog,

It looks like someone with an axe to grind against our company has decided to 
email every AS contact they could find on PeeringDB, impersonating us and 
sometimes spoofing our domains.

We're aware of the emails and are sorry for the inconvenience. We've since 
added SPF records to the domains we own but don't use (the perps have since 
name-squatted some new ones). We're also actively working with law enforcement 
on the matter.

Thanks
Konrad Zemek
CTO Path Network
AS396998
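To turn the gov.uk guidance both posters refer to into something checkable, here is an added example (not from the thread or the guidance) that evaluates whether a domain's SPF, DMARC and MX records mark it as a non-sending domain. It does no live DNS lookups; the records for the two hypothetical domains below are constructed sample data.

```python
"""Evaluate whether a domain's DNS records lock it down as non-sending.

Added example, not from the NANOG thread or the gov.uk guidance. The
records below are constructed sample data for two hypothetical domains:
one locked down, one left open. Replace them with real lookups if needed.
"""

# Constructed sample records, keyed by domain: TXT records at the apex,
# TXT records at _dmarc.<domain>, and MX records as (preference, host).
SAMPLE_ZONES = {
    "parked.example": {
        "txt": ["v=spf1 -all"],
        "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
        "mx": [(0, ".")],
    },
    "forgotten.example": {
        "txt": ["v=spf1 include:_spf.example.net ~all"],
        "dmarc": [],
        "mx": [(10, "mail.forgotten.example.")],
    },
}


def parse_spf(txt_records):
    """Return the SPF terms (lower-cased, without 'v=spf1') or None.

    RFC 7208 treats zero or multiple SPF records as no usable record, so
    both cases return None.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    return [term.lower() for term in spf[0].split()[1:]]


def parse_dmarc(txt_records):
    """Return DMARC tags as a dict, or None when no single record exists."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_non_sending(records):
    """Evaluate one domain; each finding is True when it is configured."""
    spf = parse_spf(records["txt"])
    dmarc = parse_dmarc(records["dmarc"])
    findings = {
        # SPF must be exactly "v=spf1 -all": a hard fail and nothing else.
        "spf_hard_fail_only": spf == ["-all"],
        # DMARC must exist with p=reject so receivers discard spoofed mail.
        "dmarc_reject": dmarc is not None
        and dmarc.get("p", "").lower() == "reject",
        # A null MX (RFC 7505, preference 0 and host ".") says: no mail here.
        "null_mx": records["mx"] == [(0, ".")],
    }
    findings["locked_down"] = all(findings.values())
    return findings


def report(zones):
    """Run the check over every domain in the sample data."""
    return {domain: check_non_sending(recs) for domain, recs in zones.items()}


if __name__ == "__main__":
    for domain, findings in report(SAMPLE_ZONES).items():
        status = "locked down" if findings["locked_down"] else "OPEN"
        print(f"{domain}: {status} {findings}")
```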


Telia->ATT at 350 Cermak

2022-08-11 Thread Rafael Possamai
After some time monitoring/troubleshooting, we are seeing what looks like 
congestion between AS1299 and AS7018 at 350 Cermak during typical peak hours. 
Could someone please reach out off-list if possible? Much appreciated.

Thanks,
Rafael



Re: HE.net and BGP Communities

2022-07-25 Thread Rafael Possamai
>I wish they'd add one more that turns off their "prefer routes learned from a 
>customer" rule.   I'm having to split my blocks in half and announce them 
>that way to get them to send my traffic directly to me through our IX peering 
>session as opposed to one of my transit providers.
>I'd rather they just let shortest path selection work. 

I think this is by design so you don't end up with free inbound transit.

If one of their transit customers is trying to reach your prefixes, my guess 
is it'd make sense to offload that over IX first, although I'm not sure if that 
always happens due to path selection.




Re: Verizon no BGP route to some of AS38365 (182.61.200.0/24)

2022-07-21 Thread Rafael Possamai
>but that it would be incumbent on Verizon to do the legwork to fix it since 
>they are the ones who know their peering agreements and have these contacts. 
>Unfortunately it seems like policy that Verizon pushes any issues that aren't 
>internal routing issues to an external party, but surely they have a 
>responsibility to maintain their peering and routes to external services as 
>well.
>Any thoughts?

You're probably right they have a responsibility to maintain their peering and 
routes, but rather than move mountains to get a large network to do "the right 
thing" (either vzw or baidu), I'd think most of the time it's much easier to 
pick a different provider to work with instead.

RE: Aftermarket switches that were manufactured in any sort of quantity?

2022-06-09 Thread Rafael Possamai
This may sound bad at first but look into FS.com if you're in a pinch. They may 
not be seen as the typical true enterprise grade (I don't know?) but you can 
probably buy a new one and a new spare for the price of one overpriced used 
switch.


From: NANOG  On 
Behalf Of Drew Weaver
Sent: Thursday, June 9, 2022 11:42 AM
To: 'nanog@nanog.org' 
Subject: Aftermarket switches that were manufactured in any sort of quantity?

Hello,

We had been purchasing some used 48 port 1BaseT switches /w 6x QSFP28 ports 
for around $3000 until about 2021.

In 2021 the aftermarket pricing went from $3,000 each to $15,000 each.

Now these particular switches are selling for $20,000 each (and people are 
still buying them[?]...)

Obviously I cannot pay $20k for a used switch so I am trying to find 
alternatives that perhaps aren't as rare.

I'm trying to determine whether this pricing is just based on the model I am 
trying to buy or if it is basically every switch from every MFG.

Just trying to see if anyone else has had any luck getting any hardware at 
around a fair price lately?

I'm aware of the macro-economic environment, inflation, chip shortages, etc.. 
Just looking for another option.

Thanks,
-Drew



RE: Github/gist list of modern telemetry/networking polling tools

2022-05-12 Thread Rafael Possamai
Here is a list: https://github.com/kahun/awesome-sysadmin#monitoring

Personally, I've used smokeping for over a decade (mrtg works too, or rrd and a 
cron job), as well as librenms/prtg and as of the last couple of years a 
software "stack" such as telegraf+influxdb+grafana, although that's more 
resource intensive than the old school stuff that just works.

From: NANOG  On 
Behalf Of Drew Weaver
Sent: Thursday, May 12, 2022 7:50 AM
To: nanog@nanog.org
Subject: Github/gist list of modern telemetry/networking polling tools

Hello,

If you guys are like me I find something that works and I just stick with it.

Now that we're getting to a place where we can re-tool some of our monitoring 
and telemetry for our network I am looking for information/recommendations on 
new tools.

Specifically I am looking for a list of NMS, SNMP poller/grapher, sflow/netflow 
cap/dump tools that people are enjoying.

I know a lot of times people post lists of tools over on github or a gist so I 
am just wondering if anyone has any lists for this that they like?

Thanks,
-Drew



Re: Texas internet connectivity declining due to blackouts

2021-02-17 Thread Rafael Possamai
Buried high voltage lines require expensive/complex insulation (oil, etc). It's 
really expensive to build and to maintain these at enormous scale like the 
continental USA. Not saying it's not possible, but definitely challenging. 
Repairing damage to these lines is a lot more complicated than splicing fiber 
(freeze plugs, huge holes in the ground, etc). Most HV aerial lines can be 
repaired online with helicopters, whereas the stuff in the ground needs to come 
offline for any sort of repair involving the conductors.

I think because one USA state is the size of an entire EU country (or larger), 
your HV lines would have to span multiple states (several countries in 
Europe); it'd be an insane effort to build and maintain these for 50+ years.



- Original message -
From: Rod Beck 
To: Peter Beckman 
Cc: "nanog@nanog.org" 
Subject: Re: Texas internet connectivity declining due to blackouts
Date: Wednesday, February 17, 2021 03:17

I have lived in France and now Hungary. I have never seen power lines above 
ground, but I have heard there are some in rural France. 

I disagree with your conclusion - essential infrastructure should be buried if 
possible. The US makes too many excuses for second rate performance. Level3 
buried its infrastructure. This is a case where sacrificing short term profits 
for better long term performance is well worth it. 


Re: ISPs are hit hardest by COVID-19 disruption

2020-08-07 Thread Rafael Possamai
This reminded me of a quote I read a long time ago: "Most people use statistics 
like a drunk man uses a lamppost; more for support than illumination"

Re: BGP route hijack by AS10990

2020-08-03 Thread Rafael Possamai
To your point with regards to multiple failures combined causing an outage, 
here's some basic reading on the Swiss cheese model: 
https://en.wikipedia.org/wiki/Swiss_cheese_model 

From over here it looks like the legacy filter was a latent failure, and the 
BGP automation from the downstream peer of Telia was an active failure 
(combined caused the outage). Now from the downstream peer's point of view, 
perhaps the cause of their BGP automation failure was latent also, but we 
wouldn't know without more details.

Pretty interesting topic.

Re: CloudFlare Issues?

2020-07-19 Thread Rafael Possamai
Noticed high latency from some smokeping instances from about 16:10 until 16:35 
(central time). One of the worst variances was from ~20ms to upwards of 100ms 
RTT.

Re: Wifi Calling Firewall Holes to Punch

2020-07-19 Thread Rafael Possamai
I also do wifi calls from an Android phone on VZW behind NAT, with no issues. I 
do have a "network extender" which has a GPS link and ethernet (also behind 
NAT) and it does give me 5 bars around the house (up to 70mbps ish of download 
over LTE). 

Now, could your NAT setup possibly interfere? In my case at home I have 
FreeBSD with pf and NAT reflection disabled by default.


Re: MX204 Rails

2020-07-16 Thread Rafael Possamai
Doesn't the mx204 have rackmount brackets rather than rails? 

Re: Citrix Sales Reps?

2016-03-23 Thread Rafael Possamai
I wonder if the actual support service will be the same later on.

*Rafael Possamai*
Founder & CEO at E2W Solutions
*office:* (414) 269-6000
*e-mail:* raf...@e2wsolutions.com


On Wed, Mar 23, 2016 at 3:25 AM, Paul Stewart <p...@paulstewart.org> wrote:

> You too ?  I gave up ... after calling their local offices, their toll
> free number, emails, phone calls, etc.
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Scott Fisher
> Sent: Tuesday, March 22, 2016 1:34 PM
> To: NANOG list <nanog@nanog.org>
> Subject: Citrix Sales Reps?
>
> I have sent 4 requests to Citrix for pricing questions on XenServer
> support options and have gotten not a single call back. (Requested via
> email, form, and calls).
>
> Can someone from Citrix please hit me up offlist or can someone direct me
> to an actual person I can hit up?
>
> --
> Scott
>
>


Re: Why the US Government has so many data centers

2016-03-23 Thread Rafael Possamai
Circuit utilization, capacity and availability shouldn't be calculated
separately in a data center environment. If you look at each separately you
risk making some expensive mistakes.


*Rafael Possamai*
Founder & CEO at E2W Solutions
*office:* (414) 269-6000
*e-mail:* raf...@e2wsolutions.com


On Tue, Mar 22, 2016 at 11:11 AM, Sean Donelan <s...@donelan.com> wrote:

> On Tue, 22 Mar 2016, Jay R. Ashworth wrote:
>
>> But when some Armenian script kiddie DDoSing Netflix takes down your TSA
>> terrorist lookup service, and you come to me asking why the plane blew up,
>> I'm going to tell you "because you fucking ignored my written advice on
>> the matter", while I'm packing my desk.
>>
>
> DCOI is about physical data center optimization, not about network or
> service availability.
>
> DCOI metrics:
> - Energy metering
> - Power Usage Effectiveness (PUE)
> - Virtualization
> - Server Utilization & Automated Monitoring
> - Facility Utilization
>
> Why do you have two circuits with only 40% utilization. The auditor says
> that's waste, and you only need one circuit at 80% utilization for half
> the cost.
>
>
>


Re: ICYMI: FBI looking into LA fiber cuts, Super Bowl

2016-01-19 Thread Rafael Possamai
I fail to see how drones relate to fiber cuts and the superbowl. Did the
article author just throw that in there? The news helicopter getting aerial
footage also poses a risk, so not sure what's special about drones.

On Tue, Jan 19, 2016 at 2:42 PM, Alain Hebert  wrote:

> Well,
>
> ( In context )
>
> I can tell you that a 4 propeller's drone to the face kinda hurt.
>
> Because that was the context where that quote was ripped from.
>
> -
>
> What's more, the memo also asserted that drones used by "malicious"
> actors "may present a low-altitude hazard to aviation assets supporting
> the event, allow unauthorized video coverage of events, or pose a risk
> of injury to event-goers if an operator loses control."
>
> -
> Alain Hebert                aheb...@pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
>
> On 01/19/16 15:37, Bacon Zombie wrote:
> > Am I the only one who thinks the below line is BS?
> >
> >  "...pose a risk of injury to event-goers if an operator loses control."
> >
> > If there is not safeguards in-place for "normal" network issues then
> > we would of heard of injuries before.
> >
> > On 19 January 2016 at 21:30, Grant Ridder wrote:
> >> Broke ground in April 2012
> >>
> http://www.mercurynews.com/southbayfootball/ci_20434376/49ers-break-ground-this-evening-stadium-at-center
> >>
> >> -Grant
> >>
> >> On Tue, Jan 19, 2016 at 12:12 PM, Jay R. Ashworth wrote:
> >>
> >>> - Original Message -
>  From: "Owen DeLong" 
>  Correct me if I’m wrong, but these FO vandalisms have been going on in
> >>> the bay
>  area since before the stadium
>  was even funded.
> 
>  This leads me to believe that this is just another example of an LE
> >>> landgrab.
> >>>
> >>> How old's the stadium?  The article does mention late '14.
> >>>
> >>> Cheers,
> >>> -- jra
> >>> --
> >>> Jay R. Ashworth                  Baylink                       j...@baylink.com
> >>> Designer                     The Things I Think                       RFC 2100
> >>> Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
> >>> St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
> >>>
> >
> >
>
>


Re: verizon fios bounced a legit private email of mine telling me it was spam and they would not allow it

2016-01-14 Thread Rafael Possamai
What a disgrace.

On Wed, Jan 13, 2016 at 3:55 PM, Dan Hollis  wrote:

> This is what's going on at verizon.
>
> http://www.spamhaus.org/news/article/726/
>
> -Dan
>
>


Re: Best Source for ARIN Region /24

2016-01-11 Thread Rafael Possamai
If you apply for an IPv6 block, as an ISP, and you have the intention of
truly utilizing it, then you can apply for a /24 to facilitate that
transition.

It will cost you about $1500 or so, which is about half of what a /24 is
going for in the transfer market.

Thing is, if you take the IPv6 block just to use the /24 they give you,
then one could argue you are cheating the system.



On Mon, Jan 11, 2016 at 1:19 PM, Matthew D. Hardeman 
wrote:

> I’m looking to buy a /24 of space for a new multi-homed network in the
> ARIN region.  Can anyone out there speak to going rates for a /24 and best
> places to shop?
>
>


Re: Best Source for ARIN Region /24

2016-01-11 Thread Rafael Possamai
Makes sense. In that case, I think the only way out is to go through a broker
to find a suitable party for a transfer. I would read the rules and
regulations regarding transfer of ARIN blocks; they have some details and
the process requires some paperwork.


On Mon, Jan 11, 2016 at 8:35 PM, Matthew D. Hardeman <mharde...@ipifony.com>
wrote:

> I’m aware of the /24 block for facilitation concept, but my client’s use
> case can qualify as an end-user rather than as an ISP, thus their annual
> operating cost is smaller than even the X-SMALL ISP category, which they’d
> land in — if they opted for the smaller /36 initial IPv6 direct allocation,
> rather than the default /32 direct allocation.
>
> That seems to balance toward buying an existing /24.
>
>
> On Jan 11, 2016, at 8:00 PM, Rafael Possamai <rafaelpo...@gmail.com>
> wrote:
>
> If you apply for an IPv6 block, as an ISP, and you have the intention of
> truly utilizing it, then you can apply for a /24 to facilitate that
> transition.
>
> It will cost you about $1500 or so, which is about half of what a /24 is
> going for in the transfer market.
>
> Thing is, if you take the IPv6 block just to use the /24 they give you,
> then one could argue you are cheating the system.
>
>
>
> On Mon, Jan 11, 2016 at 1:19 PM, Matthew D. Hardeman <
> mharde...@ipifony.com> wrote:
>
>> I’m looking to buy a /24 of space for a new multi-homed network in the
>> ARIN region.  Can anyone out there speak to going rates for a /24 and best
>> places to shop?
>>
>>
>
>


Re: Internap route optimization

2015-11-06 Thread Rafael Possamai
A few years ago I had a couple boxes in a datacenter in Chicago that had
its traffic optimized by Internap. Latency wise, it was always the lowest
to my other applications, compared to other locations I had on-line. I am
not sure what other benefits it brought aside from lower latency. One thing
to remember is that they had several uplinks, so if you only have a couple
I can't imagine the impact to be great.

Just my 2 cents.

On Thu, Nov 5, 2015 at 2:03 AM, Paras  wrote:

> Does anyone know or have any experience with Internap's route
> optimization? Is it any good?
>
> I've heard of competing solutions as well, such as the one provided by
> Noction.
>
> Thanks for your input,
> Paras
>
>


Re: Cogent BGP Woes

2015-10-16 Thread Rafael Possamai
Similar to low-cost airlines, where you have to pay for a drink and a 4oz
bag of peanuts.

On Fri, Oct 16, 2015 at 3:36 AM, Mike Hammett  wrote:

> Nickels and dimes...
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>
> - Original Message -
>
> From: "Carlos Alcantar" 
> To: "Justin Wilson - MTIN" , "NANOG" 
> Sent: Friday, October 16, 2015 12:12:05 AM
> Subject: Re: Cogent BGP Woes
>
> Sales now handled it because they bill now for having a bgp session.
>
>
>
> Carlos Alcantar
> Race Communications / Race Team Member
> 1325 Howard Ave. #604, Burlingame, CA. 94010
> Phone: +1 415 376 3314 / car...@race.com / http://www.race.com
>
>
> 
> From: NANOG  on behalf of Justin Wilson - MTIN <
> li...@mtin.net>
> Sent: Thursday, October 15, 2015 8:47 PM
> To: NANOG
> Subject: Re: Cogent BGP Woes
>
> I am trying to turn up BGP on a circuit that has never had it. In the past,
> you went to the support portal, filled out the questionnaire and in a day
> or so you would have your bgp info. When I did that this time I received a
> prompt response back from support saying this is now handled by sales and
> gave me the sales person to contact.
>
> Contacted sales person almost 3 weeks ago. Had to wait until the direct
> draft credited before they could put any new orders in. On a side note,
> Cogent is the only provider I know of that does not credit electronic
> payments within 24-48 hours. All of ours take 5 business days. Once that's
> done, e-mail the sales person back. No response for a few days. Call a
> manager and get them involved. 2 more weeks we still don’t have BGP on this
> circuit. A minimum of 1 e-mail a day asking for status updates. Last
> response was “Everything was entered in the system”.
>
> I guess I don’t understand why a sales order has to be entered for BGP.
> This adds an extra step, which in this case has been a major fail.
>
>
> Justin Wilson
> j...@mtin.net 
>
> ---
> http://www.mtin.net  Owner/CEO
> xISP Solutions- Consulting – Data Centers - Bandwidth
>
> http://www.midwest-ix.com  COO/Chairman
> Internet Exchange - Peering - Distributed Fabric
>
> On Oct 15, 2015, at 2:47 PM, james machado wrote:
>
> Justin,
>
> What are you trying to do? I had a similar situation as my rep got
> the wrong product for BGP. I actually cleaned it up by talking to
> support and I had to fill out a second BGP questionnaire but it was
> resolved and turned up in a couple of days.
>
> James
>
> On Thu, Oct 15, 2015 at 11:38 AM, Justin Wilson - MTIN wrote:
> Have the rest of you been having as hard a time I am having in turning up
> BgP sessions with Cogent? They have made it a sales order nowadays instead
> of support. I filled out the questionnaire on the support site over 3 weeks
> ago and was directed to sales. I am going on 3 weeks waiting on a session
> to be turned up.
>
> Just wondering if I am alone.
>
>
> Justin Wilson
> j...@mtin.net 
>
> ---
> http://www.mtin.net  Owner/CEO
> xISP Solutions- Consulting – Data Centers - Bandwidth
>
> http://www.midwest-ix.com  COO/Chairman
> Internet Exchange - Peering - Distributed Fabric
>
>
>
>
>


Re: ARIN Region IPv4 Free Pool Reaches Zero

2015-09-24 Thread Rafael Possamai
T-Mobile implemented 464XLAT successfully, but I have no idea how long they
will still depend on IPv4 because of that setup.

On Thu, Sep 24, 2015 at 2:41 PM, Steve Mikulasik 
wrote:

> Let's just hope carriers don't try to fix IPv4 instead of going to IPv6.
> I'd like my children to grow up in a world without cgnat.
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Stephen Satchell
> Sent: Thursday, September 24, 2015 1:38 PM
> To: nanog@nanog.org
> Subject: Re: ARIN Region IPv4 Free Pool Reaches Zero
>
> On 09/24/2015 09:49 AM, Dovid Bender wrote:
> > The issue now is convincing clients that they need it. The other issue
> > is many software vendors still don't support it.
>
> And this may trigger a refresh on routers, as people with old or refurbed
> equipment find they need to change.  The whole reason for the inertia
> against going to IPv6 is "it ain't broke, so I not gonna 'fix' it."
>
> Now it's broke.
>
>


Re: Level(3) ex-twtelecom midwest packet loss (4323)

2015-08-26 Thread Rafael Possamai
I have been seeing the same issues, but haven't heard anything back yet. It
has improved in the last 30 minutes or so, see below.


http://imgur.com/KVAzetA



On Wed, Aug 26, 2015 at 4:34 PM, Ryan K. Brooks r...@hack.net wrote:

 Seeing packet loss on AS4323 since 2:30 Central time.   NOC is
 unresponsive to phone and email.  Anyone have an idea what's going on over
 there?



Re: Data Center operations mail list?

2015-08-21 Thread Rafael Possamai
Quick update: I moved away from Amazon SES to a private smtp server
provided by Chris, who is also helping moderate the list.

I left Amazon SES configured as a backup since the bounce rate after
thousands of emails peaked at only 0.08%

Thanks!


Rafael



On Thu, Aug 20, 2015 at 10:43 AM, Rich Kulawiec r...@gsp.org wrote:


 It appears that this list is sending its outbound traffic via Amazon's
 cloud operation.

 This is a profoundly horrible idea, not through any fault of yours, but
 because Amazon's cloud operation is a massive, non-stop fountain of spam
 and Amazon personnel flatly refuse to lift a finger to do anything about
 it.
 As a result of this incompetence/negligence, some folks out there have
 taken defensive measures which may include firewalling, blocking,
 discarding,
 rejecting, etc.  Thus this is not someplace that you want to try to send
 mail from if you really care about having it delivered.

 I recommend moving it elsewhere.  And I'm perfectly willing to assist with
 that (either selecting another location or facilitating the move or both).

 ---rsk



Re: Data Center operations mail list?

2015-08-21 Thread Rafael Possamai
My 2 cents: I use it for other services and haven't had any issues over the
past few months, but one problem I was having with SES + Mailman is that
even though my account was out of their sandbox, I still had some smtp
errors due to email not verified, which is annoying. So I had to tell
mailman to wrap every message, hence the "via NADCOG" you have probably seen
before. Now that option is back to default by using Chris' server.

Their support sent me a canned message so I decided not to waste too much
time there. As long as 99% of members get their emails I don't think it
really matters whose server they are going through.

Honestly, most things out there are designed to fit the 95th percentile
scale, so if you are on either extreme, one is better off figuring out how
to adapt than to require the whole system to change, that is, if your email
server is blocking more messages than it should, fix your email server,
don't try to fix the whole world wide web.







On Fri, Aug 21, 2015 at 8:49 PM, Mike Hammett na...@ics-il.net wrote:

 I'm on a mailing list hosted at Amazon, uses their API, etc. Other than
 the bumps in the migration to Amazon, I haven't seen any real issues.
 Hundreds of people on the list posting hundreds (total, not each) of
 messages per day. No complaints. *shrugs*




 -
 Mike Hammett
 Intelligent Computing Solutions
 http://www.ics-il.com

 - Original Message -

 From: Rich Kulawiec r...@gsp.org
 To: Rafael Possamai raf...@gav.ufsc.br
 Cc: nanog@nanog.org
 Sent: Friday, August 21, 2015 8:46:00 PM
 Subject: Re: Data Center operations mail list?

 On Fri, Aug 21, 2015 at 08:18:59PM -0500, Rafael Possamai wrote:
  Quick update: I moved away from Amazon SES to a private smtp server
  provided by Chris, who is also helping moderate the list.

 That's a good idea. I noticed.

  I left Amazon SES configured as a backup since the bounce rate after
  thousands of emails peaked at only 0.08%

 The bounce rate is not an effective metric, for a number of reasons, not
 the least of which is that some unknown and unknowable number of sites
 are configured to quarantine email. (This is a horrible idea that I've
 railed against many times, but that notwithstanding, ignorant people do it
 every day.) Any site which quarantines mail will not generate a bounce
 (or a reject) but will silently consign incoming traffic to a location
 which may, or may not, be eventually seen by a human being.

 The bounce rate yields precisely zero insight into the extent of this
 problem. Nor does it yield any insight into other similar (related)
 problems which are not manifested via the SMTP transaction.

 The best course here is to completely avoid any contact with the
 horribly-mismanaged Amazon cloud operation until such time as those
 running it demonstrate a bare minimum of professionalism -- which,
 to date, they have unfortunately not. In this particular case, it
 would be preferable to defer/queue any outbound mail traffic instead of
 attempting to deliver via Amazon: there is unlikely to be anything
 traversing that mailing list which would suffer by being delayed
 by an hour or a day.

 ---rsk





Re: Data Center operations mail list?

2015-08-20 Thread Rafael Possamai
Hi Rich,

Thank you for letting me know, I expected Amazon to actually take care of
spammers and not let it be a free for all. I can definitely switch it
elsewhere, so please let me know what you have in mind.

I can let the mailman server do deliveries as well, so that's a second
option.


Best regards,
Rafael



On Thu, Aug 20, 2015 at 10:43 AM, Rich Kulawiec r...@gsp.org wrote:


 It appears that this list is sending its outbound traffic via Amazon's
 cloud operation.

 This is a profoundly horrible idea, not through any fault of yours, but
 because Amazon's cloud operation is a massive, non-stop fountain of spam
 and Amazon personnel flatly refuse to lift a finger to do anything about
 it.
 As a result of this incompetence/negligence, some folks out there have
 taken defensive measures which may include firewalling, blocking,
 discarding,
 rejecting, etc.  Thus this is not someplace that you want to try to send
 mail from if you really care about having it delivered.

 I recommend moving it elsewhere.  And I'm perfectly willing to assist with
 that (either selecting another location or facilitating the move or both).

 ---rsk



Re: Data Center operations mail list?

2015-08-18 Thread Rafael Possamai
I actually suggested this to Chris while discussing what to have in the
website, I definitely think it would be nice to have a platform to help
plan and schedule local events for social and networking purposes.

I am working with a few people on designing a website, so I am guessing
some time in September we will have this in place.


On Sun, Aug 16, 2015 at 2:33 PM, Idafe Houghton idafe.hough...@gmail.com
wrote:

 While I am a recent incorporation, have you ever thought about organizing a
 few meetups? I am not from America, but there has been a boom recently, in
 a few cities around the world striving to make a global linked community
 network of techlabs.

 Probably, it isn't suited for this community mailing-list, that is pretty
 specialized, but just saying. I have been lately interested in these forms
 of communication, knowledge and experience sharing.

 My tips.


 On Sun, Aug 16, 2015 at 9:22 , Chris Boyd cb...@gizmopartners.com wrote:


  On Aug 15, 2015, at 12:13 PM, Martin Hannigan hanni...@gmail.com
 wrote:

  There is reasonable demand for a forum.  It might need a little
 marketing
  to get a list with traction going.


 There seems to be some traction, with 268 members on the NADCOG list so
 far.

 —Chris




Re: Drops in Core

2015-08-15 Thread Rafael Possamai
Hi Glen,

If you first list the causes of a dropped packet, then you can figure out
how likely they are at different points in time (first\last\peer\etc) by
making some assumptions.

Here's an **example**:

*Cause | Location | Likelihood*
Congestion | Last mile | Low
Congestion | First mile | Low
Congestion | Peering | Medium
Layer 1 | First mile | Low
Layer 1 | Core | Low
Layer 1 | Last mile | High

You can even go as far as drawing a cause and effect diagram for each
location. Then you can collect real world data and fine tune your
assumptions.


Rafael


On Sat, Aug 15, 2015 at 11:47 AM, Glen Kent glen.k...@gmail.com wrote:

 Hi,

 Is it fair to say that most traffic drops happen in the access layers, or
 the first and the last miles, and the % of packet drops in the core are
 minimal? So, if the packet has made it past the first mile and has
 entered the core then chances are high that the packet will safely get
 across till the exit in the core. Sure once it gets off the core, then all
 bets are off on whether it will get dropped or not. However, the key point
 is that the core usually does not drop too many packets - the probability
 of drops are highest in the access side.

 Is this correct?

 Glen



Re: Drops in Core

2015-08-15 Thread Rafael Possamai
That was just an example; that list has to be completed for a specific
network or scenario, as it changes dramatically. Imagine you were to create a
list for a DoD network instead of a public peering based network: it would
change dramatically.



On Sat, Aug 15, 2015 at 12:28 PM, Glen Kent glen.k...@gmail.com wrote:

 Why do you say that Layer 1 issues in the last mile would be very high?
 How is it any different from the first mile?

 On Sat, Aug 15, 2015 at 10:56 PM, Rafael Possamai raf...@gav.ufsc.br
 wrote:

 Hi Glen,

 If you first list the causes of a dropped packet, then you can figure out
 how likely they are at different points in time (first\last\peer\etc) by
 making some assumptions.

 Here's an **example**:

 *Cause | Location | Likelihood*
 Congestion | Last mile | Low
 Congestion | First mile | Low
 Congestion | Peering | Medium
 Layer 1 | First mile | Low
 Layer 1 | Core | Low
 Layer 1 | Last mile | High

 You can even go as far as drawing a cause and effect diagram for each
 location. Then you can collect real world data and fine tune your
 assumptions.


 Rafael


 On Sat, Aug 15, 2015 at 11:47 AM, Glen Kent glen.k...@gmail.com wrote:

 Hi,

 Is it fair to say that most traffic drops happen in the access layers, or
 the first and the last miles, and the % of packet drops in the core are
 minimal? So, if the packet has made it past the first mile and has
 entered the core then chances are high that the packet will safely get
 across till the exit in the core. Sure once it gets off the core, then
 all
 bets are off on whether it will get dropped or not. However, the key
 point
 is that the core usually does not drop too many packets - the probability
 of drops are highest in the access side.

 Is this correct?

 Glen






Re: Data Center operations mail list?

2015-08-14 Thread Rafael Possamai
Thanks! That works for Apache2.2. For those interested that are using
Apache2.4, make this change:

-Order deny,allow
-Deny from all
+Require all denied
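Review bot: the hunk converts `Order deny,allow` / `Deny from all` but leaves the quoted 2.2 config's `Allow from env=localreferer` untouched, and `Allow from` is likewise a 2.2-era mod_access directive; on 2.4 without mod_access_compat loaded, httpd refuses to start on an unknown directive, so that line needs the same treatment and should become `Require env localreferer`. Suggest showing the full 2.4 block rather than saying "the rest should be the same", since the only line that survives unchanged is the `SetEnvIf`.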

The rest should be the same. Here is some more info:
http://httpd.apache.org/docs/2.4/upgrading.html


Best,
Rafael




On Fri, Aug 14, 2015 at 2:16 PM, Jim Popovitch jim...@gmail.com wrote:

 That's a very old (in Internet Years) Mailman problem that was solved
 with session cookies in v2.1.16 (16-Oct-2013).  If you're still
 paranoid, and don't want to piss your users off with privacy leaking
 captcha, then just set up some referer checking in your apache or
 nginx configs:

 Apache:

   # Prevent subscription request spam
   SetEnvIf Referer lists\.example\.com localreferer
   <Location /mailman/subscribe>
     Order deny,allow
     Deny from all
     Allow from env=localreferer
   </Location>
 -Jim P.



Re: Data Center operations mail list?

2015-08-12 Thread Rafael Possamai
Robert, the first few people who expressed interest were subscribed
manually. Everyone else has been using the list website to subscribe! There
should have been a message sent out with the subscription email explaining
it :)



On Wed, Aug 12, 2015 at 10:28 AM, Robert Webb rw...@ropeguru.com wrote:

 Interesting... I just went to the web site to subscribe and I received an
 email that I was already subscribed.

 I don't remember doing that... So how did this happen??

 Robert


 On Wed, 12 Aug 2015 07:33:05 -0500
  Rafael Possamai raf...@gav.ufsc.br wrote:

 I was actually surprised with how many people subscribed already. I think
 we are close to 100 already in less than 24 hours.

 I could use some help drafting some basic mailing list rules (no spam, no
 soliciting, etc) and if anyone has any suggestions, please let me know.


 On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka mark.ti...@seacom.mu wrote:


 On 11/Aug/15 17:46, Alex Brooks wrote:
  With the lack of interest compared to NANOG (especially seeing how the
  old list simply dried up) it might be best making the list global
  rather than North America only to get the traffic levels up a bit.

 Tend to agree that a list with global scope might be more useful.

 Mark.






Re: Data Center operations mail list?

2015-08-12 Thread Rafael Possamai
I was actually surprised with how many people subscribed already. I think
we are close to 100 already in less than 24 hours.

I could use some help drafting some basic mailing list rules (no spam, no
soliciting, etc) and if anyone has any suggestions, please let me know.


On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka mark.ti...@seacom.mu wrote:



 On 11/Aug/15 17:46, Alex Brooks wrote:
  With the lack of interest compared to NANOG (especially seeing how the
  old list simply dried up) it might be best making the list global
  rather than North America only to get the traffic levels up a bit.

 Tend to agree that a list with global scope might be more useful.

 Mark.



Re: Data Center operations mail list?

2015-08-11 Thread Rafael Possamai
I am setting one up and invited Chris to moderate it with me. I've always
looked for a list that covers that topic as well. I followed the same name
style as nanog and registered the nadcog.org domain.

On Mon, Aug 10, 2015 at 8:11 PM, Ryan Finnesey r...@finnesey.com wrote:

 Did you come across one?

 Sent from my Windows Phone
 
 From: Chris Boydmailto:cb...@gizmopartners.com
 Sent: ‎8/‎6/‎2015 1:04 PM
 To: NANOGmailto:nanog@nanog.org
 Subject: Data Center operations mail list?

 Is there a mail list that’s analogous to NANOG, but focused on the data
 center infrastructure and operations?  The shorty.com hosted list is
 defunct.

 Thanks, and apologies for the tangential topic.

 —Chris




Re: Data Center operations mail list?

2015-08-11 Thread Rafael Possamai
Exactly. I figured if it can be organized with the help of the community
and provide other benefits aside from a mailing list, I wouldn't have a
problem with helping.

On Tue, Aug 11, 2015 at 10:07 AM, mikea mi...@mikea.ath.cx wrote:

 On Tue, Aug 11, 2015 at 07:59:41AM -0700, James Downs wrote:
 
   On Aug 11, 2015, at 06:01, Rafael Possamai raf...@gav.ufsc.br wrote:
 
   style as nanog and registered the nadcog.org domain.
 
  Nad Cog?

 North American Data Center Operations Group, perhaps?

 --
 Mike Andrews, W5EGO
 mi...@mikea.ath.cx
 Tired old sysadmin



Re: Data Center operations mail list?

2015-08-11 Thread Rafael Possamai
What is the mailman URL?

On Tue, Aug 11, 2015 at 10:15 AM, Marcin Cieslak sa...@saper.info wrote:

 On Tue, 11 Aug 2015, James Downs wrote:

 
   On Aug 11, 2015, at 06:01, Rafael Possamai raf...@gav.ufsc.br wrote:
 
   style as nanog and registered the nadcog.org domain.
 
  Nad Cog?


 datacenterops.org is still available *hint*hint*

 ~Marcin




Re: Data Center operations mail list?

2015-08-11 Thread Rafael Possamai
The list just went live at lists.nadcog.org. I am open to any
suggestions, just let me know. When you say move forward with the concept,
do you mean get the organization started as well, not just the mailing list?


Thanks,
Rafael


On Tue, Aug 11, 2015 at 7:10 PM, Mike the.li...@mgm51.com wrote:

 On 8/11/2015 3:27 PM, Simon Lockhart wrote:
  On Tue Aug 11, 2015 at 01:35:28pm -0400, Jay Ashworth wrote:
  Absolutely feel free to use it; I haven't seen a single message on it
 in...
  well, it was 3 years ago I was in datacenters regularly, so I'm goin
 with
  3 years.  :-)
 
  There's a message there now... :)
 
  Rather than fragmenting further, I'd suggest building up demand first on
  existing infrastructure. If it gets to the size of NANOG and needing a
  support organisation around it, then it can split off then...
 
  Simon
 


 At some point (hopefully sooner than later) the OP should just move
 forward in some manner with the concept.

 If I've learned anything about mailing lists in the past 35+ years,
 things will be discussed and discussed and discussed and...


 Parkinson's Law of Triviality comes to mind...

 http://www.greatleadershipbydan.com/2012/12/parkinsons-law-of-triviality.html



Re: Data Center operations mail list?

2015-08-11 Thread Rafael Possamai
Haha, are you saying some people out there put nanog on their resume? I
thought 2008 was long gone.

On Tue, Aug 11, 2015 at 10:12 PM, Randy Bush ra...@psg.com wrote:

  Rather than fragmenting further, I'd suggest building up demand first
  on existing infrastructure. If it gets to the size of NANOG and
  needing a support organisation around it, then it can split off
  then...

 no!  we need committees, and different colored badges, and web sites,
 and deadlines, and lots of stuff the insecure can put on their resumes.

 randy



Re: Leak or legit ? 11/8

2015-08-01 Thread Rafael Possamai
This is interesting, the DoD has a half trillion dollar budget, so not sure
what the motivation was to get rid of a /8.

On Sat, Aug 1, 2015 at 3:24 AM, Jérôme Nicolle jer...@ceriz.fr wrote:

 Hello,

 Just saw something surprising : 11/8 just came live from AS23352
 (ServerCentral)
 http://lg.ring.nlnog.net/prefix_detail/lg01/ipv4?q=11.0.0.0 .

 ARIN's registry didn't change :

 Net Range   11.0.0.0 - 11.255.255.255
 CIDR11.0.0.0/8
 NameDODIIS
 Handle  NET-11-0-0-0-1
 Parent
 Net TypeDirect Allocation
 Origin AS
 OrganizationDoD Network Information Center (DNIC)
 Registration Date   1984-01-19
 Last Updated2007-08-22

 But on ALTDB it's declared as legit :

 http://www.altdb.net/whois.cgi?query=11.0.0.0%2F8

 So it's unlikely a mistake. What do you think happened here ?

 Best regards,

 --
 Jérôme Nicolle



Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

2015-07-21 Thread Rafael Possamai
Yeah, it hurts to see advanced analytics being used to sort the kitten
videos you're most likely to watch, but somehow they make money off of it.
On the other hand, their datacenter and new switching technologies are
really interesting, so that's an opposite example where their corporate
investments can benefit society in general.


On Tue, Jul 21, 2015 at 8:22 AM, Mike Hammett na...@ics-il.net wrote:

 Facebook uses similar technology to figure out what kind of useless news
 to display on your feed.

 In this case, it'll be of no use whatsoever. ;-)




 -
 Mike Hammett
 Intelligent Computing Solutions
 http://www.ics-il.com

 - Original Message -

 From: Rafael Possamai raf...@gav.ufsc.br
 To: Jared Mauch ja...@puck.nether.net
 Cc: nanog@nanog.org
 Sent: Tuesday, July 21, 2015 8:07:34 AM
 Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in
 last 24 hours

 Has anyone tried to implement real-time SQC in their network? You can
 calculate summary statistics and use math to determine if traffic is
 normal or if there's a chance it's garbage. You won't be able to notice
 one-off attacks, but anything that repeats enough times should pop up.
 Facebook uses similar technology to figure out what kind of useless news to
 display on your feed.

 In summary, instead of blocking an entire country, we should be able to
 analyze traffic as it comes, and determine a DDoS attack without human
 intervention.

 On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch ja...@puck.nether.net
 wrote:

  On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
  
   DNS is still largely UDP.
 
  Water is also still wet :) - but you may not be doing 10% of your
  links as UDP/53.
 
  DNS can also use TCP as well, including sending more than one
  query in a pipelined fashion.
 
  The challenge that Cameron is trying to document here
  is when seeing large volumes of UDP it becomes necessary to do
  something to keep the network up. This response is frustrating for those
  of us who prefer to have a unfiltered e2e network but maintaining
  the network as up in the face of these adverse conditions is important.
 
  - Jared
 
  
   --Curtis
  
   On 7/20/2015 5:40 PM, Ca By wrote:
   Folks, it may be time to take the next step and admit that UDP is too
   broken to support
   
   https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
   
   Your comments have been requested
   
   
   
   On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver drew.wea...@thenap.com
  wrote:
   
   Has anyone else seen a massive amount of illegitimate UDP 1720
 traffic
   coming from China being sent towards IP addresses which provide VoIP
   services?
   
   I'm talking in the 20-30Gbps range?
   
   The first incident was yesterday at around 13:00 EST, the second
  incident
   was today at 09:00 EST.
   
   I'm assuming this is just another DDoS like all others, but I would
 be
   interested to hear if I am not the only one seeing this.
   
   On list or off-list is fine.
   
   Thanks,
   -Drew
   
   
  
   --
   Best Regards
   Curtis Maurand
   Principal
   Xyonet Web Hosting
   mailto:cmaur...@xyonet.com
   http://www.xyonet.com
 
  --
  Jared Mauch | pgp key available via finger from ja...@puck.nether.net
  clue++; | http://puck.nether.net/~jared/ My statements are only
  mine.
 




Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

2015-07-21 Thread Rafael Possamai
Pavel, what kind of resources does the analysis of a 100G circuit require?
Or is it just counting packets?

On Tue, Jul 21, 2015 at 8:11 AM, Pavel Odintsov pavel.odint...@gmail.com
wrote:

 You could do SQC with FastNetMon. We have per subnet / per host and
 per protocol counters. We are working on multi 100GE mode very well :)

 On Tue, Jul 21, 2015 at 4:07 PM, Rafael Possamai raf...@gav.ufsc.br
 wrote:
  Has anyone tried to implement real-time SQC in their network? You can
  calculate summary statistics and use math to determine if traffic is
  normal or if there's a chance it's garbage. You won't be able to notice
  one-off attacks, but anything that repeats enough times should pop up.
  Facebook uses similar technology to figure out what kind of useless news
 to
  display on your feed.
 
  In summary, instead of blocking an entire country, we should be able to
  analyze traffic as it comes, and determine a DDoS attack without human
  intervention.
 
  On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch ja...@puck.nether.net
 wrote:
 
  On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
  
   DNS is still largely UDP.
 
  Water is also still wet :) - but you may not be doing 10% of
 your
  links as UDP/53.
 
  DNS can also use TCP as well, including sending more than one
  query in a pipelined fashion.
 
  The challenge that Cameron is trying to document here
  is when seeing large volumes of UDP it becomes necessary to do
  something to keep the network up.  This response is frustrating for
 those
  of us who prefer to have a unfiltered e2e network but maintaining
  the network as up in the face of these adverse conditions is important.
 
  - Jared
 
  
   --Curtis
  
   On 7/20/2015 5:40 PM, Ca By wrote:
   Folks, it may be time to  take the next step and admit that UDP is
 too
   broken to support
   
   https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
   
   Your comments have been requested
   
   
   
   On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver drew.wea...@thenap.com
 
  wrote:
   
   Has anyone else seen a massive amount of illegitimate UDP 1720
 traffic
   coming from China being sent towards IP addresses which provide VoIP
   services?
   
   I'm talking in the 20-30Gbps range?
   
   The first incident was yesterday at around 13:00 EST, the second
  incident
   was today at 09:00 EST.
   
   I'm assuming this is just another DDoS like all others, but I would
 be
   interested to hear if I am not the only one seeing this.
   
   On list or off-list is fine.
   
   Thanks,
   -Drew
   
   
  
   --
   Best Regards
   Curtis Maurand
   Principal
   Xyonet Web Hosting
   mailto:cmaur...@xyonet.com
   http://www.xyonet.com
 
  --
  Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
  clue++;  | http://puck.nether.net/~jared/  My statements are only
  mine.
 



 --
 Sincerely yours, Pavel Odintsov



Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

2015-07-21 Thread Rafael Possamai
Has anyone tried to implement real-time SQC in their network? You can
calculate summary statistics and use math to determine if traffic is
normal or if there's a chance it's garbage. You won't be able to notice
one-off attacks, but anything that repeats enough times should pop up.
Facebook uses similar technology to figure out what kind of useless news to
display on your feed.

In summary, instead of blocking an entire country, we should be able to
analyze traffic as it comes, and determine a DDoS attack without human
intervention.

On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch ja...@puck.nether.net wrote:

 On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
 
  DNS is still largely UDP.

 Water is also still wet :) - but you may not be doing 10% of your
 links as UDP/53.

 DNS can also use TCP as well, including sending more than one
 query in a pipelined fashion.

 The challenge that Cameron is trying to document here
 is when seeing large volumes of UDP it becomes necessary to do
 something to keep the network up.  This response is frustrating for those
 of us who prefer to have a unfiltered e2e network but maintaining
 the network as up in the face of these adverse conditions is important.

 - Jared

 
  --Curtis
 
  On 7/20/2015 5:40 PM, Ca By wrote:
  Folks, it may be time to  take the next step and admit that UDP is too
  broken to support
  
  https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
  
  Your comments have been requested
  
  
  
  On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver drew.wea...@thenap.com
 wrote:
  
  Has anyone else seen a massive amount of illegitimate UDP 1720 traffic
  coming from China being sent towards IP addresses which provide VoIP
  services?
  
  I'm talking in the 20-30Gbps range?
  
  The first incident was yesterday at around 13:00 EST, the second
 incident
  was today at 09:00 EST.
  
  I'm assuming this is just another DDoS like all others, but I would be
  interested to hear if I am not the only one seeing this.
  
  On list or off-list is fine.
  
  Thanks,
  -Drew
  
  
 
  --
  Best Regards
  Curtis Maurand
  Principal
  Xyonet Web Hosting
  mailto:cmaur...@xyonet.com
  http://www.xyonet.com

 --
 Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
 clue++;  | http://puck.nether.net/~jared/  My statements are only
 mine.

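An added example (not from the thread, and not FastNetMon's code) of the real-time SQC approach Rafael sketches: a Shewhart-style control chart per (destination, protocol, port) over one-second packet counts, with Welford's online mean/variance as the baseline and an alert only after several consecutive out-of-control intervals, so a one-off blip is ignored while anything that repeats pops up. The flow records, the TEST-NET addresses and the packet counts are constructed for the demonstration.

```python
import math
from collections import defaultdict


class OnlineStats:
    """Welford's streaming mean/variance; one instance per traffic key."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class SqcDetector:
    """Shewhart-style control chart per (dst, proto, dport).

    An interval is out of control when its packet count exceeds the
    baseline mean by more than `sigma` standard deviations; an alert is
    raised only after `consecutive` such intervals, so one odd second is
    ignored while anything that repeats shows up.  Out-of-control intervals
    are not folded into the baseline, so a long flood cannot re-teach the
    detector that attack volume is normal.
    """

    def __init__(self, sigma=3.0, warmup=20, consecutive=3, min_std=1.0):
        self.sigma, self.warmup = sigma, warmup
        self.consecutive, self.min_std = consecutive, min_std
        self.baseline = defaultdict(OnlineStats)
        self.streak = defaultdict(int)

    def observe(self, interval, key, count):
        """Feed one interval's count for `key`; return an alert dict or None."""
        st = self.baseline[key]
        if st.n < self.warmup:                  # still learning what normal is
            st.update(count)
            return None
        std = max(st.stddev(), self.min_std)    # floor avoids div-by-zero on flat keys
        z = (count - st.mean) / std
        if z > self.sigma:
            self.streak[key] += 1
            if self.streak[key] >= self.consecutive:
                return {"interval": interval, "key": key, "count": count,
                        "baseline": round(st.mean, 1), "z": round(z, 1)}
            return None
        self.streak[key] = 0
        st.update(count)
        return None


def bucketize(records, width=1):
    """Aggregate (ts, src, dst, proto, dport, pkts) flow records into
    per-interval packet counts keyed by (dst, proto, dport), time-ordered."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, _src, dst, proto, dport, pkts in records:
        buckets[ts // width][(dst, proto, dport)] += pkts
    return sorted(buckets.items())


def run_detector(records, **kwargs):
    """Replay records through the detector; return the alerts it raised."""
    det = SqcDetector(**kwargs)
    alerts = []
    for interval, counts in bucketize(records):
        for key, pkts in sorted(counts.items()):
            alert = det.observe(interval, key, pkts)
            if alert:
                alerts.append(alert)
    return alerts


def constructed_flows():
    """Constructed sample, not real telemetry: 60 s of ordinary traffic to a
    TEST-NET-1 host, then 10 s of a UDP/1720 flood toward it."""
    flows = []
    for t in range(70):
        base = 1000 + (t * 37) % 101 - 50            # ~1000 pps of UDP/1720 with jitter
        flows.append((t, "203.0.113.5", "192.0.2.10", "udp", 1720, base // 2))
        flows.append((t, "203.0.113.6", "192.0.2.10", "udp", 1720, base - base // 2))
        flows.append((t, "203.0.113.7", "192.0.2.10", "tcp", 443, 500 + t % 7))
        if t >= 60:
            flows.append((t, "198.51.100.9", "192.0.2.10", "udp", 1720, 40_000))
    return flows


if __name__ == "__main__":
    for a in run_detector(constructed_flows()):
        print(a)
```

With these inputs the first alert fires in the third second of the flood and only for the UDP/1720 key; the TCP/443 traffic to the same host never trips it. In practice the records come from sFlow or NetFlow export, the per-key state has to be bounded to the hosts you actually protect, and the warm-up baseline should be taken from a period you know was clean, because a detector trained during an attack learns the attack as normal.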


Re: SIP trunking providers

2015-07-20 Thread Rafael Possamai
When I originally posted the thread, I had asked Chicago due to physical
proximity, and my assumption being the lesser the number of hops, the lower
the probability of running into issues (latency, jitter and congestion). On
the other hand, one of my sandboxes is out of Las Vegas and I haven't had
any issues yet, but the number of test calls I've run isn't enough to say
with confidence that distance and hops don't matter (indirect ways of
measuring latency, etc).

Another thing is, having your packets stay in Chicago and in Chicago only
is a nice thing, the efficiency of your overall system would be higher for
what it's worth, but as an example, the 2nd hop this e-mail is taking to
get delivered to Nanog is about 100 miles, who knows about the other ones.



On Mon, Jul 20, 2015 at 8:49 AM, Naslund, Steve snasl...@medline.com
wrote:

 End to end delay is not the most limiting factor.  Jitter is the issue and
 packet drops are the other issue that matters (more importantly the
 distribution of drops).  I think the best reason to select the local
 provider over the distant one is that the sooner he gets off the IP network
 the less impairments he will run into.  The TDM network as antiquated as it
 is, is less susceptible to congestion and call impairments than an IP
 backbone network is.  I can tell you from running a bunch of International
 VOIP networks that they are just not as reliable as TDM.  The average
 internet connection just does not meet the reliability standards that the
 TDM voice network has achieved.  IP networks are affected by congestion and
 routing issues whereas the TDM network seldom has these type of problems.
 An outage on a TDM circuit rarely affects other TDM circuits so they see a
 lot less higher level outages.  I can understand why he does not want to
 haul his voice cross country over IP when he is exiting locally most of the
 time.

 Yes, I understand that the carrier might very well be hauling that traffic
 via IP even after he gets to his gateway point but at that point it becomes
 their problem to deal with.

 Steven Naslund
 Chicago IL


 If you’re going to the PSTN, who gives a shit where you do the
 interconnect as long as its within 100ms.
 
 If most of your calls are VOIP-VOIP within Chicago, then it makes some
 sense to set up a box and just send the external calls out to the trunking
 provider where you no longer really care where they are.
 
 Absent significant network  suckage, there’s no place in the contiguous
 US that isn’t within 100 ms of any other place in the contiguous US these
 days.
 
 Owen

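An added example, not part of Steve's or Rafael's posts, to make the distinction concrete: it computes the RFC 3550 interarrival jitter estimator and loss-burst statistics over two constructed RTP arrival traces (100 packets, 20 ms ptime) that have the identical mean one-way delay (50 ms) and identical 10% loss, yet differ completely in jitter and in how the drops are distributed. Trace shapes, delays and dropped sequence numbers are invented for the demonstration.

```python
PTIME_MS = 20      # packetization interval of the constructed streams
N_PKTS = 100       # sequence numbers 0..99 were sent


def build_trace(delay_ms, lost):
    """Constructed RTP arrival trace: (seq, recv_ms) for every packet that was
    not dropped, with a per-packet one-way delay given by delay_ms(seq)."""
    return [(s, s * PTIME_MS + delay_ms(s)) for s in range(N_PKTS) if s not in lost]


def rfc3550_jitter(trace):
    """Interarrival jitter per RFC 3550 section 6.4.1, in ms:
    D = (R_j - R_i) - (S_j - S_i);  J = J + (|D| - J) / 16."""
    j = 0.0
    for (s0, r0), (s1, r1) in zip(trace, trace[1:]):
        d = (r1 - r0) - (s1 - s0) * PTIME_MS
        j += (abs(d) - j) / 16
    return j


def mean_delay(trace):
    """Average one-way delay of the packets that did arrive."""
    return sum(r - s * PTIME_MS for s, r in trace) / len(trace)


def loss_stats(trace, total=N_PKTS):
    """Count lost packets and how they cluster: number of loss bursts and
    the longest run of consecutive lost sequence numbers."""
    got = {s for s, _ in trace}
    lost = bursts = run = max_run = 0
    for s in range(total):
        if s in got:
            run = 0
            continue
        lost += 1
        run += 1
        if run == 1:
            bursts += 1
        max_run = max(max_run, run)
    return {"lost": lost, "rate": lost / total, "bursts": bursts, "max_burst": max_run}


def summarize(trace):
    return {"mean_delay_ms": mean_delay(trace),
            "jitter_ms": round(rfc3550_jitter(trace), 2),
            **loss_stats(trace)}


# Constant 50 ms delay, one isolated drop every 10th packet.
TRACE_STEADY = build_trace(lambda s: 50, lost={s for s in range(N_PKTS) if s % 10 == 9})
# Same 50 ms average delay (alternating 30/70 ms) and same 10% loss,
# but all ten drops are consecutive: one 200 ms hole in the audio.
TRACE_BURSTY = build_trace(lambda s: 30 if s % 2 == 0 else 70, lost=set(range(40, 50)))

if __name__ == "__main__":
    for name, trace in (("steady", TRACE_STEADY), ("bursty", TRACE_BURSTY)):
        print(name, summarize(trace))
```

The steady trace reports zero jitter and ten isolated drops, which packet-loss concealment papers over; the second reports close to 40 ms of jitter and a single 200 ms hole despite the same mean delay and loss rate. That is why a latency figure alone says little about whether a call will sound acceptable.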



Re: another tilt at the Verizon FIOS IPv6 windmill

2015-07-18 Thread Rafael Possamai
The best way to complain is to simply move the service to another
provider (when possible). 50 bucks a month of revenue to them is not worth
the hassle of having a tech user asking for all sorts of non-standard
configs. It shouldn't be that way, but that's how it usually goes. Think
about it, everyone else (almost literally) is watching cat videos on
youtube and streaming shows on Netflix, so as long as that works, they will
be making their money and not caring about anything else.

When I got TWC business class a while back, I asked the account manager to
draft a month to month contract. When I realized their DOCSIS network
sucked, and that my gateway was going dark several times a week, I just
cancelled, didn't bother arguing with them. I bet I was the only person in
my block that cared about 99.9% uptime, so why would they bother doing
anything.






On Sat, Jul 18, 2015 at 1:08 PM, Andrew Kirch trel...@trelane.net wrote:

 I had to beat up on ATT quite a bit, but instead of letting them make
 notes, escalate to tier-2 because you can't reach work.  Explain that you
 must have IPv6 to reach work to the tier-2.  If they won't help demand to
 be escalated further.  Your time on the phone costs them money.

 On Sat, Jul 18, 2015 at 6:45 AM, Seth Mos seth@dds.nl wrote:

  Ricky Beam schreef op 18-7-2015 om 1:14:
 
   On Fri, 17 Jul 2015 06:25:26 -0400, Christopher Morrow 
  morrowc.li...@gmail.com wrote:
 
  mean that your UBee has to do dhcpv6? (or the downstream thingy from
  the UBee has to do dhcpv6?)
 
 
  The Ubee router is in bridge mode. Customers have ZERO access to the
  thing, even when it is running in routed mode. So I have no idea what
 it's
  trying to do.  All I can say is no RAs are coming from it (through
  it/whatever) It *could* be it's blocking it -- it's multicast, so who
 knows
  what it's doing with it.  Without RAs, nothing connected to it will even
  attempt IPv6 -- the RA being the indicator to use DHCP or not, and who's
  the router.
 
  And further, when I tell my Cisco 1841 to do DHCP anyway, I get no
 answer.
 
  So, the blanket statement that it's ready isn't true.
 
  For a point of interest, the Ubee 320 and 321 wireless routers/modems are
  in use by Ziggo in the Netherlands.
 
  Although they've rolled back the 320 modems to a older firmware, the 321
  is still active on their IPv6 rollout. The problems were not strictly
  related to Ipv6 perse, but the newer firmware broken Voice on these
 all-the
  -things-in-one devices.
 
  The 321 appears to be unaffected and is still active, although in just a
  few regions at this point of the rollout.
 
  What's very specific about this rollout in relation to the above, is that
  Ziggo is currently only supporting IPv6 with the Ubee in router mode
 (with
  the wifi hotspot). The good news is that it also operates a DHCP-PD
 server
  so that you can connect your own router to the Ubee and still get IPv6
  routed to you out of the /56 allocated to the customer.
 
  For now, all the customers with the Ubee in bridge mode are SOL. It's not
  clear what the reason is, but Ubee in bridge mode with IPv6 is listed on
  the road map. If that's intentional policy or that the firmware isn't
 ready
  yet is not clear at this point.
 
  Regards,
  Seth
 



Re: Speaking of NTP...

2015-07-16 Thread Rafael Possamai
Depending on how exactly you have these servers configured with relation to
one another, small variations from one single source can be augmented down
the line.

https://en.wikipedia.org/wiki/Propagation_of_uncertainty



On Mon, Jul 13, 2015 at 8:17 AM, Matthew Huff mh...@ox.com wrote:

 We have 5 NTP server:  2 x stratum 1 rubidium oscillator time servers with
 GPS sync, and 3 servers running NTP 4.2.6p5-3 synced to external internet
 based NTP stratum 1 servers. We monitor our NTP environment closely, and
 over the last 10+ years, normally all of our NTP servers are sync'ed within
 +/- 2 msec. Starting last Friday, we started seeing some remote NTP servers
 with GPS reference consistently offset by 10 msec.

 Any one else seeing this?

 
 Matthew Huff | 1 Manhattanville Rd
 Director of Operations   | Purchase, NY 10577
 OTA Management LLC   | Phone: 914-460-4039
 aim: matthewbhuff| Fax:   914-694-5669




Re: in-cabinet PDU safety regs?

2015-07-02 Thread Rafael Possamai
I've referenced article 645 before, but you have to look at anything
upstream or downstream of the PDU as well, as the system as a whole needs
to be within standards.

On Wed, Jul 1, 2015 at 11:42 AM, William Herrin b...@herrin.us wrote:

 Hi Folks,

 Do you know of any regulations, standards or publications covering the
 safe installation and use of the little 1U and 2U PDUs in rack
 cabinets? My google fu is failing me. All I've found is OSHA
 1926.403(i)(1)(i)
 (
 https://www.osha.gov/pls/oshaweb/owadisp.show_document?p_table=STANDARDSp_id=10704
 )
 and I'm not 100% sure it applies.

 Thanks in advance,
 Bill Herrin

 --
 William Herrin  her...@dirtside.com  b...@herrin.us
 Owner, Dirtside Systems . Web: http://www.dirtside.com/



Re: ARIN just subdivided their last /17, /18, /19, /20, /21 and /22. Down to only /23s and /24s now. : ipv6

2015-06-27 Thread Rafael Possamai
Randy,

How long do you think it will take to completely get rid of IPv4? Or is it
even going to happen at all?

On Sat, Jun 27, 2015 at 4:57 AM, Randy Bush ra...@psg.com wrote:

 the rirs have run out of their free source of short ints to rent to us.
 i am sure everyone will move to ipv6 in a week.  news at eleven.

 randy



Re: World's Fastest Internet™ in Canadaland

2015-06-27 Thread Rafael Possamai
Good for you.

On Sat, Jun 27, 2015 at 6:36 PM, Irwin, Kevin kevin.ir...@cinbell.com
wrote:

 Based on our 1Gbps residential customers' usage, I believe you just sit at
 home and run speedtest all day.

 Sent from my iPhone

  On Jun 26, 2015, at 2:41 PM, Rafael Possamai raf...@gav.ufsc.br wrote:
 
  How does one fully utilize a gigabit link for home use? For a single
 person
  it is overkill. Similar to the concept of price elasticity in economics,
  going from 50mbps to 1gbps doesn't necessarily increase your average
  transfer rate, at least I don't think it would for me. Anyone care to
  comment? Just really curious, as to me it's more of a marketing push than
  anything else, even though gigabit to the home sounds really cool.
 
 
 
  On Fri, Jun 26, 2015 at 1:13 PM, Eric Dugas edu...@zerofail.com
 wrote:
 
  Nice try Bell.. So-Net did it two years ago, 2Gbps FTTH in Japan.
 
  Article: http://bgr.com/2013/06/13/so-net-nuro-2gbps-fiber-service/
 
  If you read Japanese: http://www.nuro.jp/hikari/
 
  Eric
 
  -Original Message-
  From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Hank Disuko
  Sent: June 26, 2015 2:04 PM
  To: NANOG
  Subject: World's Fastest Internet™ in Canadaland
 
  Bell Canada is apparently gearing up to provide the good people of
 Toronto
  with the World's Fastest Internet™.
 
 
 http://www.thestar.com/news/city_hall/2015/06/25/bell-canada-to-give-toronto-worlds-fastest-internet.html
 
 
 
 The information transmitted is intended only for the person or entity to
 which it is addressed and may contain confidential and/or privileged
 material. Any review, retransmission, dissemination or other use of, or
 taking of any action in reliance upon, this information by persons or
 entities other than the intended recipient is prohibited. If you receive
 this in error, please contact the sender and destroy any copies of this
 document.



Re: Level3 NOC Contact

2015-06-26 Thread Rafael Possamai
The portal should have some stats where you can do basic troubleshooting.
It's really easy to get registered on the portal, you just need account
number and customer name (which is scary, but go figure...).





On Fri, Jun 26, 2015 at 11:10 AM, Michael Loftis mlof...@wgops.com wrote:

 AFAIK theres no longer any way to get their attention unless you're a
 customer AND have signed up for their online portal system at
 https://my.level3.com/ - and I wouldn't expect anything stellar
 then either. You'll likely have to do your own troubleshooting through them
 as my recent experiences have shown little to no clue or assistance from
 them. They were happy to do as asked but weren't able, or willing, or
 whatever to do anything on their own. Make certain you get the problem
 category right too or you'll be stuck in the wrong team without any of them
 telling you that.



 On Friday, June 26, 2015, Nathanael C. Cariaga 
 nathanael.cari...@adec-innovations.com wrote:

  Hi,
 
  Any Level3 NOC contacts on the list?  Our link in Irvine has been on and
  off for few minutes already.  Would appreciate replies offline..
 
 
  Thanks!
 
  -nathan
 


 --

 Genius might be described as a supreme capacity for getting its possessors
 into trouble of all kinds.
 -- Samuel Butler



Re: World's Fastest Internet™ in Canadaland

2015-06-26 Thread Rafael Possamai
How does one fully utilize a gigabit link for home use? For a single person
it is overkill. Similar to the concept of price elasticity in economics,
going from 50mbps to 1gbps doesn't necessarily increase your average
transfer rate, at least I don't think it would for me. Anyone care to
comment? Just really curious, as to me it's more of a marketing push than
anything else, even though gigabit to the home sounds really cool.



On Fri, Jun 26, 2015 at 1:13 PM, Eric Dugas edu...@zerofail.com wrote:

 Nice try Bell.. So-Net did it two years ago, 2Gbps FTTH in Japan.

 Article: http://bgr.com/2013/06/13/so-net-nuro-2gbps-fiber-service/

 If you read Japanese: http://www.nuro.jp/hikari/

 Eric

 -Original Message-
 From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Hank Disuko
 Sent: June 26, 2015 2:04 PM
 To: NANOG
 Subject: World's Fastest Internet™ in Canadaland

 Bell Canada is apparently gearing up to provide the good people of Toronto
 with the World's Fastest Internet™.

 http://www.thestar.com/news/city_hall/2015/06/25/bell-canada-to-give-toronto-worlds-fastest-internet.html





Re: World's Fastest Internet™ in Canadaland

2015-06-26 Thread Rafael Possamai
That comment was made from a customer perspective (myself) while I wonder
if I ever would wanna pay for it, although it seems like it's pretty cheap
already. As an entrepreneur, business, etc... then yes, I agree. Shoot for
the stars and land on the moon. :)


On Fri, Jun 26, 2015 at 3:02 PM, Karl Auer ka...@biplane.com.au wrote:

 On Fri, 2015-06-26 at 13:39 -0500, Rafael Possamai wrote:
  How does one fully utilize a gigabit link for home use? For a single
 person
  it is overkill.

 This sentiment keeps popping up. It's a failure of vision. To suggest
 that single people or ordinary people or any other set of presumably
 average and uninteresting people will never be able to fully utilise the
 amazing properties of X, and that they can and should be satisfied with
 some limited version of X or the even more limited alternative Y, is to
 completely miss the point. And to actually provide no more than that is
 to build a self-fulfilling prophecy.

 Look at pretty much any modern technology and you can be sure that when
 it was first invented someone wearing the then equivalent of a brown
 cardigan said yes, that's all very well, but what use will ordinary
 people ever have for it?.

 When the first little fire sputtered into life in some Neanderthal cave
 you can bet that some troglodyte said no point make bigger, me warm
 enough, more hot waste of effort, but of course he hadn't thought of
 bronze, iron, steel, glass, welding or rocketry. Or the steam engine or
 the internal combustion engine. What luck that his kids ignored him, eh?

 As William Gibson wrote, the street finds its uses for things.

 I can't think of anything I would or could do with a terabit Internet
 link - but it's not me who needs it. It's the kids now in school who
 will build it, and their kids will think it commonplace. And they will
 look back at you and me and think how did our grandparents ever manage
 with only a couple of gigabits? How limiting! And while they are
 thinking that, some bright young things will report that they think
 they've got a primitive exabit link working...

 Regards, K.

 PS: There are only three real values for network speeds, just as there
 are only three values for amount of personal fortune, RAM, disk space
 and CPU speed. The three values are not enough, enough and I don't
 know. Always aspire to I don't know.

 --
 ~~~
 Karl Auer (ka...@biplane.com.au)
 http://www.biplane.com.au/kauer
 http://twitter.com/kauer389

 GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
 Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882





Re: Re: World's Fastest Internet™ in Canadaland

2015-06-26 Thread Rafael Possamai
Good points. But just like I won't take more than one shower at a time, I
probably won't watch more than one Netflix stream session at a time
(assuming that for myself only). Downloading a large ISO image in seconds
is definitely a plus, although at the office I never reach a steady 120MB/s
from some Linux mirror out there. I've recently created a Debian mirror and
the 1500GB or so of data came at an average speed of 270mbps using a 1gbps
datacenter link.

I think it will still be a while until we can saturate a 1gbps link inside
the average home. While there are people working hard to deliver 1gbps
FTTH, there are others working equally as hard in developing video
compression algorithms to utilize less bandwidth on the content provider
side.

Not arguing against it, I'm just throwing gas at the fire to see what
different perspectives come out.


On Fri, Jun 26, 2015 at 4:56 PM, Mark Andrews ma...@isc.org wrote:


 In message 
 cajb2g-h2cccqud7_bhpoydo+beysyzpy+js2p+hj6ruk0qx...@mail.gmail.com
 , Rafael Possamai writes:
  How does one fully utilize a gigabit link for home use? For a single
 person
  it is overkill. Similar to the concept of price elasticity in economics,
  going from 50mbps to 1gbps doesn't necessarily increase your average
  transfer rate, at least I don't think it would for me. Anyone care to
  comment? Just really curious, as to me it's more of a marketing push than
  anything else, even though gigabit to the home sounds really cool.

 Overkill is good provided it doesn't cost too much more.  You want
 the connection speed to not be a limitation on what you are trying
 to do.  1G does that at a good price point these days.  At some
 point in the future 1G will seem slow and there will be a new speed
 that stops the link speed being the limitation.

 You don't think about the size of power lines coming into a house
 as they are overkill for just about anything you will do in the
 house.

 You don't think about the size of water pipes coming into a house
 as they are overkill for just about anything you will do in the
 house.  Very occasionally you will want to connect directly to the
 mains (filling a pool) but otherwise the pipe is more than sufficient.

 The worry should be over the gigabytes transferred, the kilowatthours
 and the kilolitres consumed which are the actual resources being
 delivered.

 Unfortunately ISP's have made it about link speed rather than what
 it really is about because link speed was the limiting factor.

 Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Any Verizon datacenter techs about?

2015-06-25 Thread Rafael Possamai
Be prepared to drop a lot of money for colocation with Verizon. Also,
quoting process is rather long and you will have to sign an NDA most likely,
which just makes it even more fun. For the size of your project I'd pick a
provider that focuses on colocation for small and medium businesses and is
easier to work with.



On Wed, Jun 24, 2015 at 1:46 PM, John Musbach johnmusba...@gmail.com
wrote:

 Hello,

 I'm a techie that recently moved to South Jersey for a tech job. To my
 astonishment, I discovered that there appears to be a Verizon
 datacenter near my house that has colocation:

 http://imgur.com/a/PdGno

 It's in Somers Point, NJ. While I could not find an address on the
 building, it is on the corner of Bethel Rd and N New Rd. I've tried
 walking around back to see if I could talk to anyone about colocation
 but could not find anyone outside. I've also tried calling Verizon but
 support wasn't very helpful. My question is, what does it take to get
 some colocation space inside of that building? Me and my roommate both
 have a 1u we'd like to rack and having it racked in a datacenter
 walking distance from where we live would be awesome. What we'd need:

 2u space
 4 power drops for the servers (2 psu per server)
 2 100Mbps ethernet drops with static IPs

 I'm not sure if that's too little to ask for colocation or not, but
 that really is all we'd need. Is there anyone about that knows what
 we'd need to acquire such space, cost, badging, etc? If so, can you
 please reply offlist?

 Thanks,

 John M



Re: Residential VSAT experiences?

2015-06-23 Thread Rafael Possamai
Reading about SIP made it seem like latency alone is not an issue, aside
from delays which impact verbal communication as previously mentioned. What
is going to be much worse is jitter and packet loss. You can eventually get
used to a significant delay, but dropped calls and chopped sound renders
the service useless.

On Tue, Jun 23, 2015 at 3:44 AM, Tim Franklin t...@pelican.org wrote:

  Interesting that you say that about sip. We had a client that would use
 it
  for sip on ships all the time. It wasn't the best but it worked. Ping
 times
  were between 500-700ms.

 It really depends on your expectations - or more to the point, your
 end-users' expectations.

 I've tested SIP in the lab up to 2000ms RTT.  The protocols all hang
 together and keep working, but it's obviously very much in walkie-talkie
 mode, you can't hold a normal duplex conversation.  500ms there's more of
 the talking over each other / sorry, you go / no, you go dance, but it
 *is* workable.  If your end-user is expecting land-line replacement
 though...

 Regards,
 Tim.




Re: Data Center Network Monitoring with TAPs

2015-06-22 Thread Rafael Possamai
Here's a recent forum thread that discussed the same exact topic. You might
find some insight:
http://www.reddit.com/r/networking/comments/3aip3p/data_center_network_monitoring/


On Sat, Jun 20, 2015 at 11:06 AM, Mitch Howards hbf9...@hotmail.com wrote:

 Hello All,

 Was wondering what folks are using to monitor traffic
  on their networks. Looking into Ixia and APCON devices for dedup and
 other filtering features as well as passive fiber TAPs to capture the
 traffic.

 How are folks handling TAP'ing large data center
 networks? TAPs at the distribution layer would be the best fit for my
 network but that would require a ton of passive fiber TAPs for the
 incoming fibers to the distribution switches. The end goal is to not
 only capture the north-south traffic on the network but also east-west
 traffic. It seems more efficient to just use SPANs but there are many
 limitations using SPANs.

 Thanks in advance for any suggestions.

 Mitch


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-21 Thread Rafael Possamai
No wonder IPv4 is depleted. People's shoes have a MAC address nowadays...

On Sun, Jun 21, 2015 at 8:32 AM, Rob Seastrom r...@seastrom.com wrote:


 Stephen Satchell l...@satchell.net writes:

  ... They just couldn't believe that 300 people could max out their system
  ...
  Last year, the group AVERAGED four devices each.

 A *camping* event that I go to, that is by and large not a
 technology-oriented constituency, averaged 2.6 devices per
 attendee.

 -r




Re: Whats' a good product for a high-density Wireless network setup?

2015-06-20 Thread Rafael Possamai
I don't think there's an actual standard for density, at least I am not
aware of one. Independent of the vendor you use, this guide should be valid
at 80% of implementations:

http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1250-series/design_guide_c07-693245.html

On Meraki's website there's a case study of an entertainment venue that has
about 2,000 users per night, so I am assuming 1,000 which is your case
should be doable.

On Sat, Jun 20, 2015 at 5:41 AM, Sina Owolabi notify.s...@gmail.com wrote:

 Thanks everybody. I've been corrected on density... I've been informed that
 it's to be a minimum of 1000 users per building.
 That's 8,000 users. (8 buildings, not counting walkways and courtyards,
 admin, etc.)
 Does this qualify as high-density?

 On Sat, Jun 20, 2015 at 5:33 AM Ray Soucy r...@maine.edu wrote:

  Well, I could certainly be wrong, but it's news to me if UBNT started
  supporting DFS in the US.
 
  Your first screenshot is listing the UAP for 5240 which is channel 48,
  U-NII-1.  The second show 5825 which is the upper limit of U-NNI-3.  I
  don't see any U-NII-2 in what you posted.
 
  This forum post may be a bit out of date, but I haven't seen any
  announcement or information on the forums to indicate the situation has
  changed, and I'm pretty good at searching:
 
  https://community.ubnt.com/t5/UniFi-Wireless/DFS/m-p/700461#M54771
 
  From this thread it looks like the ability to configure DFS channels in
 the
  US was a UI bug and only showing for ZH anyway.  IIRC they actually got
 in
  a bit of trouble with the FCC over not restricting the use of these
  channels enough.
 
  Regardless of whether or not the FCC has cleared UBNT indoor products for
  U-NII-2 and U-NII-2-extended (and I haven't seen evidence of that yet),
  until you can configure APs to use those channels in the controller
 without
  violating FCC regulations I don't consider them usable.
 
  The UAP-AC doesn't seem to support DFS channels at all even without FCC
  restrictions, which kind of kills the point of AC, only 4 x 40 MHz or 2 x
  80 MHz channels doesn't cut it when we're talking about density.
 
  Note we're talking about indoor wireless and there ARE some UBNT products
  for outdoor WISP use that do support DFS and have been cleared by the
 FCC,
  but we would only be looking at the UAP-PRO or UAP-AC in this case so
 maybe
  that's the point of confusion here.
 
 
 
 
  On Fri, Jun 19, 2015 at 11:36 PM, Faisal Imtiaz 
 fai...@snappytelecom.net
  wrote:
 
   FCC Cert claims different.
  
   :)
  
   Faisal Imtiaz
   Snappy Internet & Telecom
   7266 SW 48 Street
   Miami, FL 33155
   Tel: 305 663 5518 x 232
  
   Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net
  
   --
  
   *From: *Josh Luthman j...@imaginenetworksllc.com
   *To: *Faisal Imtiaz fai...@snappytelecom.net
   *Cc: *NANOG list nanog@nanog.org, Ray Soucy r...@maine.edu
   *Sent: *Friday, June 19, 2015 9:16:37 PM
  
   *Subject: *Re: Whats' a good product for a high-density Wireless
 network
   setup?
  
   Uhm he's not wrong...
  
   Josh Luthman
   Office: 937-552-2340
   Direct: 937-552-2343
   1100 Wayne St
   Suite 1337
   Troy, OH 45373
   On Jun 19, 2015 9:13 PM, Faisal Imtiaz fai...@snappytelecom.net
  wrote:
  
   The thing you need to watch out for with Ubiquiti is that they
 don't
   support DFS, so the entire U-NII-2 channel space is off limits for 5
  GHz.
  
   Huh 
  
   Please verify your facts before making blanket statements which are
 not
   accurate ...
  
  
  
   Faisal Imtiaz
   Snappy Internet & Telecom
  
  
   - Original Message -
From: Ray Soucy r...@maine.edu
To: Sina Owolabi notify.s...@gmail.com
Cc: nanog@nanog.org list nanog@nanog.org
Sent: Friday, June 19, 2015 7:07:01 PM
Subject: Re: Whats' a good product for a high-density Wireless
 network
   setup?
   
I know you don't want to hear this answer because of cost but I've
 had
   good
luck with Cisco for very high density (about 1,000 clients in a
 packed
auditorium actively using the network as they follow along with the
presenter).
   
The thing you need to watch out for with Ubiquiti is that they don't
support DFS, so the entire U-NII-2 channel space is off limits for 5
   GHz.
That's pretty significant because you're limited to 9 x 20 MHz
  channels
   or
4 x 40 MHz channels.  Keeping the power level down and creating
 small
   cells
is essential for high density, so with less channels your hands are
   really
tied in that case.  Also, avoid the Zero Handoff marketing nonsense
  they
advertise; I'm sure it can work great for a low client residential
  area
   but
it requires all APs to share a single channel and depends upon
   coordinating
only one active transmitter at a time, so it simply won't scale.
   
I don't have experience with other vendors at large scale or high
   density.
   
I don't think 

Re: SIP trunking providers

2015-06-20 Thread Rafael Possamai
Thanks everyone for your responses.

On Fri, Jun 19, 2015 at 4:40 PM, Rafael Possamai raf...@gav.ufsc.br wrote:

 Would anyone in the list be able to recommend a SIP trunk provider in the
 Chicago area? Not a VoIP expert, so just looking for someone with previous
 experience.


 Thanks,
 Rafael



Re: Whats' a good product for a high-density Wireless network setup?

2015-06-20 Thread Rafael Possamai
That's interesting, I will take a look. Thanks!

On Sat, Jun 20, 2015 at 7:40 AM, Marco Teixeira ad...@marcoteixeira.com
wrote:

 Rafael,
 At some scales, the WiFi standard alone will not cut it... Research on
 MERUNETWORKS virtual cell technology. I have done a trial with them. All the
 others are far behind on density. Check their case studies.
 On 20/06/2015 13:02, Rafael Possamai raf...@gav.ufsc.br wrote:

 I don't think there's an actual standard for density, at least I am not
 aware of one. Independent of the vendor you use, this guide should be
 valid
 at 80% of implementations:


 http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1250-series/design_guide_c07-693245.html

 On Meraki's website there's a case study of an entertainment venue that
 has
 about 2,000 users per night, so I am assuming 1,000 which is your case
 should be doable.

 On Sat, Jun 20, 2015 at 5:41 AM, Sina Owolabi notify.s...@gmail.com
 wrote:

  Thanks everybody. I've been corrected on density... I've been informed
 that
  it's to be a minimum of 1000 users per building.
  That's 8,000 users. (8 buildings, not counting walkways and courtyards,
  admin, etc.)
  Does this qualify as high-density?
 
  On Sat, Jun 20, 2015 at 5:33 AM Ray Soucy r...@maine.edu wrote:
 
   Well, I could certainly be wrong, but it's news to me if UBNT started
   supporting DFS in the US.
  
   Your first screenshot is listing the UAP for 5240 which is channel 48,
   U-NII-1.  The second show 5825 which is the upper limit of U-NNI-3.  I
   don't see any U-NII-2 in what you posted.
  
   This forum post may be a bit out of date, but I haven't seen any
   announcement or information on the forums to indicate the situation
 has
   changed, and I'm pretty good at searching:
  
   https://community.ubnt.com/t5/UniFi-Wireless/DFS/m-p/700461#M54771
  
   From this thread it looks like the ability to configure DFS channels
 in
  the
   US was a UI bug and only showing for ZH anyway.  IIRC they actually
 got
  in
   a bit of trouble with the FCC over not restricting the use of these
   channels enough.
  
   Regardless of whether or not the FCC has cleared UBNT indoor products
 for
   U-NII-2 and U-NII-2-extended (and I haven't seen evidence of that
 yet),
   until you can configure APs to use those channels in the controller
  without
   violating FCC regulations I don't consider them usable.
  
   The UAP-AC doesn't seem to support DFS channels at all even without
 FCC
   restrictions, which kind of kills the point of AC, only 4 x 40 MHz or
 2 x
   80 MHz channels doesn't cut it when we're talking about density.
  
   Note we're talking about indoor wireless and there ARE some UBNT
 products
   for outdoor WISP use that do support DFS and have been cleared by the
  FCC,
   but we would only be looking at the UAP-PRO or UAP-AC in this case so
  maybe
   that's the point of confusion here.
  
  
  
  
   On Fri, Jun 19, 2015 at 11:36 PM, Faisal Imtiaz 
  fai...@snappytelecom.net
   wrote:
  
FCC Cert claims different.
   
:)
   
Faisal Imtiaz
 Snappy Internet & Telecom
7266 SW 48 Street
Miami, FL 33155
Tel: 305 663 5518 x 232
   
Help-desk: (305)663-5518 Option 2 or Email:
 supp...@snappytelecom.net
   
--
   
*From: *Josh Luthman j...@imaginenetworksllc.com
*To: *Faisal Imtiaz fai...@snappytelecom.net
*Cc: *NANOG list nanog@nanog.org, Ray Soucy r...@maine.edu
*Sent: *Friday, June 19, 2015 9:16:37 PM
   
*Subject: *Re: Whats' a good product for a high-density Wireless
  network
setup?
   
Uhm he's not wrong...
   
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Jun 19, 2015 9:13 PM, Faisal Imtiaz fai...@snappytelecom.net
   wrote:
   
The thing you need to watch out for with Ubiquiti is that they
  don't
support DFS, so the entire U-NII-2 channel space is off limits for
 5
   GHz.
   
Huh 
   
Please verify your facts before making blanket statements which are
  not
accurate ...
   
   
   
Faisal Imtiaz
 Snappy Internet & Telecom
   
   
- Original Message -
 From: Ray Soucy r...@maine.edu
 To: Sina Owolabi notify.s...@gmail.com
 Cc: nanog@nanog.org list nanog@nanog.org
 Sent: Friday, June 19, 2015 7:07:01 PM
 Subject: Re: Whats' a good product for a high-density Wireless
  network
setup?

 I know you don't want to hear this answer because of cost but
 I've
  had
good
 luck with Cisco for very high density (about 1,000 clients in a
  packed
 auditorium actively using the network as they follow along with
 the
 presenter).

 The thing you need to watch out for with Ubiquiti is that they
 don't
 support DFS, so the entire U-NII-2 channel space is off limits
 for 5
GHz.
 That's pretty significant because you're limited to 9 x 20 MHz
   channels
or
 4 x 40 MHz

SIP trunking providers

2015-06-19 Thread Rafael Possamai
Would anyone in the list be able to recommend a SIP trunk provider in the
Chicago area? Not a VoIP expert, so just looking for someone with previous
experience.


Thanks,
Rafael


Re: Is it safe to use 240.0.0.0/4

2015-06-17 Thread Rafael Possamai
Using CGNAT doesn't sound right either, although I haven't read the whole
thing, but it seems reasonable to use that block for CGNAT only.

https://tools.ietf.org/html/rfc1918


On Wed, Jun 17, 2015 at 4:13 PM, Tony Wicks t...@wicks.co.nz wrote:

 Use 100.64.0.0/10, this is the CGNAT reserved range.I would most
 definitely not recommend 240.0.0.0



 -Original Message-
 From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Luan Nguyen
 Sent: Thursday, 18 June 2015 9:07 a.m.
 To: nanog@nanog.org
 Subject: Is it safe to use 240.0.0.0/4

 Is that safe to use internally? Anyone using it?
 Just for NATTING on Cisco gears...
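
The range question above (240.0.0.0/4 versus 100.64.0.0/10 versus RFC 1918 for an internal NAT pool) is easy to get wrong by eyeballing a CIDR, so here is an added example, not code from any poster in this thread, that classifies a proposed pool against the ranges the RFCs actually define and returns a verdict. The range table and RFC references are the ones named in the comments; the verdict text and the `audit_nat_pool` name are my own.

```python
import ipaddress

# Special-purpose IPv4 ranges relevant to choosing a NAT/CGNAT pool.
SPECIAL_RANGES = {
    # RFC 1918 private space. Fine behind one NAT, but a carrier-side pool in
    # RFC 1918 space can collide with RFC 1918 space customers already use
    # behind their own CPE (the collision RFC 6598 was created to avoid).
    "rfc1918-private": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    # RFC 6598 shared address space, allocated specifically for CGNAT.
    "rfc6598-cgnat-shared": [ipaddress.ip_network("100.64.0.0/10")],
    # RFC 1112 "reserved for future addressing modes" (the former class E).
    "rfc1112-reserved": [ipaddress.ip_network("240.0.0.0/4")],
}


def classify_network(cidr: str) -> str:
    """Return the special-range label a prefix lies inside, 'straddles:<label>'
    when it only partly overlaps one, or 'global' when it is in none."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only; the question is about IPv4 NAT pools")
    for label, ranges in SPECIAL_RANGES.items():
        for rng in ranges:
            if net.subnet_of(rng):
                return label
            if net.overlaps(rng):
                return "straddles:" + label
    return "global"


def audit_nat_pool(cidr: str) -> tuple:
    """(ok, reason) verdict for using `cidr` as an inside / CGNAT pool."""
    label = classify_network(cidr)
    if label == "rfc6598-cgnat-shared":
        return True, "inside RFC 6598 shared address space, the range set aside for CGNAT"
    if label == "rfc1918-private":
        return True, "RFC 1918 space; may collide with customers' own RFC 1918 LANs"
    if label == "rfc1112-reserved":
        return False, "240.0.0.0/4 is reserved (RFC 1112); host stacks are not required to accept it"
    if label.startswith("straddles:"):
        return False, "pool crosses a special-range boundary: " + label
    return False, "globally routable space; using it internally squats someone else's addresses"


if __name__ == "__main__":
    for pool in ("240.0.0.0/16", "100.64.0.0/10", "10.200.0.0/16", "8.8.8.0/24"):
        print(pool, audit_nat_pool(pool))
```

The `straddles` case matters when someone carves a pool like `10.0.0.0/7`: it neither sits cleanly inside RFC 1918 space nor outside it, and a summary route for it would leak onto whatever is adjacent.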




Re: Anycast provider for SMTP?

2015-06-17 Thread Rafael Possamai
https://www.google.com/intl/en/ipv6/statistics.html



On Mon, Jun 15, 2015 at 8:26 PM, Matt Palmer mpal...@hezmatt.org wrote:

 On Mon, Jun 15, 2015 at 05:07:22PM -0700, Dave Taht wrote:
  On Mon, Jun 15, 2015 at 5:00 PM, Randy Bush ra...@psg.com wrote:
   What about IPv6? We have a plan! We plan to be dead before customers
   demand IPv6.
   I am pretty sure the authors are still alive(?).
  
   and customer demand for ipv6 still holds strong, right?
 
  Does seem to be on the uptick!

 It's certainly stronger than it has *ever* been before.

 - Matt

 --
 I am cow, hear me moo, I weigh twice as much as you. I'm a cow, eating
 grass, methane gas comes out my ass. I'm a cow, you are too; join us all!
 Type apt-get moo.




Re: Anycast provider for SMTP?

2015-06-16 Thread Rafael Possamai
Any luck on a DNS based solution?

On Mon, Jun 15, 2015 at 12:50 PM, Joe Hamelin j...@nethead.com wrote:

 I have a mail system where there are two MX hosts, one in the US and one in
 Europe.  Both have a DNS MX record metric of 10 so a bastardized
 round-robin takes place.  This does not work so well when one site goes
 down.   My solution will be to place a load balancer in a hosting site
 (virtual, of course) and have it provide HA.  But what about HA for the
 LB?  At first glance anycasting would seem to be a great idea but there is
 a problem of broken sessions when routes change.

 Have any of you seen something like this work in the wild?


 --
 Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474



Re: Anycast provider for SMTP?

2015-06-15 Thread Rafael Possamai
I could be mistaken, but you might get all of this done with AWS's Route53.
I would read this:
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-geo

The other step would be to setup HA in each SMTP node (US and France) such
as LB or Failover. Just an idea.



On Mon, Jun 15, 2015 at 12:50 PM, Joe Hamelin j...@nethead.com wrote:

 I have a mail system where there are two MX hosts, one in the US and one in
 Europe.  Both have a DNS MX record metric of 10 so a bastardized
 round-robin takes place.  This does not work so well when one site goes
 down.   My solution will be to place a load balancer in a hosting site
 (virtual, of course) and have it provide HA.  But what about HA for the
 LB?  At first glance anycasting would seem to be a great idea but there is
 a problem of broken sessions when routes change.

 Have any of you seen something like this work in the wild?


 --
 Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
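
To make concrete what Joe's equal-preference MX setup actually does on the sending side, here is an added example (not code from any poster, and not tied to Route53) that implements the MX selection order a conforming SMTP client uses: ascending preference, with hosts at the same preference tried in random order, falling through to the next host when one is unreachable. The host names and the `reachable` callback standing in for the connection attempt are constructed for illustration.

```python
import random

# Constructed MX record sets. Host names are placeholders, not Joe's real hosts.
EQUAL_PREF = [(10, "mx-us.example.net"), (10, "mx-eu.example.net")]
PRIMARY_BACKUP = [(10, "mx-us.example.net"), (20, "mx-eu.example.net")]


def order_mx(records, rng=None):
    """Delivery order per RFC 5321 section 5.1: ascending preference value,
    and hosts that share a preference value in random order (load spreading)."""
    rng = rng or random.Random()
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def deliver(records, reachable, seed=None):
    """Try each MX in RFC order until one accepts; return that host, or None
    when every host failed. `reachable(host)` stands in for the SMTP connect."""
    for host in order_mx(records, random.Random(seed)):
        if reachable(host):
            return host
    return None


def first_attempt_share(records, host, trials=10000, seed=0):
    """Fraction of deliveries whose *first* connection attempt goes to `host`.
    With equal preferences this is roughly 1/N; with a backup preference it is 0."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials) if order_mx(records, rng)[0] == host)
    return hits / trials


if __name__ == "__main__":
    eu_down = lambda h: h != "mx-eu.example.net"
    print("equal pref, EU down ->", deliver(EQUAL_PREF, eu_down))
    print("share of first attempts hitting EU:",
          first_attempt_share(EQUAL_PREF, "mx-eu.example.net"))
```

The point it shows: with both hosts at preference 10, about half of all senders try the down site first and only then fall over to the other, which costs a connect timeout per message rather than lost mail, because a conforming sender walks the whole list. Mail only stops when every MX host is unreachable or when the sender's own retry logic gives up.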



Re: Anycast provider for SMTP?

2015-06-15 Thread Rafael Possamai
You're welcome. I hope that helps.

On another note, if your internet pipe in Europe isn't as stable as your
pipe in the US, then you could also try and have your infrastructure
provider blend your uplink with two or more carrier-grade paths. You
wouldn't have to worry about signing up for and maintaining an AS, but you
could improve your uptime significantly.


On Mon, Jun 15, 2015 at 2:52 PM, Joe Hamelin j...@nethead.com wrote:

 On Mon, Jun 15, 2015 at 12:45 PM, Rafael Possamai raf...@gav.ufsc.br
  wrote:


 The other step would be to setup HA in each SMTP node (US and France)
 such as LB or Failover. Just an idea.

 I'll look at the AWS doc, thanks.

 The mailserver is seldom the problem (it's an AS/400) but the ISP pipe
 experiences prolonged outages.



 --
 Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474





Re: AS4788 Telecom Malaysia major route leak?

2015-06-14 Thread Rafael Possamai
Does anyone know if there's an official ruling as to who gets to pay for
the SLA breaches?

On Sun, Jun 14, 2015 at 5:56 PM, Mel Beckman m...@beckman.org wrote:

 Raymond,

 But you said A simple 'sorry' would have done. Now you're asking for
 lots more detail. Why the change?

  -mel beckman

  On Jun 14, 2015, at 2:32 PM, Raymond Dijkxhoorn raym...@prolocation.net
 wrote:
 
  Hello Mel,
 
  Must just be me then.
 
  I was most likely expecting a more in depth report. Strange things
 happened. Perhaps they could post a 'what exactly happened' since this
 wasnt a average route leak.
 
  Thanks,
  Raymond Dijkxhoorn
 
  On 14 Jun 2015 at 23:27, Mel Beckman m...@beckman.org wrote:
 
  Raymond,
 
  They provided a simple sorry:
 
We apologise for any inconvenience caused by the service disruption.
 
  It doesn't get much more simple than that.
 
  -mel beckman
 
  On Jun 14, 2015, at 2:21 PM, Raymond Dijkxhoorn 
 raym...@prolocation.net wrote:
 
  Hai!
 
  Mark, mistakes and oopses happen. No problem at all. I understand that
  completely. There is human failure and this happens.
 
  A simple 'sorry' would have done. Yet their whole message tells 'they
 did ok' In my very limited view they did NOT ok. Did i misread?
 
  I am also very much looking how level3 is going to prevent things like
 this. But out of own experience they will not. We have seen before that
 they implemented filtering based on customer lists. But not a per customer
 filter. They did this globally. So any l3 customer can announce routes of
 another l3 customer. While this can be changed this outage tells there is
 certainly room for improvements.
 
  I hope people will learn from what happened and implement proper
  filtering. That's even more important than a message from an operator that
  didn't even understand fully what they caused to the internet globally.
 
  Thanks,
  Raymond Dijkxhoorn
 
  On 14 Jun 2015 at 23:04, Mark Tinka mark.ti...@seacom.mu wrote:
 
 
 
  On 14/Jun/15 22:55, Raymond Dijkxhoorn wrote:
  Hai!
 
   Wow! This is what they came up with?!
 
   Hopefully Level3 will take appropriate measures. It's amazing. Really.
 
  'Some internationally routes'
 
  Have they any idea what they did at all?
 
   It's amazing that with parties like that the internet still works as
 is tm ...
 
  I wouldn't be as hard. Stuff happens - and as they said, during a
  maintenance activity, they boo-boo'ed.
 
  Are Level(3) going to own up and say they should have had filters in
  place? I certainly hope they do.
 
  But more importantly, are Level(3) going to implement the filters
  against TM's circuit? Are they going to run around the network looking
  for any additional customer circuits that need plugging? That's my
  concern...
 
  Mark.



Re: AS4788 Telecom Malaysia major route leak?

2015-06-14 Thread Rafael Possamai
Well, I was wondering the same. I am guessing it depends on the SLA
contract since they are all very unique and specific. I assume they would
have to, granted the issue lasted for a couple hours. Now, it depends on
how they define the outage. A fiber cut that yields a customer's service
unusable would be an easy SLA breach. Their legal team most likely removed
any liability due to someone else's negligence, although you could argue
they were negligent as well. So in this case they can claim the whole best
effort thing and get away with it. I am not a L3 customer, so was just
wondering out of curiosity.

On Sun, Jun 14, 2015 at 8:07 PM, Aftab Siddiqui aftab.siddi...@gmail.com
wrote:

 Hi Rafael,

 I get that much, just wondering if Level3 would have to pay an SLA breach
 to its customers given the mess started with TM (even though it could have
 been avoided). And I am guessing if they do, they wouldn't be able to
 recover anything from TM.


 I doubt if L3 has to pay anything to its customers in terms of SLA breach,
 its best effort. Are you aware of any such agreement which suggest
 otherwise? that would be interesting.



Re: AS4788 Telecom Malaysia major route leak?

2015-06-14 Thread Rafael Possamai
I get that much, just wondering if Level3 would have to pay an SLA breach
to its customers given the mess started with TM (even though it could have
been avoided). And I am guessing if they do, they wouldn't be able to
recover anything from TM.

On Sun, Jun 14, 2015 at 7:07 PM, Mel Beckman m...@beckman.org wrote:

  SLAs are part of a contract, and thus only apply to the parties of the
 contract. There are no payments due to other parties. The Internet is a
 best effort network, with zero guarantees.

  -mel beckman

 On Jun 14, 2015, at 4:06 PM, Rafael Possamai raf...@gav.ufsc.br wrote:

   Does anyone know if there's an official ruling as to who gets to pay
 for the SLA breaches?

 On Sun, Jun 14, 2015 at 5:56 PM, Mel Beckman m...@beckman.org wrote:

 Raymond,

 But you said A simple 'sorry' would have done. Now you're asking for
 lots more detail. Why the change?

  -mel beckman

  On Jun 14, 2015, at 2:32 PM, Raymond Dijkxhoorn 
 raym...@prolocation.net wrote:
 
  Hello Mel,
 
  Must just be me then.
 
  I was most likely expecting a more in depth report. Strange things
 happened. Perhaps they could post a 'what exactly happened' since this
 wasnt a average route leak.
 
  Thanks,
  Raymond Dijkxhoorn
 
  On 14 Jun 2015 at 23:27, Mel Beckman m...@beckman.org wrote:
 
  Raymond,
 
  They provided a simple sorry:
 
We apologise for any inconvenience caused by the service
 disruption.
 
  It doesn't get much more simple than that.
 
  -mel beckman
 
  On Jun 14, 2015, at 2:21 PM, Raymond Dijkxhoorn 
 raym...@prolocation.net wrote:
 
  Hai!
 
  Mark, mistakes and oopses happen. No problem at all. I understand
  that completely. There is human failure and this happens.
 
  A simple 'sorry' would have done. Yet their whole message tells 'they
 did ok' In my very limited view they did NOT ok. Did i misread?
 
  I am also very much looking how level3 is going to prevent things
 like this. But out of own experience they will not. We have seen before
 that they implemented filtering based on customer lists. But not a per
 customer filter. They did this globally. So any l3 customer can announce
 routes of another l3 customer. While this can be changed this outage tells
 there is certainly room for improvements.
 
  I hope people will learn from what happened and implement proper
  filtering. That's even more important than a message from an operator that
  didn't even understand fully what they caused to the internet globally.
 
  Thanks,
  Raymond Dijkxhoorn
 
  On 14 Jun 2015 at 23:04, Mark Tinka mark.ti...@seacom.mu wrote:
 
 
 
  On 14/Jun/15 22:55, Raymond Dijkxhoorn wrote:
  Hai!
 
   Wow! This is what they came up with?!
 
   Hopefully Level3 will take appropriate measures. It's amazing.
 Really.
 
  'Some internationally routes'
 
  Have they any idea what they did at all?
 
   It's amazing that with parties like that the internet still works as
 is tm ...
 
  I wouldn't be as hard. Stuff happens - and as they said, during a
  maintenance activity, they boo-boo'ed.
 
  Are Level(3) going to own up and say they should have had filters in
  place? I certainly hope they do.
 
  But more importantly, are Level(3) going to implement the filters
  against TM's circuit? Are they going to run around the network
 looking
  for any additional customer circuits that need plugging? That's my
  concern...
 
  Mark.





Re: Open letter to Level3 concerning the global routing issues on June 12th

2015-06-13 Thread Rafael Possamai
A lot of these things are for show only.. Like a big corporation donating
to non-profits and sponsoring feel good events. You can see that a lot of
these same businesses also lobby Washington like crazy, so there you go...
This was either an isolated incident or they really don't care much.

On Sat, Jun 13, 2015 at 1:54 PM, Hank Nussbacher h...@efes.iucc.ac.il
wrote:

 At 17:32 12/06/2015 +0200, Martin Millnert wrote:

 Interesting that Level3 is a member of http://www.routingmanifesto.org/

 or see


 http://www.internetsociety.org/news/network-operators-around-world-demonstrate-their-commitment-secure-and-resilient-internet

 to quote Level3
 As one of the most connected Internet providers in the world, security of
 the Internet is top-of-mind at Level 3 Communications. We are dedicated to
 supporting and protecting the Internet ecosystem and work each day to
 safeguard customers' critical communications. The Internet is a shared
 responsibility, and only through these important collaborative efforts can
 we continue to ensure the protection of this collective infrastructure.

 -Hank


  Dear Level3,

 The Internet is a cooperative effort, and it works well only when its
 participants take constructive actions to address errors and remedy
 problems.
 Your position as a major Internet Carrier bestows upon you a certain
 degree of responsibility for the correct operation of the Internet all
 across (and beyond) the planet. You have many customers. Customers will
 always occasionally make mistakes. You as a major Internet Carrier have
 a responsibility to limit, not amplify, your customers' mistakes.
 Other major carriers implement technical measures that severely limit
 the damage from customer mistakes and keep them from having global impact.
 Other major carriers also implement operational procedures in addition
 to technical measures.
 In combination, these measures drastically reduce the outage-hours as a
 result of customer configuration errors.

 At 08:44 UTC on Friday 12th of June, one of your transit customers,
 Telekom Malaysia (AS4788) began announcing the full Internet table back
 to you, which you accepted and propagated to your peers and customers,
 causing global outages for close to 3 hours.
 [ https://twitter.com/DynResearch/status/609340592036970496 ]
 During this 3 hour window, it appears (from your own service outage
 reports) that you did nothing to stop the global Internet outage, but
 that Telekom Malaysia themselves eventually resolved it. This lack of
 action on your end, and your disregard for the correct operation of the
 global Internet is astonishing. These mistakes do not need to happen.
 AS4788 under normal circumstances announces ~1900 IPv4 prefixes to the
 Internet. You accepted multiple hundred thousand prefixes from them - a
 max prefix setting would have severely limited the damage. We expect
 that these are your practices as well, but they failed. When they do, it
 should not take ~3 hours to shut down the session(s).

 Many operators, in despair, turned down their peering sessions with you
 once it was clear you were causing the outages and no immediate fix was
 in sight. This improved the situation for some - but not all did. Had
 you deployed proper IRR-filtering to filter the bad announcements the
 impact would've been far less critical.

 As a direct consequence of your ~3 hours of inaction, as a local
 example, Swedish payment terminals were experiencing problems all over
 the country. The Swedish economy was directly affected by your inaction.
 There were queues when I was buying lunch! Imagine the food rage. The
 situation was probably similar at other places around the globe where
 people were awake.

 Operators around the planet are curious:
   - Did Level3 not detect or understand that it was causing global
 Internet outages for ~3 hours?
   - If Level3 did in fact detect or understand it was causing global
 Internet outages, why did it not properly and immediately remedy the
 situation?
   - What is Level3 going to do to address these questions and begin work
 on restoring its credibility as a carrier?

 We all understand that mistakes do happen (in applying customer
 interface templates, etc.). However the Internet is all too pervasive in
 everyday life today for anything but swift action by carriers to remedy
 breakage after the fact. It is absolutely not sufficient to let a
 customer spend 3 hours to detect and fix a situation like this one. It
 is unacceptable that no swift action was taken on your end to limit the
 global routing issues you caused.

 Sincerely,
 Martin Millnert
 Member of Internet Community - no carrier / ISP affiliation.





Hardware monitoring

2015-06-13 Thread Rafael Possamai
Hi everyone,

I know this is slightly off-topic, but since it's still related to the
list, I thought I'd give it a try. I am wondering what systems are out
there (open source, preferably) for data collection and processing of
hardware health data (temperature, CPU clock, fan speeds, etc). Ideally
brand agnostic and location agnostic as well.

I know of Cacti, but it would require SNMP enabled devices AFAIK, so
room/generator/misc monitors wouldn't necessarily be included.


Thanks in advance.

Rafael


Re: Open letter to Level3 concerning the global routing issues on June 12th

2015-06-13 Thread Rafael Possamai
Something about Malaysia, first the airplanes... now BGP leaks?

On Fri, Jun 12, 2015 at 10:32 AM, Martin Millnert milln...@gmail.com
wrote:

 Dear Level3,

 The Internet is a cooperative effort, and it works well only when its
 participants take constructive actions to address errors and remedy
 problems.
 Your position as a major Internet Carrier bestows upon you a certain
 degree of responsibility for the correct operation of the Internet all
 across (and beyond) the planet. You have many customers. Customers will
 always occasionally make mistakes. You as a major Internet Carrier have
 a responsibility to limit, not amplify, your customers' mistakes.
 Other major carriers implement technical measures that severely limit
 the damages from customer mistakes from having global impact.
 Other major carriers also implement operational procedures in addition
 to technical measures.
 In combination, these measures drastically reduce the outage-hours as a
 result of customer configuration errors.

 At 08:44 UTC on Friday 12th of June, one of your transit customers,
 Telekom Malaysia (AS4788) began announcing the full Internet table back
 to you, which you accepted and propagated to your peers and customers,
 causing global outages for close to 3 hours.
 [ https://twitter.com/DynResearch/status/609340592036970496 ]
 During this 3 hour window, it appears (from your own service outage
 reports) that you did nothing to stop the global Internet outage, but
 that Telekom Malaysia themselves eventually resolved it. This lack of
 action on your end, and your disregard for the correct operation of the
 global Internet is astonishing. These mistakes do not need to happen.
 AS4788 under normal circumstances announces ~1900 IPv4 prefixes to the
 Internet. You accepted multiple hundred thousand prefixes from them - a
 max prefix setting would have severely limited the damage. We expect
 that these are your practices as well, but they failed. When they do, it
 should not take ~3 hours to shut down the session(s).

 Many operators, in despair, turned down their peering sessions with you
 once it was clear you were causing the outages and no immediate fix was
 in sight. This improved the situation for some - but not all did. Had
 you deployed proper IRR-filtering to filter the bad announcements the
 impact would've been far less critical.

 As a direct consequence of your ~3 hours of inaction, as a local
 example, Swedish payment terminals were experiencing problems all over
 the country. The Swedish economy was directly affected by your inaction.
 There were queues when I was buying lunch! Imagine the food rage. The
 situation was probably similar at other places around the globe where
 people were awake.

 Operators around the planet are curious:
   - Did Level3 not detect or understand that it was causing global
 Internet outages for ~3 hours?
   - If Level3 did in fact detect or understand it was causing global
 Internet outages, why did it not properly and immediately remedy the
 situation?
   - What is Level3 going to do to address these questions and begin work
 on restoring its credibility as a carrier?

 We all understand that mistakes do happen (in applying customer
 interface templates, etc.). However the Internet is all too pervasive in
 everyday life today for anything but swift action by carriers to remedy
 breakage after the fact. It is absolutely not sufficient to let a
 customer spend 3 hours to detect and fix a situation like this one. It
 is unacceptable that no swift action was taken on your end to limit the
 global routing issues you caused.

 Sincerely,
 Martin Millnert
 Member of Internet Community - no carrier / ISP affiliation.
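
A worked example, added here and not part of Martin's letter or of any
operator's real configuration, of the two customer-session guards the letter
names: a prefix-list derived from the customer's registered (IRR) routes,
which admits only those routes and nothing more specific than the registered
maximum length, and a max-prefix limit that tears the session down once it is
exceeded. Everything in it is a constructed assumption: the private-use AS
64500, the two documentation prefixes standing in for the customer's
registered routes, the limit of 10, and the "full table" leak, which is just
500 /24s carved out of 100.64.0.0/10. The two runs at the bottom contrast a
session with both guards against one with the max-prefix limit alone.

```python
"""Simulation of an IRR prefix-list plus max-prefix limit on a customer eBGP
session. Added illustration, not code from the thread; all prefixes, AS
numbers and limits below are made up for the example."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CustomerSession:
    """One eBGP customer session with the two guards the open letter asks for."""
    peer_as: int
    allowed: list            # [(prefix, max_length)] as an IRR-built prefix-list carries
    max_prefix: int          # hard limit; exceeding it tears the session down
    warn_pct: int = 90       # flag a warning once this percentage of the limit is reached
    accepted: set = field(default_factory=set)
    rejected: list = field(default_factory=list)
    shutdown: bool = False

    def permitted(self, prefix: str) -> bool:
        """Prefix-list match: inside a registered route and no more specific than its max length."""
        net = ipaddress.ip_network(prefix, strict=False)
        for base, max_len in self.allowed:
            base_net = ipaddress.ip_network(base, strict=False)
            if (net.version == base_net.version
                    and net.subnet_of(base_net)
                    and net.prefixlen <= max_len):
                return True
        return False

    def receive(self, prefix: str) -> str:
        """Process one announcement from the customer and report its fate."""
        if self.shutdown:
            return "dropped-session-down"
        if not self.permitted(prefix):
            self.rejected.append(prefix)          # never enters the RIB, never propagates
            return "rejected-by-filter"
        self.accepted.add(prefix)
        if len(self.accepted) > self.max_prefix:
            self.shutdown = True                  # max-prefix exceeded: session goes down
            return "session-shutdown"
        if len(self.accepted) * 100 >= self.max_prefix * self.warn_pct:
            return "accepted-warning"             # approaching the limit: operator alert
        return "accepted"


def leaked_table(count: int) -> list:
    """Constructed stand-in for 'the full Internet table': /24s from 100.64.0.0/10."""
    subnets = ipaddress.ip_network("100.64.0.0/10").subnets(new_prefix=24)
    return [str(next(subnets)) for _ in range(count)]


# Hypothetical IRR route objects for the customer: two /24s, nothing longer than /26.
CUSTOMER_ROUTES = [("203.0.113.0/24", 26), ("198.51.100.0/24", 26)]


def run(session: CustomerSession, announcements: list) -> dict:
    """Feed every announcement to the session and tally the outcomes."""
    outcomes = {}
    for prefix in announcements:
        result = session.receive(prefix)
        outcomes[result] = outcomes.get(result, 0) + 1
    outcomes["accepted_total"] = len(session.accepted)
    outcomes["session_up"] = not session.shutdown
    return outcomes


if __name__ == "__main__":
    # The customer's own two routes followed by a leak of 500 foreign /24s.
    leak = ["203.0.113.0/24", "198.51.100.0/25"] + leaked_table(500)

    guarded = CustomerSession(peer_as=64500, allowed=CUSTOMER_ROUTES, max_prefix=10)
    print("IRR filter + max-prefix:", run(guarded, leak))

    # Accept-anything prefix-list: only the max-prefix limit is left to catch the leak.
    limit_only = CustomerSession(peer_as=64500, allowed=[("0.0.0.0/0", 32)], max_prefix=10)
    print("max-prefix only:        ", run(limit_only, leak))
```

With both guards the session stays up and all 500 leaked prefixes are
discarded at the filter; with the limit alone the session still accepts
prefixes up to the threshold and then drops, taking the customer's legitimate
routes with it. That difference is why the letter asks for IRR filtering in
addition to, not instead of, a max-prefix setting.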



Re: eBay is looking for network heavies...

2015-06-11 Thread Rafael Possamai
+1 for experience.. being able to teach yourself just about anything drops
you into the top 20% of any industry (with maybe a few exceptions). One
thing I noticed is that the best professionals I met out there are just as
good with people as they are with routers and console screens. IT is
usually just a cost center (unless you work for a tech company), so if you
learn how to navigate office politics and push change, then you will have a
spot with the packet wrangling Gods.

On Thu, Jun 11, 2015 at 9:27 AM, Steve Mikulasik steve.mikula...@civeo.com
wrote:

 25 year old neteng reporting in. I got into networking when I wanted to
 play Quake against my brother and trying to share a single dial-up
 connection between all the computers in the house.

 While I still have a long way to go (employed full time in IT for just over
 6 years), I think I am ahead of most IT pros in my age group. At the end of
 the day us young kids learned the same way most of you did, bit of
 education, and the vast majority from experience.

 I am at the point now where my self-education skills are effective enough
 that I can learn whatever I don't know and solve most any problem I come
 across. From what others have said, I think this is the key to success in
 this field, although I think this is a skill you develop early in life or
 you never get it. I am now trying to learn the things I didn't know I
 needed to know to solve problems I didn't know existed.

 I do agree there isn't a big interest from youth in this field. A lot of
 people get introduced to networking through education and never develop a
 passion for it. When they graduate they choose IT areas more interesting to
 themselves. Most schools are teaching recycled CCNA curriculum and/or
 thinking from the early 90s. Can't blame anyone who hasn't developed a
 passion for networking outside of education for not entering the field.
 Memorizing what an Ethernet frame looks like doesn't build an appreciation
 for networking, unless you can see the bigger picture.

 Steve Mikulasik

 -Original Message-
 From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ray Soucy
 Sent: Thursday, June 11, 2015 7:37 AM
 To: William Waites
 Cc: NANOG
 Subject: Re: eBay is looking for network heavies...

 I really wonder how people get into this field today.  It has gotten
 incredibly complex and I've been learning since before I was a teenager
 (back when it was much more simple).

 I'm 31 now, but I started getting into computers and specifically
 networking at a very young age (elementary school).  We had a pair of
 teachers that were enthusiasts and built up a computer lab with everything
 on token ring running Novell.  I thought the fact that I could change to a
 different PC by drive letter in DOS was the most amazing thing I had ever
 seen in the 3rd grade.  From there I was really hooked, got really into
 BBSing, and when the first dial-up ISPs started popping up I made it a
 point to get a job with them.

 My school district didn't offer a technical program for Internetworking
 but they had a technical school that competed in the SkillsUSA competitions
 and approached me about competing in the Internetworking event, without any
 education or mentor I won the gold medal at the State level both years I
 competed and went on to the nationals (where that lack of guidance and
 access to equipment to train on meant I got my slice of humble pie).  I
 held my own, but the guys who won at the national level were just so much
 more prepared.  Despite the stigma of SkillsUSA being trades focused, the
 Internetworking competition was a really great experience that mixed
 physical networking and basically a CCNA level of theory (they actually
 used an old copy of the CCNA as the exam).

 During this same time I got a paid internship for the local hospital and
 rebuilt their entire network after seeing the nightmare it was (they had
 the AS400 with all their healthcare data sitting on a public IP address
 with no firewall and default QSECOFR credentials sitting there for the
 taking with 5020 over IP enabled).  It was pretty crazy for a high school
 student to be doing a full redesign of a network for a healthcare provider,
 even building frame-relay links between facilities and convincing the local
 cable company to provide dark fiber between a few.

 When I went to university I made it a point to get student employment with
 the NOC they ran to provide all of the public schools and libraries in the
 state with their Internet access, and that evolved into a full time job for
 them within a few years.

 Looking back, it's been like a perfect storm of opportunity that I just
 don't think exists today.  I'm really happy I was born when I was and able
 to have a front row seat to see the explosion of the Internet.  I don't
 know if I'm just getting old but I feel like technology has gotten so
 easy for young people that most of them have no idea how it works, and no
 desire to know.


Re: Should I Reboot, and Why? (was Re: [RDD] No Play out on Cart Wall)

2015-06-04 Thread Rafael Possamai
I also reboot for kernel updates!

On Thu, Jun 4, 2015 at 11:57 AM, Jay Ashworth j...@baylink.com wrote:

 - Original Message -
  From: Cowboy c...@cwf1.com

  On Sunday 31 May 2015 03:49:10 pm Graham Wilman wrote:

   after getting the play out working on clienta terminal for the past
   6 days
   the decision was taken today to get clientb terminal working which
   it now partially is
   unfortunately once all 3 terminals the server.clienta and clientb
   were rebooted I could
   not get play out to work on clienta again
 
  Re-booted why ?
  I've often said that rebooting a *nix machine is usually a bad idea.

 And, again, a good time to recap some of Good Sysadmin Practice:

 In the Windows world, it's often recommended that you reboot a machine that
 is acting -- as we say in support -- hincky.  That's because Windows is
 sufficiently complicated and fragile that things can get corrupt at
 runtime, and the simple fact you rebooted it can fix a problem.

 That's traditionally not been true in the *nix world; particularly on
 purpose-built single function servers, there simply isn't enough code
 running at once to allow for the sort of complicated, multiplicative
 complexity failures that you see in many Windows machines.

 But does that mean you should never reboot a Linux box, just because
 you usually don't *have* to, to fix your problem?

 No, it doesn't, and here's why:

 Some of the things you might change in your configuration can affect
 how things start *when* you boot up, and if you've adjusted one of them,
 the time to boot it and find out *is right now, when you've just made the
 change and it's fresh in your mind*, not 6 months from now at 3 in the
 morning, when you don't remember what you did.

 Well, I suppose you could look in your logbook.  Or check your ticketing
 system.  :-)

 Cheers,
 -- jra
 --
 Jay R. Ashworth  Baylink
 j...@baylink.com
 Designer The Things I Think   RFC
 2100
 Ashworth  Associates   http://www.bcp38.info  2000 Land
 Rover DII
 St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647
 1274



Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-04 Thread Rafael Possamai
You could look into LXD for that type of deployment.

On Thu, Jun 4, 2015 at 12:55 PM, Pavel Odintsov pavel.odint...@gmail.com
wrote:

 Brilliant idea! But in Docker we could offer only sflow and sflow. Port
 mirror capture need support from the kernel side. Will try shortly!

 On Thursday, June 4, 2015, Roberto Bertó roberto.be...@gmail.com wrote:

  What about we build a Docker?
 
   2015-06-04 14:47 GMT-03:00 Alexander Maassen outsi...@scarynet.org:
 
   It's a security tool. So ppl using it want to publicly hide the fact
 they
   use it in case you screw up and it contains leaks ;)
  
    Oorspronkelijk bericht 
    Van: Pavel Odintsov pavel.odint...@gmail.com
    Datum:
    Aan: Jim Popovitch jim...@gmail.com
    Cc: nanog@nanog.org
   Onderwerp: Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS
   mitigation
  
    Looks like many folks want to hide company emails ;) I'm a good guy and
   will not
    spam or offer something ;)))
  
   But I'm impressed about amount of off list requests. Really huge
 interest
   in tool.
  
    On Thursday, June 4, 2015, Jim Popovitch jim...@gmail.com wrote:
  
There's a surprising amount of GMail (yes, including me) and new-ness
in this thread.Should I be impressed with the freshness or
concerned about astroturfing?   :-)
   
Bah Humbug!
   
-Jim P.
   
  
  
   --
   Sincerely yours, Pavel Odintsov
  
 


 --
 Sincerely yours, Pavel Odintsov



Re: AWS Elastic IP architecture

2015-06-03 Thread Rafael Possamai
we are starting to waste packets arguing over some private intellectual
property

On Wed, Jun 3, 2015 at 3:24 PM, Christopher Morrow morrowc.li...@gmail.com
wrote:

 On Wed, Jun 3, 2015 at 7:56 AM, Owen DeLong o...@delong.com wrote:
  For example, let’s say you have 20 machines for whom you want to allow
 inbound SSH access. In the IPv4 world, with NAT, you have to configure an
 individual port mapping for each machine and you have to either configure
 all of the SSH clients, or, specify the particular port for the machine you
 want to get to on the command line.

 in the original case in question the fact that there's nat happeng
 isn't material... so all of this discussion of NAT is a red herring,
 right? the user of AWS services cares not that 'nat is happening',
 because they can simply RESTful up a VM instance and ssh into it in
 ~30 seconds, no config required.

 let's skip all NAT discussions on this topic from here on out, yes?



Re: stacking pdu

2015-05-29 Thread Rafael Possamai
You could run a PDU in parallel so that you don't use more current than
the wires are rated for (although the PDU should trip the circuit anyways
in case you overload it). Only problem is matching the receptacles. You
probably don't want to half-ass it, so I'd just add an extra PDU and run an
extra ethernet cable so you can monitor it.

On Fri, May 29, 2015 at 4:29 PM, William Herrin b...@herrin.us wrote:

 On Fri, May 29, 2015 at 4:32 PM, shawn wilson ag4ve...@gmail.com wrote:
  Is there a way to stack PDUs? like, with 30A 220, we need more plugs
  than power but I'd like them to communicate to make sure we don't over
  power the circuit. Do any APC or Triplite systems support this?

 Isn't it against the NEC and the fire code to stack power strips? We
 all do it, but isn't it against code?

 Regards,
 Bill Herrin

 --
 William Herrin  her...@dirtside.com  b...@herrin.us
 Owner, Dirtside Systems . Web: http://www.dirtside.com/



Re: gmail security is a joke

2015-05-27 Thread Rafael Possamai
Security is an illusion - Confucius probably

On Wed, May 27, 2015 at 8:42 AM, Joel Maslak jmas...@antelope.net wrote:

 I also suspect not every telco validates number porting requests against
 social engineering properly.

 A telephone number isn't something you have, it is something your provider
 has.

 On Wednesday, May 27, 2015, Saku Ytti s...@ytti.fi wrote:

  On (2015-05-27 14:19 +0200), Owen DeLong wrote:
 
  Hey,
 
    If someone has the ability to hijack your BGP, then you’ve got bigger
   problems than
    having them take over your Gmail account.
 
  This is second reply to this notion. I don't understand what is attempted
  to
  communicate. I'm sure no one on nanog thinks BGP hijacks are rare,
  difficult
  or yield to consequences when called out.
 
    That’s interesting… Why do you choose to give access to your
   personal SMS messages
    to so many of your coworkers?
 
  I don't, but they can provision my number to any SIM they want to.
 
  --
++ytti
 



Re: gmail security is a joke

2015-05-27 Thread Rafael Possamai
You can also register a U2F key.

On Wed, May 27, 2015 at 3:17 AM, valdis.kletni...@vt.edu wrote:

 On Wed, 27 May 2015 09:13:47 +0530, Anil Kumar said:
  that link, since I have two-step verification set up, I was presented
  with a demand for a number provided by the Google Authenticator
  app on my phone. I provided that number and only then was I allowed
  to reset the password.

 And you have to pre-register the phone number.

 Sounds about as secure as you're going to get when trying to scale to 10
 digits of users

 And as I said earlier - if your threat model involves needing more security
 than that, you have bigger problems.. :)



Re: Capacity/transit costs vs growth

2015-05-27 Thread Rafael Possamai
If I understand your question correctly, the answer is: it depends. You can
model the cost of delivering your service and keep track of three types of
cost: fixed, variable and marginal. Here is a really good video that
explains these:

https://youtu.be/bBQVaRnHqLs

You might find an industry average for certain economies of scale, but each
system is so unique in its cost structure that you have to model it from
scratch. Just keep in mind that every model works with TRASH IN = TRASH
OUT, so if you make the wrong assumptions, your answers won't be realistic.

On Wed, May 27, 2015 at 6:54 PM, Jean-Francois Mezei 
jfmezei_na...@vaxination.ca wrote:

 On 15-05-27 19:20, Faisal Imtiaz wrote:

  The above hypothesis why imply that the 20% linear increase is not fair,
 vs directly making the case that the base rate, set in some point in the
 past is not fair/appropriate anymore ?

 These rates cover aggregation between an end user's CO and a central CO
 where an ISP connects. For instance, a Toronto based ISP can serve all
 of Bell Canada's DSL footprint by connecting to the Adelaide Street CO
 in Toronto.  BUT, Bell charges $1016 per 100mbps to carry traffic
 between that point and the CO serving an end user. (for Cable, I am not
 100% sure if it include the fibre to the node, or just aggregation to
 the CMTS).

 there is a separate fixed fee for the last mile infrastructure.

 The point I am trying to make is that during the period where usage
 increases, the cost per gbps decreases, so it should not be a 1:1
 relationship over time.  Currently, the CRTC sets a 1:1 relationship over
 10 years.

 So having *rough* idea of decreases in per gbps of capacity over the
 years would help me make the point that the current rate structure is
 flawed.  (I don't need precise at this point, just rough ideas).


 Different slant to question:

 when you move from 1gbps to 10gbps to 40gbps links, what sort of
 price/gbps reduction do you get ? 20% ? 30% ?






Re: Peering and Network Cost

2015-05-21 Thread Rafael Possamai
James, curious to know... what size ISPs are they? In the last few years
with the larger ones it has always been about lowering cost and increasing
revenue, which throws the original idea of peering out the window (unless
you are willing to pay).

On Thu, May 21, 2015 at 4:52 AM, James Bensley jwbens...@gmail.com wrote:

 On 17 April 2015 at 16:53, Justin Wilson - MTIN li...@mtin.net wrote:
  Peering and peering on an exchange are two different things.  Peering at
 an exchange has several benefits other than the simple cost of transit.  If
 you are in a large data center which charges fees for cross connects a
 single cross connect to an exchange can save you money.
 
  Peering can also be a sales tool.  If you buy from a VOIP provider and
 are peered with them your latency and such will go down.  You also have
 more control over the QOS over that peer.  This can be spun into marketing.
 
  Not to toot our own horn but we put together a list of benefits for our
 IX customers:
  http://www.midwest-ix.com/blog/?p=15
 
 
  Also, a good article at:
 
 http://blog.webserver.com.my/index.php/the-benefits-of-hosting-at-internet-exchange-point/


 I also have a similar working document that I'd welcome feedback on to
 improve;


 https://docs.google.com/document/d/1i2bPZDt75hAwcR4iKMqaNSGIeM-nJSWLZ6SLTTnuXNs/edit?usp=sharing

 I've used it once to help an ISP evaluate peering and started them in
 the world of public peering. I'm now going through that process again
 with another ISP and again they will start public peering soon, having
 used this doc in both cases as an intro/FAQ for them.

 Cheers,
 James.



Re: Low Cost 10G Router

2015-05-20 Thread Rafael Possamai
Since you are considering multiple options, I'd build a decision matrix.
You can put down all the requirements, score each option, and then
normalize it to give each a final score. After that you can calculate some
other things such as throughput per dollar, etc.

http://asq.org/learn-about-quality/decision-making-tools/overview/decision-matrix.html

Regarding the Mikrotik, there's a difference between Multithreading and
Multiprocessing.


On Wed, May 20, 2015 at 11:44 AM, Colton Conor colton.co...@gmail.com
wrote:

 So are the rest of the processes in Mikrotik OS multi threaded? I would
 hope so to take advantage of 36 cores!

 What is up with all of these network vendors not supporting more than one
 core in their OS? I just don't get it.



 On Tue, May 19, 2015 at 9:49 PM, Josh Baird joshba...@gmail.com wrote:

  The BGP daemon on the CCR routers is not multi-threaded; it only will use
  one core.
 
  Josh
 
  On Tue, May 19, 2015 at 10:06 PM, Colton Conor colton.co...@gmail.com
  wrote:
 
   So this new $1295 Mikrotik CCR1036-8G-2S+EM  has a 36 core Tilera CPU
  with
  16GB of ram. Each core is running at 1.2Ghz? I assume that Mikrotik is
  multicore in software, so why does this box not outperform these intel
  boxes that everyone is recommending? Is it just a limitation of ports?
 
 
 
  On Tue, May 19, 2015 at 6:03 PM, Faisal Imtiaz 
 fai...@snappytelecom.net
  wrote:
 
  
  
  
I've seen serious, unusual performance bottlenecks in Mikrotik CCR,
 in
   some
cases not even achieving a gigabit speeds on 10G interfaces.
  Performance
drops more rapidly then Cisco with smaller packet sizes.
   
 -mel beckman
  
  
   Folks often forget that Mikrotik ROS can also run on x86 machines.
  
   Size your favorite hardware (server) or network appliance with
  appropriate
   ports, add MT ROS on a CF card, and you are good to go.
  
   We use i7 based network appliance with dual 10g cards (you can use a
  quad
   10g card, such as those made by hotlav).
  
   with a 2gig of ram, you can easily do multiple (4-5 or more full bgp
   peers), and i7 are good for approx 1.2mill pps.
  
  
   Best of luck.
  
  
   Faisal Imtiaz
   Snappy Internet  Telecom
  
 
 
 



Re: Low Cost 10G Router

2015-05-19 Thread Rafael Possamai
Here is what I found on Google about Cisco's options:
http://www.cisco.com/c/en/us/products/routers/asr-1000-series-aggregation-services-routers/models-comparison.html

And when it comes to Juniper, you might be able to get it done with MX40
(look at their options, there are different combinations of chassis and
cards), and you can always upgrade to a MX80 later.

Just not sure you can find anything low cost when you need to route 10gbps.

On Tue, May 19, 2015 at 12:22 PM, Colton Conor colton.co...@gmail.com
wrote:

 What options are available for a small, low cost router that has at least
 four 10G ports, and can handle full BGP routes? All that I know of are the
 Juniper MX80, and the Brocade CER line. What does Cisco and others have
 that compete with these two? Any other vendors besides Juniper, Brocade,
 and Cisco to look at?



Re: Low Cost 10G Router

2015-05-19 Thread Rafael Possamai
Oops, Cisco ASR 1k series might not cut it, you can take a look at their 9k
series:
http://www.cisco.com/c/en/us/products/routers/asr-9000-series-aggregation-services-routers/models-comparison.html

On Tue, May 19, 2015 at 12:22 PM, Colton Conor colton.co...@gmail.com
wrote:

 What options are available for a small, low cost router that has at least
 four 10G ports, and can handle full BGP routes? All that I know of are the
 Juniper MX80, and the Brocade CER line. What does Cisco and others have
 that compete with these two? Any other vendors besides Juniper, Brocade,
 and Cisco to look at?



Re: Route Optimization Products

2015-05-15 Thread Rafael Possamai
Internap also has a product called MIRO, although I am not sure how it
differs from FCP.

On Fri, May 15, 2015 at 10:19 AM, Mike Hammett na...@ics-il.net wrote:

 What is out there for route optimization products? I can think of Noction
 (no inbound) or Internap FCP (old).



 -
 Mike Hammett
 Intelligent Computing Solutions
 http://www.ics-il.com



 Midwest Internet Exchange
 http://www.midwest-ix.com




Re: Route Optimization Products

2015-05-15 Thread Rafael Possamai
I've been a customer before of a datacenter in Chicago that uses/used
Internap's optimized routes and latency was always better than in
comparison to other locations I tested against. That was around 2011 or
2012.

On Fri, May 15, 2015 at 10:19 AM, Mike Hammett na...@ics-il.net wrote:

 What is out there for route optimization products? I can think of Noction
 (no inbound) or Internap FCP (old).



 -
 Mike Hammett
 Intelligent Computing Solutions
 http://www.ics-il.com



 Midwest Internet Exchange
 http://www.midwest-ix.com




Re: Rasberry pi - high density

2015-05-12 Thread Rafael Possamai
Here's someone's comparison between the B and B+ in terms of power:

http://raspi.tv/2014/how-much-less-power-does-the-raspberry-pi-b-use-than-the-old-model-b

On Mon, May 11, 2015 at 10:25 PM, Joel Maslak jmas...@antelope.net wrote:

 Rather than guessing on power consumption, I measured it.

 I took a Pi (Model B - but I suspect B+ and the new version is relatively
 similar in power draw with the same peripherals), hooked it up to a lab
 power supply, and took a current measurement.  My pi has a Sandisk SD card
 and a Sandisk USB stick plugged into it, so, if anything, it will be a bit
 high in power draw.  I then fired off a tight code loop and a ping -f from
 another host towards it, to busy up the processor and the network/USB on
 the Pi.  I don't have a way of making the video do anything, so if you were
 using that, your draw would be up.  I also measured idle usage (sitting at
 a command prompt).

 Power draw was 2.3W under load, 2.0W at idle.

 If it was my project, I'd build a backplane board with USB-to-ethernet and
 ethernet switch chips, along with sockets for Pi compute modules (or
 something similar).  I'd want one power cable and one network cable per
 backplane board if my requirements allowed it.  Stick it all in a nice card
 cage and you're done.

 As for performance per watt, I'd be surprised if this beat a modern video
 processor for the right workload.


 On Mon, May 11, 2015 at 5:16 PM, Rafael Possamai raf...@gav.ufsc.br
 wrote:

  Maybe I messed up the math in my head, my line of thought was one pi is
  estimated to use 1.2 watts, whereas the nuc is at around 65 watts. 10
 pi's
  = 12 watts. My comparison was 65watts/12watts = 5.4 times more power than
  10 pi's put together. This is really a rough estimate because I got the
  NUC's power consumption from the AC/DC converter that comes with it,
 which
  has a maximum output of 65 watts. I could be wrong (up to 5 times) and
  still the pi would use less power.
 
  Now that I think about it, the best way to simplify this is to calculate
  benchmark points per watt, so rasp pi is at around 406/1.2 which equals
  338. The NUC, roughly estimated to be at 3857/65 which equals 60. Let's
 be
  very skeptical and say that at maximum consumption the pi is using 5
 watts,
  then 406/5 is around 81. At this point the rasp pi still scores better.
 
  Only problem we are comparing ARM to x86 which isn't necessarily fair (i
 am
  not an expert in computer architectures)
 
 
 
 
 
  On Mon, May 11, 2015 at 5:24 PM, Hugo Slabbert h...@slabnet.com wrote:
 
   Did I miss anything? Just a quick comparison.
  
  
   If those numbers are accurate, then it leans towards the NUC rather
 than
   the Pi, no?
  
   Perf:   1x i5 NUC = 10x Pi
   $$: 1x i5 NUC = 10x Pi
   Power:  1x i5 NUC = 5x Pi
  
   So...if a single NUC gives you the performance of 10x Pis at the
 capital
   cost of 10x Pis but uses half the power of 10x Pis and only a single
   Ethernet port, how does the Pi win?
  
   --
   Hugo
  
  
   On Mon 2015-May-11 17:08:43 -0500, Rafael Possamai raf...@gav.ufsc.br
 
   wrote:
  
Interesting! Knowing a pi costs approximately $35, then you need
   approximately $350 to get near an i5.. The smallest and cheapest
 desktop
   you can get that would have similar power is the Intel NUC with an i5
  that
   goes for approximately $350. Power consumption of a NUC is about 5x
 that
   of
   the raspberry pi, but the number of ethernet ports required is 10x
 less.
   Usually in a datacenter you care much more about power than switch
  ports,
   so in this case if the overhead of controlling 10x the number of nodes
  is
   worth it, I'd still consider the raspberry pi. Did I miss anything?
  Just a
   quick comparison.
  
  
  
   On Mon, May 11, 2015 at 4:40 PM, Michael Thomas m...@mtcc.com
 wrote:
  
As it turns out, I've been playing around benchmarking things lately
   using
   the tried and true
   UnixBench suite and here are a few numbers that might put this in
 some
   perspective:
  
    1) My new Raspberry pi (4 cores, arm): 406
   2) My home i5-like thing (asus 4 cores, 16gb's from last year): 3857
   3) AWS c4.xlarge (4 cores, ~8gb's): 3666
  
   So you'd need to, uh, wedge about 10 pi's to get one half way modern
  x86.
  
   Mike
  
  
   On 5/11/15 1:37 PM, Clay Fiske wrote:
  
On May 8, 2015, at 10:24 PM, char...@thefnf.org wrote:
  
  
   Pi dimensions:
  
   3.37 l (5 front to back)
   2.21 w (6 wide)
   0.83 h
   25 per U (rounding down for Ethernet cable space etc) = 825 pi
  
   Cable management and heat would probably kill this before it ever
   reached completion, but lol…
  
  
   This feels like it should be a Friday thread. :)
  
   If you’re really going for density:
  
   - At 0.83 inches high you could go 2x per U (depends on your
 mounting
   system and how much space it burns)
   - I’d expect you could get at least 7 wide if not 8 with the right
   micro-USB power connector
   - In most datacenter racks I’ve

Re: Rasberry pi - high density

2015-05-11 Thread Rafael Possamai
Interesting! Knowing a pi costs approximately $35, then you need
approximately $350 to get near an i5.. The smallest and cheapest desktop
you can get that would have similar power is the Intel NUC with an i5 that
goes for approximately $350. Power consumption of a NUC is about 5x that of
the raspberry pi, but the number of ethernet ports required is 10x less.
Usually in a datacenter you care much more about power than switch ports,
so in this case if the overhead of controlling 10x the number of nodes is
worth it, I'd still consider the raspberry pi. Did I miss anything? Just a
quick comparison.



On Mon, May 11, 2015 at 4:40 PM, Michael Thomas m...@mtcc.com wrote:

 As it turns out, I've been playing around benchmarking things lately using
 the tried and true
 UnixBench suite and here are a few numbers that might put this in some
 perspective:

 1) My new Rapsberry pi (4 cores, arm): 406
 2) My home i5-like thing (asus 4 cores, 16gb's from last year): 3857
 3) AWS c4.xlarge (4 cores, ~8gb's): 3666

 So you'd need to, uh, wedge about 10 pi's to get one half way modern x86.

 Mike


 On 5/11/15 1:37 PM, Clay Fiske wrote:

 On May 8, 2015, at 10:24 PM, char...@thefnf.org wrote:

 Pi dimensions:

 3.37 l (5 front to back)
 2.21 w (6 wide)
 0.83 h
 25 per U (rounding down for Ethernet cable space etc) = 825 pi

 Cable management and heat would probably kill this before it ever
 reached completion, but lol…


 This feels like it should be a Friday thread. :)

 If you’re really going for density:

 - At 0.83 inches high you could go 2x per U (depends on your mounting
 system and how much space it burns)
 - I’d expect you could get at least 7 wide if not 8 with the right
 micro-USB power connector
 - In most datacenter racks I’ve seen you could get at least 8 deep even
 with cable breathing room

 So somewhere between 7x8x2 = 112 and 8x8x2 = 128 per U. And if you get
 truly creative about how you stack them you could probably beat that
 without too much effort.

 This doesn’t solve for cooling, but I think even at these numbers you
 could probably make it work with nice, tight cabling.


 -c






Re: Rasberry pi - high density

2015-05-11 Thread Rafael Possamai
Maybe I messed up the math in my head, my line of thought was one pi is
estimated to use 1.2 watts, whereas the nuc is at around 65 watts. 10 pi's
= 12 watts. My comparison was 65watts/12watts = 5.4 times more power than
10 pi's put together. This is really a rough estimate because I got the
NUC's power consumption from the AC/DC converter that comes with it, which
has a maximum output of 65 watts. I could be wrong (up to 5 times) and
still the pi would use less power.

Now that I think about it, the best way to simplify this is to calculate
benchmark points per watt, so rasp pi is at around 406/1.2 which equals
338. The NUC, roughly estimated to be at 3857/65 which equals 60. Let's be
very skeptical and say that at maximum consumption the pi is using 5 watts,
then 406/5 is around 81. At this point the rasp pi still scores better.

Only problem is we are comparing ARM to x86, which isn't necessarily fair (I am
not an expert in computer architectures).





On Mon, May 11, 2015 at 5:24 PM, Hugo Slabbert h...@slabnet.com wrote:

 Did I miss anything? Just a quick comparison.


 If those numbers are accurate, then it leans towards the NUC rather than
 the Pi, no?

 Perf:   1x i5 NUC = 10x Pi
 $$: 1x i5 NUC = 10x Pi
 Power:  1x i5 NUC = 5x Pi

 So...if a single NUC gives you the performance of 10x Pis at the capital
 cost of 10x Pis but uses half the power of 10x Pis and only a single
 Ethernet port, how does the Pi win?

 --
 Hugo


 On Mon 2015-May-11 17:08:43 -0500, Rafael Possamai raf...@gav.ufsc.br
 wrote:

  Interesting! Knowing a pi costs approximately $35, then you need
 approximately $350 to get near an i5.. The smallest and cheapest desktop
 you can get that would have similar power is the Intel NUC with an i5 that
 goes for approximately $350. Power consumption of a NUC is about 5x that
 of
 the raspberry pi, but the number of ethernet ports required is 10x less.
 Usually in a datacenter you care much more about power than switch ports,
 so in this case if the overhead of controlling 10x the number of nodes is
 worth it, I'd still consider the raspberry pi. Did I miss anything? Just a
 quick comparison.



 On Mon, May 11, 2015 at 4:40 PM, Michael Thomas m...@mtcc.com wrote:

  As it turns out, I've been playing around benchmarking things lately
 using
 the tried and true
 UnixBench suite and here are a few numbers that might put this in some
 perspective:

 1) My new Rapsberry pi (4 cores, arm): 406
 2) My home i5-like thing (asus 4 cores, 16gb's from last year): 3857
 3) AWS c4.xlarge (4 cores, ~8gb's): 3666

 So you'd need to, uh, wedge about 10 pi's to get one half way modern x86.

 Mike


 On 5/11/15 1:37 PM, Clay Fiske wrote:

  On May 8, 2015, at 10:24 PM, char...@thefnf.org wrote:


 Pi dimensions:

 3.37 l (5 front to back)
 2.21 w (6 wide)
 0.83 h
 25 per U (rounding down for Ethernet cable space etc) = 825 pi

 Cable management and heat would probably kill this before it ever
 reached completion, but lol…


 This feels like it should be a Friday thread. :)

 If you’re really going for density:

 - At 0.83 inches high you could go 2x per U (depends on your mounting
 system and how much space it burns)
 - I’d expect you could get at least 7 wide if not 8 with the right
 micro-USB power connector
 - In most datacenter racks I’ve seen you could get at least 8 deep even
 with cable breathing room

 So somewhere between 7x8x2 = 112 and 8x8x2 = 128 per U. And if you get
 truly creative about how you stack them you could probably beat that
 without too much effort.

 This doesn’t solve for cooling, but I think even at these numbers you
 could probably make it work with nice, tight cabling.


 -c







Re: Rasberry pi - high density

2015-05-09 Thread Rafael Possamai
From the work that I've done in the past with clusters, your need for
bandwidth is usually not the biggest issue. When you work with big data,
let's say 500 million data points, most mathematicians would condense it
all down into averages, standard deviations, probabilities, etc, which then
become much smaller to save in your hard disks and also to perform data
analysis with, as well as transfer these stats from master to nodes and
vice-versa. So for one project at a time, your biggest concern is cpu
clock, ram, interrupts, etc. If you want to run all of the BIG 10s academic
projects into one big cluster for example, then networking might become an
issue solely due to volume.

The more data you transfer, the longer it would take to perform any
meaningful analysis on it, so really your bottleneck is TFLOPS rather than
packets per second. With Facebook it's the opposite, it's mostly pictures
and videos of cats coming in and out of the server with lots of reads and
writes on their storage. In that case, switching tbps of traffic is how
they make money.

A good example is creating a Docker container with your application and
deploying a cluster with CoreOS. You save all that capex and spend by the
hour. I believe Azure and EC2 already have support for CoreOS.




On Sat, May 9, 2015 at 12:48 AM, Tim Raphael raphael.timo...@gmail.com
wrote:

 The problem is, I can get more processing power and RAM out of two 10RU
 blade chassis and only needing 64 10G ports...

 32 x 256GB RAM per blade = 8.1TB
 32 x 16 cores x 2.4GHz = 1,228GHz
 (not based on current highest possible, just using reasonable specs)

 Needing only 4 QFX5100s which will cost less than a populated 6513 and
 give lower latency. Power, cooling and cost would be lower too.

 RPi = 900MHz and 1GB RAM. So to equal the two chassis, you'll need:

 1228 / 0.9 = 1364 Pis for compute (main performance aspect of a super
 computer) meaning double the physical space required compared to the
 chassis option.

 So yes, infeasible indeed.

 Regards,

 Tim Raphael

  On 9 May 2015, at 1:24 pm, char...@thefnf.org wrote:
 
 
 
  So I just crunched the numbers. How many pies could I cram in a rack?
 
  Check my numbers?
 
  48U rack budget
  6513 15U (48-15) = 33U remaining for pie
  6513 max of 576 copper ports
 
  Pi dimensions:
 
  3.37 l (5 front to back)
  2.21 w (6 wide)
  0.83 h
  25 per U (rounding down for Ethernet cable space etc) = 825 pi
 
  Cable management and heat would probably kill this before it ever
 reached completion, but lol...
 
 
 



Re: Thousands of hosts on a gigabit LAN, maybe not

2015-05-08 Thread Rafael Possamai
- The more switches a packet has to go through, the higher the latency, so
your response times may deteriorate if you cascade too many switches.
Legend says up to 4 is a good number; any further and you risk creating a big
mess.

- The more switches you add, the higher your bandwidth utilized by
broadcasts in the same subnet.
http://en.wikipedia.org/wiki/Broadcast_radiation

- If you have only one connection between each switch, each switch is going
to be limited to that rate (1gbps in this case), possibly creating a
bottleneck depending on your application and how exactly it behaves.
Consider aggregating uplinks.

- Bundling too many Ethernet cables will cause interference (cross-talk),
so keep that in mind. I'd purchase F/S/FTP cables and the like.

Here I am going off on a tangent: if your friends want to build a supercomputer
then there's a way to calculate the most efficient number of
nodes given your constraints (e.g. linear optimization). This could save
you time, money and headaches. An example: maximize the number of TFLOPS
while minimizing number of nodes (i.e. number of switch ports). Just a
quick thought.






On Fri, May 8, 2015 at 1:53 PM, John Levine jo...@iecc.com wrote:

 Some people I know (yes really) are building a system that will have
 several thousand little computers in some racks.  Each of the
 computers runs Linux and has a gigabit ethernet interface.  It occurs
 to me that it is unlikely that I can buy an ethernet switch with
 thousands of ports, and even if I could, would I want a Linux system
 to have 10,000 entries or more in its ARP table.

 Most of the traffic will be from one node to another, with
 considerably less to the outside.  Physical distance shouldn't be a
 problem since everything's in the same room, maybe the same rack.

 What's the rule of thumb for number of hosts per switch, cascaded
 switches vs. routers, and whatever else one needs to design a dense
 network like this?  TIA

 R's,
 John



Re: Question about co-lo in APAC region

2015-05-06 Thread Rafael Possamai
Personal opinion: developing countries tend to have unstable utility
service (power is what matters here), so your DC of choice in India should
be Tier 4 preferably, which are hard to find and really expensive. Budget
allowing, I'd stick to Hong Kong, Shanghai or Singapore as you mentioned
initially. These cities have pretty large financial services industries
(which rely heavily on IT & telco in general) and large companies like
Equinix/Digital Realty have already done the heavy lifting for you in terms
of scoping a good location for an APAC datacenter.


On Wed, May 6, 2015 at 11:28 AM, c b bz_siege...@hotmail.com wrote:

 This is a pre-project discovery question... any help would be greatly
 appreciated.
 We have upcoming partnerships (opportunities) in APAC. The original plan
 was to place the hub in Singapore. Just weeks before everyone was ready to
 begin the RFP, it turns out that one of our partner businesses owns a Co-Lo
 in India. Not sure what the name or the size of this business is yet. While
 it would be nice to take advantage of this, we have potential partnerships
 in China and other areas of APAC in development... we are hesitating to put
 our APAC hub in India just based on latency and where the undersea cables
 run.
 So, I'm reaching out to NANOG... some of you guys have either worked with
 businesses (or work in provider space) in both India and Singapore (and
 elsewhere, such as Japan). Is there a clear reason to use/not-use India as
 a hub? What would the pros/cons be? Is there a clear advantage to using
 Singapore as we originally planned?
 Again, we appreciate the feedback.
 LFoD


Re: ADSL Line Extenders

2015-04-30 Thread Rafael Possamai
Yes, you are correct, P2MP is what I meant to say. I'd also suggest
Ubiquiti radios, some of their models being capable of doing 1gbps+.

On Thu, Apr 30, 2015 at 7:59 AM, Shimon Hochbaum 
shimon.hochb...@teliswitch.com wrote:

 I second wholeheartedly the idea of wireless for this application, except
 that Rafael probably meant point to multipoint solutions: Trango
 https://www.trangosys.com/altum-ac or Waveip
 http://www.waveip.com/products/overview/ are 2 good options.

 Line extenders supporting ADSL2+ won't do much good: the 2 and the +
 denote improvements in the short range, less than 5000', probably not
 relevant in your case. If wired is your preferred option, you might want to
 consider HDSL based products, which are meant to drive 1.5M symmetric over
 long distances, power fed from the 2 sides for simplicity, with ability to
 go higher when pairs are bundled. Adtran should be the 1st place to look at.

 Good luck, Shimon

  -Original Message-
  From: Rafael Possamai [mailto:raf...@gav.ufsc.br]
  Sent: Wednesday, April 29, 2015 17:37
  To: Jean-Francois Mezei
  Cc: nanog@nanog.org
  Subject: Re: ADSL Line Extenders
 
  Semi-related question: in instances like this, wouldn't a point-to-point
 link
  provide larger throughput and be less expensive? Unless you are talking
 about
  several subscribers that are already installed and operating.
  Depending on the situation, it might make sense to set a few sectorial
  antennas at a high-point and link everyone with small inexpensive CPE
  antennas. Just a quick thought.
 
  Good luck,
  Rafael
 
 
  On Tue, Apr 28, 2015 at 4:24 PM, Jean-Francois Mezei 
  jfmezei_na...@vaxination.ca wrote:
 
  
   A friend on a rural DSl association asked about ADSL line extenders.
  
   A search on Google yields many products dating back to the days of
   ADSL-1 advertising 1mbps profiles, but a few seem more recent and
   support ADSL2+ (not sure if any support VDSL2).
  
   Are these thing out of date and no longer deployed ? Were they ever
   effective, or just vapourware that didn't really improve things ?
  
  
   Do any Telcos still deploy them ?  Anyone know of deployments in
 Canada ?
  
   I just need a reality check on those devices.
  
   jf
  





Re: ADSL Line Extenders

2015-04-29 Thread Rafael Possamai
Semi-related question: in instances like this, wouldn't a point-to-point
link provide larger throughput and be less expensive? Unless you are
talking about several subscribers that are already installed and operating.
Depending on the situation, it might make sense to set a few sectorial
antennas at a high-point and link everyone with small inexpensive CPE
antennas. Just a quick thought.

Good luck,
Rafael


On Tue, Apr 28, 2015 at 4:24 PM, Jean-Francois Mezei 
jfmezei_na...@vaxination.ca wrote:


 A friend on a rural DSl association asked about ADSL line extenders.

 A search on Google yields many products dating back to the days of
 ADSL-1 advertising 1mbps profiles, but a few seem more recent and
 support ADSL2+ (not sure if any support VDSL2).

 Are these thing out of date and no longer deployed ? Were they ever
 effective, or just vapourware that didn't really improve things ?


 Do any Telcos still deploy them ?  Anyone know of deployments in Canada ?

 I just need a reality check on those devices.

 jf



Re: rack cable length

2015-04-17 Thread Rafael Possamai
Hi Shawn,

If you don't leave slack, you can't really pull the server out of the RU
for maintenance (hot swaps, etc). Your best choice is to purchase cable
management trays if that makes sense (Dell servers usually come with
those).  Otherwise you just need to deal with the loops and whatnot the
best way you can. If your colo hardware is really random (dells, HPs,
supermicros) then it gets worse, but if your hardware is homogeneous then
you can come up with some way of attaching brackets to the side of the rack
that could help you avoid a rat's nest in the back of your rack (granted you
can't find cable management trays or they are too expensive to justify the
investment).



On Fri, Apr 17, 2015 at 1:44 PM, shawn wilson ag4ve...@gmail.com wrote:

 This is probably a stupid question, but

 We've got a few racks in a colo. The racks don't have any decent cable
 management (square metal holes to attach velcro to). We either order
 cable too long and end up with lots of loops which get in the way (no
 place to loop lots of excess really) or too short to run along the
 side (which is worse). It appears others using the same racks have
 figured this out, but...

 Do y'all just order 10 of each size per rack in every color you need
 or is there a better way to figure this out? I'm guessing something
 like 24 inches + (1.75 inches x Us) + 24 inches and round up to
 standard length...?



Spam coming from (possibly) GoDaddy servers - anyone on the list?

2015-03-10 Thread Rafael Possamai
Received some fake FedEx emails coming from secureserver.net servers that
afaik belong to GoDaddy.

I can give more details if someone speaks up. GMail anti-spam only picked
up a few of these, others went straight through to inbox.


Regards,
Rafael


Re: Comcast Support (from NANOG Digest, Vol 84, Issue 23)

2015-02-24 Thread Rafael Possamai

On Tue, Feb 24, 2015 at 10:27 AM, Kain, Rebecca (.) bka...@ford.com wrote:

 Ah, Comcast support.  Those people who keep calling my Ford Motor Company
 phone, to threaten to shut off service to my home, which I don't have (I
 have uverse).  They keep saying they will take my Ford number off the
 account (which of course, I don't know the account number because I don't
 have an account) and then they call again, with the same threat.

 Real winners.  And yes, I've been saving the chats with support.



 -Original Message-
 From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jay Ashworth
 Sent: Tuesday, February 24, 2015 11:23 AM
 To: NANOG
 Subject: Re: Comcast Support (from NANOG Digest, Vol 84, Issue 23)

 I thought you were just supposed to give your Geek License number.  :-)

 #nothingScales

 - Original Message -
  From: Kevin McElearney kevin_mcelear...@cable.comcast.com
  To: Peter Loron pet...@standingwave.org, John Brzozowski 
 john_brzozow...@cable.comcast.com
  Cc: nanog@nanog.org
  Sent: Monday, February 23, 2015 9:16:37 AM
  Subject: Re: Comcast Support (from NANOG Digest, Vol 84, Issue 23)
  You forgot to use the word “Shibboleet” when you called care.
  Contacted
  Peter off-list
 
 
  - Kevin
 
  On 2/23/15, 1:25 AM, Peter Loron pet...@standingwave.org wrote:
 
  Apologies for a bit off topic, but I’m trying to get an issue
  resolved
  and am having trouble reaching anybody who seems clue positive.
  
  From home via Comcast cable, I’m having trouble reaching some
  destinations. According to mtr, there is a particular node
  (be-11-pe02.11greatoaks.ca.ibone.comcast.net) which is suffering 
  30%
  loss. Contacting the Comcast consumer support folks is useless (what
  are
  the lights on your modem doing? Did you power cycle it?). When this
  is
  happening, I usually am told they need to send a tech to my house.
  insert facepalm.
  
  Is there a way to drop a note to the NOC or other folks who would
  understand the info and be able to act on it?
  
  Thanks!
  
  -Pete
   On Jan 23, 2015, at 09:14, Brzozowski, John
  john_brzozow...@cable.comcast.com wrote:
  
   Folks,
  
   The thread below was sent to me a few times, apologies for not
   catching
  it sooner.
  
   Janet,
  
   I sent you mail unicast with a request for some information. I am
  happy to help you out.
  
   For the larger NANOG audience, Comcast has recently launched IPv6
  support for our BCI products, these are our DOCSIS based commercial
  offerings. This means that if you gateway device is in fact in RG
  mode
  you will be delegated a dynamic IPv6 prefix, by default customers
  are
  delegated a /56 prefix along with a single IPv6 address that is
  assigned
  to the WAN of the gateway device. IPv6 support applies to the
  following
  makes and models:
  
   SMC D3G CCR (http://mydeviceinfo.comcast.net/device.php?devid=216)
   Cisco BWG (http://mydeviceinfo.comcast.net/device.php?devid=347)
   Netgear CG3000D
   (http://mydeviceinfo.comcast.net/device.php?devid=347)
  
   For customers where you bring your own cable modem or have one of
   the
  above in bridge mode we have enabled IPv6 support for you as well.
  However, your router behind the modem must be running software and
  configured with IPv6 support. Specifically, your router needs to be
  support stateful DHCPv6 for IPv6 address and prefix acquisition. We
  have received a number of reports from customers that the Juniper
  SRX
  does not appear to properly support IPv6. We are working with
  Juniper
  and also recommend that you reach out to Juniper as well.
  
   Please keep checking http://www.comcast6.net for updates, we will
   post
  some additional information here in the next week or so. In the mean
  time if you have questions feel free to send me mail or post them
  here
  on the NANOG list.
  
   HTH,
  
   John
   =
   John Jason Brzozowski
   Comcast Cable
   p) 484-962-0060
   w) www.comcast6.net
   e) john_brzozow...@cable.comcast.com
   =
  
  
  
   -Original Message-
   From: nanog-requ...@nanog.org
   Reply-To: NANOG nanog@nanog.org
   Date: Friday, January 23, 2015 at 07:00
   To: NANOG nanog@nanog.org
   Subject: NANOG Digest, Vol 84, Issue 23
  
   Date: Thu, 22 Jan 2015 22:42:17 +
   From: Janet Sullivan jan...@nairial.net
   To: 'nanog@nanog.org' nanog@nanog.org
   Subject: Comcast Support
   Message-ID: CY1PR0701MB1164F3448B35404BBAE671A8DC490@CY1PR0701MB1164.namprd07.prod.outlook.com
   Content-Type: text/plain; charset=us-ascii
  
   I hate to use NANOG for this, but support has now ended a chat with
   me
  

Re: Intrusion Detection recommendations

2015-02-14 Thread Rafael Possamai
Thanks for the awesome response, you have valid points. This could be me
trying to simplify things by suggesting something like Cisco ASA, but the
FreeBSD solution will need much more than just a well written ipfw or pf
set of rules. In his scenario, I would also most likely need to set up VPN,
CARP, etc, which requires a decent amount of knowledge. If you use newer
NICs, you'll most likely need to go with 10.0 or higher, which requires
constant updates/patches since it's a new release.





On Sat, Feb 14, 2015 at 11:31 AM, BPNoC Group bpnoc.li...@gmail.com wrote:

 On Fri, Feb 13, 2015 at 6:45 PM, Rafael Possamai raf...@gav.ufsc.br
 wrote:

 I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
 use a fairly well tested security appliance like Cisco's ASA.


 Or maybe Juniper, Cisco's Ironport, IPSO?

 They are all FreeBSD based, and ready for big and large critical networks.

 FreeBSD's ipfw codebase has existed for longer than most commercial products
 you somehow believe to be more mature. So FreeBSD's firewalling code is, at
 least, as well tested as commercial vendors' products.


 Depending on
 the traffic you have on your fiber uplink, you can get a redundant pair of
 ASAs running for less than $2,000 in the US.


 For this traffic rate the best part of a commercial product is just
 irrelevant: good specific hardware. Whatever can be done with a USD 2K
 Cisco based solution can be done on cheap, low-capacity x86 hardware with
 FreeBSD.


 I just find it less stressful
 to use a solution like ASA rather than worrying about patching your kernel
 every so often and worrying about possible vulns in the ipfw/pf codes.


 One does not need to svn update, build kernel, build world if he does not
 want to. It's just a matter of adding freebsd-update to crontab (or having
 your own manual updating cycle in place).


 That, and you have to make sure EVERYTHING is taken into account when you
 create your rules, which requires some intense knowledge on either ipfw,
 pf
 or both.


 Another point I am completely inclined to disagree.

 My team is made up of junior level, trainees, to +20yr experience
 professionals.

 There is absolutely no relevant learning curve for someone who has
 configured a Cisco or Juniper firewall to a PF or IPFW firewall. If the
 guy comes from a Linux background he finds it ridiculously simple to have a
 PF firewall up and running; after all, for someone used to that weird
 iptables syntax and semantics, a firewall where rules are linear and the
 syntax is natural is a piece of cake.

 For new professionals, they quickly learn PF/IPFW better than Linux or
 Fortigate which is another product we also have in place (heterogeneous /
 mixed team and technologies here).

 The tool is just the tool; it should be a matter of what the tool can or can
 not do, but not a matter of how to use it. Cisco ASA and PF are completely
 different animals, sure, but learning 'em from scratch or coming from other
 animals like Linux or Fortigate is straightforward.

 While products like Fortigate have a nice GUI interface, it's just limited
 and low productivity. My team tends to configure Fortinet on the CLI, and guess
 what? The Fortinet team is usually joked at by the BSD team when they see someone
 using the Fortinet CLI.

 It just takes 5 times more to configure several edit & blocks, creating
 objects, putting it all together to have a simple firewall rule in the end,
 when the BSD guys do a one line rule with macros and tables sorted all for
 equivalent object & advantages. Nobody cares for GUI in my team, but if a
 fancy GUI is required they send pfSense screenshots for the Fortinet guys
 just to keep making fun...

 I strongly believe in the idea that open source has its place and
 commercial products have their place on different scenarios and
 requirements. And in this scenario Mr Andy is asking about, IMO there's no
 reason not to go with open source BSD.

 Especially because he seems already familiar with FreeBSD.

 I am not an expert in intrusion detection, so with regards to that, I'd
 just set up a honeypot and monitor activity. You can also regularly run
 penetration tests on your own network and see how well you are protected.
 Just make sure the appropriate people know about these tests so you don't
 get wrongfully reported.


 Not the same thing, same goal or same results.




 Rafael


 On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth a...@newslink.com
 wrote:

  NANOG'ers,
 
  I've been tasked by our company president to learn about, investigate
 and
  recommend an intrusion detection system for our company.
 
  We're a smaller outfit, less than 100 employees, entirely Apple-based.
  Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to
 the
  world. We are protected by a FreeBSD firewall setup, and we stay
 current on
  updates/patches from Apple and FreeBSD, but that's as far as my
 expertise
  goes.
 
  Initially, what do people recommend for:
 
  1. Crash course in intrusion detection as a whole

Re: [OT] Re: Intellectual Property in Network Design

2015-02-13 Thread Rafael Possamai
Thank you for looking up facts, laws, etc... The rest is merely opinion,
and wouldn't necessarily help someone trying to protect their network
designs.

On Fri, Feb 13, 2015 at 11:25 AM, valdis.kletni...@vt.edu wrote:

 On Fri, 13 Feb 2015 10:28:25 -0500, William Herrin said:

  I have to disagree with you there. This particular ship sailed four
 decades
  ago when CONTU found computer software to be copyrightable and the
  subsequent legislation and litigation agreed.

 The output of craft is copyrightable even if it doesn't count as art,
 as long as it meets the requirement of 17 USC 102(a)(1) - literary works.

 The issue with software wasn't if it was art, but if it was a literary
 work
 (they struggled for a while with the concept of machine-readable versus
 human
 readable).

 Furthermore, the House Report discussing the Act states:
 The term literary works does not connote any criterion of literary merit
 or
 qualitative value: it includes catalogs, directories, and similar factual,
 reference, or instructional works and compilations of data. It also
 includes
 computer data bases, and computer programs to the extent that they
 incorporate
 authorship in the programmer's expression of original ideas, as
 distinguished from the ideas themselves. {FN8: H.R. Rep. No. 94-1476 at 54}

 http://digital-law-online.info/lpdi1.0/treatise17.html

 If catalogs and directories are covered, config files are... :)




Re: Intrusion Detection recommendations

2015-02-13 Thread Rafael Possamai
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
use a fairly well tested security appliance like Cisco's ASA. Depending on
the traffic you have on your fiber uplink, you can get a redundant pair of
ASAs running for less than $2,000 in the US. I just find it less stressful
to use a solution like ASA rather than worrying about patching your kernel
every so often and worrying about possible vulns in the ipfw/pf codes.
That, and you have to make sure EVERYTHING is taken into account when you
create your rules, which requires some intense knowledge on either ipfw, pf
or both.

I am not an expert in intrusion detection, so with regards to that, I'd
just set up a honeypot and monitor activity. You can also regularly run
penetration tests on your own network and see how well you are protected.
Just make sure the appropriate people know about these tests so you don't
get wrongfully reported.


Rafael


On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth a...@newslink.com wrote:

 NANOG'ers,

 I've been tasked by our company president to learn about, investigate and
 recommend an intrusion detection system for our company.

 We're a smaller outfit, less than 100 employees, entirely Apple-based.
 Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the
 world. We are protected by a FreeBSD firewall setup, and we stay current on
 updates/patches from Apple and FreeBSD, but that's as far as my expertise
 goes.

 Initially, what do people recommend for:

 1. Crash course in intrusion detection as a whole
 2. Suggestions or recommendations for intrusion detection hardware or
 software
 3. Other things I'm likely overlooking

 Thank you all in advance for your wisdom.


 
 Andy Ringsmuth
 a...@newslink.com
 News Link – Manager Technology & Facilities
 2201 Winthrop Rd., Lincoln, NE 68502-4158
 (402) 475-6397 / (402) 304-0083 cellular


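Rafael's suggestion above is to set up a honeypot and watch what connects to it. The following is an added example (not code from the thread or from any product named in it) of the smallest useful form of that idea: a canary TCP listener on a port nothing legitimate should ever talk to, which records the source address, source port and first bytes of every connection and then drops it. The `demo()` function exercises it over loopback with two constructed probe payloads; the listener address, port selection and record format are assumptions of this example.

```python
import socket
import threading
import time
from datetime import datetime, timezone


class CanaryListener:
    """Accept connections on an otherwise unused port and record who knocked.

    Nothing legitimate should connect here, so every record is worth a look
    (and is cheap evidence of internal scanning or a misbehaving host).
    """

    def __init__(self, host="127.0.0.1", port=0, read_timeout=0.5):
        # port=0 lets the OS pick a free port; in practice you bind a port
        # that looks interesting to a scanner (example choice, not a rule).
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.read_timeout = read_timeout
        self.records = []            # one dict per connection, append-only
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self.sock.close()            # unblocks accept() in the serving thread
        self._thread.join(timeout=2)

    def _serve(self):
        self.sock.settimeout(0.2)    # wake up regularly to check for stop()
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:          # socket closed by stop()
                break
            with conn:
                conn.settimeout(self.read_timeout)
                try:
                    # Grab whatever the client says first (a banner, an HTTP
                    # request, nothing at all) and never answer it.
                    data = conn.recv(256)
                except (socket.timeout, OSError):
                    data = b""
            self.records.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "src": ip,
                "sport": sport,
                "first_bytes": data[:64],
            })


def demo():
    """Start a canary on loopback, poke it twice with constructed probes,
    and return what it logged (used by the usage below and the test)."""
    canary = CanaryListener().start()
    try:
        for payload in (b"GET / HTTP/1.0\r\n\r\n", b"SSH-2.0-probe\r\n"):
            with socket.create_connection(("127.0.0.1", canary.port), timeout=2) as c:
                c.sendall(payload)
                c.recv(1)            # returns b"" once the canary closes on us
        deadline = time.time() + 2   # let the serving thread finish logging
        while len(canary.records) < 2 and time.time() < deadline:
            time.sleep(0.05)
    finally:
        canary.stop()
    return canary.records


if __name__ == "__main__":
    for record in demo():
        print(record)
```

In production the records would go to syslog or whatever the IDS ingests, and the listener would bind an address on the real LAN; the point is that a canary port needs no signatures, only the rule that any connection is an event.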


Re: Intrusion Detection recommendations

2015-02-13 Thread Rafael Possamai
What is the alternative then... Does he have the time to become a BSD guru
and master ipfw and pf? Probably not feasible with all other job duties,
unless he locks himself in his mom's basement for the next 5 years.


On Fri, Feb 13, 2015 at 3:27 PM, Rich Kulawiec r...@gsp.org wrote:

 On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote:
  I am a huge fan of FreeBSD, but for a medium/large business I'd
 definitely
  use a fairly well tested security appliance like Cisco's ASA.

 Closed-source software is faith-based security.

 ---rsk



Re: Comcast Static IP Changed With New Modem?

2015-02-11 Thread Rafael Possamai
I've had a similar mistake happen with TWC. It's most likely a glitch in
their config system which should use the gateway's MAC address in order to
assign a static IP on the DOCSIS modem. Tech support should figure this out
pretty quick without escalating it much further. I've had an instance where
a second line/modem was added with the same gateway IP, and that brought us
down for over a day until they got around to fixing it.

My suggestion is to always keep your gateways/edges monitored with a
service like Monitis. I use ping monitors every single minute from three
different locations in the US (abroad available too) and get email/SMS/call
whenever something fails once, twice, etc from one, two or more locations.
Really cool monitoring system.

Hope this helps.



On Mon, Feb 9, 2015 at 10:32 AM, Justin Krejci jkre...@usinternet.com
wrote:

 Has anyone run into the situation where their static IP address from
 Comcast (on the business class cable modem Internet service) was changed
 when the modem was replaced?

 We have a remote site that uses Comcast as a backup Internet connection
 and when we went to use it recently our VPN tunnel would not establish.
 After working with the Comcast support group we discovered Comcast changed
 our static IP address. I am working through trying to figure out the when
 and the why with Comcast still and suspect it was changed when the modem
 was replaced back in December. The modem was replaced by Comcast as our
 previous modem was apparently EOL'ed.

 We're now setting up additional monitoring to verify the accessibility of
 our remote site via the Comcast connection so we don't have any future
 uh-ohs when we need to use our backup connection and it too is not fully
 functional.

 TIA,
 -Justin



Re: abuse reporting tools

2014-11-18 Thread Rafael Possamai
Some folks might disagree with this, but if it's an important service that
I have running on a network, I will block a series of garbage AS's (the closer
to /8 the better) at the firewall (not at the edge), and that reduces the
headaches by 50%. This isn't practical at the edge, but for system
administration it is the only way I have found to minimize the problem. A lot
of times the owners of these IPs don't really care and won't take action.
For example, look at the amount of garbage that comes out of FDC Servers in
Chicago at times, and not much is done about it.

On Tue, Nov 18, 2014 at 6:58 PM, Mike mike-na...@tiedyenetworks.com wrote:

 Hello,

 I provide broadband connectivity to mostly residential users. Over the
 past few years, instances of DDoS against the network - specifically
 targeting end users - have been on the rise, and today I can qualify many
 of these as simple acts of revenge where someone will engage a DoS
 (possibly, services like 'booters' or similar) because they lost an
 online game or had some interaction in a forum they didn't like. I have
 good 'consumer broadband' filtering rules in place which make sense and
 protect against quite a lot of obviously DDoS-oriented traffic streams.
 The next step I want to engage, for those types of traffic which I can
 positively identify as not spoofed, is to send out abuse reports to
 owners of IP ranges used to launch these attacks. Ideally I'd like to be
 able to write up some form letter describing the attack, the source
 IP(s) of note, some disassembled sample packets, and then feed a list of
 IP source addresses and have it mail it out to the abuse contact at each
 source network. I am wondering if anyone has a pointer or reference to
 any tools which might help facilitate this?

 Thank you.

 Mike-

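The workflow Mike describes above (take a list of non-spoofed source IPs, find the network responsible for each, and produce one form letter per abuse contact with the observed packets and samples) is small enough to sketch in a script. The following is an added example written for this archive page, not a tool from the thread or from any of its posters. Everything in it is constructed: the log line layout, the netblocks (documentation ranges), the abuse contacts and the sender address. A real version would fill the contact table from RDAP/whois lookups and hand the rendered letters to a mailer; rendering only is shown here.

```python
"""Draft abuse reports from attack-source sightings (added example, constructed data).

Parses constructed edge-filter log lines, drops malformed ones, groups the
source addresses by the netblock that owns them, looks up that netblock's
abuse contact in a local table, and renders one form letter per contact.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REPORTER = "noc@reporter.invalid"  # constructed sender address

# Constructed abuse-contact table keyed by netblock; stands in for RDAP/whois results.
ABUSE_CONTACTS = {
    "192.0.2.0/24": "abuse@isp-a.invalid",
    "198.51.100.0/24": "abuse@isp-b.invalid",
    "203.0.113.0/24": "abuse@isp-c.invalid",
}
_NETWORKS = [(ipaddress.ip_network(n), c) for n, c in ABUSE_CONTACTS.items()]

# Constructed log layout: "<iso-time> src=<ip> dport=<n> pkts=<n> sample=<hex>"
_LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) pkts=(?P<pkts>\d+) sample=(?P<sample>[0-9a-f]+)$"
)

# Constructed sightings; the last line is deliberately malformed.
SAMPLE_LOG = """\
2014-11-18T23:05:11Z src=192.0.2.17 dport=80 pkts=120000 sample=4500003c1c464000
2014-11-18T23:05:12Z src=192.0.2.99 dport=80 pkts=98000 sample=4500003c1c474000
2014-11-18T23:06:40Z src=198.51.100.5 dport=27015 pkts=410000 sample=45000028a1b20000
2014-11-18T23:07:02Z src=100.64.3.7 dport=27015 pkts=5000 sample=45000028a1b30000
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Sighting:
    timestamp: str   # as logged, UTC
    src_ip: str
    dst_port: int
    packets: int
    sample_hex: str  # leading bytes of one captured packet


def parse_log(text: str) -> List[Sighting]:
    """Parse the constructed log format; malformed lines and invalid IPs are dropped."""
    out = []
    for line in text.splitlines():
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        try:
            ipaddress.ip_address(m["src"])  # reject garbage before it reaches a letter
        except ValueError:
            continue
        out.append(Sighting(m["ts"], m["src"], int(m["dport"]), int(m["pkts"]), m["sample"]))
    return out


def abuse_contact(ip: str) -> Optional[str]:
    """Abuse contact for the most specific netblock containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, contact in _NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def group_by_contact(sightings: List[Sighting]) -> Tuple[Dict[str, List[Sighting]], List[Sighting]]:
    """Split sightings into {contact: [sightings]} plus those with no known contact."""
    groups: Dict[str, List[Sighting]] = defaultdict(list)
    unknown: List[Sighting] = []
    for s in sightings:
        contact = abuse_contact(s.src_ip)
        if contact is None:
            unknown.append(s)
        else:
            groups[contact].append(s)
    return dict(groups), unknown


def render_report(contact: str, sightings: List[Sighting], reporter: str = REPORTER) -> str:
    """Render one form letter covering every sighting that belongs to this contact."""
    total = sum(s.packets for s in sightings)
    first = min(s.timestamp for s in sightings)
    last = max(s.timestamp for s in sightings)
    lines = [
        f"To: {contact}",
        f"From: {reporter}",
        "Subject: Abuse report: DDoS traffic from your address space",
        "",
        f"Between {first} and {last} (UTC) our network received attack traffic",
        f"from {len(sightings)} address(es) in your space, totalling {total} packets.",
        "The source addresses were verified as not spoofed.",
        "",
        "Source IP        First seen            Dst port  Packets   Sample (hex)",
    ]
    for s in sorted(sightings, key=lambda s: ipaddress.ip_address(s.src_ip)):
        lines.append(f"{s.src_ip:<16} {s.timestamp:<21} {s.dst_port:<9} {s.packets:<9} {s.sample_hex}")
    lines += ["", "Please investigate and reply to this address.", "", "Regards,", reporter]
    return "\n".join(lines)


def build_reports(sightings: List[Sighting]) -> Tuple[Dict[str, str], List[Sighting]]:
    """Return {contact: letter} plus the sightings that could not be attributed."""
    groups, unknown = group_by_contact(sightings)
    return {c: render_report(c, ss) for c, ss in groups.items()}, unknown


if __name__ == "__main__":
    reports, unattributed = build_reports(parse_log(SAMPLE_LOG))
    for letter in reports.values():
        print(letter, "\n" + "-" * 72)
    print("no contact known for:", [s.src_ip for s in unattributed])
```

Sightings whose source falls outside any known netblock are returned separately rather than silently dropped, since those are exactly the ones that need a manual whois pass; and the most-specific-prefix match matters once the contact table holds both an allocation and a more specific reassignment inside it.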

