RE: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Ryan, Spencer
Are you a CL/L3 customer? Those resolvers have only ever been for “customers” 
even though they would resolve for anyone. They started injecting NXDOMAIN 
redirects a while ago for non-customers.


From: NANOG  On Behalf Of Marshall, Quincy
Sent: Monday, November 18, 2019 12:45 PM
Subject: Level(3) DNS Spoofing All Domains

This is mostly informational and may have already hit this group. My google-foo 
failed me if so.

I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are 
spoofing all domains. If the hostname begins with a “w” and does not exist in 
the authoritative zone these hosts will return two Akamai hosts.

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108

My apologies if this is old news.

Lawrence Q. Marshall
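The `dig +short` session above is enough to tell a synthetic answer from a real one: no authoritative zone can hand the same two addresses to four unrelated non-existent names. The checker below is an added example, not code from the thread; it parses the quoted transcript, flags address sets shared across unrelated domains, and builds fresh probe names. The `registrable_domain` heuristic, the `min_domains` threshold and `probe_commands` are my own assumptions.

```python
"""Spot a recursive resolver that answers names which should be NXDOMAIN.
Added example; not code from the NANOG thread."""
import random
import re
import string
from collections import defaultdict

# Constructed sample input: the dig +short session quoted in the post.
DIG_TRANSCRIPT = """\
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108
"""

# An optional shell prompt (anything ending in # or $) followed by the command.
DIG_CMD_RE = re.compile(r"^(?:.*?[#$]\s*)?dig \+short (\S+)(?:\s+@(\S+))?")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dig_short(transcript):
    """Map each queried name to the A records dig printed for it.

    An empty list means dig printed nothing, which is what a resolver that
    honours NXDOMAIN returns for a name that does not exist.
    """
    answers = {}
    current = None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = DIG_CMD_RE.match(line)
        if m:
            current = m.group(1).rstrip(".").lower()
            answers[current] = []
        elif current is not None and IPV4_RE.match(line):
            answers[current].append(line)
    return answers


def registrable_domain(name):
    """Heuristic (assumption): the last two labels are the registrable domain.
    Fine for the gov/net/com/org probes above, not for ccTLD second levels."""
    return ".".join(name.split(".")[-2:])


def detect_redirect(answers, min_domains=2):
    """Group the answers for names that *should* be NXDOMAIN by address set.
    A set returned for at least `min_domains` unrelated domains cannot come
    from any authoritative zone, so the resolver is injecting it.

    Returns [(sorted address tuple, sorted domain list), ...].
    """
    by_answer = defaultdict(set)
    for name, records in answers.items():
        if records:
            by_answer[tuple(sorted(records))].add(registrable_domain(name))
    return sorted(
        (ips, sorted(domains))
        for ips, domains in by_answer.items()
        if len(domains) >= min_domains
    )


def probe_commands(resolver, tlds, seed=0):
    """Build dig commands for names that should not exist, one per TLD. Each
    starts with 'w' as in the post; the random label makes registration of
    the name very unlikely, and the seed keeps a probe set reproducible."""
    rng = random.Random(seed)
    cmds = []
    for tld in tlds:
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(16))
        cmds.append(f"dig +short w3.{label}.{tld} @{resolver}")
    return cmds


if __name__ == "__main__":
    parsed = parse_dig_short(DIG_TRANSCRIPT)
    for ips, domains in detect_redirect(parsed):
        print("synthetic answer", ", ".join(ips), "returned for", domains)
    print("\n".join(probe_commands("4.2.2.2", ["gov", "net", "com", "org"])))
```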






RE: 40G reforming

2018-02-05 Thread Ryan, Spencer
Looks like you’re right. Too many 7xxx model numbers. Either way, same result. 
The MAC layer in the switch treats it like a QSFP port would be.

From: Tim Jackson [mailto:jackson@gmail.com]
Sent: Monday, February 5, 2018 9:11 PM
To: Ryan, Spencer <sr...@arbor.net>
Cc: Hunter Fuller <hf0002+na...@uah.edu>; nanog list <nanog@nanog.org>
Subject: RE: 40G reforming

I'm pretty sure that this is only available on 7150S which is FM6000, not 
broadcom at all.



On Feb 5, 2018 8:00 PM, "Ryan, Spencer" <sr...@arbor.net> wrote:
You don’t use 40G modules at all. Just 4 x 10G SFP+.

The Broadcom trident chip is configured at the MAC layer for 40G, so it’s 
identical to a real 40G port inside.

Some more reading:

https://www.arista.com/assets/data/pdf/Whitepapers/AgilePorts_over_DWDM_Final.pdf


Spencer Ryan | Senior Systems Administrator | sr...@arbor.net
Arbor Networks | The security division of NETSCOUT
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com



From: Hunter Fuller [mailto:hf0002+na...@uah.edu]
Sent: Monday, February 5, 2018 2:57 PM
To: Ryan, Spencer <sr...@arbor.net>
Cc: Marian Ďurkovič <m...@bts.sk>; Baldur Norddahl <baldur.nordd...@gmail.com>; nanog@nanog.org
Subject: Re: 40G reforming

I suspect that implies that you can just take a 40Gbase-SR4 module and break it 
out into individual "10G" multi-mode pairs for DWDM use. Has anyone tried this? 
I'm also very interested in using that strategy.
On Mon, Feb 5, 2018 at 1:36 PM Ryan, Spencer <sr...@arbor.net> wrote:
Indeed. Arista does (did?) make at least one platform where you can do this.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Marian Durkovic
Sent: Monday, February 5, 2018 2:33 PM
To: Baldur Norddahl <baldur.nordd...@gmail.com>
Cc: nanog@nanog.org
Subject: Re: 40G reforming

Many switches based on BCM Trident ASIC allow you to configure 4 consecutive
SFP+ ports as 40G link (not LACP, but using real hardware 40G framing).
In such case, you can plug 4 DWDM SFP+ modules directly into the switch, 
without the need for any reformer.

   M.

On Mon, 5 Feb 2018 20:03:33 +0100, Baldur Norddahl wrote
> I may need to clarify that I do not want to break the port into 4x10G
> as such. To the switch this will be an ordinary 40G link to another
> switch far away.
>
> I want to take advantage of the fact that 40G is transported as four
> individual streams. Each of the four streams are to be converted from
> 850 nm to a 1550 DWDM channel (one channel per stream). And the
> reverse at the other end of the link.
>
> The point of doing this is that 40G DWDM modules are not generally
> available and neither are 80 km modules.
>
> I need a true 40G channel so 4x10G LACP is not an option here. For the
> same reason I am unable to accept a solution that splits the 40G port
> into 4x10G and then perhaps recombines using LACP. Instead I am
> looking at an optical solution that is invisible to the switch hardware.
>
> The only doubt I have about the proposed solution is whether the frame
> format of the 10G substreams is somehow incompatible with what goes on
> in the reformer. As I understand these reformers they are little more
> than two SFP(+) modules connected back to back. And therefore it
> should not matter that the frame format may be different.
>
> Regards
>
> Baldur
>
> On 5 Feb 2018 7:20 PM, "Paul Zugnoni" <p...@wish.com> wrote:
>
> Whether a 40G port can be broken into 4x10G is dependent on the
> router/switch hardware and the optic you use. Good news is that most
> 40G ports are capable of being broken out into 4x10G, sin

RE: 40G reforming

2018-02-05 Thread Ryan, Spencer
You don’t use 40G modules at all. Just 4 x 10G SFP+.

The Broadcom trident chip is configured at the MAC layer for 40G, so it’s 
identical to a real 40G port inside.

Some more reading:

https://www.arista.com/assets/data/pdf/Whitepapers/AgilePorts_over_DWDM_Final.pdf


Spencer Ryan | Senior Systems Administrator | sr...@arbor.net
Arbor Networks | The security division of NETSCOUT
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com



From: Hunter Fuller [mailto:hf0002+na...@uah.edu]
Sent: Monday, February 5, 2018 2:57 PM
To: Ryan, Spencer <sr...@arbor.net>
Cc: Marian Ďurkovič <m...@bts.sk>; Baldur Norddahl <baldur.nordd...@gmail.com>; 
nanog@nanog.org
Subject: Re: 40G reforming

I suspect that implies that you can just take a 40Gbase-SR4 module and break it 
out into individual "10G" multi-mode pairs for DWDM use. Has anyone tried this? 
I'm also very interested in using that strategy.

On Mon, Feb 5, 2018 at 1:36 PM Ryan, Spencer <sr...@arbor.net> wrote:
Indeed. Arista does (did?) make at least one platform where you can do this.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Marian Durkovic
Sent: Monday, February 5, 2018 2:33 PM
To: Baldur Norddahl <baldur.nordd...@gmail.com>
Cc: nanog@nanog.org
Subject: Re: 40G reforming

Many switches based on BCM Trident ASIC allow you to configure 4 consecutive
SFP+ ports as 40G link (not LACP, but using real hardware 40G framing).
In such case, you can plug 4 DWDM SFP+ modules directly into the switch, 
without the need for any reformer.

   M.

On Mon, 5 Feb 2018 20:03:33 +0100, Baldur Norddahl wrote
> I may need to clarify that I do not want to break the port into 4x10G
> as such. To the switch this will be an ordinary 40G link to another
> switch far away.
>
> I want to take advantage of the fact that 40G is transported as four
> individual streams. Each of the four streams are to be converted from
> 850 nm to a 1550 DWDM channel (one channel per stream). And the
> reverse at the other end of the link.
>
> The point of doing this is that 40G DWDM modules are not generally
> available and neither are 80 km modules.
>
> I need a true 40G channel so 4x10G LACP is not an option here. For the
> same reason I am unable to accept a solution that splits the 40G port
> into 4x10G and then perhaps recombines using LACP. Instead I am
> looking at an optical solution that is invisible to the switch hardware.
>
> The only doubt I have about the proposed solution is whether the frame
> format of the 10G substreams is somehow incompatible with what goes on
> in the reformer. As I understand these reformers they are little more
> than two SFP(+) modules connected back to back. And therefore it
> should not matter that the frame format may be different.
>
> Regards
>
> Baldur
>
> On 5 Feb 2018 7:20 PM, "Paul Zugnoni" <p...@wish.com> wrote:
>
> Whether a 40G port can be broken into 4x10G is dependent on the
> router/switch hardware and the optic you use. Good news is that most
> 40G ports are capable of being broken out into 4x10G, since a 40G port
> is usually operating as 4x10G internally anyway to the ASIC. The QSFP
> you'll need would be a 40G-SR4 for MTP/Multimode or 40G-LR4 for
> MTP/Singlemode (or a lower power, less expensive equivalent). This is
> a pretty common use of 40G ports. All 4 10G ports would then be at
> 850nm or 1310nm, which you can then plug into any 10G SR or LR ports.
>
> What router or switch platform is driving the 40G?
>
> Paul Z
>
> On Mon, Feb 5, 2018 at 7:57 AM, Baldur Norddahl
> <baldur.nordd...@gmail.com>
> wrote:
>
> > Hello
> >
> > Is it possible to reform a 40G signal as individual 10G links?
> >
> > The idea is to use a 40G QSFP multimode MTP module such as
> > https://www.fs.com/products/44058.html. Then connect it using a MTP
> > breakout cable such as https://www.fs.com/products/68049.html
> > to get four dual fiber connectors. These are then connected to four 10G
> > SFP+ multimode modules such as
> > https://

RE: 40G reforming

2018-02-05 Thread Ryan, Spencer
Indeed. Arista does (did?) make at least one platform where you can do this. 

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Marian Durkovic
Sent: Monday, February 5, 2018 2:33 PM
To: Baldur Norddahl 
Cc: nanog@nanog.org
Subject: Re: 40G reforming

Many switches based on BCM Trident ASIC allow you to configure 4 consecutive
SFP+ ports as 40G link (not LACP, but using real hardware 40G framing).
In such case, you can plug 4 DWDM SFP+ modules directly into the switch, 
without the need for any reformer.

   M.

On Mon, 5 Feb 2018 20:03:33 +0100, Baldur Norddahl wrote
> I may need to clarify that I do not want to break the port into 4x10G 
> as such. To the switch this will be an ordinary 40G link to another 
> switch far away.
> 
> I want to take advantage of the fact that 40G is transported as four 
> individual streams. Each of the four streams are to be converted from 
> 850 nm to a 1550 DWDM channel (one channel per stream). And the 
> reverse at the other end of the link.
> 
> The point of doing this is that 40G DWDM modules are not generally 
> available and neither are 80 km modules.
> 
> I need a true 40G channel so 4x10G LACP is not an option here. For the 
> same reason I am unable to accept a solution that splits the 40G port 
> into 4x10G and then perhaps recombines using LACP. Instead I am 
> looking at an optical solution that is invisible to the switch hardware.
> 
> The only doubt I have about the proposed solution is whether the frame 
> format of the 10G substreams is somehow incompatible with what goes on 
> in the reformer. As I understand these reformers they are little more 
> than two SFP(+) modules connected back to back. And therefore it 
> should not matter that the frame format may be different.
> 
> Regards
> 
> Baldur
> 
> On 5 Feb 2018 7:20 PM, "Paul Zugnoni" wrote:
> 
> Whether a 40G port can be broken into 4x10G is dependent on the 
> router/switch hardware and the optic you use. Good news is that most 
> 40G ports are capable of being broken out into 4x10G, since a 40G port 
> is usually operating as 4x10G internally anyway to the ASIC. The QSFP 
> you'll need would be a 40G-SR4 for MTP/Multimode or 40G-LR4 for 
> MTP/Singlemode (or a lower power, less expensive equivalent). This is 
> a pretty common use of 40G ports. All 4 10G ports would then be at 
> 850nm or 1310nm, which you can then plug into any 10G SR or LR ports.
> 
> What router or switch platform is driving the 40G?
> 
> Paul Z
> 
> On Mon, Feb 5, 2018 at 7:57 AM, Baldur Norddahl wrote:
> 
> > Hello
> >
> > Is it possible to reform a 40G signal as individual 10G links?
> >
> > The idea is to use a 40G QSFP multimode MTP module such as
> > https://www.fs.com/products/44058.html. Then connect it using a MTP
> > breakout cable such as https://www.fs.com/products/68049.html
> > to get four dual fiber connectors. These are then connected to four 10G
> > SFP+ multimode modules such as https://www.fs.com/products/11589.html.
> > The reformer could be https://www.fs.com/products/43721.html.
> > And finally the reformed signal can be transported using anything
> > including DWDM modules such as https://www.fs.com/products/44058.html.
> >
> > Just using fs.com as a reference to the kind of equipment I am 
> > talking about. Many other vendors offer similar products.
> >
> > The motivation for doing this is to get access to the many options 
> > that are available for 10G optics but not possible with 40G.
> >
> > Regards,
> >
> > Baldur
> >
> >



RE: 40G reforming

2018-02-05 Thread Ryan, Spencer
40G is either 4 x 10G over a single pair, or broken out into 8 fibers in the 
short or parallel versions.

Almost all Ethernet platforms support running most or all of their 40G ports as 
1 x 40 or 4 x 10. 

When using the breakout cables though your options are usually more limited. A 
1U switch as a 4 x SFP+ to 1 x QSFP(28) converter will work, depending on your 
use case. 


Spencer Ryan | Senior Systems Administrator | sr...@arbor.net
Arbor Networks | The security division of NETSCOUT
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Baldur Norddahl
Sent: Monday, February 5, 2018 10:57 AM
To: nanog@nanog.org
Subject: 40G reforming

Hello

Is it possible to reform a 40G signal as individual 10G links?

The idea is to use a 40G QSFP multimode MTP module such as
https://www.fs.com/products/44058.html. Then connect it using a MTP breakout
cable such as https://www.fs.com/products/68049.html to get four dual fiber
connectors. These are then connected to four 10G SFP+ multimode modules such
as https://www.fs.com/products/11589.html. The reformer could be
https://www.fs.com/products/43721.html. And finally the reformed signal can be
transported using anything including DWDM modules such as
https://www.fs.com/products/44058.html.

Just using fs.com as a reference to the kind of equipment I am talking about. 
Many other vendors offer similar products.

The motivation for doing this is to get access to the many options that are 
available for 10G optics but not possible with 40G.

Regards,

Baldur



RADB - aut-num policy question

2018-02-05 Thread Ryan, Spencer
Hello all,

I'm a bit out of my element on this one and hoping someone can help.

I'm putting together an aut-num entry for RADB and have a question about our 
Comcast peerings.

We peer with AS7922 in several sites, but if you look at the actual pathing via 
bgp.he.net or just the routes themselves you can see that the first AS in the 
path after ours is either 7015 or 33668 depending on region for the paths that 
prefer comcast's network.

For the import/export policy can I just reference 7922 or do I also need to 
include the others?


Thanks in advance!


Spencer Ryan | Senior Systems Administrator | 
sr...@arbor.net
Arbor Networks | The security division of NETSCOUT
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com




ATT AVPN BGP Communities

2017-11-29 Thread Ryan, Spencer
Hey All,

Does anyone know if AVPN lets end users set/add their own communities to 
routes? I see that they stamp several on the routes we originate (Community: 
13979:2741 13979:2943 13979:5000 13979:6551) and curious if anyone had luck 
adding their own before I go start mucking around.

Thanks!



Spencer Ryan | Senior Systems Administrator | 
sr...@arbor.net
Arbor Networks | The security division of NETSCOUT
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com




Re: Two BGP peering sessions on single Comcast Fiber Connection?

2016-10-13 Thread Ryan, Spencer
Run your IPv4 peer to one router and IPv6 to another. Boom, redundancy!


Spencer Ryan | Senior Systems Administrator | 
sr...@arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com



From: NANOG  on behalf of Jörg Kost 
Sent: Thursday, October 13, 2016 3:59:29 PM
To: rar
Cc: nanog@nanog.org
Subject: Re: Two BGP peering sessions on single Comcast Fiber Connection?


On 13 Oct 2016, at 19:48, rar wrote:

> Comcast said they could not support two separate BGP peering sessions
> on the same circuit.  Does anyone have any counter examples?  We used
> to have this setup with Comcast 5+ years ago, but now they say they
> can't support it.
>

So how do they connect ip6 sessions? ;-)

Jörg



Re: Excessive Netflix DNS Traffic?

2016-10-13 Thread Ryan, Spencer
I was going to point you to the reddit thread about it, but it looks to be your 
thread :)


Spencer Ryan | Senior Systems Administrator | 
sr...@arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com



From: NANOG  on behalf of Eamon Bauman 

Sent: Thursday, October 13, 2016 10:26:57 AM
To: nanog@nanog.org
Subject: Excessive Netflix DNS Traffic?

Hi all,

Is anyone seeing excessive DNS traffic from game consoles (Xbox One, PS4)
running Netflix? Starting 9/29 we have been seeing significant volume of
DNS traffic from game consoles on our campus to our caching recursive
boxes. Logs show repeated requests for api-global.netflix.com and
nrdp.nccp.netflix.com.

Anyone else experiencing this?

Eamon


Re: charges for prefix filter updates (was Re: Any ISPs using AS852 for IP Transit?)

2016-09-26 Thread Ryan, Spencer
I've used HE's tunnelbroker (BGP) a few times to get our ARIN space to a site 
while waiting on a local carrier to turn up v6, get the proper LOA, etc.


I've received better service from the NOC there for a service I didn't pay for 
than I have from any ISP I've ever given money. They are doing a great job over 
there. A LOA change (/48-->/40 le 48) took about an hour.


Spencer Ryan | Senior Systems Administrator | 
sr...@arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com



From: NANOG  on behalf of Ken Chase 
Sent: Monday, September 26, 2016 10:51:51 AM
To: Jason Lixfeld
Cc: NANOG
Subject: Re: charges for prefix filter updates (was Re: Any ISPs using AS852 
for IP Transit?)

Followup: we did the quote/PO/sign-the-order dance. That took about 3-4 days
not including our side's lag (which was not insignificant, Im not the guy with
the pen). But now it's gone to provisioning and will be a standard *5 days*.

Cogent will do this in about 1-6 hours if you provide the LOA's with the 
request.
So will HE. And many others.

/kc


On Thu, Sep 15, 2016 at 02:28:50PM -0400, Ken Chase said:
  >I feel this can be a public topic:
  >
  >Rogers just charged us that for an update (one update, multiple entries).
  >We had to go through their quotation machinery too, took like 4-5 days. Additional
  >time was wasted because we contacted their tech dept directly at the start. (which
  >is what I do for all my other upstreams...)
  >
  >Kinda brutal.
  >
  >Cogent and HE nor NAC or Yipes or Tata ever did that to us.
  >
  >Nickle and diming -- why, cuz transit is a cheap commodity now, gotta make the
  >cash somewhere?
  >
  >That said Cogent offered us a static /26 alongside our BGP years ago then warned
  >us it'd be $50/mo or something for that # of ips going forward. We didn't need it
  >so dispensed with it.
  >
  >/kc
  >
  >
  >On Thu, Sep 15, 2016 at 02:07:01PM -0400, Jason Lixfeld said:
  >  >If there are any ISPs who use TELUS/AS852 for IP Transit over BGP, I'd
  >  >be interested in hearing from you.
  >  >
  >  >I'd like to compare notes to see if you are also paying $250 for each
  >  >BGP prefix filter updated request, or if we're the only ones?
  >  >
  >  >Thanks in advance!
  >
  >--
  >Ken Chase - m...@sizone.org Toronto Canada


Re: "Defensive" BGP hijacking?

2016-09-13 Thread Ryan, Spencer
What would you have done if the personal harassment didn't stop? What would you 
have done if they simply switched to a new source range/different set of bots?


Seems like a very slippery slope to me.


Spencer Ryan | Senior Systems Administrator | 
sr...@arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com



From: NANOG  on behalf of Bryant Townsend 

Sent: Tuesday, September 13, 2016 3:22:43 AM
To: nanog@nanog.org
Subject: Re: "Defensive" BGP hijacking?

Hello Everyone,


I would like to give as much insight as I can in regards to the BGP hijack
being discussed in this thread. I won’t be going into specific details of
the attack, but we do plan to release more information on our website when
we are able to. I also wanted to let Hugo (who started the thread) know
that we harbor no hard feelings about bringing this topic up, as it is
relevant to the community and does warrant discussion. Hugo, you may owe me
a beer the next time we meet. :)



We agree with others that NANOG is the most appropriate venue to answer any
questions and discuss the topic at hand. I have been attending NANOG for
the past 3-4 years, and I can assure you that it is of the utmost
importance to me how the community views my company, my employees, and
myself. There are many people in this community that I personally have the
utmost respect for, and it would sadden me if I were to lose the respect of
mentors, colleagues, and friends by not responding. That being said, I
think there are a fair number of people in NANOG that would vouch for my
character and ethics relating to the intent of my actions, even if I were
to remain silent.  I would also like to preface that my explanation of the
events that occurred and actions taken by BackConnect are not to justify or
provide excuses. My goal is to simply show what happened and give insight
into our actions.



I will start with a little background to bring anyone up to speed that is
not aware of the events that transpired.


*About the company, BackConnect, Inc.*: We are a new (~4 months old)
open-sourced based DDoS mitigation and network security provider that
specializes in custom intrusion detection and prevention systems. We also
provide threat intelligence services, with an emphasis on active botnets,
new and upcoming DDoS attack patterns, and booter services. From time to
time, this information flows through our network for collection purposes.


*Events leading to the Hijack*: On 9/6/2016, ~10:30AM PST, one of our
clients and our website received a large and relatively sophisticated DDoS
attack. The attack targeted entire subnets and peaked over 200 Gbps and
40Mpps. Although the attack was automatically detected and mostly filtered,
there was initially a small leak. In response we quickly applied new
security rules that rendered it entirely ineffective. The attackers
continued to attack our network and client for roughly 6 hours before
giving up.


*Events that caused us to perform the BGP hijack*: After the DDoS attacks
subsided, the attackers started to harass us by calling in using spoofed
phone numbers. Curious to what this was all about, we fielded various calls
which allowed us to ascertain who was behind the attacks by correlating
e-mails with the information they provided over the phone. Throughout the
day and late into the night, these calls and threats continued to increase
in number. Throughout these calls we noticed an increasing trend of them
bringing up personal information of myself and employees. At this point I
personally filed a police report in preparation for a possible SWATing
attempt.  As they continued to harass our company, more and more red flags
indicated that I would soon be targeted. This was the point where I decided
I needed to go on the offensive to protect myself, my partner, visiting
family, and my employees. The actions proved to be extremely effective, as
all forms of harassment and threats from the attackers immediately stopped.
In addition to our main objective, we were able to collect intelligence on
the actors behind the botnet as well as identify the attack servers used
by the booter service.



*Afterthoughts*: The decision to hijack the attackers IP space was not
something I took lightly. I was fully aware there were services that
reported such actions and knew that this could potentially be brought up in
discussion and hurt BackConnect’s image. Even though we had the capacity to
hide our actions, we felt that it would be wrong to do so. I have spent a
long time reflecting on my decision and how it may negatively impact the
company and myself in some people’s eyes, but ultimately I stand by it. The
experience and feedback I have gained from these events has proven
invaluable and will be used to shape the policies surrounding the future
handling of similar situations. I 

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Ryan, Spencer
I'm in the "never acceptable" camp. Filtering routes/peers? Sure. Disconnecting 
one of your own customers to stop an attack originating from them? Sure. 
Hijacking an AS you have no permission to control? No.


Obviously my views and not of my employer.

Spencer Ryan | Senior Systems Administrator | 
sr...@arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com



From: NANOG  on behalf of Blake Hudson 
Sent: Monday, September 12, 2016 11:24:03 AM
To: nanog@nanog.org
Subject: Re: "Defensive" BGP hijacking?


Hugo Slabbert wrote on 9/11/2016 3:54 PM:
> Hopefully this is operational enough, though obviously leaning more towards 
> the policy side of things:
>
> What does nanog think about a DDoS scrubber hijacking a network "for 
> defensive purposes"?
>
> http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/
>
> "For about six hours, we were seeing attacks of more than 200 Gbps hitting 
> us,” Townsend explained. “What we were doing was for defensive purposes. We 
> were simply trying to get them to stop and to gather as much information as 
> possible about the botnet they were using and report that to the proper 
> authorities.”
>


https://bgpstream.com/event/54711

My suggestion is that BackConnect/Bryant Townsend should have their ASN
revoked for fraudulently announcing another organization's address
space. They are not law enforcement, they did not have a warrant or
judicial oversight, they were not in immediate mortal peril, etc, etc.


RE: comcast and msoft ports

2016-09-11 Thread Ryan, Spencer
Having those ports exposed to the Internet is scary. Comcast is right in 
blocking them.





 Original message 
From: Randy Bush 
Date: 9/11/16 2:48 PM (GMT-05:00)
To: Ca By 
Cc: North American Network Operators' Group 
Subject: Re: comcast and msoft ports

sigh.  well that was some fun hours debugging; not.

thanks

randy


RE: comcast and msoft ports

2016-09-11 Thread Ryan, Spencer
https://customer.xfinity.com/help-and-support/internet/list-of-blocked-ports/






 Original message 
From: Randy Bush 
Date: 9/11/16 2:35 PM (GMT-05:00)
To: North American Network Operators' Group 
Subject: comcast and msoft ports

anyone know if comcast residential filters 139/445?

randy


Re: Use of unique local IPv6 addressing rfc4193

2016-09-08 Thread Ryan, Spencer
I agree with Karl.


We use the ULA space for our internal test labs. The /48's we have in use get 
routed around internally but have no chance of leaking to the internet.


Spencer Ryan | Senior Systems Administrator | 
sr...@arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com



From: NANOG  on behalf of Karl Auer 

Sent: Thursday, September 8, 2016 8:49:34 PM
To: nanog@nanog.org
Subject: Re: Use of unique local IPv6 addressing rfc4193

On Thu, 2016-09-08 at 23:43 +, Pshem Kowalczyk wrote:
> both ways - if we decide to use it we'll have to either overlay it
> with public IPv6 space (and provide the NAT/proxy for where we don't
> have any public IPv6 assigned) or simply not use the fc00::/7 and
> skip the NAT/proxy aspects of it.

There is no necessary link between ULA addresses and NAT. You don't
have to NAT ULA, *ever*. If you need public addresses, go get them.
There are enough.

IMHO one should use ULA in only three situations:

- a completely isolated network
- for internal communications (e.g. fabric management)
- for testing

Regards, K.

--
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
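
The two points above, a ULA /48 that is generated the RFC 4193 way and a routing policy that gives it "no chance of leaking", as an added example that is not code from either post. It derives the /48 from RFC 4193 section 3.2.2 (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits as the Global ID, under fd00::/8) and then runs a candidate announcement list through a filter that drops everything inside fc00::/7. The MAC address, timestamp and prefix list are constructed sample inputs; the function names are this example's own.

```python
"""RFC 4193 ULA generation plus an export filter that keeps ULA off the
public table. Added example, not code from the NANOG thread; the MAC and
timestamp used at the bottom are constructed sample inputs."""
import hashlib
import ipaddress
import struct
import time
from itertools import islice

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 reserved block
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # L=1: locally assigned


def eui64_from_mac(mac: str) -> bytes:
    """Expand a 48-bit MAC to a Modified EUI-64 (RFC 4291 Appendix A):
    flip the universal/local bit and insert ff:fe between the OUI and
    the device-specific half."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", secs, frac)


def ula_prefix(mac: str, unix_seconds=None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = least significant 40 bits of
    SHA-1(NTP time || EUI-64); the prefix is fd00::/8 with the Global ID
    appended, giving a /48 for the site."""
    if unix_seconds is None:
        unix_seconds = time.time()
    key = ntp_timestamp(unix_seconds) + eui64_from_mac(mac)
    global_id = hashlib.sha1(key).digest()[-5:]   # low 40 bits of the digest
    packed = b"\xfd" + global_id + bytes(10)      # fd | Global ID | 80 zero bits
    return ipaddress.IPv6Network((packed, 48))


def is_ula(prefix) -> bool:
    """True for anything inside fc00::/7 (both the fc00::/8 and fd00::/8 halves)."""
    return ipaddress.IPv6Network(prefix, strict=False).subnet_of(ULA_BLOCK)


def export_filter(prefixes):
    """Split a candidate announcement list into what may leave the AS and
    what must stay internal. ULA is dropped unconditionally, which is the
    property that makes 'routed around internally, never to the internet'
    hold regardless of what an IGP redistributes into BGP."""
    allowed, dropped = [], []
    for p in prefixes:
        net = ipaddress.IPv6Network(p, strict=False)
        (dropped if net.subnet_of(ULA_BLOCK) else allowed).append(str(net))
    return allowed, dropped


if __name__ == "__main__":
    # Constructed sample inputs: not a real interface or a real clock reading.
    lab = ula_prefix("00:1b:21:aa:bb:cc", unix_seconds=1473382800)
    print("lab ULA /48:", lab)
    # Carve the first three /64s out of the /48 for separate lab segments.
    for site, subnet in enumerate(islice(lab.subnets(new_prefix=64), 3)):
        print("  lab segment", site, "->", subnet)
    print("export filter:", export_filter(["2001:db8:1::/48", str(lab), "fc00:1::/64"]))
```

The filter deliberately matches fc00::/7 rather than only fd00::/8: the fc00::/8 half is reserved for a never-defined central registry, so nothing inside it should ever reach the DFZ either, and a generator that picked its Global ID by hand rather than by hashing is exactly the case the filter has to catch.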





Re: Level 3 voice outage?

2016-08-29 Thread Ryan, Spencer
Ran across this earlier, it sounds bad.


https://www.reddit.com/r/networking/comments/504xbo/level_3_voice_outage_global_ticket_being_worked/





From: NANOG  on behalf of David Hubbard 

Sent: Monday, August 29, 2016 10:31:19 AM
To: nanog@nanog.org
Subject: Level 3 voice outage?

Curious if anyone else is having issues with Level 3 (legacy Twtelecom 
specifically) enterprise SIP?  I’m at minute 45 of being on hold with them, so 
I suspect they are having known issues.  Our sales rep mentioned a toll free 
outage being tracked under master ticket 11377637 but I don’t have the details 
of that yet.

We’re seeing our toll free numbers completely down, since what I believe to be 
4a EST time frame.  Most of our toll numbers have an unusual 25 second delay 
before we get any SIP traffic from their equipment, but the call does 
ultimately connect.

David


Re: Managed global low latency network with any to any connectivity

2016-08-24 Thread Ryan, Spencer
AT&T's AVPN product (Layer 3 VPN/"MPLS") does any-any routing and constantly 
changes L3 hops for the best pathing.


I've used the service at a few jobs and the product itself is quite good. 
Dealing with them for things like MACD's can be...frustrating.


We've never had a location they couldn't service either directly or via another 
last mile carrier.





From: NANOG  on behalf of Arqam Gadit 

Sent: Wednesday, August 24, 2016 11:13:56 AM
To: nanog@nanog.org
Subject: Managed global low latency network with any to any connectivity

Hello guys,

I am looking for a global network with:

   - lowest possible latency
   - lowest possible jitter (packet loss and latency variation)
   - lowest possible monetary cost

The few providers I have talked to until now, they all provide a
point-to-point low latency link. However, what I am looking for is
any-to-any connectivity so I can get from one point to another in least
possible time and least possible cost.

Would appreciate if you guys can point me in the right direction.

Thanks!

Arqam


Re: Arista unqualified SFP

2016-08-23 Thread Ryan, Spencer
It won't work. They require the hashed key that support/your AM has to generate 
for your org.





From: NANOG  on behalf of Ryan Gelobter 

Sent: Tuesday, August 23, 2016 10:58:36 AM
To: Stanislaw
Cc: nanog list
Subject: Re: Arista unqualified SFP

Instead of patching the python what happens if you just run 'no errdisable
recovery cause xcvr-unsupported'

On Thu, Aug 18, 2016 at 5:24 AM, Stanislaw  wrote:

> Hi all,
> If somebody is following my epic adventure of getting unqualified SFP to
> work on Aristas, here is the unhappy end of it.
>
> I've written to Arista support and got the following dialogue:
> Support guy:
> Hi,
> Thank you for contacting Arista Support. My name is  and I'll be
> assisting you on this case.
> Could you please provide the "show version" output from this switch?
>
> Me:
> Hi,
> Here it is:
> 
>
> Support guy:
> Hi,
> Thank you for the information.
> Unfortunately, we are unable to activate your 3rd party components. To
> ensure ongoing quality, Arista devices are designed to support only
> properly qualified transceivers.
> Please let me know if you have any other questions.
>
> Me:
> I do not understand,
> But there is a command which allows using non-Arista transceivers. Why
> have you implemented it but don't provide an access key to your customers
> when they ask for it?
> If it is required to sign some papers which declare that I am aware of all
> the risks and losing my warranty - I agree with that, let's do it. Anyway,
> what are the conditions to receive that access key?
>
> Support guy:
> I'm afraid that there is nothing I'm able to do regarding this situation.
> If you have any other questions regarding enabling 3rd party options in
> Arista switches, I suggest to contact your local account team (or sales)
> for further discussion on this matter.
>
>
> Next, I've tried inserting various QSFP+ DAC cables I have - none of them
> has even been detected on the switch, it was acting like nothing has been
> inserted. I guess that even if I get the key, most of my transceivers/DAC
> cables (which work like a champ in Juniper or Extreme switches) wouldn't
> work.
>
> I'm writing this post to make somebody who considers buying their switches
> be aware of what they'd get. Just buy Juniper instead.
>
>
>
> Stanislaw wrote at 2016-08-17 23:25:
>
>> Hi Tim,
>>
>> Thanks for your expressive answer. Will try it :)
>>
>> Tim Jackson wrote 2016-08-17 22:57:
>>
>> I'd suggest bitching and moaning at your account team & support until
>>> they give you the key to unlock them..
>>>
>>> --
>>> Tim
>>>
>>> On Wed, Aug 17, 2016 at 2:50 PM, Stanislaw  wrote:
>>>
>>>> Hi all,
>>>> Is there a way for unlocking off-brand transceivers usage on Arista
>>>> switches?
>>>>
>>>> I've got an Arista 7050QX switch with 4.14 EOS version. Then it has
>>>> been found out that Arista switches seem to not have the possibility to unlock
>>>> off-brand xcievers usage (by some service command or so).
>>>>
>>>> I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the
>>>> checking function bypass the actual check and it helped: ports are not in
>>>> errdisable state anymore. But despite the xcievers being detected correctly,
>>>> links aren't coming up (they are in notconnect state).
>>>>
>>>> If anyone possibly does have sacred knowledge of bringing
>>>> off-branded transceivers to life on Arista switches, your help'd be very
>>>> appreciated. Thanks.
>>>>
>>>


Re: Arista unqualified SFP

2016-08-18 Thread Ryan, Spencer
All of our X520's don't care if you use Arista or Proline DAC cables (the two 
brands we have around).





From: NANOG  on behalf of Ryan DiRocco 

Sent: Thursday, August 18, 2016 9:49:14 AM
To: Mikael Abrahamsson; Mark Tinka
Cc: nanog list
Subject: RE: Arista unqualified SFP

If you are running Intel NIC(s) such as the X520-DA2 with 3rd party optics for 
something like DWDM, there are driver option flags for linux/windows, etc to 
permit the use of the optics. In deployments we've used various branded dac 
cables to connect Intel branded nics to cisco/arista/brocade, without issue.

As with any vendor, there is a work around procedure.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mikael Abrahamsson
Sent: Thursday, August 18, 2016 8:33 AM
To: Mark Tinka
Cc: nanog list
Subject: Re: Arista unqualified SFP

On Thu, 18 Aug 2016, Mark Tinka wrote:

> All other vendors, explicitly or silently, adopt the same approach.

I've heard from people running Intel NICs and HP switches that this can't be 
turned off there. You run into very interesting problems when you're trying to 
use DAC cables between multiple vendors.

Any pointers to how to turn this off on Intel NICs and HP switches?

--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: Arista unqualified SFP

2016-08-17 Thread Ryan, Spencer
Yes, email support and ask for the unlock code, they will make you agree that 
you know that 3rd party optics may explode the switch and it's not their fault.


The command they give you will have a key/hash built into it (but will work on 
any switch) that ties the "unlock" to your org.


Ours looks like this:


service unsupported-transceiver DescriptionOfKeyFromAristaGoesHere 00 
(hex key)





From: NANOG  on behalf of Stanislaw 
Sent: Wednesday, August 17, 2016 3:50:12 PM
To: nanog@nanog.org
Subject: Arista unqualified SFP

Hi all,
Is there a way for unlocking off-brand transceivers usage on Arista
switches?

I've got an Arista 7050QX switch with 4.14 EOS version. Then it has been
found out that Arista switches seem to not have the possibility to unlock
off-brand xcievers usage (by some service command or so).

I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the
checking function bypass the actual check and it helped: ports are not
in errdisable state anymore. But despite the xcievers being detected
correctly, links aren't coming up (they are in notconnect state).

If anyone possibly does have sacred knowledge of bringing
off-branded transceivers to life on Arista switches, your help'd be very
appreciated. Thanks.


RE: Email to text - vtext.com blacklisting ip

2016-08-16 Thread Ryan, Spencer
I agree. Pay PagerDuty or an SMS gateway with an SLA. Relying on the free 
service for anything critical is asking for trouble.





-------- Original message --------
From: Josh Luthman 
Date: 8/16/16 6:09 PM (GMT-05:00)
To: Mike 
Cc: NANOG list 
Subject: Re: Email to text - vtext.com blacklisting ip

If it's critical I'd suggest a service that can be depended on...

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Aug 16, 2016 5:45 PM, "Mike"  wrote:

> Hi,
>
>
> I have a server that monitors my network and issues text messages if
> there are events of note that require human intervention. There is some
> process filtering that ensures it also is not able to issue more than 1
> alert maximum per 5 minutes, to ensure it doesn't flood pagers with
> messages all screaming the sky is falling when things are not going well.
> Recently however, this server is no longer able to deliver messages to
> vtext.com - it gets nothing but 554 errors:
>
>
> telnet 69.78.67.53 25
> Trying 69.78.67.53...
> Connected to 69.78.67.53.
> Escape character is '^]'.
> 554 txslspamp10.vtext.com
> Connection closed by foreign host.
>
> Granted on some days during challenging times it can send 30 or 40
> messages before we get to it and get it squelched / silenced, but it's
> otherwise reasonably well behaved IMHO and I don't think we are any heavy
> volume sender. So I am trying to figure out why it's blacklisted then and
> am rolling snake eyes.  If anyone who is an admin for verizon or who has
> any insight to share I'd certainly appreciate it. Email to text is a
> critical function we depend on.
>
>
> Thank you.
>
>
>


RE: ARIN Route Registry Issue

2016-08-13 Thread Ryan, Spencer
It says email will be online. Not that anyone will be there to answer them.





-------- Original message --------
From: Randy Bush 
Date: 8/13/16 6:30 PM (GMT-05:00)
To: Frank Bulk 
Cc: North American Network Operators' Group 
Subject: Re: ARIN Route Registry Issue

> They are moving offices.
> https://www.arin.net/announcements/2016/20160804.html

"All other customer support business systems (website, email, ARIN
Online, RESTful Provisioning, Whois, RDAP, IRR, RPKI repository, etc.)
will remain operational during the move."



Re: IPv6 Deployment for Mobile Subscribers

2016-07-22 Thread Ryan, Spencer
> I would love to test it, but it will be no surprise that none of the four
> carriers enabled IPv6.


Verizon Wireless has been dual stack for many years, before they ran out of 
public IPv4 addresses and switched handsets to RFC1918 space for v4.


From: NANOG  on behalf of Baldur Norddahl 

Sent: Friday, July 22, 2016 4:10:41 PM
To: nanog@nanog.org
Subject: Re: IPv6 Deployment for Mobile Subscribers

On 22 Jul 2016 at 20:25, "Ca By" wrote:

> Phones, as in 3gpp? If so, each phone always gets a /64, there is no
> choice.
>
> https://tools.ietf.org/html/rfc6459

Here the cell companies are marketing their 4G LTE as an alternative to
DSL, Coax and fiber for internet access in your home with a 4G wifi router.
If they can not do prefix delegation it is no alternative!

I would love to test it, but it will be no surprise that none of the four
carriers enabled IPv6.

Regards

Baldur


Re: IPv6 Deployment for Mobile Subscribers

2016-07-22 Thread Ryan, Spencer
As far as I'm aware Android still today does not support DHCPv6.


https://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_operating_systems


From: NANOG  on behalf of james machado 

Sent: Friday, July 22, 2016 12:57:58 PM
To: Ricardo Ferreira
Cc: NANOG
Subject: Re: IPv6 Deployment for Mobile Subscribers

Ricardo,

I know from previous discussions on this list that Android phones are
looking for DHCPD leases and not /128's or /64's.  From what I remember
this is due to the current requirement for multiple ipv6 subnets for
various applications (vpns among others) to function correctly.  As a
result Google has disabled Android from receiving a DHCP lease as it wasn't
long enough.

If you look back about 6 months there are probably 100+ posts on the subject.

All I really know is that I can not provide an ipv6 dhcp lease to an
android phone and have it receive the address.


james

On Fri, Jul 22, 2016 at 1:54 AM, Ricardo Ferreira <
ricardofbferre...@gmail.com> wrote:

> Is there anyone here working in an ISP where IPv6 is deployed?
> We are starting to plan the roll-out of IPv6 to mobile subscribers (phones).
> I am interested in knowing the mask you use for the assignment; whether it
> is /64 or /128.
>
> In RFC 3177, it says:
> 3. Address Delegation Recommendations
>
>The IESG and the IAB recommend the allocations for the boundary
>between the public and the private topology to follow those general
>rules:
>
>   -  /48 in the general case, except for very large subscribers.
>   -  /64 when it is known that one and only one subnet is needed by
>  design.
>   -  /128 when it is absolutely known that one and only one device
>  is connecting.
>
> Basically a sole device will be connecting to the internet so I am
> wondering if this rule is followed.
>
> Cheers
>
> --
> Ricardo Ferreira
>