Re: Youtube CDN unreachable over IPv6

2016-01-14 Thread Seth Mos
On 6-11-2015 at 19:17, Christopher Schmidt via NANOG wrote:
> Hi all,
> 
> Thanks for the reports.
> 
> To the best of our knowledge, this issue has been resolved at this
> time. If you are still having problems connecting to YouTube CDN
> nodes, please feel free to let me know, and I will investigate
> further.

It's here again since this Tuesday.

lsintra:~# host r2---sn-8xgn5uxa-i5he.googlevideo.com
r2---sn-8xgn5uxa-i5he.googlevideo.com is an alias for
r2.sn-8xgn5uxa-i5he.googlevideo.com.
r2.sn-8xgn5uxa-i5he.googlevideo.com has address 62.214.62.205
r2.sn-8xgn5uxa-i5he.googlevideo.com has IPv6 address 2001:1438:1:2::d
lsintra:~# telnet 62.214.62.205 443
Trying 62.214.62.205...
Connected to cache.google.com (62.214.62.205).
Escape character is '^]'.
^]
telnet> quit
Connection closed.
lsintra:~# telnet 2001:1438:1:2::d 443
Trying 2001:1438:1:2::d...
^]quit
^]^[^]^C
lsintra:~#

Is it possible for Google to realize some form of internal monitoring to
catch these defunct dual stack nodes?

Kind regards,

Seth


> On Fri, Nov 6, 2015 at 12:48 PM, Blair Trosper <blair.tros...@gmail.com> 
> wrote:
>> This was happening two weeks ago in the Bay Area as well.  It happens quite
>> a lot, actually...search for my old threads.  I gave up trying to get it
>> noticed.
> 
> Blair,
> 
> I'm not aware of a similar issue with IPv6 being unavailable while
> IPv4 is available recently.
> 
> I did not see any threads with information in them with the name
> "Blair" attached in either the October archive
> (http://mailman.nanog.org/pipermail/nanog/2015-October/thread.html) or
> the September archive
> (http://mailman.nanog.org/pipermail/nanog/2015-September/thread.html)
> .
> 
> If this issue is ongoing, I would be happy to look into this;
> otherwise, I don't believe there is any action I can take to assist at
> this time.
> 
> All the best.
> 
> 
>>> * seth@dds.nl (Seth Mos) [Fri 06 Nov 2015, 09:00 CET]:
>>>> Dear Google,
>>>>
>>>> It appears that one of the Youtube CDNs (in Europe, NL) is not
>>>> reachable over IPv6 from AS 20844. Can someone get back to us on this?
>>>> The company can't access any of the videos currently, although the
>>>> main page loads fine (over IPv6).
>>>>
>>>> Kind regards,
>>>>
>>>> Seth
>>>>
>>>> telnet r6---sn-5hne6n76.googlevideo.com 443
>>>> Trying 2a00:1450:401c:4::b...
>>>> telnet: connect to address 2a00:1450:401c:4::b: Connection timed out
>>>> Trying 74.125.100.203...
>>>> Connected to r6.sn-5hne6n76.googlevideo.com (74.125.100.203).
>>>> Escape character is '^]'.
>>>> Connection closed by foreign host.
>>>>
>>>> telnet www.youtube.com 443
>>>> Trying 2a00:1450:4013:c01::5d...
>>>> Connected to youtube-ui.l.google.com (2a00:1450:4013:c01::5d).
>>>> Escape character is '^]'.
>>>> Connection closed by foreign host.
>>>
> 



Re: Youtube CDN unreachable over IPv6

2016-01-14 Thread Seth Mos
On 14-1-2016 at 16:37, valdis.kletni...@vt.edu wrote:
> On Thu, 14 Jan 2016 16:04:54 +0100, Seth Mos said:
> 
>> lsintra:~# telnet 62.214.62.205 443
> 
>> lsintra:~# telnet 2001:1438:1:2::d 443
> 
>> Is it possible for Google to realize some form of internal
>> monitoring to catch these defunct dual stack nodes?
> 
> A traceroute to both would help greatly in determining whether it's
> really Google's fault, or if your ipv6 routing is borked.
> 

I can reach the rest of the Google IPv6 services over IPv6, the player
loads, but the video stream does not.

I've pasted the traceroute below.

seth@ratchet:~$ traceroute 62.214.62.205
traceroute to 62.214.62.205 (62.214.62.205), 30 hops max, 60 byte packets
 1  edge-c2f.coltex.nl (91.227.27.41)  88.901 ms  88.932 ms  89.008 ms
 2  91.227.27.3 (91.227.27.3)  0.522 ms  0.568 ms  0.628 ms
 3  90-145-28-101.network.unet.nl (90.145.28.101)  2.104 ms  3.673 ms  3.665 ms
 4  dus002isp005.versatel.de (80.249.209.109)  11.773 ms  11.612 ms  11.594 ms
 5  10g-9-4.esn001isp005.versatel.de (62.214.110.234)  12.181 ms  12.306 ms  12.416 ms
 6  ge-05-01-803.dor002isp005.versatel.de (62.214.111.26)  12.174 ms  ge-5-1-853.dor002isp006.versatel.de (62.214.111.30)  12.252 ms  ge-05-01-803.dor002isp005.versatel.de (62.214.111.26)  12.069 ms
 7  dor2is2.versatel.de (62.214.104.170)  13.174 ms  fra20ip6.versatel.de (62.214.104.174)  12.954 ms  13.159 ms
 8  10g-9-4.hhb002isp005.versatel.de (62.214.110.110)  18.732 ms  10g-8-4.hhb002isp005.versatel.de (62.214.110.122)  19.051 ms  18.653 ms
 9  * * *

seth@ratchet:~$ traceroute 2001:1438:1:2::d
traceroute to 2001:1438:1:2::d (2001:1438:1:2::d), 30 hops max, 80 byte packets
 1  * * cltx-gw.coltex.nl (2001:67c:226c:ff00::1)  4.302 ms
 2  2001:67c:226c:ff01::3 (2001:67c:226c:ff01::3)  0.418 ms  0.418 ms  0.451 ms
 3  2a02:120:0:200::3:1 (2a02:120:0:200::3:1)  2.205 ms  2.376 ms  2.360 ms
 4  dus002isp005.versatel.de (2001:7f8:1::a500:8881:1)  11.594 ms  11.364 ms  11.523 ms
 5  2001:1438:0:1::4e2 (2001:1438:0:1::4e2)  12.522 ms  2001:1438:0:1::212 (2001:1438:0:1::212)  12.704 ms  2001:1438:0:1::222 (2001:1438:0:1::222)  12.676 ms
 6  2001:1438:0:1::2a2 (2001:1438:0:1::2a2)  63.452 ms  2001:1438:0:1::2b2 (2001:1438:0:1::2b2)  63.572 ms  2001:1438:0:1::2a2 (2001:1438:0:1::2a2)  63.538 ms
 7  2001:1438:0:1::112 (2001:1438:0:1::112)  13.318 ms  13.225 ms  2001:1438:0:1::522 (2001:1438:0:1::522)  13.087 ms
 8  2001:1438:0:1::92 (2001:1438:0:1::92)  18.879 ms  2001:1438:0:1::172 (2001:1438:0:1::172)  19.088 ms  2001:1438:0:1::92 (2001:1438:0:1::92)  18.959 ms
 9  * * *

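The kind of dual-stack reachability check Seth asks Google for, written here as an added example (not code from the thread or from Google): it resolves a node name to all of its A and AAAA records, attempts a TCP handshake to each address, and classifies a node whose IPv4 address answers while its IPv6 address times out as "v6-broken", the symptom shown by the telnet and traceroute output in the two messages above. The host name in the `__main__` block is a placeholder; the resolver and prober are injectable so the classification can be exercised offline.

```python
"""Dual-stack reachability monitor for CDN nodes.

Added example, not code from the thread or from Google. Resolves a name to
every A and AAAA record, attempts a TCP handshake to each address and
reports when the IPv6 side of a dual-stack node has gone dark while IPv4
still answers, the symptom Seth shows with telnet above.
"""
import socket
from typing import Callable, List, Tuple

CONNECT_TIMEOUT = 5.0  # seconds; a dead node usually times out rather than refusing

Addr = Tuple[str, str]          # ("v4" | "v6", literal address)
Probe = Tuple[str, str, bool]   # ("v4" | "v6", literal address, handshake completed?)


def resolve(name: str, port: int) -> List[Addr]:
    """Return every A/AAAA record of name, labelled by address family."""
    found: List[Addr] = []
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(name, port, type=socket.SOCK_STREAM):
        label = "v6" if family == socket.AF_INET6 else "v4"
        if (label, sockaddr[0]) not in found:
            found.append((label, sockaddr[0]))
    return found


def tcp_probe(label: str, address: str, port: int, timeout: float = CONNECT_TIMEOUT) -> bool:
    """True if a TCP handshake to address:port completes within timeout."""
    family = socket.AF_INET6 if label == "v6" else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((address, port))
        return True
    except OSError:          # timeout, refused, unreachable, no route
        return False


def classify(probes: List[Probe]) -> str:
    """Summarise one node's probe results.

    ok            every published address answered
    single-stack  only one family is published, and it answered
    down          nothing answered
    v6-broken     all IPv4 addresses answered, at least one IPv6 address did not
    v4-broken     all IPv6 addresses answered, at least one IPv4 address did not
    mixed         failures on both families, but not everywhere
    unresolved    no addresses at all
    """
    v4 = [ok for fam, _addr, ok in probes if fam == "v4"]
    v6 = [ok for fam, _addr, ok in probes if fam == "v6"]
    if not v4 and not v6:
        return "unresolved"
    if all(v4) and all(v6):
        return "ok" if v4 and v6 else "single-stack"
    if not any(v4) and not any(v6):
        return "down"
    if all(v4) and not all(v6):
        return "v6-broken"
    if all(v6) and not all(v4):
        return "v4-broken"
    return "mixed"


def check_node(name: str, port: int = 443,
               resolver: Callable[[str, int], List[Addr]] = resolve,
               probe: Callable[[str, str, int], bool] = tcp_probe) -> Tuple[str, List[Probe]]:
    """Resolve name, probe each address, return (verdict, per-address results)."""
    try:
        addrs = resolver(name, port)
    except socket.gaierror:
        return "unresolved", []
    results = [(fam, addr, probe(fam, addr, port)) for fam, addr in addrs]
    return classify(results), results


if __name__ == "__main__":
    import sys
    # Placeholder name; pass the googlevideo.com node names from the thread on the command line.
    for host in sys.argv[1:] or ["cdn-node.example.net"]:
        verdict, results = check_node(host)
        print(f"{host}: {verdict}")
        for fam, addr, ok in results:
            print(f"  {fam:2} {addr:40} {'connected' if ok else 'FAILED'}")
```

Run it from cron against the node names that appear in your players' traffic and alert on anything other than "ok"; a "v6-broken" verdict from a vantage point whose IPv6 path otherwise works is exactly the evidence Valdis asks for.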


Re: Broadband Router Comparisons

2015-12-23 Thread Seth Mos
Smallnetbuilder.com has quite a few models of routers tested, which is decent. 
I've bugged them about IPv6 testing before but not too much progress there. 
Power consumption is not listed either, which can be as expensive as the router 
itself at 21 cents per kWh.

Regards,
Seth


-------- Original message --------
From: Lorell Hathcock
Date: 24-12-2015 03:49 (GMT+01:00)
To: nanog@nanog.org
Subject: Broadband Router Comparisons

All:

Not all consumer grade customer premises equipment is created equally.  But end 
customers sure think it is.  I have retirement aged customers buying the 
crappiest routers and then blaming my cable network for all their connection 
woes.  The real problem is that there were plenty of problems on the cable 
network to deal with, so it was impossible to tell between a problem that a 
customer was having with their CPE versus a real problem in my network.

Much of that has been cleared up on my side now, but customers were used to 
blaming us for everything so that they don't even consider that their equipment 
could be to blame.

I want to be able to point out a third party list of all (most) broadband 
routers that rates them by performance.  Or that rates them by crappiness that 
I can send them to so they can look up their own router and determine if other 
users have had problems with that router and what can be done to fix it.

So far my search has been in vain.

Any thoughts?

Thanks in advance.

Lorell Hathcock

Sent from my iPad

Re: Google Chrome 47.0.2526.73M broken NTLM proxy authentication

2015-12-06 Thread Seth Mos
A quick update, Google Chrome engineering did cut a new release with a
fix for this but it's not available yet.

https://code.google.com/p/chromium/issues/detail?id=544255

The current workaround is to shrink your return headers to smaller than
4096 bytes to prevent the authentication popup.

Get ready for a rough Monday morning, we've already had to field quite a
few calls, and the GPO policy doesn't work, yay.

Dear Google, your internet browser doesn't browse the internet, please
make haste.

Kind regards,

Seth


On 3-12-2015 at 9:04, Seth Mos wrote:
> Dear Google,
> 
> As of Dec 2nd the Google Chrome 47.0.2526.73M breaks NTLM proxy
> authentication. This is unfortunate as nobody can get off the company
> network now, which is secure I suppose, but not quite what I had in mind.
> 
> https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome
> 
> So if anybody gets called that Google Chrome is throwing a
> username/password prompt for every website you try, listing the website
> as the authentication domain, instead of the proxy server, this is for you.
> 
> If you are ahead of the curve, you can make a GPO to disable Chrome
> updates for the time being until this is fixed. If the browser already
> updated, well, sorry.
> 
> Kind regards,
> 
> Seth
> 



Google Chrome 47.0.2526.73M broken NTLM proxy authentication

2015-12-03 Thread Seth Mos
Dear Google,

As of Dec 2nd the Google Chrome 47.0.2526.73M breaks NTLM proxy
authentication. This is unfortunate as nobody can get off the company
network now, which is secure I suppose, but not quite what I had in mind.

https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome

So if anybody gets called that Google Chrome is throwing a
username/password prompt for every website you try, listing the website
as the authentication domain, instead of the proxy server, this is for you.

If you are ahead of the curve, you can make a GPO to disable Chrome
updates for the time being until this is fixed. If the browser already
updated, well, sorry.

Kind regards,

Seth


Youtube CDN unreachable over IPv6

2015-11-06 Thread Seth Mos
Dear Google,

It appears that one of the Youtube CDNs (in Europe, NL) is not
reachable over IPv6 from AS 20844. Can someone get back to us on this?
The company can't access any of the videos currently, although the
main page loads fine (over IPv6).

Kind regards,

Seth

telnet r6---sn-5hne6n76.googlevideo.com 443
Trying 2a00:1450:401c:4::b...
telnet: connect to address 2a00:1450:401c:4::b: Connection timed out
Trying 74.125.100.203...
Connected to r6.sn-5hne6n76.googlevideo.com (74.125.100.203).
Escape character is '^]'.
Connection closed by foreign host.

telnet www.youtube.com 443
Trying 2a00:1450:4013:c01::5d...
Connected to youtube-ui.l.google.com (2a00:1450:4013:c01::5d).
Escape character is '^]'.
Connection closed by foreign host.


Re: another tilt at the Verizon FIOS IPv6 windmill

2015-07-18 Thread Seth Mos

Ricky Beam wrote on 18-7-2015 at 1:14:
> On Fri, 17 Jul 2015 06:25:26 -0400, Christopher Morrow 
> morrowc.li...@gmail.com wrote:
> 
>> mean that your UBee has to do dhcpv6? (or the downstream thingy from
>> the UBee has to do dhcpv6?)
> 
> The Ubee router is in bridge mode. Customers have ZERO access to the 
> thing, even when it is running in routed mode. So I have no idea what 
> it's trying to do.  All I can say is no RAs are coming from it 
> (through it/whatever) It *could* be it's blocking it -- it's 
> multicast, so who knows what it's doing with it.  Without RAs, nothing 
> connected to it will even attempt IPv6 -- the RA being the indicator 
> to use DHCP or not, and who's the router.
> 
> And further, when I tell my Cisco 1841 to do DHCP anyway, I get no 
> answer.
> 
> So, the blanket statement that it's ready isn't true.
For a point of interest, the Ubee 320 and 321 wireless routers/modems 
are in use by Ziggo in the Netherlands.


Although they've rolled back the 320 modems to an older firmware, the 321 
is still active on their IPv6 rollout. The problems were not strictly 
related to IPv6 per se, but the newer firmware broke Voice on these 
all-the-things-in-one devices.


The 321 appears to be unaffected and is still active, although in just a 
few regions at this point of the rollout.


What's very specific about this rollout in relation to the above, is 
that Ziggo is currently only supporting IPv6 with the Ubee in router 
mode (with the wifi hotspot). The good news is that it also operates a 
DHCP-PD server so that you can connect your own router to the Ubee and 
still get IPv6 routed to you out of the /56 allocated to the customer.


For now, all the customers with the Ubee in bridge mode are SOL. It's 
not clear what the reason is, but Ubee in bridge mode with IPv6 is 
listed on the road map. Whether that's intentional policy or the 
firmware isn't ready yet is not clear at this point.


Regards,
Seth


Re: Remember Internet-In-A-Box?

2015-07-16 Thread Seth Mos
So, if I get this right, the problem is not quite as bad to fix.
It just needs a dnscache/dnsproxy process bound to the IPv4 localhost that uses 
the IPv6 DNS server.
Basically what dnsmasq does. Biggest problem is that it wouldn't follow 
autoconfigure and thus require manual intervention. That is a no go for dynamic 
networks of any sort.
Cheers

-------- Original message --------
From: Owen DeLong o...@delong.com
Date: 16-07-2015 08:51 (GMT+01:00)
To: Mark Andrews ma...@isc.org
Cc: nanog@nanog.org
Subject: Re: Remember Internet-In-A-Box?
> On Jul 15, 2015, at 19:32 , Mark Andrews ma...@isc.org wrote:
> 
> 
>> In message 55a682e6.1050...@matthew.at, Matthew Kaufman writes:
>> On 7/14/2015 11:22 PM, Mark Andrews wrote:
>> 
>>> Yet I can take a Windows XP box.  Tell it to enable IPv6 and it
>>> just works.  Everything that a node needed existed when Windows XP
>>> was released.  The last 15 years has been waiting for ISP's and CPE
>>> vendors to deliver IPv6 as a product.  This is not to say that every
>>> vendor deployed all the parts of the protocol properly but they
>>> existed.
>> 
>> This is only true for dual-stacked networks. I just tried to set up an 
>> IPv6-only WiFi network at my house recently, and it was a total fail due 
>> to non-implementation of relatively new standards... starting with the 
>> fact that my Juniper SRX doesn't run a load new enough to include RDNSS 
>> information in RAs, and some of the devices I wanted to test with 
>> (Android tablets) won't do DHCPv6.
> 
> You can blame the religious zealots that insisted that everything
> DHCP does has to also be done via RA's.  This means that everyone
> has to implement everything twice.  Something Google should have
> realised when they released Android.

Actually, no.

In this case, the problem isn’t the things RA does, but the things his
implementation of RA doesn’t do (RDNSS).

Without RDNSS, android would still be brain-damaged and unable
to figure out what an IPv6 nameserver is. The only way it would be
able to talk to the IPv6 internet was if it got nameservers from DHCP4.

At least with RDNSS, a thin lightweight client can get nameservers on IPv6.
At least with RDNSS, a network administrator that doesn’t want to have
to do DHCPv6 doesn’t have to in most cases.

>> The XP box is in an even worse situation if you try to run it on a 
>> v6-only network.
> 
> Which is fixable with a third party DHCPv6 client / manual configuration
> of the nameservers.

Nope… XP’s resolver is utterly and completely incapable of transmitting
an IPv6 DNS request.

You _HAVE_ to have an IPv4 resolver reachable to the box or forego any
idea of using DNS.

Owen



Re: 'gray' market IPv4

2015-07-14 Thread Seth Mos
We had the same thing finding a broker for a /24 PI in the RIPE region. Not all 
of the brokers have the size you want, e.g. a /20 when you need a /24.
It ends up being between 2500 to 4000 euros depending on notary fees and if you 
already have a LIR agreement.
Cheers

-------- Original message --------
From: Nicholas Warren nwar...@barryelectric.com
Date: 14-07-2015 15:19 (GMT+01:00)
To: nanog@nanog.org
Subject: 'gray' market IPv4
Where is one of these v4 markets that we can buy some IPv4 space from?
I would prefer to have a place where we could see recent transactions, 
something along the lines of x amount of addresses for y amount of monies.

Google search is failing me for some reason..

- Thanks,
Nich



Re: Dual stack IPv6 for IPv4 depletion

2015-07-10 Thread Seth Mos

Meanwhile, I'm sitting here on a patio at a cafe on Samos, Greece. And the free 
wifi gives me native v6 to my tablet and phone without any intervention.

Test-ipv6.com tells me that the score is 10/10 and all the google bits just 
work.

So, surely it just works.

I wish we had it this easy in the Netherlands. There, sales still asks, what 
for (Vodafone fiber).

Cheers,
Seth



Sent from my Samsung tablet


-------- Original message --------
From: Karl Auer ka...@biplane.com.au
Date: 10-07-2015 14:16 (GMT+01:00)
To: NANOG List nanog@nanog.org
Subject: Re: Dual stack IPv6 for IPv4 depletion

On Fri, 2015-07-10 at 02:08 -0400, Ricky Beam wrote:
> And planning for a future that doesn't happen because you're too caught up  
> in *planning* that future is irrelevant, too.

Advocating for fewer limits is not planning. It's the opposite of it.
It's about retaining more flexibility - as a matter of principle.

> And in ~15 years when they have a jobs, they can change what we built.  
> (assuming ever let the paint dry long enough to use it.)

We've had twenty years to implement IPv6 and golly haven't we done a
great job? I suppose we could all hope that our kids will be less
hopeless than we have been. Still... I'd prefer to leave them something
that is easier to change and improve than the last thing we built.

> IPv6 will never get there until it, too, just works.

No - so why do so many people just keep on and on moaning about how IPv6
doesn't just work, forgetting that once upon a time IPv4 didn't just
work either?

Getting there and just working are two things that have to be
developed together. One doesn't follow the other, they both become true
side by side, or neither happens at all.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882




Re: Dual stack IPv6 for IPv4 depletion

2015-07-09 Thread Seth Mos

Residential users just buy another router for wifi coverage at the local 
Walmart. They have no clue about anything internet.
That is why ISP CPE devices should always perform DHCP-PD on their own to 
provide a prefix to the downstream devices so those have globally routed IPv6 
too.
For that to work you need concepts like route aggregation in the form of a /48 
for the CPE so it can hand out a /56 to the customer-bought CPE.
Seth


-------- Original message --------
From: Mike Hammett na...@ics-il.net
Date: 09-07-2015 04:03 (GMT+01:00)
To: nanog@nanog.org
Subject: Re: Dual stack IPv6 for IPv4 depletion

I wasn't aware that residential users had (intentionally) multiple layers of 
routing within the home. 

I'm also not sure what address length has to do with routability, other than 
networks filtering prefix lengths. If that's an issue, that customer is covered 
by the ISP's larger allocation, or they get their own PI space if they're 
BGPing. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


- Original Message -

From: Karl Auer ka...@biplane.com.au 
To: nanog@nanog.org 
Sent: Wednesday, July 8, 2015 8:36:41 PM 
Subject: Re: Dual stack IPv6 for IPv4 depletion 

On Wed, 2015-07-08 at 19:57 -0500, Mike Hammett wrote: 
> Isn't /56 the standard end-user allocation? 

No - it's just a common one. And a bad one. /48s for all opens up a 
whole different world of end-user reachability, routability and 
flexibility that a mere /56 does not. 

Regards, K. 

-- 
~~~ 
Karl Auer (ka...@biplane.com.au) 
http://www.biplane.com.au/kauer 
http://twitter.com/kauer389 

GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4 
Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882 





Re: Youtube / IPv6 / Netherlands

2015-06-25 Thread Seth Mos
Marco Davids wrote on 25-6-2015 at 14:33:
> Hi,
> 
> Would anyone from Google care to explain to me off-list why certain
> Youtube-content is blocked in the Netherlands while using IPv6 when it
> is working fine via IPv4?
> 
> Geolocation imperfections perhaps?
> 
> The IPv6-address is within 2a02:a47f:e000::/36
> (actually, it is: 2a02:a444:443b:0::::)

To add to Marco,

The entire 2a02:a400::/25 prefix is used by KPN Netherlands for consumer
and small business DSL internet.

http://bgp.he.net/ip/2A02:A400:C17F:0::

Kind regards,

Seth


Re: Youtube / IPv6 / Netherlands

2015-06-25 Thread Seth Mos

On 25 Jun. 2015, at 16:44, Max Tulyev max...@netassist.ua wrote:

> Hi,
> 
> +1.
> 
> Our 2a01:d0::/32 is floating by Google's geo all around the world, it
> was Iran, now it is Russia... and I can't do anything with it, and have
> no human contact in Google for complaint.

That sounds like a software problem where it does not match anything in the 
database and then proceeds to return the last known value of the variable. :/

That’s even worse than saying “We don’t know”.

Regards,

Seth

> On 25.06.15 15:33, Marco Davids wrote:
>> Hi,
>> 
>> Would anyone from Google care to explain to me off-list why certain
>> Youtube-content is blocked in the Netherlands while using IPv6 when it
>> is working fine via IPv4?
>> 
>> Geolocation imperfections perhaps?
>> 
>> The IPv6-address is within 2a02:a47f:e000::/36
>> (actually, it is: 2a02:a444:443b:0::::)
>> 
>> Thank you.




Re: Recommended 10GE ISCSI SAN switch

2015-05-12 Thread Seth Mos
Paul S. wrote on 12-5-2015 at 15:36:
> Hi guys,
> 
> We're shortly going to be getting some 10G SANs, and I was wondering
> what people were using as SAN switches for 10G SANs.

In one location an HP Procurve 8212zl with an 8 SFP+ module, and an 8Gbe
module. Here I'm using a Dell EQL PS6210 SSD cabinet and a 24 SATA disk
EQL cabinet on 10G.

In another location on a budget a Netgear M7100 24X with a Dell EQL
PS6010 with Intel S3500 800GB SSDs.

In both locations the switches appear to be doing fine in combination
with VMware ESXi 5.5 and Intel X540-2 cards.

> It is my understanding that low buffer sizes make most 'normal' 10G
> ethernet switches unsuitable for the job.

Not so sure on that, opinions vary a lot here. Similar to the stance on
Flow Control where one vendor will advocate using it and another
advocates against it.

If you only have a single link, then Flow control will sleep the
connection which can impact your performance with a higher Queue depth.
For multiple 1G links the impact is of course a lot less overall.

If you are going to invest in a new SAN make sure to ditch spinning
rust, it's the biggest breakthrough in storage in a while and it's a
factor of a *lot*.

The price doesn't break the bank either, the Dell EQL 6110 was out of
warranty, retail value around $3500 US. The 18 Intel S3500 SSDs were
about 11k euro (16 + 2 spare). In raid 6 that's a good 10TB of storage.
It's a shame that SAN HQ keeps emailing us once a day that the drives
are not original ;)

With that sheer amount of space it's going to take a while before it
ever breaks (wears out). It'll be out of service long before then.

Also, you can max out a single 10G link with about 4-6 recent SSDs, so
smaller cabinets with more uplinks make all the sense. In that respect
the newer cabinets (Dell EQL PS6210) with 24 drives and just 2 10Ge
uplinks are a bit odd. Still, it's nice to do 300-400MB/s in a VM on a 5
year old ESX on a dime. :)

> We're pretty much an exclusive Juniper shop, but are not biased in any
> way -- best tool for the job is what I've been tasked with to find.
> 
> Keeping that in mind, how would something like a EX4550 fare in the
> role? Are there better devices in the same price range?

If the switches work for you and you are comfortable with them I'd count
that as a better argument.

Only budget switches are likely to cause you real grief here.

Kind regards,

Seth


Re: Frontier: Blocking port 22 because of illegal files?

2015-03-26 Thread Seth Mos
Stephen Satchell wrote on 26-3-2015 at 12:24:
> On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
>> After getting a few helpful users on the phone to run some quick
>> tests, we found port 22 was blocked.
> 
> It's been a while since I did this, but you can select an additional
> port to accept SSH connections.  A Google search indicates you can
> specify multiple ports in OpenSSH.  Picking the right port to use is an
> exercise, though, that will depend on what other services you are
> running on your server.
> 
> People with sane ISPs can use the standard port.  People on Frontier can
> use the alternate port, which shouldn't be firewalled by the provider.
> If Frontier is running a mostly-closed firewall configuration, then you
> have to be damn careful about the port you select.

Ahem, just to clarify, he is not talking about inbound on the Frontier
connection, but outbound *from* the Frontier network.

Akin to the "let's block outbound port 25 (SMTP)" approach.

This is just a really, really bad idea, m'kay.

Cheers




Re: Recommended wireless AP for 400 users office

2015-01-29 Thread Seth Mos

On 29 Jan. 2015, at 17:18, Tyler Mills tylermi...@gmail.com wrote:

> Most of the issues are related to firmware.  Most of my UBNT experience was
> with the UAP-Pro and the UAP-AC, and it wasn't a good experience.
> Production firmwares seem to be of beta quality.

It’s meh, but it’s good enough. Getting wifi "right" is really hard considering 
the sheer amount of different hardware, network stacks etc.

> For features, they can't compete with Ruckus.  One thing I can think of off
> the top of my head is support for tagging management on its own VLAN and
> tagging wired traffic onto another.  If you were to implement this on the
> UBNT products you would have to SSH into every single one and implement the
> features as you would on a linux box, and it might work.  Ruckus, you
> configure the VLAN's how you would want through the Zonedirector or the
> AP's GUI and it will just work.

That’s not true in my experience.

FYI, I just set up a new site here using the UniFi Pro APs and I’ve been doing 
the reverse. Management is untagged, and all the traffic VLANs are tagged. That 
works just fine, have been doing that since 2013.

The networks are all plain WPA2, but most devices on our wifi seem fine roaming 
throughout the building without dropping much traffic. The management tool is 
quite all right, more so when considering the prices and the lack of a 
subscription model.

Really, the subscription models offered for some of the other gear is off the 
wall.

The UniFi gear is by no means bad, but it’s still way better than manually 
configuring wireless APs without any management. It’s still far better than the 
3Com/H3C gear I had before that was 3 times as expensive and still lacks proper 
English for the management.

We have a site with 26 APs, and a new one with 8. You can now manage multiple 
sites from the same server too.

> They cost more, but you get what you pay for.

Yup!

Cheers,

Seth



Re: Got a call at 4am - RAID Gurus Please Read

2014-12-10 Thread Seth Mos
symack wrote on 9-12-2014 at 22:03:
> * Can I change from an active (ie, disks with data) raid 5 to raid 10.
> There are 4 drives

Dump and restore. I've used Acronis successfully in the past and today,
they have a bootable ISO. Also, if you have the option, they have
universal restore so you can restore Windows on another piece of
hardware (you provide the drivers).

> in the unit, and I have two on the shelf that I can plug in.
> * If so, will I have less of performance impact with RAID 10 + write-thru
> than RAID 5 + write through

Raid10 is the only valid raid format these days. With the disks as big
as they get these days it's possible for silent corruption.

And with 4TB+ disks that is a real thing.  Raid 6 is ok, if you accept
rebuilds that take a week, literally. Although the rebuild rate on our
11 disk raid 6 SSD array (2TB) is less than a day.

If it accepts sata drives, consider just using SSDs instead. They're
just 600 euros for a 800GB drive. (Intel S3500)

> Given I can move from RAID 5 to RAID 10 without losing data. How long to
> anticipate downtime for this process? Is there heavy sector re-arranging
> happening here? And the same for write-thru, is it done quick?

Heavy sector re-arranging, yes, so just dump and restore, it's faster
and more reliable. Also, you then have a working bare metal restore backup.

Regards,

Seth


Mozilla performing pdf.js DNS queries?

2014-11-13 Thread Seth Mos
Hi,

Whilst rummaging through some DNS (dnsmasq) logs I've noticed quite a
decent amount of queries for pdf.js from what appear to be mozilla browsers.

Seems rather odd that it is performing DNS queries for an internal PDF
viewer.

Has anyone else come across these lookups?

Kind regards,

Seth


Re: Mozilla performing pdf.js DNS queries?

2014-11-13 Thread Seth Mos
David Hofstee wrote on 13-11-2014 at 14:39:
> Pdf is quite a standard. One might wonder what it cannot do. One could call 
> it evil. 
> 
> http://superuser.com/questions/368486/link-to-image-within-pdf-and-have-the-image-displayed
> 

Ah yes, an image within a PDF could definitely do this I suppose. I just
thought it odd that the browser would leak this out.

dnsmasq[3151]: query[A] pdf.js from 10.6.24.11
dnsmasq[3151]: query[] pdf.js from 10.6.24.11
dnsmasq[3151]: query[A] pdf.js from 10.6.24.11
dnsmasq[3151]: query[] pdf.js from 10.6.24.11

This could become a whole can of worms if a .js TLD ever makes it to the
internet and registers this domain name.

We see this from Ubuntu terminals running Mozilla Firefox 33.0

Best regards,

Seth

> 
> David Hofstee
> 
> Deliverability Management
> MailPlus B.V. Netherlands (ESP)
> 
> 
> -----Original message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On behalf of Seth Mos
> Sent: Thursday, November 13, 2014 2:26 PM
> To: NANOG list
> Subject: Mozilla performing pdf.js DNS queries?
> 
> Hi,
> 
> Whilst rummaging through some DNS (dnsmasq) logs I've noticed quite a decent 
> amount of queries for pdf.js from what appear to be mozilla browsers.
> 
> Seems rather odd that it is performing DNS queries for an internal PDF viewer.
> 
> Has anyone else come across these lookups?
> 
> Kind regards,
> 
> Seth
> 


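Detection logic for the leak Seth spotted, as an added example rather than anything from the thread: it parses dnsmasq `query[...]` lines (the sample lines below are constructed to mirror the ones posted, with a syslog-prefixed variant handled as well), flags names whose final label is a file extension, is not a delegated TLD, or is a bare single label, and groups them per name and client. `KNOWN_TLDS` is a small stand-in for the IANA root-zone TLD list that a real deployment would load.

```python
"""Flag names that should never reach the resolver in dnsmasq query logs.

Added example, not code from the thread. The sample lines are constructed to
mirror the pdf.js queries posted above; KNOWN_TLDS is a small stand-in for
the IANA root-zone TLD list a real deployment would load. A name whose last
label is not delegated (".js" today) is a collision risk if it ever is.
"""
import re
from collections import defaultdict
from typing import Dict, Optional, Tuple

# dnsmasq's query log line; a syslog timestamp/host prefix, if present, is ignored.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]*)\] (?P<name>\S+) from (?P<client>\S+)")

# Stand-in subset (assumption); production code loads the IANA list from
# https://data.iana.org/TLD/tlds-alpha-by-domain.txt instead.
KNOWN_TLDS = {"arpa", "com", "de", "edu", "io", "net", "nl", "org", "uk"}

# Final labels that are file extensions, not domains: a browser or script
# handed a file name to the resolver.
FILE_SUFFIXES = {"css", "html", "js", "json", "pdf", "png", "svg", "xml"}

# Constructed sample, modelled on the log lines in the thread.
SAMPLE_LOG = """\
dnsmasq[3151]: query[A] pdf.js from 10.6.24.11
dnsmasq[3151]: query[AAAA] pdf.js from 10.6.24.11
dnsmasq[3151]: query[A] www.example.com from 10.6.24.12
dnsmasq[3151]: query[AAAA] www.example.com from 10.6.24.12
dnsmasq[3151]: query[A] wpad from 10.6.24.13
dnsmasq[3151]: query[A] intranet.corp from 10.6.24.14
dnsmasq[3151]: forwarded www.example.com to 192.0.2.53
"""


def parse_query(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (qtype, name, client) for a query line, None for anything else."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("qtype") or "?", m.group("name").rstrip(".").lower(), m.group("client")


def leak_reason(name: str) -> Optional[str]:
    """Why a name looks like a leak, or None if it is an ordinary public name."""
    labels = name.split(".")
    if len(labels) == 1:
        return "unqualified single label"
    tld = labels[-1]
    if tld in FILE_SUFFIXES:
        return f"file extension '.{tld}' in TLD position"
    if tld not in KNOWN_TLDS:
        return f"non-delegated TLD '.{tld}'"
    return None


def find_leaks(log_text: str) -> Dict[str, dict]:
    """Aggregate leaking queries per name: reason, count, clients, query types."""
    findings: Dict[str, dict] = defaultdict(
        lambda: {"reason": "", "count": 0, "clients": set(), "qtypes": set()})
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        qtype, name, client = parsed
        reason = leak_reason(name)
        if reason is None:
            continue
        entry = findings[name]
        entry["reason"] = reason
        entry["count"] += 1
        entry["clients"].add(client)
        entry["qtypes"].add(qtype)
    # Freeze the sets into sorted lists so the result is stable and printable.
    return {n: {**e, "clients": sorted(e["clients"]), "qtypes": sorted(e["qtypes"])}
            for n, e in findings.items()}


def report(findings: Dict[str, dict]) -> str:
    """One line per leaking name, busiest first, for a daily review mail."""
    rows = sorted(findings.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return "\n".join(
        f"{name:24} {e['count']:4}  {','.join(e['qtypes']):8} "
        f"{e['reason']}  clients={','.join(e['clients'])}" for name, e in rows)


if __name__ == "__main__":
    print(report(find_leaks(SAMPLE_LOG)))
```

Feed it the dnsmasq log (`log-queries` must be on) and the per-client grouping tells you which workstations run the leaking software, which is what you need before deciding whether to answer such names locally or let them fail fast.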

Re: anyone from vodafone(.nl) around?

2014-10-23 Thread Seth Mos
David Hofstee wrote on 23-10-2014 at 11:02:
> Hi,
> 
> Is anyone from Vodafone around? We are having connectivity loss with 
> smtp.vodafone.nl and the helpdesk is not cooperating...

I've had good success getting an out-of-date bogon filter issue for all
Vodafone NL customers resolved after contacting the following address
from the WHOIS information on bgp.he.net.

nmc...@vodafone.com

Kind regards,

Seth


Re: Netalyzr Android: call for volunteers

2014-10-07 Thread Seth Mos
Srikanth Sundaresan wrote on 6-10-2014 at 0:43:
> Hi all,
> 
> Netalyzr is a free network measurement and debugging app developed 
> by the International Computer Science Institute, Berkeley.
> 
Hi,

Maybe it's just me, but my Xperia T (LT30p) does have IPv6 on Wifi and
test-ipv6.com validates it. It runs Android 4.3.

However, the Netalyzr app has told me in 2 consecutive runs that it
does not have IPv6 support.

That does not appear intended.

Kind regards,

Seth



Re: Ars Technica on IPv4 exhaustion

2014-06-18 Thread Seth Mos

On 18 Jun. 2014, at 11:41, Martin Geddes m...@martingeddes.com wrote:

>> IPv6 will never become the de facto standard until the vast majority of
>> users have access to IPv6 connectivity.
> 
> It may never become the de facto standard, period. Nearly 20 years to reach
> 2% penetration is a strong hint that the costs outweigh the benefits.

To be fair, it is only now that there is considerable leverage to actually use 
IPv6 outside of an academic scope. Our company is ready now, and it’s just a 
commercial retailer. I know we are way ahead of the curve but I didn’t find it 
all that hard.

I see a lot of people crying foul, still, but IPv6 capable equipment is readily 
available now, and, it is up to you if you find it worthwhile to purchase. The 
worldwide IPv6 transit network is complete and most ISPs can actually deliver 
on IPv6 if you push them for it and don’t let them ship you off with "we can’t 
do it yet".

As such we’ve had IPv6 at work since 2012, and we got to talk to engineers and 
it wasn’t really that much of a problem. Also, the free BGP tunnel from HE.net 
really is a lifesaver in getting at least backup peering in place, and that 
worked fine for over a year.

 IP's global addressing system is broken from the outset. See John Day's
 presentation Surviving Networking’s Dark Ages - or How in the Hell Do You
 Lose a Layer!?
 http://irati.eu/wp-content/uploads/2013/01/1-LostLayer130123.pdf (or,
 indeed, lots of them at once.)

I don’t know, 64 bits for the networks and 64 bits for the hosts seems fine, 
although to be fair, a 96/32 split could have worked too: more about networks 
and aggregated routes, less about hosts. It’s also really good that there is an 
"absolute split" at 64 bits to designate the network prefix part. That makes 
identifying networks a lot easier. I suppose that is where the shorter network 
prefix is coming from; it’s easier to remember.

 It's really all about scopes, not layers - the TCP/IP architecture is
 divided up the wrong way, and it will never be fixed. It's an escaped 1970s
 lab experiment that was able to extract the statistical multiplexing gain
 faster than rivals, but on a performance and security buy now, pay later
 basis.

I like that IPv6 is close enough to IPv4 that I can just run with it. That’s 
not a drawback. If you understand classless subnetting you can work with IPv6. 

 May all your intentional semantics become operational,
 Martin

I didn’t find it all that hard to become operational. Not everything I have at 
work does IPv6, but that’s not really a requirement, is it?

I don’t care enough for backwards compatibility with IPv4; actually, I’m really 
glad it isn’t, so failure states are much easier to diagnose. I can see how 
IPv4.2 SP2 would have subtle issues with IPv4.3 SP1, but there is a hot fix for 
that, but not for your model. SOL.

Not very different if I must say.

Cheers,
Seth



 
 On 17 June 2014 23:12, Andrew Fried andrew.fr...@gmail.com wrote:
 
 IPv6 will never become the de facto standard until the vast majority of
 users have access to IPv6 connectivity.
 
 Everything I have at the colo is dual stacked, but I can't reach my own
 systems via IPv6 because my business class Verizon Fios connection is
 IPv4 *only*.  Yes, Comcast is in the process of rolling out IPv6, but my
 Comcast circuit in Washington DC is IPv4 only.  And I'd suspect that
 everyone with Time Warner, ATT, Cox, etc are all in the same boat.
 
 Whether the reason for the lack of IPv6 deployment is laziness or an
 intentional omission on the part of large ISPs to protect their income
 from leasing IPv4 addresses doesn't matter to the vast majority of the
 end users;  they simply can't access IPv6 via IPv4 only networks,
 without using some kludgy, complicated tunneling protocols.
 
 Andy
 
 --
 Andrew Fried
 andrew.fr...@gmail.com
 
 On 6/17/14, 5:48 PM, Jared Mauch wrote:
 
 On Jun 17, 2014, at 5:41 PM, Lee Howard l...@asgard.org wrote:
 
 
 
 On 6/17/14 4:20 PM, Jay Ashworth j...@baylink.com wrote:
 
 Here's what the general public is hearing:
 
 But only while they still have IPv4 addresses:
 ~$ dig AAAA arstechnica.com +short
 ~$
 
 http://arstechnica.com/information-technology/2014/06/with-the-americas-running-out-of-ipv4-its-official-the-internet-is-full/
 
 
 Can't tech news sites *please* run dual stack while they're spouting
 end-of-IPv4 stories?
 
 wishful thinking=on
 
 I would love to see a few more properties do IPv6 by default, such as
 ARS, Twitter and a few others.  After posting some links and being a log
 stalker last night the first 3 hits from non-bots were from users on IPv6
 enabled networks.
 
 It does ring a bit hollow that these sites haven't gotten there when
 others (Google, Facebook) have already shown you can publish AAAA records
 with no adverse public impact.  Making IPv6 available by default for users
 would be an excellent step.  People like ATT who control the 'attwifi'
 ssid could do NAT66 at their 

Re: The Cidr Report

2014-04-26 Thread Seth Mos

On 26 Apr 2014, at 20:05, Hank Nussbacher h...@efes.iucc.ac.il wrote the 
following:

 At 22:00 25/04/2014 +, cidr-rep...@potaroo.net wrote:
 This report has been generated at Fri Apr 25 21:13:54 2014 AEST.
 The report analyses the BGP Routing Table of AS2.0 router
 and generates a report on aggregation potential within the table.
 
 Check http://www.cidr-report.org/2.0 for a current version of this report.
 
 Recent Table History
 Date      Prefixes  CIDR Agg
 18-04-14  499254    282312
 19-04-14  499492    282427
 20-04-14  499557    282428
 21-04-14  499371    282193
 22-04-14  499156    282325
 23-04-14  499260    282597
 24-04-14  499642    282663
 25-04-14  500177    282878
 
 Historic event - 500K prefixes on the Internet.

And now we wait for everything to fall over at 512k ;)



Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Seth Mos
On 18-4-2014 8:57, Matt Palmer wrote:
 On Thu, Apr 17, 2014 at 09:05:17PM -0500, Timothy Morizot wrote:
 On Apr 17, 2014 7:52 PM, Matthew Kaufman matt...@matthew.at wrote:
 While you're at it, the document can explain to admins who have been
 burned, often more than once, by the pain of re-numbering internal services
 at static addresses how IPv6 without NAT will magically solve this problem.

 If you're worried about that issue, either get your own end user
 assignment(s) from ARIN or use ULA internally and employ NAT-PT (prefix
 translation) at the perimeter. That's not even a hard question.
 
 Why use NAT-PT in that instance?  Since IPv6 interfaces are happy running
 with multiple addresses, the machines can have their publicly accessible
 address and also their ULA address, with internal services binding to (and
 referring to, via DNS, et al) the ULA address; when you change providers,
 the publicly accessible address changes (whoopee!), but the internal
 service address doesn't.

Sounds good in theory. I tried it, but it got ugly really fast. Before
you know it you have layers of obfuscation, and even more work to get
it to work right. That's really not a good argument for the general IPv6
case.

Then there's the issue of making not just hosts do address selection but
bringing that down to making applications choose address selection. As an
admin I really don't want to go there. I just want a central point where
I can pass, block or redirect.

Just keep it as simple as possible, but not simpler. A host with an IPv4
and a GLA IPv6 address is as complicated as you want it.

The only case I see for NPt is for cheap multi-WAN where you have the
primary prefix on your LAN and perform NPt for that prefix when it
goes out the 3G stick. Note that you would still need the same
(delegated) prefix size on both connections (e.g. /64, /56 or /48).

What is also nice is that in the case of NPt the firewall rules for both
WAN and 3G can be the same as the destination address (after
performing NPt) is still the same. Manageable.

Kind regards,

Seth




Re: Requirements for IPv6 Firewalls

2014-04-17 Thread Seth Mos

On 17 Apr 2014, at 20:50, William Herrin b...@herrin.us wrote the 
following:

 On Thu, Apr 17, 2014 at 2:32 PM, Eugeniu Patrascu eu...@imacandi.net wrote:
 It's a bigger risk to think that NAT somehow magically protects you against
 stuff on the Internet.
 
 You are entitled to your opinion and you are entitled to run your
 network in accordance with your opinion.
 
 To vendors who would sell me product, I would respectfully suggest
 that attempts to forcefully educate me as to what I *should want*
 offers neither a short nor particularly successful path to closing a
 sale.

Having deployed IPv6 at the internet point and halfway into the company I work 
for, I can tell you that I am *really* glad that I can now see what a firewall 
rule does properly, instead of also having to peer at the NAT table, which is 1:1 
or a port forward etc. Also, when IPv4 NAT and rules don’t match up, hilarity 
ensues.

It greatly improves my workflow, it’s just become a whole lot easier for me.

NAT66 definitely has a place, and I’m a huge proponent of it for the small SMB 
people and home users, so they can do multi-WAN without BGP. That part isn’t 
solved yet by the IETF, but at least there is a really good RFC for NPt.

In my experience it improves security because of the transparency.

For anything resembling more than 100 people, get an ASN, PI and BGP. You’ll 
thank me later; you’re unlikely to have to renumber anything (1).

Kind regards,

Seth

(1) Yeah I know, unless you grow from a /48 to a /32
 
 Regards,
 Bill Herrin
 
 
 -- 
 William D. Herrin  her...@dirtside.com  bill@herrin.us09o
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004
 




Re: Cisco ADSL2/VDSL2 Voip Router

2013-12-13 Thread Seth Mos
On 13-12-2013 14:54, Nick Cameo wrote:
 Hello Everyone,
 
 I have a customer that is looking for a voip router. The router part
 is easy however,
 they need it to support their ADSL/VDSL connection, PPPoE, and all that lovely
 stuff. Can you gents and ladies kindly recommend something that would fit
 all. preferably the cisco route.
 
 If you have one not in use, we would be interested in hearing from you.

Something entirely different:

Draytek Vigor 2850, maybe?

Cheers





Re: ATT UVERSE Native IPv6, a HOWTO

2013-12-03 Thread Seth Mos
On 2-12-2013 22:25, Ricky Beam wrote:
 On Fri, 29 Nov 2013 08:39:59 -0500, Rob Seastrom r...@seastrom.com wrote:

 Handing out /56's like Pez is just wasting address space -- someone *is*
 paying for that space. Yes, it's waste; giving everyone 256 networks

You clearly have no understanding of route aggregation, which just made
its entry into the SOHO.

The router will set up its own DHCP-PD prefix delegation for downstream
routers. Without a /56 or larger it is very hard to do automatically.

It is not wasting; it is required for the proper operation of a routing
internet. You can't just NAT a downstream router and still have IPv6.

People buy extra wifi routers at their favorite shop and *will* plug the
cable into the Internet port. With IPv6 and DHCP-PD they will still
get working IPv6 internet. Great!

Cheers,
Seth



Re: Meraki

2013-11-21 Thread Seth Mos

On 22 Nov 2013, at 06:37, Jay Ashworth wrote the following:

 - Original Message -
 Anecdote:
 
 My local IHOP finally managed to get Wifi internet access in the restaurant.
 
 For reasons unknown to me, it's a Meraki box, backhauled *over T-mobile*.
 
 That's just as unpleasant as you'd think it would be, And More!
 
 Both the wifi and 3G (yes, 3G) boxes lock up on a fairly regular basis, 
 requiring a power cycle, which, generally, they'll only do because I've
 been eating there for 20 years, and they trust me when I ask them to.
 
 I can't say whether this provides any illumination on the rest of their
 product line, but...

To compound matters, I'd go as far as to say that any wireless solution on 
2.4 GHz isn't really a wireless solution. It's just not feasible anymore in 
2013; there is just *so much* interference from everything using the unlicensed 
2.4 GHz band that its own success is its greatest downfall.

Reliable wireless isn't (to borrow the famous war quote: "friendly fire isn't").

For whatever reasons, whoever I talk to, they all tell me that the ISP here 
sucks, and if I ask further whether they are using the wireless thingamabob that 
the ISP shipped them, they say yes. So, that's about right then.

I've been using a PCengines.ch Alix router for years now (AMD Geode, x86, 256MB 
RAM, CF) with a cable modem in bridge mode, with separate dual band access 
points in the places where I need them (living room, attic office), and I can't 
say that my experiences with the ISP here mesh with theirs.

Anyhow, if you are going to deploy wireless, make sure to use dual band, and 
name the 2.4 GHz SSID "internet" and the 5 GHz SSID "faster-internet". You'll 
see people having a heck of a better time. Social engineering works :)

When we chose the Ubiquiti wireless kit we could deploy twice as many APs for 
the price of one of the other APs. This effectively means we have a very 
dense wireless network that covers the entire building, and lots of kit that 
can actually see and use the 5 GHz band.

Setup was super easy: I added a unifi DNS name that points to my unifi 
controller host and I get an email that a new AP is ready to be put into 
service. Having a local management host instead of some cloud was a hard 
requirement. I also like that I can just apt-get update; apt-get upgrade the 
software. By using DNS, remote deployment was super easy too: send the unit off 
and let them plug it in; it then comes onto the network and registers itself.

I believe every current Apple iDevice supports the 5 GHz band, and all 
the Dell gear we purchase also comes ordered with it. Heck, even my 2011 Sony 
Xperia T has 5 GHz wireless now, as do the current Samsung Galaxy S3 and S4.

Best regards,

Seth


Re: Meraki

2013-11-19 Thread Seth Mos

On 19 Nov 2013, at 18:25, Hank Disuko wrote the following:

 Hi folks, 
 
 I've traditionally been a Cisco Catalyst shop for my switching gear.
 
 I am doing a significant hardware refresh in one of my offices, which will 
 entail replacing about 20 access switches and a couple core devices.  Pretty 
 simple L3 VLAN environment with VRRP/HSRP, on the physical end I have 1G 
 fibre/copper and 10G fibre.  My core switch of choice will likely be the Cat 
 4500 series.
 
 I'm considering Cisco's Meraki platform for my access layer and I'm looking 
 for deployment stories of folks that have deployed Meraki in the 
 past...good/bad/ugly kinda stuff.
 
 I know Meraki hardcores were upset when Cisco acquired them, but not exactly 
 sure why.
 
 Anyway, any thoughts would be useful.  Thanks!

We used to use the 3Com wireless kit before it became H3C, and then HP, which 
worked ok but the engrish in the UI was horrid.

We've since purchased 25 Ubiquiti wireless access points, specifically the 300N 
Pro access points. They work really well, pricing is competitive and the 
management is nice.

I've set up a Debian VM, installed their management software from their APT repo 
and just go from there. The version 3 software also supports multi-site, which 
is really nice.

It's a huge upgrade over our previous wireless though.

Cheers,
Seth


Re: Verizon DSL moving to CGN

2013-04-09 Thread Seth Mos
On 9-4-2013 1:10, Jay Ashworth wrote:
 - Original Message -
 From: Huasong Zhou huas...@kalorama.com
 
 We got this modem and router all in one box from Comcast directly. And
 by the way, home use routers don't assign 10.0.0.0 numbers.
 
 I have seen consumer NAT routers assign addresses in all three RFC1918
 blocks, though I couldn't cite particular models for you.  10./ is less
 common than 172./, but not impossible.

Early Alcatel/Lucent Speedtouch modems assigned 10/8 to the LAN,
effectively breaking all VPN networking to our office. No fun to be had
in that one. Luckily all these shipped without Wifi and have now all
been replaced by Thomson wifi models that use 192.168.[01]/24.

Some of the AlliedData Copperjet modems use 172.x

Regards,

Seth



Re: NOC display software

2013-02-13 Thread Seth Mos
On 13-2-2013 16:19, JoeSox wrote:
 Just wondering if anyone can recommend Windows software (it could be
 Linux too but I might need to create a separate host for that
 configuration)
 that enables rotating [on one monitor] several webpages (dashboards)
 or windows (application dashboards).
 It would be nice if it was freeware or open source but whatever works
 best is what I am looking for.
 For example, if I wanted one monitor to cycle thru my local SolarWinds
 Orion, Office 365 Health Status, and anyother webdashboards.

We use a Dell Optiplex that drives 2 rotated FullHD 42 inch TVs.

This gives us effectively a 2k x 4k resolution to work with.

We have written a custom webpage that refreshes divs automatically, it
has a country map and puts the various sites on the map where the outage
is. This is mainly handy for DSL outages.

The left TV is almost entirely a map of the Netherlands with a few
Nagios summaries and refresh counters underneath.

The right TV pane lists the Nagios detail and various business processes
as well as open tickets from our ticket system.

We use Chrome in kiosk mode, but Firefox could work too.

Cheers,
Seth



Re: IPV6 in enterprise best practices/white papaers

2013-01-26 Thread Seth Mos

On 26 Jan 2013, at 18:47, William Herrin wrote the following:

 On Sat, Jan 26, 2013 at 4:26 AM, Pavel Dimow paveldi...@gmail.com wrote:
 I can start to create
 AAAA records and PTR records in DNS and after that I should configure my
 dhcp servers and after all has been done I can test ipv6 in LAN and
 after that I can start configure bgp with ISP.
 Is this correct procedure?
 
 Nope.
 
 In their infinite(simal) wisdom the architects of IPv6 determined that
 a host configured with both a global scope IPv6 address and an IPv4
 address will attempt IPv6 in preference to IPv4. If you configure IPv6
 on a LAN without first installing your IPv6 Internet connection, that
 LAN will break horribly.
 
 Work your way from the outside in: start with BGP, then the interior
 routers and configure the LAN last.

+3

That's what I did too; it works the best. You really need to make sure that the 
connectivity you turn up actually works. I started with the internet 
connections, and luckily HE.net also offers free BGP tunnels for PI 
connectivity, which will do in a pinch, and you can still maintain redundancy if 
only 1 ISP can actually do native yet.

From there I started with the firewalls and routers, dual stacked those first. 
I then did some servers, some Linux, some Windows. DNS was first, then email. I 
wish more ISPs dual stacked their email servers; they are prime candidates 
because nothing dies instantly and delivery is retried. It seems so obvious, 
and everybody is focusing on port 80, weird. Email for offices also seems like 
the prime candidate for end-to-end for businesses. More than websites.

I still see plenty of companies hosting their own email.

Oh, and if you add IPv6 on an AD server, do all of them at once. Because IPv6 
is preferred, they will all try that single server with an IPv6 address. That is 
address preference for you!

So make sure that for some of the steps you deploy it just like IPv4, not a 
little bit, but all the way.

Add all the IPv6 addressing to your monitoring before going any further. You 
don't want to fly this blind. We use Nagios, it works well enough, I can't see 
BGP table size, but I can monitor next hop with ping6, so that worked fine.

The clients still don't have IPv6, but everybody browses the net via a dual 
stack squid proxy, so they didn't even notice. At some point in 2013 the 
clients will get an IPv6 address too, dhcp6 only, no autoconfig for management 
reasons.

Not that the clients can actually get out to the internet, they can't now with 
IPv4, so no change there.

Regards,

Seth


Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-18 Thread Seth Mos
On 18-1-2013 15:03, William Herrin wrote:
 On Thu, Jan 17, 2013 at 11:15 PM, Constantine A. Murenin
 muren...@gmail.com wrote:

 On the technical side, enterprises have been doing large-scale NAT for
 more than a decade now without any doomsday consequences. CGN is not
 different.

Well yeah, but everything is under control of the IT department to set up
rules and forwards. That's not the same as an end user that wants a port
forward to host an Xbox 360 game on their fiber connection and can't set
it up.

I've tried getting the firewall disabled that denies ALL incoming
traffic on my 3G stick and it's simply not possible, that is the sort of
flexibility that the market is selling.

Most of the ISPs I have personally and professionally worked with have
the flexibility of a piece of mahogany.

I'm pretty sure that some of the dedicated online game hosters are
looking forward to this. Those investments should turn out great.

Regards,

Seth



MTU issues s0.wp.com

2012-11-06 Thread Seth Mos

Hi,

Since about a week or so it's become impossible to reach wp.com content 
over IPv6.


IPv4 content does work fine; using the IPv6 literal returns a 404, which 
is small enough to fit in a smaller 1480-byte MTU.


I have another test site that has a clean 1500-byte MTU and I can fetch 
the s0.wp.com page from there.


It looks like tunneled IPv6 users might be hurting here.

Is anyone else experiencing similar issues?

My traceroute shows they are employing a CDN for s0.wp.com, so not 
everyone might be affected.


 7  asd2-rou-1022.NL.eurorings.net (2001:680:0:800f::291)  6.460 ms  6.203 ms  6.188 ms
 8  asd2-rou-1044.eurorings.net (2001:680::134:222:85:63)  6.447 ms  6.494 ms  6.495 ms
 9  adm-b5-link.telia.net (2001:2000:3080:6f::1)  6.818 ms  6.936 ms  6.891 ms
10  ldn-b3-v6.telia.net (2001:2000:3018:5::1)  15.290 ms  27.481 ms  15.380 ms
11  edgecast-ic-147468-ldn-b3.c.telia.net (2001:2000:3080:378::2)  15.116 ms  15.174 ms  15.176 ms
12  2606:2800:234:1922:15a7:17bf:bb7:f09 (2606:2800:234:1922:15a7:17bf:bb7:f09)  15.496 ms  15.327 ms  15.460 ms


Kind regards,

Seth



Re: IPv4 address length technical design

2012-10-03 Thread Seth Mos

On 3-10-2012 18:33, Kevin Broderick wrote:

> I'll add that in the mid-90's, in a University Of Washington lecture hall, Vint 
> Cerf expressed some regret over going with 32 bits.  Chuckle worthy and at the 
> time, and a fond memory
> - K


Pick a number between this and that. It's the 80's and you can still 
count the computers in the world. :)


It is/was an experiment and you have the choice between a really large 
and a larger number. Humans are not too good at comparing really large 
numbers. If it had been decided to use a smaller value, for the size of 
the experiment it might have gone quite differently. The safe (larger) 
choice ended up bringing more pain.


As a time honored ritual, the temporary solution becomes the production 
solution.


Oops... And that was not quite what Mr Cerf meant to do.

Regards,

Seth



Re: Throw me a IPv6 bone (sort of was IPv6 ignorance)

2012-09-21 Thread Seth Mos

On 21-9-2012 21:42, Mark Radabaugh wrote:

> Running dual stack to residential consumers still has huge issues with 
> CPE.  It's not an environment where we have control over the router 
> the customer picks up at Walmart.   There is really very little point 
> in spending a lot of resources on something the consumer can't 
> currently use.  I don't think saying we missed the boat really applies 
> - and the consumer CPE ship is sinking at the dock.


Enable dual stack by default; the old routers ignore it anyhow. The new 
ones that do support it (and really, Linksys and D-Link as well as 
Netgear do support it now) will use it and should just work. I recommend 
DHCP-PD, it seems to work well with relatively low overhead. AVM seems 
to know just how to make these relatively cheap all-in-ones with a great 
feature set and reasonable quality.


There is a lot of room for improvement, there always have been. It's not 
like the original Linksys WRT54G was really _that_ good, was it?


The other good news is that there is a new Wifi standard! You'll see a 
new surge of people swapping out $30 routers because they are convinced 
that the new $30 router will be a lot better than the previous one. 
Maybe it is.


I know it's a chicken and egg problem, and shoving it out further means 
you just decided for the ISP that you need a far beefier CGN box in the 
future. I am not totally convinced that was your long term plan.


For most ISPs in Asia that are now pouring significant monetary resources 
into a CGN box that might be almost pointless in 5 years, this is not the 
investment they were looking for.




Re: Big Temporary Networks

2012-09-19 Thread Seth Mos

On 18-9-2012 22:50, William Herrin wrote:

> On Tue, Sep 18, 2012 at 4:31 PM, Nick Hilliard n...@foobar.org wrote:
> 
>> On 18/09/2012 21:24, William Herrin wrote:
>> 
>>> IPv6 falls down compared to IPv4 on wifi networks when it responds to a
>>> router solicitation with a multicast (instead of unicast) router
>>> advertisement.
>> 
>> You mean it has one extra potential failure mode in situations where radio
>> retransmission doesn't deal with the packet loss - which will cause RA to
>> retry.  Fall down is a slight overstatement.
> 
> Potayto, potahto. Like I said, I have no interest in defending IPv6.
> But I'm very interested in how to implement an IPv6 network that's as
> or more reliable than the equivalent IPv4 network. That makes me
> interested in the faults which get in the way.
> 
> Regards,
> Bill Herrin

Yes, radvd has a configuration option to send unicast packets. But I 
think the effects are slightly overstated.


Unless someone fudged the lifetime counters on the RA config nobody will 
ever notice an RA getting lost. Once every few seconds an RA message will 
be sent and it will be valid for at least a couple of minutes. Within 
that time there will be multiple RA announcements, and unless you missed 
5 minutes of RA advertisements everything is fine.


And if you do miss 5 minutes of RA multicast traffic, really, you have 
bigger problems. I see network stacks springing to life in the space of 
3 seconds on the 1st message I send out. That's pretty stellar, and 
faster than some clients perform the DHCPv4 request.


Also note that some wifi networks eat DHCPv4 broadcasts too, which is 
pretty much the same deal as what you are referring to above. They will 
retry the DHCPv4 request, and so do clients that perform router 
solicitation requests. No different.


And if the wifi network is so bad that you have ICMP and UDP dropping 
like mad, I doubt anybody would want to use it. It's more likely that 
they will disable wifi altogether and use 3G. The 2.4 GHz wifi band is so 
crowded now that this has become the effective standard. Unless you are 
a happy camper that actually has a wifi card that supports the 5 GHz 
band. Which is far too uncommon in phones and tablets. Boo.


Cheers,

Seth



Re: The Department of Work and Pensions, UK has an entire /8

2012-09-19 Thread Seth Mos

On 19-9-2012 14:35, Leo Bicknell wrote:

> In a message written on Tue, Sep 18, 2012 at 09:11:50PM -0700, Mike Hale wrote:
> 
>> I'd love to hear the reasoning for this.  Why would it be bad policy
>> to force companies to use the resources they are assigned or give them
>> back to the general pool?
> 
> There's also a ROI problem.  People smarter than I have done the
> math, and figured out that if X% of the address space can be reclaimed
> via these efforts, that gains Y years of address space.  Turns out
> Y is pretty darn small no matter how aggressive the search for
> underutilized space.  Basically the RIR's would have to spin up
> more staff and, well, harass pretty much every IP holder for a
> couple of years just to delay the transition to IPv6 by a couple
> of years.  In the short term moving the date a couple of years may
> seem like a win, but in the long term it's really insignificant.
> It's also important to note that RIR's are paid for by the users,
> the ramp up in staff and legal costs of such an effort falls back
> on the community.  Is delaying IPv6 adoption worth having RIR fees
> double?

Forcing a government organization to renumber their (large!) network to 
10/8 just to give it back to ARIN would be a massive undertaking. 
There are considerable drawbacks:


1. The renumbering of a government organization is paid for by the UK 
taxpayers. I'm sure the UK can use the funds somewhere else right now.
2. The time taken to complete this operation would likely run into 
years, see 1.
3. Even if the renumbering completes by 2015 it would be far too late, 
since we need it now rather than later.
4. The actual value of the sale of the /8 could either be huge in 
2015, or insignificant in 2015.


So the irony is that the taxpayer lobbying for return wants to have the 
/8 returned or sold. But there is a significant non-zero cost and 
he would be paying for it himself.


I also like the idea of public services to be reachable in the future. 
Just because it is not in use now, I'll see them using it in the future.


Regards,

Seth




Re: The Department of Work and Pensions, UK has an entire /8

2012-09-19 Thread Seth Mos

On 20 Sep 2012, at 07:34, Mark Andrews wrote the following:

 
 In message caaawwbw2oh0-cpsvwyrfdodvjotavaq8wdlussqvshs5cot...@mail.gmail.com, 
 Jimmy Hess writes:
 
 The work to fix this on most OS is minimal.  The work to ensure
 that it could be used safely over the big I Internet is enormous.
 It's not so much about making sure new equipment can support it
 than getting servers that don't support it upgraded as well as every
 box in between.


I'm only afraid it may operate worse than 1/8.

Not sure how happy you would be as an ISP or a customer in that range.

Cheers,

Seth

Re: The Department of Work and Pensions, UK has an entire /8

2012-09-18 Thread Seth Mos

On 18 Sep 2012, at 18:39, George Herbert wrote the following:

 
 I'm having problems finding any announcements for this net 10/8, too.  Can 
 someone talk to these IANA folks about reclaiming it, too?  They have a 
 bunch of other space in 172.x they should be able to use...

Don't worry, they'll give in and assign us some more.

Seth
;-)

 
 
 George William Herbert
 Sent from my iPhone
 
 On Sep 18, 2012, at 8:36 AM, John Levine jo...@iecc.com wrote:
 
 John Graham-Cumming, who found this unused block, wrote in a blog post that
 the DWP was in possession of 51.0.0.0/8 IPv4 addresses.
 
 
 Please, don't anyone tell him about 25/8.
 
 
 




Re: using reserved IPv6 space

2012-07-17 Thread Seth Mos

On 17-7-2012 8:43, Owen DeLong wrote:

> On Jul 16, 2012, at 10:36 PM, Seth Mos wrote:
> 
>> Hi,
>> 
>> On 16 Jul 2012, at 18:34, valdis.kletni...@vt.edu wrote the following:
>> To highlight what the current NAT66 is useful for: it's an RFC for Network 
>> Prefix Translation. It has nothing to do with obfuscation or hiding the network 
>> anymore. Its current application is multihoming for the poor.


> And it's a really poor way to do multihoming.
> 
> You don't have to spend a lot of money to multihome properly.


Did you see I mentioned poor? Poor as in unwilling to pay anything more 
than the cost for the 2 internet connections they already have.


If you are an individual this likely applies. 3G stick anyone? If you are 
a business, see B for Business and B for BGP.


Also, I hope Mobile Internet providers will be supporting DHCP6 and 
DHCP6-PD for hotspots. Another place where I can see cruft being made.


On that note, the world of mobile internet providers seems to be full of 
assumptions about the use of the devices and connection. It can probably 
never be saved anymore. If there ever was a mobile network that did not 
respect the users'/clients' interests, this would be it.



>> Example:
>> You have a Cable and a DSL, they both provide IPv6 and you want to provide 
>> failover. You then use ULA or one of the Global Addresses on the LAN network, 
>> and set up NAT66 mappings for the secondary WAN, or both if you are using ULA.


> I have that and I use BGP with an ARIN prefix using the Cable and DSL as layer 
> 2 substrates for dual-stack tunnels.


So can any user just send them an email "Hey, I dual home, can I have a 
/48 please?". That's not even considering that I need to terminate the 
prefix on a BGP router somewhere that someone surely wants money for.



> Works pretty well and doesn't cost much more than the NAT66 based solution.


It's, in your words, "doesn't cost much more", which translates to "too 
much"; we're all cheapskates :-)



> Once you go to tunnels, why not go all the way and put BGP across the tunnels?


Because by using 2 tunnels from 2 different providers you actually hope 
to increase redundancy; we are not talking 2 Hurricane Electric tunnels 
here. It's one /48 from HE.net and another /48 from SixXS.


I've had a bit too much the past few months where a number of the HE.net 
tunnelbrokers have been the target for a DDoS attack.


Nothing I can blame HE.net for, but it does illustrate my point that 
having 2 different upstream (tunnel) providers works best.


Regards,

Seth



Re: using reserved IPv6 space

2012-07-16 Thread Seth Mos
Hi,

On 16 Jul 2012, at 18:34, valdis.kletni...@vt.edu wrote:

 On Mon, 16 Jul 2012 11:09:28 -0500, -Hammer- said:
 ---That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be there
 if there weren't enough customers asking for it. Are all the customers naive?
 I doubt it. They have their reasons. I agree with your purist definition and
 did not say I was using it. My point is that vendors are still rolling out base
 line features even today.
 
 Sorry to tell you this, but the customers *are* naive and asking for stupid
 stuff. They think they need NAT under IPv6 because they suffered with it in
 IPv4 due to addressing issues or a (totally perceived) security benefit (said
 benefit being *entirely* based on the fact that once you get NAT working, you
 can build a stateful firewall for essentially free).  The address crunch is
 gone, and stateful firewalls exist, so there's no *real* reason to keep
 pounding your head against the wall other than we've been doing it for 15
 years.

To highlight what the current NAT66 is useful for, it's an RFC for Network 
Prefix translation. It has nothing to do with obfuscation or hiding the network 
anymore. Its current application is multihoming for the poor.

Example:
You have a Cable and a DSL, they both provide IPv6 and you want to provide 
failover. You then use ULA or one of the Global Addresses on the LAN network, 
and set up NAT66 mappings for the secondary WAN, or both if you are using ULA.

This will not hide *anything* as your machines will now be *visible* on 2 
global prefixes at the same time. And yes, you still use the stateful firewall 
rules on each WAN for the incoming traffic. And you can redirect traffic as 
needed out each WAN. It's the closest thing to the existing Dual WAN that 
current routers support.

Also note that this also works fine with 2 IPv6 tunnels. Bind each tunnel to a 
WAN and you have the same failover for IPv6 as IPv4.

Cheers,

Seth




Re: NAT66 was Re: using reserved IPv6 space

2012-07-16 Thread Seth Mos

On 17 Jul 2012, at 04:56, Grant Ridder wrote:

 If you are running an HA pair, why would you care which box it went back
 through?

Because it could be/is a stateful firewall and the backup will drop the 
traffic. (FreeBSD CARP)

Cheers,

Seth

 
 -Grant
 
 On Monday, July 16, 2012, Mark Andrews wrote:
 
 
 In message CAD8GWsswFwnPKTfxt=squumzofs3_-yrihy8o4gt3w9+x6f...@mail.gmail.com, Lee
 writes:
 On 7/16/12, Owen DeLong o...@delong.com wrote:
 
 Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
 being
 able to eliminate NAT. NAT was a necessary evil for IPv4 address
 conservation. It has no good use in IPv6.
 
 NAT is good for getting the return traffic to the right firewall.  How
 else do you deal with multiple firewalls and asymmetric routing?
 
 Traffic goes where the routing protocols direct it.  NAT doesn't
 help this and may actually hinder as the source address cannot be
 used internally to direct traffic to the correct egress point.
 
 Instead you need internal routers that have to try to track traffic
 flows rather than making simple decisions based on source and
 destination addresses.
 
 Applications that use multiple connections may not always end up
 with consistent external source addresses.
 
 Yes, it's possible to get traffic back to the right place without NAT.
 But is it as easy as just NATing the outbound traffic at the
 firewall?
 
 It can be and it can be easier to debug without NAT mangling
 addresses.
 
 The only thing helpful NAT66 does is delay the externally visible
 source address selection until the packet passes the NAT66 box.
 
 Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
 
 




Re: ipv6 book recommendations?

2012-06-06 Thread Seth Mos

On 5-6-2012 23:23, William Herrin wrote:

On 6/5/12, David Hubbard dhubb...@dino.hostasaurus.com wrote:
Hi David,

Instead of going the book route, I'd suggest getting some tunneled
addresses from he.net and then working through
http://ipv6.he.net/certification/ .

They have the basics pretty well covered, it's interactive and it's free.

+1 it's one of the best ways to learn. Do.


Some additional thoughts:

1. Anybody who tells you that there are security best practices for
IPv6 is full of it. It simply hasn't seen enough use in the
environment to which we're now deploying it and rudimentary
technologies widely used in IPv4 (e.g. NAT/PAT to private address
space) haven't yet made their transition.

Well, not quite, but firewall rules work just the same as before. Use those.
The longer version is that some people used "from internet to any" rules 
on their WAN which in an IPv4 NAT really translated to "allow everything 
to my external address". Unless you used 1:1 of course, but I digress.


In IPv6 such a rule really means "anything internal". People that have 
administered firewalls that route public addresses will know exactly 
what I mean.



d. Default customer assignments should be /56 or /48 depending on who
you ask. /48 was the IETF's original plan. Few of your customers
appear to use tens of LANS, let alone thousands. Maybe that will
change but the motivations driving such a thing seem a bit pie in the
sky. /56 lets the customer implement more than one LAN (e.g. wired
and wireless) but burns through your address space much more slowly.
/60 would do that too but nobody seems to be using it. /64 allows only
one LAN, so avoid it.
You seem to miss a semi-important thing here. Daisy chaining of routers 
in the premises.
Some routers (pfSense included) allow for setting up prefix delegation, 
this means that you can connect routers behind the one you have and 
still have native v6.


Although the automatic setup system I wrote for this works with /56 
networks it will only setup PD for /64 networks at this point. I 
allocate a part of the assigned /56 network for prefix delegation 
automatically.


If the PD is /48 I can delegate /56 networks to the subrouters, which on 
their turn can delegate /64 networks to another sub router.


It's not that the user itself will actually assign all those networks, 
but routers will do automatically and you need proper route aggregation. 
It's unlikely that all networks will be directly assigned as /64 
networks either, it could also be multiple routers.


Even if it was done manually I'd assign a /60 route out of a /56 PD. 
The notion that it will always be a /64 is... well.


Regards,

Seth



Re: Our first inbound email via IPv6 (was spam!)

2012-06-05 Thread Seth Mos

On 5-6-2012 16:10, Livingood, Jason wrote:

In preparation for the World IPv6 Launch, inbound (SMTP) email to the
comcast.net domain was IPv6-enabled today, June 5, 2012, at 9:34 UTC.
Roughly one minute later, at 9:35:30 UTC we received our first
inbound email over IPv6 from 2001:4ba0:fff4:1c::2. That first bit of mail
was spam, and was caught by our Cloudmark messaging anti-abuse platform
(the sender attempted a range of standard spam tactics in subsequent
connections).

In the past several hours we have of course seen other messages from a
range of hosts, many of which were legitimate email, so it wasn't just
spam! ;-)

Since the Internet is of course more than just the web, we encourage
others to start making non-HTTP services available via IPv6 as well.


I always wondered why (ISPs) never started with rolling out IPv6 email 
servers first, the fallback from 6 to 4 is transparent and invisible to 
the end user at a delay of a maximum of 30 seconds.


I enabled v6 for my email before my website since the impact if it 
didn't work on the 1st try was almost nil.


Still waiting for the 1st Country to top Romania's 6% deployment. I'm 
sure we can do better than 0.21.


IMHO, asking users if they want IPv6 is the wrong way round; you enable 
IPv6 and then allow for opt-out in the service portal.


That's basically what the Romanian ISP did. They have not gone bankrupt 
either, so maybe it's not all as bad as we think.


Cheers,

Seth



Re: ipv6 book recommendations?

2012-06-05 Thread Seth Mos

On 5-6-2012 16:29, David Hubbard wrote:

Does anyone have suggestions on good books to really get
a thorough understanding of v6, subnetting, security practices,
etc.  Or a few books.  Just turned up dual stack with our
peers and a test network but I'd like to be a lot more
comfortable with it before looking at our customer network.


I liked the O'Reilly IPv6 Essentials. I've read a few chapters when I 
needed it.


Cheers,

Seth



Re: Automatic IPv6 due to broadcast

2012-04-17 Thread Seth Mos

On 17-4-2012 10:33, Carlos Martinez-Cagnazzo wrote:

IMO it's much easier to disable one rogue than to disable IPv6 on the
whole network. That is if you can find it, but with some proper
tcpdumping and/or CLI commands (depending on the switches that you have)
it should be relatively easy.


Even better, the IPv6 gateway you got assigned is based on the MAC 
address. That means you can also find what brand of device is advertising.


http://standards.ieee.org/develop/regauth/oui/public.html

You can most likely find which IPv4 address the MAC corresponds to as 
well. Was that so hard?



Not to mention that, as pointed by others, this provides a wonderful
opportunity to look into this new (*grin*) protocol.


Indeed!



Cheers!

~Carlos


Cheers,

Seth
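The link-local gateway address that a rogue Router Advertisement installs is, when the advertising device builds its addresses from its MAC (modified EUI-64 identifiers, RFC 4291 Appendix A: the MAC is split around ff:fe and the universal/local bit is flipped), enough to recover that MAC and therefore the vendor. The Python below is an added example, not from the post: it pulls the MAC out of such an address and looks the OUI up in a two-entry excerpt constructed for the example (load the IEEE list linked above for real work). Addresses with privacy, random or manually assigned identifiers have no ff:fe marker, and the function returns None for those rather than guessing.

```python
"""Identify the device behind a rogue Router Advertisement from its
link-local address, as an added example (not from the post)."""
import ipaddress

# Two-entry excerpt of the IEEE OUI registry, constructed for this example;
# the complete list is the IEEE page linked in the post.
OUI_EXCERPT = {
    "00:00:0c": "Cisco Systems",
    "00:50:56": "VMware",
}


def mac_from_eui64_address(addr):
    """Recover the MAC address embedded in a modified EUI-64 interface
    identifier (RFC 4291, Appendix A).

    Returns None when the identifier was not built from a MAC: privacy
    extensions, random or manually chosen identifiers have no ff:fe marker
    in the middle, so there is nothing to recover.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # the low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip in the first octet and drop ff:fe.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def vendor_of(mac, registry=OUI_EXCERPT):
    """Vendor for the 24-bit OUI of a MAC, or None when it is not listed."""
    return registry.get(mac[:8].lower())


def identify_advertiser(gateway_addr):
    """Summarise what an IPv6 default gateway address reveals about the device."""
    mac = mac_from_eui64_address(gateway_addr)
    return {
        "address": str(ipaddress.IPv6Address(gateway_addr)),
        "mac": mac,
        "vendor": vendor_of(mac) if mac else None,
        "eui64": mac is not None,
    }


if __name__ == "__main__":
    # Constructed samples: gateways hosts picked up from unexpected RAs.
    print(identify_advertiser("fe80::200:cff:fe12:3456"))
    print(identify_advertiser("fe80::a1b2:c3d4:e5f6:1234"))  # privacy-style IID
```

Once you have the MAC, the switch's forwarding table tells you the port, and the IPv4 ARP/neighbour table usually tells you which existing host it is; when the address is not EUI-64 based, those two tables are where you start instead.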



Re: IPv6 support via Charter | Ideas on BGP Tunnel via HE

2012-04-11 Thread Seth Mos
Hi,

On 11 Apr 2012, at 20:16, Anurag Bhatia wrote:

 Also, does it makes sense to go for BGP Tunnel for now? I just setup IPv6
 Tunnel via Hurricane Electric. Latency seems pretty much OK ~ 10-15ms of
 overhead. Yet to test other parameters. I heard Tunnels are usually bad.
 Can someone tell how to test this tunnel setup to confirm if there is a
 performance issue or not? I am thinking of writing a quick bash script and
 run via cron to test latency, packet loss and bandwidth throughput for
 couple of days. If anyone has better idea, please let me know.

Also using a HE.net BGP tunnel for our IPv6, simply because having just 1 
native provider with IPv6 isn't redundant. That and it's 8mbit.

The v4 connection which the tunnel connects over is 90mbit, and the tunnel 
needs to travel from NL to DE for the FRA BGP peering.

I'm getting about 40mbit through the IPv6 tunnel, so I'd say it works well, 
although the throughput has slowly been dropping to the 30's range over the 
last 6 months. But that's probably because of the latency.

For something that is provided for free I'm really glad we have it.

I should have peered with their UK PoP as it's much closer by latency, thus 
faster.

Cheers,

Seth


Re: Shim6, was: Re: filtering /48 is going to be necessary

2012-03-12 Thread Seth Mos
On 12-3-2012 16:07, Robert E. Seastrom wrote:
 
 Doug Barton do...@dougbarton.us writes:
 

 Grass-roots, bottom-up policy process
 +
 Need for multihoming
 +
 Got tired of waiting
 =
 IPv6 PI

+
Cheap End Users
=
IPv6 NPt (IPv6 Prefix Translation)

Cheers,

Seth



Re: Shim6, was: Re: filtering /48 is going to be necessary

2012-03-12 Thread Seth Mos
Hi,

On 12 Mar 2012, at 18:09, Owen DeLong wrote:

 +
 Cheap End Users
 =
 IPv6 NPt (IPv6 Prefix Translation)
 
 Cheers,
 
 Seth
 
 I don't get the association between cheap end users and NPT. Can you explain 
 how one relates to the other, given the added costs of unnecessarily 
 translating prefixes?

Well, to explain cheap here I would like to explain it as following:

- The existing yumcha plastic soap box that you can buy at your local 
electronics store is powerful enough. About as fast in v6 as in v4 since 
it is all software anyhow. It only gets faster from there.

- Requires no cooperation from the ISP. This gets excessively worse where n > 
1. Some have 8 or more for added bandwidth.

- The excessive cost associated by current ISP practices that demand you use a 
business connection (at reduced bandwidth and increased cost). Somehow there 
was a decision that you can't have PI on consumer connections.

- Traffic engineering is a cinch, since it is all controlled by the single box. 
For example round robin the connections for increased download speed. Similar 
to how we do it in v4 land.

- It is mighty cheap to implement in current software, a number of Cisco and 
Juniper releases support it. The various *BSD platforms do and Linux is in 
development.

- Not to underestimate the failover capabilities when almost all routers 
support 3G dongles for backup internet these days.

There are considerable drawbacks of course:

- Rewriting prefixes breaks VoIP/FTP again, although without the port rewriting 
the impact is less, but significant. I'd really wish that H.323, FTP and VoIP 
would go away. Or other protocols that embed local IP information inside the 
datagram. But I digress.

- People balk at the idea of NAT66, not to underestimate a very vocal group 
here. All for solutions here. :-)

- It requires keeping state, so no graceful failover. This means dropping 
sessions of course, but the people that want this likely won't care for the price 
they are paying.

Probably missed a bunch of arguments the people will complain about. It is 
probably best explained in the current experimental draft for NPt.
http://tools.ietf.org/html/rfc6296

Cheers,

Seth
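The "NAT66" of the cable-plus-DSL failover example earlier in this thread and the NPt of this list of pros and cons are the same mechanism, the one RFC 6296 (linked above) specifies. What follows is an added Python example, not from any post and not pfSense code, of the part that makes it cheap to implement in software: the translator only rewrites the prefix and then adds a per-prefix-pair constant to one 16-bit word of the address so that the one's complement sum of the whole address, and with it every TCP/UDP/ICMPv6 checksum that covers the pseudo-header, is unchanged. The prefixes (fd01:203:405::/48 inside, 2001:db8:1::/48 outside) and addresses are constructed. The placement of the adjustment (subnet field for /48 and shorter, first interface-identifier word that is not 0xFFFF for /49 to /64) and the rule of writing 0x0000 for a result of 0xFFFF follow my reading of the RFC; an internal subnet field of 0xFFFF is refused by this example rather than handled.

```python
"""NPTv6 (RFC 6296) checksum-neutral prefix translation, as an added example.

Constructed prefixes: fd01:203:405::/48 on the LAN (ULA) and 2001:db8:1::/48
from one of the two WANs. Translating towards the WAN and back again uses the
same function with the prefixes swapped.
"""
import ipaddress
import struct

INTERNAL = ipaddress.IPv6Network("fd01:203:405::/48")  # constructed: LAN side
EXTERNAL = ipaddress.IPv6Network("2001:db8:1::/48")    # constructed: WAN side


def words_of(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    return list(struct.unpack("!8H", ipaddress.IPv6Address(addr).packed))


def ones_complement_sum(words):
    """Sum 16-bit words with end-around carry, as the TCP/UDP checksum does."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_sub(a, b):
    """a - b in 16-bit one's complement arithmetic (a + ~b)."""
    return ones_complement_sum([a, (~b) & 0xFFFF])


def rewrite_prefix(addr, dst):
    """Overwrite the leading dst.prefixlen bits of addr with dst's prefix."""
    host_mask = (1 << (128 - dst.prefixlen)) - 1
    return ipaddress.IPv6Address(
        (int(dst.network_address) & ~host_mask) | (int(addr) & host_mask))


def npt_translate(addr, src, dst):
    """Map addr from prefix src to prefix dst without changing the one's
    complement sum of the address. Swap src and dst to translate back."""
    addr = ipaddress.IPv6Address(addr)
    src, dst = ipaddress.IPv6Network(src), ipaddress.IPv6Network(dst)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("NPTv6 needs equal-length prefixes of at most /64")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    old = words_of(addr)
    new = words_of(rewrite_prefix(addr, dst))
    # Only the prefix bits differ between old and new, so this adjustment is
    # a constant for the prefix pair (a real translator computes it once).
    adjustment = ones_complement_sub(ones_complement_sum(old[:4]),
                                     ones_complement_sum(new[:4]))
    if src.prefixlen <= 48:
        target = 3                      # the subnet field, bits 48..63
    else:
        # /49 to /64: the first interface-identifier word that is not 0xFFFF
        target = next((i for i in range(4, 8) if new[i] != 0xFFFF), None)
        if target is None:
            raise ValueError("an IID of all 0xFFFF words cannot be translated")
    if new[target] == 0xFFFF:
        # 0xFFFF and 0x0000 are both zero in one's complement; translating a
        # 0xFFFF subnet field would not be reversible, so refuse it here.
        raise ValueError("subnet field 0xFFFF is not supported by this example")
    new[target] = ones_complement_sum([new[target], adjustment])
    if new[target] == 0xFFFF:
        new[target] = 0x0000            # write positive zero (RFC 6296)
    return ipaddress.IPv6Address(struct.pack("!8H", *new))


def checksum_neutral(a, b):
    """True when both addresses contribute equally to a pseudo-header checksum."""
    return ones_complement_sum(words_of(a)) == ones_complement_sum(words_of(b))


if __name__ == "__main__":
    inside = "fd01:203:405:1::1234"
    outside = npt_translate(inside, INTERNAL, EXTERNAL)
    back = npt_translate(outside, EXTERNAL, INTERNAL)
    print(inside, "->", outside, "->", back,
          "| checksum neutral:", checksum_neutral(inside, outside))
```

Because nothing but the address bytes are touched, the same mapping serves both WANs in the failover case: one NPTv6 instance per WAN prefix, stateless, and the stateful firewall rules on each WAN stay exactly as they were, which is the point the thread makes about it not hiding anything.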


Re: ATT home DSL IPv6 configuration?

2012-03-10 Thread Seth Mos

On 10 Mar 2012, at 03:40, Chris Adams wrote:

 
 Can anybody tell me how they are configuring their IPv6 setup?

They deploy using 6rd. In other words, they get to deploy IPv6 _again_ in about 
a few years time.

Basically any router with 6rd support and the knobs in the UI to input their 
6rd border relay and you should be good.

It's nice that you can use their border relay from outside the US too. 

Regards,

Seth


Re: enterprise 802.11

2012-01-15 Thread Seth Mos
Hi,

We chose the 3Com, now H3C wx3012 controller and AP9552 accesspoints.

Initial issues were that BlackBerries could not connect to the wifi; the 
support initially was mediocre.

Do note that this was at the time that everything got sold to HP. And they did 
pick up the issue and came around with a fix in about a month time.

It's been working swell since then, I mean, the spelling errors in the UI I can 
live with. It's been stable so far. It was also by far the most reasonably 
priced. That counts for something.

VLANs, RADIUS, captive portal etc. worked for me. UI is good enough to use and 
diagnose clients. Wireless coverage is ... well, it's wireless.

Reliable wireless isn't. Unless it's 5Ghz, and stopped by 1 floor or wall. I 
digress.

Regards,

Seth 
On 15 Jan 2012, at 20:57, Mike Hale wrote:

 Cisco's wireless solutions are pretty badass.  The APs I've used are
 absolutely rock solid.  Set up will take a bit of time, but once you're
 done, maintenance is minimal.
 On Jan 15, 2012 11:54 AM, Mike Lyon mike.l...@gmail.com wrote:
 
 Ubiquity (www.ubnt.com) has their Unifi line of products. It's still
 pretty new in the marketspace and thus, working out the bugs. I use
 their other products exclusively for outdoor wireless.
 
 However, in the offices ive done, ive used Cisco's WLC 4402 controller
 which supports 12 access points. They have controllers which support
 more APs as well.
 
 Hit me up offlist if you have any questions.
 
 -mike
 
 Sent from my iPhone
 
 On Jan 15, 2012, at 11:39, Meftah Tayeb tayeb.mef...@gmail.com wrote:
 
 Ubiquity
 or ubikity, maybe is miss spelled
 Someone correct the spelling for him please
 thank you
 - Original Message - From: Ken King kk...@yammer-inc.com
 To: nanog@nanog.org
 Sent: Sunday, January 15, 2012 9:30 PM
 Subject: enterprise 802.11
 
 
 I need to choose a wireless solution for a new office.
 
 up to 600 devices will connect.  most devices are mac books and mobile
 phones.
 
 we can see hundreds of access points in close proximity to our new
 office space.
 
 what are the thoughts these days on the best enterprise solution/vendor?
 
 Thanks for your replies.
 
 
 Ken King
 
 
 
 
 
 
 
 __ Information from ESET NOD32 Antivirus, version of virus
 signature database 6793 (20120113) __
 
 The message was checked by ESET NOD32 Antivirus.
 
 http://www.eset.com
 
 
 
 




IPv6 resolvers

2012-01-04 Thread Seth Mos
Hi Nanog, Owen,

I was wondering if many people are seeing horrendous latency on the free 
Hurricane Electric resolvers?

Both accessing the v4 or v6 resolvers have horrendous latency. This could well 
be coupled to their free nature and popularity.

So far when contacting Hurricane Electric they restart the resolver on their 
end and all is well again, but now other pfSense users in the US were noticing 
these latency issues as well, leading me to believe it is a larger issue.

But I was wondering if a more permanent solution for these resolvers exist.


 74.82.42.42 2373 msec 
 2001:470:20::2  2592 msec

The google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok 
too.
 2001:4860:4860::8844  16 msec 

Kind regards,

Seth Mos


Re: IPv6 resolvers

2012-01-04 Thread Seth Mos
Hi,

Just pointing out to other responding to this thread that I was referring to 
the *query* response times, I said nothing about ICMP which is perfectly fine.

So please stop responding with ping response times already :-)

No, pfSense does not set these per default, they are in wide use because these 
are part of the Google DNS whitelist for V6 records.

On 4 Jan 2012, at 21:33, Mark Kamichoff wrote:

 ;; ANSWER SECTION:
 cnn.com.  299 IN  A   157.166.226.26
 cnn.com.  299 IN  A   157.166.255.19
 cnn.com.  299 IN  A   157.166.255.18
 cnn.com.  299 IN  A   157.166.226.25

And a similar mistake I see others respond to as well: this is another domain 
with just an IPv4 record. That was not really what I was complaining about, but I 
was not specific enough in my email.

When requesting the DNS for the hostname with a Quad A the story is entirely 
different!

Try www.pfsense.com or www.didi.nl

Those will definitely hit the issue, otherwise one can always use Nanog.org 
like below.

 74.82.42.42 2204 msec 
 2001:4860:4860::8844  17 msec 
 2001:470:20::2  2890 msec
   
Best regards,

Seth

 
 ;; Query time: 38 msec
 ;; SERVER: 74.82.42.42#53(74.82.42.42)
 ;; WHEN: Wed Jan  4 15:27:17 2012
 ;; MSG SIZE  rcvd: 89
 
 (neodymium:15:32)% dig @2001:470:20::2 cnn.com. A
 
 ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 cnn.com. A
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41382
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;cnn.com. IN  A
 
 ;; ANSWER SECTION:
 cnn.com.  295 IN  A   157.166.226.25
 cnn.com.  295 IN  A   157.166.255.18
 cnn.com.  295 IN  A   157.166.255.19
 cnn.com.  295 IN  A   157.166.226.26
 
 ;; Query time: 20 msec
 ;; SERVER: 2001:470:20::2#53(2001:470:20::2)
 ;; WHEN: Wed Jan  4 15:32:27 2012
 ;; MSG SIZE  rcvd: 89
 
 That being said, keep in mind these are anycasted.  I'm using
 216.66.22.2 [tserv13.ash1.ipv6.he.net] for IPv4 and 209.51.161.14
 [tserv4.nyc4.ipv6.he.net] according to the A record returned by
 whoami.akamai.net.  I might not be hitting the same server you are.
 
 - Mark
 
 -- 
 Mark Kamichoff
 p...@prolixium.com
 http://www.prolixium.com/




Re: IPv6 RA vs DHCPv6 - The chosen one?

2011-12-26 Thread Seth Mos

On 26 Dec 2011, at 20:46, Steven Bellovin wrote:

 Not quite what you're asking for, but I was very pleasantly surprised to see
 that some (at least) Brother printers support IPv6.  Progress...

Indeed, my Mac has no issues printing or scanning to my MFC-9465DCN I purchased 
recently.

I was pleasantly surprised, only SLAAC though, but it does register through 
mDNS and bonjour.

Cheers,

Seth


Re: IPv6 RA vs DHCPv6 - The chosen one?

2011-12-21 Thread Seth Mos
Hi,

On 21 Dec 2011, at 20:16, Tomas Podermanski wrote:

 Hi,
 
 from my perspective the short answer for this never-ending story is:

To be fair, SLAAC was designed as a light weight method to configure addressing 
on the hosts.

Hosts. We don't have hosts on the internet anymore, we stopped using dialup 
ages ago (or so it seems). We now address routers, and those have very 
different requirements, like needing routing and firewalling and some way to 
get subnets routed to them, that is where dhcp6 prefix delegation comes in. 
SLAAC serves no purpose for routers bar making the configure process awkward 
and error prone.

That wasn't what we needed.

I recently had a conversation with a promoter of the SLAAC method.

A 64KB RAM device can configure an address and work as an autonomous sensor.

I raised the concern that the device might need to connect to a host, since you 
couldn't find it in a /64 of address space. He honestly suggested that you 
could just configure to have it connect to a static address.

Really, and nobody renumbers networks, at all? That's false.

And that is still a host, not a router.

And since then we've come a lot farther than 64KB sensor devices. Considering 
we can buy (wireless) routers at the local mall that have more RAM and 
processing power than we used to have in a computer in the 90s, now in a tablet, 
phone or other embedded device.

Having built DHCP6 support in an open source firewall I agree that the (+IPv6) 
configuration of routers has become overly complicated and error prone, even 
more so due to possible renumbering. RA will have one thought, and the DHCP6 
client another, not even going into multiple (possibly differing) feeds of both 
IPv4 and IPv6 DNS servers.

It was intended for hosts, not really minding that, but please, can we stop 
using it for routers?

Regards,

Seth




Re: Dynamic (changing) IPv6 prefix delegation

2011-11-24 Thread Seth Mos
Hi,

On 24 Nov 2011, at 21:09, Joel jaeggli wrote:

 On 11/21/11 14:18 , Nathan Eisenberg wrote:
 Look at the number that are refusing to make generous prefix
 allocations
 to residential end users and limiting them to /56, /60, or even worse,
 /64.
 
 Owen,
 
 What does Joe Sixpack do at home with a /48 that he cannot do with a /56 or 
 a /60?
 
 prefix delegation to a downstream device via dhcp-pd

Joe Sixpack might not even realize that his device even does this. I actually 
added a dhcpv6 server that can do just this. Still considering if it should do 
that automatically.

Contrary to proper networking, I frequently see double NAT routers because they 
purchased a new wifi router which is then daisy chained to the old one.

Or they had a non-wifi model and plugged in the port labeled (internet) of the 
new wifi router into the existing one. Which is more common.

With dhcp-pd in each, you could daisy chain a few times before it gives out. 
You know what, let's just build that because I can, it's a few hours of coding, 
but nothing too serious. Most hooks are already in place. I just didn't start a 
dhcpdv6 automatically yet.

In a nutshell. Yes, Please.

Regards,

Seth


Dynamic (changing) IPv6 prefix delegation

2011-11-21 Thread Seth Mos
Hello List,

As a pfSense developer I recently ran into a test system that (actually)
gets an IPv6 prefix from its ISP. (Hurrah).

What is bewildering to me is that each time the system establishes a new
PPPoE session to the ISP they assign a different IPv6 prefix via
delegation together with a differing IPv4 address for the WAN.

Is this going to be forward for other consumer ISPs in the world?

One of the thoughts that came to mind is T-Online in Germany that still
disconnects its (PPPoE) user base every 24 hours for a new random IP.

Short of setting really short timers on the RA messages for the LAN I
can see a multitude of complications for consumers in the long run.

People that configure their NAS, Media Player and Printer on their own
network. And using ULA for either is not workable unless they somehow
manage to grow DNS skill on the end user. Their NAS probably wants to
download from the 'net and access videos from the NAS. The media player
wants to be able to access youtube and the laptop needs to (reliably)
find its printer each time.

I really hope that ISPs will commit to assigning the same prefix to the
same user on each successive connection.

Here is to hoping.

Kind regards,

Seth



Re: Firewalls - Ease of Use and Maintenance?

2011-11-09 Thread Seth Mos
On 9-11-2011 0:06, Jones, Barry wrote:
 Hello all.
 I am potentially looking at firewall products and wanted suggestions as to 
 the easiest firewalls to install, configure and maintain? I have a few small 
 networks ( 50 nodes at one site, 50 odd at another, and maybe 20 at another. 
 I have worked with Cisco Pix, ASA, Netscreen, and Checkpoint (Nokia), and 
 each have strong and not as strong features for ease of use. Like everyone, 
 I'm resource challenged and need an easy solution to stand up and operate.

I am biased because I am a pfSense developer.

pfSense is a free open source FreeBSD based firewall with the pf packet
filter. http://www.pfsense.org

It supports various features and installable packages that might fill
your needs. Commercial support is also available.

One of the reasons I use it at work is because it is by far the cheapest
solution to gigabit redundant (Active/Passive) firewalls. It runs on x86
machines from the low end PCengines.ch Alix 2D3 to something like a dual
core Intel Atom, or a normal server at the higher end.

It is administered entirely via the webUI, saves the config in an XML
file you can backup and then restore on pretty much any other hardware
you have around should it need to be replaced.

The (readable) XML file was also really easy to provision things like
hundreds of VPN tunnels instead of clicking through the UI.

The PHP command interface allows you to perform scripting operations on
the XML as well which comes in handy on mass mutations.

Kind regards,

Seth



Re: Firewalls - Ease of Use and Maintenance?

2011-11-09 Thread Seth Mos
On 9-11-2011 11:07, Tom Hill wrote:
 On Wed, 2011-11-09 at 09:13 +0100, Seth Mos wrote:
 I am biased because I am a pfSense developer.

 pfSense is a free open source FreeBSD based firewall with the pf
 packet filter. http://www.pfsense.org
 
 I'm a very happy user of m0n0wall and I know pfSense is often seen as
 the more 'grown up' variant.
 
 Still though, I hear bad things of the IPv6 support in pfSense. It's
 available but not stock-standard & supported.

That is correct, it is in the 2.1 branch. Our code has diverged a lot
from m0n0wall where it came from so porting it was not easy. Instead I
wrote the code from scratch.

I wrote the IPv6 code in pfSense 2.1 for the last year and I've been
using it in production for quite a while now. Since February this year
to be precise.

It is true that until 2.1 is released somewhere next year the latest
official release is pfSense 2.0.

The people running Commercial support do support 2.1 with IPv6 if you
need it though. There are already a number of customers running it in
production because they needed IPv6 support.

The biggest holdup is lack of commercial VPN client support for
dual-stack. Viscosity, TunnelBlick I am looking at you. We do ship a
working Windows OpenVPN dual stack client solution in the Client
exporter on 2.1.

Working dual stack for your VPN solution is kind of important if you
expect to be able to reach your corporate servers. Much grief/fun to be
had here. If the corporate LAN advertises quad A records then it will
confuse your VPN clients if they have a v4 VPN address but only a v6
internet address.

 How does the pfSense developer attitude towards filtering the entire
 Internet, IPv6 included, currently stand?

I do not quite understand your question. If you are referring to a
default deny policy on incoming traffic, then yes.

The default rule is to deny incoming traffic over IPv6 as it did over
IPv4. You will need to create rules to allow it through. Default LAN
rule is allow both IPv4 and IPv6 out. Of course you can alter the
firewall rules as you see fit.

If I misunderstood your question then please verify.

Kind regards,

Seth



Re: Performance Issues - PTR Records

2011-11-08 Thread Seth Mos
On 7-11-2011 14:46, sth...@nethelp.no wrote:
 The practice of filling out the reverse zone with fake PTR record
 started before there was wide spread support for UPDATE/DNS.  There
 isn't any need for this to be done anymore.  Machines are capable
 of adding records for themselves.

 How do I setup this for DHCPv6-PD?  Say, I delegate 2001:db8:42::/48 to
 the end user.  Should I delegate reverse DNS as well?  If so, to whom?

 Or is it the CPE's responsibility to dynamically add records for whatever
 addresses it sees on the internal LAN(s)?  Are there CPEs capable of
 doing this?

 Or will the end systems themselves do the update against my DNS server?
 If so, how do I authenticate that?
 
 With my ISP hat on, I find the idea of customer CPEs updating their
 own PTR records to be completely unacceptable. So I guess I'll either
 live without the reverse DNS, or use a name server that can synthesize
 answers on the fly.

That seems like a really nice feature, create a reverse record to spoof
a mail server and the reverse DNS will match up.

If the domain does not employ SPF it will look legit; forward and
reverse won't match up of course. Not sure how many mailservers have
issues with that if the reverse matches up.

Sounds like a fine way to employ a spam botnet.

Regards,

Seth



Re: routing issue for verizon dsl customers in western massachusetts

2011-09-18 Thread Seth Mos
Congratulations on your NAT444 connection. I suspect an autoblocklist of sorts. 
They somehow always end up blocking the hosts you are using.

I vaguely remember my watchguard firebox 1000 doing so. It was red too.

Regards and good luck,

Seth

typed on a tiny touchscreen, why exactly?

Steve Bohrer skboh...@simons-rock.edu wrote:

On Sep 15, 2011, at 3:39 PM, Christopher Morrow wrote:

 On Thu, Sep 15, 2011 at 3:34 PM, Brian Gold bg...@simons-rock.edu  
 wrote:
 Over the past week, we've discovered that there is an issue with  
 the way
 some Verizon DSL customers are being routed in Western  
 Massachusetts that is
 preventing them from reaching my employers public IPs. The problem  
 is only
 limited to Verizon DSL customers, everyone else can reach these IP  
 addresses
 just fine. After many hours on the phone with Verizon tech support, I
 finally managed to get myself and one of my coworker's home dsl  
 connections
 switched from a redback router to a juniper router which  
 resolved the
 issue, but only for us.

[...]

 If you buy verizon services at your day job you can probably make
 noise through your sales droids better than here (sadly)... verizon
 likes to jump when customers have problems, if the customer is a large
 corporation or other 'important' customer.


That is just the problem! The college does not buy any Verizon network  
stuff directly, so we don't really have any access to their support.  
(We have a few cell phones, but not enough to be important.)

Brian Gold (who first posted) happens to have their DSL to his house,  
and he was one of five who have reported the problem, so that gave him  
a slight "in". But the only techs he could reach as an end user were  
not high enough up to fix this problem in a general way. After  
pressing them for literally hours, he was able to get transferred to  
their NOC, and get the problem resolved for his one address. But, they  
would not give him the NOC contact, and he had to repeat this multi-hour 
process to get it fixed for another user. Verizon's DSL support  
suggested that we get our bandwidth provider involved, and so they  
tried to pitch in, but they don't have any Verizon NOC contact either,  
especially since this issue is purely within a small corner of  
Verizon's DSL network, not on any of Verizon's links to our provider.

This issue hits only a few Verizon DSL users in NW Mass. It does not  
really seem like a routing problem, because the affected users can  
reach many of the servers in our AS, but not some addresses.  
Unfortunately, the blocked addresses include our web server and our  
mail server, so our staff who live out there noticed the issue pretty  
quickly. Traceroutes from Brian's house show that for our blocked  
hosts, the users don't get beyond Verizon's NAT.

The Verizon tech's fix of re-patching Brian's DSL line into a
different router feels to me like there is a config problem in the
other router, but the tech we got is not authorized to alter the
config. It would be nice if we could reach someone who could actually
edit the broken config and make it right. Anyone from Verizon's NOC
for Western Mass reading this? Or, does anyone else have useful
contact info for them?

FWIW, Simon's Rock is 208.81.88.0/21, AS 19345. Here are a failed and  
a good trace from Brian's house, to different servers on our campus :

FAILS:
Tracing route to wilbur.simons-rock.edu [208.81.88.15]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.10.1
  2     1 ms     1 ms     1 ms  192.168.1.1
  3    53 ms   104 ms   116 ms  10.14.1.1
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.

WORKS:
Tracing route to dev.simons-rock.edu [208.81.88.25]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.10.1
  2     1 ms     1 ms     1 ms  192.168.1.1
  3    87 ms    54 ms    54 ms  10.14.1.1
  4    99 ms   109 ms   103 ms  at-0-3-0-1711.WMA-CORE-RTR2.verizon-gni.net [130.81.10.77]
  5    16 ms    18 ms    16 ms  so-7-3-1-0.NY5030-BB-RTR2.verizon-gni.net [130.81.20.6]
  6    19 ms    17 ms    17 ms  0.xe-3-1-0.BR3.NYC4.ALTER.NET [152.63.2.81]
  7    18 ms    21 ms    18 ms  204.255.168.194
  8   108 ms   188 ms   116 ms  pos5-0-2488M.cr1.BOS1.gblx.net [67.17.94.57]
  9    24 ms    28 ms    23 ms  pos0-0-0-155M.ar1.BOS1.gblx.net [67.17.70.162]
 10   121 ms   160 ms   127 ms  64.213.79.250
 11    77 ms    77 ms    78 ms  208.81.88.25

Trace complete.

Anyways, thanks for any suggestions you can offer.

Steve Bohrer
Network Administrator
ITS, Bard College at Simon's Rock
413-528-7645





Re: NAT444 or ?

2011-09-07 Thread Seth Mos

On 7 Sep 2011, at 19:06, jean-francois.tremblay...@videotron.com wrote:

 On Wed, Sep 07, 2011 at 12:16:28PM +0200, Randy Bush wrote:
 I'm going to have to deploy NAT444 with dual-stack real soon now.
 you may want to review the presentations from last week's apnic meeting
 in busan.  real measurements.  sufficiently scary that people who were
 heavily pushing nat444 for the last two years suddenly started to say
 it was not me who pushed nat444, it was him!  as if none of us had a
 memory. 
 
 Hm, I fail to find relevant slides discussing that. Could you please
 point us to those?
 
 I had the same question. I found Miyakawa-san's presentation has some 
 dramatic examples of CGN NAT444 effects using Google Maps: 
 http://meetings.apnic.net/__data/assets/file/0011/38297/Miyakawa-APNIC-KEYNOTE-IPv6-2011-8.pptx.pdf
  
 
 
 However these are with a very high address-sharing ratio (several 
 thousands users per address). Using a sparser density (= 64 users per 
 address) is likely to show much less dramatic user impacts. 

I think you have the numbers off, he started with 1000 users sharing the same
IP, since you can only do 62k sessions or so and with a normal timeout on
those sessions you ran into issues quickly.

The summary is that with anything fewer than 20 simultaneous TCP sessions per
user Google Maps or Earth was problematic. From 15 and downwards almost
unusable.

He deduced from testing that about 10 users per IP was a more realistic limit
without taking out the entire CGN experience.

On a personal note, this isn't even taking into question things like broken
virus scanners or other software updates that will happily try to do 5 sessions
per second, or an MSN client lost trying to do 10 per second. The most the
Windows IP stack will allow on client versions.

The real big issue that will be the downfall of NAT444 is the issue with ACLs
and automatic blocklists and the loss of granular access control on that which
the ISP has no control of. Which roughly estimates to the internet.
 
Regards,

Seth


Re: NAT444 or ?

2011-09-07 Thread Seth Mos

On 8 Sep 2011, at 07:26, Geoff Huston wrote:

 
 On 08/09/2011, at 2:41 AM, Leigh Porter wrote:
 
 It may not be what Randy was referring to above, but as part of that program 
 at APNIC32 I reported on the failure rate I am measuring for Teredo. I'm not 
 sure it's all in the slides I was using, but what I was trying to say was that 
 STUN is simply terrible at reliably negotiating a NAT. I was then wondering 
 what pixie dust CGNs were going to use that would have any impact on the ~50% 
 connection failure rate I'm observing in Teredo. And if there is no such 
 thing as pixie dust (damn!) I was then wondering if NATs are effectively 
 unusable if you want anything fancier than 1:1 TCP connections (like 
 multi-user games, for example). After all, a 50% connection failure rate for 
 STUN is hardly encouraging news for a CGN deployer if your basic objective is 
 not to annoy your customers.

The striking thing I picked up is that NTT considers the CGN equipment a big
black hole that money goes into. Because it won't solve their problem now or
in the future, it effectively becomes a piece of equipment they need to buy
and then scrap soon after.

They acknowledge the need, but they'd rather not buy one.
That and they (the isp) get called for anything which doesn't work.

Regards,

Seth


Re: Point to MultiPoint VPN w/qos

2011-09-06 Thread Seth Mos

On 6-9-2011 15:49, Positively Optimistic wrote:

Greetings



Does anyone have a suggestion for a single piece of hardware that would
support 8 or less Ethernet interfaces and the two vpn tunnels ?


Single piece of hardware, no. If 2, then yes.

A PCengines Alix 2D3 with pfSense/m0n0wall and OpenVPN UDP tunnels to 
the datacenter combined with a Power over Ethernet switch would seem a 
likely combination. A HP Procurve 8 Port gigabit desktop switch with PoE 
comes to mind. Not too expensive, fanless, quiet, reliable, does VLANs.


That way you can power the router and phones from the same (smallish) 
UPS. Say a 700VA APC.


Regards,
Seth



Re: iCloud - Is it going to hurt access providers?

2011-09-03 Thread Seth Mos

On 3 Sep 2011, at 19:49, Jimmy Hess wrote:

 On Sat, Sep 3, 2011 at 6:20 AM, Skeeve Stevens ske...@eintellego.net wrote:
 
 My guess is that 99% of consumer internet access is Asymmetrical (DSL, 
 Cable, wireless, etc) and iCloud when launched will 'upload' obscene amounts 
 of gigs of music, tv, backups, email, photos, documents/data and so on to 
 their data centres.
 

 since a majority of music files backed up would be file-identical
 with  material  someone else had already backed up,
 and identical to material  already in  the iTunes store  (which they
 could pre-seed their database with).

How would storage vendors otherwise sell deduplication? I mean, you could make
the application smarter, but that wouldn't sell more spinning rust or licenses.

Regards,

Seth


Re: in defense of lisp

2011-07-13 Thread Seth Mos
On 13-7-2011 16:09, Randy Bush wrote:
  btw, a little birdie told me to take another look at

The free Open Source FreeBSD based pfSense firewall supports this. Not
everyone can get BGP, specifically calling out residential connections here.

As a 1:1 NAT mechanism it works pretty well, I can reach the outside,
and the outside can reach me. Which I think is what was intended in the
specifications. And pretty much the internet.

It took me 4 months to write the IPv6 support in pfSense to what it is
today. Which is not feature complete. But the NPT part was just a few
hours in the grand scheme.

I've also contacted the nice people from the draft that we support it.

Since then we've got v4 and v6 with BGP at work so it's moot. But I digress.

Kind regards,

Seth Mos
pfSense developer.


 
  6296 IPv6-to-IPv6 Network Prefix Translation. M. Wasserman, F. Baker.
   June 2011. (Format: TXT=73700 bytes) (Status: EXPERIMENTAL)
 
  which also could be considered to be in the loc/id space
 
  randy
 
 



Re: Address Assignment Question

2011-06-20 Thread Seth Mos

On 20 Jun 2011, at 23:24, Tony Finch wrote:

 On 20 Jun 2011, at 16:26, Jérôme Nicolle jer...@ceriz.fr wrote:
 
 But most RBL managers are shitheads anyway, so help them evade, that'll be 
 one more proof of spamhaus co. uselessness and negative impact on the 
 Internet's best practices.
 
 An organization that blocks 90% of spam with no false positives is incredibly 
 useful.

Using a greylisting system is equally effective without the black list part.

My milter-greylist installation is aimed at allowing as much mail through as it 
can, instead of the other way around. Milter-greylist has a nice urlcheck 
feature and/or ldap verification for users. In my case it's a PHP script.

If I can verify the IP to be inside a /22 of the MX records, www records or 
domain records that is sufficient to bypass the greylisting. The timers are 
also quite lenient. Just 15 minutes of wait is enough, or they are persistent 
if we've seen them before by domain. We get the email regardless and phone 
calls are rare, and I never run the risk of never getting the email.

This has turned out to be a really effective way to allow normal email through 
without much delay. After just 2 days at work it's whitelisted over 75% of the 
active domains we do business with.

We have about 17 domains and I know what the poster is asking, we've been 
emailing our customers before, subscribed customers nonetheless. We've had 
our share of blacklisting before. And we even sent the emails with unsubscribe 
links.

But some of them will click the report this as spam link in their favourite 
mail agent as a means to unsubscribe. I mean, clicking a link is hard. The end 
result is that we end up on various block lists. It's a good thing that the 
email servers at large ISPs are often sensible enough to let the email through.

Some of the smaller ones had rather odd draconian limits set. This makes the 
situation for all of us worse.

Regards,

Seth
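The bypass check and greylist timers described in the post above, as an added example that is not Seth's milter-greylist PHP script: the client's address is compared against a /22 around the sender domain's MX, www and apex A records, and anything that does not match gets the 15-minute delay with a per-domain whitelist afterwards. DNS answers come from a constructed lookup table (all names and addresses are invented) so it runs offline.

```python
"""Added example, not the milter-greylist urlcheck script from the post.
Allows a sender to bypass greylisting when its IP lies inside a /22 of one
of its domain's MX, www or apex A records; otherwise applies a 15-minute
delay and whitelists the domain once a retry succeeds. DNS is replaced by
a constructed table so this runs offline; every name below is invented.
"""
import ipaddress
import time
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed stand-in for DNS A lookups: host name -> addresses.
FAKE_A: Dict[str, List[str]] = {
    "mx1.example.net": ["192.0.2.10"],
    "mx2.example.net": ["198.51.100.5"],
    "www.example.net": ["203.0.113.20"],
    "example.net": ["203.0.113.21"],
}
# Constructed stand-in for DNS MX lookups: domain -> exchange host names.
FAKE_MX: Dict[str, List[str]] = {
    "example.net": ["mx1.example.net", "mx2.example.net"],
}


def resolve_a(name: str) -> List[str]:
    """Table lookup here; a real deployment would query the resolver."""
    return FAKE_A.get(name, [])


def candidate_addresses(domain: str) -> Iterator[str]:
    """A records of the domain's MX hosts, its www host and its apex."""
    for exchange in FAKE_MX.get(domain, []):
        yield from resolve_a(exchange)
    yield from resolve_a("www." + domain)
    yield from resolve_a(domain)


def may_bypass_greylist(client_ip: str, domain: str, prefixlen: int = 22) -> bool:
    """True when client_ip falls inside the /22 around any candidate address."""
    ip = ipaddress.ip_address(client_ip)
    for addr in candidate_addresses(domain):
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        if ip in net:  # False when the address families differ
            return True
    return False


class Greylist:
    """Minimal greylist: first-seen time per (client, domain), plus a
    whitelist of domains that have completed one successful retry."""

    def __init__(self, delay_seconds: int = 15 * 60) -> None:
        self.delay = delay_seconds
        self.first_seen: Dict[Tuple[str, str], float] = {}
        self.known_domains: Set[str] = set()

    def decide(self, client_ip: str, domain: str, now: Optional[float] = None) -> str:
        """Return 'accept' or 'tempfail' (SMTP 4xx, sender should retry)."""
        now = time.time() if now is None else now
        if domain in self.known_domains or may_bypass_greylist(client_ip, domain):
            return "accept"
        first = self.first_seen.setdefault((client_ip, domain), now)
        if now - first < self.delay:
            return "tempfail"
        self.known_domains.add(domain)  # persistent by domain from here on
        return "accept"
```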


Re: Address Assignment Question

2011-06-20 Thread Seth Mos

On 20 Jun 2011, at 23:55, John Levine wrote:

 An organization that blocks 90% of spam with no false positives is
 incredibly useful.
 
 Using a greylisting system is equally effective without the black
 list part.
 
 Hi.  I'm the guy who wrote the CEAS paper on greylisting.
 
 Greylisting is useful, but anyone who thinks it's a substitute for
 DNSBLs has never run a large mail system.

We use the black lists for scoring spam messages, but we never outright block 
messages. I was not implying that blacklists are not useful at all. I just see 
things in shades of grey over black and white.

Of the 17 domains we have with roughly 250 users it does well enough.

Regards,

Seth




Re: Question about migrating to IPv6 with multiple upstreams.

2011-06-14 Thread Seth Mos

On 14 Jun 2011, at 19:04, Ray Soucy wrote:

 My guess is within the next year we'll see something pop up that does this.

Ehm, it's already here, you searched Google, right?

I finished it 4 months ago. And a number of commercial platforms already 
support it. Although Owen doesn't like it much.

I really wish there was a more bombproof lite version of the BGP protocol.
- One that has proper authentication not based on a single MD5.
- One that does not allow the client side to define the networks.
- That will only support default routes, it's easier if it can not carry the 
world.

I think an evolved version of ebgp multihop is workable, but you'd still need 
some lightweight form of hooking back into the BGP table.

Ideally, ISPs could deploy a number of these route guides that would inject 
the proper route into the real BGP table, but by then it is filtered and the 
ISP has proper control over what ends up in it. Some ISPs could mark this up as 
a luxury version.

Perhaps a form of PI bound to country (Exchange) would be a workable solution. 
So request a piece of country PI that is delegated explicitly to the roaming 
guide(s).

Regards,

Seth




Re: Question about migrating to IPv6 with multiple upstreams.

2011-06-12 Thread Seth Mos

On 12 Jun 2011, at 03:50, Randy Carpenter wrote:

 
 I have an interesting situation at a business that I am working on. We 
 currently have the office set up with redundant connections for their mission 
 critical servers and such, and also have a (cheap) cable modem for general 
 browsing on client machines.

So basically policy routing?

 The interesting part is that the client machines need to access some customer 
 networks via the main redundant network, so we have a firewall set up to 
 route those connections via the redundant connections, and everything else 
 via the cheaper, faster cable modem. NAT is used on both outbound connections.

Yep that sounds like policy routing.

 With IPv6, we are having some trouble coming up with a way to do this. Since 
 there is no NAT, does anyone have any ideas as to how this could be 
 accomplished?

Sure there is NAT, you can use prefix translation to translate your Global 
Address Range from the redundant ISP to the Cable ISP Global address range when 
leaving that interface. I've run a similar setup with 3 independent ISPs with 
IPv6 netblocks.

Whichever connection the traffic went out it got the right GUA mapped onto it. 
Note that this is 1:1 NAT and not N:1.

In my case there was no primary GUA range, I used a ULA on the LAN side of 
things, and mapped the corresponding GUA onto it when leaving the network. I 
had 3 rules, 1 for each WAN and mapped the ULA/56 to the GUA/56.

In your case you already have a primary connection of sorts, so I'd suggest 
using that on the LAN side and only map the other GUA onto it when it leaves 
the other interfaces.

The policy routing rules on your firewall can make all the routing decisions 
for you.

If you search google for IPv6 network prefix translation there will be a 
firewall listed that can do this somewhere in the middle of the page.

Cheers,

Seth
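The setup described in the reply above, as an added example that is not pfSense's own NPt or policy-routing code: a ULA /56 on the LAN, one GUA /56 per WAN, a 1:1 prefix swap on the source address on the way out and on the destination on the way back, and a policy decision that sends customer networks over the redundant link and everything else over the cable modem. Plain prefix substitution is used (the checksum-neutral adjustment from RFC 6296 is not implemented), and all prefixes and the customer network list are constructed.

```python
"""Added example, not pfSense's own NPt or policy-routing code.
1:1 IPv6 prefix translation per WAN plus the policy decision that picks
the WAN. Plain prefix substitution only; the checksum-neutral adjustment
of RFC 6296 is not implemented. All prefixes are constructed.
"""
from ipaddress import IPv6Address, IPv6Network
from typing import List, Tuple, Union

AddrLike = Union[str, IPv6Address]

LAN_ULA = IPv6Network("fd12:3456:789a:ab00::/56")  # constructed LAN prefix
WAN_GUA = {  # constructed per-WAN GUA /56, one rule per WAN
    "redundant": IPv6Network("2001:db8:1:ab00::/56"),
    "cable": IPv6Network("2001:db8:2:cd00::/56"),
}
# Constructed customer networks that must be reached via the redundant link.
CUSTOMER_NETS: List[IPv6Network] = [IPv6Network("2001:db8:ffff::/48")]


def translate(addr: AddrLike, src: IPv6Network, dst: IPv6Network) -> IPv6Address:
    """Swap the prefix of addr from src to dst, keeping the host bits intact."""
    addr = IPv6Address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 prefix translation needs equal prefix lengths")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}; rule does not apply")
    host_bits = int(addr) & int(src.hostmask)
    return IPv6Address(int(dst.network_address) | host_bits)


def choose_wan(dst: AddrLike) -> str:
    """Policy routing: customer networks via 'redundant', the rest via 'cable'."""
    dst = IPv6Address(dst)
    return "redundant" if any(dst in net for net in CUSTOMER_NETS) else "cable"


def outbound(src: AddrLike, dst: AddrLike) -> Tuple[str, IPv6Address]:
    """Pick the WAN for dst and rewrite the LAN source to that WAN's GUA."""
    wan = choose_wan(dst)
    return wan, translate(src, LAN_ULA, WAN_GUA[wan])


def inbound(wan: str, dst: AddrLike) -> IPv6Address:
    """Reverse mapping for replies arriving on a WAN: GUA back to the ULA."""
    return translate(dst, WAN_GUA[wan], LAN_ULA)


def main() -> None:
    host = IPv6Address("fd12:3456:789a:ab01::10")  # constructed LAN host
    for target in ("2001:db8:ffff::1", "2001:db8:3::1"):
        wan, mapped = outbound(host, target)
        print(f"{host} -> {target}: leaves via {wan} as {mapped}")
        assert inbound(wan, mapped) == host  # round trip preserves the host


if __name__ == "__main__":
    main()
```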


Re: The stupidity of trying to fix DHCPv6

2011-06-12 Thread Seth Mos

On 12 Jun 2011, at 12:05, Daniel Roesen wrote:

 VRRP communications itself is via link-local addresses. There is a
 requirement to have a link-local virtual address as well, but there
 might be many more, e.g. global scope.

In FreeBSD with pfSense I use CARP with v6 addresses which are GUA; the ISP 
routes my /48 to the GUA address. Failover time when rebooting firewalls is in 
the order of seconds. I see no missed HTTP requests and no existing requests 
drop.

The servers behind it are also configured to use the LAN side GUA CARP ipv6 
address as the default gateway.

pfsync makes sure that traffic state is being kept.

 
 Otherwise a whole lot of IPv6 VRRP setups won't be working here. :)
 We use global scope addresses as VRRP virtual router addresses.

Indeed, same here. We have an open ticket iirc to patch our radvd daemon to also 
announce properly when active on a v6 CARP address. It's that or being able to 
manually send a GUA address as the gateway.

Wait, that sounds suspiciously like trying to send a gateway bit by way of DHCP. 
Luckily servers are statically configured. But now comes the deal that I want 
all my client nodes on the corporate lan to also use the GUA address (which has 
stateful failover) for the gateway instead of the link local address of one of 
my CARP cluster nodes.

Other options include crafting a link-local address for the CARP address and 
making sure that radvd uses that. The backup CARP node won't hear anything or be 
heard when the address has BACKUP status. It's on the todo list.

Regards,

Seth




Re: Facebook Engineering, on WIPv6D:

2011-06-08 Thread Seth Mos
Hi Jay,

Can you correlate the users from the access logs and send them an email that 
their IPv6 internet is not working correctly?

Regards,

Seth

On 9 Jun 2011, at 05:03, Jay Ashworth wrote:

 
 World IPv6 Day came to an end earlier today. We successfully enabled IPv6 on 
 our site for 24 hours, with great results. We saw over 1 million users reach 
 us over IPv6.
 
 We’re pleased that we did not see any increase in the number of users seeking 
 help from our Help Center. The estimated 0.03% of users who may have been 
 affected would have experienced slow page loads during the test. 
 
 Based on the encouraging results, we’ve decided to leave our Developer site 
 dual-stacked, supporting both IPv4 and IPv6. And we will continue to adapt 
 our entire code base and tools to support IPv6.
 
 We are glad to have joined with the Internet Society, major Web companies, 
 and other industry players to enable IPv6 for this test day. It was a great 
 opportunity to test our infrastructure and IPv6 readiness.
 
 IPv6 is vital to the continued growth of the Internet, and World IPv6 Day was 
 a great step in the advancement of the protocol.  We hope the overall success 
 of the 24 hour test will encourage others in the industry to establish 
 reliable IPv6 connectivity and develop robust IPv6 products.
 
 Donn is glad the Internet didn't break today.
 
 
 That last was in italics... :-)
 
 Cheers,
 -- jra
 -- 
 Jay R. Ashworth  Baylink   
 j...@baylink.com
 Designer The Things I Think   RFC 2100
 Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
 St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274
 




Re: SIXXS contact

2011-04-27 Thread Seth Mos
On 27-4-2011 0:38, Andrew Kirch wrote:
 On 4/26/2011 12:11 PM, Brielle Bruns wrote:
 I've run a volunteer/free hosting service since 1997 or so - it never
 ceases to amaze me how people will complain about free things, but
 when you ask them to pony up a little monthly support it's like you
 killed their puppy.  I just term people who are more of a hassle than
 they are worth.
 
 I'm not complaining, but I would point out that if these free brokers
 are the public face of IPv6 for many hobbyists (and much of the various
 software run on/over the internet is written by volunteers, and/or given
 away for free), we aren't going to get there.  The big deafening silence
 from SIXXS is really unfortunate in that it does actively affect my
 opinion of IPv6, my willingness to spend time implementing it, pestering
 my upstream about it, or having my business give a damn about it.  Yes I
 know they're volunteers, but how much does that matter?

This same silence you mention is also my personal experience.

I work on an open source firewall project in my spare time and found the
issue annoying, as such I've decided to forgo Sixxs (dynamic) tunnel
support and recommend the free Hurricane Electric tunnelbroker instead.

I can spend my time better in getting OpenVPN working with IPv6 than
waiting to accumulate kredits(tm).

Kind regards,

Seth