Re: Free(opensource) Ticketing solutions

2024-05-28 Thread Stefan Bethke
On 27.05.2024 at 19:28, Pascal Masha wrote:
> 
> Hello,
> 
> Which free and good ticketing systems do you folks(for those who do) use?

I've had good experiences with Zammad https://github.com/zammad/zammad

A bit resource-hungry, and some of the UX takes a bit of getting used to, but very 
efficient workflow-wise. APIs are also very decent, if you want to integrate 
custom systems into the workflow.

Stefan

-- 
Stefan Bethke   Fon +49 175 3288861





Re: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...)

2023-04-03 Thread Stefan Giera
Looks like a scam to me, we are based in Germany and from time to time we 
are getting requests from BKA, all mails originated from 
"*@bka.bund.de", never heard about this "cyber.bka.de" domain.
Also I would expect something more like a specific criminal 
investigation from the BKA instead of the usual "we found suspicious ip 
addresses" announcement like Shadowserver is offering.


Governmental services within DTAG (AS3320) ip space is pretty common in 
Germany.



HTH,
Stefan


--
Stefan Giera, BelWü (AS553)
BelWü-Koordination, Universität Stuttgart
Industriestr. 28, 70565 Stuttgart

Tel: +49 711/685-65797 | Direct line
Tel: +49 711/685-88030 | NOC, network operations, routers
Tel: +49 711/685-88020 | (School) hotline
Fax: +49 711/678 83 63
E-Mail: i...@belwue.de - http://www.belwue.de



Direct fibre between Digital Realty ATL2 and Equinix AT1

2022-04-21 Thread Stefan Funke
Good morning NANOG!

I am looking for direct fiber providers between ATL2 and AT1, or 100g 
wavelengths. Any recommendations? Off-List replies are fine!


TIA,
-Stefan


Re: Log4j mitigation

2021-12-11 Thread Stefan Bethke
On 11.12.2021 at 04:54, Andy Ringsmuth wrote:
> 
> The intricacies of Java are over my head, but I’ve been reading about this 
> Log4j issue that sounds pretty bad.
> 
> What do we know about this? What, if anything, can a network operator do to 
> help mitigate this? Or even an end user?

Probably not. The problem lies in the functionality of log4j to do token 
interpolation (think "foo ${bar} baz") not just on the format string that is 
configured, but also on the values passed into the logging function call.

Let that sit for a minute.

For most applications that receive input over the network, I would expect it's 
close to impossible to recognise problematic input that might be logged while 
processing the request, or even at a later stage. The URL is an obvious place, 
but form input, or even the contents of a ZIP file that is being uploaded might 
be processed by logging function calls.

The good news is that setting the Java system property 
log4j2.formatMsgNoLookups to true disables the vulnerable functionality. For 
most Java server applications, that should be a very quick change.


Stefan

--
Stefan Bethke   Fon +49 151 14070811
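
The behaviour described in this message, as a toy Python model added here (it is not Log4j code and not part of the original post). `ToyLogger`, `LOOKUPS` and the sample request are constructed for illustration; `format_msg_no_lookups` is a hypothetical switch mirroring the `log4j2.formatMsgNoLookups` property named above.

```python
import io
import re
import zipfile

# ${source:key} token, e.g. ${env:HOME}. Toy grammar, far simpler than Log4j's.
TOKEN = re.compile(r"\$\{([a-z]+):([^${}]+)\}")

# Constructed lookup sources standing in for data the logging process can read.
LOOKUPS = {
    "env": {"DB_PASSWORD": "constructed-secret"},
    "sys": {"user.name": "svc-web"},
}


def resolve(text):
    """Expand ${source:key} tokens from LOOKUPS; unknown tokens are left as-is."""
    def expand(match):
        source, key = match.group(1), match.group(2)
        return LOOKUPS.get(source, {}).get(key, match.group(0))
    return TOKEN.sub(expand, text)


class ToyLogger:
    """Hypothetical logger: operator-set pattern plus caller-supplied message."""

    def __init__(self, pattern, format_msg_no_lookups=False):
        self.pattern = pattern
        self.format_msg_no_lookups = format_msg_no_lookups
        self.lines = []

    def info(self, template, *values):
        message = template
        for value in values:
            message = message.replace("{}", str(value), 1)
        if not self.format_msg_no_lookups:
            # The flaw described in the post: tokens in logged *values* are
            # expanded, not only tokens in the configured pattern.
            message = resolve(message)
        # The operator-configured pattern is always expanded; %m is the message.
        line = resolve(self.pattern).replace("%m", message)
        self.lines.append(line)
        return line


def build_sample_request():
    """Constructed request: the same token in a URL, a form field and a ZIP."""
    token = "${env:DB_PASSWORD}"
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("notes-" + token + ".txt", "hello")
    return {
        "path": "/search?q=" + token,
        "form": {"comment": "nice site " + token},
        "upload": archive.getvalue(),
    }


def handle_request(logger, request):
    """Log each untrusted field the way ordinary application code would."""
    logger.info("GET {}", request["path"])
    logger.info("comment={}", request["form"]["comment"])
    with zipfile.ZipFile(io.BytesIO(request["upload"])) as zf:
        for name in zf.namelist():
            logger.info("unpacking {}", name)
    return logger.lines


def lines_exposing_secret(lines):
    """Return the log lines in which the constructed secret was expanded."""
    secret = LOOKUPS["env"]["DB_PASSWORD"]
    return [line for line in lines if secret in line]


if __name__ == "__main__":
    request = build_sample_request()
    for flag in (False, True):
        logger = ToyLogger("[${sys:user.name}] %m", format_msg_no_lookups=flag)
        for line in handle_request(logger, request):
            print("no_lookups=%s  %s" % (flag, line))
```

With the switch off, all three log calls expand the token; with it on, the operator's pattern still resolves but the logged values are written literally.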





Re: PeeringDB refuses to register certain networks [was: Setting sensible max-prefix limits]

2021-08-20 Thread Stefan Funke
On 19.08.2021, at 22:39, Seth Mattinen  wrote:
> 
> 
> 
> On 8/19/21 11:19 AM, Ross Tajvar wrote:
>> I, and many others that I know, have successfully listed our networks in 
>> PeeringDB while having no peering. You may just need to try again.
> 
> 
> All of the argument is based around an email dated in *2015*. So yeah, try 
> again.

Every public AS (queried by RIR) is welcome and accepted. It is an automated 
process now. If you had trouble getting your ASN registered with PeeringDB in 
the past, try it again or get in contact with pdb's support.

-Stefan (pdb admin)

Re: Is there an established method for reporting/getting removed a company with 100% false peeringdb entries?

2021-03-05 Thread Stefan Funke

On 05/03/2021 01:14, Eric Kuhnke wrote:

> First, take a look at this:
>
> https://www.peeringdb.com/asn/18894
>
> Now look at these (or use your own BGP table analysis tools):
>
> https://bgp.he.net/AS18894
>
> https://stat.ripe.net/18894
>
> The claimed prefixes announced, traffic levels and POPs appear to have
> no correlation with reality in global v4/v6 BGP tables.
>
> It is also noteworthy that I have inquired with a number of persons I
> know who are active in network engineering in NYC, and nobody has ever
> encountered this company.


Hi Nanog!

If you stumble across such things, drop us a note at 
supp...@peeringdb.com and we will take a look at it.




-Stefan


Re: Linux BNG

2018-07-16 Thread Stefan Bethke
On 14.07.2018 at 14:13, Baldur Norddahl wrote:
> 
> I am considering writing a small program or kernel module. This would create 
> two TAP devices (tap0 and tap1). Traffic received on tap0 with VLAN tagging, 
> will be stripped of VLAN tagging and delivered on tap1. Traffic received on 
> tap1 without VLAN tagging, will be tagged according to a lookup table using 
> the destination IP address and then delivered on tap0. ARP and DHCP would 
> need some special handling.

As a proof of concept, a userland implementation using tap is likely the 
easiest to implement. But it won’t give you the throughput you’re looking for.

I’d look at https://www.dpdk.org if you want to stay in userland.

If FreeBSD is an option, netgraph(4) is designed to allow packet filtering, 
manipulation and distribution in a set of small processing modules.

In either case, Ethernet frames would be processed outside the regular network 
stack, but could be handed over to the kernel for further processing, i.e. DHCP 
or SLAAC.


Stefan

-- 
Stefan Bethke   Fon +49 151 14070811




Re: Spiffy Netflow tools?

2018-03-13 Thread Stefan
Not necessarily (only) for *flow, but very nice combo: Luca Deri's
ntopng+nprobe (https://www.ntop.org/products/traffic-analysis/ntop/)

***Stefan

On Mon, Mar 12, 2018, 6:26 PM <mike.l...@gmail.com> wrote:

> Howdy!
>
> Checking out various Netflow tools and wanted to see what others are using?
>
> Kentik is cool. Are they the only SaaS based flow digester? I don’t seem
> to see any others.
>
> Also curious about on-prem solutions as well.
>
> Thanks!
> Mike


Re: Templating/automating configuration

2017-06-06 Thread Stefan
http://ipspace.net - search on everything ref network automation, under
webinars. Ivan is among the best in analysis and consolidation of such
info, and in documenting all options you may have.

Once you see what he has to offer, and definitely not only in the network
automation space, you may want to subscribe to all his webinars repository
access.

Regards,
***Stefan

On Jun 6, 2017 8:24 AM, "Graham Johnston" <johnst...@westmancom.com> wrote:

> Short of complete SDN, for those of you that have some degree of
> configuration templating and/or automation tools what is it that you run?
> I'm envisioning some sort of tool that lets me define template snippets of
> configuration and aids in their deployment to devices. I'm okay doing the
> heavy lifting in defining everything, I'm just looking for the tool that
> stitches it together and hopefully makes things a little less error prone
> for those who aren't as adept.
>
> Graham Johnston
> Network Planner
> Westman Communications Group
> 204.717.2829
> johnst...@westmancom.com
>
>


Re: SD-WAN for enlightened

2017-05-02 Thread Stefan
As of this announcement:

http://investor.cisco.com/investor-relations/news-and-events/news/news-details/2017/Cisco-Announces-Intent-to-Acquire-Viptela/default.aspx

there will be one less than before :-)

Seriously - when I first learned about them, upon service inclusion of the
Viptela products into the VzB SD-WAN offering, they (Viptela -
http://blog.ipspace.net/2014/11/viptela-sen-hybrid-wan-connectivity.html)
looked very nice, already, as standalone products. And that was a few years
back.

***Stefan

On Tue, May 2, 2017 at 12:44 PM, Doug Marschke <d...@sdnessentials.com>
wrote:

> Too many to list.  I don’t know who is “winning” in market share right
> now, as I am sure each vendor tracks their wins differently.
>
> There are definitely a few making more noise than others.
>
> Doug Marschke
>
> CTO
>
> www.sdnessentials.com
>
> JNCIE-SP #41, JNCIE-ENT #3
>
> 415-902-5702 (cell)
>
> 415-340-3112 (office)
>
>
>
> From: Colton Conor [mailto:colton.co...@gmail.com]
> Sent: Thursday, April 27, 2017 6:26 PM
> To: Doug Marschke <d...@sdnessentials.com>
> Cc: Kasper Adel <karim.a...@gmail.com>; NANOG list <nanog@nanog.org>
> Subject: Re: SD-WAN for enlightened
>
>
>
> So who are the big SD-WAN players out there?
>
>
>
> On Mon, Apr 17, 2017 at 10:31 AM, Doug Marschke <d...@sdnessentials.com>
> wrote:
>
> Hello Kasper,
>
> I will do my best to answer your SD-WAN question, but as you mentioned it
> is a buzzword that has a bit of confusion in its definitions.  I would say
> that a SD-WAN solution should have the following elements:
>
> 1.) Ability to manage multiple WAN connections and choose the path based on
> user and machine criteria (The Hybrid WAN)
> 2.) A controller to manage the policies and operations of the SD-WAN devices
> 3.) Analytics on the network and application level
> 4.) A software overlay that abstracts and secures the underlying networks
>
> Currently there are a lot of solutions out there by many vendors.  Some do
> all of these and some a subset, so it makes the landscape a bit confusing.
>  Lots of times vendors use SD-WAN when they are really just talking about
> Hybrid WAN (multiple connections) or WAN optimization.
>
>
>
>
>
> Doug Marschke
> CTO
> www.sdnessentials.com <http://www.sdnessentials.com>
> JNCIE-SP #41, JNCIE-ENT #3
> 415-902-5702   (cell)
> 415-340-3112   (office)
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Kasper Adel
> Sent: Sunday, April 16, 2017 1:14 PM
> To: NANOG list <nanog@nanog.org>
> Subject: SD-WAN for enlightened
>
> Hi,
>
> I'm not sure if the buzzword SD-WAN is used to compensate for another
> buzzword that got over-utilized (SDN) or it is a true 'new and improved'
> way of doing things that has some innovation into it.
>
> I heard different explanations from different vendors:
>
> 1) appliances (+ controller) placed in-line to put traffic in tunnels
> based on policy, with some DPI and traffic tagging...(to do
> performance/policy based routing) over an expensive link (MPLS) and a cheap
> one (broadband) with some 'firewall-like' filtering capabilities.
> 2) same as above, with a flavor of 'machine learning' to find a pattern
> for traffic to optimize utilization.
> 3) a controller that instantiates and tears down tunnels from 'classic
> routers' based on external policies and Network based features to do
> performance based routing over an expensive link (MPLS) and a cheap one
> (broadband) with encryption.
>
> Is the above a decent high-level summary?
>
> Has anyone tried any of these solutions, any general feedback ?
>
> Cheers,
> Kim
>
>
>
>


Re: Software for network modelling / documentation / GIS

2017-02-23 Thread ML-NANOG-Stefan-Jakob
Hi,

If you want to go the full stack, start open source and to have the support
and com.ext. option you can check iDoIT.

Good thing is, it also has a nice API for further automation and you can
use it as a general CMDB.

https://www.i-doit.org/

Rgds, SJ


Other name resolution impacts, as by-products of the Dyn event (e.g. recursive queries limit reached)

2016-10-25 Thread Stefan
Have not seen any mentions yet, so thought of asking here: has anybody paid
attention to other name resolution issues, even outside the Dyn hosted
services directly sourced ones? I am talking about what we observed, as
result of:

https://community.infoblox.com/t5/Support-Central/Support-Central-KB-118-What-does-quot-no-more-recursive-clients/ba-p/6321

i.e. "active queue" filled with the Dyn caused event, but leaving thusly no
"room", at times, for valid recursive queries, inclusive of internal name
resolution, where the SOA sits in another tier (e.g. GSLBs).

One possible mitigation for such scenarios is:

https://community.infoblox.com/t5/Support-Central/Support-Central-KB-3451-Configuring-CLI-commands-for-Automated/ba-p/6327

Any other related events, on other platforms or configurations?

***Stefan


Re: Advertising rented IPv4 prefix from a different ASN.

2016-08-05 Thread Stefan Neufeind
On 04.08.2016 21:39, Andrew wrote:
> Hello List,
> 
> I work for a medium sized ISP.  We are entering an agreement to rent
> some IPv4 space from a local higher education institution.  Being a
> multi-homed ISP we would like to advertise the rented prefix from our
> ASN.  The prefix that will be advertised is a smaller subnet from the
> higher educations block; they will continue to advertise the larger prefix.
> 
> What is the best way to accomplish this?  Is there any way of doing this
> without having to tunnel the traffic through the origin ASN?
> 
> I feel if we just advertise the prefix it gets put on a bogon list for
> prefix hijacking.  This space is rented long term but they are not
> interested in reassigning the space to us.  They also want to keep
> advertising their prefix as one contiguous block.

Make sure proper route-objects exist. Should be no big deal then imho.
Others do it as well - also advertising the larger block from one ASN
and a smaller portion of it from another.


Kind regards,
 Stefan


Re: Measuring the quality of Internet access

2016-06-14 Thread Stefan Kaltenbrunner
On 06/13/2016 09:11 PM, Max Tulyev wrote:
> Hi All,
> 
> I know there are many people from many countries.
> 
> Do you know something about mandatory measurements of Internet access
> quality from country telecom regulators? If yes, could you please share
> that information with me?

Austria does something like this:

https://www.rtr.at/en/tk/netztesthilfe

includes a lot of information and even source code on the measurement apps...



Stefan


Re: Low density Juniper (or alternative) Edge

2016-03-20 Thread ML-NANOG-Stefan-Jakob
Hi Mark,

Mark Tinka <mark.ti...@seacom.mu> wrote on Sun, 28 Feb 2016 07:13:

>
>
> On 3/Feb/16 09:58, Nick Hilliard wrote:
>
> > Typically the features that fall by the wayside first are: reasonable
> > port buffers, qos knobs and decent lag/ecmp hashing support for mpls
> > packets.
>
> Cisco, in general, are suffering here, i.e., QoS on LAG's.
>
> IOS, IOS XE and IOS XR suffer massively.
>
> We find that Junos does a better job here.
>
> Mark.
>

Do you have more details what's wrong with the XR platform?

Which hardware do we talk about and which XR version is your statement
applying?

Rgds, Stefan



Re: Internet Exchanges supporting jumbo frames?

2016-03-09 Thread Stefan Neufeind
There is no way to avoid breaking MTU for IPv4 but use PMTUD for IPv6,
is there? Meaning to stick to 1500 for IPv4 and use something larger for
IPv6?


Kind regards,
 Stefan

On 09.03.2016 15:59, Kurt Kraut via NANOG wrote:
> Hi Mike,
> 
> The adoption of jumbo frames in an IXP doesn't break IPv4. For an ISP, their
> corporate and residential users would still use 1,5k. For datacenters,
> their local switches and servers are still set to 1,5k MTU. Nothing will
> break.  When needed, if needed and when supported, from a specific server,
> from a specific switch, to a specific router it can raise the MTU up to the
> max MTU supported by IXP if the operator knows the destination also supports
> it, like in the disaster recovery example I gave. For IPv6, the best MTU
> will be detected and used with no operational effort.
> 
> For those who don't care about it, an IXP adopting jumbo frames wouldn't
> demand any kind of change for their network. They just set their interfaces
> to 1500 bytes and go rest. For those who care like me can take benefit from
> it and for that reason I see no reason for not adopting it.
> 
> 
> Best regards,
> 
> Kurt Kraut
> 
> 2016-03-09 11:53 GMT-03:00 Mike Hammett <na...@ics-il.net>:
> 
>> Maybe breaking v4 in the process?
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>>
>>
>> Midwest Internet Exchange
>> http://www.midwest-ix.com
>>
>>
>> - Original Message -
>>
>> From: "Kurt Kraut via NANOG" <nanog@nanog.org>
>> To: "Nick Hilliard" <n...@foobar.org>
>> Cc: "NANOG list" <nanog@nanog.org>
>> Sent: Wednesday, March 9, 2016 8:50:23 AM
>> Subject: Re: Internet Exchanges supporting jumbo frames?
>>
>> 2016-03-09 11:45 GMT-03:00 Nick Hilliard <n...@foobar.org>:
>>
>>> this has been tried before at many ixps. No matter how good an idea it
>>> sounds like, most organisations are welded hard to the idea of a 1500
>>> byte mtu. Even for those who use larger MTUs on their networks, you're
>>> likely to find that there is no agreement on the mtu that should be
>>> used. Some will want 9000, some 9200, others 4470 and some people
>>> will complain that they have some old device somewhere that doesn't
>>> support anything more than 1522, and could everyone kindly agree to that
>>> instead.
>>>
>>
>>
>>
>> Hi Nick,
>>
>>
>> Thank you for replying so quickly. I don't see why the consensus for an MTU
>> must be reached. IPv6 Path MTU Discovery would handle it by itself,
>> wouldn't it? If one participant supports 9k and another 4k, the traffic
>> between them would be at 4k with no manual intervention. If two participants
>> adopt 9k, hooray, it will be 9k thanks to PMTUD.
>>
>> Am I missing something?
>>
>>
>> Best regards,
>>
>>
>> Kurt Kraut


Re: bad announcement taxonomy

2015-11-18 Thread Stefan Fouant

> On Nov 18, 2015, at 9:45 AM, Roland Dobbins <rdobb...@arbor.net> wrote:
> 
>> On 18 Nov 2015, at 21:40, William Herrin wrote:
>> 
>> Creating jargon down in the weeds, though, that's a bad thing.
> 
> 'AS 7007' is jargon to those unaware of the history and context.

https://en.m.wikipedia.org/wiki/AS_7007_incident

He can thank me later 

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
m (703) 625-6243


RE: Facebook invisible in Italy

2015-09-28 Thread Stefan Larsson
https://developers.facebook.com/status/issues/1032802420085278/

stefan


From: Steve Mikulasik <steve.mikula...@civeo.com>
Reply: Steve Mikulasik <steve.mikula...@civeo.com>
Date: 28 Sep 2015 at 23:00:08
To: ma...@paesani.it <ma...@paesani.it>, nanog <nanog@nanog.org>
Subject:  RE: Facebook invisible in Italy  

All good from AS15290.  



-Original Message-  
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Marco Paesani  
Sent: Monday, September 28, 2015 2:35 PM  
To: nanog <nanog@nanog.org>  
Subject: Facebook invisible in Italy  

Hi,  
some issues from FB network ??  
Do you have some info ?  
Regards,  

--  

Marco Paesani  
MPAE Srl  

Skype: mpaesani  
Mobile: +39 348 6019349  
Success depends on the right choice !  
Email: ma...@paesani.it  



Re: Windows 10 Release

2015-07-30 Thread Stefan Neufeind
Then they might want to show an official MD5/SHA1 on their website for
the media. Or maybe simply offer a torrent/magnet-link ...

Kind regards,
 Stefan

On 30.07.2015 15:19, STARNES, CURTIS wrote:
> Not sure about distributing but I would think it would be ok since it is an
> ISO for upgrading and the site says if it is a new installation a product key
> would be needed.
>
> Curtis
>
> -Original Message-
> From: Martin Hotze [mailto:m.ho...@hotze.com]
> Sent: Thursday, July 30, 2015 8:17 AM
> To: STARNES, CURTIS <curtis.star...@granburyisd.org>; nanog@nanog.org
> Subject: RE: Windows 10 Release
>
> From: STARNES, CURTIS [mailto:curtis.star...@granburyisd.org]
>
> https://www.microsoft.com/en-us/software-download/windows10 is the
> download URL.
> This site launches the Download Tool so the ISO can be downloaded from
> Microsoft.
>
> Yeah, I know. But is it allowed to redistribute the .iso File(s)? Might help
> to save downloading some GB ...
>
> martin


Re: [ PRIVACY Forum ] Windows 10 will share your Wi-Fi key with your friends' friends

2015-07-06 Thread Stefan Neufeind
Time to teach home-routers WPA Enterprise auth? Then at least you know
whom to blame :-) and just one user to disconnect instead of everybody
who previously had the key.

Well, but if friends were to share your wifi-key through other ways
the end-result would be the same. Just hand your key to clueful
people. I think the point here is that we might assume people have a lot
of good friends who don't know what they are doing (have things like
this enabled by default)? Hmm ... yeah might be :-(


Kind regards,
 Stefan


On 06.07.2015 at 20:29, Daniel C. Eckert wrote:
> This isn't really an open source issue -- anybody can make foolish product
> design decisions regardless of licensing model. This is more about a vendor
> producing a feature that deliberately and shortsightedly creates a slew of
> problems impacting almost all existing networks anywhere. It's highly
> convenient feature for a specific, limited use case (home users hosting a
> party with a bunch of people that they don't want to have to worry about
> how to give them a network password). However, gat ignores all of the other
> security and user impact issues. Can you imagine how the user experience
> will change when you change your SSID to include the _optout tag and then
> try to verbally tell someone what the new SSID is? Bonus points for dealing
> with users in a context where you've had the same SSID for years.
> On Jul 6, 2015 11:17 AM, Richard Golodner <rgolod...@infratection.com>
> wrote:
>
> There is a reason why my family loves open source. My kid is learning
> Linux and she doesn't even know it. Mommy has an Android...
>
> On 07/06/2015 12:53 PM, Jay Ashworth wrote:
>
> From Lauren, a new feature in Windows 10 I think this community
> probably
> wants to know about, to the extent you don't already.
>
> I *knew* I didn't like W10.  :-)
>
> Cheers,
> -- jra
>
> - Forwarded Message -
>
> From: PRIVACY Forum mailing list <priv...@vortex.com>
> To: privacy-l...@vortex.com
> Sent: Wednesday, July 1, 2015 8:03:06 PM
> Subject: [ PRIVACY Forum ] Windows 10 will share your Wi-Fi key with
> your friends' friends
> Windows 10 will share your Wi-Fi key with your friends' friends
>
> http://www.theregister.co.uk/2015/06/30/windows_10_wi_fi_sense/

[...]


Re: leap second outage

2015-06-30 Thread Stefan
This was supposed to have happened @midnight UTC, right? Meaning that we
are past that event. Under which scenarios should people be concerned about
midnight local time? Lots of confusing messages flying all over...

On Jun 30, 2015 10:13 PM, frnk...@iname.com wrote:

> We experienced our first leap second outage -- our SHE (super head end) is
> using (old) Motorola encoders and we lost those video channels.  They
> restarted all those encoders to restore service.
>
> Frank




Re: Youtube / IPv6 / Netherlands

2015-06-25 Thread Stefan Neufeind
On 25.06.2015 at 15:32, Christopher Morrow wrote:
> On Thu, Jun 25, 2015 at 8:33 AM, Marco Davids <mdav...@forfun.net> wrote:
>
>> Geolocation imperfections perhaps?
>
> geolocation is hard :(

geolocation is a broken concept anyway :-(

Similar to like being allowed by law to only offer some downloads of
series/movies during the night (starting 10pm afaik) for
youth-protection (here in Germany) ... come on ...


Kind regards,
  sn


Re: REMINDER: LEAP SECOND

2015-06-25 Thread Stefan Schlesinger
> On 25 Jun 2015, at 03:14, Damian Menscher via NANOG <nanog@nanog.org> wrote:
>
> http://googleblog.blogspot.com/2011/09/time-technology-and-leaping-seconds.html
> comes dangerously close to your modest proposal.
>
> Damian

I wonder why Google hasn't published the patch yet. Leap smear sounds like the
sane way to do leap seconds, and it wouldn't break software at all, because time
adjustments in the sub-second area are proven to work quite well.

Btw. there seem to be a couple of public Google timeservers, I wonder whether
one could just sync time from there to get leap smearing.

time[1-4].google.com

Also this update looks like it would smoothen the process:

https://rhn.redhat.com/errata/RHBA-2015-1159.html
https://bugzilla.redhat.com/show_bug.cgi?id=1214752

-Stefan

Re: Digitalocean and recent issues

2015-06-07 Thread Stefan Larsson
On Sunday, June 7, 2015, Randy na...@afxr.net wrote:

 Now I'm blocked by... Pizzahut.com
 Can't order a pizza over my VPN.


 thank god for comic relief.

- s


Re: eBay is looking for network heavies...

2015-06-06 Thread Stefan
Sort of back-tracking on the OP JD - is one to derive from the posting and
requirements for the job(s) that:

1. the need arises because of the eBay - PayPal split?
2. is PayPal leaving with the openstack [need for] expertise and associated
IaaS parts (http://www.openstack.org/user-stories/paypal/), while eBay is
keeping a more traditional infra setup?
​
Stefan

On Sat, Jun 6, 2015 at 8:53 AM, Brandon Ross br...@pobox.com wrote:

 I also concur.  There is most certainly a negative correlation between
 certs and clue in my experience, having met 10s of certificate holders.

 Long ago when the MCSE was more popular, I actually started putting MCSE
 need not apply on job postings because everyone I interviewed that had one
 was not just clue challenged, but had negative clue.


 On Fri, 5 Jun 2015, jim deleskie wrote:

  Based on the number of certified people I've interviewed over the last
 20yr, my default view lines up with Jared's 100%

 On Fri, Jun 5, 2015 at 10:38 PM, Mike Hale eyeronic.des...@gmail.com
 wrote:

  We need a pool on what percentage of readers just googled traceroute.
 On Jun 5, 2015 6:28 PM, na...@cdl.asgaard.org wrote:

  On 5 Jun 2015, at 17:45, Łukasz Bromirski wrote:

  On 06 Jun 2015, at 02:26, Jared Mauch ja...@puck.nether.net wrote:



  On Jun 5, 2015, at 7:13 PM, John Fraizer j...@op-sec.us wrote:


 Head of line for CCIE / JNCIE but knowledge and experience trumps a
 piece
 of paper every time!


 Can you please put these at the back of the line?  My experience is

 that

 the cisco certification (at least) is evidence of the absence of actual
 troubleshooting skills.  (or my standards of what defines “expert” are
 different than the rest of the world).


 Jared, don’t generalize.

 True - there are people that are ‘paper’ CCIE/JNCIEs - but let’s not
 start a rant unless you've met tens of CCIEs/JNCIEs and all of them
 didn’t know a jack. About troubleshooting.


 't

 We had one CCIE at a previous job who just didn't click no matter how
 much we tried to train on the architecture.  Eventually in one backbone
 event, he kept saying that the problem couldn't be with a given router
 because traceroute worked.  When it was pointed out that the potential
 fault wouldn't cause traceroute to fail, we got a very puzzled look.  We
 then asked him to explain how traceroute worked.  He spectacularly

 failed.


 It became a tongue-in-cheek interview question.  What was boggling was

 the

 number of *IE's that failed trying to explain traceroute's mechanics.

 My test, as crass as it is.  If your CV headlines with a JCIE/CCIE, I am
 pretty certain that you have very little real-world experience.  If it's

 a

 footnote somewhere, that's ok.

 Christopher



  —
 CCIE #15929 RS/SP, CCDE #2012::17
 (not that I’d know anything about troubleshooting of course)



 --
 李柯睿
 Avt tace, avt loqvere meliora silentio
 Check my PGP key here: http://www.asgaard.org/cdl/cdl.asc
 Current vCard here: http://www.asgaard.org/cdl/cdl.vcf
 keybase: https://keybase.io/liljenstolpe




 --
 Brandon Ross  Yahoo  AIM:
 BrandonNRoss
 +1-404-635-6667ICQ:
 2269442
  Skype:
 brandonross
 Schedule a meeting:  http://www.doodle.com/bross



Re: BGP offloading (fixing legacy router BGP scalability issues)

2015-04-02 Thread Stefan Neufeind
Of course it's not something you should generalise about all people or
all traffic from certain countries. But it's obvious that there are some
countries which seem to care almost not at all about abuse or maybe even
are sources for planned hack-attempts. And at least some large ISPs
there seem to do nothing for their reputation or the reputation of their
country.


Kind regards,
 Stefan

On 04/02/2015 09:40 AM, Paul S. wrote:
> Do you have data on '100% of the traffic' being bad?
>
> I happen to have a large Chinese clientbase, and this is not the case on
> my network.
>
> On 4/2/2015 04:35 PM, Colin Johnston wrote:
>> or ignore/block russia and north korea and china network blocks
>> takes away 5% of network ranges for memory headroom, especially the
>> large number of smaller china blocks.
>> Some may say this is harsh but is the network contacts refuse to
>> co-operate with abuse and 100% of the traffic is bad then why not
>>
>> Colin
>>
>>
>>> On 2 Apr 2015, at 07:59, Mark Tinka <mark.ti...@seacom.mu> wrote:
>>>
>>>
>>>
>>> On 1/Apr/15 19:01, Frederik Kriewitz wrote:
>>>> We're wondering if anyone has experience with such a setup?
>>> Cisco have a feature called BGP-SD (BGP Selective Download).
>>>
>>> With BGP-SD, you can hold millions of entries in RAM, but decide what
>>> gets downloaded into the FIB. By doing this, you can still export a full
>>> BGP table to customers directly connected to your 6500, and only have a
>>> 0/0 + ::/0 (and some more customer routes) in the FIB to do forwarding
>>> to a bigger box.
>>>
>>> BGP-SD started shipping in IOS XE, but I now understand that the feature
>>> is on anything running IOS 15.
>>>
>>> This would be my recommendation.
>>>
>>> Mark.


Re: BGP offloading (fixing legacy router BGP scalability issues)

2015-04-02 Thread Stefan Neufeind
On 04/02/2015 09:57 AM, Mark Tinka wrote:
>
>
> On 2/Apr/15 09:52, Stefan Neufeind wrote:
>> Of course it's not something you should generalise about all people or
>> all traffic from certain countries. But it's obvious that there are some
>> countries which seem to care almost not at all about abuse or maybe even
>> are sources for planned hack-attempts. And at least some large ISPs
>> there seem to do nothing for their reputation or the reputation of their
>> country.
>
> So when your customer calls you to complain about not being able to
> reach a random destination in certain countries, you would tell them
> that you made a conscious decision to block access to certain
> countries because of reasons the customer probably will never
> understand or appreciate?

Not fully block / null-route of course. You might however consider to
not allow ssh-logins from certain countries (if you know what you're
doing) to avoid noise in the logs, might monitor incoming emails with
smtp-auth for suspicious activity based on country (of course there can
always be someone on holiday in those countries) etc.

All I'm saying is that attacks or spam sometimes seem to originate
mainly from certain countries. Judge for yourself what you maybe want
to use that additional piece of information (geo-location) for - and use
it wisely.


Kind regards,
 Stefan
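
One way to implement the smtp-auth monitoring suggested in this message, as an added Python example (not from the original post): logins are flagged for review rather than blocked, and a single unfamiliar country is treated as possible travel. The prefix table, the per-user baseline, the placeholder country codes XA/XB and the log lines (written in the style of Postfix smtpd records) are all constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed prefix-to-country table using RFC 5737 documentation prefixes.
# A real deployment would query a geolocation database instead.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "XA"),  # XA, XB: placeholder codes
    (ipaddress.ip_network("203.0.113.0/24"), "XB"),
]

# Constructed baseline: countries each account has legitimately logged in from.
BASELINE = {
    "alice@example.org": {"DE"},
    "bob@example.org": {"DE"},
    "carol@example.org": {"DE", "XA"},
}

# Constructed log lines in the style of Postfix smtpd SASL login records.
SAMPLE_LOG = """\
Apr  2 08:01:11 mx postfix/smtpd[2101]: 4F1A2C0: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Apr  2 08:03:40 mx postfix/smtpd[2107]: 5B77D10: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.org
Apr  2 08:04:02 mx postfix/smtpd[2107]: disconnect from unknown[198.51.100.7]
Apr  2 08:09:19 mx postfix/smtpd[2113]: 6C01E22: client=unknown[198.51.100.20], sasl_method=PLAIN, sasl_username=carol@example.org
Apr  2 08:15:55 mx postfix/smtpd[2120]: 7D93F31: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob@example.org
"""

LOGIN = re.compile(
    r"client=\S*\[([0-9a-fA-F.:]+)\], sasl_method=\S+, sasl_username=(\S+)"
)


def country_of(address):
    """Map an IP address to a country code, or None when it is not in the table."""
    ip = ipaddress.ip_address(address)
    for network, country in GEO_TABLE:
        if ip in network:
            return country
    return None


def review_logins(log_text, baseline):
    """Return (user, ip, country, verdict) for logins outside a user's baseline."""
    unfamiliar = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        match = LOGIN.search(line)
        if not match:
            continue  # not an authenticated-login record
        ip, user = match.group(1), match.group(2)
        country = country_of(ip)
        if country in baseline.get(user, set()):
            continue
        unfamiliar[user].add(country)
        # One unfamiliar country may be a holiday; several for the same
        # account is more likely a stolen password and worth an alert.
        verdict = "alert" if len(unfamiliar[user]) > 1 else "review"
        findings.append((user, ip, country, verdict))
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG, BASELINE):
        print(finding)
```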


Re: NIST NTP Server List

2014-10-29 Thread Stefan Bethke
> On 29.10.2014 at 18:14, Brian Christopher Raaen
> <mailing-li...@brianraaen.com> wrote:
>
> The list of NIST NTP servers is down for me, is anyone else seeing this?
> I'm getting a 404 error
> http://tf.nist.gov/tf-cgi/servers.cgi

404 from Kabel Deutschland reaching tf.nist.gov via AS1273, a small hoster in 
Hamburg, Germany via AS194, Inception Hosting (UK) via AS209; but proper page 
from VZ FIOS in Framingham, MA also via AS209.

From AS13135, I get 404 on the web page, but my ntpd syncs to 128.138.141.172 
just fine.

Stefan

-- 
Stefan Bethke <s...@lassitu.de>   Fon +49 151 14070811






Re: NIST NTP Server List

2014-10-29 Thread Stefan Bethke
Seems to be working over IPv4, not over IPv6.

$ curl -6 http://tf.nist.gov/tf-cgi/servers.cgi 2>/dev/null | head -5
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
$ curl -4 http://tf.nist.gov/tf-cgi/servers.cgi 2>/dev/null | head -5
<html>
<head>
<title>NIST Internet Time Service</title>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
<script language="JavaScript" id="_fed_an_js_tag" src="/js/federated-analytics.all.min.js?agency=NIST&subagency=tf&pua=UA-42404149-6&yt=true"></script>


 Am 29.10.2014 um 18:26 schrieb Brian Christopher Raaen 
 mailing-li...@brianraaen.com:
 
 I'm still getting a 404.  I am using a Windstream backbone, is this maybe
 path/server specific.  Here is a dig.
 
 dig tf.nist.gov

-- 
Stefan Bethke s...@lassitu.de   Fon +49 151 14070811






Re: Google causes 40% drop in traffic?

2014-01-24 Thread Stefan Neufeind
On 01/24/2014 09:08 PM, Jay Ashworth wrote:
 Given how much traffic these days is CDN and streaming, is that number
 really supportable?
 
 http://www.marketplace.org/topics/tech/down-goes-google-down-goes-internet

In the interview they are saying that if Google is down, lots of people
don't have DNS anymore. So that accounts for an even larger drop than
just no Youtube. Hmm - why would people use those resolvers, besides
being lazy in configuring a proper resolver-address?

Of course if Google is down we have no Google search (well, might be a
problem in some cases), no Gmail etc. (fine with me) and no Youtube
(hmm, but we'll survive without it). Come on ...

If the average user is *so* dependent on Google, we have an even larger
problem. Maybe like IPv6-day etc. let's try a Google outage day once a
year as a training :-)


Regards,
 Stefan



Re: Google causes 40% drop in traffic?

2014-01-24 Thread Stefan Neufeind
On 01/24/2014 09:46 PM, valdis.kletni...@vt.edu wrote:
 On Fri, 24 Jan 2014 21:22:58 +0100, Stefan Neufeind said:
 
 just no Youtube. Hmm - why would people use those resolvers, besides
 being lazy in configuring a proper resolver-address.
 
 A lot of people make value judgements on the relative likelihood of finding
 evil in DNS packets coming from 8.8.8.8 versus DNS packets coming from the
 IP address handed to you in the DHCP reply

If it's just some DNS your provider hands out, I agree it's not much
better as well. (But you might possibly assume your provider has less
interest to spy on all your emails, your dns-queries and the like.)
What imho you'll want is a reliable resolver which is as close to you as
possible (and have it do DNSSEC-validation etc.).


Regards,
 Stefan



Network Lifecycle Management - anybody???

2013-12-09 Thread Stefan
As $subj may infer, do you guys follow any type of network lifecycle in
your environment? If so - what would be some criteria you would consider
critical:

- consistent rate of cash flow, year after year, while replacing aging gear
(allowing for consistent budgetary planning)
- risk reduction while replacing unsupported equipment
- security issues associated with OS or appliances not supported
- business / apps demand for capacity or features (e.g. virtualization,
SDN, etc.), laid out well in advance to allow for a 3-4-5 yrs plan with a
consistent replacement rate of aging equipment
- increased costs of support for aging equipment, or recertification for
vendor support
- anything else ... ???

Care to share some [other] aspects, as they may relate to $subj?

Thanks,
***Stefan


Re: Email Server and DNS

2013-11-03 Thread Stefan Foerster
* Private Sender nob...@snovc.com:
 On 11/3/2013 8:39 AM, rw...@ropeguru.com wrote:
  I am looking for some info on current practice for an email server 
  and SMTP delivery. It has been a while since I have had to setup an
  email server and I have been tasked with setting up a small one for
  a friend. My question centers around the server sending outgoing
  email and the current practices requirements for other servers to
  accept email Things like rDNS, SPF records, etc...
[...]
 MX, PTR, and SPF are really all you need. I would recommend you go a
 step further and use DKIM, ADSP, and DMARC. It will help keep asshat
 spammers from flaming your domain all over the internet.

And while you are at it - why not implement DNSSEC for the domain in
question and publish some DANE TLSA records?


Stefan


signature.asc
Description: Digital signature


Re: Reverse DNS RFCs and Recommendations

2013-10-30 Thread Stefan Förster

* Nolan Rollo nro...@kw-corp.com:
 It seems like the unspoken de facto that mail admins appreciate
 given the IP 203.0.113.15 is
 203-0-113-15.[type].[static/dynamic].yourdomain.tld. This seems
 perfectly acceptable, it's short, detailed and to the point. Is
 there really anything bad about this?

Mail admins wanting matching forward/reverse DNS and hostnames that
don't look dynamically generated is probably more of a human than an
RFC thing: We used to get a lot of spam from dialup IPs, or IPs
without matching reverse DNS, so let's reject anything that comes from
an IP without FcRDNS and greylist anything with more than X dashes and
Y dots in its hostname.


Stefan


signature.asc
Description: Digital signature
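
The policy sketched in the message above (reject without FcRDNS, greylist generated-looking names), as an added example that is not part of the original post. The thresholds `MAX_DASHES` and `MAX_DOTS` stand in for the post's unspecified X and Y, all function names are hypothetical, and the zone data is constructed.

```python
import ipaddress
import socket

# Assumed values: the post leaves both thresholds open ("X dashes and Y dots").
MAX_DASHES = 2
MAX_DOTS = 3


def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]


def system_addr(name):
    """A/AAAA addresses for name from the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []


def fcrdns_name(ip, ptr_lookup=system_ptr, addr_lookup=system_addr):
    """Return the first PTR name whose forward lookup contains ip, else None."""
    want = ipaddress.ip_address(ip)
    for name in ptr_lookup(ip):
        name = name.rstrip(".").lower()
        for addr in addr_lookup(name):
            try:
                # Compare parsed addresses so IPv6 spellings do not matter.
                if ipaddress.ip_address(addr) == want:
                    return name
            except ValueError:
                continue  # malformed or scoped answer, ignore it
    return None


def looks_generated(hostname):
    """More than X dashes and more than Y dots, read literally from the post."""
    return hostname.count("-") > MAX_DASHES and hostname.count(".") > MAX_DOTS


def policy(ip, ptr_lookup=system_ptr, addr_lookup=system_addr):
    """'reject' without FcRDNS, 'greylist' for generated-looking names."""
    name = fcrdns_name(ip, ptr_lookup, addr_lookup)
    if name is None:
        return "reject"
    return "greylist" if looks_generated(name) else "accept"


# Constructed sample zone data (documentation address ranges only).
PTR = {
    "203.0.113.15": ["203-0-113-15.dsl.dynamic.example.net."],
    "198.51.100.7": ["mail.example.org"],
    "192.0.2.9": ["mx.spoofed.example"],    # PTR exists, forward disagrees
    "192.0.2.50": [],                       # no PTR at all
    "2001:db8::25": ["mx6.example.org"],
}
FWD = {
    "203-0-113-15.dsl.dynamic.example.net": ["203.0.113.15"],
    "mail.example.org": ["198.51.100.7"],
    "mx.spoofed.example": ["198.51.100.99"],
    "mx6.example.org": ["2001:0db8:0:0:0:0:0:25"],  # uncompressed spelling
}


def demo():
    """Run the policy over the constructed data without touching the network."""
    return {
        ip: policy(ip, lambda i: PTR.get(i, []), lambda n: FWD.get(n, []))
        for ip in PTR
    }


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```
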


Re: To CCIEs and JNCIEs

2013-10-11 Thread Stefan Fouant
Seriously... Those cert monkeys think they know everything ;)

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
m (703) 625-6243

On Oct 11, 2013, at 3:28 AM, Randy Bush ra...@psg.com wrote:

 Please relay to your CCIE/JNCIE friends, I am giving out
 name@theccie.comand n...@jncie.com email accounts, anyone interested
 can contact me.
 
 but who would want to deal with such slime?
 


[Q] Any good resource of info ref LECs, in different US areas?

2013-09-04 Thread Stefan
Trying to build diversity in some very odd places, about which the big
names tell me exclusively about other big names, but cannot easily verify.

Thank you,
***Stefan


[Q] What is your favorite Network Tools Live CD / USB, which you could have running in remote offices?

2013-08-22 Thread Stefan
I've been toying with Live distros (CD, then USB) for many years, in
support of security toolsets, to which I kept adding my own stuff, or
customizing existing components.

I am now trying to build a network toolset LiveCD/USB, but this time with
a completely different purpose: I would like to put it in the hands of all
remote offices we have on our network, and use it to have local systems
boot out of it, and help us then run troubleshooting tools, from the
central office, by SSH/X-ing into the remote live system (e.g. iperf,
hping3, httping, tcping, mtr, tcpdump, voip tools, some thin
clients/apps, synthetic transactions scripted to run at diff time
intervals, and report back to us the health seen from the remotes, etc.).
Has anybody used a base network tools Live CD/USB that they would
recommend, having used as basis for such a network probe functionality?

NOTE: I assume *nix based (Linux or BSD flavors), not Windows ...

TIA,
***Stefan


Re: [Q] What is your favorite Network Tools Live CD / USB, which you could have running in remote offices?

2013-08-22 Thread Stefan
Should have mentioned what I already use for security toolset base: Kali
and Security Onion ...

***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius


On Thu, Aug 22, 2013 at 12:29 PM, Michael Shuler mich...@pbandjelly.org wrote:

 On 08/22/2013 12:06 PM, Stefan wrote:
  I've been toying with Live distros (CD, then USB) for many years, in
  support of security toolsets, to which I kept adding my own stuff, or
  customizing existing components.
 
  I am now trying to build a network toolset LiveCD/USB, but this time
 with
  a completely different purpose: I would like to put it in the hands of
 all
  remote offices we have on our network, and use it to have local systems
  boot out of it, and help us then run troubleshooting tools, from the
  central office, by SSH/X-ing into the remote live system (e.g. iperf,
  hping3, httping, tcping, mtr, tcpdump, voip tools, some thin
  clients/apps, synthetic transactions scripted to run at diff time
  intervals, and report back to us the health seen from the remotes,
 etc.).
  Has anybody used a base network tools Live CD/USB that they would
  recommend, having used as basis for such a network probe
 functionality?

 http://www.kali.org/ - it is completely customizable, as well.

 --
 Kind regards,
 Michael




Re: What is your favorite Network Tools Live CD / USB, which you could have running in remote offices?

2013-08-22 Thread Stefan
On Thu, Aug 22, 2013 at 1:14 PM, Dan White dwh...@olp.net wrote:

 On 08/22/13 12:06 -0500, Stefan wrote:

 I've been toying with Live distros (CD, then USB) for many years, in
 support of security toolsets, to which I kept adding my own stuff, or
 customizing existing components.

 I am now trying to build a network toolset LiveCD/USB, but this time
 with
 a completely different purpose: I would like to put it in the hands of all
 remote offices we have on our network, and use it to have local systems
 boot out of it, and help us then run troubleshooting tools, from the
 central office, by SSH/X-ing into the remote live system (e.g. iperf,
 hping3, httping, tcping, mtr, tcpdump, voip tools, some thin
 clients/apps, synthetic transactions scripted to run at diff time
 intervals, and report back to us the health seen from the remotes,
 etc.).
 Has anybody used a base network tools Live CD/USB that they would
 recommend, having used as basis for such a network probe
 functionality?

 NOTE: I assume *nix based (Linux or BSD flavors), not Windows ...


 live-build (Debian based) is what I've been using, and has the benefit of
 allowing you to pick and choose from Debian's vast repository. Here's my
 latest build script:

 http://web.olp.net/dwhite/lb.txt

-- 
 Dan White


I love it, Dan! Thanks for sharing.

***Stefan


Re: What to expect after a cooling failure

2013-07-10 Thread Stefan Förster
* Erik Levinson erik.levin...@uberflip.com:

[cooling failure]

 For those who have gone through such events in the past, what can
 one expect in terms of long-term impact...should we expect some
 premature component failures? Does anyone have any stats to share? 

We had a similar event (temperatures were a bit higher at 49°C,
duration was a bit shorter, 10am to 3pm) this January. In the two days
after the event, two of our HP servers had drives that went from OK to
Predictive Failure, which is the SmartArray controller's way of
telling about high error rates. Two weeks after, we had a single DIMM
with an uncorrectable ECC error, causing a server reboot. Three weeks
after, a single PSU failed.

In our opinion, the disk problems were caused by the cooling failure,
while the ECC error and the faulted PSU were probably not related.

I believe that your hardware will be fine, but it probably wouldn't be
a bad idea to check if you have current maintenance contracts/warranty
for your servers, or any other way of obtaining replacement drives in
a reasonably short time.


Cheers
Stefan



[Q] Any detailed enterprise WAN QoS design/config for MPLS services, f/various ISPs?

2013-03-31 Thread Stefan
Been looking for Verizon and ATT AVPN MPLS, specifically. Pointers highly
appreciated, as the nanog archive does not seem to have searchable items
ref such. Cisco docs have some info, but I am mostly looking for tried and
proven configs with the specifics that Verizon and ATT offer.

Traditional ATT (e.g.) means involve the likes of (for main DC):

policy-map GENERAL NAME
 description ISP CoS Profile nb code nb% RT (nb1/nb2/nb3)
  class 0
priority percent nb
  class 1
   set dscp af21
bandwidth nb1
  class C2
   set dscp af31
bandwidth nb2
policy-map 3
  class 4
   set dscp af21
  class 5
   set dscp af31
  class 6
priority percent nb
policy-map NAME
  class class-default
shape average nb
   service-policy GENERAL NAME
...
interface GigabitEthernet2/0/0.x
...
 ip pim sparse-mode
 service-policy output 3
...
or the likes (can't even tell if I consistently sanitized the info, but you
get the point)

I am interested in main hub/DC + remotes - docs, preferably.

TIA,
***Stefan


Re: Dark fiber usage info request - know-how pointers and experience sharing

2012-11-03 Thread Stefan
Thank you all who answered. I got a few good leads to follow, and
information on operation gotchas.

***Stefan


Dark fiber usage info request - know-how pointers and experience sharing

2012-11-02 Thread Stefan
Looking at dark fiber leasing as an alternative for existing ISP-acquired
MPLS, MetroE, P2P, etc. services. I would appreciate some pointers (links)
into specific technologies used with dark fiber, as direct consumer (not
ISP). I am not looking for the theory behind (C)DWDM, but rather real life
implementations and experience with folks operating such.

Highly appreciated would also be extra info on what the learning curve
required for traditional network engineering crew to operate devices
terminating into such, and maybe even work (installation and operation)
needed to maintain plants with this infrastructure.

TIA,
***Stefan


Re: Trouble with IPv6 setup on Quagga

2012-08-08 Thread Stefan Neufeind
On 08/08/2012 09:37 AM, Oliver wrote:
 On Tuesday 07 August 2012 01:08:24 Anurag Bhatia wrote:

 router bgp 54456
  bgp router-id 199.116.78.28
  redistribute connected metric 1
  redistribute static metric 1
  neighbor 2607:1b00:10:a::1 remote-as 54456
  neighbor 2607:1b00:10:a::1 next-hop-self

  address-family ipv6
  network 2607:1b00:d1::/48
  network 2607:1b00:d2::/48
  neighbor 2607:1b00:10:a::1 activate
  exit-address-family
 
 Specifying next-hop-self in the general BGP router config section is 
 equivalent to specifying it purely for IPv4 routes; you need to specify next-
 hop-self in the IPv6 address-family section.

And you might want to disable (no neighbor ... activate) for the
default-protocol (IPv4) as otherwise Quagga tries to advertise IPv4 over
the same session as well - which you usually wouldn't want to.
I've seen cases where both sides ran Quagga and wondered where all the
(unfiltered) IPv4-routes came from :-)


Regards,
 Stefan
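
Both points from this thread (next-hop-self has to be set inside the IPv6 address-family, and IPv4 should be deactivated on an IPv6-only session) can be checked mechanically. The following is an added example, not part of the original messages: `lint_bgpd` is a hypothetical helper, `BROKEN` is the configuration quoted above, and `FIXED` is a constructed version with both replies applied.

```python
import ipaddress

NEXT_HOP_MSG = "next-hop-self set only outside address-family ipv6"
V4_ACTIVE_MSG = "IPv4 unicast still active on this IPv6 session"


def lint_bgpd(config):
    """Return sorted (neighbor, finding) tuples for IPv6 peers in a bgpd config."""
    af = "ipv4"         # lines outside any address-family apply to IPv4 unicast
    default_v4 = True   # neighbors are IPv4-active unless the default is turned off
    seen = {}           # neighbor -> set of (address family, setting)
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "address-family" and len(words) > 1:
            plain_v6 = words[1] == "ipv6" and words[2:] in ([], ["unicast"])
            af = "ipv6" if plain_v6 else " ".join(words[1:])
        elif words[0] == "exit-address-family":
            af = "ipv4"
        elif words[:4] == ["no", "bgp", "default", "ipv4-unicast"]:
            default_v4 = False
        elif words[0] == "neighbor" and len(words) >= 3:
            seen.setdefault(words[1], set()).add((af, " ".join(words[2:])))
        elif words[:2] == ["no", "neighbor"] and len(words) >= 4:
            seen.setdefault(words[2], set()).add((af, "no " + " ".join(words[3:])))

    findings = []
    for peer, settings in seen.items():
        try:
            is_v6 = ipaddress.ip_address(peer).version == 6
        except ValueError:
            continue    # peer-group name, not an address
        if not is_v6 or ("ipv6", "activate") not in settings:
            continue
        # next-hop-self in the general section only covers IPv4 routes.
        if ("ipv4", "next-hop-self") in settings and \
                ("ipv6", "next-hop-self") not in settings:
            findings.append((peer, NEXT_HOP_MSG))
        # Without "no neighbor ... activate" the session also carries IPv4.
        v4_active = (default_v4 and ("ipv4", "no activate") not in settings) \
            or ("ipv4", "activate") in settings
        if v4_active:
            findings.append((peer, V4_ACTIVE_MSG))
    return sorted(findings)


# The configuration quoted in the thread.
BROKEN = """\
router bgp 54456
 bgp router-id 199.116.78.28
 redistribute connected metric 1
 redistribute static metric 1
 neighbor 2607:1b00:10:a::1 remote-as 54456
 neighbor 2607:1b00:10:a::1 next-hop-self
 address-family ipv6
 network 2607:1b00:d1::/48
 network 2607:1b00:d2::/48
 neighbor 2607:1b00:10:a::1 activate
 exit-address-family
"""

# Constructed: the same configuration with both replies applied.
FIXED = """\
router bgp 54456
 bgp router-id 199.116.78.28
 redistribute connected metric 1
 redistribute static metric 1
 neighbor 2607:1b00:10:a::1 remote-as 54456
 no neighbor 2607:1b00:10:a::1 activate
 address-family ipv6
 network 2607:1b00:d1::/48
 network 2607:1b00:d2::/48
 neighbor 2607:1b00:10:a::1 activate
 neighbor 2607:1b00:10:a::1 next-hop-self
 exit-address-family
"""

if __name__ == "__main__":
    for peer, finding in lint_bgpd(BROKEN):
        print(peer, "-", finding)
```
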




Re: Attack on UDP 101

2012-07-21 Thread Stefan Fouant
Can you give us more  information? What do you mean it is causing Layer 3 loops?

Stefan Fouant

Sent from my HTC on the Now Network from Sprint!

- Reply message -
From: Shahab Vahabzadeh sh.vahabza...@gmail.com
Date: Sat, Jul 21, 2012 10:50 am
Subject: Attack on UDP 101
To: nanog@nanog.org

Hi there,
Does any body know any report about attack on UDP Port 101 which make Layer
3 Loops?
This is an example sniff:

Source IP Address is : 76.164.199.86
Source port: 62946  Destination port: 101
2012-07-21 11:11:09.646757

Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: How do the lowest layers of the DSL stack work?

2012-07-02 Thread Stefan Bethke
Am 01.07.2012 um 21:01 schrieb James Bensley:

 [15.24 Mbit/s raw bit rate compared to 8.128 Mbit/s net] is quite a drop in 
 speed and I'm trying to understand where this is happening.
...
 According to that extract, it all disappeared because of [Reed-Solomon] 
 encoding, which is hugely vague.

http://en.wikipedia.org/wiki/Reed-Solomon_error_correction#Data_storage

The second paragraph explains that typically the raw bit rate is twice the net 
rate.

The raw bitstream is then encoded further as HDLC or ATM.


Stefan

-- 
Stefan Bethke s...@lassitu.de   Fon +49 151 14070811




Re: NOC presentations

2012-06-05 Thread Stefan Liström

On 2012-06-04 12.46, Stefan Liström wrote:

Hi all,

In TF-NOC we have been collecting information about NOCs for some time
now[1]. Most of the NOCs are from research and educational organizations
and we think it would also be very interesting to get the same kind of
information from commercial NOCs. I understand that many commercial
companies might not be able to share this information, but I thought it
might be worth asking.

If you would like to share information about your NOC please check out
our presentation template[2] for inspiration and let me know.

Even if you are not able to share information about your NOC the
information we have gathered will hopefully still be interesting for you.

[1] http://www.terena.org/activities/tf-noc/nocs.html
[2] http://www.terena.org/activities/tf-noc/TF-NOC-flashpresentation-v2.ppt



Hi again,

Got an off list reminder about the great NOC list at Puck:
http://puck.nether.net/netops/nocs.cgi

I forgot to mention that if you know any other groups of people that 
collect and publish information about NOCs I'd love to hear about it.


But I also wanted to clarify that we are not trying to create a contact 
list for NOCs. We are more aiming at getting to know how different NOCs 
work. E.g. if you are responsible for a hybrid network of a certain size or 
a distributed NOC what kind of tools and procedures do you find useful. 
So that other NOCs in a similar situation can be inspired and get useful 
tips on how they could improve their network operations.


--
Best regards
Stefan Liström



NOC presentations

2012-06-04 Thread Stefan Liström

Hi all,

In TF-NOC we have been collecting information about NOCs for some time 
now[1]. Most of the NOCs are from research and educational organizations 
and we think it would also be very interesting to get the same kind of 
information from commercial NOCs. I understand that many commercial 
companies might not be able to share this information, but I thought it 
might be worth asking.


If you would like to share information about your NOC please check out 
our presentation template[2] for inspiration and let me know.


Even if you are not able to share information about your NOC the 
information we have gathered will hopefully still be interesting for you.


[1] http://www.terena.org/activities/tf-noc/nocs.html
[2] http://www.terena.org/activities/tf-noc/TF-NOC-flashpresentation-v2.ppt

--
Best regards
Stefan Liström



Re: IPv6 aggregation tool

2012-05-21 Thread Stefan Jakob
Am 04.05.12 03:35, schrieb Rafael Rodriguez:
 Found this tool that works perfectly.
 
 http://zwitterion.org/software/aggregate-cidr-addresses/aggregate-cidr-addresses
 
 Hoping this'll help someone else here on the list.  Thanks!

Thx, this is at least three times faster than what I have here.


Just a comment on the final print statement, which doesn't fit my needs
for ipv6:


-print prefix: , $_-prefix(), \n;
+print print:  , $_-print(), \n;


- prefix: 2001:0db8::::::/32
+ print: 2001:db8::/32
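
Review bot: the "+" line changes the output label ("prefix:" becomes "print:") as well as the method call, and the sample output shows both changes. If the goal is only the compressed form (2001:db8::/32 instead of 2001:0db8::::::/32), keep the original label and swap just the method, so anything that matches the tool's output on the "prefix:" label keeps working.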


Rgds, Stefan



Re: French Regulator to ask all your information about your Peering

2012-03-30 Thread Stefan Neufeind
On 03/30/2012 08:21 PM, Raphael MAUNIER wrote:
 
 This is now the end. The French regulator ( Arcep ) is now asking all the
 people with an ASN in France ( with a L33 license ) to get all their
 information on their peering.

[...]

 You have to give them information twice a year

Well, then for a few hundred peerings send them one letter each and
wait for a reaction :-)


Cheers,
 Stefan



Re: US withdraws IANA RFP, ‘no suitable responses’

2012-03-12 Thread Stefan Fouant
Was waiting for a response from Eric and without fail he comes through in 
record time... :-b

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad

On Mar 12, 2012, at 4:14 PM, Eric Brunner-Williams brun...@nic-naa.net wrote:

 good head line copy edit.
 
 body lacks substance, though not attitude.
 
 -e
 



Re: Most energy efficient (home) setup

2012-02-22 Thread Stefan Bethke
Am 22.02.2012 um 22:48 schrieb Joe Greco:

 You also don't have to
 buy a MMS; the lower end Mac mini's are also plenty powerful, can be
 upgraded similarly, but lack OS X Server and the quad core CPU.

With 10.7, Server is now a $50 add-on download from the Mac App Store, no 
special hardware required.


Stefan

-- 
Stefan Bethke s...@lassitu.de   Fon +49 151 14070811






Re: enterprise 802.11

2012-01-15 Thread Stefan
+1 f/Aruba ... and check out the BlackHat conferences, also.
On Jan 15, 2012 3:31 PM, Rafael Rodriguez packetjoc...@gmail.com wrote:

 I'd recommend Aruba.  Not a fan of the Cisco wifi controller gear.

 On Sun, Jan 15, 2012 at 2:30 PM, Ken King kk...@yammer-inc.com wrote:

  I need to choose a wireless solution for a new office.
 
  up to 600 devices will connect.  most devices are mac books and mobile
  phones.
 
  we can see hundreds of access points in close proximity to our new office
  space.
 
  what are the thoughts these days on the best enterprise solution/vendor?
 
  Thanks for your replies.
 
 
  Ken King
 
 
 
 
 
 



Re: community strings for Reliance Globalcom

2012-01-13 Thread Stefan Fouant
I could be wrong, but I think OP was requesting for BGP communities. I don't 
think he was asking for their SNMP community strings - I've never heard of a 
situation where a provider would allow their customers to poll their routers 
via SNMP.

Or did I miss something?

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad

On Jan 12, 2012, at 6:06 PM, Matthew Petach mpet...@netflight.com wrote:

 On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine source_ro...@yahoo.com wrote:
 does anybody have the community strings for Reliance Globalcom
 
 
 You might check to see if they left the default public read-only
 string in place, but I highly doubt it.  Most people are pretty careful
 to pick at least somewhat hard to guess community strings, and
 to ACL them off from external querying.
 
 Matt
 



Re: community strings for Reliance Globalcom

2012-01-12 Thread Stefan Fouant
Not sure how up to date this is, but I believe this is what you are looking for:

http://www.onesc.net/communities/as15412/

Cheers,

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad

On Jan 12, 2012, at 5:57 PM, Philip Lavine source_ro...@yahoo.com wrote:

 does anybody have the community strings for Reliance Globalcom



Re: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?

2011-12-29 Thread Stefan Fouant

On 12/29/2011 7:59 AM, Cameron Byrne wrote:


Next topic, ethernet is too chaotic and inefficient to deploy and support
mission critical applications in LAN or WAN or data center.


See IEEE1588v2 (Precision Time Protocol), SyncE, and Data center 
bridging (DCB) - all attempts to remedy such inefficiencies.


Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate



Re: Inaccessible network from Verizon, accessible elsewhere.

2011-12-10 Thread Stefan Bethke
Am 10.12.2011 um 20:49 schrieb NetSecGuy:

 This does not work from FIOS:
 
 traceroute to 106.187.34.33 (106.187.34.33), 64 hops max, 52 byte packets
 
 4  so-6-1-0-0.phil-bb-rtr2.verizon-gni.net (130.81.199.4)  34.229 ms
 8.743 ms  8.878 ms
 5  so-8-0-0-0.lcc1-res-bb-rtr1-re1.verizon-gni.net (130.81.17.3)
 15.402 ms  13.008 ms  14.932 ms
 6  0.ae2.br1.iad8.alter.net (152.63.32.158)  13.325 ms  13.245 ms  13.802 ms
 7  204.255.169.218 (204.255.169.218)  14.820 ms  14.232 ms  13.491 ms
 8  lap-brdr-03.inet.qwest.net (67.14.22.78)  90.170 ms  92.273 ms  145.887 ms
 9  63.146.26.70 (63.146.26.70)  92.482 ms  92.287 ms  94.000 ms
 10  sl-crs1-kc-0-0-0-2.sprintlink.net (144.232.18.112)  58.135 ms
 58.520 ms  58.055 ms
 11  otejbb203.kddnet.ad.jp (203.181.100.17)  205.844 ms
otejbb204.kddnet.ad.jp (203.181.100.25)  189.929 ms
otejbb203.kddnet.ad.jp (203.181.100.17)  204.846 ms
 12  sl-crs1-oro-0-1-5-0.sprintlink.net (144.232.25.77)  87.229 ms
sl-crs1-oro-0-3-3-0.sprintlink.net (144.232.25.207)  88.796 ms  88.717 ms
 13  124.215.199.122 (124.215.199.122)  193.584 ms  202.208 ms  192.989 ms
 14  * * *

From FIOS in BOS:
 3  g14-0-7-1544.bstnma-lcr-05.verizon-gni.net (130.81.49.80)  132.408 ms  
130.742 ms  139.945 ms
 4  so-7-2-0-0.bos-bb-rtr1.verizon-gni.net (130.81.29.172)  132.405 ms  137.776 
ms  134.929 ms
 5  so-9-1-0-0.ny325-bb-rtr1.verizon-gni.net (130.81.19.70)  139.872 ms  
141.344 ms  150.117 ms
 6  0.so-0-0-0.xt1.nyc4.alter.net (152.63.1.41)  142.381 ms  141.256 ms  
139.873 ms
 7  0.ae3.br2.nyc4.alter.net (152.63.3.110)  169.904 ms  169.769 ms  167.357 ms
 8  nyc-brdr-02.inet.qwest.net (63.146.27.209)  140.164 ms  142.500 ms  142.880 
ms
 9  lap-brdr-03.inet.qwest.net (67.14.22.78)  274.856 ms  226.176 ms  232.839 ms
10  63.146.26.70 (63.146.26.70)  224.891 ms  223.915 ms  225.082 ms
11  lajbb002.kddnet.ad.jp (59.128.2.73)  227.355 ms
lajbb001.kddnet.ad.jp (59.128.2.173)  236.509 ms
lajbb002.kddnet.ad.jp (59.128.2.177)  226.723 ms
12  otejbb204.kddnet.ad.jp (203.181.100.25)  324.419 ms
otejbb203.kddnet.ad.jp (203.181.100.13)  336.141 ms
otejbb204.kddnet.ad.jp (203.181.100.45)  330.458 ms
13  cm-fcu203.kddnet.ad.jp (124.215.194.164)  336.209 ms
cm-fcu203.kddnet.ad.jp (124.215.194.180)  334.191 ms
cm-fcu203.kddnet.ad.jp (124.215.194.164)  327.027 ms
14  124.215.199.122 (124.215.199.122)  334.904 ms  324.853 ms *

-- 
Stefan Bethke s...@lassitu.de   Fon +49 151 14070811






Re: ATT GigE issue on 11/19 in Kansas City

2011-11-30 Thread Stefan
On Wed, Nov 30, 2011 at 8:21 AM, Brad Fleming bdfle...@gmail.com wrote:
 On Nov 29, 2011, at 8:17 PM, compt...@kc.rr.com wrote:

 We lost several of our GigE links to ATT for 6 hours on 11/19, anyone else 
 see this and get a root cause from ATT? All I can get is that they believe 
 a change caused the issue.

 We lost several (but not all) of our Optiman circuits on 11/19 at about 
 10:20am. We were told the root issue was that all VLANs in one of their 
 switches had been accidentally deleted / removed. We were never able to get 
 any additional detail (like how) but services were restored about 16:45.

+1 to the above - we received the following RFO, from the their NOC:

All impacted VLANS were rebuilt to restore service. It is believed
there were some configuration changes that caused the VLAN troubles. A
case has been opened with Cisco to further investigate the root
cause.

***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius



Re: First real-world SCADA attack in US

2011-11-21 Thread Stefan Bethke
Am 21.11.2011 um 21:22 schrieb Ryan Pavely:

 But then again I don't want to goto jail for leaving my car door open and 
 having someone steal my car, so nix that idea.

Oh, but you are. (Not sure about criminal liability, but definitely civil.)

-- 
Stefan Bethke s...@lassitu.de   Fon +49 151 14070811






Re: Random five character string added to URLs?

2011-11-01 Thread Stefan Fouant
Is there anything perhaps protecting or intercepting the data on its way to the 
server, perhaps an Arbor device or some type of load balancer?

This type of behavior is quite common when protecting web assets to eliminate 
zombies and such, but it's usually something you would see back to the clients, 
not to the server.

Also, IIRC, the LOIC DoS tool had this ability to create random strings in the 
URL, and I believe it did so with 5 characters.  Might want to do a packet 
trace and identify if this is coming from LOIC.

Regards,

Stefan Fouant
Technical Trainer, Juniper Networks
GPG Key ID: 0xB4C956EC

Sent from my HTC EVO.

- Reply message -
From: Christopher J. Pilkington c...@0x1.net
Date: Tue, Nov 1, 2011 3:51 pm
Subject: Random five character string added to URLs?
To: nanog@nanog.org

This might be off-topic, my apologies if so.

I seeing requests against a server with initial GET requests in the form:

 GET /[a-zA-Z]{5}/pagename.html

pagename.html being optional. The 5 character string seems to be
random. This GET always results in a 404, as our servers don't have
these paths.  The second request seems to always the same without the
modified path, which results in a 20.

I initially suspected this was something from an attack or DOS tool,
but the traffic doesn't fit such a pattern.

Is anyone familiar with what device/service behaves in this fashion?
Clearly something layer 7 is between the clients and the server.
Provider is without clue regarding this. Google results in many
GoDaddy users complaining of same; the server in question is not
hosted with them, but I suspect they may be doing something similar.

Thanks,
-cjp
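
To size the pattern described in this thread before taking a packet trace, the access log can be searched for the two-request sequence: a 404 on a path with a five-letter first segment, then a successful request for the same path without it, from the same client. This is an added example, not part of the original messages. It assumes combined-format access logs, reads the truncated "20" in the post as a 2xx status, and uses an assumed 5-second pairing window; the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

WINDOW_SECONDS = 5   # assumed: how soon the plain request must follow the 404

LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# /[a-zA-Z]{5}/ followed by an optional page name, as given in the post.
PREFIXED = re.compile(r"^/[a-zA-Z]{5}(/.*)$")


def find_pairs(lines):
    """Return (client, prefixed_path, plain_path) for each 404-then-2xx pair."""
    pending = {}   # (client, plain path) -> (time of 404, prefixed path)
    pairs = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path, status = m["ip"], m["path"], m["status"]
        prefixed = PREFIXED.match(path)
        if status == "404" and prefixed:
            pending[(ip, prefixed.group(1))] = (ts, path)
        elif status.startswith("2"):
            first = pending.pop((ip, path), None)
            if first and 0 <= (ts - first[0]).total_seconds() <= WINDOW_SECONDS:
                pairs.append((ip, first[1], path))
    return pairs


def clients(pairs):
    """Count matched pairs per client address."""
    return Counter(ip for ip, _, _ in pairs)


# Constructed sample log lines.
SAMPLE = """\
192.0.2.10 - - [01/Nov/2011:15:40:01 -0400] "GET /qWzTr/pagename.html HTTP/1.1" 404 512
192.0.2.10 - - [01/Nov/2011:15:40:01 -0400] "GET /pagename.html HTTP/1.1" 200 8211
192.0.2.11 - - [01/Nov/2011:15:40:05 -0400] "GET /KdmPa/ HTTP/1.1" 404 512
192.0.2.11 - - [01/Nov/2011:15:40:06 -0400] "GET / HTTP/1.1" 200 4096
192.0.2.12 - - [01/Nov/2011:15:41:00 -0400] "GET /about/team.html HTTP/1.1" 200 2048
192.0.2.13 - - [01/Nov/2011:15:42:00 -0400] "GET /abcde/x.html HTTP/1.1" 404 512
192.0.2.13 - - [01/Nov/2011:15:42:45 -0400] "GET /x.html HTTP/1.1" 200 100
192.0.2.14 - - [01/Nov/2011:15:43:00 -0400] "GET /abc12/x.html HTTP/1.1" 404 512
192.0.2.14 - - [01/Nov/2011:15:43:01 -0400] "GET /x.html HTTP/1.1" 200 100
""".splitlines()

if __name__ == "__main__":
    for ip, prefixed_path, plain_path in find_pairs(SAMPLE):
        print(ip, prefixed_path, "->", plain_path)
```

A legitimate five-letter directory such as /about/ is not reported unless it returns 404 and the same client then fetches the stripped path within the window.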



Re: Need photographs of IT/Telecom gear/rooms

2011-10-28 Thread Stefan Bethke
Am 27.10.2011 um 21:30 schrieb Mike:

 Greetings,
 
   I have been given the opportunity to teach the mechanics of the 
 Internet to a group of 6 - 12'th grade students, and as an engineer and owner 
 of an ISP I have it in mind to really get into this and show these kids how, 
 really, all this stuff works and to make it fun and exciting.

There's a German TV program (Die Sendung mit der Maus - the program with the 
mouse) that has been doing how stuff works kind of segments for a long time, 
and they did one on the Internet some ten years back.  A version with English 
subtitles is here: http://www.youtube.com/watch?v=vfXsdbnPjX4

While it is simplified, I find it surprisingly accurate despite the reenactment.


Stefan

-- 
Stefan Bethke s...@lassitu.de   Fon +49 151 14070811






Re: Outsourcing DDOS

2011-10-24 Thread Stefan Fouant

On 10/24/2011 1:54 PM, Andreas Echavez wrote:


obviously they will get blocked. My personal experience is that when you're
dealing with a DoS at the scale that you need Prolexic, there is simply no
one else that can handle that level of traffic.


Andreas,

I think there are a lot of people on this list that would argue with 
that statement.  As was mentioned earlier, ATT, Verizon, and several 
others including Verisign have very ample networks capable of handling 
attacks just as large as Prolexic, if not bigger.


One thing to note about Prolexic, where it stands out from some of the 
others is that it is a completely off-net solution.  Many of the other 
offerings from folks like Verizon require you to have WAN circuits 
connected to their network in order to avail of such a service (in other 
words, they will only scrub that which would normally traverse their 
network on its way towards your WAN interface).


Others like Verisign have (smartly) adopted a similar model to that of 
Prolexic.  They understand that requiring a physical connection into a 
provider's cloud is a monolithic approach (and certainly runs counter to 
today's mantra of offering up cloud-based services).


Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate



Re: Outsourcing DDOS

2011-10-24 Thread Stefan Fouant

On 10/24/2011 3:53 PM, Christopher Morrow wrote:

On Mon, Oct 24, 2011 at 3:29 PM, Stefan Fouant

but... often the cost of scrubbing includes the cost of transit
to/from the remote provider, which is why 'cheapest' only counts for
an entire process, NOT for 'lookie, I bought the service!'.

either way, folks will learn one way or the other which works for them.


I couldn't agree with you more - often times there are unintended costs, 
for example, the operational burden of moving your advertisements 
towards the provider who offers a scrubbing service...


Also the more complex it is to use a particular service, the more likely 
you are to have indirect costs in terms of lost revenue during the outage.


All of these things should be properly vetted well in advance, and the 
additional operational burden should also be factored into the pricing 
equation.  Unfortunately, all too often these additional things aren't 
factored by the bean counters until it's too late.


Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate



Re: Outsourcing DDOS

2011-10-22 Thread Stefan Fouant
Although a bit dated, I did a pretty exhaustive comparison of offerings 
from ATT, Verizon, Prolexic, and a few others a while back.


Don't forget there is also the go-it-yourself approach which is always a 
fun option, guaranteed to keep you up at night and give you a few 
additional gray hairs...


Let me know if you're interested in the slides...

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

On 10/20/2011 4:43 PM, Hank Nussbacher wrote:

At 09:13 19/10/2011 -0400, samuel.cunning...@wellsfargo.com wrote:

We are considering using Prolexic to 'defend' our Internet-facing
network from DDOS attacks. Anyone have any known issues or word of
warnings before we proceed?


Things to check:

- DDOS service caps
- outage remedy credits
- service trial period
- monitoring - you will want some external mutually agreeable monitoring
service like gomez/compuware. Who pays for it?

Regards,
Hank




Chris Cunningham
Network Engineering
Secure Connectivity
704-427-3557 (Desk)
704-701-6924 (Cell)
samuel.cunning...@wellsfargo.com







Re: Juniper DOS/Blackhole question

2011-10-22 Thread Stefan Fouant
Enabling BGP multi-hop is a very common approach with DDoS Mitigation services 
and also variations of Remote-Triggered Black Holes where the discard route 
isn't localized on the edge router.  This is not because the customer router 
will be greater than one hop away, but because enabling multi-hop has an 
additional side effect of disabling next-hop validation. Without this enabled, 
the edge router will invalidate the “mitigate” routes received from the 
customer because the next-hop is not directly reachable via the neighbor.

Not sure about the PPS limitations... The PFE ASICs should be able to handle a 
750Mbps / 1.5 Mpps DoS pretty easy...

HTHs.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad

On Oct 22, 2011, at 9:38 PM, Jack Bates jba...@brightok.net wrote:

 Considered j-nsp, but this just feels more nanog appropriate.
 
 I'm told by one of my NSPs that I'm connected to a juniper. We were dealing 
 with a DOS, and for some reason remote triggered DOS prevention via BGP 
 wasn't working. The NOC said they had to enable multihop to my peering to 
 make it work, otherwise it wouldn't accept the route. This seems strange to 
 me. Any idea why a route would be rejected unless multihop was enabled?
 
 Also, any idea why a Juniper couldn't handle a simple 750mbit/s, 1.5Mpps DOS? 
 Don't get me wrong, it could have been more than that. I was just receiving 
 that much of the DOS and my lower end m120 didn't seem to think it an issue, 
 so I'm curious why I was dropping packets on the link to begin with. 
 Interestingly, I have an OC-12 to another NSP who was also dropping after 
 around 1.2Mpps (last time I asked, they said the oc-12 hit a cisco 7600).
 
 
 Jack
 



Re: Strange static route

2011-09-23 Thread Stefan Fouant
Well considering that native multicast isn't enabled end to end Internet wide, 
and class E address space isn't used, it's more like half your IPv4 Internet 
goes one way, and ~38% goes the other way... :-b

Stefan Fouant
JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad

On Sep 23, 2011, at 10:15 PM, Jon Lewis jle...@lewis.org wrote:

 On Sat, 24 Sep 2011, Glen Kent wrote:
 
 Hi,
 
 I have seen a few operators adding static routes like:
 0.0.0.0/1 some next-hop and
 128.0.0.0/1 some next-hop.
 
 It means half the IPv4 internet goes one way.  Half goes the other way.
 
 --
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
 _ http://www.lewis.org/~jlewis/pgp for PGP public key_
 



GNS3 site

2011-08-31 Thread Stefan
http://www.downforeveryoneorjustme.com/www.gns3.net - anybody having
any idea about the status of this?

***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius



Re: OSPF vs IS-IS

2011-08-12 Thread Stefan Fouant

On 8/12/2011 8:40 AM, James Jones wrote:

I would not say ISIS is the prefered protocol. Most service providers I have 
worked with use OSPF. Most networks outside of the US use it from what I have 
seen and the larger SPs in the US do too. There must be a reason for that.


Actually, I strongly disagree with this statement.  A good majority of 
the Tier-1 Service Providers that I have worked with in the past used 
IS-IS, I think in large part due to the points mentioned earlier.  I 
know for a fact that in the late 90s, when we were transitioning from an 
ATM core to an MPLS core at UUnet, we selected IS-IS largely due to the 
fact that it supported MPLS Traffic Engineering extensions before 
comparable support was available in OSPF, and the main reason for this 
was due to the fact that IS-IS was TLV based.


Stefan Fouant
JNCIE-ER, JNCIE-M, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant



Invitation to connect on LinkedIn

2011-08-12 Thread Stefan Mititelu via LinkedIn
LinkedIn





Stefan Mititelu requested to add you as a connection on LinkedIn:
  
--

Ted,

I'd like to add you to my professional network on LinkedIn.

- Stefan


Re: OSPF vs IS-IS

2011-08-11 Thread Stefan Fouant
Well up until not too long ago, to support IPv6 you would run OSPFv3 and for 
IPv4 you would run OSPFv2, making IS-IS more attractive, but that is no longer 
the case with support for IPv4 NLRI in OSPFv3.

The only reason in my opinion to run IS-IS rather than OSPF today is due to the 
fact that IS-IS is decoupled from IP making it less vulnerable to attacks.

Stefan Fouant
JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant

Sent from my iPad

On Aug 11, 2011, at 8:57 AM, CJ cjinfant...@gmail.com wrote:

 Hey all,
 Is there any reason to run IS-IS over OSPF in the SP core? Currently, we
 are running IS-IS but we are redesigning our core and now would be a good
 time to switch. I would like to switch to OSPF, mostly because of
 familiarity with OSPF over IS-IS.
 What does everyone think?
 
 -- 
 CJ
 
 http://convergingontheedge.com http://www.convergingontheedge.com



Re: OSPF vs IS-IS

2011-08-11 Thread Stefan Fouant
I'll go with that... And one other thing... Traditionally it has been easier 
for developers to add new features to IS-IS because of the structure and 
flexibility of TLVs, whereas OSPF required the design of entirely new LSA types 
to support similar capabilities... I guess this has become less of an issue 
over the last few years however...

Nonetheless, if I was building a greenfield network today, I would personally 
go with IS-IS, but that is largely because of my many years working with the 
protocol...

Stefan Fouant
JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant

Sent from my iPad

On Aug 11, 2011, at 6:19 PM, Randy Bush ra...@psg.com wrote:

 The only reason in my opinion to run IS-IS rather than OSPF today is
 due to the fact that IS-IS is decoupled from IP making it less
 vulnerable to attacks.
 
 how about simpler and more stable?
 
 randy



Re: OSPF vs IS-IS

2011-08-11 Thread Stefan Fouant

On 8/11/2011 8:16 PM, Jimmy Hess wrote:


I would encourage you to ask the opposite question:   Is there any
reason to run OSPF over IS-IS in the SP core?
And the answer would be...  probably not.  There is not really a good
technical reason to run OSPF over IS-IS in the SP core.
You might have some aesthetic considerations such as wanting the SP
core to run the same protocol as something else,
despite its limitations.


Just to add to everything that Jimmy said, if you've got the time to do 
an in-depth side-by-side analysis of the two protocols, I strongly 
recommend the book OSPF and IS-IS: Choosing an IGP for Large-Scale 
Networks by Jeff Doyle.  I can't speak highly enough of this book...


Stefan Fouant
JNCIE-ER, JNCIE-M, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant



Re: network issue help

2011-08-10 Thread Stefan Fouant
Is there an acronym for RTFM when there are a volume of manuals that need to be 
read?

Stefan Fouant
JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant

Sent from my iPad

On Aug 10, 2011, at 5:35 PM, Deric Kwok deric.kwok2...@gmail.com wrote:

 Hi
 
 There is problem in our network. The connection is disappearing.
 
 Is it about looping?
 
 How can I check it in switch?
 
 Is spanning tree disabled by default?
 
 Thank you so much
 



Re: network issue help

2011-08-10 Thread Stefan Fouant
Sorry, couldn't help it... that was my Asperger's kicking in...

Stefan Fouant
JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant

Sent from my iPad

On Aug 10, 2011, at 9:22 PM, Christopher Morrow morrowc.li...@gmail.com wrote:

 
 folks do get that deric's primary language isn't English right? so
 asking him to explain is probably 'ok'.
 (yes, he could have put more details into his mail, yes it would have
 been more helpful and quicker to an answer for him...)
 
 -chris
 
 
 


Re: I'm missing 2 bytes (GRE implementation)

2011-08-09 Thread Stefan Fouant
Everything from checksums, keys,  and sequence numbers is optional. The only 
required fields IIRC amount to 2 bytes of overhead.  Sounds like they both 
interpret what should be included in the GRE header slightly differently.

Stefan Fouant
GPG Key ID: 0xB4C956EC

Sent from my HTC EVO.

- Reply message -
From: Franck Martin fmar...@linkedin.com
Date: Tue, Aug 9, 2011 5:57 pm
Subject: I'm missing 2 bytes (GRE implementation)
To: nanog@nanog.org nanog@nanog.org

I'm using a GRE IPv4 tunnel between a cisco and linux machines

I did some packet capture, and saw that my MTU was 1418, but the cisco was 
sending TCP packet with a MSS of 1380. This created a bunch of issues. When I 
told the cisco box to use a MSS of 1378 everything started to work fine.

So why Cisco is off by 2 Bytes?

Does the GRE implementation on Linux uses 2 extra bytes compared to Cisco (or 
vice versa)?


Re: DNS DoS ???

2011-07-29 Thread Stefan Fouant
Ping me offline, there are a few other folks who have seen this as well.  The 
isc.org record is commonly used in reflection attacks because the size of the 
record is so large, so the amplification factor is greatly increased.  Can you 
check to see if +edns=0 was set in the query?  That would be a sure sign this 
is related to what others have seen...

Sorry for the top post, I'm on my iPad.

Stefan Fouant
JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant

Sent from my iPad

On Jul 29, 2011, at 2:51 PM, Elliot Finley efinley.li...@gmail.com wrote:

 my DNS servers were getting slow so I blocked recursive queries for
 all but my own network.
 
 Then I was getting so many of these:
 
 ns2 named[5056]: client 78.159.111.190#25345: query (cache)
 'isc.org/ANY/IN' denied
 
 that it was still slowing things down.  I've since written a script to
 watch the log and throw these into the box local firewall.  If I
 expire the entries after 24 hours then I accumulate about 10200 unique
 IPs.  If I expire after 48 hours, then it's just over 2 unique
 IPs.
 
 Is anyone else seeing this?
 
 Elliot
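
The log-watching approach described in this message, as an added example (not the poster's script): it replays BIND "denied" lines for `isc.org/ANY` through a block list with a configurable expiry, so the effect of a 24-hour versus 48-hour window on list size can be measured. The syslog timestamp prefix, the function names and the sample addresses are assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the shape of the log line quoted in the message,
# with an assumed syslog timestamp prefix and documentation-range addresses.
SAMPLE_LOG = """\
Jul 28 09:00:00 ns2 named[5056]: client 192.0.2.10#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 28 09:00:01 ns2 named[5056]: client 192.0.2.10#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 28 09:00:02 ns2 named[5056]: client 198.51.100.7#4011: query (cache) 'isc.org/ANY/IN' denied
Jul 28 09:05:00 ns2 named[5056]: client 203.0.113.5#53000: query (cache) 'example.com/A/IN' denied
Jul 28 21:30:00 ns2 named[5056]: client 198.51.100.99#1024: query (cache) 'isc.org/ANY/IN' denied
Jul 29 10:00:00 ns2 named[5056]: client 192.0.2.200#40000: query (cache) 'isc.org/ANY/IN' denied
Jul 29 10:00:05 ns2 named[5056]: zone example.net/IN: loaded serial 2011072901
Jul 29 20:00:00 ns2 named[5056]: client 198.51.100.7#4012: query (cache) 'isc.org/ANY/IN' denied
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+named\[\d+\]:\s+"
    r"client\s+(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+):\s+"
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)


def parse_denied(line, year=2011):
    """Return a record for a 'query (cache) ... denied' line, else None.

    Syslog omits the year, so the caller supplies it (assumption).
    """
    m = DENIED_RE.match(line)
    if not m:
        return None
    try:
        # Validate before the value can reach a firewall rule.
        ip = str(ipaddress.ip_address(m["ip"]))
    except ValueError:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": ip,
            "qname": m["qname"].lower(), "qtype": m["qtype"].upper()}


def replay(lines, ttl, qname="isc.org", qtype="ANY"):
    """Replay log lines through a block list whose entries expire `ttl`
    after the last matching denied query from that address.

    Returns (active, peak, hits): addresses still listed after the last
    line, the largest size the list reached, and per-address hit counts.
    In a reflection attack the client address is the spoofed target, not
    the sender, which is why entries are expired rather than kept forever.
    """
    last_seen = {}
    hits = Counter()
    peak = 0
    for line in lines:
        rec = parse_denied(line)
        if rec is None or (rec["qname"], rec["qtype"]) != (qname, qtype):
            continue
        now = rec["ts"]
        # Drop entries that have been quiet for at least `ttl`.
        last_seen = {ip: ts for ip, ts in last_seen.items() if now - ts < ttl}
        last_seen[rec["ip"]] = now
        hits[rec["ip"]] += 1
        peak = max(peak, len(last_seen))
    return set(last_seen), peak, hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hours in (1, 24, 48):
        active, peak, hits = replay(lines, timedelta(hours=hours))
        print(f"ttl={hours:>2}h peak={peak} active={sorted(active)}")
    print("most denied:", hits.most_common(2))
```

The returned `active` set is what a firewall update step would consume; the expiry window alone changes its size, which matches the growth the message reports when moving from 24 to 48 hours.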
 



RE: Verisign Internet Defence Network

2011-06-01 Thread Stefan Fouant
 -Original Message-
 From: Seth Mattinen [mailto:se...@rollernet.us]
 Sent: Wednesday, June 01, 2011 2:44 AM
 To: nanog@nanog.org
 Subject: Re: Verisign Internet Defence Network
 
 Sounds like a catch-22 though; if it's not always on and only starts
 scrubbing after an attack begins (pending activation approval from the
 customer which may take time), then the customer site is quite possibly
 already down when they start doing their thing to make it come back up.

Well that's exactly how it works in most cases.  Customers don't usually avail 
of these types of services until there is a problem, which usually means their 
site is down in most cases.  This is why having proper visibility is key as 
they can serve as an early warning system giving indication of an impending 
attack prior to it becoming big enough to bring the site down (usually it takes 
several minutes to ramp up the attack during the time the bots receive 
instruction-set from the bot herder).

The problem with an always-on mitigation service is that there are additional 
latencies involved in the redirection (assuming it's not in-line), not to 
mention the inspections/proxying/filtering that the mitigation devices perform. 
 Note that these latencies will be substantially less on an on-net service 
offering like Verizon's whereas they can be substantially higher on an off-net 
service offering from folks like Verisign/Prolexic, etc.  These latencies are 
generally acceptable when a site is under attack, but not desired under normal 
circumstances.

Stefan Fouant
JNCIE-M #513, JNCIE-ER #70, JNCI
GPG Key ID: 0xB4C956EC




RE: VeriSign Internet Defense Network

2011-05-31 Thread Stefan Fouant
 -Original Message-
 From: Deepak Jain [mailto:dee...@ai.net]
 Sent: Tuesday, May 31, 2011 3:07 PM
 Subject: RE: VeriSign Internet Defense Network
 
 Let's not ignore the value of DNS with a short ttl time. It may not be
 as quick as a BGP adjustment, but serves to provide a buttressed
 front-end IP that can restore service instantly [faster than getting
 someone on the phone to coordinate the change, etc].

Heck, if it's good enough for fast-flux, it's good enough for me ;)

Stefan Fouant
JNCIE-M #513, JNCIE-ER #70, JNCI
GPG Key ID: 0xB4C956EC




RE: VeriSign Internet Defense Network

2011-05-31 Thread Stefan Fouant
 -Original Message-
 From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
 Sent: Tuesday, May 31, 2011 3:31 PM
 Subject: Re: VeriSign Internet Defense Network
 
 also, note that VerizonBusiness ddos-mitigation service was
 no-call-required, just send the right community on a configured
 session ... and 'cheap'.

The downside to their approach is that it only works for sites you actually
have connected to VzB's network.  They could just as easily offer the
service to off-net customers similar to what Verisign and Prolexic do, but
for some reason we could never convince the marketing folks to do just
that...

Agreed though, it is super-easy to use and competitively priced.

Stefan Fouant
JNCIE-M #513, JNCIE-ER #70, JNCI
GPG Key ID: 0xB4C956EC





RE: Verisign Internet Defence Network

2011-05-30 Thread Stefan Fouant
 -Original Message-
 From: Jim Mercer [mailto:j...@reptiles.org]
 Sent: Monday, May 30, 2011 10:26 AM
 To: nanog@nanog.org
 Subject: Verisign Internet Defence Network
 
 it claims to be Carrier-agnostic and ISP-neutral, yet When an event is
 detected, Verisign will work with the customer to redirect Internet traffic
 destined for the protected service to a Verisign Internet Defense Network
 site.
 
 anyone here have any comments on how this works, and how effective it will
 be vs. dealing directly with your upstream providers and getting them to
 assist in shutting down the attack?

It's really very simple.  Verisign advertises your netblock to the Internet
at whole while at the same time you cease to advertise your route to your
ISPs.  Traffic gets redirected into VIDN scrubbing center where the bad
traffic is removed.  The resulting clean traffic is sent via GRE tunnel back
to customer CPE router.

Regarding how effective it will be vs. getting your upstream to assist
really depends on how many upstream providers you have and what their
capabilities are.  Certainly dealing with one company (Verisign) is going to
be a lot easier than dealing with many upstream providers which are likely
to not have uniform offerings and services.  Most providers that are going
to be willing to assist you are only going to null-route traffic towards the
destination netblock thereby completing the DoS attack.  Those that do have
mitigation offerings are going to charge you for it, and then again, it's
not a uniform offering across all your upstream providers.

I personally think the cloud-based approach offered by Verisign makes a
whole heckuva lot more sense than trying to deal with heterogeneous
offerings from many disparate providers, much less having to open tickets
with each provider, having to deal with typical response times, etc.  In my
experience, reducing the number of cogs usually results in dramatically
lower mitigation times, which is certainly the end goal in dealing with
these types of attacks.

Stefan Fouant
JNCIE-M #513, JNCIE-ER #70, JNCI
GPG Key ID: 0xB4C956EC




RE: Had an idea - looking for a math buff to tell me if it's possible with today's technology.

2011-05-18 Thread Stefan Fouant
 -Original Message-
 From: Landon Stewart [mailto:lstew...@superb.net]
 Sent: Wednesday, May 18, 2011 4:08 PM
 To: nanog
 Subject: Had an idea - looking for a math buff to tell me if it's
 possible with today's technology.
 
 Let's say you had a file that was 1,000,000,000 characters consisting of
 8,000,000,000 bits.  What if instead of transferring that file through the
 interwebs you transmitted a mathematical equation to tell a computer on the
 other end how to *construct* that file.  First you'd feed the file into a
 cruncher of some type to reduce the pattern of 8,000,000,000 bits into an
 equation somehow.  Sure this would take time, I realize that.  The equation
 would then be transmitted to the other computer where it would use its
 mad-math-skillz to *figure out the answer* which would theoretically be the
 same pattern of bits.  Thus the same file would emerge on the other end.

Not exactly the same thing, but application acceleration of this sort has
been around for some time - 

http://www.riverbed.com/us/
http://www.juniper.net/us/en/products-services/application-acceleration/wxc-series/
http://www.cisco.com/en/US/products/ps5680/Products_Sub_Category_Home.html

Stefan Fouant





Re: Routing study

2011-05-12 Thread Stefan Bethke
Am 12.05.2011 um 18:02 schrieb Greg Whynott:

 helps to read before you jump!

I think he might be referring to the fact that the prefix supposedly used to 
conduct the test is his, not Georgia Tech's.

-- 
Stefan Bethke s...@lassitu.de   Fon +49 151 14070811






RE: Suspecious anycast prefixes

2011-05-02 Thread Stefan Fouant
 -Original Message-
 From: Yaoqing(Joey) Liu [mailto:joey.li...@gmail.com]
 Sent: Monday, May 02, 2011 2:17 PM
 To: nanog@nanog.org
 Subject: Suspecious anycast prefixes
 
 Hi all,
 
 I found the following prefixes are often originated by many ASNs more than
 five, wonder if they provide global anycast service, if so what specific
 service they provide?
 
 12.64.255.0/24
 70.37.135.0/24
 198.32.176.0/24
 199.7.49.0/24
 199.7.80.0/24
 199.16.93.0/24
 199.16.94.0/24
 199.16.95.0/24
 206.223.115.0/24

Most of those are for Verisign's DNS resolution services.  Definitely
nothing to be suspicious about here.  Move along.  These aren't the droids
you are looking for.

Stefan Fouant





Re: Amazon diagnosis

2011-05-01 Thread Stefan
On Fri, Apr 29, 2011 at 2:35 PM, Joly MacFie j...@punkcast.com wrote:
 http://aws.amazon.com/message/65648/

 ___
 --
 ---
 Joly MacFie  218 565 9365 Skype:punkcast
 WWWhatsup NYC - http://wwwhatsup.com
  http://pinstand.com - http://punkcast.com
  VP (Admin) - ISOC-NY - http://isoc-ny.org
 --
 -


http://storagemojo.com/2011/04/29/amazons-ebs-outage/

***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius



RE: Multitenant FWs

2011-05-01 Thread Stefan Fouant
 -Original Message-
 From: David Oramas [mailto:david.ora...@aptel.com.au]
 Sent: Sunday, May 01, 2011 9:42 PM
 To: nanog@nanog.org
 Subject: Multitenant FWs
 
 Hi,
 What do you guys recommend for Multitenant Firewalls with support for
 over 1,000+ users/contexts?
 I have looked at Centrinet's Accessmanager and Barracuda NG Firewall.
 Any other players/products?
 Many Thanks in advance for the input,

When I worked on building out Verizon's Network Based Firewall solution many
years ago, I chose Juniper NS-5400 platforms due to their multitenancy
capabilities and ability to support literally thousands of virtual firewall
contexts and many times that for users.  This decision was made after an
exhaustive analysis of competing solutions from Checkpoint, Cisco, and
Juniper.  Juniper's SRX line of products might make a good fit, but they
currently don't have full Logical System support which would certainly be a
requirement for any multi-tenant offering.  However, Logical System support
is on the roadmap so you might want to look into this depending on your
timeframe for deployment.

As the other list member pointed out, Palo Alto does make some really nice
gear and I have really been impressed with their Application Layer
Firewalling capability (Application Identification, Web Firewalling, etc),
however, I was suitably unimpressed with their multitenant capability and
think you might be hard pressed to offer such an offering to more than one
customer using such a device. 

Stefan Fouant





RE: Multitenant FWs

2011-05-01 Thread Stefan Fouant
 -Original Message-
 From: christopher.mor...@gmail.com
 [mailto:christopher.mor...@gmail.com] On Behalf Of Christopher Morrow
 
 one thing to keep in mind is that as near as I can tell no vendor (not
 a single one) has actual hard limits configurable for each tenant
 firewall instance. So, one can use all of the 'firewall rule'
 resources, one can use all of the 'route memory' ... leaving other
 instances flailing :(

Ahem, actually ScreenOS does support just such a thing through the use of
resource profiles - with this you can limit the amount of CPU, Sessions,
Policies, MIPs and DIPs (used for NAT), and other user defined objects such
as address book entries, etc. that each VSYS can avail.  This was one of the
primary drivers behind our decision to utilize the NS-5400 for Verizon's
NBFW (you remember that place right Chris, heh')

Stefan Fouant





RE: Multitenant FWs

2011-05-01 Thread Stefan Fouant
 -Original Message-
 From: christopher.mor...@gmail.com
 [mailto:christopher.mor...@gmail.com] On Behalf Of Christopher Morrow
 
  Ahem, actually ScreenOS does support just such a thing through the use of
  resource profiles - with this you can limit the amount of CPU, Sessions,
  Policies, MIPs and DIPs (used for NAT), and other user defined objects such
  as address book entries, etc. that each VSYS can avail.  This was one of the
 
 good to know... I wonder how well it isolates.

Ask the Vz marketing folks... oh, wait, 1 customer isn't really enough to
demonstrate how well it isolates after all I guess ;)

  primary drivers behind our decision to utilize the NS-5400 for Verizon's
  NBFW (you remember that place right Chris, heh')
 
 i do, occasionally via the twitching :)

Hehe...

Stefan Fouant





RE: riverbed steelhead

2011-04-21 Thread Stefan Fouant
 -Original Message-
 From: harbor235 [mailto:harbor...@gmail.com]
 Sent: Thursday, April 21, 2011 2:50 PM
 To: NANOG list
 Subject: riverbed steelhead
 
 Anyone out there have experience with Riverbed Steelhead products?
 Do they improve TCP performance over WAN links? is it worth the price?

I've had generally good experiences w/ Riverbed's Steelhead as well as
Juniper's WX Series product.  For certain types of applications, like email
and database replication you can expect to see pretty dramatic reductions in
throughput because of the technique of replacing symbols for otherwise long
strings of repeatable characters.  Also because of the local proxying
abilities with regards to TCP ACKs and such, you can also get better
pipelining of traffic...

As far as whether they are worth the price, this really boils down to a
proper Cost/Benefit analysis, but most of the ROI calculators show a return
after as little as just a few months. 

Stefan Fouant





RE: riverbed steelhead

2011-04-21 Thread Stefan Fouant
 -Original Message-
 From: Stefan Fouant [mailto:sfou...@shortestpathfirst.net]
 Sent: Thursday, April 21, 2011 2:58 PM
 To: 'harbor235'; 'NANOG list'
 Subject: RE: riverbed steelhead
 
 I've had generally good experiences w/ Riverbed's Steelhead as well as
 Juniper's WX Series product.  For certain types of applications, like email
 and database replication you can expect to see pretty dramatic reductions in
 throughput because of the technique of replacing symbols for otherwise

I'm sorry, this should have read pretty dramatic increases, not
reductions.  Sorry for the confusion.

Stefan Fouant





RE: IPV6 Training Books

2011-04-04 Thread Stefan Fouant
 -Original Message-
 From: Michael Ruiz [mailto:mr...@lstfinancial.com]
 Sent: Monday, April 04, 2011 3:43 PM
 To: nanog@nanog.org
 Subject: IPV6 Training Books
 
 Hello All,
 
 I am looking for some good reading material to get a
 better understanding of IPV6.  I know how to convert HEX into decimal
 format.  What I am looking for is how to understand the CIDR notation and
 break them out into subnets.   Thank you in advance.

I recommend 'Running IPv6' by Iljitsch van Beijnum or 'IPv6 Essentials' by
Silvia Hagen.  Also Chris Grundemann wrote a Day One Guide for Juniper
entitled Exploring IPv6 which you can download for free at
http://forums.juniper.net/t5/Day-One-Books/Day-One-Book-Exploring-IPv6/ba-p/52402
- Chapter 1 in the Day One guide has a lot of really good information
on understanding IPv6 addressing formats, subnetting, etc. 

Either one of those should be able to answer most of your questions.

Stefan Fouant




RE: State of QoS peering in Nanog

2011-04-03 Thread Stefan Fouant
 -Original Message-
 From: Leo Bicknell [mailto:bickn...@ufp.org]
 Sent: Saturday, April 02, 2011 5:56 PM
 
 In an IP network, the bandwidth constraints are almost always across an
 administrative boundary.  This means in the majority of the case across
 transit circuits, not peering.  80-90% of the packet loss in the
 network happens at the end user access port, inbound or outbound.
 Another 5-10% occurs where regional or non-transit free providers buy
 transit.  Lastly, 3-5% occurs where there are geographic or
 geopolitical issues (oceans to cross, country boarders with restrictive
 governments to cross).

Hi Leo,

I think you bring up some interesting points here, and my experience and
observations largely lend credence to what you are saying.  I'd like to know
however, just for my own personal knowledge, are the numbers you are using
above based on some broad analysis or study of multiple providers, or are
you deriving these numbers likewise from your own personal observations?

Thanks,

Stefan Fouant





RE: State of QoS peering in Nanog

2011-04-03 Thread Stefan Fouant
 -Original Message-
 From: Leo Bicknell [mailto:bickn...@ufp.org]
 Sent: Saturday, April 02, 2011 10:24 PM
 
 But it also only affects priority queue traffic.  I realize I'm making
 a value judgment, but many customers under DDoS would find things
 vastly improved if their video conferencing went down, but everything
 else continued to work (if slowly), compared to today when everything
 goes down.

I'd like to observe that discussion when the Netflix guys come calling on
the support line - Hey Netflix, yeah you're under attack and your
subscribers can't watch videos at the moment, but the good news is that all
other apps running on our network are currently unaffected. ;

 In closing, I want to push folks back to the buffer bloat issue though.
 More than once I've been asked to configure QoS on the network to
 support VoIP, Video Conferencing or the like.  These things were
 deployed and failed to work properly.  I went into the network and
 _reduced_ the buffer sizes, and _increased_ packet drops.  Magically
 these applications worked fine, with no QoS.
 
 Video conferencing can tolerate a 1% packet drop, but can't tolerate a
 4 second buffer delay.  Many people today who want QoS are actually
 suffering from buffer bloat. :(

Concur 100%.  In my experience, I've gotten much better performance w/
VoIP/Video Conferencing and other delay-intolerant applications when setting
buffer sizes to a temporal value rather than based on a _fixed_ number of
packets.

Stefan Fouant





Re: as-set members

2011-04-02 Thread Stefan Fouant
Hi Bogdan,

If you are on Cisco, you can accomplish this using the attribute-map argument 
to the as-set statement. On Juniper, this is fairly easy to accomplish with 
routing policy (learning RegEx will make your life easier).

HTHs.

Stefan

(sorry for the top post, I'm on my mobile...)

- Reply message -
From: Bogdan shos...@shoshon.ro
Date: Sat, Apr 2, 2011 7:32 am
Subject: as-set members
To: nanog@nanog.org

hello

i have an as-set that has some members, other as-sets.
can i exclude some members from my as-set members?


as-set: me
members: as-set-1, as-set-2, as-set-3

as-set-3 has some members that i want to exclude; let's say as-set-xxx,
is a member of as-set as-set-3

is there something like
members: as-set-1, as-set-2, as-set-3 and not as-set-xxx ?

thanks



RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-03-31 Thread Stefan Fouant
 -Original Message-
 From: Matthew Petach [mailto:mpet...@netflight.com]
 Sent: Thursday, March 31, 2011 2:28 PM
 
 I for one would put money on the table towards the rename Owen to Mr. IPv6
 effort.   I think it would be wonderful to be able to honestly say IPv6 is
 in da house! every time the person formerly known as Owen walked into the
 room at ARIN meetings.  :D

+1 | That, or The evangelist formerly known as Owen... :p

Stefan Fouant





RE: ICANN approves .XXX red-light district for the Internet

2011-03-26 Thread Stefan Fouant
 -Original Message-
 From: Marshall Eubanks [mailto:t...@americafree.tv]
 Sent: Saturday, March 26, 2011 9:41 PM
 
 But that is an excellent reason why someone would want it.
 
 I was involved in the IETF NEWDOM WG way back in ~1996 and heard all of
 these arguments then. IMHO this was snake oil 15 years ago, and it is
 even
 more snake oil now.

And I'm afraid we'll be seeing a whole heckuva lot more of this snake oil
once ICANN finalizes the Generic TLD process in June:

http://www.pcmag.com/article2/0,2817,2382233,00.asp

Stefan Fouant





RE: ICANN approves .XXX red-light district for the Internet

2011-03-26 Thread Stefan Fouant
> -Original Message-
> From: Eric Brunner-Williams [mailto:brun...@nic-naa.net]
> Sent: Saturday, March 26, 2011 7:24 PM
>
> ICM retained competent counsel for the ICANN issue advocacy. I expect
> Stuart will retain competent counsel for the follow-on issues.

Yes, it is certain that Stuart will retain competent counsel for all
follow-on issues, I mean, the guy bragged to Bloomberg that ICM is set to
make at least $200 million a year through these registrations (believe me,
if I were in his position, I'd have the best lawyers money could buy).  That
doesn't even touch the $3-4 Billion in porn transactions ICM is hoping to
process and get a cut of once they launch their payment processing service. 

What changed ICANN's mind between the ruling in 2007 and the ruling in 2010?
ICM brings in an independent arbitrator and ICANN agrees to go along with
the findings, yet for the life of me I can't find any majority who believe
this was necessary.  The ACLU objects because of censorship issues.  Family
and religious groups oppose because they believe .xxx legitimizes porn.
Heck, even the porn industry itself opposes because it will increase
operating costs and open the industry to more regulation.

I can't seem to find anyone that would benefit from this, with the exception
of Stuart and ICM's shareholders. 

Stefan Fouant





RE: ICANN approves .XXX red-light district for the Internet

2011-03-26 Thread Stefan Fouant
> -Original Message-
> From: John Levine [mailto:jo...@iecc.com]
> Sent: Sunday, March 27, 2011 12:57 AM
>
> The growing certainty of an expensive and very embarrassing lawsuit if
> they turned ICM down.  Despite the clear lack of industry support for
> .XXX, ICM carefully jumped through every hoop, dotted every i, and
> crossed every t in the 2004 application process and the subsequent
> appeal and review processes.  I expect the board and staff really
> really would not want to have to answer questions under oath like who
> did you talk to at the US Department of Commerce about the .XXX
> application and what did you say? and why did you vote against .XXX
> when they followed the same rules as the TLDs you voted for?

Agreed.  And ICM made damn well sure that they had the ways and the means to 
wage a considerable and sustained amount of legal pressure by selling over a 
quarter million pre-registrations at $75 each, generating over $20M in 
revenue...

Stefan Fouant





ICANN approves .XXX red-light district for the Internet

2011-03-21 Thread Stefan Fouant
Surprised this was actually approved, but more so that this story seems to
have gone unnoticed on the list...  I would have expected a lot more chatter
here -

http://arstechnica.com/tech-policy/news/2011/03/icann-approves-xxx-red-light-district-for-the-internet.ars

So the days of pointless TLDs are amongst us as we've now given would-be
registrars the right to print money and companies are forced to purchase
useless domain names in order to protect their trademarks, prevent
squatting, etc.  When will sanity prevail?

Stefan Fouant




