Re: DDOS solution recommendation
On Mon, 12 Jan 2015, Mike Hammett wrote: So the preferred alternative is to simply do nothing at all? That seems fair. Not at all. But it is your network and only you know what the suggested approaches others have already run through are best for your environment. But if you haven't yet done so, help the rest of us and deploy BCP38 too. :-) - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com - Original Message - From: Christopher Morrow morrowc.li...@gmail.com To: Brandon Ross br...@pobox.com Cc: Mike Hammett na...@ics-il.net, NANOG list nanog@nanog.org Sent: Monday, January 12, 2015 3:05:14 PM Subject: Re: DDOS solution recommendation On Mon, Jan 12, 2015 at 3:17 PM, Brandon Ross br...@pobox.com wrote: On Sun, 11 Jan 2015, Mike Hammett wrote: I know that UDP can be spoofed, but it's not likely that the SSH, mail, etc. login attempts, web page hits, etc. would be spoofed as they'd have to know the response to be of any good. Okay, so I'm curious. Are you saying that you do not automatically block attackers until you can confirm a 3-way TCP handshake has been completed, and therefore you aren't blocking sources that were spoofed? If so, how are you protecting yourself against SYN attacks? If not, then you've made it quite easy for attackers to deny any source they want. this all seems like a fabulous conversation we're watching, but really .. if someone wants to block large swaths of the intertubes on their systems it's totally up to them, right? They can choose to not be functional all they want, as near as I can tell... and arguing with someone with this mentality isn't productive, especially after several (10+? folk) have tried to show and tell some experience that would lead to more cautious approaches. If mike wants less packets, that's all cool... I'm not sure it's actually solving anything, but sure, go right ahead, have fun. -chris wfms
Re: Multicast Internet Route table.
On Tue, 2 Sep 2014, S, Somasundaram (Somasundaram) wrote: Members I have few questions related to Multicast deployment in the internet today. Inter-domain I am assuming. 1: Does all the ISP's provide Multicast Routing by default? Probably not a majority, but it is found on research networks like Internet2, GEANT, etc and any of their member networks. 2: Is there any placeholder where one can get to know the Multicast Internet Route table (usage, stability etc) just like Unicast Route table (http://bgpupdates.potaroo.net)? One such place, long running: https://nic.nrc.ca/bgp-mcast/bgp-active.html There may be others on the networks mentioned above... wfms
Re: Multicast Internet Route table.
On Tue, 2 Sep 2014, Jeff Tantsura wrote: It is not the network devices per se, it is additional configuration, security, MSDP peering, etc, i.e. OPEX Business justification for such effort is not obvious, (most of multicast deployments I have done in my previous life were because I loved the technology, not because of business needs :)) Ditto, although business needs played a part as well. :) wfms
Re: Listing or google map of peering exchange
On Wed, 9 Jul 2014, Dennis Burgess wrote: Looking for a good listing of US/Canada peering exchange, similar to Torx in Toronto..Google map listing would be nice :) Telegeography may have this or: https://prefix.pch.net/applications/ixpdir/ Dennis Burgess, Mikrotik Certified Trainer Author of Learn RouterOS- Second Edition http://www.wlan1.com/product_p/mikrotik%20book-2.htm Link Technologies, Inc -- Mikrotik WISP Support Services Office: 314-735-0270 Website: http://www.linktechs.net/ - Skype: linktechs -- Create Wireless Coverage's with www.towercoverage.com - 900Mhz - LTE - 3G - 3.65 - TV Whitespace wfms
Re: Listing or google map of peering exchange
On Wed, 9 Jul 2014, Paul Stewart wrote: I've actually been working on a site like that for a while (with Google Maps) - just never got around to putting it online. Honestly I wasn't sure if there was an interest in it :) chop-chop! :) Paul On 2014-07-09, 2:18 PM, Dennis Burgess dmburg...@linktechs.net wrote: Looking for a good listing of US/Canada peering exchange, similar to Torx in Toronto..Google map listing would be nice :) Dennis Burgess, Mikrotik Certified Trainer Author of Learn RouterOS- Second Edition http://www.wlan1.com/product_p/mikrotik%20book-2.htm Link Technologies, Inc -- Mikrotik WISP Support Services Office: 314-735-0270 Website: http://www.linktechs.net/ - Skype: linktechs -- Create Wireless Coverage's with www.towercoverage.com - 900Mhz - LTE - 3G - 3.65 - TV Whitespace wfms
Re: Canada and IPv6 (was: Ars Technica on IPv4 exhaustion)
On Thu, 19 Jun 2014, jim deleskie wrote: Those all sounds like legit business questions. Yup. On the other hand at the other end of the customer spectrum: http://www.tbs-sct.gc.ca/it-ti/ipv6/ipv6tb-eng.asp -jim On Thu, Jun 19, 2014 at 2:45 PM, William F. Maton Sotomayor wma...@ottix.net wrote: On Wed, 18 Jun 2014, Sadiq Saif wrote: On 6/18/2014 14:25, Lee Howard wrote: Canada is way behind, just 0.4% deployment. Any Canadian ISP folk in here want to shine a light on this dearth of residential IPv6 connectivity? Is there any progress being made on this front? Teksavvy does it (tunnel I believe) if you ask. Otherwise it's the usual: - 'why do we need this?'; - 'It costs money to upgrade for something low-demand'; - 'What's the market?'; - 'I don't have time'; - 'Aw gee do I have to??' wfms wfms
Re: Canada and IPv6 (was: Ars Technica on IPv4 exhaustion)
On Wed, 18 Jun 2014, Sadiq Saif wrote: On 6/18/2014 14:25, Lee Howard wrote: Canada is way behind, just 0.4% deployment. Any Canadian ISP folk in here want to shine a light on this dearth of residential IPv6 connectivity? Is there any progress being made on this front? Teksavvy does it (tunnel I believe) if you ask. Otherwise it's the usual: - 'why do we need this?'; - 'It costs money to upgrade for something low-demand'; - 'What's the market?'; - 'I don't have time'; - 'Aw gee do I have to??' wfms
Re: Anternet
On Tue, 6 May 2014, Dave Crocker wrote: On 4/4/2014 11:32 PM, Andrew D Kirch wrote: So, if there's more than 4 billion ants... what are they going to do? get larger ants. No, no. The solution is far simpler than that, and would probably give a good example of real-world population control. Just get an ant-eater. (and the responses have now covered both pro forma responses.) d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net wfms
Re: Recommendation on NTP appliances/devices
On Thu, 3 Apr 2014, David Hubbard wrote: Anyone have recommendations on NTP appliances; i.e. make, model, gps vs cell, etc.? Roof/outdoor/window access not available. Would ideally need to be able to handle bursts of up to a few thousand simultaneous queries. Needs IPv6 support. For some diversity you could try: - WWVB/CHU radio with a good indoor antenna into an appliance - CDMA, which yes is based on GPS, but tied with Rb oscillator can carry over any reception outages (CDMA or GPS) - Of course just setup an NTP server that peers to pool.ntp.org (but perhaps the least desirable) I've seen good results using the Endrun CDMA units as well as the WWVB units, both appliances and IPv6-enabled. Symmetricom does this too. wfms
Re: AlbertaIX - no longer a Cybera project?
On Sat, 7 Sep 2013, Theo de Raadt wrote: Mike Leber wrote: Facility and parties willing, hopefully there will be a YYCIX switch in Cybera. Interesting idea, how the heck did I miss that. Indeed, if multiple IX pops in any given locale makes sense, then it is worth pursuing - providing there is a benefactor willing to aid in the cross connect between the pops or an economic model enabling the IXP to do it itself. In Canada, the other collision preventing exchanges from showing up is the CANARIE content peering model, which by providing free content access to schools and such takes many (young bandwidth hungry) eyeballs out of the equation for IX development and growth: This isn't a new idea actually. It was first proposed on the CANARIE techs mailing list way back in mid-2000 I believe. In any case it is a replication of the Internet2 CDS effort. Not sure how well this has caught on, but since CANARIE are now charging user fees, it remains to be seen how far it goes. Time for change? There once was a proposal back in the day that CANARIE POPs should be co-located at either universities (offering a neutral venue for everyone) or at least with other IXPs... Oh, what IXPs? The idea quickly evolved to CANARIE establishing some IXPs but this was very quickly shot down (IIRC) by the then CANARIE board as it was seen to be interference by CANARIE in municipal affairs - because back then municipal dark fibre builds were all the rage. WHET those BTW? In any case, I did persuade CANARIE to peer to at least one IXP in Canada to pick peering instead of doing a backhaul for all the peerings into the USA. My little bit of contribution to the IXP cause. However, given the science and academic population in CANARIE's network, I do know it is felt in some quarters to be of no real benefit to peer at IXPs. wfms
Re: Vancouver IXP - VanTX - BCNet
On Tue, 20 Aug 2013, Jonathan Stewart wrote: You named 2 IXPs, and only got one right. A year ago, there were two active: TORIX in Toronto, and OTTIX in Ottawa. Ottawa is too close to Toronto to have an impact, so OTTIX has remained small. Having only 2 open That's not entirely accurate. The fact is the Ottawa market - as well as the Eastern Ontario market, had a large number of very small ISPs in the area a decade ago. So OttIX had many ISPs but little traffic. After a major market consolidation (buyouts, mergers, etc) the number of peers declined quite a bit - but the traffic increased. In the meantime, within the province of Ontario, LANX costs became effectively the same (to us) to go from one end of the city to the other as the cost to go between cities. Even at the $dayjob, we took advantage of this and simply dragged another LANX over to TorIX. Heck, even OttIX had a POP at 151 Front in Toronto which saw enormous growth. So in that sense, OttIX achieved one of its primary objectives and that was to drive transit costs down in what is effectively a one-company town. IXPs, 400 km apart in a country 5000 km wide is not good enough. 5000km in length by 100Km in width as most of the population lives within 100Km of the Canada-US border, but yes, it's a big country. Since then, QIX in Montreal has opened up from a research-only IXP, to a neutral peering facility. MBIX in Winnipeg has started, and YYCIX in Calgary is up and running as well. Vancouver is still lacking. BCNet would beg to differ. :-) There's also VicTX in Victoria run by BCNet. (Granted, some might simply say those are nothing more than BCNet aggregation hubs - but judge for yourselves please.) Currently, the aforementioned established big players are not at all interested in our exchange, they don't talk to us. Only exception is Hurricane Electric, who recently joined, dropping wholesale bandwidth costs in Winnipeg *dramatically*.
IXPs in Canada have been particularly effective in doing this, especially in Ottawa where in 2003 it was something like $550 per megabit/month. One of the OttIX members (IGS) offered $200 and well, a number of OttIX peers went to town with that. The rate grudgingly dropped to $333 by 2006 until $MGMT allowed me to break out in other places to leverage even lower pricing. As of 2011 the best price I could get here was $90 but we already got out of Dodge by then. All to say the effects of an IXP in a certain locale were positive for the end-consumers (ISPs mainly) of transit. BTW, in Winnipeg we still have the problem of cross-continent traffic paths to send data across the street. Worst case is something like this: Winnipeg--Chicago--Toronto--Vancouver--Calgary--Winnipeg. That's a 15,000 km round trip. MBIX can help with that. For a good view of the Canadian perspective on those and more, see: http://www.ixmaps.ca/index.php We've contributed a lot of traceroutes, ditto via $dayjob given the diverse footprint of the network (national research backbone - not CANARIE's though) just to see how our traffic runs about the country as well as outside. Some surprises there. (I think CIRA funded that one as well.) wfms
Re: Vancouver IXP - VanTX - BCNet
On Wed, 21 Aug 2013, Randy Bush wrote: In Montreal, is anyone at the Peer1 exchange other than Peer1? Peer1 exchanges are only open to Peer1 customers, I believe. At least, that's how it worked in Toronto the last time I looked. that is not an exchange. most isps have switches in their transit infrastructure. +1 The Peer1 setups remind me very much of what Group Telecom (defunct Canadian backbone provider) did in the very late 90's and the very early part of the last decade. They had them in nearly every city they had their facilities, but the GT IXPs never caught on ($$$ to get inside the facility and they played hard ball against incumbent access effectively making them closed unless direct GT customers.) wfms
Re: Vancouver IXP - VanTX - BCNet
On Wed, 21 Aug 2013, Clayton Zekelman wrote: Just wondering aloud if an ISP that did have commercial interest could run a non-member driven exchange point successfully as long as they had pricing and policies that were similar to member driven exchange points. Very interesting that you raise that. IIRC, Albuquerque has NMIX which I think was setup as for-profit. (John Brown are you still here?) Well over a decade ago now, my recollection is fuzzy. I don't recall the reasoning in choosing for-profit over not-for-profit. As for ISPs doing it, there are clear examples in the wild today, but. Many buts. That ISP would have to be quite benevolent. In the long run. New MGMT/owners and then.? I have a facility in Windsor, Ontario that is well connected, has all the physical infrastructure necessary, the ability to provide relatively low cost local fibre loops, has an open policy towards other carriers providing transport loops, but alas, it wouldn't be perceived as neutral. The only reason why we (OttIX) followed the path of not-for-profit (and all that it comes with, from beloved loons to passionate supporters to the somewhat silent majority) was to give the community of interest (gawd what a PC-style phrase) assurance that the IXP would not be held hostage to a bottom-line or to the dictates of the single owner. In other words, neutral. (Now going for-profit could have been tempered with issuing one share per peer and having share-holders, etc, but we're starting to delve into philosophical viewpoints which in turn have consequences, advantages and disadvantages too numerous to get into here.) Community of interest of course is the other magical ingredient that is necessary. Not sure how many ISPs would want to peer in Windsor... If I were looking strictly at bottomline and had the same cost option between connecting to an IX in Ottawa/Windsor as going to Toronto, I'd go to Toronto.
$dayjob was public sector: We believed the more we peer with, the greater the benefit to public citizen (along being able to divide and conquer potential DDOS). Of course there are those who don't subscribe to that notion... so what do I know? But, do what we did, throw it out there and try it just to see if there's any interest in Windsor. Get the packets flowing, forget the paperwork and managerial super-structure for now. Talk to CIRA, get them to listen to you, you listen to them. OttIX started with a Paradyne DSLAM as switch core and many peers coming in on $40/month xDSL lines, just to see if there was a point. That's one decade gone, already into another wfms
Re: Vancouver IXP - VanTX - BCNet
On Wed, 21 Aug 2013, Randy Bush wrote: and i would add carrier neutrality, i can haul fiber from anyone into the exchange. this is pretty critical in the exchanges where i have played. Facility neutrality especially. If the IXP is inside a non-neutral DC, it and its peers are always under constant threat of being squeezed out or shutdown by any number of circumstances. If the co-lo business were separate from the facility business, it may be a better environment since the IXP could convince the facility to host it, which the co-lo business could then be attracted to. All depends on the circumstances and environment. wfms
Re: Vancouver IXP - VanTX - BCNet
On Wed, 21 Aug 2013, bmann...@vacation.karoshi.com wrote: IIRC, Albuquerque has NMIX which I think was setup as for-profit. (John Brown are you still here?) Well over a decade ago now, my recollection is fuzzy. I don't recall the reasoning in choosing for-profit over not-for-profit. [NMIX couldn't pay its bills so it lost a lot of support/clients] Ah thanks for that update. You've reminded me of another point: While it is admirable that CIRA (and probably other similar counterparts are watching) looking to establish IXPs, my anxiety lies with the future: Given everything that's already been written, are any of these IXPs capable of becoming self-sustaining in the future? It's a rhetorical question applicable to any starting IXP and requires an understanding of the local environment. wfms
Re: Big day for IPv6 - 1% native penetration
APNIC labs have an interesting set of numbers on IPv6 uptake as well. http://labs.apnic.net/measureipv6/ On Tue, 20 Nov 2012, Owen DeLong wrote: It is entirely possible that Google's numbers are artificially low for a number of reasons. Owen On Nov 20, 2012, at 5:31 AM, Aaron Toponce aaron.topo...@gmail.com wrote: On Tue, Nov 20, 2012 at 10:14:18AM +0100, Tomas Podermanski wrote: It seems that today is a big day for IPv6. It is the very first time when native IPv6 on google statistics (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some might say it is tremendous success after 16 years of deploying IPv6 :-) And given the rate on that graph, we'll hit 2% before year-end 2013. -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o wfms
Re: Orange IP address ranges
It would be better if you contacted Orange directly. On Mon, 19 Nov 2012, jipe foo wrote: Hello everyone, Could someone from Orange (or elsewhere) give me more information on the following address ranges: inetnum:81.253.0.0 - 81.253.95.255 netname:ORANGE-FRANCE-HSIAB descr: Orange France / Wanadoo service country:FR admin-c:AR10027-RIPE tech-c: ER1049-RIPE inetnum:90.96.0.0 - 90.96.199.255 netname:ORANGEFRANCE-WFP descr: Orange France - WFP country:FR admin-c:ER1049-RIPE tech-c: ER1049-RIPE Are these address ranges for mobiles, Liveboxes or shared WiFi connections (at least for the second one)? Thanks in advance, -- J wfms
RE: Internet routing table completeness monitoring?
On Wed, 3 Oct 2012, Joseph Jackson wrote: I have cacti graph the amount of prefixes announced and withdrawn from a BGP peer on each BGP router. +1 Note that not all router OSs support fetching data like that via SNMP. We use a custom built thing internally that does this too, which we then tack on an alert threshold for. So if a downstream peer sends us less than that, we get an alert. Handy for those times when they call and ask us what we did to their network. :-) Prior to that, we had a script which would login, munge the 'show ip bgp summary' table output, figure out the deltas and graph or report as needed on a particularly troublesome peer. -Original Message- From: ML [mailto:m...@kenweb.org] Sent: Tuesday, October 02, 2012 11:43 PM To: North American Networking and Offtopic Gripes List Subject: Internet routing table completeness monitoring? Has anyone put in place a method to identify if one their BGP peers suddenly withdraws X% of their prefixes? e.g I should expect ~420k prefixes in a complete[1] routing table from a transit peer today. If suddenly I'm only getting 390k prefixes I'd guess a major network was depeered or similar. If so how are people doing this? SNMP MIB, screen scrape? [1] Varying levels of completeness apply. wfms
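A sketch of the screen-scrape approach described in this message, added here as an example and not taken from the thread or from any poster's tooling: it parses two captures of 'show ip bgp summary', computes per-peer deltas, and raises an alert on a percentage drop, an absolute floor, or a session that is no longer established. The sample captures are constructed (documentation addresses and ASNs); the function names, the 5% default and the floor value are assumptions.

```python
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed samples in the Cisco IOS 'show ip bgp summary' layout
# (documentation addresses and ASNs; not real peers).
SUMMARY_BEFORE = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.1       4 64500 1894321   20311  9912345    0    0 3w2d         420113
192.0.2.9       4 64501  991234   20300  9912345    0    0 1w0d         418950
198.51.100.7    4 64502    5012    5010  9912345    0    0 2d03h           212
203.0.113.5     4 64503    7001    7000  9912345    0    0 5d11h          1500
"""
SUMMARY_AFTER = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.1       4 64500 1894990   20341  9960001    0    0 3w2d         390020
192.0.2.9       4 64501  991234   20300        0    0    0 00:04:10 Idle
198.51.100.7    4 64502    5040    5038  9960001    0    0 2d03h           205
203.0.113.5     4 64503    7030    7029  9960001    0    0 5d11h          1498
"""


def parse_summary(text):
    """Return {neighbor: {"asn", "pfx", "state"}} from summary output.

    The last column is a prefix count when the session is established and
    a state name (Idle, Active, ...) otherwise; pfx is None in that case.
    """
    peers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not IPV4.match(fields[0]):
            continue  # header or unrelated line
        last = " ".join(fields[9:])  # copes with "Idle (Admin)"
        established = last.isdigit()
        peers[fields[0]] = {
            "asn": int(fields[2]),
            "pfx": int(last) if established else None,
            "state": "Established" if established else last,
        }
    return peers


def check_peers(previous, current, max_drop_pct=5.0, floors=None):
    """Compare two parsed summaries; return a list of (neighbor, kind, detail)."""
    floors = floors or {}
    alerts = []
    for neighbor, old in sorted(previous.items()):
        new = current.get(neighbor)
        if new is None:
            alerts.append((neighbor, "missing", "peer no longer listed"))
            continue
        if new["pfx"] is None:
            alerts.append((neighbor, "down", "session state " + new["state"]))
            continue
        if old["pfx"]:  # skip the delta when the peer was down or empty before
            drop = 100.0 * (old["pfx"] - new["pfx"]) / old["pfx"]
            if drop > max_drop_pct:
                alerts.append((neighbor, "drop", "%d -> %d (-%.1f%%)"
                               % (old["pfx"], new["pfx"], drop)))
        floor = floors.get(neighbor)
        if floor is not None and new["pfx"] < floor:
            alerts.append((neighbor, "floor", "%d below floor %d"
                           % (new["pfx"], floor)))
    return alerts


if __name__ == "__main__":
    before = parse_summary(SUMMARY_BEFORE)
    after = parse_summary(SUMMARY_AFTER)
    # The floor catches a small peer whose loss is under the percentage limit.
    for alert in check_peers(before, after, floors={"198.51.100.7": 210}):
        print("ALERT %s %s: %s" % alert)
```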
Re: RFC becomes Visio
On Tue, 2 Oct 2012, Michael Hallgren wrote: On Tuesday 02 October 2012 at 23:25 +0200, Dan Luedtke wrote: On Fri, 2012-09-28 at 19:31 +0100, Nick Hilliard wrote: Here's a visio diagram you can send them: http://www.foobar.org/~nick/bgp-network-diagram.vsd Is there a .png version of it somewhere? The whole thread made my day, I'm eager to see this diagram as well. I don't have this MS Visio thingy you all use to set up your Avian Carrier BGP sessions... Don't use ``MS Visio thingy'', prefer TeX with metapost, PGF/TikZ (or PSTRicks). The output is by far more beautiful, and maintaining the document much more slim. I still miss doing this stuff using gpic/groff. ;-) wfms
Re: RFC becomes Visio
On Fri, 28 Sep 2012, Joe Maimon wrote: Just got told by a Lightpath person that in order to do BGP on a customer gig circuit to them they would need a visio diagram (of what I don't know). Has anybody else seen this brain damage? In my quaint little corner of the world, this was once fairly routine actually. It seems to have been more popular amongst the enterprise crowd than anything else. Joe wfms
Re: [routing-wg] BGP Update Report
On Sat, 15 Oct 2011, Keegan Holley wrote: +1 good to get a view from multiple sources even if they are automated. Should be easy enough to filter for those that do not want them. Plus it's helped me in the past catch a very massive (well, OK, it was a less than a hundred unaggregated routes run off into the Internet) leak, which forced me to learn about prefix-lists and such. So for those that care enough about their own networks, it can be catalyst to learning something new. 2011/10/15 William F. Maton Sotomayor wma...@ottix.net On Sat, 15 Oct 2011, Lynda wrote: On 10/15/2011 4:26 AM, Geoff Huston wrote: While I am at it, does anyone read this report, or is this weekly report also just part of the spam load on this list? I read both of them, and also the Weekly Routing Report. I will regret the loss, and consider all three to be far more valuable than 90% of the traffic on the list. +1 The reports are also useful to do a double-check on changes I've made from the perspective of others (even if they are automated tools). wfms wfms
Re: The Cidr Report
On Sun, 16 Oct 2011, Aftab Siddiqui wrote: success. what would help? I guess rpki would help and a banner during every NOG/RIR meeting showing top polluters. A similar thing was done at a USENIX in Monterey over a decade ago. The point behind that one was to drive home how bad it was for the attendees to use telnet to their boxes at the mothership. Nothing like seeing people watch their passwords put up on two screens to teach them about SSH. Granted, placing the CIDR report up on a screen may not have the same effect, but as NANOGs get video recorded, it's a lot harder to explain in the future why you were on that list. Somehow the visual is more powerful than pretending an erased email doesn't make it into a web archive. I seriously don't understand that why an RIR can't send at least a notice to those announcing bogus prefixes. A letter in RED mailed to the business address would help. May be a useful angle for the RIRs to pursue - but are RIRs in the routing police business? wfms
Re: [routing-wg] BGP Update Report
On Sat, 15 Oct 2011, Lynda wrote: On 10/15/2011 4:26 AM, Geoff Huston wrote: While I am at it, does anyone read this report, or is this weekly report also just part of the spam load on this list? I read both of them, and also the Weekly Routing Report. I will regret the loss, and consider all three to be far more valuable than 90% of the traffic on the list. +1 The reports are also useful to do a double-check on changes I've made from the perspective of others (even if they are automated tools). wfms
Re: IPv6 words
(Warning: This email contains scenes of flashbacks) On Thu, 23 Jun 2011, Jeroen van Aart wrote: I am sure it has come up a number of times, but with IPv6 you can make up fancy addresses that are (almost) complete words or phrases. Making it almost as easy to remember as the resolved name. It'd be nice in a weird geek sort of way (but totally impractical) to be able to request IPv6 blocks that have some sort of fancy name of your choice. 2001:db8:dead:beef:: dead:beef:: dead::beef 3fff:BAD:: Seriously though, I remember playing little games like this numbering Novell IPX network segments back in the 1990's. After IP came on the network I think I was accused of polluting pristine IPX nets then... I'll stop now. ;-) wfms
Re: BCP38 considerations in IPv6
On Thu, 10 Feb 2011, Ryan Rawdon wrote: What considerations should be made with respect to implementing egress filtering based on source IPv6 addresses? Things like allowing traffic sourced from fe80::/10 in said filters for on-link communication (for the interface that the filter is applied to). Is there anything else that should be taken into account while implementing BCP38 egress filtering in IPv6? That's a consideration, and one other candidate which has already been welcomed to my black-hole server: 2001:DB8::/32. I'll leave that as an exercise to everyone to see whose block that is. :-) wfms
Re: IPv6 - a noobs prespective
On Wed, 9 Feb 2011, Mike Lyon wrote: With the recent allocation of the last existing IPv4 /8s (which now kind of puts pressure on going v6), it would be wonderful if at the next couple of NANOGs if there could be an IPv6 for dummies session or two :) I think these could be pretty valuable in the light of the last of the allocations, and I would expect that even the RIRs through their outreach have done the same. NANOG archives, especially of previous sessions (look for the Sunday tutorials) will help. -Mike On Wed, Feb 9, 2011 at 10:22 AM, Jack Bates jba...@brightok.net wrote: On 2/9/2011 12:03 PM, William Herrin wrote: The thing that terrifies me about deploying IPv6 is that apps compatible with both are programmed to attempt IPv6 before IPv4. This means my first not-quite-correct IPv6 deployments are going to break my apps that are used to not having and therefore not trying IPv6. But that's not the worst part... as the folks my customers interact with over the next couple of years make their first not-quite-correct IPv6 deployments, my access to them is going to break again. And again. And again. And I won't have the foggiest idea who's next until I get the call that such-and-such isn't working right. What scares me most is that every time I upgrade a router to support needed hardware or some badly needed IPv6 feature, something else breaks. Sometimes it's just the router crashes on a specific IPv6 command entered at CLI (C) or as nasty as NSR constantly crashing the slave (J); the fixes generally requiring me to upgrade again to the latest cutting edge releases which everyone hates (where I'm sure I'll find MORE bugs). The worst is when you're the first to find the bug(which I'm not even sure how it's possible given how simplistic my configs are, isis multitopology, iBGP, NSR, a few acls and route-maps/policies), it takes 3-6 months or so to track it down, and then it's put only in the next upcoming release (not out yet) and backported to the last release.
Jack (hates all routers equally, doesn't matter who makes it) wfms
Re: NTP Server
On Mon, 25 Oct 2010, Robert E. Seastrom wrote: The folks at NRC in Canada will do cryptographically authenticated NTP with you for an annual fee. I have no idea if there is something Robert, Thanks for the shout. NRC does do this, more info here: http://www.nrc-cnrc.gc.ca/eng/services/inms/time-services/network-time.html You can use the services as well for non-auth. I should also point out to folks on this list that the NRC NTP servers have renumbered, but I still see quite a bit of traffic from what appears to be ISP infrastructure looking for the old addresses. wfms
Re: ipv6 bogon / martian filter - simple
On Mon, 14 Jun 2010, Brandon Applegate wrote: I mean really simple. Like 2000::/3. If it's not in there it's bogon, yes ? Been using that on the advanced networks side for ... OK, years. Seems to work. Kept unseemingly bogons like 1000::/3 out, except for the deprecated 6bone pTLA, 3FFF:: What I'm really asking, is for folks thoughts on using this - is it too restrictive ? For leaks of old 6bone space, which I haven't seen for a long while, probably not. But filter against that, and maybe it will be fine. It's all in the RIR allocations How long until it's obsolete ? Should be a really long time no ? Mmm...Last table entry in my table is: 2C0F:FE18::/32. Maybe 2000::/4 will do, but that might not last very long as an ACL, given the proximity of 2Cxx:: to 2FFF:: Again, just looking for some feedback either way. Would be very nice to have a single line ACL do this job. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 SH1-0151. This is the serial number, of our orbital gun. wfms
Re: Large number of IPv6 bogons with spoofed ASpath
On Sat, 12 Jun 2010, Andree Toonk wrote: Hi List Yesterday I noticed a large number of 'bogon' IPv6 announcement. I think it was about a 100 different (IPv6) bogon prefixes [1] [2] being announced from a what looks a variety of origin ASns. I have seen 1000::/32 come in once and a while, but I've noticed that it's hard to catch from where this is coming from. But I've not seen the others. But it does point to the larger lesson that just because it is IPv6, it doesn't mean that prefix-filters (and other tools) aren't required like in IPv4. wfms
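The 2000::/3 versus 2000::/4 question from the "ipv6 bogon / martian filter" message above, worked through as an added example that is not part of the original posts: an ordered, first-match prefix list with an upper length bound is evaluated against prefixes named in these messages. The "le 128" bound, the explicit deny for 2001:db8::/32 ahead of the permit, the function names, and the 3000::/32 route (standing in for a later allocation) are assumptions.

```python
import ipaddress


def entry(action, prefix, le=None):
    """One prefix-list line: match routes inside `prefix` whose length is
    between the prefix's own length and `le` (exact match when le is None)."""
    net = ipaddress.IPv6Network(prefix)
    return (action, net, net.prefixlen, net.prefixlen if le is None else le)


def evaluate(prefix_list, route):
    """First matching entry wins; no match is an implicit deny."""
    net = ipaddress.IPv6Network(route)
    for action, match, min_len, max_len in prefix_list:
        if min_len <= net.prefixlen <= max_len and net.subnet_of(match):
            return action
    return "deny"


# Single-line filter from the thread, preceded by the documentation block
# mentioned in the BCP38 message, which sits inside 2000::/3.
FILTER_SLASH3 = [
    entry("deny", "2001:db8::/32", le=128),
    entry("permit", "2000::/3", le=128),
]
# The tighter alternative floated in the same message.
FILTER_SLASH4 = [
    entry("deny", "2001:db8::/32", le=128),
    entry("permit", "2000::/4", le=128),
]

# Constructed route set: prefixes quoted in the messages plus one
# hypothetical future allocation (3000::/32) and a default route.
ROUTES = [
    "1000::/32",                # bogon seen in the wild per the thread
    "2c0f:fe18::/32",           # last table entry quoted in the thread
    "2001:db8:dead:beef::/64",  # documentation space
    "3000::/32",                # hypothetical: upper half of 2000::/3
    "fe80::/10",                # link-local
    "::/0",                     # shorter than any entry, so implicit deny
]


def compare(routes):
    """Return {route: (verdict under /3 filter, verdict under /4 filter)}."""
    return {r: (evaluate(FILTER_SLASH3, r), evaluate(FILTER_SLASH4, r))
            for r in routes}


if __name__ == "__main__":
    for route, (v3, v4) in compare(ROUTES).items():
        print("%-26s /3:%-6s /4:%s" % (route, v3, v4))
```

The two filters disagree only on 3000::/32, the case behind the remark that a /4 filter "might not last very long".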
Re: Network Naming Conventions
Singers: tenchi% ping elvis elvis is alive tenchi% On Sat, 13 Mar 2010, aa...@wholesaleinternet.net wrote: STD's --Original Message-- From: Tim Sanderson To: NANOG list Subject: RE: Network Naming Conventions Sent: Mar 13, 2010 12:12 PM ...Types of coffee and donuts Tim -Original Message- From: James Bensley [mailto:jwbens...@gmail.com] Sent: Saturday, March 13, 2010 12:27 PM To: NANOG list Subject: Re: Network Naming Conventions On 13 March 2010 16:06, James Jones ja...@freedomnet.co.nz wrote: On my last network I named all the routers after simpsons characters. We use ancient Greek gods. -- Regards, James ;) Sent from my Verizon Wireless BlackBerry wfms
Re: Speed Testing and Throughput testing
On Tue, 3 Nov 2009, Jason Biel wrote: Please take note with using iperf that you'll want to make sure the appropriate TCP Window Size has been negotiated. We recently did some testing with systems that had decided to pick less than optimal window sizes and in turn had to manually set the size within iperf options. Indeed this is true. Also, if you use one of the Internet2 network test web100-enabled servers, you can try testing through a web browser. There's both NPAD and NDT on distributed on different nodes, although each has its own slightly different tests. It's also not a bad set of tools for support people wanting to troubleshoot bandwidth problems caused by duplex misconfigs. Jason On Tue, Nov 3, 2009 at 4:01 AM, Benoit VANNIER benoit.vann...@apog.net wrote: Hello, Iperf is pretty good at this ... It's free Ben -Original Message- From: Mark Urbach [mailto:mark.urb...@pnpt.com] Sent: Monday, 2 November 2009 22:57 To: nanog@nanog.org Subject: Speed Testing and Throughput testing Anyone have a good solution to get accurate speed results when testing at 10/100/1000 Ethernet speeds? Do you have a server/software that customer can test to? Thanks, Mark Urbach PinPoint Communications, Inc. 100 N. 12th St Suite 500 Lincoln, NE 68508 402-438-6211 ext 1923 Office 402-660-7982 Cell mark.urb...@pnpt.com -- Jason Biel wfms
Re: Unable to reach security.debian.org through an HurricaneElectric IPv6 pipe
On Thu, 29 Oct 2009, Laurent CARON wrote: I'm currently unable to reach security.debian.org (2001:8d8:2:1:6564:a62:0:2) through IPv6. Judging from the traceroute, it seems that Hurricane Electric and OneAndOne are peering, but perhaps there's a problem between Nerim and one of the other two? My traceroutes reach wieck, but the Nerim sTLA (2001:7a8::/32) isn't in my routing tables. Have you contacted Nerim NOC? wfms
Re: SMS
On Tue, 22 Sep 2009, Shane Ronan wrote: How do I send out an email if the network is down? I have had success using a GSM phone hooked up to the server via USB. (Bonus is that the server constantly 'charges' the phone). An ugly set of scripts deals with taking emails and changing them into SMS messages which are then transmitted through that phone to another. On Sep 22, 2009, at 11:52 AM, Alex Balashov wrote: Shane Ronan wrote: On that same note, can someone point me in the direction of an SMS gateway service? I would like to be able to send SMS messages from my monitoring systems, but I am unsure about how to go about it. Appreciate the assistance. Why not use an e-mail to SMS gateway from whichever carrier? -- Alex Balashov - Principal Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 wfms
Re: how to fix incorrect GeoIP data?
On Fri, 1 May 2009, Christopher Morrow wrote: On Fri, May 1, 2009 at 2:06 PM, Mikael Abrahamsson swm...@swm.pp.se wrote: On Fri, 1 May 2009, Frank Bulk wrote: What we need is a master update form where Akamai, Google, Maxmind, hostip.info, Geobytes, ip2location, ipgeo, etc can be notified about changes. Perhaps we as the ISP community need to realise that we need to somehow publish this data (town or something alike) via some kind of standardized API? hey lookie! dns TXT records!! :) LOC records too. :-) dig @prisoner.iana.org hostname.as112.net any ;; QUESTION SECTION: ;hostname.as112.net.IN ANY ;; ANSWER SECTION: hostname.as112.net. 604800 IN SOA as112.gigafed.net. dns.ryouko.imsb.nrc.ca. 1 604800 60 604800 604800 hostname.as112.net. 604800 IN LOC 45 25 0.000 N 75 42 0.000 W 80.00m 1m 1m 10m Helpful for folks like CAIDA too. wfms
Re: IPv6 Advertisements
On Tue, 29 May 2007, David Conrad wrote: Should've clarified: this was in the context of IPv4... To be honest, I'm not sure what the appropriate equivalent would be in IPv6 (/128 or /64? Arguments can be made for both I suppose). There have been discussions of this sort made over the years. A good place to start would be the old (well, maybe not that old) 6Net site where there's a list of publications called 'Deliverables'. The info is buried in other, but amongst other things it contains deployment scenarios as well as cookbooks documenting IPv6 designs and roll-outs, and what they learned from it all. Lots to read, but good info nonetheless: http://www.6net.org/publications/deliverables/ Rgds, -drc On May 29, 2007, at 9:34 AM, David Conrad wrote: On May 29, 2007, at 8:23 AM, Donald Stahl wrote: vixie had a fun discussion about anycast and dns... something about him being sad/sorry about making everyone have to carry a /24 for f-root everywhere. Whether it's a /24 for f-root or a /20 doesn't really make a difference- it's a routing table entry either way- and why waste addresses. I once suggested that due to the odd nature of the root name server addresses in the DNS protocol (namely, that they must be hardwired into every caching resolver out there and thus, are somewhat difficult to change), the IETF/IAB should designate a bunch of /32s as root server addresses as DNS protocol parameters. ISPs could then explicitly permit those /32s. However, the folks I mentioned this to (some root server operators) felt this would be inappropriate. Rgds, -drc wfms