Re: Verizon DSL moving to CGN

2013-04-07 Thread William Warren

On 4/6/2013 11:33 PM, Huasong Zhou wrote:

I think Comcast is using CGN too!!! My IP address displayed on my MacBook is in 
the 10.0.0.0/8 range, and ARIN website can't determine my IP address either.

Joe

Sent from my iPhone

On Apr 6, 2013, at 9:33 PM, Joshua Smith juice...@gmail.com wrote:


Very interesting indeed. Way to do the right thing here Verizon. This may be 
the first time I've been happy to be a Comcast customer.

--
Josh Smith
kD8HRX

email/jabber: juice...@gmail.com
Phone: 304.237.9369(c)

Sent from my iPad


On Apr 6, 2013, at 9:24 PM, cb.list6 cb.li...@gmail.com wrote:


Interesting.

http://www22.verizon.com/support/residential/internet/highspeedinternet/networking/troubleshooting/portforwarding/123897.htm
If you are a business customer your modem is actually a business grade 
NAT router.  If they are using CGN (which doesn't make sense as I can 
pull an IPv6 addy here on DHCP), it's either a misconfiguration or 
something else going on.
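Telling a home NAT from CGN, as an added example that is not from this thread: a 10.x address on the laptop (as in the quoted message) only shows that the home router is doing NAT. What identifies carrier-grade NAT is the address on the modem's WAN side, for which RFC 6598 reserves 100.64.0.0/10, or a public-looking WAN address that differs from what an outside service reports back. The Python below classifies addresses and combines the two views; every sample address in it is constructed.

```python
import ipaddress
from typing import Optional

# Address blocks that say something about the NAT layers in front of a host.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHARED_CGN = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space for CGN
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned: usually "no DHCP lease at all"


def classify(addr: str) -> str:
    """Name the block an address belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 6:
        return "ipv6-global" if ip.is_global else "ipv6-non-global"
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    if ip in SHARED_CGN:
        return "shared-cgn"
    if ip.is_global:
        return "public"
    return "reserved"


def nat_verdict(lan_addr: str, wan_addr: str, seen_from_outside: Optional[str] = None) -> str:
    """Combine the host's LAN address, the CPE's WAN address and, if known, the
    address an external service reports, into one of: no-nat, single-nat,
    double-nat-or-cgn, cgn, translated-upstream, unknown."""
    lan, wan = classify(lan_addr), classify(wan_addr)
    if wan == "shared-cgn":
        return "cgn"                    # the ISP translates again upstream of the CPE
    if wan == "rfc1918-private":
        return "double-nat-or-cgn"      # a second NAT box, or a CGN that reuses RFC 1918 space
    if wan == "public":
        if seen_from_outside and ipaddress.ip_address(seen_from_outside) != ipaddress.ip_address(wan_addr):
            return "translated-upstream"  # WAN looks public but something still rewrites it
        return "single-nat" if lan == "rfc1918-private" else "no-nat"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample values, not measurements from any real ISP.
    cases = [
        ("10.0.0.5", "100.70.1.2", None),            # home NAT behind CGN
        ("10.0.0.5", "11.22.33.44", "11.22.33.44"),  # plain home NAT, public WAN
        ("10.0.0.5", "192.168.100.2", None),         # modem doing NAT in front of the router
    ]
    for lan, wan, outside in cases:
        print(f"lan={lan:<14} wan={wan:<14} -> {nat_verdict(lan, wan, outside)}")
```

The useful check is therefore on the CPE's status page, not on the laptop: a WAN address inside 100.64.0.0/10 is the clearest CGN signal, and an RFC 1918 WAN address means at least one more translation happens somewhere upstream.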




Re: NANOGers home data centers - What's in your closet?

2011-08-17 Thread William Warren

On 8/16/2011 6:17 PM, Charles N Wyble wrote:

On 08/16/2011 03:28 PM, William Warren wrote:

On 8/12/2011 7:28 PM, Charles N Wyble wrote:

Hey all,


I have one rack of stuff..:)

Not Enough! We will be removing you now from the list that is. :)


I then have my tower (custom build) and UPS on another shelf.

What kind of UPS? Seems most here prefer APC. Perhaps that's a topic for
another thread...


I have a Dell SC420 running Astaro

Interesting. I have a download of astaro. I should play with it soon.
Coworkers recently mentioned Astaro. So maybe it's reached a tipping
point and time for me to mess with it.



It is an APC Back-UPS NS 1250.  Only the two servers are on it.  
Everything else is hooked to the non-battery side of the UPS.  Once I 
have a bit more time I'll get a detailed diagram posted..:)  Once I get 
KVM working I'll decom the SC and T105.




Re: NANOGers home data centers - What's in your closet?

2011-08-16 Thread William Warren

On 8/12/2011 7:28 PM, Charles N Wyble wrote:

Hey all,

I'm curious what other NANOGers have in their home compute centers? On
the extreme end of course we have mr morris :)
with his uber lab: http://smorris.uber-geek.net/lab.htm

I've got the following:

Production rack (4 post AV rack)

 From top down:
Current primary internet connection, soon to be out of band internet
connection (Wimax from Clearwire)
Ubiquiti Networks NanoStation2 based AP (MeshPotato via the VillageTelco
project)  serving up 3 SSIDs (bridge to main vlan, guest, honeypot)
Linksys WRT54G T-mobile version  not doing anything at the moment

3 dell optiplex 745s

PFSense router (WAN to clearwire, LAN to Cisco 3550)
AlienVault server (amazing software package)
Proxmox server (another great software package)

I have also considered turning all 3 machines into Proxmox boxes and run
everything in a virtual machine. I like the Dell Optiplex machines, they
sip power.

APC UPS (considering a rack mount UPS and will probably buy one this
weekend from the local Goodwill computer works store)
PS3  gotta get my parallel hacking on
Avocent Cyclades PDU (unused currently as my apartment wiring won't
support it)
Cisco 3550 Distribution Switch
Cisco 2950 Access Switch
Dell PowerEdge 1800
Dell PowerEdge 2800

I've got a network lab rack (skeletek) as well. This hosts a 6509 and
other fun things (cisco routers/switches). Pretty sure I can do any
CCNA/CCNP/CCIE(RS) lab scenario.

So what's in NANOGers home networks/compute centers? :)




I have one rack of stuff..:)
I have three 3500 series switches.  Then an HP 1005 on a shelf.  I then 
have my tower (custom build) and UPS on another shelf.  Behind the 
computer is my 8 port gigabit switch.  The 3500s are not in use at the 
moment.  I have a Dell SC420 running Astaro and a Dell T110 running 
Server 2k8 R2 Standard.  The other network consists of my sick computer 
area and my Sprint Airave.  I utilize the Airave's built-in switch to 
provide connectivity to sick computers.  Nothing hugely special but it 
fits into one rack with the sick computer area on a small table next to 
it..:)





Re: Barracuda Networks is at it again: Any Suggestions as to an Alternative?

2011-04-10 Thread William Warren

On 4/9/2011 12:46 PM, Marc Runkel wrote:

Ok, shameless plug here, but I invite you to check out our product @ 
www.untangle.com.  Base product (including anti-spam) is free.  If you 
want support, web filtering, or better spam rules they are available 
as premium add-ons.

Marc Runkel
Untangle, Inc.
Director, Technical Operations

(650) 425- direct
(650) 345-3788 fax

On Apr 8, 2011, at 8:51 PM, John Palmer (NANOG Acct) wrote:

OK, it's been a year since my Barracuda subscription expired. The unit still 
stops some spam. I figured that I would go and see what they would do if I 
tried to renew my subscription EXACTLY one year after it expired. Would their 
renewal website say "Oh, you are at your anniversary date," and renew me for 
a year?

No such luck: They want me to PAY FOR AN ENTIRE YEAR for which I did NOT 
receive service and then for the current (upcoming year).
Sorry - I don't allow myself to be ripped off like that. Sorry Barracuda - you 
get no money from me and I'll tell everyone I know
about this policy of yours.

I posted an article about this unscrupulous practice on my blog last year at 
http://www.john-palmer.net/wordpress/?p=46

My question is - does anyone have any suggestions for another e-mail appliance 
like the Barracuda Spam Firewall that doesn't try to
charge their customers for time not used. I should be able to shut off the unit 
for a year or whatever and simply renew from the
point that I re-activate the unit instead of having to pay for back-years that 
I didn't use.

Thanks






Untangle's free version...isn't worth the bandwidth.  The paid version 
is ok..but it's a resource hog.




Re: US .mil blocking in Japan

2011-03-16 Thread William Warren

On 3/16/2011 12:14 PM, andrew.wallace wrote:

On Wed, Mar 16, 2011 at 12:58 PM, Jeff Aitken jait...@aitken.com  wrote:

What's to be surprised about?

This isn't the rhetoric of a super power, more like one of a university campus. 
To think these guys have built a cyber command with war waging capabilities, 
and allegedly capable of building nuclear worms such as Stuxnet. It strikes me 
straight away as amateurish to be blocking web sites in order to have enough 
bandwidth for operational purposes. You would think their war fighting 
networks weren't the same ones used for civilian-based web sites on the public 
internet. It seems there is a conflict here between what they push out to the 
media as to what their cyber capabilities are, and what the realities are on 
the ground. In that respect, yes I'm very surprised. --- Andrew



As a former military member I can tell you we don't have unlimited 
amounts of bandwidth...especially overseas.  There have been several 
undersea cables damaged or completely knocked offline.  I don't find 
this policy very surprising due to the disaster in Japan.




Re: medicare.gov / cms.gov DNSSEC Validation Failures

2010-12-28 Thread William Warren

On 12/28/2010 8:43 PM, Nate Itkin wrote:

On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:

I'm looking for a DNS contact for medicare.gov (and cms.gov). They are
failing DNSSEC validation.

Ditto.  Similar to uspto.gov not too long ago.

Try posting to dns-operations.
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Almost certainly some *.gov dns admins lurking there.

Cheers,
Nate Itkin

There's a thread going on about .gov DNSSEC changes.  This 
could be the source of your issues.




Re: Mastercard problems

2010-12-08 Thread William Warren

On 12/8/2010 12:00 PM, andrew.wallace wrote:

It appears the site is under a sustained attack, CNET reports.


http://news.cnet.com/8301-13578_3-20024966-38.html


Andrew





It's only their main website; it has not affected their ability to 
process payments as of yet.




Re: Unlimited wireless data...

2010-12-03 Thread William Warren

On 12/3/2010 6:47 PM, Nathan Eisenberg wrote:

This came up in another thread yesterday or today, and I just got the
solicitation mailer for Clearwire's WiMAX service in Tampa Bay, which they
call 4G, though the ITU disagrees.

The AUP is here: http://www.clear.com/legal/aup

I cannot strongly enough discourage you from using their service.  My 
experience with them has been consistently awful - and given that they're 
headquartered in my area, that's unacceptable.  I'm informed that my experience 
is not at all unique - either to the Seattle area or to their service at large. 
Their Wikipedia article tells you pretty much everything you need to know.

http://en.wikipedia.org/wiki/Clearwire

Their definition of unlimited tends to be barely acceptable throughput levels, 
until you start streaming youtube/netflix or doing a long-running download or using 
bittorrent to seed files to your work PC and laptop or using your VPN to retrieve a 
document, in which case, we won't turn you off, we'll just silently jail you into a 
32-128kbps bandwidth profile.   Also, have some poorly implemented NAT on our ludicrously 
underpowered CPEs!

I also understand that they've been having financial difficulties, so they're 
unlikely to address the issues their customers are faced with.

If I were you, I would keep your backpack offline until another option is 
available.  You're not going to be able to use VOIP on their service, anyways.

Nathan
(Speaking as an individual - not as the company I work for.)
My wife's employer (a multinational grocery conglomerate) tried Clear for 
their internet access as well.  It spent more time offline than on.  
They have since switched that location to 3G cards in the individual 
machines and VPN back to the home office..:)




Re: Level 3 Communications Issues Statement Concerning Comcast'sActions

2010-11-30 Thread William Warren

replies inline

On 11/30/2010 12:09 AM, Andrew Koch wrote:

On Mon, Nov 29, 2010 at 22:17, William Herrin b...@herrin.us  wrote:


So you're saying: treat it like electrical service. I have a 200 amp
electrical service at my house. But I don't pay for a 200 amp service,
I pay for kilowatt-hours of usage.

There are several problems transplanting that billing model to
Internet service. The first you've already noticed - marketing
activity has rendered it unsalable. But that's not the only problem.

Not quite.  Look at mobile data plans.  A very few are unlimited, most
are per byte.


I don't know of a single data plan that's unlimited.  They all have 
either 5 gig or lower transfer caps.  That's not unlimited no matter 
what the lawyers or marketers say.


Andy Koch






Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-11-30 Thread William Warren

On 11/30/2010 6:33 AM, Jeff Young wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


On 30/11/2010, at 9:28 AM, Patrick W. Gilmore wrote:


http://www.marketwatch.com/story/level-3-communications-issues-statement-concerning-comcasts-actions-2010-11-29?reflink=MW_news_stmp

I understand that politics is off-topic, but this policy affects operational 
aspects of the 'Net.

Just to be clear, L3 is saying content providers should not have to pay to deliver 
content to broadband providers who have their own product which has content as well.  I 
am certain all the content providers on this list are happy to hear L3's change of heart 
and will be applying for settlement free peering tomorrow.  (L3 wouldn't want other 
providers to claim the Vyvx or CDN or other content services provided by L3 are competing 
and L3 is putting up a toll booth on the Internet, would they?)

--
TTFN,
patrick




So in this particular game of chicken, Comcast wins.  Shame that L3 agreed to 
this, sets a bad precedent.  I have to imagine that Comcast would have been the 
worse for wear, their phone lines would have lit up like a Christmas tree -- 
why can't I access...?

jy
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)

iF4EAREIAAYFAkz04QkACgkQxvthcni5E2+LwgD+NAie3r+r1dniJNRPMVKAJEj7
BQIympMzCXji7NveWicA/ReSLZgW92LT4cY/yMnsw3EkrD8mL1rkhAzicifOoCwe
=GPm+
-END PGP SIGNATURE-

This whole mess concerns me about the future of the internet.  If the 
traffic can't get to the clients by routing around a depeering..is the 
internet really working as designed?  I don't think so.  Peering has 
become the gateway to the ultimate in network control...while it's the 
provider's prerogative who accesses their network..peering has become a 
club for access and has become the instrument of removing the basic 
design wins of the internet.




Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-11-29 Thread William Warren

On 11/29/2010 5:46 PM, Mark Wall wrote:

Between the lines: Comcast wants to end mutual peering agreements (due to:
ratios, politics, greed) but we are going to spin it due to net neutrality
making it main stream media and hoping we can get comcast clients to
complain...

Not the worst angle we've seen





I think Karl Denninger has this one called right:
http://market-ticker.org/post=173522



Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-11-29 Thread William Warren

On 11/29/2010 6:45 PM, Aaron Wendel wrote:




I think what this really boils down to is an effect of shoddy marketing.
Access providers want to offer unlimited everything and don't want to have
to go back to their customer base and say, "oh, sorry, we didn't really mean
unlimited.  We didn't think you'd really use that much."  So they are looking
for ways of making up for the increased costs without having to look like
idiots to their customers.
Unlimited access is already NOT unlimited access.  A transfer cap isn't 
unlimited..while Comcast has a generous cap..it's still a transfer cap.



My problem is, what happens if this becomes the new model?  What if Comcast
comes to me and says, "Oh, we've noticed X Mbits originating from your
network coming through ours.  Here's the bill of $X per bit."  What happens
when I counter with, "Ok, and I see X bits originating from your network.
Here's my bill, too."  Do they agree to an exchange of money for an exchange
of bits or do I get an "F you.  Pay your bill to us and we're not giving you
crap."






Re: legacy /8

2010-04-11 Thread William Warren

On 4/3/2010 1:39 PM, valdis.kletni...@vt.edu wrote:

On Sat, 03 Apr 2010 08:06:44 EDT, Jeffrey Lyon said:

For small companies the cost of moving to IPv6 is far too great,
especially when we rely on certain DDoS mitigation gear that does not
yet have an IPv6 equivalent.

So?  How many people are *realistically* being hit by IPv6 DDoS right now?
(I saw a number in the last 2-3 days that 2-3% of spam is now being delivered
via SMTP-over-IPv6).  You may not need that gear as much as you thought...

Did you tell your mitigation gear vendor 5 years ago that their next model
needed to have IPv6 support?

Given that currently most stuff is dual-stack, and IPv6 isn't totally
widespread, what are the effects of doing IPv6 DDoS mitigation by simply
turning off IPv6 on your upstream link and letting traffic fall back to IPv4
where you have mitigation gear?

Not a valid argument.  When IPv6 gets widely used then the DDoS will 
follow it.  I have to agree with the previous poster about not wanting 
to move until his DDoS mitigation gear supports V6.  Many of the 
security products I use are just now starting to go v6 capable.  I would 
not want to move to V6 even if I could until all of my security 
gear/software is properly V6 tested.




Re: legacy /8

2010-04-11 Thread William Warren

On 4/3/2010 1:31 PM, George Bonser wrote:

-Original Message-
From: Larry Sheldon [mailto:larryshel...@cox.net]
Sent: Saturday, April 03, 2010 8:43 AM
To: nanog@nanog.org
Subject: Re: legacy /8

On 4/3/2010 10:34, Michael Dillon wrote:

That adoption is so low at this point really says that it has
failed.

In the real world, there is no success or failure, only next steps.
At this point, IPv4 has failed,

Failed?  Really?!!?!

Failed in the sense that I am not sure there is enough time left to
really get v6 deployment going before we hit the wall.  It is like
skydiving and waiting too long to open the chute.

Any school teaching v4 at this point other than as a legacy protocol
that they teach on the second year because they might see it in the
wild should be closed down.  All new instruction that this point should
begin and end with v6 with v4 as an aside.  But that isn't.

We've been dealing with the IPv4 myth now for over 7 years that I have 
followed it.  It's about as valid as the exaflood myth.  Part of the 
reason folks aren't rushing to the V6 bandwagon is it's not needed.  
Stop doing the chicken little dance folks.  V6 is nice and gives us tons 
of more addresses but I can tell you V4 is more than two years from 
dying just by seeing all the arm flailing going around.




Re: Home CPE choice

2010-03-31 Thread William Warren

On 3/31/2010 6:55 PM, Charles N Wyble wrote:


Hopefully this e-mail is considered operational content :)


The recent thread on the new Linksys kit and ipv6 support got me 
thinking about CPE choice.


What good off the shelf solutions are out there? Should one buy the 
high end d-link/linksys/netgear products? I've had bad experiences 
with those (netgear in particular).


Should one get a real cisco router? The 877 or something? Maybe an 
ASA or the new small business targeted ISR (can't recall the model 
number off hand right now). There is mikrotik but I'm not so sure 
about the operating system.


Is there a market for a new breed of CPE running OpenWRT or pfsense on 
hardware with enough CPU/RAM to not fall over?


Granted that won't cost $79.00 at best buy. However it seems to me 
that decent CPE is going to run a couple hundred dollars in order to 
have sufficient ram/cpu.


My current home router is a cisco 1841. I keep my 6mbps DSL line 
pretty much saturated all the time. Often times my wife will be 
watching Hulu in the living room, I'll be streaming music and running 
torrents (granted I have tuned my Azureus client fairly well) all at 
the same time and it's a good experience.  Running that kind of 
traffic load through my linksys would cause it to need a reboot once 
or more a day.


What are folks here running in SOHO environments that doesn't require 
too frequent oil changes :)



I run Astaro on a P-4 celey I had lying around.  Get far more than any 
little router you'll see..can't beat the price.




Re: Spamhaus...

2010-02-18 Thread William Warren

On 2/18/2010 12:50 PM, Crist Clark wrote:

On 2/18/2010 at 2:40 AM, Michelle Sullivan matt...@sorbs.net  wrote:

Laczo, Louis wrote:

Folks,

I'm looking for comments / suggestions / opinions from any providers that
have been contacted by spamhaus about excessive queries originating from
their DNS resolvers, typically, as a proxy for customers. I know that certain
large DNS providers (i.e. google and level3) have either been banned or have
voluntarily blocked spamhaus queries by their resolvers. We're currently in
discussion with spamhaus and I wanted to see how others may have handled
this.

They seem to be doing that a lot of late.  They also contacted my
employer and demanded $100k/yr(?) for having a Use Spamhaus RBL in our
software.  Next version will not have the ability to query Spamhaus
unless a user configures it themselves in the Custom RBL settings.


Michelle

? = could have been more, not sure without checking with the CEO, result
was the same.

We received such a message from a Spamhaus Datafeed reseller
and eventually had our DNS servers blocked. What angered me was
that I analyzed our usage, and we were well below the thresholds
and met the TOS published at the Spamhaus website for no-cost use.
However, they said we had to subscribe to the Datafeed despite
that because we have a Barracuda appliance.

To me, it sounds like Barracuda customers are being singled
out in some conflict between Barracuda Networks and Spamhaus.
Spamhaus (via the reseller, MXTools) is leaning on Barracuda
customers hoping that they'll lean on Barracuda Networks so
that Barracuda Networks will do a deal at the corporate level
with Spamhaus.

Spamhaus does some good work, but being used as a pawn in
some conflict between vendors doesn't feel nice. And I want to
know how they figured out we had a Barracuda.

Try using Barracuda's own barbell (BRBL) service..I don't know if it's 
built into your appliance.  I have also found that greylisting (for me 
via postgrey) has done more than any RBL to nearly eliminate my spam.
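How greylisting cuts spam without any RBL lookup, as an added example rather than postgrey's own code: the policy server remembers the (client network, sender, recipient) triplet, answers the first delivery attempt with a temporary failure, and only accepts once the sender retries after the delay, which most spam engines never bother to do. The defaults below are my understanding of what postgrey ships with and the /24 keying is an assumption; the addresses and mailboxes are constructed.

```python
import ipaddress


class Greylist:
    """Minimal greylisting policy in the style of postgrey (added example).

    Assumed defaults: 300 s delay, 2-day retry window, 35-day entry age,
    client auto-whitelist after 5 accepted deliveries, client keyed by /24.
    """

    def __init__(self, delay=300, retry_window=2 * 86400,
                 max_age=35 * 86400, auto_whitelist_after=5):
        self.delay = delay
        self.retry_window = retry_window
        self.max_age = max_age
        self.auto_whitelist_after = auto_whitelist_after
        self.first_seen = {}    # (client_net, sender, recipient) -> time of first attempt
        self.passes = {}        # client_net -> number of accepted deliveries
        self.whitelist = set()  # client_nets that are no longer deferred

    @staticmethod
    def client_key(client_ip):
        # Key on the /24 so a mail farm that retries from a sibling host still matches.
        return str(ipaddress.ip_network(f"{client_ip}/24", strict=False))

    def expire(self, now):
        stale = [k for k, t in self.first_seen.items() if now - t > self.max_age]
        for k in stale:
            del self.first_seen[k]

    def decide(self, client_ip, sender, recipient, now):
        """Return 'accept' or 'defer' (the MTA turns defer into a 450 temporary failure)."""
        self.expire(now)
        net = self.client_key(client_ip)
        if net in self.whitelist:
            return "accept"
        key = (net, sender.lower(), recipient.lower())
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now   # new (or long-stale) triplet: start the clock
            return "defer"
        if now - first < self.delay:
            return "defer"               # retried too soon; a real MTA will try again
        self.passes[net] = self.passes.get(net, 0) + 1
        if self.passes[net] >= self.auto_whitelist_after:
            self.whitelist.add(net)      # proven retrying sender: stop slowing it down
        return "accept"


def simulate():
    """Constructed traffic: a real MTA that retries, and a bot that sends once."""
    g = Greylist()
    t0 = 1_700_000_000
    legit = [g.decide("192.0.2.10", "alice@example.org", "bob@example.net", t0 + dt)
             for dt in (0, 60, 900)]
    bot = g.decide("198.51.100.77", "x@spam.invalid", "bob@example.net", t0)
    return legit, bot


if __name__ == "__main__":
    legit, bot = simulate()
    print("retrying MTA:", legit)   # defer, defer, accept
    print("one-shot bot:", bot)     # defer, and it never comes back
```

The cost is the initial delay on first contact with a new sender, which is why the auto-whitelist matters: once a client network has retried correctly a few times, it is no longer slowed down, and the RBL is only consulted for mail that gets past this stage.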




Re: Ready to get your federal computer license?

2009-08-30 Thread William Warren

On 8/28/2009 6:11 PM, Peter Beckman wrote:

On Fri, 28 Aug 2009, Hiers, David wrote:


Governments already license stock brokers, pilots, commercial drivers,
accountants, engineers, all sorts of people whose mistakes can be
measured in the loss of hundreds of lives and millions of dollars.


 'The power company allowed their network security to be compromised by a
  single Windows computer connected to the Internet in the main control
  facility, so we unplugged the entire Internet to mitigate the attack,'
  said Senator Rockefeller, the author of the bill that enabled the
  President to take swift action after an unknown hacker used the Internet
  to break into Brominion Power's main control facility and turn off the
  power to the entire East Coast.  'It will remain unplugged and nobody in
  the US will be allowed to connect to the Internet until the power is back
  on and this hacker is brought to justice.'

  Authorities are having a difficult time locating the hacker due to the
  unavailability of the Internet and electricity, and cannot communicate
  with lawmakers via traditional means due to the outage.  A formal request
  to turn the power and Internet back on was sent on a pony earlier this
  afternoon to lawmakers in DC.

 Can't wait.

Beckman
--- 

Peter Beckman  
Internet Guy
beck...@angryox.com 
http://www.angryox.com/
--- 





ROFL!



Re: Slightly OT: Calculating HVAC requirements for server rooms

2009-05-01 Thread William Warren

Mike Lyon wrote:

Hello All,

I am curious what formulas/equations folks use to figure out required
cooling for small datacenters in offices.

The variables I am using are the size of the room, the total amount of power
available for usage and the lightning.

Specifically, I am using the guide posted at:
http://www.openxtra.co.uk/articles/calculating-heat-load

Any other recommendations or suggestions from those folks that have done
this before?

Thank You in advance.

Cheers,
Mike

  
You also have to take into account the environment surrounding the data 
room.  At my wife's work the ceiling above is only separated with a 
false ceiling from the metal roof above, but the rest of the spaces 
surrounding the room are climate controlled.  They had to significantly 
upsize to account for the heat load of that ceiling.
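A worked heat-load calculation, added here and not taken from the OpenXTRA guide or from either poster: equipment and lighting watts convert to BTU/hr at 3.412 BTU/hr per watt, the total is divided by 12,000 BTU/hr per ton of cooling, and the reply's point about the ceiling enters as a conduction term U x A x dT for the ceiling assembly. The per-occupant figure, the two U-values, the temperature of the space above and the 25% sizing margin are assumptions chosen for illustration, not figures from the guide.

```python
# Added example: rough heat load for a small server room, with the ceiling
# above treated as a conduction path.  Only the W-to-BTU/hr factor and the
# BTU/hr-per-ton figure are fixed conversions; everything else is assumed.

WATT_TO_BTU_HR = 3.412        # 1 W dissipated == 3.412 BTU/hr of heat
BTU_HR_PER_TON = 12_000       # one "ton" of refrigeration
BTU_HR_PER_PERSON = 400       # assumed sensible + latent heat per occupant
SIZING_MARGIN = 1.25          # assumed 25% headroom for growth and hot days


def heat_load(equipment_watts, lighting_watts, occupants,
              ceiling_area_ft2, ceiling_u, space_above_f, room_f):
    """Return the room's heat load by source, in BTU/hr, plus tons of cooling.

    ceiling_u is the conductance of the ceiling assembly in BTU/(hr*ft2*F);
    space_above_f is the temperature of whatever sits above the false ceiling
    (an attic under a metal roof, or a conditioned floor).  Conduction only
    adds load when the space above is hotter than the room.
    """
    equipment = equipment_watts * WATT_TO_BTU_HR
    lighting = lighting_watts * WATT_TO_BTU_HR
    people = occupants * BTU_HR_PER_PERSON
    envelope = ceiling_u * ceiling_area_ft2 * max(space_above_f - room_f, 0.0)
    total = equipment + lighting + people + envelope
    return {
        "equipment": equipment,
        "lighting": lighting,
        "people": people,
        "envelope": envelope,
        "total_btu_hr": total,
        "tons": total / BTU_HR_PER_TON,
        "tons_with_margin": total * SIZING_MARGIN / BTU_HR_PER_TON,
    }


def compare_ceilings(equipment_watts=3000, lighting_watts=200, occupants=1,
                     ceiling_area_ft2=200, room_f=70):
    """Same room twice: conditioned space above vs. a hot attic above.

    The U-values (0.05 insulated, 0.5 bare drop ceiling) and the attic
    temperature are assumed illustrative figures.
    """
    common = dict(equipment_watts=equipment_watts, lighting_watts=lighting_watts,
                  occupants=occupants, ceiling_area_ft2=ceiling_area_ft2, room_f=room_f)
    conditioned = heat_load(ceiling_u=0.05, space_above_f=75, **common)
    hot_attic = heat_load(ceiling_u=0.5, space_above_f=120, **common)
    return conditioned, hot_attic


if __name__ == "__main__":
    for label, load in zip(("conditioned space above", "hot attic above"), compare_ceilings()):
        print(f"{label}: {load['total_btu_hr']:.0f} BTU/hr "
              f"-> {load['tons']:.2f} tons, {load['tons_with_margin']:.2f} with margin")
```

With these assumed numbers the hot attic adds roughly 5,000 BTU/hr to a room whose equipment only produces about 10,000, which is the kind of upsizing the reply describes; the thing to measure on site is the temperature above the false ceiling on a hot afternoon.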



Re: real hardware router VS linux router

2009-02-19 Thread William Warren

On 2/19/2009 9:37 AM, Ryan Harden wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

While you could probably build a linux router that is just as fast as a
real hardware router, you're always going to run into the moving pieces
part of the equation.

In almost all scenarios, moving parts are more prone to failure than
non-moving parts.

Regardless of what you find out in your research, consider the above in
your cost-benefit analysis.

/Ryan

Deric Kwok wrote:

Hi All

Actually, what is the different hardware router VS linux router?

Have you had experience to compare real router eg: cisco VS linux router?

eg: streaming speed... tcp / udp

Thank you for your information

- --
Ryan M. Harden, BS, KC9IHX  Office: 217-265-5192
CITES - Network Engineering Cell:   630-363-0365
2130 Digital Computer Lab   Fax:217-244-7089
1304 W. Springfield email:  harde...@illinois.edu
Urbana, IL  61801   

 University of Illinois at Urbana/Champaign
University of Illinois - ICCN
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmdbpcACgkQtuPckBBbXboREgCguTikt2UwEIRHNfoNzASreLD/
YLcAoKdr/Gbw8CQuY9dTitvGQdD3+H0s
=bsHP
-END PGP SIGNATURE-


   
SSDs remove the spindle from the equation..otherwise they both have 
fans that do fail.




Re: Network diagram software

2009-02-11 Thread William Warren

On 2/11/2009 8:06 AM, Mathias Wolkert wrote:

I'd like to know what software people are using to document networks.
Visio is obvious but feels like a straight jacket to me.
I liked netviz but it seems owned by CA and unsupported nowadays.

What do you use?

/Tias

   

Network Notepad



Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-03 Thread William Warren

Dragos Ruiu wrote:


On 2-Jan-09, at 9:56 AM, Robert Mathews (OSIA) wrote:


Joe Greco wrote:

[ ... ]

Either we take the potential for transparent MitM attacks seriously, or
we do not.  I'm sure the NSA would prefer not.  :-)

As for the points raised in your message, yes, there are additional
problems with clients that have not taken this seriously.  It is, however,
one thing to have locks on your door that you do not lock, and another
thing entirely not to have locks (and therefore completely lack the
ability to lock).  I hope that there is some serious thought going on in
the browser groups about this sort of issue.

[ ... ]

... JG


FYI, see:

SSL Blacklist 4.0 - for a Firefox extension able to detect 'bad'
certificates @
http://www.codefromthe70s.org/sslblacklist.aspx

Best.


Snort rule to detect said...

url: http://vrt-sourcefire.blogspot.com/2009/01/md5-actually-harmful.html

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Weak 
SSL OSCP response -- MD5 usage"; content:"content-type: 
application/ocsp-response"; content:"|2A 86 48 86 F7 0D 01 01 05|"; 
metadata: policy security-ips drop, service http; reference: url, 
www.win.tue.nl/hashclash/rogue-ca/; classtype: policy-violation; 
sid:101;)


cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada  March 16-20 2009  http://cansecwest.com
London, U.K. May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp



Everyone seems to be stampeding to SHA-1..yet it was broken in 2005.  So 
we trade MD5 for SHA-1?  This makes no sense.
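Decoding and matching the byte pattern that the Snort rule in this thread carries, as an added example not taken from the Sourcefire post or from either of these threads: signature algorithms appear in certificates and OCSP responses as DER-encoded object identifiers, so a detector has to know exactly which OID its byte pattern stands for. The functions below convert between dotted OIDs and their DER content octets, look the result up in a small table of signature algorithms, and scan a DER blob for the weak ones. Run on the rule's pattern 2A 86 48 86 F7 0D 01 01 05, the decoder returns 1.2.840.113549.1.1.5, which is sha1WithRSAEncryption; md5WithRSAEncryption is 1.2.840.113549.1.1.4. The sample AlgorithmIdentifier blob is constructed.

```python
# Added example: DER object-identifier handling for signature-algorithm checks.

# Dotted OID -> (name, verdict).  The verdict is about the hash, not the key size.
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
}


def decode_oid(content: bytes) -> str:
    """Turn the content octets of a DER OBJECT IDENTIFIER (tag and length
    already stripped) into dotted form.  The first subidentifier is assumed
    to fit in one octet, which holds for every OID in the table above."""
    if not content:
        raise ValueError("empty OID")
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)   # base-128 digits, high bit = more to come
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    if content[-1] & 0x80:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid: dotted OID -> DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def assess_signature_oid(content: bytes):
    """Return (dotted, name, verdict) for OID content octets."""
    dotted = decode_oid(content)
    name, verdict = SIGNATURE_ALGORITHMS.get(dotted, ("unknown", "unknown"))
    return dotted, name, verdict


def weak_signature_hits(der: bytes):
    """Scan a DER blob (certificate, OCSP response) for complete OBJECT
    IDENTIFIER TLVs of weak signature algorithms; return (offset, oid, name)."""
    hits = []
    for dotted, (name, verdict) in SIGNATURE_ALGORITHMS.items():
        if verdict != "weak":
            continue
        enc = encode_oid(dotted)
        tlv = b"\x06" + bytes([len(enc)]) + enc   # tag 0x06, length, content
        pos = der.find(tlv)
        while pos != -1:
            hits.append((pos, dotted, name))
            pos = der.find(tlv, pos + 1)
    return sorted(hits)


if __name__ == "__main__":
    rule_bytes = bytes.fromhex("2A864886F70D010105")   # the pattern from the Snort rule
    print(assess_signature_oid(rule_bytes))
    # Constructed AlgorithmIdentifier: SEQUENCE { OID md5WithRSAEncryption, NULL }
    sample = b"\x30\x0d\x06\x09" + encode_oid("1.2.840.113549.1.1.4") + b"\x05\x00"
    print(weak_signature_hits(sample))
```

Matching the whole TLV (tag, length, content) rather than the bare content bytes keeps the check from firing on the same byte sequence appearing inside some other field, and encoding from the dotted form means the table, not a hand-typed hex string, decides which algorithms count as weak.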




Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread William Warren

Rodrick Brown wrote:

A team of security researchers and academics has broken a core piece
of Internet technology. They made their work public at the 25th Chaos
Communication Congress in Berlin today. The team was able to create a
rogue certificate authority and use it to issue valid SSL certificates
for any site they want. The user would have no indication that their
HTTPS connection was being monitored/modified.

http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-ps3s/
http://phreedom.org/research/rogue-ca/


--
[ Rodrick R. Brown ]
http://www.rodrickbrown.com http://www.linkedin.com/in/rodrickbrown


  
SSL itself wasn't cracked; they simply exploited the known-vulnerable MD5 
hashing.  Another hashing method needs to be used.




Re: What to do when your ISP off-shores tech support

2008-12-25 Thread William Warren

Matthew Black wrote:

On Wed, 24 Dec 2008 10:10:33 -0800
 Etaoin Shrdlu shr...@deaddrop.org wrote:

Matthew Black wrote:


On Wed, 24 Dec 2008 09:51:41 -0800
 Tomas L. Byrnes t...@byrneit.net wrote:


Cox Communications has fully on-shore support. Here in SD they are
actually LOCAL.



In Verizon land, residential customers do not have
CLEC voice or DSL alternatives. We do not have Cox.
Our area is served by Charter Communications who has
the broadband cable monopoly. Verizon has the fiber
monopoly with their FIOS. ATT fiber is not possible
in Verizon land. Nobody competes against Verizon for
residential service in Southern California.


Sir, both COVAD and DSLExtreme beg to differ. Seriously. I just checked.

--
The histories of mankind are histories only of the higher classes.

Thomas Malthus



Going through COVAD's interactive DSL chooser,
there are no options for RESIDENTIAL service.

http://covad.com/web/index.html


DSLextreme is charging a higher price than Verizon
and I suspect they are simply reselling Verizon's
DSL rather than connecting my copper to their
network. That's hardly what I consider CLEC service.
I could be wrong and would switch if I could. But I
don't see them offering voice and that's why I conclude
they are reselling Verizon's DSL service.

matthew black
california state university, long beach


Voice on landline?  Drop it..go cellular.  I'm totally Verizon free.  
Comcast does my internet and TV and Sprint does my three business lines.




Re: routing around Sprint's depeering damage

2008-11-02 Thread William Warren

James Jun wrote:

How about:  If there is a need, somebody will provide at a suitable
price?

If no body steps up, we don't need it.

There seems to be ample evidence, in many arenas, that naked
capitalism can have disastrous results.



And there are lot of examples and ample evidence in history, in many areas,
that complete regulation, complete socialism can have disastrous results as
well. 


If you want to have a good idea on how the internet will look like in the US
after regulation, simply look at Australia. The government imposed
regulation early on in internet infrastructure market caused nothing but
raising the entry barrier for small ISPs, only creating government-approved
monopoly for major telcos/carriers.  Only such regulation creates a
situation where it is cheaper and affordable for a smaller ISP to route
traffic from .AU to .US, then back to .AU than interconnect directly with
incumbent carrier in their own country.  So yes, more regulations definitely
help the internet indeed (by adding extra 300ms into the process).

Instead of calling for socialist/communist policies to regulate the transit
industry, the single-homed networks can simply multihome.  Because of
Cogent, the cost of transit has come down to single-digit per megabit that
even after adding transport costs, it's now affordable to add a 2nd internet
connection for practically most organizations out there, especially in the
continental US (the same capitalism that you call 'disastrous results' is the
same capitalism that brought cheap dollars/meg pricing, allowing smaller
companies to multihome now when they couldn't afford to do so in the past).

As much as we blame Cogent and Sprint for breaking the internet, I also have
no sympathy for individual single-homed downstream customers on either
networks. If you are complaining about Sprint-Cogent depeering and have
customers demanding for your mission-critical services, then you are just as
negligent to not have multihomed before all of this happened.  If you need
that 100% uptime guarantee, you shouldn't rely on single carrier, nor should
you rely on government for more regulation.  No one can help you but
yourself in ensuring your uptime-- so perhaps look at your own setup and
decide that you need that 2nd connection to back you up when first one
fails.  This is a simple business logic.

James




  
If things were truly operating as designed the internet would be able to 
automatically route around this depeering..the problem is not only do 
these two depeer but they also totally block any other traffic coming in 
from the other side.  This is not how things should be done..disconnect 
the peering but let the traffic automatically route around the 
disruption as it should.




Re: Aid in bypassing DNS issue

2008-07-28 Thread William Warren

Steve Bertrand wrote:
With the time I've had, I've tried my best to keep up with every
message related to the current issue upon us related to DNS.

I am a small op, amongst many that I've met in the last few days, that may
need assistance. I would like at least someone from a large operation
to read what I've done, what my concerns are and what help might be
provided for a scenario. If this is as big an issue as I feel it is,
then perhaps those with resources can offer advice. If you will:

I've:

- exploited a legacy machine and hijacked the NS records
- set up an NS under the phony domain
- configured A, and MX records for the hijacked domain (example.com)
- put in place a simple index.html file for a website
- configured email accounts
- you get the point... it all works

Then:

- made some slight changes to the latest (as of 1000hrs 080725) version of the
bailiwicked_domain.rb file to accept a new parameter 'RECURSCHK', that
'fixes' the problem of a consistent domain showing up in the initial
TXT check that, from what I can tell, tests for recursion: (#set
recurschk wwNN.myDdomain.com).

It allows an attacker to set a lookup against a name/record that (s)he
knows exists to get the ball rolling initially.

This generally ensures that the first check of the exploit will always
pass (at least get an affirmative response, recursive or not), but
come in under the radar of an expecting IDS filter.

Once one host is exploited, then the rest of the names can be
built/run against, well, anything of course... unfinished, but in
progress (I know Perl, never dealt with Ruby... an if/for/while would
be handy).

I'd like to change the initial TXT to an A, but I don't think I quite
understand the ramifications on the grand scheme of things within the
scope of the exploit code, unless I were to focus more time on this.
Technically, I'm now on holidays...

Anyway, if you've read this far:

- my true, core name servers are as vulnerable as any name server that
has been patched

- I have clients connected to my 'upstream' (if you please)

- I configured a DNS server (implementation regardless) to FORWARD
ONLY to the 'upstream' DNS servers

- We found that we are vulnerable, due to the fact that our 'upstream'
DNS servers are vulnerable because they don't use port randomization

- we have wholesale business clients who are directly connected to
this 'upstream', and retrieve DNS server addresses via DHCP from
somewhere within their access layer

- the 'upstream' has made no confirmation regarding fixes after
discussion

My question:

How to deal with this? It appears as though there are many that state
"...the patching has gone downhill", but what to do when your hands
are tied?

Is there a network operations centre capable, able and willing to
publicly claim:

"if you've tried your best to tell your 'upstreams' (ISP) to fix the
issue but they haven't, tell them to forget patching, ignore the work
until the problem goes away, turn off recursion and forward to us,
then patch later when you can afford some downtime"?

Thank you to everyone who has already put so much time and
determination into this issue.

Steve

If your upstream has not fixed their issues yet, try forwarding to
OpenDNS, which IS secured against this issue, until your upstream fixes
their servers.
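Steve's core finding above is that the upstream resolvers are exposed because they do not randomize the source port of their outbound queries. The script below is an added example, not code from anyone in this thread: it scores a resolver's observed outbound queries for predictability of source port and transaction ID, the two values a cache-poisoning attacker must guess. All three sample "captures" are constructed in the script itself; a real audit would feed it (source_port, txid) pairs pulled from a packet capture on the resolver's upstream interface.

```python
# Added example (not from the original thread): audit a recursive resolver's
# outbound DNS queries for source-port and transaction-ID predictability.
# All observation data below is constructed, not captured from a real network.
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of a sequence of values, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def looks_sequential(values, max_step=1):
    """True when every value is within max_step above the previous one
    (e.g. 32768, 32769, 32770 ...), a classic predictable allocator."""
    return all(0 < b - a <= max_step for a, b in zip(values, values[1:]))


def classify(values):
    """Label one field as fixed, sequential, low-entropy, or randomized."""
    if len(set(values)) == 1:
        return "fixed"
    if looks_sequential(values):
        return "sequential"
    # With n samples the best achievable entropy is log2(n); demand most of it.
    if shannon_entropy_bits(values) < 0.9 * math.log2(len(values)):
        return "low-entropy"
    return "randomized"


def assess_resolver(observations):
    """observations: list of (source_port, txid) pairs taken from one
    resolver's outbound queries. Returns a summary dict with a needs_fix flag."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    port_label = classify(ports)
    txid_label = classify(txids)
    # A predictable source port leaves only the 16-bit TXID as guess space,
    # which is the weakness port randomization was introduced to close.
    return {
        "samples": len(observations),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(shannon_entropy_bits(ports), 2),
        "source_port": port_label,
        "txid": txid_label,
        "needs_fix": port_label != "randomized" or txid_label != "randomized",
    }


# --- constructed sample data (deterministic seed, so results are repeatable) ---
_rng = random.Random(2008)
N = 200

# Constructed: unpatched resolver that sends every query from port 53.
FIXED_PORT = [(53, _rng.randrange(65536)) for _ in range(N)]
# Constructed: resolver stepping through source ports one at a time.
SEQUENTIAL_PORT = [(32768 + i, _rng.randrange(65536)) for i in range(N)]
# Constructed: patched resolver drawing ports from the ephemeral range.
RANDOM_PORT = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(N)]


if __name__ == "__main__":
    for name, obs in (("fixed", FIXED_PORT),
                      ("sequential", SEQUENTIAL_PORT),
                      ("randomized", RANDOM_PORT)):
        print(name, assess_resolver(obs))
```

The entropy threshold is relative to the sample size because 200 queries can show at most log2(200), about 7.6, bits of spread even from a perfect allocator; judging against the full 16-bit range would flag every small capture. Forwarding to a patched resolver, as William suggests, changes whose source ports matter: the forwarding server still needs its own randomization for any query it resolves itself.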




Re: [NANOG] fair warning: less than 1000 days left to IPv4 exhaustion

2008-05-03 Thread William Warren
That also doesn't take into account how many /8's are being hoarded by 
organizations that don't need even 25% of that space.

Geoff Huston wrote:
 Mike Leber wrote:
 Since nobody mentioned it yet, there are now less than 1000 days projected
 until IPv4 exhaustion:

 http://www.potaroo.net/tools/ipv4/

 ps. 1000 days assumes no rush, speculation, or hoarding.  Do people do
 that?

 pps. Of course these are provocative comments for amusement.  :)

 I keep on saying: it's just a mathematical model, and the way this will play
 out is invariably different from our best guesses. So to say "well, there's
 x days to go" is somewhat misleading, as it appears to vest this model
 with some air of authority about the future, and that's not a good idea!

 IPv4 address allocation is a rather skewed distribution. Most address
 allocations are relatively small, but a small number of them are relatively
 large. It's the timing of this smaller set of actors who are undertaking
 large deployments that will ultimately determine how this plays out. It
 could be a lot faster than 1000 days, or it could be slower - it's very
 uncertain. There could be some last minute rush. There could be a change
 in policies over remaining address pools as the pool diminishes, or

 So, yes, the pool is visibly draining and you now can see all the way to
 the bottom. And it looks like there are around 3 years to go ...
 but that's with an uncertainty factor of at least +/- about 1 1/2 years.

 regards,

 Geoff

 ___
 NANOG mailing list
 NANOG@nanog.org
 http://mailman.nanog.org/mailman/listinfo/nanog
 

-- 
Registered Microsoft Partner

My Foundation verse:
Isa 54:17
