Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
On May 13, 2014, at 4:52 PM, Patrick W. Gilmore patr...@ianai.net wrote: - Warning the world about Chinese surveillance could have been one of the motives behind the US government's claims that Chinese devices cannot be trusted. But an equally important motive seems to have been preventing Chinese devices from supplanting American-made ones, which would have limited the NSA's own reach. In other words, Chinese routers and servers represent not only economic competition but also surveillance competition. Case in point on Sprint/Softbank merger http://www.theverge.com/2013/3/28/4155714/us-wants-sprint-softbank-deal-to-avoid-chinese-network-equipment/in/3252625 Should we as a community look at Open Hardware when we start to lose trust in vendors and governments? Can we make boards/ASIC/FPGA commodity enough to scale? Zaid signature.asc Description: Message signed with OpenPGP using GPGMail
Need help in flushing DNS
Reaching out to DNS operators around the globe. LinkedIn.com has had some issues with DNS and would like DNS operators to flush their DNS. If you see www.linkedin.com resolving NS to ns1617.ztomy.com or ns2617.ztomy.com then please flush your DNS. Any other info please reach out to me off-list. Zaid
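An added example, not from the post or from LinkedIn, of the check a resolver operator would run before flushing: compare the NS names a resolver currently answers for a zone against the expected delegation and flag the rogue ztomy names quoted above. The expected nameserver names are placeholders and the sample dig output is constructed.

```python
"""Compare a resolver's observed NS answer for a zone with the expected delegation.

The rogue names below are the ones quoted in the post; EXPECTED_NS is a
placeholder assumption for this example, not LinkedIn's real delegation.
"""
import re
import subprocess

# Constructed sample: what `dig +short NS linkedin.com @resolver` might print on
# a resolver whose cache still holds the hijacked delegation.
SAMPLE_DIG_OUTPUT = """\
ns2617.ztomy.com.
NS1617.ZTOMY.COM.
"""

# Placeholder expected delegation (assumption for the example, not real data).
EXPECTED_NS = {"ns1.example-authoritative.net", "ns2.example-authoritative.net"}

# Rogue nameserver names named in the post.
ROGUE_NS = {"ns1617.ztomy.com", "ns2617.ztomy.com"}

_NAME_RE = re.compile(r"^[a-z0-9.-]+$")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.strip().lower().rstrip(".")


def parse_ns_answer(text: str) -> set:
    """Parse `dig +short NS` style output into a set of normalized names.

    Lines that are not hostnames (';;' comments, error text) are ignored.
    """
    names = set()
    for line in text.splitlines():
        n = normalize(line)
        if n and not n.startswith(";") and _NAME_RE.match(n):
            names.add(n)
    return names


def classify(observed, expected, rogue):
    """Return (unexpected, known_rogue): names outside the expected delegation,
    and the subset of those that appear on the known-bad list."""
    unexpected = set(observed) - set(expected)
    return unexpected, unexpected & set(rogue)


def needs_flush(text: str, expected=EXPECTED_NS, rogue=ROGUE_NS) -> bool:
    """True when the resolver's answer contains a known rogue nameserver."""
    _, bad = classify(parse_ns_answer(text), expected, rogue)
    return bool(bad)


def query_resolver(zone: str, resolver: str, timeout: int = 5) -> set:
    """Live variant: ask one specific resolver (not exercised offline)."""
    out = subprocess.run(["dig", "+short", "NS", zone, "@" + resolver],
                         capture_output=True, text=True, timeout=timeout)
    return parse_ns_answer(out.stdout)


if __name__ == "__main__":
    obs = parse_ns_answer(SAMPLE_DIG_OUTPUT)
    unexpected, bad = classify(obs, EXPECTED_NS, ROGUE_NS)
    print("observed:", sorted(obs))
    print("unexpected:", sorted(unexpected), "known rogue:", sorted(bad))
    print("flush recommended" if bad else "delegation looks as expected")
```

A single name can be evicted without clearing the whole cache, e.g. `rndc flushname linkedin.com` on BIND or `unbound-control flush_zone linkedin.com` on Unbound.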
Re: Fiber cut in SF Bay Area?
Level3 is also impacted. This cut seems to be vandalism but only heard this from one source. Zaid Sent from my iPhone On Apr 16, 2013, at 12:51 PM, Ravi Pina r...@cow.org wrote: Our Zayo provided ETR is 11:00 - 11:30 PDT. XO is one of the impacted providers as well. -r On Tue, Apr 16, 2013 at 08:55:56AM -0700, Raul Rodriguez wrote: Lost a Zayo circuit from Palo Alto to Los Angeles. ETR was given as 11AM PDT. -RR
Re: NYT covers China cyberthreat
We have done our part to China as well along with other countries in state sponsored hacking. This is more of news amusement rather than news worthy. Question here should be how much of this is another effort to get a kill switch type bill back. Zaid On Feb 19, 2013, at 10:10 PM, Kyle Creyts kyle.cre...@gmail.com wrote: quite a bit of coverage lately from the media. http://online.wsj.com/article/SB10001424127887323764804578313101135258708.html http://www.bbc.co.uk/news/world-asia-pacific-21505803 http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to-chinas-military http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked On Mon, Feb 18, 2013 at 7:23 PM, Jay Ashworth j...@baylink.com wrote: http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. -- Kyle Creyts Information Assurance Professional BSidesDetroit Organizer
Re: What's so difficult about ISSU
Cisco Nexus platform does it pretty well so they have achieved it. Zaid On Nov 8, 2012, at 3:22 PM, Kasper Adel wrote: Hello, We've been hearing about ISSU for so many years and I didn't hear that any vendor was able to achieve it yet. What is the technical reason behind that? If I understand correctly, the way it will be done would be simply to have extra ASICs/HW to be able to build dual circuits accessing the same memory, and gracefully switch from one to another. Is that right? Thanks, Kim
Re: Fiji Islands
Connect is your best bet http://www.connect.com.fj/ Unwired is also a local competitor but I am not sure if they have coverage in Yaqara. Lautoka is a business district so you can get connectivity there from Connect and Unwired but Yaqara you might be quite limited since it's a rural area. Send me a message if you need an introduction to folks, I am still connected to some local telco and network engineers there. Zaid On Jul 31, 2012, at 1:14 PM, Philip Lavine wrote: Who offers Internet Bandwidth in Fiji Islands (Lautoka and Yaqara)?
Re: Fiji Islands
Fintel and TFL sleep in the same bed essentially. Fintel is the gatekeeper of the Southern Cross cable protected heavily by the local government, your typical monopoly setup. Connect is a business unit of TFL. I think you can do the math there. Fintel does not do BGP out of the country (or didn't the last time I was there). Forget VSAT, waste of time. Zaid On Jul 31, 2012, at 5:39 PM, Mike Hale wrote: It looks like Fintel and TFL are both providers for Southern Cross cable. That would be your best bet if they can get lines out to you. Otherwise, there's always VSAT, but that brings a set of other issues with it. Ping me offlist if you want more detail on the VSAT stuff. On Tue, Jul 31, 2012 at 4:55 PM, Franck Martin fmar...@linkedin.com wrote: In no particular order Connect.com.fj aka tfl.com.fj Fintel.com.fj Vodafone.com.fj (via a 3G stick) Digicel.com.fj (via a 2G stick, but also via a wireless backbone network) If you want to do BGP or IPv6, good luck! Is that for Fiji Water? ;) These people have very good operational Internet experience in Fiji. http://www.linkedin.com/in/timothyverma http://www.linkedin.com/pub/alfred-prasad/0/409/14a http://au.linkedin.com/in/skeeve On 7/31/12 1:14 PM, Philip Lavine source_ro...@yahoo.com wrote: Who offers Internet Bandwidth in Fiji Islands (Lautoka and Yaqara)? -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: Fiji Islands
VSAT is resold by Telecom Fiji so you are not going to get anything different than the Telecom Fiji experience with the added bonus of very few folks using VSAT in the country and Telecom Fiji doing a poor job of operational support of VSAT. I considered VSAT 12 years ago for connecting the university medical network I built there but setting aside costs there was really no competence from Telecom Fiji to manage this service. If something breaks in the earth station a VSAT tech is flown from Australia and it can take weeks to fix anything. My suggestion is to work with Connect folks and explore redundancy from either Vodafone or Digicel as Franck suggested. My experience there has been building networks in Suva, Lautoka, Nadi. Skeeve can give more advice for all the fun building in the resort Islands :) Zaid On Jul 31, 2012, at 6:05 PM, Mike Hale wrote: VSAT *isn't* a waste of time if you're willing to spend the money. But that, of course, is the key point. Quality VSAT service costs a LOT of money (3k-5k per asymmetrical megabit). Plus, a quality provider will have no problem providing you with BGP. On Tue, Jul 31, 2012 at 5:58 PM, Zaid Ali z...@zaidali.com wrote: Fintel and TFL sleep in the same bed essentially. Fintel is the gatekeeper of the Southern Cross cable protected heavily by the local government, your typical monopoly setup. Connect is a business unit of TFL. I think you can do the math there. Fintel does not do BGP out of the country (or didn't the last time I was there). Forget VSAT, waste of time. Zaid On Jul 31, 2012, at 5:39 PM, Mike Hale wrote: It looks like Fintel and TFL are both providers for Southern Cross cable. That would be your best bet if they can get lines out to you. Otherwise, there's always VSAT, but that brings a set of other issues with it. Ping me offlist if you want more detail on the VSAT stuff. On Tue, Jul 31, 2012 at 4:55 PM, Franck Martin fmar...@linkedin.com wrote: In no particular order Connect.com.fj aka tfl.com.fj Fintel.com.fj Vodafone.com.fj (via a 3G stick) Digicel.com.fj (via a 2G stick, but also via a wireless backbone network) If you want to do BGP or IPv6, good luck! Is that for Fiji Water? ;) These people have very good operational Internet experience in Fiji. http://www.linkedin.com/in/timothyverma http://www.linkedin.com/pub/alfred-prasad/0/409/14a http://au.linkedin.com/in/skeeve On 7/31/12 1:14 PM, Philip Lavine source_ro...@yahoo.com wrote: Who offers Internet Bandwidth in Fiji Islands (Lautoka and Yaqara)? -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: Why use PeeringDB?
The goal is a source of truth for any peer to know information at the exchange points as well as peering coordinator information. I think it is a great tool for the peering community and definitely useful. Cons: Will it be the next RADB? There needs to be a sustainable community to keep it running since it is a volunteer effort. Zaid On 7/18/12 8:43 AM, Chris Grundemann cgrundem...@gmail.com wrote: Peering Experts, I am currently working on a BCOP for IPv6 Peering and Transit and would very much appreciate some expert information on why using PeeringDB is a best practice (or why it's not). All opinions are welcome, but be aware that I plan on using the responses to enhance the document, which will be made publicly available as one of several (and hopefully many more) BCOPs published at http://www.ipbcop.org/. Also, if there are those among you who would like to review the entire document and perhaps volunteer as a SME to help expand and polish it, please contact me off-list and I'll get you a current draft. Thanks in advance. Cheers, ~Chris -- @ChrisGrundemann http://chrisgrundemann.com
Re: Verisign deep-hacked. For months.
I love this VeriSign said its executives do not believe these attacks breached the servers that support our Domain Name System network, Oh my God, said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. That could allow people to imitate almost any company on the Net. Sounds like another opportunity for insert congress person to propose SOPA-2 Zaid On 2/2/12 2:38 PM, Jay Ashworth j...@baylink.com wrote: Oh, my. http://finance.yahoo.com/news/Key-Internet-operator-rb-2857339070.html Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Re: Verisign deep-hacked. For months.
That part is ambiguous at the moment since Verisign has not released details. Symantec has bought the SSL part of the business and claim that the SSL acquired network is not compromised. Sounds like lots of assumptions being drawn. Zaid On 2/2/12 4:26 PM, Suresh Ramasubramanian ops.li...@gmail.com wrote: So what part of VRSN got broken into? They do a lot more than just DNS. On Fri, Feb 3, 2012 at 5:00 AM, Zaid Ali z...@zaidali.com wrote: VeriSign said its executives do not believe these attacks breached the servers that support our Domain Name System network, Oh my God, said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. That could allow people to imitate almost any company on the Net. -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: MD5 considered harmful
I am in the camp of no MD5 in general and more specifically IX. It is a real pain to manage MD5 and no network in my experience has ever implemented a sustainable solution. There is no BCP that folks follow so generally it's a verbal agreement that someone in either party will maintain the record. This works until that operator leaves the job and the MD5 is in their email box which is no longer accessible. I would say this is pretty common, I have inherited quite a few networks where I had to deal with this problem. Also most common places where people store MD5s are not in secure locations. I would argue that even though you connect via shared medium in the case of an IX you can still use TTL. Zaid On 1/27/12 3:20 PM, Jared Mauch ja...@puck.nether.net wrote: On Jan 27, 2012, at 3:52 PM, Patrick W. Gilmore wrote: Your network, your decision. On my network, we do not do MD5. We do more traffic than anyone and have to be in the top 10 of total eBGP peering sessions on the planet. Guess how many times we've seen anyone even attempt this attack? If you guessed more than zero, guess again. I am fully well aware saying this in a public place means someone, probably many someones, will try it now just to prove me wrong. I still don't care. What does that tell you? STOP USING MD5 ON BGP. I would generally say: If you are on a p2p link or control the network, then yeah, you don't need MD5. If you are at a shared medium (e.g.: IX) I do recommend it there, as it will help mitigate cases where someone can hijack your session by putting your IP/ASN whatnot on the router. The threat (Attack) never became real and we've now had enough time that even the slowest carriers are running fixed code. - Jared
Re: Whacky Weekend: Is Internet Access a Human Right?
I agree with Vint here. Basic human rights are access to food, clothing and shelter. I think we are still struggling in the world with that. With your logic one would expect the radio and TV to be a basic human right but they are not, they are and will remain powerful media which will be enablers of something else and the Internet would fit there. Zaid On 1/5/12 7:22 AM, Jay Ashworth j...@baylink.com wrote: Vint Cerf says no: http://j.mp/wwL9Ip But I wonder to what degree that's dependent on how much our governments make Internet access the most practical/only practical way to interact with them. Understand: I'm not saying that FiOS should be a human right. But as a society, America's recognized for decades that you gotta have a telephone, and subsidized local/lifeline service to that extent; that sort of subsidy applies to cellular phones now as well. Thoughts? Cheers, -- jr 'yes, I know I'm early...' a -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Re: Whacky Weekend: Is Internet Access a Human Right?
On 1/5/12 8:07 AM, Jay Ashworth j...@baylink.com wrote: - Original Message - From: Zaid Ali z...@zaidali.com On 1/5/12 7:22 AM, Jay Ashworth j...@baylink.com wrote: Vint Cerf says no: http://j.mp/wwL9Ip But I wonder to what degree that's dependent on how much our governments make Internet access the most practical/only practical way to interact with them. Understand: I'm not saying that FiOS should be a human right. But as a society, America's recognized for decades that you gotta have a telephone, and subsidized local/lifeline service to that extent; that sort of subsidy applies to cellular phones now as well. I agree with Vint here. Basic human rights are access to food, clothing and shelter. I think we are still struggling in the world with that. With your logic one would expect the radio and TV to be a basic human right but they are not, they are and will remain powerful media which will be enablers of something else and the Internet would fit there.

Well, I dunno... as I think was obvious from my other comments: TV and Radio are *broadcast* media; telephones and the internet are not; they're *two-way* communications media... and they're the communications media which have been chosen by the organs of government we've constituted to run things for us. You hit the important word, though, in your reply: *access to* food, clothing, and shelter... not the things themselves. The question here is is *access to* the Internet a human right, something which the government ought to recognize and protect? I sort of think it is, myself... and I think that Vint is missing the point: *all* of the things we generally view as human rights are enablers to other things, and we generally dub them *as those things*, by synecdoche... at least in my experience.

If I wrote a blog article that criticized the government and it was shut down along with my Internet access I wouldn't say that my right to the Internet was violated. I would say that my right to free speech was violated. Regardless of one way or two way communication it is communication. Zaid
Re: Whacky Weekend: Is Internet Access a Human Right?
On 1/5/12 9:34 AM, Jon Schipp jonsch...@gmail.com wrote: I think there's a fundamental difference between human and civil rights. Human rights come from our humanity, i.e. us being human. As humans, we can walk, talk, produce things, own property, etc. Assuming that isn't true, the next logical question is where do you draw the line? Vehicles are beneficial to society, can they be a human right? If you keep bringing these type of questions up and substitute any good in place of vehicles, you can see how absurd it is. There's no consistency. I think the idea that food, shelter etc. are human rights is absurd. Doesn't that imply that someone must provide those things for me? What if they don't want to? Does that mean they are forced to? Which would be a violation of their human rights. No, it doesn't mean that someone must provide it for you. It means that access must not be denied. Take for example the homeless situation in San Francisco, if the city did not provide shelter for the homeless there would be an outcry of human rights violation. If you walk around San Francisco you still see people sleeping in the streets and this is because they choose to but they do have the right to go to a shelter so the city of San Francisco is doing the right thing for basic human rights. In India my observation is that people may be really poor but they do not go hungry or get denied shelter even though they choose to make it out of a cardboard box. The government makes sure that the lands are protected which is why the slums are not bulldozed by a developer. This is a good example of human rights. Electricity, communication mediums are all things that people get together to bring either as an individual self or a community. Zaid
AS376
Can someone from AS 376 contact me offline? s'il vous plaît? I am seeing a routing issue in your AS. Merci, Zaid
Re: STRIKE: VZN
I heard a few days ago this might happen through another carrier who depends on a local loop from VZ. If you are waiting on circuit installs or someone has to swap out an NI card this may impact you. Thanks for the link. Zaid Sent from my iPhone On Aug 6, 2011, at 10:14 PM, Jay Ashworth j...@baylink.com wrote: As of midnight, 45,000 IBEW and CWA members are striking Verizon, as their contract has expired. http://www.reuters.com/article/2011/08/07/us-verizon-labor-idUSTRE7760C320110807 It's not clear how this might affect what we do, but it might, and I figured the heads up would probably be useful. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Re: internap fcp competitors?
On Jul 20, 2011, at 11:52 PM, Gregory Edigarov wrote: On Wed, 20 Jul 2011 23:35:05 -0400 MageMojo na...@magemojo.com wrote: Does anyone know of competitors to internap's fcp product? Avaya/Route Science. I would check if this product is still sold by Avaya. Many moons ago I tested it. Also, I would greatly appreciate if anybody could explain what technically is internap fcp. A box that can manipulate your outbound BGP routes since BGP doesn't take into consideration link congestion, delays etc. Zaid
Re: ICANN to allow commercial gTLDs
On Jun 17, 2011, at 2:23 PM, Jay Ashworth wrote: - Original Message - From: David Conrad d...@virtualized.org On Jun 17, 2011, at 11:04 AM, Jay Ashworth wrote: Aw, Jeezus. No. Just, no. http://tech.slashdot.org/story/11/06/17/202245/ You just learned about this now? In fact I did. I certainly haven't seen it mentioned on NANOG in the last 6 months or so; where should I have seen it? Just an example, it has hit mainstream media http://globalpublicsquare.blogs.cnn.com/2011/03/17/who-runs-the-internet/ Or you could have gone to one of the many free ICANN meetings where you can hear about this till your ears go blue. It has only been a topic for discussion for about 10 years :) but of course if it's not on NANOG it can't be true. Zaid
Re: ICANN to allow commercial gTLDs
On Jun 17, 2011, at 2:44 PM, Paul Graydon wrote: On 06/17/2011 11:33 AM, David Conrad wrote: On Jun 17, 2011, at 11:23 AM, Jay Ashworth wrote: http://tech.slashdot.org/story/11/06/17/202245/ You just learned about this now? In fact I did. I certainly haven't seen it mentioned on NANOG in the last 6 months or so; where should I have seen it? New TLDs have been discussed now for over a decade. Press (both technical and popular) on ICANN activities have ratcheted up significantly recently, particularly with the approval of .XXX (which was recently discussed here on NANOG: http://mailman.nanog.org/pipermail/nanog/2011-March/034488.html). Not blaming/accusing, just surprised this would be a surprise. I guess I've been living in the layer9 cloud too long Regards, -drc I've seen the stuff about adding a few extra TLDs, like XXX. I haven't seen any references until now of them considering doing it on a commercial basis. I don't mind new TLDs, but company ones are crazy and going to lead to a confusing and messy internet. Paul There has been a lot of work put into this. I suggest you start looking at the application guide book http://www.icann.org/en/topics/new-gtlds/dag-en.htm If folks have been debating about this for 10 years then you can be assured the concerns of a messy internet have been brought up. Don't tell me folks will have an existential moment about IDNs and gTLDs. Zaid
Re: ICANN to allow commercial gTLDs
On Jun 17, 2011, at 2:54 PM, Benson Schliesser wrote: On Jun 17, 2011, at 4:21 PM, David Conrad wrote: On Jun 17, 2011, at 11:04 AM, Jay Ashworth wrote: Aw, Jeezus. No. Just, no. http://tech.slashdot.org/story/11/06/17/202245/ You just learned about this now? On a related topic, the US DoJ recently wrote a letter suggesting that DNS registry/registrar vertical integration might not be a good idea (from an anti-trust perspective). http://www.icann.org/en/correspondence/strickling-to-dengate-thrush-16jun11-en.pdf Cheers, -Benson And before that, a need for a comprehensive economic study http://forum.icann.org/lists/5gtld-guide/msg00013.html See a pattern? Zaid
Re: ICANN to allow commercial gTLDs
On Jun 17, 2011, at 2:54 PM, Jay Ashworth wrote: - Original Message - From: Joel Barnard jbarn...@nwic.ca I hope they've considered what will happen if you go to http://localhost/ or http://pcname/ Is that the local network's pcname, or the gTLD pcname? Are we going to have to start using a specially reserved .local gTLD? No, of *course* ICANN didn't give any engineering thought to it. Cause the engineers? Are all *here*. And David Conrad's apparently the only guy who's heard about it. :-) I have seen many NANOG folks at ICANN meetings discussing this and also active on ALAC so David isn't the only guy. Also do a search on the list and you will find threads dating back. http://article.gmane.org/gmane.org.operators.nanog/56728/match=gTLDs Zaid
Re: $ 90 million fine for cutting Internet services
I am a little skeptical that this fine imposed is because the government truly believes in Internet freedom. Many factions of the Egyptian government want to get as much money out of Mubarak as they can and this might be a way to do just that. What would be interesting is if there is a law passed preventing any member of the government from cutting off Internet access. Zaid On May 28, 2011, at 12:23 PM, ML wrote: On 5/28/2011 12:18 PM, Marshall Eubanks wrote: I remember some discussion of this outage on NANOG, and on what it was costing Egypt. Well, here is an estimate - almost $ 20 million USD / day (which actually sounds low to me). Regards Marshall http://english.aljazeera.net/news/africa/2011/05/201152811555458677.html An Egyptian court has fined ousted president Hosni Mubarak and former officials more than $90m for cutting off access to internet and mobile phone services during the country's massive protests in January. A court source told the Reuters news agency on Saturday that Mubarak's fine is $34m, former interior minister Habib al-Adly will owe $53m, and former prime minister Ahmed Nazif has a fine of $7m. The fine is to be paid from personal assets... Can I fine TEDATA for committing VoIP fraud against my network during that same time period?
Edgecast?
Anyone from edgecast here? I am seeing peering issues to a particular CDN. Please contact me offline. Zaid
Re: Using Region-X assigned IP space in Region-Y?
On 3/27/11 8:19 AM, valdis.kletni...@vt.edu valdis.kletni...@vt.edu wrote: On Sun, 27 Mar 2011 08:58:29 MDT, Mark Leonard said: Is it possible/allowable to move one of these datacenters to a different geographical region with a different RIR and keep using the same two subnets, or will a new /24 need to be requested from the new RIR? There's only one question to be asked - will the (possibly new) upstream of the moved datacenter announce the route for the /24 or not? Why would the new upstream refuse to announce the /24 assuming he has the correct information for his route objects and visible through the RIR database? Zaid
Re: Using Region-X assigned IP space in Region-Y?
On 3/27/11 10:54 AM, Jima na...@jima.tk wrote: On 3/27/2011 12:10 PM, Zaid Ali wrote: On 3/27/11 8:19 AM, valdis.kletni...@vt.edu valdis.kletni...@vt.edu wrote: There's only one question to be asked - will the (possibly new) upstream of the moved datacenter announce the route for the /24 or not? Why would the new upstream refuse to announce the /24 assuming he has the correct information for his route objects and visible through the RIR database? Some transit providers dislike announcing smaller networks, and thus have lower limits. Jima Then the said transit provider customer will turn off the circuit and move to the next transit provider that doesn't have a problem with /24. If you are in a monopolistic ISP environment then it is different and that is a different topic of discussion. Sadly been there done that. Zaid
Re: Regional AS model
On Mar 24, 2011, at 3:17 PM, Michael Hallgren wrote: Le jeudi 24 mars 2011 à 14:26 -0700, Bill Woodcock a écrit : On Mar 24, 2011, at 1:47 PM, Patrick W. Gilmore wrote: On Mar 24, 2011, at 3:40 PM, Owen DeLong wrote: On Mar 24, 2011, at 12:42 PM, Zaid Ali z...@zaidali.com wrote: I have seen age old discussions on single AS vs multiple AS for backbone and datacenter design. I am particularly interested in operational challenges for running AS per region e.g. one AS for US, one EU etc or I have heard folks do one AS per DC. I particularly don't see any advantage in doing one AS per region or datacenter since most of the reasons I hear is to reduce the iBGP mesh. I generally prefer one AS and making use of confederation. If you have good backbone between the locations, then, it's mostly a matter of personal preference. If you have discrete autonomous sites that are not connected by internal circuits (not VPNs), then, AS per site is greatly preferable. We disagree. Single AS worldwide is fine with or without a backbone. Which is preferable is up to you, your situation, and your personal tastes. We're with Patrick on this one. We operate a single AS across seventy-some-odd locations in dozens of countries, with very little of what an eyeball operator would call backbone between them, and we've never seen any potential benefit from splitting them. I think the management headache alone would be sufficient to make it unattractive to us. -Bill Right. I think that a single AS is most often quite fine. I think our problem space is rather about how you organise the routing in your AS. Flat, route-reflection, confederations? How much policing between regions do you feel that you need? In some scenarios, I think confederations may be a pretty sound replacement of the multiple-AS approach. Policing iBGP sessions in a route-reflector topology? Limits? Thoughts? I always look at confederations as a longer term plan because you have some idea how your backbone is going to shape out. Knowing where you are going makes confederation planning easier. Start with RRs and then see if confeds make sense. Zaid
Regional AS model
I have seen age old discussions on single AS vs multiple AS for backbone and datacenter design. I am particularly interested in operational challenges for running AS per region e.g. one AS for US, one EU etc or I have heard folks do one AS per DC. I particularly don't see any advantage in doing one AS per region or datacenter since most of the reasons I hear is to reduce the iBGP mesh. I generally prefer one AS and making use of confederation. Zaid
Re: External sanity checks
On Feb 4, 2011, at 1:36 PM, Franck Martin wrote: - Original Message - From: Paul Graydon p...@paulgraydon.co.uk To: nanog@nanog.org Sent: Friday, 4 February, 2011 8:39:09 AM Subject: Re: External sanity checks On 02/03/2011 08:04 AM, Philip Lavine wrote: To all, Does any one know a Vendor (NOT Keynote) that can do sanity checks against your web/smtp/ftp farms with pings, traceroutes, latency checks as well as application checks (GET, POST, ESMTP, etc) Thank you, Philip Slight hijack, I'm interested in the answer to this question, but I'm also wondering about a service that will actually phone you (or is there a reliable text/e-mail-phone call service?) I'd appreciate actually being phoned overnight if something dies drastically to the outside world! A bit different, but if you are looking for something that works a bit before the problem becomes visible to the user, check: http://www.avonsys.com/Application+Monitoring I used Avonsys before for monitoring. You can have Keynote, Gomez, homegrown tool etc but you still need someone with clue on how to interpret it, verify alerts, find odd performance problems etc. Contact me off list if you want reference. Zaid
bestpath as-path multipath-relax
I am looking for some operational feedback of this undocumented feature, bgp bestpath as-path multipath-relax, for IOS. If you are using this for outbound load balancing I would like to hear your experiences. Also if you are running it across edges. Thanks, Zaid
Re: wikileaks unreachable
I see a new T-Shirt Free speech has an IP address Zaid On 12/3/10 8:38 AM, // ravi ravi-li...@g8o.net wrote: On Dec 3, 2010, at 1:19 AM, Jorge Amodio wrote: and this is based on what facts? Instead of tweeting about how to reach their content, or their IP addresses to bypass DNS [snip happens] http://twitter.com/#!/wikileaks/status/10621245489938433 7 hours ago (Randy, I plan/hope to requote your earlier message non-commercial use with attribution) ravi
Re: wikileaks unreachable
I heard there are DDoS attacks on the Wikileaks site. Zaid On 11/28/10 1:34 PM, Randy Bush ra...@psg.com wrote: anyone know why https://www.wikileaks.org/ is not reachable? nations state level censors trying to close the barn door after the horse has left? randy
Interesting IPv6 viral video
Not quite accurate and a bit too dramatic on the panic side but the approach is interesting to put C-Level folks in the hot seat about v6. Would be interesting also to see if folks here get asked by C-Level folks about IPv6. http://www.youtube.com/watch?v=eYffYT2y-Iw Zaid
Re: Interesting IPv6 viral video
On 10/28/10 2:11 PM, Leo Bicknell bickn...@ufp.org wrote: If you have been trying to get your C-Level folks to understand the problem for months or years and they won't listen, yet they come to you after watching this Cisco video then you should go visit www.monster.com, or www.careerbuilder.com. I don't have this problem thankfully but I know many do and it is probably the major reason why v6 adoption is slow. Many networks need money invested to upgrade for v6 readiness. The message is do it now before the costs dramatically increase. The problem with C-level folks is not that they don't want to do it but that there is no financial incentive for them to do it; if there is no direct benefit to drive revenue then why put in the money? The barrier for v6 is not technical, it is purely financial; some understand the economics and some don't. Finance people usually think that the longer you can put off expenses the better it looks for your balance sheet. This is really the crux of the problem. Zaid
Re: Interesting IPv6 viral video
On 10/28/10 2:24 PM, Beavis pfu...@gmail.com wrote: lol... Is this video by cisco? what a funny way to mis-inform non-tech folks. Yes it is. When do marketing people get it right? I actually think the fun hasn't begun yet. Wait till CNN/FOX etc makes this a big issue and claim the internet is going to come to an end then folks with clue will have to go on TV and calm the hysteria. Zaid
Re: Interesting IPv6 viral video
On 10/28/10 4:06 PM, Scott Weeks sur...@mauigateway.com wrote: --- z...@zaidali.com wrote: Wait till CNN/FOX etc makes this a big issue and claim the internet is going to come to an end - http://www.argee.net/chickenlittleagenda/CLA%2072.jpg scott We have all seen the trend set by the Cyberwar news reports. Zaid
Re: Only 5x IPv4 /8 remaining at IANA
If you run Cisco ACE load balancers and start with your web server farm I can assure you that you will be stuck because ACE load balancers do not support v6 and don't plan to until mid next year and not without a new card/cost. If you run ACE in non-routed mode then you are doubly stuck because you can't even bypass the load balancer to reach one of your webservers since the ACE doesn't pass v6 traffic! So I agree, don't start there; instead get the corporate LAN, learn from it, then move onto your production facing networks. Also get whitelisted for Google NS so you can see more user traffic. Zaid On 10/19/10 11:30 AM, Franck Martin fra...@genius.com wrote: No, no. Putting your servers on IPv6 is a major task. Load balancers, proprietary code, log analysis, database records... all that needs to be reviewed to see if it is compatible with IPv6 (and a few pieces of equipment need recent upgrades if they can even do IPv6 today). Putting your client machines (i.e. internal network) on IPv6 is relatively easy. Enable IPv6 on the border router, you don't need failover (can build it later) as anyhow the clients will fail over to IPv4 if IPv6 fails... So as failover is not needed you can have a separate simple IPv6 network infrastructure on top of your IPv4 infrastructure. So my advocacy is: get your client (I'm not talking about customers here, but client as in client/server) machines on IPv6, get your engineers, support staff, etc. to be familiar with IPv6, then all together you can better understand how to migrate your server infrastructure to IPv6 (and your customers to IPv6 if you are an ISP). If you do that, you will see migration to IPv6 is made much easier, and much faster.
- Original Message - From: Owen DeLong o...@delong.com To: Franck Martin fra...@genius.com Cc: Jonas Frey (Probe Networks) j...@probe-networks.de, Jeffrey Lyon jeffrey.l...@blacklotus.net, NANOG list nanog@nanog.org Sent: Tuesday, 19 October, 2010 8:55:56 PM Subject: Re: Only 5x IPv4 /8 remaining at IANA Servers work just fine over tunnels if necessary too. Get your public-facing content and services on IPv6 as fast as possible. Make IPv6 available to your customers as quickly as possible too. Finally, your internal IT resources (other than your support department(s)) can probably wait a little while. Owen On Oct 18, 2010, at 1:41 PM, Franck Martin wrote:
Re: Only 5x IPv4 /8 remaining at IANA
On 10/19/10 2:37 PM, Mark Andrews ma...@isc.org wrote: So stick a router in parallel and just route IPv6 over it. So stick in an IPv6-IPv4 proxy and send that traffic through the load balancer. Nah, considering v6 traffic is small I have a simpler solution. I prefer to set up a temporary web service running v6 native outside the LBs and offer an experimental service; that way I can keep yelling at vendors to get their act together, because if they don't hear user requests then v6 will not be a priority for them. The last thing you want to do is build a kluge and stay silent. Zaid
Re: Only 5x IPv4 /8 remaining at IANA
On 10/19/10 3:58 PM, Mark Andrews ma...@isc.org wrote: Adding a separate IPv6 server is a workaround and runs the risk of being overloaded. And what a wonderful problem to have! You can show a CFO a nice cacti graph of IPv6 growth so you can justify to him/her signing off on IPv6 expenses. A CFO will never act unless there is a real business problem. There are some of us here who have management with clue but there are many that don't; sadly this is the majority and a large contributor to the slow adoption of IPv6. Zaid
Choice of network space when numbering interfaces with IPv6
So I have been turning up v6 with multiple providers now and notice that some choose /64 for numbering interfaces but one I came across uses a /126. A /126 is awfully large (for interface numbering) and I am curious if there is some rationale behind using a /126 instead of a /64. Zaid
Re: Choice of network space when numbering interfaces with IPv6
Bahh, had my head turned around and brain fried on a Friday. I was more curious about /64 vs /126 from a management perspective. Thanks everyone for answering offline as well, I got my questions answered. Zaid On 10/15/10 12:26 PM, Zaid Ali z...@zaidali.com wrote: So I have been turning up v6 with multiple providers now and notice that some choose /64 for numbering interfaces but one I came across uses a /126. A /126 is awfully large (for interface numbering) and I am curious if there is some rationale behind using a /126 instead of a /64. Zaid
Re: 12 years ago today...
On 10/15/10 8:38 PM, Jorge Amodio jmamo...@gmail.com wrote: On Fri, Oct 15, 2010 at 9:51 PM, Rodney Joffe rjo...@centergate.com wrote: On October 16th, we lost a real friend and hero. Sigh http://www.apps.ietf.org/rfc/rfc2468.html Amen. Long Live Jon Postel !! And you can sometimes hear his comments http://www.facebook.com/jon.postel :)
MsgSent statistics question
I am trying to troubleshoot an odd v6 peering connection issue. Does anyone know at what point is MsgSent in BGP summary or neighbor summary calculated? Does the MsgSent include initial TCP connections before establishment? Thanks, Zaid
Re: Facebook down!! Alert!
I think the Outages mailing list is more appropriate for this. On 10/5/10 9:46 PM, Mike Lyon mike.l...@gmail.com wrote: Same here in SF Bay Area On Tue, Oct 5, 2010 at 9:44 PM, James Smith ja...@smithwaysecurity.com wrote: At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA. ~SmithwaySecurity Sent from my iPhone
Re: L3 Issues this Morning?
Not sure if this is related but my Level 3 BGP peer went down at 3:33:57 GMT for just over 6 hours. This was in the San Jose/Santa Clara area. Their reason was an OSPF problem. Zaid On 9/30/10 10:39 AM, Khurram Khan brokenf...@gmail.com wrote: Learn something new everyday, that's awesome. We've got several data centers between San Diego, Denver, Tulsa, Chicago, Washington DC. All of the circuits between those POPs, and all are L3, just dropped traffic. On Thu, Sep 30, 2010 at 11:35 AM, James Smith ja...@smithwaysecurity.com wrote: None Down here in Canada Sent from my iPhone On Sep 30, 2010, at 2:32 PM, Khurram Khan brokenf...@gmail.com wrote: Hello All, This is my first time writing to this list and wanted to check if anyone experienced issues with L3 circuits between 12:50 ET and 13:05 ET. All our core backbone circuits re-converged and we saw a significant drop in traffic. Regards, Khurram
Re: Google wants your Internet to be faster
The devil is always in the details. The network management piece is quite glossed over and gives a different perception in the summary. You can't perform the proposed network management piece without deep packet inspection, which violates every user's privacy. Zaid On 8/9/10 11:52 AM, Joly MacFie j...@punkcast.com wrote: Surely differentiated services could include a 'YouTube Channel' - something they deny in the call? I've blogged the proposal at http://www.isoc-ny.org/p2/?p=1112 j On Mon, Aug 9, 2010 at 2:46 PM, Jason Iannone jason.iann...@gmail.com wrote: http://googlepublicpolicy.blogspot.com/2010/08/joint-policy-proposal-for-open-internet.html Pretty boilerplate pro net neutral. The transparency requirements and 'differentiated services' exceptions are particularly interesting.
Re: Web expert on his 'catastrophe' key for the internet
Great! So I assume he is an elder of the Internet? http://www.youtube.com/watch?v=iRmxXp62O8g On 7/27/10 4:43 PM, andrew.wallace andrew.wall...@rocketmail.com wrote: A British computer expert has been entrusted with part of a digital key, to help restart the internet in the event of a major catastrophe. Paul Kane talked to Eddie Mair on Radio 4's PM programme about what he might be called upon to do in the event of an international online emergency. http://www.bbc.co.uk/news/uk-10781240
v6 bgp peer costs?
I currently have a v4 BGP session with AS 701 and recently requested a v6 BGP session to which I was told a tunnel session will be provided (Same circuit would be better but whatever!). Towards the final stage in discussions I was told that it will cost $1500. I find this quite ridiculous and it will certainly not motivate people to move to v6 if providers put a direct price tag on it. I am going through a bandwidth reseller though so I am not sure who is trying to jack me here. Has anyone here gone through a similar experience? Thanks, Zaid
Re: v6 bgp peer costs?
On 7/21/10 12:22 PM, Marco Hogewoning mar...@marcoh.net wrote: On 21 jul 2010, at 21:08, Zaid Ali wrote: I currently have a v4 BGP session with AS 701 and recently requested a v6 BGP session to which I was told a tunnel session will be provided (Same circuit would be better but whatever!). Towards the final stage in discussions I was told that it will cost $1500. I find this quite ridiculous and it will certainly not motivate people to move to v6 if providers put a direct price tag on it. I am going through a bandwidth reseller though so I am not sure who is trying to jack me here. Has anyone here gone through a similar experience? I think the main question here would be, what they would charge for a change to a v4 session. Most likely they just decided that setting up the tunnel and configuring BGP takes time and since time is money they decided to charge you for it. Seems like a reasonable rule of business, why should it be free? At the same time, the same set of economics will probably find you somebody who will do this for less and maybe even is happy to take your business and set up v4/v6 dual stack for free. So get a quote from a competitor, call back 701 and offer them the choice of setting up the tunnel or losing a customer. My personal preference would be to leave and find somebody who can do native all the way. MarcoH Thanks, I am trying to see if there is a trend or anomalous gouging. From off-list answers it doesn't seem like a trend among other vendors. My worry about high costs is when you have several circuits this will add up and going to a CFO to justify it will be pretty hard. A CFO will generally say let's deal with that problem next year when v4 actually runs out. Two years ago I felt there wasn't enough motivation for folks to move to v6; I don't see this changing, especially when vendors, resellers etc. charge more $$ for v6. Zaid
Re: v6 bgp peer costs?
I already have a v6 BGP tunnel with Hurricane Electric and it works like a charm :) It is other vendors I am concerned about. Zaid On 7/21/10 12:38 PM, Mike Leber mle...@he.net wrote: You can get a free IPv6 BGP tunnel from Hurricane Electric at http://tunnelbroker.net We have tunnel servers spread throughout the world, so typically the nearest server has reasonably low latency from your location. Of course our main business is selling wholesale native IPv6 and IPv4 transit, however you don't have to be a paying customer to use our free service. Mike. On 7/21/10 12:08 PM, Zaid Ali wrote: I currently have a v4 BGP session with AS 701 and recently requested a v6 BGP session to which I was told a tunnel session will be provided (Same circuit would be better but whatever!). Towards the final stage in discussions I was told that it will cost $1500. I find this quite ridiculous and it will certainly not motivate people to move to v6 if providers put a direct price tag on it. I am going through a bandwidth reseller though so I am not sure who is trying to jack me here. Has anyone here gone through a similar experience? Thanks, Zaid
Re: v6 bgp peer costs?
On 7/21/10 12:39 PM, Seth Mattinen se...@rollernet.us wrote: On 7/21/2010 12:08, Zaid Ali wrote: I currently have a v4 BGP session with AS 701 and recently requested a v6 BGP session to which I was told a tunnel session will be provided (Same circuit would be better but whatever!). Towards the final stage in discussions I was told that it will cost $1500. I find this quite ridiculous and it will certainly not motivate people to move to v6 if providers put a direct price tag on it. I am going through a bandwidth reseller though so I am not sure who is trying to jack me here. Has anyone here gone through a similar experience? Ooh, Verizon? Good luck. Do you know what pop (VZ calls them hubs) your existing circuit is out of? Not all of 701 is IPv6 enabled. If you are currently served from a v4 only location you're out of luck. POS-6 SJC I ordered an Ethernet circuit from Verizon last year as dual-stack IPv4/IPv6. There was no extra cost involved. However, they never did actually deliver the layer 3 portion, so I just let them languish into obscurity. My problem was that I'm closer to a v4 only pop (Sacramento), but the closest 4/6 pop is further away in San Jose. For some reason they could not figure out how to go there and kept defaulting to Sac. Eventually they called me and said it's just not possible to deliver the service. I ended up placing an order with Global Crossing and the dual-stack process was completely painless. Sigh.. Explains why I never got a straight answer on native v6 support. First they said yes, then now tunnel only. Perhaps time to turn them off. Zaid
Email over v6
Are there any folks here who would be inclined to do SMTP over IPv6? I have a test v6 network which is ready to do email but getting some real world data to verify headers would be more helpful. Please send me an email offlist if you are interested. Thanks, Zaid
Re: Securing the BGP or controlling it?
What we need (as operators) is to get better at ensuring that advertisements are coming from the valid owner of said address space. What we don't need is a separate governance model which I worry this article is trying to imply. I still use RADB but I hear not every peer/provider checks there anymore? This is hearsay so interested in other opinions. As far as the mistakes pointed out in this article one can be assured that these things are bound to happen. The youtube situation could have been prevented if the peer opening a filter (and responsible for announcing out) had reach to a system where the other peer's advertisement can be verified. I don't think leaning on competency is a good way to go about solving this problem, we need a system or model in place to ensure we have a trust and verification system. Zaid On 5/10/10 9:54 AM, Thomas Magill tmag...@providecommerce.com wrote: All of the major providers I have worked with have required proof of 'ownership' of address space or an LoA from the registered holder of that space before they would allow advertisements from me, which are then filtered. Is this not the norm? I can understand if they are talking about an operator making a mistake, but the article seems to imply that anyone running BGP can bring down the Internet... I think any competent provider can easily eliminate this threat from customers. Are there any types of penalties if an ISP is found to not be taking adequate precautions, other than the possible threat of losing business? -Original Message- From: Franck Martin [mailto:fra...@genius.com] Sent: Monday, May 10, 2010 9:48 AM To: nanog@nanog.org Subject: Re: Securing the BGP or controlling it? APNIC allows you to put your BGP data in the whois, so like this you have a third party verification tool on who is peering with who.
Re: Internationalized domain names in the root
I agree the Safari experience looks much nicer and yes, a whole host of potential malice could arise. Firefox shows punycode http://xn--4gbrim.xnrmckbbajlc6dj7bxne2c.xn--wgbh1c/ar/default.aspx Now if I understood Arabic only and was travelling or happened to use Firefox which showed punycode, how would I trust it? If it was directly translated to Latin characters I could trust it with verification from someone I know who understands English. I would not trust punycode because an end user does not know what it means; I think there is potential for a lot of issues here. Zaid On 5/6/10 11:45 AM, Geoff Adams gadams+na...@avernus.com wrote: On 5 May 2010, at 2:16 PM, Jorge Amodio wrote: On Wed, May 5, 2010 at 11:34 AM, David Conrad d...@virtualized.org wrote: Perhaps a bit off-topic, but some folks might get support calls... http://وزارة-الأتصالات.مصر/ (that's Arabic for Ministry of Communications.Egypt) Great progress and interesting addition to the root, only issue is that after all the work with IDNs you land on a page written in English (web browser lang does not matter, name resolves to the same IP as the original URL). Hope they soon take advantage of the new name. The page shows up in Arabic for me in all three of Safari (in which the URL bar also shows the Arabic name), Chrome and Firefox (in both of which the URL bar shows the encoded US-ASCII characters for the domain name). I tested using the Mac versions of these three browsers, and English is set as my preferred language. Arabic doesn't appear until much farther down on the list. The Safari experience looks nicer, but I suppose it leaves its users more susceptible to maliciously-constructed domain names that look similar to well-known ones. I wonder if they've addressed that issue in some way. I haven't been checking recently. - Geoff
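As an added example that is not part of the original thread: a small Python check, using only the standard library's idna codec and unicodedata, that converts a hostname between its punycode and Unicode forms and flags labels whose letters mix scripts (Latin beside Cyrillic, say), which is the class of look-alike name Geoff raises. The Egyptian name is the one quoted in the thread; the look-alike sample is constructed for this example.

```python
import unicodedata

# Arabic name quoted in the thread (Ministry of Communications, Egypt).
ARABIC_NAME = "وزارة-الأتصالات.مصر"
# Constructed look-alike: Latin "paypal" with the second letter replaced by
# Cyrillic small a (U+0430), which renders identically in most fonts.
LOOKALIKE = "p\u0430ypal.com"

# Characters that carry no script of their own and are legal in labels.
SCRIPT_NEUTRAL = set("-0123456789")


def to_punycode(hostname: str) -> str:
    """Encode a Unicode hostname label by label into its xn-- form."""
    return ".".join(
        label.encode("idna").decode("ascii") for label in hostname.split(".")
    )


def to_unicode(hostname: str) -> str:
    """Decode an ASCII (possibly punycoded) hostname back to Unicode."""
    return hostname.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Scripts used by a label, approximated by the first word of each
    character's Unicode name (LATIN, CYRILLIC, ARABIC, ...)."""
    scripts = set()
    for ch in label:
        if ch in SCRIPT_NEUTRAL:
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def mixed_script_labels(hostname: str) -> list:
    """Labels that draw letters from more than one script. Accepts either
    the punycode or the Unicode spelling of the name."""
    if all(ord(c) < 128 for c in hostname):
        hostname = to_unicode(hostname)
    return [label for label in hostname.split(".") if len(scripts_in(label)) > 1]


def assess(hostname: str) -> dict:
    """Report both spellings and the mixed-script verdict for a hostname.
    A single-script non-Latin name (the Arabic one here) is not flagged;
    whole-script confusables need a separate check and are out of scope."""
    unicode_form = to_unicode(hostname) if all(ord(c) < 128 for c in hostname) else hostname
    mixed = mixed_script_labels(unicode_form)
    return {
        "unicode": unicode_form,
        "punycode": to_punycode(unicode_form),
        "mixed_script_labels": mixed,
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    for name in (ARABIC_NAME, LOOKALIKE, "paypal.com"):
        print(assess(name))
```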
Re: Weekly Routing Table Report
On 4/16/10 11:28 AM, Franck Martin fra...@genius.com wrote: Would it not be time, to have the IPv6 equivalent of this table report? 5% of the Internet is IPv6, that's an interesting threshold that was just passed. I think that time has come :) Zaid
Re: Carrier class email security recommendation
I haven't seen the man ask support for messages/hour, 3M..10M..1B? Or maybe I missed this question? Zaid On 4/12/10 8:47 AM, Suresh Ramasubramanian ops.li...@gmail.com wrote: On Mon, Apr 12, 2010 at 8:45 PM, todd glassey tglas...@earthlink.net wrote: On 4/12/2010 7:22 AM, Suresh Ramasubramanian wrote: The man did say carrier class .. not small webhost for four families and dog. yes he did Suresh ... meaning that something larger and more secure than the off-the-shelf copy of Linux is needed. Funny the NSA and many others would disagree with you. I know of (and have been the postmaster for) multiple million user installations that run happily on linux + postfix (and sendmail, qmail..). None that run on one server running webmin, even a 3U server. or layered as stages within a new system design based on GPUs which allow for the specific assignment of threads of control to specific processes. Imagine a cloud type environment running in a single GPU with the ability to properly map threads to GPU threads. You don't have a single of anything at all for large and well scaled environments. OK our server is 3U but that was because I wanted bigger fans inside it... The 1U single TESLA based email GW is exactly what you describe - a 512 thread CUDA based GPU with serious capabilities therein. So how many users do you run on that one 3U box? 100K? 300K? A couple of million? :) The man said carrier class. And when you talk that you don't just talk features, you talk operations on a rather larger scale than what you're describing. --srs
Re: Carrier class email security recommendation
I think it is a perfectly reasonable question to ask in NANOG. If someone asks how much memory do I need on my router to do BGP, you have to ask the fundamental question of how big your routing table will be. I don't see this as any different. It's helpful to provide opinions when you are guided by some data :) Zaid On 4/12/10 9:06 AM, Suresh Ramasubramanian ops.li...@gmail.com wrote: It's NANOG and not an RFQ process or I'd have asked him that too :) On Mon, Apr 12, 2010 at 9:29 PM, Zaid Ali z...@zaidali.com wrote: I haven't seen the man ask support for messages/hour, 3M..10M..1B? Or maybe I missed this question?
Re: legacy /8
This sounds like Step 1: I have a wisdom tooth, it hurts on my right jaw and so I will chew from my left. Step 2: Take some pain killers. Step 3: Damn it hurts, I will ignore it and it will eventually heal. Step 4: Continue to take pain killers and perhaps if I sleep more it will grow in the right direction and everything will be fine. Step 5: Wake up, everything is fine. You will actually wake up without a toothache and things will seem fine except you now have teeth you don't actually need because they will cause blockage, hard to brush, floss constraints, many future dental trips etc. Your ancestors needed wisdom teeth in the stone age because they bit off more than they could chew, food was rough and coarse and teeth fell out easily. Through evolution diet changed and jaws eventually became smaller and humans chewed differently, so you don't need the protection of wisdom teeth. Given that understanding you can avoid 5 painful steps and go to a doctor to have it pulled out; slight extra pain in doing so but you gain healthier teeth. Leaving dentistry and coming back to IP, we have to think of what we want the future IP address model to be and how it affects the future of the Internet model. A lot of smart people have come together to bring the IPv6 solution, it works (not without flaws but neither did IPv4 in the early days) so let's work together in figuring out implementation and adoption. There is nothing stopping anyone from writing an RFC on an IP option for low order bits+NAT et al and to that I wish anyone well. Just make sure one addresses scaling/backward compatibility because it will be like not being able to predict what kind of food will get stuck around your oddly grown wisdom tooth that caused a hole and now needs a filling. Implementing IPv4 patches/NAT etc. will not harm or break the Internet model but the question is do we want this or do we want to implement IPv6, which may have a bit of pain now but is the right thing for the future.
Let's go where we want and have a healthy Internet, adopt IPv6 and phase out IPv4. Zaid P.s. Disclaimer: I have always been a network operator and never a dentist. I did build networks for a medical university many moons ago and often got into interesting discussions about medicine. On 4/3/10 11:11 PM, Vadim Antonov a...@kotovnik.com wrote: With all that bitching about IPv6 how come nobody wrote an RFC for a very simple solution to the IPv4 address exhaustion problem: Step 1: specify an IP option for extra low order bits of source and destination address. Add handling of these to the popular OSes. Step 2: make NATs which directly connect extended addresses but also NAT them to non-extended external IPs. Step 3: leave backbones unchanged. Gradually reduce size of allocated blocks forcing people to NAT as above. Step 4: watch people migrating their apps to extended addresses to avoid dealing with NAT bogosity and resulting tech support call costs. Step 5: remove NATs. --vadim
Re: legacy /8
On 4/3/10 9:12 PM, Owen DeLong o...@delong.com wrote: Uh, netflix seems fully functional to me on IPv6. What do you think is missing? Functional is the easy part and it seems Netflix has executed that well. I was implying that the v6 traffic rate might not be quite there yet which is what we saw with Google a while back but eventually v6 traffic started to multiply. I could be wrong here and happy to be corrected. Zaid
Re: legacy /8
On 4/4/10 6:44 AM, Leen Besselink l...@consolejunkie.net wrote: Out of the total number of emails received, 14% were received over IPv6, the rest over IPv4. It should be clear that the 14% received here is email to RIPE NCC servers. I don't think we have 14% of SMTP traffic out there coming via IPv6. Actual SMTP traffic may still be under 1%; I have done some work with a colleague to sample 0.5M domains, yielding 2% of MX records, and we heard similar data from other folks that ran a similar experiment. Seeing an uptick in quad-A MX records is still a good thing and tells us there is some form of migration, but SMTP over IPv6 will be really valuable data here. Has anyone collected and published data on this? Zaid
Re: legacy /8
On 4/4/10 2:04 PM, Vadim Antonov a...@kotovnik.com wrote: Zaid P.s. Disclaimer: I have always been a network operator and never a dentist. I would have thought the opposite. It is sometimes helpful to draw lessons from nature and other systems :) People who have been on this list longer would probably remember when I was playing in this sandbox. The real wisdom about networks is never try to change everything and everywhere at once. You either do gradual migration, or you end up in a big pile of poo. Which is what the IPv6 transition situation is. --vadim I too apply the same real wisdom and view IPv6 transition as a gradual migration and we are seeing a lot of success already with this approach; it's just that the adoption numbers are slower than we would like. I get a sense that our 5+ year IPv6 discussions have people worried and panicked that the best thing is to leave things as they are and insert NAT solutions, which makes me think we should perhaps spend less time on the advocacy part of the IPv6 solution and put our efforts on what we get out of implementation. Zaid
Re: legacy /8
They are not glowing because applications are simply not moving to IPv6. Google has two popular applications on IPv6, Netflix is on its way there but what are other application companies doing about it? A popular application like e-mail is so far behind [ref: http://eng.genius.com/blog/2009/09/14/email-on-ipv6/] and I still encounter registrars providing DNS service not supporting quad-As. I feel talking to network operators is preaching to the choir; the challenge is helping content providers think about moving to IPv6. <Sarcasm>I think we will only see success once we are able to successfully work with content providers but they are quite busy now building real technology like the Cloud</Sarcasm> Zaid On 4/3/10 2:22 PM, Frank Bulk frnk...@iname.com wrote: If every significant router on the market supported IPv6 five years ago, why aren't transit links glowing with IPv6 connectivity? If it's not the hardware, then I'm guessing it's something else, like people or processes? Frank -Original Message- From: Michael Dillon [mailto:wavetos...@googlemail.com] Sent: Saturday, April 03, 2010 1:07 PM To: Larry Sheldon Cc: nanog@nanog.org Subject: Re: legacy /8 Not often you hear something that has changed just about every aspect of life and enabled things that could not be imagined at its outset called a failure Sounds like you are describing the Roman Empire. It failed and that's why we now have an EU in its place. Things change. Time to move on. IPv4 has run out of addresses and we are nowhere near finished GROWING THE NETWORK. IPv6 was created to solve just this problem, and 10 years ago folks started deploying it in order to be ready. By 5 years ago, every significant router on the market supported IPv6. Now that we actually need IPv6 in order to continue network growth, most ISPs are in the fortunate position that their network hardware already supports it well enough, so the investment required is minimized. --Michael Dillon
Re: Gmail Down?
Seems like the contact portion only. Gmail is temporarily unable to access your Contacts. You may experience issues while this persists. Zaid On Sep 24, 2009, at 8:08 AM, Chris Gotstein wrote: Anyone else seeing Google's Gmail down right now? Seems to have been down since 10am CST. We are connected through Chicago. downforeveryoneorjustme.com is also reporting it's down. -- Chris Gotstein, Sr Network Engineer, UP Logon/Computer Connection UP http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com
Re: Multi-homed clients and BGP timers
From experience I found that you need to keep all the timers in sync with all your peers. Something like this for every peer in your bgp config: neighbor xxx.xx.xx.x timers 30 60 Make sure that this is communicated to your peer as well so that their timer settings are reflected the same. Zaid - Original Message - From: Steve Bertrand st...@ibctech.ca To: nanog list nanog@nanog.org Sent: Friday, May 22, 2009 3:45:20 PM GMT -08:00 US/Canada Pacific Subject: Multi-homed clients and BGP timers Hi all, I've got numerous single-site 100Mb fibre clients who have backup SDSL links to my PoP. The two services terminate on separate distribution/access routers. The CPE that peers to my fibre router sets a community, and my end sets the pref to 150 based on it. The CPE also sets a higher pref for prefixes from the fibre router. The SDSL router to CPE leaves the default preference in place. Both of my PE gear sends default-originate to the CPE. There is (generally) no traffic that should ever be on the SDSL link while the fibre is up. Both of the PE routers then advertise the learnt client route up into the core: *i208.70.107.128/28 172.16.104.22 0150 0 64762 i * i 172.16.104.23 0100 0 64762 i My problem is the noticeable delay for switchover when the fibre happens to go down (God forbid). I would like to know if BGP timer adjustment is the way to adjust this, or if there is a better/different way. It's fair to say that the fibre doesn't 'flap'. Based on operational experience, if there is a problem with the fibre network, it's down for the count. While I'm at it, I've got another couple of questions: - whatever technique you might recommend to reduce the convergence throughout the network, can the same principles be applied to iBGP as well? - if I need to down core2, what is the quickest and easiest way to ensure that all gear connected to the cores will *quickly* switch to preferring core1? Steve
partial routes for AS701 and AS3365
Anyone here doing partial routes with AS701 and AS3356? If so can you tell me how many routes you are receiving? Thanks, Zaid
Re: Yahoo and their mail filters..
I think a major reason why recipients click the 'Spam' button is because often times it's not obvious how to identify the opt out link in the email. You can perhaps put the opt out link at the top of the email so that the user clicks that instead of the 'Spam' button. There is also the issue of whether the user trusts the opt out link; I have been in discussions where data shows that most users don't generally trust it. On the subject of feedback loops I think that if you sign up to receive FBL emails then you must do something about it. I think it's useless to sign up for FBLs and not take any action because ESPs monitor FBL rate, so if they feel that you are not taking action then you can expect to see your emails go to a junk folder or be subjected to greylisting. Zaid - Original Message - From: Peter Beckman beck...@angryox.com To: Suresh Ramasubramanian ops.li...@gmail.com Cc: nanog@nanog.org Sent: Wednesday, February 25, 2009 12:28:46 PM GMT -08:00 US/Canada Pacific Subject: Re: Yahoo and their mail filters.. On Wed, 25 Feb 2009, Suresh Ramasubramanian wrote: On Wed, Feb 25, 2009 at 10:38 PM, Peter Beckman beck...@angryox.com wrote: Why the hell can't AOL integrate the standard listserv commands integrated into many subscription emails into a friggin' button in their email client, right next to Spam (or even in place of it) that says Unsubscribe? Because a lot of spammers would prefer that people simply unsub from their lists rather than they get blocked? And because unsub urls could lead to a lot of nastiness if there's a truly malicious spammer? And because .. [lots of other reasons] On Wed, Feb 25, 2009 at 10:38 PM, Peter Beckman ALSO wrote: I realize it could be used badly if globalized, but if AOL got off their duff and vetted some of the higher volume truly honest subscription emailers and allowed their emails to activate the Spam-Unsub button, it might save everyone some headaches.
As I said (but you clipped), the suggestion could (and would likely) be abused if turned on globally, but if AOL vetted some of the more popular subscription mailings where people were clicking spam rather than unsubscribe for trusted sources, it could work. There are a few (sender driven) initiatives to move towards a trusted unsubscribe, but .. I think in order for an Unsubscribe button to be implemented by Gmail, Yahoo, AOL, etc, there would have to be some sort of internally reviewed list of trusted senders for which each company had a mail admin contact for (technical implementation not applicable for this discussion). Working together to communicate openly about subscription email with trusted parties would help (in theory) to reduce the effects of clueless end users who lazily click Spam and cause headaches for both senders and receivers of legitimate subscription email. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
do I need to maintain with RADB?
Hi, need some advice here. Do I still need to maintain my objects (and pay) RADB? I use ARIN as source and all my route objects can be verified with a whois. Thanks, Zaid
Re: do I need to maintain with RADB?
It's not entirely free, since you have to pay an AS maintenance fee, and if you are assigned a netblock directly then you pay maintenance on that also. I would rather maintain everything in one place rather than paying an extra $495 to RADB if my BGP peers can source it from ARIN.

Zaid

- Original Message -
From: Bruce Robertson br...@greatbasin.net
To: NANOG list nanog@nanog.org
Sent: Thursday, February 19, 2009 2:07:31 PM GMT -08:00 US/Canada Pacific
Subject: Re: do I need to maintain with RADB?

> Is the ARIN registry free, then?
>
> Jon Lewis wrote:
>> On Thu, 19 Feb 2009, Zaid Ali wrote:
>>> Hi, need some advice here. Do I still need to maintain my objects (and pay) RADB? I use ARIN as source and all my route objects can be verified with a whois.
>>
>> If your objects are all maintained via another routing registry (ARIN's, altdb, etc.) and you don't care to maintain objects with radb.ra.net, then you do not need to pay RADB maintenance fees.
>>
>> --
>> Jon Lewis                | I route
>> Senior Network Engineer  | therefore you are
>> Atlantic Net             |
>> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: do I need to maintain with RADB?
Yes, but I wanted to get a feel from the community. I get a notification message from RADB to pay up, and I wanted to get a feel from providers. I am happy to take my question off the list :)

Zaid

- Original Message -
From: Bruce Robertson br...@greatbasin.net
To: Zaid Ali z...@zaidali.com
Cc: NANOG list nanog@nanog.org
Sent: Thursday, February 19, 2009 2:19:42 PM GMT -08:00 US/Canada Pacific
Subject: Re: do I need to maintain with RADB?

> But I pay for all that already, so it seems that using ARIN is a no-brainer.
>
> Zaid Ali wrote:
>> It's not entirely free, since you have to pay an AS maintenance fee, and if you are assigned a netblock directly then you pay maintenance on that also. I would rather maintain everything in one place rather than paying an extra $495 to RADB if my BGP peers can source it from ARIN.
>>
>> Zaid
>>
>> - Original Message -
>> From: Bruce Robertson br...@greatbasin.net
>> To: NANOG list nanog@nanog.org
>> Sent: Thursday, February 19, 2009 2:07:31 PM GMT -08:00 US/Canada Pacific
>> Subject: Re: do I need to maintain with RADB?
>>
>>> Is the ARIN registry free, then?
>>>
>>> Jon Lewis wrote:
>>>> On Thu, 19 Feb 2009, Zaid Ali wrote:
>>>>> Hi, need some advice here. Do I still need to maintain my objects (and pay) RADB? I use ARIN as source and all my route objects can be verified with a whois.
>>>>
>>>> If your objects are all maintained via another routing registry (ARIN's, altdb, etc.) and you don't care to maintain objects with radb.ra.net, then you do not need to pay RADB maintenance fees.
>>>>
>>>> --
>>>> Jon Lewis                | I route
>>>> Senior Network Engineer  | therefore you are
>>>> Atlantic Net             |
>>>> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: do I need to maintain with RADB?
Most of all my providers use a route registry, and if they don't I would question it. I am all for a route registry, but can we adopt one, or one of X registries, which I think is what is happening. For my ease of management I would like to use one and also pay (and budget) for one, since it's the same information (or should be).

Zaid

- Original Message -
From: Heather Schiller heather.schil...@verizonbusiness.com
To: Zaid Ali z...@zaidali.com
Cc: Jon Lewis jle...@lewis.org, NANOG list nanog@nanog.org
Sent: Thursday, February 19, 2009 3:21:13 PM GMT -08:00 US/Canada Pacific
Subject: Re: do I need to maintain with RADB?

> No. Use of a routing registry is not required.. ARIN's, RADB's or otherwise. You might want to check out this presentation: http://nanog.org/meetings/nanog44/abstracts.php?pt=ODg4Jm5hbm9nNDQ=nm=nanog44
>
> This is an entirely different statement from "Your globally unique IPs should be allocated to you in an RIR's database before someone routes them for you". For example 207.76.0.0/14 is allocated to us, you can see it in ARIN's whois, but it is not registered in ARIN's IRRD, or any other. As further proof - note that people publicly route resources that aren't registered in a routing registry database or even registered to them by an RIR at all: http://www.cidr-report.org/as2.0/#Bogons
>
> I'm not saying this is a good thing.. I would like to see the system drastically improved and secured.. I'm just pointing out how things actually work today. Check w/ your provider, but in most cases you will find that they don't use a route registry.
>
> --Heather
>
> Heather Schiller
> Verizon Business
> Customer Security
> 1.800.900.0241
> IP Address Management
> hel...@verizonbusiness.com
>
> Jon Lewis wrote:
>> On Thu, 19 Feb 2009, Zaid Ali wrote:
>>> Hi, need some advice here. Do I still need to maintain my objects (and pay) RADB? I use ARIN as source and all my route objects can be verified with a whois.
>>
>> If your objects are all maintained via another routing registry (ARIN's, altdb, etc.) and you don't care to maintain objects with radb.ra.net, then you do not need to pay RADB maintenance fees.
>>
>> --
>> Jon Lewis                | I route
>> Senior Network Engineer  | therefore you are
>> Atlantic Net             |
>> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
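The distinction Heather draws above, that a block visible as an allocation in ARIN whois is not the same thing as a route object in an IRR, is the check a peer actually runs before accepting an announcement. The following is an added example, not code from anyone in this thread: it parses RPSL route objects from constructed IRR whois output and classifies a (prefix, origin ASN) pair as registered with a matching origin, registered under a different origin, only covered by a less-specific object, or not registered at all, and lists which registries hold an exact object for a prefix (the question of whether a duplicate RADB object is still needed). The prefixes, ASNs, maintainer and source values are constructed placeholders.

```python
import ipaddress
import re

# Constructed RPSL route objects standing in for IRR whois output.
# Prefixes are RFC 5737 documentation space, ASNs are from the RFC 5398
# documentation range, and maintainer/source values are placeholders.
SAMPLE_IRR_OUTPUT = """\
route:          198.51.100.0/24
descr:          Example Net customer block (constructed)
origin:         AS64500
mnt-by:         MAINT-EXAMPLE
source:         ARIN

route:          198.51.100.0/24
descr:          Same block duplicated in a second registry (constructed)
origin:         AS64500
mnt-by:         MAINT-EXAMPLE
source:         RADB

route:          203.0.113.0/24
descr:          Example Net second block (constructed)
origin:         AS64501
mnt-by:         MAINT-EXAMPLE
source:         RADB
"""

# RPSL attribute line: "name:   value"
ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")


def parse_route_objects(text):
    """Split RPSL text on blank lines into objects and keep those that carry
    both a 'route:' and an 'origin:' attribute. Returns a list of dicts."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        objects.append(current)
    return [o for o in objects if "route" in o and "origin" in o]


def route_origin_status(objects, prefix, asn):
    """Classify an announcement against the route objects:
    'match'           exact-prefix object names this origin ASN
    'origin-mismatch' exact-prefix object(s) exist, none with this origin
    'covered-only'    only a less-specific object exists; prefix-list
                      generators that match route objects exactly would
                      not admit the more-specific announcement
    'unregistered'    no route object covers the prefix at all"""
    net = ipaddress.ip_network(prefix)
    asn = asn.upper()
    exact = [o for o in objects if ipaddress.ip_network(o["route"]) == net]
    if exact:
        if any(o["origin"].upper() == asn for o in exact):
            return "match"
        return "origin-mismatch"
    covering = []
    for o in objects:
        route = ipaddress.ip_network(o["route"])
        # subnet_of() raises on mixed address families, so compare versions first
        if route.version == net.version and net.subnet_of(route):
            covering.append(o)
    return "covered-only" if covering else "unregistered"


def registered_sources(objects, prefix):
    """Registries (source: attribute) holding an exact route object for prefix."""
    net = ipaddress.ip_network(prefix)
    return sorted({o.get("source", "?") for o in objects
                   if ipaddress.ip_network(o["route"]) == net})


if __name__ == "__main__":
    objs = parse_route_objects(SAMPLE_IRR_OUTPUT)
    for pfx, origin in [("198.51.100.0/24", "AS64500"),
                        ("203.0.113.0/24", "AS64500"),
                        ("198.51.100.128/25", "AS64500"),
                        ("192.0.2.0/24", "AS64500")]:
        print(pfx, origin, route_origin_status(objs, pfx, origin),
              registered_sources(objs, pfx))
```

Feed it real output from a `whois -h` query against an IRR mirror in place of the constructed sample and the same classification applies; an "origin-mismatch" on your own prefix is the case worth chasing, since a peer building filters from route objects will drop the announcement.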
Re: IPv6 Confusion
> You are arguing that ISPs should make changes without any obvious mechanism to guarantee some return on the investment necessary to pay for those changes.

Nail on the head, and the 800 pound gorilla in the room. Japan gave tax incentives which helped their ISPs to move to IPv6. Find a lazy lobbyist who can educate a senator to say that there will be no more tubes left on the internet and slide a tax incentive into the next stimulus package :)

Zaid

- Original Message -
From: David Conrad d...@virtualized.org
To: Mark Andrews mark_andr...@isc.org
Cc: NANOG list nanog@nanog.org
Sent: Tuesday, February 17, 2009 8:18:33 PM GMT -08:00 US/Canada Pacific
Subject: Re: IPv6 Confusion

> On Feb 17, 2009, at 3:55 PM, Mark Andrews wrote:
>> In other words ISPs need to enter the 21st century.
>
> Yeah, those stupid, lazy, ISPs. I'm sure they're just sitting around every day, kicking back, eating Bon Bons(tm), and thinking of all the new and interesting ways they can burn the vast tracts of ill-gotten profits they're obviously rolling in.
>
> Reality check: change in large scale production networks is hard and expensive. There needs to be a business case to justify making substantive changes. You are arguing that ISPs should make changes without any obvious mechanism to guarantee some return on the investment necessary to pay for those changes. This is a waste of time.
>
> In general, NAT is paid for by the end user, not the network provider. Migrating to IPv6 on the other hand is paid for entirely by the network provider. Guess which is easier to make a business case for?
>
> Note that I'm not saying I like the current state of affairs, rather I'm suggesting that jumping up and down demanding ISPs change because you think they're stuck in the last century is unlikely to get you very far.
>
> You want a concrete suggestion? Make configuring DDNS on BIND _vastly_ simpler, scalable to tens or hundreds of thousands of clients, and manageable by your average NOC staff.
>
> Regards,
> -drc
unsolicited name transfers from Godaddy
I have been receiving a high number of unsolicited domain transfer requests from Godaddy and have also written to Godaddy support about unsolicited domain transfer requests. Since I am not a Godaddy customer, I got a standard "talk to the hand". I have colleagues confirming that some similar chatter is also happening in the ICANN space with respect to Godaddy. Are folks here experiencing this also? Thanks, Zaid
Re: Private use of non-RFC1918 IP space
I don't consider IPv6 a popularity contest. It's about the motivation and the willingness to. Technical issues can be resolved if you and people around you are motivated to do so. I think there are some hard facts that need to be addressed when it comes to IPv6. Facts like:

1. How do we migrate to an IPv6 stack on all servers? I am talking about the thousands of servers that exist on people's networks that run SaaS, Financial/Banking systems.
2. How do we make old applications speak IPv6? There are some old back-end systems that run core functions for many businesses out there that don't really have any upgrade path, and I don't think people are thinking about this.

From a network perspective IPv6 adoption is just about doing it and executing with your fellow AS neighbors. The elephant in the room is the applications that ride on your network.

Zaid

- Original Message -
From: Roger Marquis marq...@roble.com
To: nanog@nanog.org
Sent: Tuesday, February 3, 2009 9:39:33 AM GMT -08:00 US/Canada Pacific
Subject: Re: Private use of non-RFC1918 IP space

> Stephen Sprunk wrote:
>> Patrick W. Gilmore wrote:
>>> Except the RIRs won't give you another /48 when you have only used one trillion IP addresses.
>>
>> Are you sure? According to ARIN staff, current implementation of policy is that all requests are approved since there are no defined criteria that would allow them to deny any. So far, nobody's shown interest in plugging that hole in the policy because it'd be a major step forward if IPv6 were popular enough for anyone to bother wasting it...
>
> Catch 22? From my experience IPv6 is unlikely to become popular until it fully supports NAT. Much as network providers love the thought of owning all of your address space, and ARIN of billing for it, and RFCs like 4864 of providing rhetorical but technically flawed arguments against it, the lack of NAT only pushes adoption of IPv6 further into the future.
>
> Roger Marquis
Re: Private use of non-RFC1918 IP space
Yes, we all go to NANOG meetings and talk about these solutions, but the change has to come from within. It's not just a technical solution. There has to be motivation and incentive for people to make this change.

Zaid

- Original Message -
From: Paul Timmins p...@telcodata.us
To: Zaid Ali z...@zaidali.com
Cc: Roger Marquis marq...@roble.com, nanog@nanog.org
Sent: Tuesday, February 3, 2009 10:22:16 AM GMT -08:00 US/Canada Pacific
Subject: Re: Private use of non-RFC1918 IP space

> Zaid Ali wrote:
>> I don't consider IPv6 a popularity contest. It's about the motivation and the willingness to. Technical issues can be resolved if you and people around you are motivated to do so. I think there are some hard facts that need to be addressed when it comes to IPv6. Facts like:
>>
>> 1. How do we migrate to an IPv6 stack on all servers? I am talking about the thousands of servers that exist on people's networks that run SaaS, Financial/Banking systems.
>
> Just upgrade your load balancer (or request a feature from your load balancer company) to map an external IPv6 address to a pool of IPv4 servers. Problem solved.
>
>> 2. How do we make old applications speak IPv6? There are some old back-end systems that run core functions for many businesses out there that don't really have any upgrade path, and I don't think people are thinking about this.
>
> Continue to run IPv4 internally for this application. There's no logical reason that IPv4 can't continue to coexist for decades. Heck, people still run IPX, right?
>
> -Paul
Re: XO Outage
I am seeing it on my end also:

traceroute: Warning: www.cnn.com has multiple addresses; using 157.166.224.25
traceroute to www.cnn.com (157.166.224.25), 64 hops max, 40 byte packets
 1  hq-rtr1.genius.local (64.244.66.1)  0.891 ms  0.429 ms  0.449 ms
 2  ip65-46-253-157.z253-46-65.customer.algx.net (65.46.253.157)  1.856 ms  2.860 ms  1.881 ms
 3  p3-0-0.mar2.fremont-ca.us.xo.net (207.88.80.181)  16.922 ms  2.041 ms  2.013 ms
 4  p4-3-0.rar2.sanjose-ca.us.xo.net (65.106.5.161)  2.637 ms  2.192 ms  2.823 ms
 5  p6-0-0.rar1.la-ca.us.xo.net (65.106.0.17)  10.308 ms  10.258 ms  10.386 ms
 6  207.88.13.22.ptr.us.xo.net (207.88.13.22)  10.931 ms  10.535 ms  10.037 ms
 7  *^C

Justin Sharp wrote:
> We are seeing some issues w/ XO/Savvis peering..
>
> Trace from XO to Savvis IP space (64.75.10.151)
>
> Keys:  Help   Display mode   Restart statistics   Order of fields   quit
>                                                   Packets               Pings
>  Host                                           Loss%   Snt   Last   Avg  Best  Wrst StDev
>  1. scrubbed                                      0.0%     6    0.6   0.5   0.4   0.6   0.1
>  2. ip65-44-114-97.z114-44-65.customer.algx.net   0.0%     6    1.3   1.3   1.2   1.4   0.1
>  3. ???
>
> Trace from Savvis to XO IP space (65.44.114.97)
>
>  Host                                           Loss%   Snt   Last   Avg  Best  Wrst StDev
>  1. scrubbed                                      0.0%    38    0.4   0.4   0.3   0.5   0.1
>  2. 64.41.199.129                                 0.0%    37    1.0  24.0   0.6 330.2  80.4
>  3. hr1-ge-7-47.santaclarasc5.savvis.net          0.0%    37    0.7   1.4   0.6  27.3   4.4
>  4. er1-te-1-0-0.sanjose3equinix.savvis.net       0.0%    37    0.7   5.2   0.6 140.3  23.2
>  5. cr1-tenge-0-7-5-0.sanfrancisco.savvis.net     2.7%    37    2.9   4.0   2.6  16.6   2.5
>  6. cr2-pos-0-0-3-3.dallas.savvis.net             0.0%    37   42.6  43.1  42.3  51.4   1.4
>  7. dpr1-ge-4-0-0.dallasequinix.savvis.net        0.0%    37   43.1  44.8  42.9  76.9   6.7
>  8. er1-te-2-1.dallasequinix.savvis.net           0.0%    37   43.3  49.2  42.8 233.6  31.6
>  9. 208.175.175.90                                0.0%    37   43.0  42.8  42.6  43.6   0.2
> 10. 65.106.1.102                                 75.0%    37   43.5  46.5  43.4  62.9   6.3
> 11. 65.106.1.101                                  0.0%    37   43.4  47.8  43.2 112.3  12.5
> 12. 65.106.0.41                                   0.0%    37   57.5  65.1  57.1 177.3  21.0
> 13. 65.106.1.73                                   0.0%    37   57.4  66.5  57.1 162.1  24.2
> 14. ???
>
> Trying to call into XO and they aren't even taking calls, they mention something about network issues in Spokane. Any ideas as to what is going on/ETA to fix?
>
> --Justin
Re: ICANN opens up Pandora's Box of new TLDs
I hear from my friends attending ICANN in Paris that there are tons of business folks who want to scoop up a gTLD. I haven't heard of anything that will be structured, so it looks like it will be a blood bath.

Zaid

On Jun 26, 2008, at 1:34 PM, Ken Simpson wrote:
> Two years ago I posed the question here about the need for TLDs (http://www.mcabee.org/lists/nanog/May-06/msg00110.html). I summarized that companies' IP (Intellectual Property) guidelines would never allow domain.org to exist if they owned domain.com (ibm.org vs. ibm.com). I felt that TLDs really represented a monetary harvesting scheme, as every new TLD forced companies to pay for yet another domain name (slowly milking businesses). At that time several knowledgeable folks commented that TLDs were necessary in the beginning due to the need to distribute queries.
>
> Now it seems ICANN has decided to add a new paradigm :-) How will a TLD like .ibm be handled now, and how is this different than what I proposed in 2006? How will ICANN be allocating these? An auction format? It will be a blood bath otherwise.. And for abuse and spam, this is a nightmare.
XO contact
Can someone from XO who handles this neighbor 65.46.253.157 help me out with a BGP session going down? This is the second time within a week where a misconfiguration of an ACL on XO's end is bringing down my BGP session with you, and it's frustrating to go through the normal tech support chain. Zaid