Re: Geolocation IP help

2024-05-22 Thread Sam Kretchmer
$100? All that gets you nowadays is a clubbing. (and no, not the Rush St bars 
type of clubbing)

On 5/22/24, 15:36, "Randy Bush" <ra...@psg.com> wrote:


> There is always talk to the local politician route so it gets raised
> in the state legislature.


this is illinois/chicago. you slip them a $100 bill under your driver's
license

Re: Geolocation IP help

2024-05-22 Thread Sam Kretchmer
I was trying to not make this that painful...

thanks

On 5/22/24, 15:34, "Mark Andrews" <ma...@isc.org> wrote:


There is always talk to the local politician route so it gets raised in the 
state legislature.


--
Mark Andrews


> On 23 May 2024, at 06:27, Sam Kretchmer <s...@coeosolutions.com> wrote:
>
> Yes, this was mentioned earlier too. I am just worried that the Illinois St 
> police don't update their database through any automated system, it has been 
> over 6 years since these IP's were transferred.
>
> Thanks!
>
> Sam
>
>
> On 5/22/24, 15:20, "Randy Bush" <ra...@psg.com> wrote:
>
>
>> You could try publishing Geo loc data per RFC8805
>> https://datatracker.ietf.org/doc/html/rfc8805 
>
>
> or, more specifically, 9092
>
>
> randy

Re: Geolocation IP help

2024-05-22 Thread Sam Kretchmer
Yes, this was mentioned earlier too. I am just worried that the Illinois St 
police don't update their database through any automated system, it has been 
over 6 years since these IP's were transferred.

Thanks!

Sam


On 5/22/24, 15:20, "Randy Bush" <ra...@psg.com> wrote:


> You could try publishing Geo loc data per RFC8805
> https://datatracker.ietf.org/doc/html/rfc8805 


or, more specifically, 9092


randy

Re: Geolocation IP help

2024-05-22 Thread Sam Kretchmer
I will look into this, but I’m not sure the Illinois St Police will get this 
info into their outdated DB.

Thanks


From: Chris 
Date: Wednesday, May 22, 2024 at 15:08
To: Sam Kretchmer 
Cc: "nanog@nanog.org" 
Subject: Re: Geolocation IP help

You could try publishing Geo loc data per RFC8805
https://datatracker.ietf.org/doc/html/rfc8805

-Chris

On Wed, May 22, 2024 at 3:04 PM Sam Kretchmer <s...@coeosolutions.com> wrote:
To anyone who might be able to help me reach someone clued at the State of 
Illinois website.

We (Coeo Solutions) had to acquire an IP block, 213.159.132.0/22, from RIPE 
many years ago. This was due to availability issues at the time for acquiring 
new IPs. This block was transferred to ARIN and assigned to Coeo. Before this 
transfer this IP block was sourced out of Dublin IRE. Now, the majority of 
Geo-location systems show these as being in the USA correctly, but, apparently 
whatever the Illinois State uses for their Geo-location verification is still 
showing these IPs as being located in Dublin, and because that is outside the 
USA, they are blocking access to my customers using these IPs. I have spent 
months sending emails and filing change requests with every Geo-location 
database service I can get to respond to me, but apparently none of them are 
what the St of Illinois uses for their Geo-location filtering.

Any assistance I can find in getting this issue resolved so all my users can 
have full access to the State of Illinois websites would be greatly appreciated!

Thanks
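
Chris's and Randy's pointers above (publish a geofeed per RFC 8805, and point the
registry object at it per RFC 9092) worked through as an added example. This is
not code from the thread or from any of the posters; it builds the CSV, checks it
for the mistakes that make consumers silently ignore a feed (host bits set in a
prefix, a prefix you don't actually hold, a region code that doesn't belong to
the country), and emits the RFC 9092 remark. The geofeed URL, the Chicago rows
and the owned-prefix list are assumptions for illustration; the /22 itself is
the one from the thread.

```python
"""Generate and sanity-check an RFC 8805 geofeed, plus the RFC 9092
'remarks: Geofeed <url>' line that points a whois/RPSL object at it."""
import csv
import io
import ipaddress

GEOFEED_HEADER = "# RFC 8805 geofeed: ip_prefix,alpha2code,region,city,postal_code"


def build_geofeed(rows):
    """rows: iterable of (prefix, alpha2, region, city, postal). Returns CSV text."""
    out = io.StringIO()
    out.write(GEOFEED_HEADER + "\n")
    writer = csv.writer(out, lineterminator="\n")
    for row in rows:
        writer.writerow(row)
    return out.getvalue()


def validate_geofeed(text, owned_prefixes):
    """Return a list of problems (empty means the feed passed).
    Checks the field count, that each prefix parses with no host bits set,
    that it sits inside a prefix we actually hold, that the country is an
    ISO 3166-1 alpha-2 code and the region an ISO 3166-2 code for that country."""
    owned = [ipaddress.ip_network(p) for p in owned_prefixes]
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment (RFC 8805)
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            problems.append(f"line {lineno}: expected 5 fields, got {len(fields)}")
            continue
        prefix, country, region, city, postal = fields
        try:
            net = ipaddress.ip_network(prefix, strict=True)   # reject 213.159.132.5/22
        except ValueError as exc:
            problems.append(f"line {lineno}: bad prefix {prefix!r} ({exc})")
            continue
        if not any(o.version == net.version and net.subnet_of(o) for o in owned):
            problems.append(f"line {lineno}: {net} is not inside a prefix we hold")
        if country and not (len(country) == 2 and country.isalpha() and country.isupper()):
            problems.append(f"line {lineno}: country {country!r} is not ISO 3166-1 alpha-2")
        if region and not (country and region.startswith(country + "-")):
            problems.append(f"line {lineno}: region {region!r} does not belong to {country!r}")
    return problems


def rpsl_geofeed_remark(url):
    """RFC 9092: the inetnum/NetRange covering the block carries
    'remarks: Geofeed <url>'; the URL has to be https."""
    if not url.startswith("https://"):
        raise ValueError("geofeed URL must be https")
    return "remarks: Geofeed " + url


# Constructed rows: the /22 from the thread, located in Illinois as an assumption.
EXAMPLE_ROWS = [("213.159.132.0/22", "US", "US-IL", "Chicago", "")]
EXAMPLE_URL = "https://example.net/geofeed.csv"   # assumption

if __name__ == "__main__":
    feed = build_geofeed(EXAMPLE_ROWS)
    print(feed, end="")
    print("problems:", validate_geofeed(feed, ["213.159.132.0/22"]))
    print(rpsl_geofeed_remark(EXAMPLE_URL))
```

Serve the file over HTTPS, put the remark in the RIPE inetnum: (or, for a
registry without a remarks: attribute, the object's comment field), and re-run
the validator as part of whatever publishes the file; a feed that fails to parse
is simply dropped by consumers, which looks exactly like "nobody is reading it".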



Geolocation IP help

2024-05-22 Thread Sam Kretchmer
To anyone who might be able to help me reach someone clued at the State of 
Illinois website.

We (Coeo Solutions) had to acquire an IP block, 213.159.132.0/22, from RIPE 
many years ago. This was due to availability issues at the time for acquiring 
new IPs. This block was transferred to ARIN and assigned to Coeo. Before this 
transfer this IP block was sourced out of Dublin IRE. Now, the majority of 
Geo-location systems show these as being in the USA correctly, but, apparently 
whatever the Illinois State uses for their Geo-location verification is still 
showing these IPs as being located in Dublin, and because that is outside the 
USA, they are blocking access to my customers using these IPs. I have spent 
months sending emails and filing change requests with every Geo-location 
database service I can get to respond to me, but apparently none of them are 
what the St of Illinois uses for their Geo-location filtering.

Any assistance I can find in getting this issue resolved so all my users can 
have full access to the State of Illinois websites would be greatly appreciated!

Thanks



Windstream Contact

2023-12-30 Thread sam via NANOG
Dear Nanog


I am currently investigating a connection issue we are experiencing with our 
Midwest office.

From what I can discern and based on the logs I have collected, it appears 
that the problem lies between Chicago and Lincoln, NE.

I am seeking assistance in establishing contact with a Windstream 
representative.

Feel free to send a private message off-list.


Re: U.S. test of national alerts on Oct. 4 at 2:20pm EDT (1820 UTC)

2023-10-05 Thread Sam Mulvey


On 10/4/23 12:14, Grant Taylor via NANOG wrote:
> I was kinda surprised that none of my NOAA weather radios went off. I
> sorta assumed they'd be tied into the whole "national" alert setup.
>
> That surprises me.
>
> Did the newer alert not get bridged into the same system that NOAA
> radios use?
>
> Is this by chance a Specific Area Message Encoding (S.A.M.E.)
> filtering / lack of data issue?
>
> Can anyone corroborate NOAA weather radios not alerting?


I was told this was intentional, as the intent was to test IPAWS and 
associated technologies vs. the NPT chain.   I work at a few small radio 
stations, so this was most of my day.


The FCC is mandating (very shortly) that broadcasters start weighting 
the digital alerts over the messages received from other radio stations, 
which is an upgrade that's going to cost us a bit.


-Sam


Re: Spectrum networks IPv6 access issue

2023-04-28 Thread Sam Thomas
Actual data from a Spectrum residential customer in DFW.

First, IPv4:

 trace dfw.source.kernel.org
traceroute to dfw.source.kernel.org (139.178.84.217), 64 hops max, 40
byte packets
 1  my.router  0.389 ms  0.350 ms  0.292 ms
 2  142-254-130-077.inf.spectrum.com (142.254.130.77)  8.423 ms  8.408
ms  8.080 ms
 3  lag-63.artrtx2801h.netops.charter.com (24.28.88.17)  27.167 ms
25.065 ms  21.977 ms
 4  lag-22.artntxaf01r.netops.charter.com (24.175.49.233)  10.718 ms
10.083 ms  15.886 ms
 5  lag-23.mcr11crtntxjt.netops.charter.com (24.175.36.224)  13.386 ms
 11.560 ms  11.297 ms
 6  lag-21.rcr01dllatx37.netops.charter.com (24.175.49.0)  11.339 ms
lag-28.rcr01dllatx37.netops.charter.com (24.175.33.246)  11.904 ms
 128.186 ms
 7  lag-414.dllstx976iw-bcr00.netops.charter.com (66.109.6.52)  12.603 ms
lag-14.dllstx976iw-bcr00.netops.charter.com (66.109.6.88)  12.172 ms
lag-414.dllstx976iw-bcr00.netops.charter.com (66.109.6.52)  12.299 ms
 8  lag-302.pr3.dfw10.netops.charter.com (209.18.43.77)  21.570 ms
lag-0.pr3.dfw10.netops.charter.com (66.109.5.121)  11.763 ms
lag-302.pr3.dfw10.netops.charter.com (209.18.43.77)  12.182 ms
 9  dls-b23-link.ip.twelve99.net (62.115.156.208)  11.515 ms *  11.706 ms
10  packethost-ic-369414.ip.twelve99-cust.net (213.248.72.3)  11.870
ms  30.246 ms  18.199 ms
11  * * *
12  * * *
13  dfw.source.kernel.org (139.178.84.217)  12.021 ms  12.076 ms  11.922 ms

ping dfw.source.kernel.org
PING dfw.source.kernel.org (139.178.84.217): 56 data bytes
64 bytes from 139.178.84.217: icmp_seq=0 ttl=50 time=11.590 ms
64 bytes from 139.178.84.217: icmp_seq=1 ttl=50 time=11.785 ms

IPv6:

 trace6 dfw.source.kernel.org
traceroute6 to dfw.source.kernel.org (2604:1380:4641:c500::1) from
2603:8080:REDACTED, 64 hops max, 20 byte packets
 1  2603-8080-REDACTED.res6.spectrum.com  0.404 ms  0.340 ms  0.322 ms
 2  2603-90c5-0003-000e----0001.inf6.spectrum.com  10.308
ms  7.901 ms  9.902 ms
 3  lag-63.artrtx2801h.netops.charter.com  17.008 ms  10.523 ms  11.077 ms
 4  lag-22.artntxaf01r.netops.charter.com  14.638 ms * *
 5  lag-23.mcr11crtntxjt.netops.charter.com  11.090 ms  11.612 ms  12.234 ms
 6  * * *
 7  lag-414.dllstx976iw-bcr00.netops.charter.com  12.572 ms *
lag-24.dllstx976iw-bcr00.netops.charter.com  12.160 ms
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  *^C

ping6 dfw.source.kernel.org
PING6(56=40+8+8 bytes) 2603:8080:REDACTED --> 2604:1380:4641:c500::1
^C
--- dfw.source.kernel.org ping6 statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

I have a Linode VM in Dallas that I also can't get to via IPv6.
Traffic appears to take the same path for IPv4.

On Wed, Apr 26, 2023 at 10:50 AM Tom Rini  wrote:
>
> Hey all,
>
> I'm posting this here in hopes of getting the attention of someone that
> can get this issue resolved, or at least an internal ticket filed. I've
> tried the customer-facing tech support and not been able to get such a
> thing done.
>
> In short, from within Spectrum's US IPv6 network (verified in both North
> Carolina and Ohio), dfw.source.kernel.org (2604:1380:4641:c500::1) is
> unreachable and connections time out. This site is otherwise fine and
> globally accessible via IPv6, tested on both Qwest and T-Mobile hosted
> systems.  This is a regression from some time in early April this year.
>
> --
> Tom
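
Added example, not from the thread: a small parser for the traceroute/traceroute6
output Sam posted, to make the "where does the v6 path die, and where does the
v4 path go from that router" question mechanical instead of eyeballed. It
re-joins the wrapped lines as they appear in mail, finds the last hop that
answered, counts the silent tail, and looks up which hop follows that router in
the working IPv4 path. The sample input is the page's own traceroute output,
trimmed; the repeated `* * *` hops are generated rather than pasted.

```python
"""Parse traceroute/traceroute6 output, find where a path stops answering,
and line the dead IPv6 path up against the working IPv4 one."""
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(?!ms\b)(\S.*)$")   # ' 7  host ...' but not ' 128.186 ms'
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")
# dotted names containing at least one letter, so bare IPs and RTT values are skipped
HOST_RE = re.compile(r"\b(?=[^\s()]*[A-Za-z])[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")


def parse_traceroute(text):
    """Return [{'n', 'hosts', 'rtts_ms'}] per hop; wrapped lines are re-joined first."""
    entries = []
    for raw in text.splitlines():
        m = HOP_RE.match(raw)
        if m and int(m.group(1)) == len(entries) + 1:
            entries.append(m.group(2))
        elif entries:                          # continuation of the previous hop
            entries[-1] += " " + raw.strip()
    return [{"n": n,
             "hosts": list(dict.fromkeys(HOST_RE.findall(body))),
             "rtts_ms": [float(x) for x in RTT_RE.findall(body)]}
            for n, body in enumerate(entries, 1)]


def diagnose(text, target):
    """Summarise one trace: last answering hop, whether the target was reached,
    and how many consecutive hops at the end were silent."""
    hops = parse_traceroute(text)
    answered = [h for h in hops if h["rtts_ms"]]
    last = answered[-1] if answered else None
    last_n = last["n"] if last else 0
    return {
        "total_hops": len(hops),
        "last_responding_hop": last_n,
        "last_responding_host": last["hosts"][0] if last and last["hosts"] else None,
        "reached": bool(last) and target in last["hosts"],
        "silent_tail": len(hops) - last_n,
    }


def next_hop_after(hops, host):
    """The hop that follows `host` in another path (where v4 goes after the last v6 responder)."""
    for current, following in zip(hops, hops[1:]):
        if host in current["hosts"]:
            return following
    return None


V4_TRACE = """\
traceroute to dfw.source.kernel.org (139.178.84.217), 64 hops max, 40 byte packets
 1  my.router  0.389 ms  0.350 ms  0.292 ms
 2  142-254-130-077.inf.spectrum.com (142.254.130.77)  8.423 ms  8.408
ms  8.080 ms
 3  lag-63.artrtx2801h.netops.charter.com (24.28.88.17)  27.167 ms  25.065 ms  21.977 ms
 4  lag-22.artntxaf01r.netops.charter.com (24.175.49.233)  10.718 ms  10.083 ms  15.886 ms
 5  lag-23.mcr11crtntxjt.netops.charter.com (24.175.36.224)  13.386 ms  11.560 ms  11.297 ms
 6  lag-21.rcr01dllatx37.netops.charter.com (24.175.49.0)  11.339 ms
lag-28.rcr01dllatx37.netops.charter.com (24.175.33.246)  11.904 ms
 128.186 ms
 7  lag-414.dllstx976iw-bcr00.netops.charter.com (66.109.6.52)  12.603 ms
lag-14.dllstx976iw-bcr00.netops.charter.com (66.109.6.88)  12.172 ms
 8  lag-302.pr3.dfw10.netops.charter.com (209.18.43.77)  21.570 ms
lag-0.pr3.dfw10.netops.charter.com (66.109.5.121)  11.763 ms
 9  dls-b23-link.ip.twelve99.net (62.115.156.208)  11.515 ms *  11.706 ms
10  packethost-ic-369414.ip.twelve99-cust.net (213.248.72.3)  11.870
ms  30.246 ms  18.199 ms
11  * * *
12  * * *
13  dfw.source.kernel.org (139.178.84.217)  12.021 ms  12.076 ms  11.922 ms
"""

V6_TRACE = """\
traceroute6 to dfw.source.kernel.org (2604:1380:4641:c500::1) from 2603:8080:REDACTED, 64 hops max, 20 byte packets
 1  2603-8080-REDACTED.res6.spectrum.com  0.404 ms  0.340 ms  0.322 ms
 2  2603-90c5-0003-000e----0001.inf6.spectrum.com  10.308
ms  7.901 ms  9.902 ms
 3  lag-63.artrtx2801h.netops.charter.com  17.008 ms  10.523 ms  11.077 ms
 4  lag-22.artntxaf01r.netops.charter.com  14.638 ms * *
 5  lag-23.mcr11crtntxjt.netops.charter.com  11.090 ms  11.612 ms  12.234 ms
 6  * * *
 7  lag-414.dllstx976iw-bcr00.netops.charter.com  12.572 ms *
lag-24.dllstx976iw-bcr00.netops.charter.com  12.160 ms
""" + "".join(f"{n:2d}  * * *\n" for n in range(8, 19)) + "19  *^C\n"

if __name__ == "__main__":
    v6 = diagnose(V6_TRACE, "dfw.source.kernel.org")
    print("v4:", diagnose(V4_TRACE, "dfw.source.kernel.org"))
    print("v6:", v6)
    print("v4 continues to:", next_hop_after(parse_traceroute(V4_TRACE), v6["last_responding_host"])["hosts"])
```

On this input the v6 path last answers from the same Charter dllstx976iw-bcr00
router that sits at hop 7 of the v4 path, and the v4 path's next hop is the
pr3.dfw10 border pair; that is the router name to put in a ticket rather than
"IPv6 is broken".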


Yahoo Mail admin assistance

2022-12-14 Thread Sam Roche
If someone from the Yahoo mail admin team is on the list, could you please 
reach out to me privately? We had an issue where our customer SMTP server was 
turned into an open relay for a short period of time. The issue was resolved a 
couple of weeks ago, however our customers with Yahoo email addresses are still 
having our invoices go to their spam folder.

Thanks in advance for your assistance.

Sam.

Sam Roche
Manager, Network Operations
196 Taylor Road, Bracebridge, ON P1L 1J9
Support: supp...@lakelandnetworks.com  705-640-0556 TF: 1-844-444-4249
Direct: sro...@lakelandnetworks.com  705-640-0086 | https://www.lakelandnetworks.com/faqs/
Lakeland Networks <http://www.lakelandnetworks.com/>



Re: ipv4/25s and above

2022-11-16 Thread Sam Kretchmer
Dave,

I work for a smaller ISP in the Midwest with clients coast-to-coast. I deliver 
internet to about two-thirds of them over private ethernet circuits, the rest I 
deliver private addressed SIP service. Aside from a handful of them who advertise 
their own /24 to me over BGP, the rest are exclusively smaller than that. /29's 
and /30's are the most common, with a peppering of /28's and /27's. My total IP 
space is about a /19.

Cheers!


On 11/16/22, 8:41 AM, "NANOG on behalf of Dave Taht" 
 wrote:

I am kind of curious as to the distribution of connections to smaller
companies and other entities that need more than one ipv4 address, but
don't run BGP. So, for as an ISP or infrastructure provider, what is
the typical percentage nowadays of /32s /31s /30s... /25s of stuff
that gets run "elsewhere"?

Is there any correlation between the number of IPs a customer gets and
the amount of bandwidth they buy?

Obviously "retail", home use is /32s and there's an increasing amount
of CGNAT, but I can't help but imagine there are thousands of folk
running /27s and /29s for every /24 or /22 out there.

I've been paying 15/month for a /29 for forever, but barely use it.

-- 
This song goes out to all the folk that thought Stadia would work:

https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-698135607352320-FXtz
Dave Täht CEO, TekLibre, LLC



Re: Contact data for outlook.com

2021-03-10 Thread sam
Good news on our front, Microsoft did respond to cCircleNet's request 
and has cleared the issue.

Thanks for all of the feedback.

Sam Moats

On 2021-03-10 03:50, Arne Jensen wrote:

Here are some suggestions for improvements, for both of you, below...

Many postmasters (/networks) out there, are actually very strict on RFC
/ BCP compliance, where the slightest violation equals potentially
severe consequences:

Looking at circlenet.us, the domain itself has the caveat of going
directly against the Internet's RFC2182 / Best Current Practice #16.

... Are you by any chance using "Mail in a Box", or any of the other
packages, where the maintainers do not wish to follow standards / BCP's,
but instead suggest their users ignore those?

-> https://discourse.mailinabox.email/t/dnswl-org-recommendations/667

Those "temporary network glitches" the author actually mentions having
"from time to time" are the exact consequence of violating the RFC2182 /
Best Current Practice #16.

I would be very happy to see the whole world reject for such things like
that. Or said in another way: if you don't care enough about your own
stuff - why should any third party care about it, at all? :)

Next, it seems like your mail server DKIM signed your message, however,
there is no DKIM record on the relevant "mail._domainkey.circlenet.us."
TXT record, it yells DKIM.

Literally, for what seems to be against all kind of advice from the
whole email community, it seems like your server is actually rewriting
the client's original IP address ("Received:" header), to one of your
server's IP addresses, perhaps for some privacy reasons:


Received: from authenticated-user (mail.circlenet.us [51.222.96.171])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 (No client certificate requested)
 by mail.circlenet.us (Postfix) with ESMTPSA id 59CE72A001B;
 Tue,  9 Mar 2021 12:07:56 +0000 (UTC)

When Google (MX records of @NANOG.ORG) got your message, it arrived to
Google, from another IP address, with a dynamic / generic looking
hostname. This IP address was not authorized by your SPF record.

Received: from mail.circlenet.us (ip169.ip-51-222-96.net. [51.222.96.169])
 by mx.google.com with ESMTPS id i8si2272841qki.324.2021.03.09.04.07.57
 for 
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 09 Mar 2021 04:07:57 -0800 (PST)

Received-SPF: neutral (google.com: 51.222.96.169 is neither permitted nor
 denied by domain of s...@circlenet.us) client-ip=51.222.96.169;

Authentication-Results: mx.google.com;
 dkim=temperror (no key for signature) header.i=@circlenet.us header.s=mail
 header.b=WCzH8ira;
 spf=neutral (google.com: 51.222.96.169 is neither permitted nor denied by
 domain of s...@circlenet.us) smtp.mailfrom=s...@circlenet.us


Literally no kind of authentication (valid SPF, valid DKIM, ...), at all.

Rumours goes that Outlook.com is strict at SPF.

Ideally, your SMTP HELO/EHLO name should be identical to the PTR,
"mail.circlenet.us" is not equal to "ip169.ip-51-222-96.net" above.

For both of you, I would actually lean towards cleaning up / maintaining
your SPF records a little better:

- Always use ip6: ip4: directives for your own (static) mail servers.
- Then add the include: or whatever mechanisms that your third parties
require you to, for example "include:_spf.google.com", *** if they are
really needed, at that specific (sub)domain level ***.
- Then end your record, preferably with "-all" (hardfail), but
absolutely minimum of softfail. As restrictive as possible.

Sam, it sounds like you have at least the IPv4 /30 subnet (adapt it to
match your subnet), so a SPF like this, would be what I would do for
"circlenet.us":


"v=spf1 ip4:51.222.96.168/30 ip4:23.25.121.0/24 ip4:173.230.144.119/32
-all"


Dan, as for yours, on "omnigo.com":


v=spf1 ***mx*** ***a*** ***ip4:13.89.36.13/32*** ip4:13.110.6.214/32
ip4:168.61.173.54/32 ip4:23.99.213.249/32 ip4:207.164.169.226/32
ip4:54.174.52.85/32 ip4:68.185.106.96/28 ip4:63.246.31.7/32
ip4:13.78.237.56/32 ip4:13.108.0.0/14 ***a:smtp01.omnigo.com***
include:aspmx.pardot.com include:spf.protection.outlook.com
include:_spf.salesforce.com ***~all***

***mx***: You are using Office 365 as inbound (MX) records, the bigger
ones are separate inbound/outbound servers, so take away this useless one.

***a***: You are proxying your domain over CloudFlare, CloudFlare will
never send any emails on your domain's behalf, so take away this useless
one.
***ip4:13.89.36.13/32***: See next, but chances are you should leave
this one.
***a:smtp01.omnigo.com***: This one literally duplicates the previous,
already authorized IP address, meaning you are authorizing
"ip4:13.89.36.13/32" twice, so take away this useless one.
***~all***: I would also here lean towards e.g. -all (hardfail).


I have been running "-all&quo
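
Arne's SPF walk-through above, as an added example that is not part of the
thread: a small RFC 7208 evaluator with DNS injected as a dict, so you can see
exactly why Google returned `neutral` for 51.222.96.169 and what the proposed
`ip4:... -all` record would return instead, without touching live DNS. The
"before" record (`v=spf1 a mx ?all`) is an assumption standing in for whatever
circlenet.us published at the time; the "after" record is the one Arne
proposed, and the addresses are the ones quoted in the headers above. The
`a`/`mx` mechanisms are simplified to addresses already in the table, and
`exists:`/`ptr:` are not modelled.

```python
"""Evaluate an SPF record (RFC 7208) against a connecting IP, with DNS
injected as a dict so the check runs offline and is unit-testable.
Supported mechanisms: ip4, ip6, a, mx, include, all. For a/mx the lookup
table already holds the resolved addresses (a simplification)."""
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split 'v=spf1 ip4:... -all' into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"                       # no qualifier means '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        mechanisms.append((qualifier, name.lower(), argument))
    return mechanisms


def _in_cidr(ip, argument, default_prefixlen):
    network, _, prefixlen = argument.partition("/")
    return ip in ipaddress.ip_network(f"{network}/{prefixlen or default_prefixlen}", strict=False)


def evaluate_spf(domain, client_ip, dns, depth=0):
    """Return (result, matched_term). `dns` maps a domain to
    {"txt": spf_record, "a": [addresses], "mx": [addresses]}."""
    if depth > 10:                            # RFC 7208 caps DNS-querying terms
        return "permerror", "too many includes"
    record = dns.get(domain, {}).get("txt")
    if record is None:
        return "none", None
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, argument in parse_spf(record):
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip.version == 4 and _in_cidr(ip, argument, 32)
        elif name == "ip6":
            matched = ip.version == 6 and _in_cidr(ip, argument, 128)
        elif name in ("a", "mx"):
            target = argument.split("/")[0] or domain
            matched = any(ipaddress.ip_address(h) == ip for h in dns.get(target, {}).get(name, []))
        elif name == "include":
            matched = evaluate_spf(argument, client_ip, dns, depth + 1)[0] == "pass"
        else:
            continue                          # exists:, ptr: etc. not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier], qualifier + name + (":" + argument if argument else "")
    return "neutral", None                    # nothing matched: default result


def helo_matches_ptr(helo_name, ptr_name):
    """The HELO/PTR alignment point from the thread: both names should agree."""
    return helo_name.rstrip(".").lower() == ptr_name.rstrip(".").lower()


# Constructed lookup tables. DNS_BEFORE is an assumption about the record that
# produced the neutral result quoted above; DNS_AFTER is the proposed record.
DNS_BEFORE = {
    "circlenet.us": {"txt": "v=spf1 a mx ?all",
                     "a": ["51.222.96.171"], "mx": ["51.222.96.171"]},
}
DNS_AFTER = {
    "circlenet.us": {"txt": "v=spf1 ip4:51.222.96.168/30 ip4:23.25.121.0/24 "
                            "ip4:173.230.144.119/32 -all"},
    "third-party.example": {"txt": "v=spf1 include:circlenet.us ~all"},   # assumed sender
}

if __name__ == "__main__":
    for label, dns in (("before", DNS_BEFORE), ("after", DNS_AFTER)):
        print(label, evaluate_spf("circlenet.us", "51.222.96.169", dns))
    print("helo/ptr aligned:", helo_matches_ptr("mail.circlenet.us", "ip169.ip-51-222-96.net"))
```

Note the failure mode the thread hit: `.169` is the address the outbound hop
actually used, `.171` is the one the server names itself after, and an `a`/`mx`
based record only ever covers the latter. Listing the whole /30 with `ip4:` and
closing with `-all` makes the record say what the operator means.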

Re: Contact data for outlook.com

2021-03-09 Thread sam
You are not alone sir, for reasons as yet unknown outlook.com has 
recently started blocking my range as well.
If I make progress in contacting someone with clue I will pass that 
information along privately.


Sam Moats

On 2021-03-08 16:18, Dan Walters via NANOG wrote:

Good afternoon,

So I'm looking for a contact at Microsoft in particular someone on the
outlook spam protection/prevention team to assist us with an IP block.
I have already signed up for SNDS and there is no data given.
Please feel free to contact me off the list.

Best Regards,

Daniel Walters


RE: Measuring packet loss and Latency Between eastern Europe and north america

2020-03-30 Thread Sam Roche
We use Ping Plotter for similar analysis which may help you.

http://www.pingplotter.com/

Sam Roche – Supervisor of Network Operations
Support: supp...@lakelandnetworks.com  705-640-0556 TF: 844.444.4249
Direct: sro...@lakelandnetworks.com  705-640-0086  | https://www.lakelandnetworks.com/faqs/

From: NANOG  On Behalf Of LTGJAMAICA
Sent: Friday, March 27, 2020 7:55 PM
To: NANOG@nanog.org
Subject: Measuring packet loss and Latency Between eastern Europe and north 
america

I have a customer in eastern Europe accessing a SaaS application hosted in one 
of Azure's North America datacenters. For the past few days, every morning 
between 3am and 6am EST, performance slows to a crawl. This is about 8am to 11am 
locally for this person, so they can't get much done.

The local ISP is providing 100mbps up/down.

So far, a speed test to the SaaS provider's speed test page is slow: 0.02mbps 
down, 6 mbps up.

Speedtest.net to North American ISPs like Verizon in New York: slow.

Speedtest to servers in eastern Europe: 100 up, 100 down.

Traceroutes/MTR don't help because a lot of hops seem to drop ICMP packets.

Need a tool or service that can detect packet loss/latency between a provider in 
eastern Europe and a North American service provider. Any help is appreciated.
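
An added example, not from the thread or from PingPlotter, of what a tool for
the situation quoted above has to do: probe with TCP connects rather than ICMP
(the far end's own stack answers the SYN, so hops that drop ICMP don't matter),
and bucket the results by hour so a "03:00 to 06:00 EST every day" pattern shows
up as a few bad rows instead of a smeared average. `SAMPLE_RECORDS` is
constructed data so the summary code runs offline; `run()` does the live
probing. The host and port are whatever the customer actually connects to, and
the thresholds are yours to set.

```python
"""Hour-bucketed loss/latency probing over TCP connect, for paths where
intermediate hops drop ICMP and traceroute/MTR say nothing useful."""
import math
import socket
import statistics
import time
from datetime import datetime, timezone


def tcp_probe(host, port=443, timeout=2.0):
    """One sample: seconds to complete a TCP handshake, or None on timeout/refusal."""
    started = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - started
    except OSError:
        return None


def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(pct / 100 * len(ordered)) - 1)]


def summarize(samples):
    """samples: RTT seconds or None per probe. Returns loss %, p50/p95 and jitter in ms."""
    if not samples:
        return {"sent": 0, "loss_pct": 0.0}
    rtts_ms = [s * 1000 for s in samples if s is not None]
    summary = {"sent": len(samples),
               "loss_pct": round(100 * (1 - len(rtts_ms) / len(samples)), 1)}
    if rtts_ms:
        summary["p50_ms"] = percentile(rtts_ms, 50)
        summary["p95_ms"] = percentile(rtts_ms, 95)
        # mean absolute change between consecutive successful samples
        summary["jitter_ms"] = (statistics.mean(abs(a - b) for a, b in zip(rtts_ms, rtts_ms[1:]))
                                if len(rtts_ms) > 1 else 0.0)
    return summary


def summarize_by_hour(records):
    """records: (unix_timestamp, rtt_seconds_or_None). Buckets by UTC hour."""
    buckets = {}
    for ts, rtt in records:
        hour = datetime.fromtimestamp(ts, timezone.utc).hour
        buckets.setdefault(hour, []).append(rtt)
    return {hour: summarize(samples) for hour, samples in sorted(buckets.items())}


def run(host, port=443, count=60, interval=1.0, probe=tcp_probe):
    """Collect `count` timestamped samples against host:port; run it from the
    customer's side for a day and feed the list to summarize_by_hour()."""
    records = []
    for _ in range(count):
        records.append((time.time(), probe(host, port)))
        time.sleep(interval)
    return records


# Constructed data: a healthy 05:00 UTC hour and a degraded 07:00 UTC hour
# (07:00 UTC is 03:00 EDT, the window the question describes).
_BASE = datetime(2020, 3, 27, tzinfo=timezone.utc)


def _ts(hour, minute):
    return _BASE.replace(hour=hour, minute=minute).timestamp()


SAMPLE_RECORDS = [
    (_ts(5, 0), 0.120), (_ts(5, 1), 0.118), (_ts(5, 2), 0.122), (_ts(5, 3), 0.119),
    (_ts(7, 0), 0.400), (_ts(7, 1), None), (_ts(7, 2), 0.900), (_ts(7, 3), None),
]

if __name__ == "__main__":
    for hour, stats in summarize_by_hour(SAMPLE_RECORDS).items():
        print(f"{hour:02d}:00 UTC", stats)
```

Run it from a box on the customer's LAN against the SaaS front end and, in
parallel, against something in eastern Europe; if only the transatlantic bucket
degrades at 07:00 UTC the ISP's peering is where to point, and the per-hour table
is what their NOC will actually read.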

Anyone from OpenDNS

2019-05-28 Thread sam

Good afternoon list,
Anyone on the list from OpenDNS willing to contact me offlist? Somehow 
my $dayjob's SSL cert is being munged on your service.


Thank you
Sam Moats


RE: Purchasing IPv4 space - due diligence homework

2019-04-03 Thread Sam Roche
I used this gentleman’s Powershell script and modified it slightly to check a 
block last summer. The broker we were using said that they also did their due 
diligence on the addresses, but I wanted to do our own because of the cost of 
the IPs.

https://www.saotn.org/powershell-blacklist-check-script/

We worked with the Brander Group as a broker. They were great and have since 
launched a portal/storefront I believe.

Kind regards,

Sam.

From: NANOG  On Behalf Of John Alcock
Sent: Wednesday, April 3, 2019 11:34 AM
To: Torres, Matt 
Cc: nanog@nanog.org
Subject: Re: Purchasing IPv4 space - due diligence homework

Well,

I did all three above and still had issues.  I am still having issues.  I had 
to contact many people to get off of various blacklists, etc.  These are lists 
that are not published and you will not know until you start using the space.

Luckily, I have had great help from the list here in getting support and in 
some cases back-channel support.

The hard part is getting a hold of the right people.

For example:

Softlayer/IBM was initially blocking my ip space.  But, it was not really them. 
 It was NTT on behalf of Softlayer.  The request has to come from Softlayer.  
That has been resolved.  I honestly do not even know who to thank.

I am currently fighting the same issue with playstation.com.  Akamai is 
blocking access on behalf of Sony.  The request has to come from Sony.  After 
many emails with abuse@playstation, I am making headway.  Problem is not solved 
yet, but I believe they are making headway. Luckily Akamai opened a ticket and 
told me what to tell the Sony NOC.


Right now, I am fighting some odd ball blocks.  Several mobile banking sites.  
There is not even a support number.  I am having to try and use the NOC/Abuse 
contacts via ARIN first and not having any luck.  Try calling a bank and 
telling them that you are a network engineer and can not access their sites.  
That goes downhill pretty quick. If you can get past the first line of tech 
support it is a challenge.  "Have you cleared your cookies?  You need to call 
your ISP", then you get a 2nd line person who basically blows you off.

Here is the thing.  You will have problems.  Just be prepared to make lots of 
phone calls and send lots of emails.  Once you get to the right person, things 
can get a moving.

John


On Wed, Apr 3, 2019 at 11:20 AM Torres, Matt via NANOG <nanog@nanog.org> wrote:
All,
Side stepping a migration to IPv6 debate…. I'd like to hear advice from the 
group about performing due diligence research on an IPv4 block before 
purchasing it on the secondary market (on behalf of an end-user company). My 
research has branched into two questions: a) What 'checks' should I perform?, 
and b) what results from those checks should cause us to walk away?

My current list is:

  1.  Check BGP looking glass for route. It should not show up in the Internet 
routing table. If it does, walk away.
  2.  Check the ARIN registry. The longer history without recent transfers or 
changes is better. I don’t know what explicit results should cause me to walk 
away here.
  3.  Check SORBS blacklisting. It should not show up except maybe the DUHL 
list(?). If it does, walk away.

Anything else? Advice?
Thanks,
Matt
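
Sam's and Matt's point about checking blocklists before the money changes hands,
as an added example (not the PowerShell script Sam linked, and not anything from
the thread): a DNSBL sweep over a whole prefix with the resolver injectable, so
the interpretation logic can be tested offline and the same code queries real
lists when handed the default resolver. The zone names are public lists a
practitioner would commonly query (each has its own volume policy); the
`FAKE_DNS` answers and the 192.0.2.0/24 addresses are constructed. The one thing
the PowerShell one-liners tend to get wrong is also handled: a `127.255.255.x`
answer from Spamhaus means your query was refused (open resolver, over quota), not
that the address is listed.

```python
"""DNSBL sweep for an IPv4/IPv6 block before buying it (or after, to see what
still needs delisting). The resolver is injectable so the logic runs offline;
pass the default to query real lists."""
import ipaddress
import socket

# Public zones commonly checked; each has its own usage/volume policy.
ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net")


def dnsbl_query_name(ip, zone):
    """Reverse the address the way DNSBLs expect: octets for v4, nibbles for v6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def resolve_a(name):
    """Live lookup: an A record means 'listed', NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, zones=ZONES, resolve=resolve_a):
    """Return (listings, anomalies): listings maps zone -> answer code;
    anomalies records answers that are not a real listing."""
    listings, anomalies = {}, {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        if answer.startswith("127.255.255."):
            anomalies[zone] = f"query refused/rate limited ({answer})"
        elif answer.startswith("127."):
            listings[zone] = answer
        else:
            anomalies[zone] = f"non-loopback answer {answer}: wildcard or dead zone"
    return listings, anomalies


def check_block(prefix, zones=ZONES, resolve=resolve_a, limit=None):
    """Sweep every address in `prefix` (or the first `limit`). Returns
    ({ip: listings} for listed addresses, set of zones whose answers were anomalous)."""
    listed, bad_zones = {}, set()
    for i, addr in enumerate(ipaddress.ip_network(prefix)):
        if limit is not None and i >= limit:
            break
        listings, anomalies = check_ip(str(addr), zones, resolve)
        if listings:
            listed[str(addr)] = listings
        bad_zones.update(anomalies)
    return listed, bad_zones


# Constructed answers standing in for DNS, using TEST-NET-1 addresses.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",        # a real listing code
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "3.2.0.192.zen.spamhaus.org": "127.255.255.254",   # refused, not a listing
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    listed, bad = check_block("192.0.2.0/28", resolve=fake_resolve)
    print("listed:", listed)
    print("zones that refused or misbehaved:", bad)
```

Two listed addresses out of a /22 is a delisting chore; a listing that covers the
whole block, or a zone in the anomalies set you can't explain, is the "walk away
or renegotiate" signal Matt asked about. SORBS DUHL is the one list where a hit
on a block destined for static assignment is normal.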



DAZN Geolocation issue

2018-11-19 Thread Sam Roche
Are there any DAZN contacts on-list? We are having geolocation issues with a 
few IP blocks we purchased last summer.

Please contact me off list.

Thanks,

Sam.

Sam Roche | Supervisor of Network Operations |  Lakeland Networks
Support: supp...@lakelandnetworks.com  705-646-1846 | Direct: 
sro...@lakelandnetworks.com  705-640-0086  |  www.lakelandnetworks.com



Re: NANOG Security Track: Route Security

2018-09-30 Thread Sam Oduor
Hi

Any online link available for remote participation or viewing ?

On Sun, Sep 30, 2018 at 7:46 PM Krassimir Tzvetanov 
wrote:

> Hello Everyone,
>
> I wanted to attract your attention to the Security Track this coming
> NANOG. We'll be meeting on Tuesday morning and the line up looks like this:
> * Andre Toonk - examples of hijacks, other ideas
> * Alexander Azimov - State of BGP Security
> * David Wishnick - ARIN TAL
> * Job Snijders - Routing security roadmap
> * Chris Morrow - So I need to start filtering routes from peers...' and
> 'hey guess who needs to update their IRR data?'
>
> Time permitting at the end of the time slot we'll have a panel and time
> for discussion as well.
>
> Regards,
> Krassi
>
>

-- 
Samson Oduor


Re: SAFNOG-4 + EANOG, tzNOG & TISPA Meeting Announcement

2018-06-20 Thread Sam Oduor
Good stuff and great to learn about the existence of these network operator
groups!

On Wed, Jun 20, 2018 at 6:33 PM, Mark Tinka  wrote:

> Hello all.
>
> It gives me great pleasure to announce that SAFNOG-4, in collaboration
> with EANOG (East Africa Network Operators Group) and tzNOG (Tanzania
> Network Operators Group), and hosted by TISPA (Tanzania Internet Service
> Providers Association) will be held between the 24th - 29th September,
> 2018, in the warm and sunny city of Dar Es Salaam, Tanzania.
>
> What is exciting about this year's SAFNOG meeting is that it will be
> partnering with EANOG and tzNOG, to include both plenary and workshop
> sessions during the week, as part of the agenda.
>
> The main plenary meeting will be held at the Hyatt Regency Dar Es Salaam
> hotel between 24th - 26th September, while the workshop will be held
> at the Bank of Tanzania building between 26th - 29th September, 2018.
>
> Details about the event registration and agenda will be made available
> at these locations:
>
> - www.safnog.org
> - www.tznog.or.tz
> - www.eanog.org
>
> Please mark your calendars.
>
> SAFNOG, EANOG, tzNOG and TISPA look forward to seeing you in Dar Es Salaam.
>
> Cheers,
>
> Mark Tinka
> On Behalf of the SAFNOG/EANOG/tzNOG Organizing Committee
>



-- 
Samson Oduor


Re: What are people using for IPAM these days?

2018-06-10 Thread Sam Oduor
Many options available -

1. DNSBOX - does IPAM, DHCP and DNS Management, thinking of those RDNS.

2. Infoblox - relatively the same as (1), the difference being cost.

3. A couple of open source vendors - netbox, phpIPAM.

The list never runs out - Solarwinds too has an IPAM feature.

On Sun, Jun 10, 2018 at 11:48 PM, Mike Lyon  wrote:

> Title says it all... Currently using IPPlan, but it is kinda antiquated..
>
> Thanks,
> Mike
>
> --
> Mike Lyon
> mike.l...@gmail.com
> http://www.linkedin.com/in/mlyon
>



-- 
Samson Oduor


EDGECAST / AlphaCDN

2018-05-18 Thread Sam Norris
Anyone know EDGECAST / Verizon contact and can help with geolocation /
anonymizer listings?  We finally got off the Amazon / MaxMind lists but seems
this one is stuck.

Thx,
Sam Norris
San Diego Broadband




Amazon Geolocation

2018-04-24 Thread Sam Norris
Hey all,

Having a hard time finding someone within Amazon to understand geolocation
problems.  We have lots of customers that started getting the amazon prime video
message about not being able to watch because of geolocation / vpn restrictions.

We are a wisp.  We run BGP with our own netblocks and upstream netblocks.  We
have at least 15 customers that have reported this problem - many of which
opened tickets directly with amazon but they have no clue.  My guess is it's
related to entire netblocks.

MaxMind shows the correct info and always has. 

Can someone point me to a contact at Amazon that can help?

Thx,
Sam


Websurfing trouble to .gov and .il.us

2018-03-13 Thread Sam Kretchmer
Nanog,

I am part of a small ISP based in Chicago. We have several clients complaining 
of an inability to hit a couple of specific government websites, specifically 
http://tierii.iema.state.il.us/TIER2MANAGER/Account/Login.aspx and 
https://www.deadiversion.usdoj.gov/. It does seem to be related to the IP's 
they use, specifically parts of 213.159.132/22. They can surf any other site we 
can think of, do email, IPSec tunnels, anything apparently but surf these 
sites. The listed sites show "loading" then "connecting" then back to "loading" 
and so on. I have checked all the blacklist sites I can get out of google. and 
they all show all green. I am at a loss as to what else might be contributing 
to the issue. Is there anyone on list here from either of those sites who might 
be able to help who can hit me off list, or anyone at all who might have some 
advice? It would be appreciated. All I need to do is to assign different IP's 
to the client and it works fine (hopefully eliminating Layer 1 and Layer 2, 
i.e. routers, circuits, etc..) My apologies if this is not the correct forum 
for this kind of question.

Thanks

Sam



RE: Geolocation: IPv4 Subnet blocked by HULU, and others

2017-12-26 Thread Sam Norris
Anyone figure this out?  I need to get our prefixes updated as well as they are
detecting our customers in the wrong city.

Sam


> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
> li...@silverlakeinternet.com
> Sent: Wednesday, December 20, 2017 1:28 PM
> To: Mike Hammett
> Cc: nanog@nanog.org
> Subject: Re: Geolocation: IPv4 Subnet blocked by HULU, and others
> 
> I could use a contact for all of these as well.  I have been trying to
> get my subnet unblocked with all of these providers and have reached out
> in many ways to all of them over the past few months, but never get a
> response.
> 
> Thank you,
> Brett A Mansfield
> 
> On 2017-12-15 19:57, Mike Hammett wrote:
> > Bump for Hulu.
> >
> >
> >
> >
> > -
> > Mike Hammett
> > Intelligent Computing Solutions
> >
> > Midwest Internet Exchange
> >
> > The Brothers WISP
> >
> > - Original Message -
> >
> > From: "Michael Crapse" <mich...@wi-fiber.io>
> > To: nanog@nanog.org
> > Sent: Wednesday, December 6, 2017 3:38:20 PM
> > Subject: Geolocation: IPv4 Subnet blocked by HULU, and others
> >
> > I am a local WISP. And my customers have trouble reaching Hulu, Disney
> > now,
> > and previously netflix and amazon prime(both resolved).
> > I have emailed, mailed, and called both HULU and Disney now to get my
> > 196.53.96.0/22 subnet unblacklisted as a VPN provider(no longer so)
> > from
> > their services. They have replied saying it takes 3-5 days to resolve
> > the
> > issue, that was several weeks ago. Can i get contact from those two
> > services that can help my customers reach their services, thank you.
> >
> >
> > Thank you for the help.
> > -Michael



Re: Novice sysadmins

2017-12-06 Thread Sam Oduor
All industries have risks associated.

In our Sysadmin context - Though I have not heard of any yet - a case
scenario of telesurgery/remote surgery.

In the midst of this operation - a misconfiguration by either a
netadmin (BGP) or sysadmin (DNS) resulting in downtime cutting off
communication = catastrophic end results.



On Wed, Dec 6, 2017 at 11:56 PM, William Herrin  wrote:

> On Wed, Dec 6, 2017 at 1:51 PM, Stephen Satchell 
> wrote:
>
> > What professional engineers you mentioned do can kill people.  I have yet
> > to hear of anyone dying from a sysadmin or netadmin screwing up. (Other
> > than dropping something heavy onto someone, using a fork lift
> > incompetently, or building an unsafe raised floor.).
> >
>
> I want pictures of the unsafe raised floor.
>
> -Bill
>
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Dirtside Systems . Web: 
>



-- 
Samson Oduor


Re: Novice sysadmins

2017-12-05 Thread Sam Oduor
Subject of interest; in my 15 years of experience I met a blend of senior admins
while learning the curves ..

1. Those who denied you knowledge/handover due to insecurity

2. Those who fed you with knowledge but were rude and could make you feel
like you were undergoing some military training

3. Those who gave you manuals and told you go and read; hardcopy was a
common thing - I could deliberately stay back in the office and print a
whole library :-)

4. The rare breed that walked you through sysadmins !


Right now it seems the tables have turned; I already feel I have
come to the end of the road as a sysadmin but on a lighter note - I have been
working hard on passing knowledge down and these are the new blend of people
I have met.

1. Those willing to learn are very obedient but for some reason not up to
the task

2. Those who know everything you try to teach them; are kinda rude and they
bring down systems - lab systems

3. Those who commit to be taught but never show up for free lessons despite
offering them free lunch :-)

4. A rare young  breed that teaches me mobile apps and new games online -
the 90's champs !

5. A rare breed that goes the extra mile; sacrifice time and money to learn
!


I love 4 & 5 !






On Tue, Dec 5, 2017 at 7:54 PM, Grant Taylor via NANOG 
wrote:

> On 12/05/2017 09:17 AM, Harald Koch wrote:
>
>> Thirty years ago I started my sysadmin journey on an Internet that was
>> filled with helpful, experienced people that were willing to share their
>> knowledge.
>>
>
> The vast majority of what I've experienced in the last ~20 years has been
> people willing to help others who are trying to help themselves.
>
> If you are trying, make an honest mistake, and are willing to correct it
> when others politely let you know, you will quite likely find people
> willing to help you.  Especially if you return the favor in kind.
>
> If you are being a hooligan and not responding to problems reported to you
> or purposefully ~> wantonly doing things to others ... good luck.
>
>
>
> --
> Grant. . . .
> unix || die
>
>


-- 
Samson Oduor


Re: Temp at Level 3 data centers

2017-10-12 Thread Sam Silvester
On Thu, Oct 12, 2017 at 3:39 AM, Naslund, Steve <snasl...@medline.com>
wrote:

> If the ambient temperature is higher is means the temperatures throughout
> the device would be higher and the temp at those points is what really
> matters.  I would also be concerned because if they lose one of the a/c
> units what would the ambient temperature rise to?  I would want them to
> tell me what the set point of the a/c actually is.
>
> Bottom line 80 F input air is too hot in my opinion and apparently the
> equipment's opinion as well.
>

My quick thoughts on the matter:

1. Above all else, know what your DC provider states in their SLA/contract.
2. It's never a bad idea to try to be on the best possible personal terms
with the DC manager(s); the better you get along, the more they're inclined
to share knowledge/issues and work with you on any concerns.
3. You can't infer faults or lack of redundancy from the running
temperature - by way of example, several facilities I know run at 25 degrees
Celsius, but if a chilled water unit in a given data hall fails there are a
number of DX units held in standby to take over. This is where point 2
comes in handy, as knowing somebody on the ground they'll often be quite
happy to run through failure scenarios with you and help make sure
everybody is happy with the risk mitigation strategy.

Out of idle curiosity - I'm curious as to if the equipment that is alarming
is configurable or not? Reason I ask is I've heard users claiming
environmental parameters were out of spec before, but then it turned out it
was their own environmental monitoring they'd installed in the rack (using
default parameters out of the box, not configured to match the facility
SLA) that was complaining about a set point of 25...

Cheers,

Sam


Re: Temp at Level 3 data centers

2017-10-11 Thread Sam Kretchmer
with a former employer we had a suite at the L3 facility on Canal in
Chicago. They had this exact issue for the entire time we had the suite.
They kept blaming a failing HVAC unit on our floor, but it went on for
years no matter who we complained to, or what we said.

Good luck.


On 10/11/17, 7:31 AM, "NANOG on behalf of David Hubbard"
 wrote:

>Curious if anyone on here colo's equipment at a Level 3 facility and has
>found the temperature unacceptably warm?  I'm having that experience
>currently, where ambient temp is in the 80's, but they tell me that's
>perfectly fine because vented tiles have been placed in front of all
>equipment racks.  My equipment is alarming for high temps, so obviously
>not fine.  Trying to find my way up to whomever I can complain to that's
>in a position to do something about it but it seems the support staff
>have been told to brush questions about temp off as much as possible.
>Was wondering if this is a country-wide thing for them or unique to the
>data center I have equipment in.  I have equipment in several others from
>different companies and most are probably 15-20 degrees cooler.
>
>Thanks,
>
>David



Level3 / Cogent / NetFlix BGP Assistance

2016-12-04 Thread Sam Norris
Hey all,

 

In early October our traffic levels from NetFlix went from about half Level3 and
half Cogent - pretty well balanced - to all on Level3.  Standard multihomed BGP
setup with minimal TE if I can help it.  I am starting to run into problems with
a full gigabit port on Level3 and only 100-200mbps on Cogent at that colo.  I
tried padding, I even tried 65000:2906 bgp community, but it seems like if our
level3 port is up NetFlix chooses it solely.  How can I load balance NetFlix
traffic across my two ports so that I am not paying for overages and/or forced
to up to a 10G port immediately?  I have 3 other providers at that colo and
cannot find any mix of bgp tricks to get some of it thru our other providers.

 

I notice AS2906 has a localpref of 86 - odd ...

 

The 108.175.47.0/24 block seems to be using as 2906 so I thought a 65000:2906
wouldn't announce those prefixes to them at all.  I have about 10 prefixes being
announced so I could implement a no-export on some of them to load balance but
that doesn't work.

 

Thx,

Sam

 

 

BGP routing table entry for 108.175.47.0/24
Paths: (2 available, best #1)
  2906
  AS-path translation: { 108.175.47.0/24 }
   ear3.LosAngeles1 (metric 10)
     Origin IGP, metric 30334, localpref 86, valid, internal, best
     Community: 2906:51081 North_America Lclprf_86 United_States Level3_Peer Los_Angeles Level3:10984
     Originator: ear3.LosAngeles1
  2906
  AS-path translation: { 108.175.47.0/24 }
   ear3.LosAngeles1 (metric 10)
     Origin IGP, metric 30334, localpref 86, valid, internal
     Community: 2906:51081 North_America Lclprf_86 United_States Level3_Peer Los_Angeles Level3:10984
     Originator: ear3.LosAngeles1



Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Sam Silvester
On Tue, Sep 27, 2016 at 1:35 PM, Roland Dobbins <rdobb...@arbor.net> wrote:

> It call comes down to the network operator, one way or another.  There's
> no separation in the public mind of 'my network' from 'the Internet' that
> is analogous to the separation between 'the power company' and 'the
> electrical wiring in my house/apartment' (and even in that space, the
> conceptual separation often isn't present).
>
>
Not sure I agree with this. To my knowledge, when somebody loses power,
they go out and check circuit breakers and stuff, then either call an
electrician (if a breaker doesn't stay on or the like), or call their
electricity retailer/distributer. I'm not talking about IT / technically
savvy people either.

Now, I appreciate what you are saying though - end users are
(generalisation incoming, and I am not having a go / being a dick toward
end users) non-technical, busy and not willing to spend money on experts to
help out. They don't understand that their ISP is not responsible / in
control end to end etc, but yeah - not the best analogy above.

As a second comment...I think there is something also to be considered in
Mark's thoughts.

NAT obviously breaks visibility from a network operator's perspective. As
far as we can see, once a user is sending something flagged as abuse, the
best we can tell is the public IPv4 address. This sucks, as it basically
means suspend the user, who gets shitty as a result, and costs money and
time on the phone to helpdesk as a result.

In IPv6, it's not the case that all traffic is sourced from the same public
IP, which is interesting, especially if the network operator's abuse desk
has appropriate tooling to be able to marry that up to a device (probably
with the end user involved of course, but maybe with less effort).

I do also like the idea of IPv4 CPE having a menu displaying DHCP client
ID, in/out bps/pps counters, especially if that is able to be exposed to
the ISP helpdesk / abuse desk if needed. It's a nice to have, but not sure
it'd ever get meaningful deployment in a timeframe that makes it useful.

Food for thought.

Sam


RE: Email to text - vtext.com blacklisting ip

2016-08-16 Thread Sam Norris
Same boat...  We are sending messages to phonenum...@vtext.com and getting
bouncebacks or lost items.  I assume it's because some limits are now being put
into place.  We are a Verizon subscriber so I am paying, it is not a free
service.  But I am totally up for paid services if you can recommend some
that will reliably get us texts to our Verizon phones.

Sam


> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ryan, Spencer
> Sent: Tuesday, August 16, 2016 4:17 PM
> To: Josh Luthman; Mike
> Cc: NANOG list
> Subject: RE: Email to text - vtext.com blacklisting ip
> 
> I agree. Pay Pager duty or a SMS gateway with a SLA. Relying on  the free
service
> for anything critical is asking for trouble.
> 
> 
> 
> Sent from my Verizon, Samsung Galaxy smartphone
> 
> 
>  Original message 
> From: Josh Luthman <j...@imaginenetworksllc.com>
> Date: 8/16/16 6:09 PM (GMT-05:00)
> To: Mike <mike-na...@tiedyenetworks.com>
> Cc: NANOG list <nanog@nanog.org>
> Subject: Re: Email to text - vtext.com blacklisting ip
> 
> If it's critical I'd suggest a service than can depended on...
> 
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> 
> On Aug 16, 2016 5:45 PM, "Mike" <mike-na...@tiedyenetworks.com> wrote:
> 
> > Hi,
> >
> >
> > I have a server that monitors my network and issues text messages if
> > there are events of note that require human intervention. There is some
> > process filtering that ensures it also is not able to issue more than 1
> > alert maximum per 5 minutes, to ensure it doesn't flood pagers with
> > messages all screaming the sky is falling when things are not going well.
> > Recently however, this server is no longer able to deliver messages to
> > vtext.com - it gets nothing but 554 errors:
> >
> >
> > telnet 69.78.67.53 25
> > Trying 69.78.67.53...
> > Connected to 69.78.67.53.
> > Escape character is '^]'.
> > 554 txslspamp10.vtext.com
> > Connection closed by foreign host.
> >
> > Granted on some days during challenging times it can send 30 or 40
> > messages before we get to it and get it squelched / silenced, but it's
> > otherwise reasonably well behaved IMHO and I don't think we are any heavy
> > volume sender. So I am trying to figure out why it's blacklisted then and
> > am rolling snake eyes.  If anyone who is an admin for verizon or who has
> > any insight to share I'd certainly appreciate it. Email to text is a
> > critical function we depend on.
> >
> >
> > Thank you.
> >
> >
> >



RE: Level3 (3356) to outlook.office365.com via v6?

2016-08-02 Thread Sam Norris
We have 2 customers complaining about this in the past 3 days - both using IPv4 
only.  Glad to see this because maybe it’s a larger problem outside of our 
network.

Sam


> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of David Hubbard
> Sent: Tuesday, August 02, 2016 1:48 PM
> To: nanog@nanog.org
> Subject: Level3 (3356) to outlook.office365.com via v6?
>
> Curious if anyone else is having issues reaching outlook.office365.com via 
> ipv6
> over Level 3?  Our customers have begun reporting failures checking email, 
> and in
> the ones who have had this issue, are using the mail server name
> outlook.office365.com and are on v6.  Traceroute6 shows the traffic dying 
> shortly
> into Level 3 land at 2001:1900:4:1::3d1 which is likely a Tampa-area router.
>
> Thanks,
>
> David
>
>






students questions

2016-07-25 Thread sam
Hello, if this is not appropriate for this list please excuse me and
disregard this email. I thought of no better place than this place; however,
if there is a better place for this email please advise and I will direct
the email and the student to the questions.

I received an email from a student this morning asking the following
questions.
1.  Are there any email providers that market to professionals but offer
a student rate, or are of good quality but inexpensive, etc.?

2.  I have looked at the Microsoft Exchange server in the cloud; while it
looks promising it does not seem to fit my cost ratio.

3.  I would mainly like to be able to have a professional email address
so when I apply for jobs and other business of that sort I can be seen as a
professional, and to gather my email from various sources, i.e. Gmail, Hotmail
etc., and to present a more professional appearance to my work and school
work etc.

I responded that he should look at Google Apps; however his questions got me
thinking and I googled around for an answer to give him, however I am not as
well versed as I should be in the cloud besides for backup service and
active directory management. I would like to know if you guys have any
places I own give the student.

  
Thanks 
Samual 
Office of technology education 
  
Please excuse grammar and spelling errors as this was typed on a smartphone.

  




Re: Colocation Server Lifts

2016-04-03 Thread Sam Oduor
Yes, I would expect a lift at a colo, but in terms of regulations (safety) I
do not think it is a mandatory requirement for most colos.

Allowing customers to use them can be a yes or no; it requires some basic
operational skills to operate - you just can't trust a visiting client to
use it unless some vetting is in place for this.

It should be free, and a datacentre operator needs to assist or at least
supervise in usage.

The weight depends on the model of the lift .

Some helpful resources:-

https://www.youtube.com/watch?v=5uLWVMOfY0U

http://www.serverlift.com/





On Tue, Mar 29, 2016 at 3:23 PM, Jason Lee  wrote:

> Hi NANOG community,
>
> A few questions I have for the community regarding server lifts at colo
> facilities.
>
> 1. Is a server lift something you would typically expect a colo facility to
> provide?
>
> if yes,
>
> 2. Do colo facilities typically allow customers to just use them or provide
> an operator?
> 3. Is it a free offering or something they rent out?
> 4. What would be the typical device weight you would lift?
> 5. What would be the max device weight you would lift?
>
> Thanks,
>
> Jason
>



-- 
Samson Oduor


RE: Facebook & Traceroute

2016-03-09 Thread Sam Norris
> maybe their loadbalancer is a little wonky? (I don't see this in
> traceroutes from a few places, but I also don't end up at IAD for
> 'www.facebook.com' traceroutes... here's my last 4 hops though to the
> dest-ip you had:
> 
> .13.28.75)  0.597 ms ae0.dr08.ash2.tfbnw.net (31.13.26.235)  0.576 ms
>  8  * * *
>  9  * * *
> 10  * * *
> 11  edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68)  0.774 ms
> 0.755 ms  0.701 ms

This is probably because you are properly filtering your own prefixes from 
being sourced outside coming in?



Facebook & Traceroute

2016-03-09 Thread Sam Norris
Why does Facebook spoof the source IP address of the hop before this server?
They spoof the source IP address that is performing the traceroute.

66.220.156.68

---
 7  FACEBOOK-IN.ear1.Atlanta2.Level3.net (4.16.185.58)  51.736 ms  51.678 ms
52.075 ms
 8  ae2.bb01.atl1.tfbnw.net (74.119.78.214)  51.636 ms  51.584 ms  51.720 ms
 9  be36.bb01.frc3.tfbnw.net (31.13.26.199)  58.669 ms ae4.bb05.frc3.tfbnw.net
(31.13.27.129)  61.085 ms ae16.bb06.frc3.tfbnw.net (74.119.76.117)  59.731 ms
10  ae5.bb04.iad3.tfbnw.net (31.13.26.57)  111.338 ms ae7.bb04.iad3.tfbnw.net
(31.13.31.245)  110.007 ms  110.015 ms
11  ae9.dr07.ash3.tfbnw.net (31.13.29.29)  68.692 ms ae10.dr08.ash2.tfbnw.net
(31.13.28.207)  67.846 ms ae12.dr08.ash3.tfbnw.net (31.13.29.191)  68.629 ms
12  * * *
13  * * *
14  8.25.38.1 (8.25.38.1)  68.571 ms  68.718 ms  68.132 ms
15  edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68)  67.903 ms  67.752
ms  68.071 ms
---

Hop 14 is the source ip of the traceroute which is forged. This essentially
makes hop 14 reply using the same ip for src and dst.

Sam
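A small diagnostic for the observation above, added here as an example (it is not from Sam's post and not Facebook's code): it parses traceroute output, folding the wrapped lines an archive prints back into their hop, and flags any intermediate hop whose responder address is the probing host's own source address, which is what the post says hop 14 does. The sample below is the trace from the post re-typed as constructed input, with 8.25.38.1 taken as the probe's source as the post states; the regexes and function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the traceroute from the post above, with its lines
# wrapped the way the archive shows them. Per the post, 8.25.38.1 is the
# probing host's own source address.
SAMPLE_TRACE = """\
 7  FACEBOOK-IN.ear1.Atlanta2.Level3.net (4.16.185.58)  51.736 ms  51.678 ms
52.075 ms
 8  ae2.bb01.atl1.tfbnw.net (74.119.78.214)  51.636 ms  51.584 ms  51.720 ms
 9  be36.bb01.frc3.tfbnw.net (31.13.26.199)  58.669 ms ae4.bb05.frc3.tfbnw.net
(31.13.27.129)  61.085 ms ae16.bb06.frc3.tfbnw.net (74.119.76.117)  59.731 ms
10  ae5.bb04.iad3.tfbnw.net (31.13.26.57)  111.338 ms ae7.bb04.iad3.tfbnw.net
(31.13.31.245)  110.007 ms  110.015 ms
11  ae9.dr07.ash3.tfbnw.net (31.13.29.29)  68.692 ms ae10.dr08.ash2.tfbnw.net
(31.13.28.207)  67.846 ms ae12.dr08.ash3.tfbnw.net (31.13.29.191)  68.629 ms
12  * * *
13  * * *
14  8.25.38.1 (8.25.38.1)  68.571 ms  68.718 ms  68.132 ms
15  edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68)  67.903 ms  67.752
ms  68.071 ms
"""

# A hop line starts with the hop number followed by at least two spaces;
# anything else is a continuation of the previous hop.
HOP_START = re.compile(r"^\s*(\d+)\s{2,}(.*)$")
# Responder addresses appear in parentheses after the (reverse) name.
IPV4 = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_traceroute(text: str) -> Dict[int, List[str]]:
    """Map hop number -> responder IPv4 addresses seen for that hop.

    Wrapped continuation lines are folded back into the current hop, so a
    hop that answered from several routers lists all of them; a hop that
    only shows '* * *' maps to an empty list.
    """
    hops: Dict[int, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = HOP_START.match(line)
        if m:
            current = int(m.group(1))
            hops[current] = []
            body = m.group(2)
        elif current is None:
            continue          # junk before the first hop
        else:
            body = line       # continuation of the current hop
        for ip in IPV4.findall(body):
            if ip not in hops[current]:
                hops[current].append(ip)
    return hops


def responders(text: str, hop: int) -> List[str]:
    """Responder addresses for one hop (empty if it never answered)."""
    return parse_traceroute(text).get(hop, [])


def self_sourced_hops(text: str, probe_source: str) -> List[int]:
    """Intermediate hops that answered from the probing host's own address.

    Such a reply carries the same IP as source and destination, which is
    the symptom the post describes; the final hop is excluded since it is
    the destination itself.
    """
    hops = parse_traceroute(text)
    if not hops:
        return []
    last = max(hops)
    return [n for n, ips in sorted(hops.items())
            if n != last and probe_source in ips]


if __name__ == "__main__":
    for n in self_sourced_hops(SAMPLE_TRACE, "8.25.38.1"):
        print(f"hop {n} answered from the probe's own source address")
```

Run against the sample it reports hop 14 only; pointing it at your own traceroute output with your own source address is the whole check.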



MetroE and Telephone Taxes

2016-02-29 Thread Sam Norris
Hey all,

My provider here in SoCal is charging me 8% or so telephone taxes on our MetroE
products.  This seems fishy to me and I can't find any cut and dry rules about
private Ethernet / MetroE being under these rules.  The same provider selling
internet / DIA has no taxes whatsoever.

Anyone out there getting charged ULS and other telephone taxes on MetroE
circuits?  Or can anyone point me to somewhere that shows that it shouldn't be
charged telephone taxes?  Assume there are no voip calls traversing these
circuits.  I believe ULS is Federal, the other 3-5% is CA taxes on CLECs.

Thx,
Sam



Re: Cisco CMTS SNMP OID's

2016-01-25 Thread Sam H. Merritt, III



On Sun, 24 Jan 2016, Yang Yu wrote:

> Cable Modem counts of all kinds
> connected / online
> ranging
> offline
>
> Not there if there are OIDs for `show cable modem docsis version summary`



http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en=Translate=1.3.6.1.2.1.10.127.1.3.3.1.9

I don't know of an OID that will say 'X number of modems online', if 
anyone does, please share.


What I currently do is take the walk of the above OID and get all that are 
a 6 and call that online modems.



sam
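As an added example (not from this thread and not Cisco's tooling), here is the count Sam describes, done over snmpwalk output for docsIfCmtsCmStatusValue (1.3.6.1.2.1.10.127.1.3.3.1.9): modems whose value is 6 are taken as online, and the same walk is broken down per status so the ranging and access-denied modems are visible too. The sample lines are constructed in the two forms net-snmp prints (numeric and MIB-resolved); the status names other than 6 are recalled from DOCS-IF-MIB rather than taken from the post.

```python
import re
from collections import Counter
from typing import Dict

# docsIfCmtsCmStatusValue, the OID the post walks.
STATUS_OID = "1.3.6.1.2.1.10.127.1.3.3.1.9"

# Status names as recalled from DOCS-IF-MIB (assumption: not from the post,
# which only relies on 6 meaning a registered/online modem).
STATUS_NAMES = {1: "other", 2: "ranging", 3: "rangingAborted",
                4: "rangingComplete", 5: "ipComplete",
                6: "registrationComplete", 7: "accessDenied",
                8: "operational", 9: "registeredBPIInitializing"}

# Constructed sample of snmpwalk output, mixing the numeric form and the
# MIB-resolved form so the parser copes with either.
SAMPLE_WALK = """\
.1.3.6.1.2.1.10.127.1.3.3.1.9.11 = INTEGER: 6
.1.3.6.1.2.1.10.127.1.3.3.1.9.12 = INTEGER: 6
.1.3.6.1.2.1.10.127.1.3.3.1.9.13 = INTEGER: 2
.1.3.6.1.2.1.10.127.1.3.3.1.9.14 = INTEGER: 7
DOCS-IF-MIB::docsIfCmtsCmStatusValue.15 = INTEGER: registrationComplete(6)
DOCS-IF-MIB::docsIfCmtsCmStatusValue.16 = INTEGER: other(1)
"""

# <oid-or-name>.<index> = INTEGER: <value> or <name>(<value>)
LINE = re.compile(r"^\S+\.(\d+)\s*=\s*INTEGER:\s*(?:[A-Za-z]+\()?(\d+)\)?\s*$")


def parse_walk(text: str) -> Dict[int, int]:
    """Map the table index (one row per modem) to its status value."""
    rows: Dict[int, int] = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows[int(m.group(1))] = int(m.group(2))
    return rows


def online_modems(text: str) -> int:
    """The post's heuristic: a modem is online when its status value is 6."""
    return sum(1 for v in parse_walk(text).values() if v == 6)


def status_counts(text: str) -> Dict[str, int]:
    """Modems per status, named where the MIB name is known."""
    counts = Counter(parse_walk(text).values())
    return {STATUS_NAMES.get(v, f"value{v}"): n
            for v, n in sorted(counts.items())}


if __name__ == "__main__":
    print("online:", online_modems(SAMPLE_WALK))
    for name, n in status_counts(SAMPLE_WALK).items():
        print(f"  {name:28s} {n}")
```

Feed it the output of `snmpwalk -v2c -c <community> <cmts> 1.3.6.1.2.1.10.127.1.3.3.1.9` (read-only community, as with any monitoring poller) and the per-status table is the "X modems online" figure the post says no single OID provides.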


AT&T Wholesale

2015-11-04 Thread Sam Norris
Hey everyone,

Can someone send me privately the contact info for an AT&T Wholesale rep for
Metro E / VPLS / Layer 2 stuff here in the SouthWest region?  Their website is
not very informative on how to make any contact with the wholesale group.

Thx,
Sam



Fw: new message

2015-10-25 Thread Sam Stickland
Hey!

 

New message, please read 
<http://internetmarketing.onnet.com.vn/knowing.php?ljhy>

 

Sam Stickland



Re: Facebook invisible in Italy

2015-09-28 Thread Sam Oduor
Experienced a down time from East Africa - Nairobi - Kenya; but it is now
back up !

2015-09-28 23:38 GMT+03:00 Jürgen Jaritsch :

> Hi,
>
> also down for us (Austria & Germany) and the OVH network.
>
> Best regards
>
>
> Jürgen Jaritsch
> Head of Network & Infrastructure
>
> ANEXIA Internetdienstleistungs GmbH
>
> Phone: +43-5-0556-300
> Fax: +43-5-0556-500
>
> E-Mail: jjarit...@anexia-it.com
> Web: http://www.anexia-it.com
>
> Head office address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
> Managing Director: Alexander Windbichler
> Company register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: ATU63216601
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Marco Paesani
> Sent: Monday, 28 September 2015 22:35
> To: nanog
> Subject: Facebook invisible in Italy
>
> Hi,
> some issues from FB network ??
> Do you have some info ?
> Regards,
>
> --
>
> Marco Paesani
> MPAE Srl
>
> Skype: mpaesani
> Mobile: +39 348 6019349
> Success depends on the right choice !
> Email: ma...@paesani.it
>



-- 
Samson Oduor


Re: cisco.com unavailable

2015-09-21 Thread Sam Oduor
All set for me; East Africa, Kenya, Nairobi .. I can also see some serious
dude fixing a bike  on the site.

Tracing route to cisco.com [72.163.4.161]
over a maximum of 30 hops:

  1 1 ms 1 ms 1 ms  192.168.0.1
  211 ms   224 ms13 ms  10.34.0.1
  3 7 ms 7 ms 6 ms  196.207.31.181.accesskenya.com
[196.207.31.181]

  410 ms10 ms17 ms  te2-1.er1.bp.nbo.accesskenya.net
[196.207.31.145
]
  5   652 ms   161 ms   515 ms  if-6-0-2.core4.LDN-London.as6453.net
[80.231.76.
101]
  6   395 ms  1139 ms   148 ms  if-1-3-1-0.tcore1.LDN-London.as6453.net
[80.231.
76.86]
  7   197 ms   147 ms   188 ms  195.219.83.102
  8 *** Request timed out.
  9 *** Request timed out.
 10   313 ms *  283 ms  CISCO-SYSTE.ear1.Dallas1.Level3.net
[4.30.74.46]

 11   270 ms   264 ms   329 ms  rcdn9-cd2-dmzbb-gw2-ten1-1.cisco.com
[72.163.0.2
1]
 12   299 ms   326 ms   323 ms  rcdn9-cd2-dmzdcc-gw2-por2.cisco.com
[72.163.0.19
0]
 13   291 ms   534 ms   256 ms  rcdn9-16b-dcz05n-gw2-por2.cisco.com
[72.163.2.11
0]
 14   275 ms   598 ms   270 ms  www1.cisco.com [72.163.4.161]

Trace complete.




On Mon, Sep 21, 2015 at 10:03 PM, Robert Glover  wrote:

> On 9/21/2015 11:51 AM, Murat Kaipov wrote:
>
>> Hi folks!
>> Is cisco.com  unavailable or it is affected just for
>> Rostelecom?
>>
>
> All is well from Cogent, Charter, and Verizon Wireless
>
>


-- 
Samson Oduor


Re: Quakecon: Network Operations Center tour

2015-08-03 Thread Sam Thomas
Very interesting. I still have in ~/ a 6509 config I did for an early
Quakecon (or some predecessor or similar event) as a favor for a friend in
~2003. The more things change...

BTW, ISTR there's some dark fiber between Anatole and INFOMART. I'm sure
there's somebody in the 'mart who could provide $REALLY_FAST connectivity
if the fiber is still in place.

On Sat, Aug 1, 2015 at 2:27 PM, Sean Donelan s...@donelan.com wrote:


 Non-work, work related information.  Many NANOG geeks might be interested
 in this video tour of the Quakecon NOC tour.  As any ISP operator knows,
 gamers complain faster about problems than any NMS, so you've got to
 admire the bravery of any NOC in the middle of a gaming convention floor.

 What Powers Quakecon | Network Operations Center Tour
 https://www.youtube.com/watch?v=mOv62lBdlXU




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Sam Tetherow
The IP can change on the UniFi without having to re-adopt or 
re-provision.  APs are identified by MAC address at the UniFi protocol 
level (not layer 2).


On 06/19/2015 09:09 AM, Naslund, Steve wrote:

> Here is another though.  If your APs are re-provisioning every eight hours,
> what is your DHCP lease time?  Are you sure the APs are able to renew their
> leases (if not, could your scope be full)?  Do you see the IP addresses on the
> APs changing when they come back up?  These could indicate a DHCP server issue.
> If the AP gets a new IP address it will likely have to be re-adopted to the
> controller.  You might want to static address one or more APs to test this
> theory.
>
> Steven Naslund
> Chicago IL




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Sam Tetherow
Only have 1 Pro on my network and it hasn't given me any issues, several 
of the original AP and AP-LR as well without issues.


What is the uptime on the AP?  You should be able to ssh into the APs 
using the controller username and password.  It is a linux base so 
'uptime' will tell you.  You can also check for ethernet errors using 
'ip -s link' on the AP side.


On 06/19/2015 11:45 AM, Bob Evans wrote:

> We have all APs set with static addresses. EdgeMax only hands out IPs to
> clients using the APs.
>
> This happens when people are using the APs and when no one is even in the
> building at 2am when there are no clients connected. It can happen to one
> then 5 hours later it happens again...then doesn't happen again for 12
> hours. Totally random no interval.
>
> It is nice to know that others have no issues with these UniFi AP Pros.
> They seem to be fine except for the 2 mins or so they randomly drop link
> and reboot themselves. All are on APC UPSes and other devices in the same
> switch, like voip phones, never drop the ports.
>
> They are all new, delivered in various batches over time. We checked and
> all are the latest versions.
>
> Bob Evans








Re: Colo Capacity quote in Renton, WA 98057, USA needed

2015-05-28 Thread Sam Oduor
Hi Don


Check out http://www.quotecolo.com/colocation/  ; you will enter the
requirements inclusive the area you prefer.


They will send you referrals and you can choose who to pick.






Regards







On Thu, May 28, 2015 at 3:30 AM, Don Gould d...@bowenvale.co.nz wrote:

> Hi,
>
> I have half a dozen servers in a DC in Renton, WA 98057, USA.
>
> I'm looking for quotes 7 RU with 100mbit PIR.  I do need A and B side
> power.
>
> The pricing from my current provider has got out of hand and they have
> burnt the relationship.  As a result I am interested in hearing from others
> who might be interested in servicing this small requirement.
>
> Cheers Don
>
>
> --
> Don Gould
> 31 Acheson Ave
> Mairehau
> Christchurch, New Zealand
> Ph: + 64 3 348 7235
> Mobile: + 64 21 114 0699
> Ph: +61 3 9111 1821 (Melb)





-- 
Samson Oduor


Re: FCC form 477 geocoding

2015-03-03 Thread Sam Tetherow

Address to lat/lng using google api
http://maps.googleapis.com/maps/api/geocode/json?address=$address&sensor=true

Lat/Lng to Census Block via FCC
http://data.fcc.gov/api/block/2010/find?latitude=$latitude&longitude=$longitude&showall=true&format=JSON


On 03/03/2015 05:06 PM, Jay Hennigan wrote:

> On 3/3/15 14:59, Josh Luthman wrote:
>
>> Well you'll need to translate those into addresses.  That should be easy
>> with Google or Bing.
>
> We have the addresses, need census tract and block.
>
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
> Impulse Internet Service  -  http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
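The two lookups Sam lists, as an added example that is neither his script nor either API's documentation: the query strings are built with urlencode, so an address containing spaces, commas or an ampersand is encoded instead of corrupting the query, and the 15-digit block FIPS code in the FCC reply is split into the state, county, tract and block fields that Jay's thread needs. The FCC reply below is a constructed sample whose field names are assumed from that API; the geocoding step is shown as URL construction only, since no network call is made here.

```python
import json
from typing import Dict
from urllib.parse import urlencode

GOOGLE_GEOCODE = "http://maps.googleapis.com/maps/api/geocode/json"
FCC_BLOCK = "http://data.fcc.gov/api/block/2010/find"


def geocode_url(address: str) -> str:
    """Google geocoding request; the address is percent-encoded, never
    pasted raw into the query string."""
    return GOOGLE_GEOCODE + "?" + urlencode({"address": address,
                                             "sensor": "true"})


def fcc_block_url(lat: float, lng: float) -> str:
    """FCC 2010 census block lookup for a coordinate pair."""
    return FCC_BLOCK + "?" + urlencode({"latitude": lat, "longitude": lng,
                                        "showall": "true", "format": "JSON"})


def split_block_fips(fips: str) -> Dict[str, str]:
    """A 2010 census block FIPS code is 15 digits laid out as
    state(2) county(3) tract(6) block(4); anything else is rejected."""
    if len(fips) != 15 or not fips.isdigit():
        raise ValueError(f"not a 15-digit block FIPS code: {fips!r}")
    return {"state": fips[:2], "county": fips[2:5],
            "tract": fips[5:11], "block": fips[11:]}


# Constructed sample reply (field layout assumed from the FCC Block API;
# the numbers are invented and do not describe a real location).
SAMPLE_FCC_RESPONSE = json.dumps({
    "Block": {"FIPS": "060371234001005"},
    "County": {"FIPS": "06037", "name": "Los Angeles"},
    "State": {"FIPS": "06", "code": "CA", "name": "California"},
    "status": "OK",
})


def block_from_response(body: str) -> Dict[str, str]:
    """Pull tract and block out of an FCC reply, refusing non-OK replies
    rather than reading fields that may not be there."""
    data = json.loads(body)
    if data.get("status") != "OK":
        raise ValueError(f"FCC lookup failed: {data.get('status')!r}")
    return split_block_fips(data["Block"]["FIPS"])


if __name__ == "__main__":
    print(geocode_url("1100 Wayne St, Troy, OH 45373"))
    print(fcc_block_url(34.05, -118.25))
    print(block_from_response(SAMPLE_FCC_RESPONSE))
```

In a real run the address is untrusted input from a subscriber record, which is exactly why it goes through urlencode, and the reply is checked for `status` before any field is read.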




RE: cable modem firmware upgrade

2015-01-29 Thread Sam Hayes Merritt, III



> That has been my experience as well (only from the RF side) and I would
> believe this was a design choice.   The ISP usually wants to keep control
> over the firmware versions of the CM for various technical/support reasons
> versus having consumers mess with the firmware.


It's a design choice but not one that always works out well.

Customers that bring their own modems that aren't on a certified list, 
end up with a device that the provider may not have ever seen. Then, if 
you run into an issue with the modem that can be fixed with a firmware 
issue (some vendors have issues that they cannot fix - rhymes with 
netgear) then the MSO has to work with the maker of that modem, even 
though they may have never had any interactions with them, get the 
certificate and firmware for that modem and upgrade customer owned devices 
- possibly turning them into bricks. I'd rather allow customers to turn 
their own modems into bricks.



sam


Re: North Korean internet goes dark (yes, they had one)

2014-12-24 Thread Sam Mulvey

On 12/22/14 20:16, Javier J wrote:
> But I can ping them.
>
> https://nknetobserver.github.io/
>
> And what would it matter if its offline, they already block their
> population. What exactly is offline?

I seem to recall that they also had some space on a Japanese
network.  I can't hit the Naenara website, which is the DPRK
intranet-- that might be what they're talking about.

-Sam


Re: IPv6 Default Allocation - What size allocation are you giving out

2014-10-08 Thread Sam Silvester
Why would you only allocate a residential customer a single /64?

That's totally short sighted in my view.

On Thu, Oct 9, 2014 at 2:07 PM, Faisal Imtiaz fai...@snappytelecom.net
wrote:

> We are going thru a similar process.. from all of my reading, best
> practice discussions etc..
>
> Here is what i have understood so far:-
>
> Residential Customers:   /64
>
> Small & Medium size Business Customers: /56
>
> Large Business size or a multi-location Business Customer: /48
>
> Don't skimp on allocating the subnets like we do on IPv4
> Better to be 'wasteful' than have to come back to re-number or re-allocate
> .
>
> Regards
>
>
> Faisal Imtiaz
> Snappy Internet & Telecom
>
> - Original Message -
>> From: Erik Sundberg esundb...@nitelusa.com
>> To: nanog@nanog.org
>> Sent: Wednesday, October 8, 2014 9:18:16 PM
>> Subject: IPv6 Default Allocation - What size allocation are you giving
>> out
>>
>> I am planning out our IPv6 deployment right now and I am trying to
>> figure out
>> our default allocation for customer LAN blocks. So what is everyone
>> giving
>> for a default LAN allocation for IPv6 Customers.  I guess the idea of
>> handing a customer /56 (256 /64s) or  a /48 (65,536 /64s) just makes me
>> cringe at the waste. Especially when you know 90% of customers will never
>> have more than 2 or 3 subnets. As I see it the customer can always ask
>> for
>> more IPv6 Space.
>>
>> /64
>> /60
>> /56
>> /48
>>
>> Small Customer?
>> Medium Customer?
>> Large Customer?
>>
>> Thanks
>>
>> Erik
>>
>> 
>>
>> CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents,
>> files or
>> previous e-mail messages attached to it may contain confidential
>> information
>> that is legally privileged. If you are not the intended recipient, or a
>> person responsible for delivering it to the intended recipient, you are
>> hereby notified that any disclosure, copying, distribution or use of any
>> of
>> the information contained in or attached to this transmission is STRICTLY
>> PROHIBITED. If you have received this transmission in error please notify
>> the sender immediately by replying to this e-mail. You must destroy the
>> original transmission and its attachments without reading or saving in
>> any
>> manner. Thank you.
>>
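To put numbers on "don't skimp", an added example that is not from either post: it counts how many customer prefixes of each size a provider /32 holds, and carves per-customer /48 and /56 prefixes out of a pool with a best-fit free list, splitting a free block only as far as a request needs so that a run of residential /56s never fragments a /48 a later business customer could have taken whole. 2001:db8::/32 is the documentation prefix and the customer names are made up.

```python
from ipaddress import IPv6Network
from typing import Dict, List, Tuple


def customers_per_pool(pool: str, plen: int) -> int:
    """How many /plen customer prefixes fit in `pool` (e.g. a provider /32)."""
    net = IPv6Network(pool)
    if plen < net.prefixlen:
        raise ValueError("customer prefix cannot be larger than the pool")
    return 2 ** (plen - net.prefixlen)


def carve(pool: str, requests: List[Tuple[str, int]]) -> Dict[str, str]:
    """Allocate one prefix per (customer, prefix length) request.

    Best fit over a free list: the smallest free block that can still hold
    the request is chosen and halved only as far as needed; every spare
    half goes back on the free list for later, smaller requests.
    """
    free: List[IPv6Network] = [IPv6Network(pool)]
    out: Dict[str, str] = {}
    for name, plen in requests:
        fits = [b for b in free if b.prefixlen <= plen]
        if not fits:
            raise RuntimeError(f"pool exhausted while allocating {name}")
        block = max(fits, key=lambda b: b.prefixlen)   # smallest usable block
        free.remove(block)
        while block.prefixlen < plen:
            block, spare = block.subnets(prefixlen_diff=1)
            free.append(spare)
        out[name] = str(block)
    return out


if __name__ == "__main__":
    for plen in (64, 56, 48):
        print(f"/{plen} customers in a /32: {customers_per_pool('2001:db8::/32', plen):,}")
    # Constructed customer list: one large business, then residential/SMB.
    for name, prefix in carve("2001:db8::/32", [("bigco", 48), ("home1", 56),
                                                ("shop", 56), ("home2", 56)]).items():
        print(f"{name:6s} {prefix}")
```

The arithmetic is the point of the thread: even handing every residential customer a /56 leaves a single /32 with room for about 16.7 million of them, so the saving from a /64 is not worth the renumbering it invites.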



Re: Fwd: Interesting problems with using IPv6

2014-09-14 Thread Sam Stickland
Slightly off topic, but has there ever been a proposed protocol where hosts
can register their L2/L3 binding with their connected switch (which could
then propagate the binding to other switches in the Layer 2 domain)?
Further discovery requests (e.g. ARP, ND) from other attached hosts could
then all be directly replied, eliminating broadcast gratuitous arps. If the
switches don't support the protocol they would default to flooding the
discovery requests.

It seems to me that so many network problems are caused because of the inability to
change the host mechanisms.

Sam

On Mon, Sep 8, 2014 at 7:30 PM, Christopher Morrow morrowc.li...@gmail.com wrote:

 On Mon, Sep 8, 2014 at 1:28 PM, Barry Shein b...@world.std.com wrote:
 
  Reading the article what occurs to me is:
 
  IPv4 requires a certain amount of administrative personnel overhead.
 
  It's relatively low which is certainly one reason for the success of
  IPv4. People are expensive so any new, pervasive technology will be
  judged at least in part on its personnel requirements.
 
  I'd go so far as to say that administering large IPv4 networks grows
  in personnel roughly as the log of the number of nodes.

 surely this depends a LOT on the quality of the folk doing this job
 and their foresight in automating as much as possible, no? (probably
 this point isn't for debate, but the point is any network can be run
 badly)

  If what this is telling us, or warning us, is that IPv6 networks
  require higher personnel costs then that could become a big issue.

 is this a reflection of 'new technology' to the users (network folk)
 in question?
 What in ipv6 networking is inherently 'more people required' than ipv4
 networking?

 
  Particularly among management where they've become used to a few to
  several people in a team running the heart of quite large networks.
 
  What if IPv6 deployment doubles or triples that personnel requirement
  for the same quality of administration?

 this sounds, to me, like: People need training or comfort with :
 instead of . in 'ip address' stuff... (and other similar differences
 between how v4 and v6 operate at scale)

  Does anyone know of any studies along these lines? My guess is that
  there isn't enough data yet.

 that sounds reasonable.



Re: Verizon Public Policy on Netflix

2014-07-10 Thread Sam Silvester
On Fri, Jul 11, 2014 at 11:10 AM, Miles Fidelman mfidel...@meetinghouse.net
 wrote:

 From another list, I think this puts it nicely (for those of you who don't
 know Brett, he's been running a small ISP for years http://www.lariat.net/
 )

 


Netflix generates huge amounts of wasteful, redundant traffic and then
 refuses to allow ISPs to correct this inefficiency via caching. It fails to
 provide adequate bandwidth for its traffic to ISPs' front doors and then
 blames their downstream networks when in fact they are more than adequate.
 It exercises market power over ISPs (one of the first questions asked by
 every customer who calls us is, How well do you stream Netflix?) in an
 attempt to force them to host their servers for free and to build out
 network connections for which it should be footing the bill. (Netflix told
 us that, if we wanted to improve streaming performance, we should pay
 $10,000 per month for a dedicated link, spanning nearly 1,000 miles, to one
 of its peering points -- just to serve it and no other streaming
 provider.) It then launches misleading PR campaigns against ISPs that dare
 to object to this behavior.

 --Brett Glass


As I see it, Netflix seem to have provided a reasonable set of options to
provide data to an ISP's customers:

- Over a certain volume, they'll provide caches to be hosted within the
eyeball AS
- Under that volume, you can pick it up via peering IXes
- If you don't peer with them anywhere, you can get it via transit

The complaint here seems to be that Netflix won't build out to
any/every/many smaller locations and/or pay to have their caches hosted.
Appreciate that there may be different views, but I'd say Netflix provide a
reasonable set of options here for the smaller ISP. I'd have thought
factoring in the assorted costs to access Netflix content (building to a
mutual peering IX vs. transit vs. the cost to run a local cache) would fall
into the standard sort of analysis you'd make running an ISP same as when
assessing if it makes sense to hosts a Google or Akamai cache.

Sam


Peering Latency

2014-07-03 Thread Sam Norris
Hey all - new to the list but not to the community...

Wondering if this is typical when there is too small of a pipe between peering
arrangements:

From Level3 to Time Warner

 #  ADDRESS        RT1   RT2   RT3   STATUS
 2  4.69.133.206   4ms   4ms   4ms
 3  4.69.153.222   9ms   4ms   4ms
 4  4.69.158.78    8ms   4ms   4ms   (L3)
 5  66.109.9.121   28ms  53ms  29ms  (TWC)   <--
 6  107.14.19.87   30ms  28ms  28ms
 7  66.109.6.213   27ms  28ms  28ms
 8  72.129.1.1     32ms  32ms  32ms
 9  72.129.1.7     27ms  26ms  25ms
10  67.52.158.145  28ms  29ms  31ms

From TWC to Level3

 #  ADDRESS        RT1   RT2   RT3   STATUS
 2  24.43.183.34   5ms   5ms   6ms
 3  72.129.1.14    8ms   8ms   8ms
 4  72.129.1.2     6ms   8ms   8ms
 5  107.14.19.30   7ms   8ms   8ms
 6  66.109.6.4     8ms   8ms   8ms
 7  107.14.19.86   5ms   5ms   5ms
 8  66.109.9.122   34ms  33ms  31ms  (TWC)   <--
 9  4.69.158.65    31ms  30ms  29ms  (L3)
10  4.69.153.221   33ms  33ms  34ms
11  4.69.133.205   32ms  32ms  31ms


I am showing, typically at night, a 20-40ms jump when hopping from Level3 to
Time Warner and back in Tustin, CA.  This does not happen when using Cogent or
other blended providers' bandwidth.   I believe they are probably stuffing too
many bits thru the peering there and wondering what's the best way to prove to
them both (we pay for both) that they need to fix it.

During non-peak traffic times these look normal (sub 10s).

Sam



Re: looking for feedback on virtual/dedicated server providers in latin/south america/UK

2014-02-18 Thread Sam Moats
I have to recommend Linode in the UK, from my experience they have 
their act together and their prices are reasonable.

Sam Moats
Circle Net

On 2014-02-18 12:50, Carlos Kamtha wrote:

Hi,

Just wondering if anyone could share some experiences with
server providers specifically in Argentina, Colombia and Costa Rica,
and pretty much anywhere in the UK region.

Please respond offlist.

Any feedback would be greatly appreciated. :)

Carlos.





Re: carrier comparison

2014-02-06 Thread Sam Moats

+1 Same feeling here.
Sam Moats

On 2014-02-06 16:22, Matthew Crocker wrote:

IMHO  Cogent bandwidth is fine so long as it isn’t your only
bandwidth.  Good, Cheap, Fast,  Pick any two.


--
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710

E: matt...@crocker.com
P: (413) 746-2760
F: (413) 746-3704
W: http://www.crocker.com



On Feb 6, 2014, at 10:17 AM, Adam Greene maill...@webjogger.net wrote:

Hi,

We're a small ISP / datacenter with a Time Warner fiber-based DIA contract
that is coming up for renewal.

We're getting much better pricing offers from Cogent, and are finding out
what Level 3 can do for us as well. Both providers will use Time Warner
fiber for last mile.

My questions are:

-  Will we be sacrificing quality if we spring for Cogent?
(yesterday's Cogent/Verizon thread provided some cold chills for my spine)

-  Is there a risk with contracting a carrier that utilizes another
carrier (such as Time Warner) for the last mile? (i.e. if there is a
downtime situation, are we going to be caught in a web of confusion and
finger-pointing that delays problem resolution)?

-  How are peoples' experiences with L3 vs TWC?

Although I assume everyone on the list would be interested in what others
have to say about these questions, out of respect for the carriers in
question, I encourage you to email frank opinions off list.

Or if there are third party tools or resources you know that I could consult
to deduce the answers to these questions myself, they are most welcome.

Thanks,

Adam







Re: looking for good AU dedicated server providers..

2014-01-31 Thread Sam Hayes Merritt, III


I've used shared hosting from Rimuhosting (www.rimuhosting.com) for years. 
They have dedicated servers in Brisbane. Looks like they are colo'ed with 
Oz Servers.



sam



Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Sam Moats

This might be an interesting example of its (mis)use.
http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%932005
Sam Moats

On 2013-12-30 11:16, Enno Rey wrote:

On Mon, Dec 30, 2013 at 04:03:07PM +, Dobbins, Roland wrote:


On Dec 30, 2013, at 10:44 PM, valdis.kletni...@vt.edu 
valdis.kletni...@vt.edu wrote:


 What percentage of Cisco gear that supports a CALEA lawful
intercept mode is installed in situations where CALEA doesn't apply,
and thus there's a high likelihood that said support is misconfigured
and abusable without being noticed?


AFAIK, it must be explicitly enabled in order to be functional.  It 
isn't the sort of thing which is enabled by default, nor can it be 
enabled without making explicit configuration changes.


at least back in 2007 it could be enabled/configured by SNMP RW
access [see slide 43 of the presentation referenced in this post
http://www.insinuator.net/2013/07/snmp-reflected-amplification-ddos-attacks/]
so knowing the term private might be enough to perform the task remotely.

have a good one

Enno







---
Roland Dobbins rdobb...@arbor.net // 
http://www.arbornetworks.com


  Luck is the residue of opportunity and design.

   -- John Milton






RE: Help me make sense of these traceroutes please

2013-12-27 Thread Sam Moats

Thanks to everyone who responded off list and on.
Sam Moats

On 2013-12-26 11:21, Josephson, Marcus wrote:

Start at slide 50:

This is documented further by the following Nanog presentation.

http://www.nanog.org/meetings/nanog47/presentations/Sunday/RAS_Traceroute_N47_Sun.pdf

-Marcus


-Original Message-
From: Jimmy Hess [mailto:mysi...@gmail.com]
Sent: Wednesday, December 25, 2013 10:28 AM
To: Martin Hotze
Cc: nanog@nanog.org
Subject: Re: Help me make sense of these traceroutes please

On Wed, Dec 25, 2013 at 8:03 AM, Martin Hotze m.ho...@hotze.com 
wrote:


 On 2013-12-25 00:16, Sam Moats wrote:


...


 You are likely seeing the effects of asymmetric routing.
. .. or the effect of passing traffic through NSA infrastructure.



Ah... NSA.   That's probably it.
So much for my theory of a Router virtual chassis  straddling  the
Atlantic.


 or the extra kinetic energy carried by the overseas-bound packet
took longer for the router to absorb and rebound with an ICMP.





But in all seriousness --- what is probably happening here, is  the
result of extra  hops  that don't show up in  traceroute.
MPLS tunnels could well fit the bill.



Other things to consider when latency seems sensitive to destination
IP --- a preceding device in the traceroute might also have multiple
links to the same device;  with one link congested and some form of
IP-based load sharing,  that happens to be the toward-overseas link.




SCNR, #m


--
-JH





Help me make sense of these traceroutes please

2013-12-24 Thread Sam Moats

Hello Nanog community,
I would like to enlist your help with understanding this latency I'm
seeing.


First some background,
I have Level3 circuits in the US and some services in Europe. From
Comcast to the US level3 IPs the performance is excellent. The same
traceroute to Europe is terrible. The strange part is the problem
appears to begin stateside on the same infrastructure that carries the
US traffic.


Here is a trace to one of my IPs in the US from Comcast

Tracing route to 4.30.x.x over a maximum of 30 hops

  1     3 ms     1 ms     1 ms  10.1.1.1
  2    30 ms    29 ms    29 ms  71.62.150.1
  3     9 ms     9 ms     9 ms  xe-0-1-0-32767-sur01.winchester.va.richmond.comcast.net [68.85.71.165]
  4     9 ms    14 ms    10 ms  xe-9-0-3-0-ar02.staplesmllrd.va.richmond.comcast.net [68.86.125.149]
  5    32 ms    30 ms    34 ms  68.86.91.153
  6    36 ms    38 ms    53 ms  23.30.207.98
  7    34 ms    28 ms    33 ms  vlan51.ebr1.Atlanta2.Level3.net [4.69.150.62]
  8    29 ms    28 ms    20 ms  ae-63-63.ebr3.Atlanta2.Level3.net [4.69.148.241]
  9    27 ms    29 ms    30 ms  ae-2-2.ebr1.Washington1.Level3.net [4.69.132.86]
 10    24 ms    30 ms    24 ms  ae-71-71.csw2.Washington1.Level3.net [4.69.134.134]
 11    29 ms    31 ms    39 ms  ae-41-90.car1.Washington1.Level3.net [4.69.149.195]
 12    30 ms    30 ms    29 ms  ae-2-23.edge7.Washington1.Level3.net [4.68.106.238]
 13    38 ms    44 ms    43 ms  4.79.x.x
 14     *        *        *     Request timed out. (My firewall)
 15    39 ms    39 ms    39 ms  4.30.x.x

Trace complete.

Now here is the same computer tracing to a level3 circuit in Ireland.

Tracing route to xxx.yyy.ie [193.1.x.x]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.1.1.1
  2    38 ms    33 ms    25 ms  71.62.150.1
  3    10 ms     9 ms     9 ms  xe-0-1-0-32767-sur01.winchester.va.richmond.comcast.net [68.85.71.165]
  4    14 ms    15 ms    15 ms  xe-9-0-3-0-ar02.staplesmllrd.va.richmond.comcast.net [68.86.125.149]
  5    28 ms    30 ms    30 ms  68.86.95.65
  6    37 ms    37 ms    37 ms  23.30.207.98
  7   118 ms     *      218 ms  vlan51.ebr1.Atlanta2.Level3.net [4.69.150.62]
  8   119 ms   218 ms   119 ms  ae-63-63.ebr3.Atlanta2.Level3.net [4.69.148.241]
  9   221 ms   119 ms   119 ms  ae-2-2.ebr1.Washington1.Level3.net [4.69.132.86]
 10   118 ms   119 ms   118 ms  ae-91-91.csw4.Washington1.Level3.net [4.69.134.142]
 11   119 ms   119 ms   119 ms  ae-92-92.ebr2.Washington1.Level3.net [4.69.134.157]
 12   117 ms   126 ms   120 ms  ae-43-43.ebr2.Paris1.Level3.net [4.69.137.57]
 13   128 ms   118 ms   120 ms  ae-6-6.car1.Dublin3.Level3.net [4.69.148.53]
 14   122 ms   225 ms   124 ms  4.69.148.58
 15   124 ms   118 ms   120 ms  ae-11-11.car1.Dublin1.Level3.net [4.69.136.93]



Notice that the hop from 23.30.207.98 to 4.69.150.62 seems very
respectable at around 30ms for US bound traffic. However when I'm
tracing from the same Comcast network to an IP that is in Europe the
very same hop produces 100ms of latency and about 12% packet loss. Why
does this hop treat traffic differently based on its destination? Is
this some weird result of complex asymmetrical routing or something
else?



I can route around this problem, but it does seem strange and I want to
understand it.


Thanks,
Sam Moats
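The diagnostic in this thread is to line up the same hops in two traces and find where the round-trip time jumps. The Python below is an added example, not code from the thread or from any of the posters: it parses Windows tracert output of the layout shown above, reports the hop with the largest increase in median RTT for each trace, and lists the routers that appear in both traces with their RTT and probe loss in each. The two traces embedded in it are constructed samples with placeholder endpoint addresses (192.0.2.10 and 203.0.113.5), not the original measurements.

```python
"""Locate the hop where a traceroute's latency jumps, and compare two traces hop by hop.

Added example; not code from the NANOG thread. The two traces below are
constructed samples in Windows tracert format with placeholder endpoints.
"""
import re
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple

# One tracert hop line: hop number, three probe columns ("NN ms", "<1 ms" or "*"), target.
_HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+"
    r"(?P<p1>\*|<?\d+ ms)\s+(?P<p2>\*|<?\d+ ms)\s+(?P<p3>\*|<?\d+ ms)\s+"
    r"(?P<target>\S.*?)\s*$"
)


@dataclass
class Hop:
    number: int
    target: str          # "name [a.b.c.d]" or a bare address, as printed
    rtts: List[float]    # probes that were answered, in ms
    lost: int            # probes that timed out ("*")

    @property
    def median_rtt(self) -> Optional[float]:
        return median(self.rtts) if self.rtts else None

    @property
    def address(self) -> str:
        m = re.search(r"\[([^\]]+)\]", self.target)
        return m.group(1) if m else self.target.split()[0]


def parse_tracert(text: str) -> List[Hop]:
    """Parse tracert output; banner and 'Trace complete.' lines are ignored."""
    hops = []
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if not m:
            continue
        rtts, lost = [], 0
        for key in ("p1", "p2", "p3"):
            probe = m.group(key)
            if probe == "*":
                lost += 1
            else:
                rtts.append(float(probe.lstrip("<").split()[0]))
        hops.append(Hop(int(m.group("hop")), m.group("target"), rtts, lost))
    return hops


def largest_jump(hops: List[Hop]) -> Tuple[Optional[Hop], float]:
    """Hop whose median RTT rose the most over the previous answering hop, and by how much."""
    best, best_delta, prev = None, 0.0, None
    for hop in hops:
        cur = hop.median_rtt
        if cur is None:
            continue          # silent hop: compare the next one against the last answer
        if prev is not None and cur - prev > best_delta:
            best, best_delta = hop, cur - prev
        prev = cur
    return best, best_delta


def compare_by_address(base: List[Hop], other: List[Hop]):
    """For routers seen in both traces: (address, median in base, median in other, loss in other)."""
    seen = {h.address: h for h in base}
    return [(h.address, seen[h.address].median_rtt, h.median_rtt, h.lost)
            for h in other if h.address in seen]


# Constructed sample traces (same layout as the posted ones, placeholder endpoints).
TRACE_US = """
Tracing route to 192.0.2.10 over a maximum of 30 hops

  1     3 ms     1 ms     1 ms  10.1.1.1
  2    30 ms    29 ms    29 ms  71.62.150.1
  3     9 ms     9 ms     9 ms  sur01.example.net [68.85.71.165]
  4    36 ms    38 ms    53 ms  23.30.207.98
  5    34 ms    28 ms    33 ms  vlan51.ebr1.Atlanta2.Level3.net [4.69.150.62]
  6    39 ms    39 ms    39 ms  192.0.2.10

Trace complete.
"""
TRACE_EU = """
Tracing route to host.example.ie [203.0.113.5]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.1.1.1
  2    38 ms    33 ms    25 ms  71.62.150.1
  3    10 ms     9 ms     9 ms  sur01.example.net [68.85.71.165]
  4    37 ms    37 ms    37 ms  23.30.207.98
  5   118 ms     *      218 ms  vlan51.ebr1.Atlanta2.Level3.net [4.69.150.62]
  6   124 ms   118 ms   120 ms  203.0.113.5

Trace complete.
"""

if __name__ == "__main__":
    for name, trace in (("US", TRACE_US), ("EU", TRACE_EU)):
        hop, delta = largest_jump(parse_tracert(trace))
        print(f"{name}: biggest jump at hop {hop.number} ({hop.target}): +{delta:.0f} ms")
    for addr, a, b, lost in compare_by_address(parse_tracert(TRACE_US), parse_tracert(TRACE_EU)):
        print(f"{addr}: US {a} ms, EU {b} ms, {lost} lost probe(s) in the EU trace")
```

Medians rather than single probes are compared because ICMP time-exceeded replies come from a router's control plane and jitter independently of the forwarding path; lost probes are counted separately for the same reason, since a hop that rate-limits those replies looks lossy in traceroute without dropping forwarded traffic.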



Re: Help me make sense of these traceroutes please

2013-12-24 Thread Sam Moats

On 2013-12-24 18:55, Jeroen Massar wrote:

On 2013-12-25 00:16, Sam Moats wrote:

Hello Nanog community,
I would like to enlist your help with understanding this latency I'm
seeing.


You are likely seeing the effects of asymmetric routing.


That's what I was thinking too.


[..]

Tracing route to xxx.yyy.ie [193.1.x.x]


www.heanet.ie by chance? :)


Yes they were the owners of the IP I used for the example case and the 
heanet folks are actually totally awesome :-)




Though you could use for instance:
http://planchet.heanet.ie/toolkit/gui/reverse_traceroute.cgi

to do a reverse traceroute, do make sure you force your connectivity to
IPv4 as that host will do IPv6 too. (locally nullrouting the destination
/128 is the trick I use for 'disabling' IPv6 temporarily).

Otherwise the HEANET folks are extremely helpful and clued in, you can
always ask them for help with issues. It is the end-of-year though and
those Irish folks have lots of really good whiskey, Guinness thus you
might have to be patient till the new year.


Also you'd be amazed how many network issues can be solved with a bunch 
of IT folks and an ample supply of Guinness




Alternatively, you could use a tool like 'tracepath' or 'mtr' as those
reports multiple answers to a response and also check for the TTL on the
return packets.

Greets,
 Jeroen


Thanks, this isn't affecting my service now I've worked around it so
it's more a curiosity than anything. It seems really odd to me that the
same L3 edge router would route the ICMP unreachable back to me via
different paths based on the final destination IP of the ICMP echo
packet.


Well, it's Christmas Eve here and the customers are happy so Guinness
seems like the best approach now :-)


Thanks and have a good Holiday,
Sam Moats




Re: do ISPs keep track of end-user IP changes within thier network?

2013-12-17 Thread Sam Moats
That's the day we decided we needed better edge routers :-).. I watched a
modem pool infected with Code Red melt a Cisco 3640. Had to throw a
Linux box in its place while I waited for Cisco equipment.

Sam Moats

On 2013-12-17 09:54, Blake Dunlap wrote:
All I remember from the TNT days is the meltdown when Code Red happened.
Why exactly an access platform should melt down when a worm occurs still
bothers me.

-Blake


On Tue, Dec 17, 2013 at 8:44 AM, vinny_abe...@dell.com wrote:


Dell - Internal Use - Confidential

I personally never ran the Ascend gear (outside of a setting up a
customer's Ascend Superpipe 95 dual ISDN router one time), but I heard that
the TNT gear doubled as space heaters. I remember one facility we were in
that had a catastrophic cooling failure and the temperatures went to insane
levels. Our PM3's happily kept running and never had an issue where I heard
every TNT box in the facility kept rebooting and crashing.

-Vinny

-Original Message-
From: Nick Hilliard [mailto:n...@foobar.org]
Sent: Monday, December 16, 2013 4:22 PM
To: Paul Stewart
Cc: nanog@nanog.org
Subject: Re: do ISPs keep track of end-user IP changes within thier
network?

On 16/12/2013 21:09, Paul Stewart wrote:
 Back in the day (geesh I feel old just saying that), I deployed a lot of
 PM3’s …. Then we moved to Ascend TNT Max stuff - that was very exciting
 back then!

Exciting was just the word for Ascends.  In the mid 90s, I cured lots of
this excitement by putting my ascends on a socket timer which physically
rebooted them a couple of times daily.  The support load dropped off
substantially due to that.

Nick







Re: do ISPs keep track of end-user IP changes within thier network?

2013-12-13 Thread Sam Moats
I still have a soft spot for the Portmasters :-). We had rows of PM2's
with US Robotics 33.6K Sportster modems attached on 8mm tape racks.
Back when a town of 40K people could all connect through 2xT1's and
everyone was happy.

Sam Moats

On 2013-12-13 16:59, Jon Lewis wrote:

On Thu, 12 Dec 2013, Sam Moats wrote:

I'm not sure about the current state of the industry it's been a 
while since I was responsible for an access network. In the past we 
would keep radius logs for about 4 months, these would include the 
username,IP address and yes (to date myself) the caller id of the 
customer at the time.


We used to keep several years worth of RADIUS summary data, which
included username, call end time, duration, IP, NAS-IP, ANI, and DNIS,
except for where the telco wouldn't sell PRI and we had to use CT1,
where those weren't available.  How's that for dating?  :)

Want to go back a little further?

http://www.lewis.org/~jlewis/modems1.jpg

Rack of Sportsters, Digicrap[1] on top, and some Total Control USR
modems on the table/overflow.

[1] That's what I ended up nicknaming Digicom's rackmount modem
chassis as their modems were unreliable (would repeatedly lock up
requiring manual/physical resets and causing major problems for our
hunt group).  We eventually got them to buy it back as they were
unable to resolve their problems.


--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public 
key_





Re: do ISPs keep track of end-user IP changes within thier network?

2013-12-12 Thread Sam Moats
I'm not sure about the current state of the industry, it's been a while
since I was responsible for an access network. In the past we would keep
radius logs for about 4 months, these would include the username, IP
address and yes (to date myself) the caller id of the customer at the
time.


Sam Moats

On 2013-12-12 03:49, Ray Wong wrote:
been a while, but seems like lately it's more a question of how long. ISPs
can be in position where they need to, but as things have consolidated,
seems like they'd really like to forget it as soon as they can. If you've
got a specific case in mind, likely best to find a direct contact and get a
response about policy, even if it has to be off-record. The big ones (like
one I likely shouldn't mention by name unless they do as I don't work for
them) definitely do, at least long enough to handle DMCA requests and other
legal obligations.

-R


On Wed, Dec 11, 2013 at 9:36 PM, Mikael Abrahamsson 
swm...@swm.pp.sewrote:



On Wed, 11 Dec 2013, Carlos Kamtha wrote:

 just a general curiosity question. it's been a long time since I've
 worked at an ISP.

 back then it was non-expiring DHCP leases and in some cases static IP for
 all.. (yes it was long ago..)

 Any feedback would be greatly appreciated..


Yes, it's very common to keep track of what user account/line had what IP
at what time.

--
Mikael Abrahamssonemail: swm...@swm.pp.se







Re: CWDM question

2013-12-12 Thread Sam Roche


RE: OT: Below grade fiber interconnect points

2013-11-14 Thread Sam Roche
Here is a link to a Raycom Fosc that has pigtails and bulkheads in it that I'm
guessing would suit your needs. We use them underground in vaults at various
points where a pedestal doesn't make sense. You need to make sure there is
proper drainage in the vault though.

Without knowing more about the physical facility, it's hard to know for sure 
what you need.

http://www.google.ca/url?sa=trct=jq=esrc=ssource=webcd=10ved=0CGsQFjAJurl=http%3A%2F%2Fwww.raycom.cz%2Fdl2%3Fid_download%3D164ei=KS-FUpm3M-PayAGMkIDQDwusg=AFQjCNGrdt4iDKOmh6CNXG4YtwxZocBJTwbvm=bv.56343320,d.aWccad=rja
 


Sam Roche - Supervisor of Network Operations - Lakeland Networks
sro...@lakelandnetworks.com| Office:  705-640-0086  | Cell: 705-706-2606| 
www.lakelandnetworks.com





-Original Message-
From: Thomas [mailto:grave...@swbell.net] 
Sent: November-14-13 9:17 AM
To: Justin M. Streiner
Cc: nanog@nanog.org
Subject: Re: OT: Below grade fiber interconnect points

Another option is an above ground cabinet.  Many telecoms use them.

Thomas L Graves
Sent from my IPhone 


 On Nov 13, 2013, at 8:04 PM, Justin M. Streiner strei...@cluebyfour.org 
 wrote:
 
 On Wed, 13 Nov 2013, Roy Hockett wrote:
 
 Thank you for comments. Let me clarify the situation.  We have a 
 building that has been a fiber cross connect location and is being 
 demolished.  This location has about 20 fiber cables entering where we 
 patch between fiber paths.  If we relocated these cross connect fields 
 to another building and that building is demolished we have to do this 
 all over again, so the desire was to have an independent facility for 
 the fiber cross connect field, but I am guessing due to aesthetics the below 
 ground vault was selected. We just learned of this selection and thus my 
 query to this group to find others that have dealt with similar situations 
 and if so, experience-based recommendations, and things to be aware of.
 
 If the vault has a controlled environment and access, similar to what you 
 would find inside of a comms room, that's one thing.  If it's more like a 
 typical manhole (damp, dirty, dark, possible temperature extremes, other 
 utilities/hazards), then the only thing that should be in there is a 
 water-tight splice case.  Fiber patches need to be in a clean environment.
 
 Did this project provide any funds for relocation or replacement of the 
 communications facilities that would be lost due to the demolition?  We've 
 gone through this many times on our campus.
 
 jms
 




Re: Automatic abuse reports

2013-11-13 Thread Sam Moats
I expect this from the doofus in $pain_in_the_butt_county but I am
surprised when I see this behavior from large companies and I really don't
understand it. Having a working abuse/response system is beneficial to us
all including the gorillas. There is a cost to us if we're spending
expensive engineering time and network resources to deal with the traffic.
Also there is an intangible effect on our customers' opinion of our service.

The only thing I can think of is that they are making the decisions about
how important their abuse desk is based solely on the cost of running that
desk. They are seeing it as a cost center and not thinking about its long
term benefit to the entire network. I can't think of a way to remove the
incentive for this short term thinking.

If I were the big cheese of the internet?
1. Transit providers would properly implement RFC 2827 filtering facing
their downstream single homed customers. If you only connect to me and I
send you x.x.x.0/24 down your T1 I shouldn't be getting y.y.y.0 traffic
from you. This is easy to do.

2. Tier 1 backbone providers should be willing to de-peer non-responsive
global networks. I've lost faith in regulations to actually curb the flow
but the tier 1 providers may have the leverage to encourage good behavior.
For example if $pain_in_the_butt telco in $pain_in_the_butt country has to
start paying for transit to get to $big_tier_1 then maybe they would clean
up their act. The problem with this is I can't think of a financial way to
get buy-in for this idea from the business types in these companies.

3. There needs to be more responsible network citizenship among the
providers large enough to have an AS number. It's harder to do ingress
filtering if your customers are running BGP; I can see reasonable cases
where a customer might throw traffic at me from source addresses that I
didn't expect. At this point you should require your customers to police
their internal network and be willing to give up on their revenue if they
refuse to do so. Perhaps requiring a 24 hour human response to abuse@
emails as a condition of having an AS from an RIR or as a requirement for
turning up a BGP connection? We expect a good NOC for a peer but care less
about a customer in most cases.

4. Large eyeball networks would see the value in protecting their own
people and would implement RFC2827 as close to their customers as possible.
The sooner you can drop that packet on the floor the better. The giant
zombie bot armies are a pain to them too.

That's all I can think of at 4am, I bet you can see why nobody would ever
appoint me big cheese of the internet.


Sam Moats


Sam Moats


On 2013-11-13 00:57, Hal Murray wrote:

William Herrin b...@herrin.us said:
That's the main problem: you can generate the report but if it's about
some doofus in Dubai what are the odds of it doing any good?


It's much worse than that.

Several 500 pound gorillas expect you to jump through various hoops to report
abuse.  Have you tried reporting a drop box to Yahoo or Google lately?

On top of that, many outfits big enough to own a CIDR block are outsourcing
their mail to Google.  Google has a good spam filter.  It's good enough to
reject spam reports to abuse@hosted-by-google

I wonder what would happen if RIRs required working abuse mailboxes.  There
are two levels of working.  The first is doesn't bounce or get rejected
with a sensible reason.  The second is actually gets acted upon.

If you were magically appointed big-shot in charge of everything, how long
would you let an ISP host a spammer's web site or DNS server or ...?  What
about retail ISPs with zillions of zombied systems?

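Items 1, 3 and 4 of the wish list above all come down to source-address validation at the customer edge. As an added example (not code from the thread, and not any vendor's implementation), here is a Python model of the three usual ways it is done: a static RFC 2827 ingress ACL tied to the prefixes assigned to a single-homed customer port, strict unicast RPF, and loose unicast RPF (both described in RFC 3704). The FIB, interface names and packets are constructed and use documentation prefixes; the interface name `null0` is used here as the convention for a discard route.

```python
"""Ingress source-address validation: a static RFC 2827 ACL beside strict and
loose unicast RPF (RFC 3704), modelled in plain Python.

Added example, not code from the thread or from any vendor. The FIB,
interface names and packets are constructed; prefixes are documentation ranges.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

IPNet = ipaddress.IPv4Network


class Fib:
    """Minimal forwarding table with longest-prefix match."""

    def __init__(self, routes: Sequence[Tuple[str, str]]):
        self.routes: List[Tuple[IPNet, str]] = sorted(
            ((ipaddress.ip_network(p), iface) for p, iface in routes),
            key=lambda r: r[0].prefixlen, reverse=True)   # most specific first

    def lookup(self, addr: str, ignore_default: bool = False) -> Optional[str]:
        ip = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if ignore_default and net.prefixlen == 0:
                continue
            if ip in net:
                return iface
        return None


def rfc2827_ingress_ok(src: str, ingress: str, assigned: Dict[str, List[str]]) -> bool:
    """Static ingress filter: a single-homed customer port may only source its assigned prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in assigned.get(ingress, []))


def urpf_strict_ok(fib: Fib, src: str, ingress: str) -> bool:
    """Strict uRPF: the best route back to the source must leave via the ingress interface."""
    return fib.lookup(src) == ingress


def urpf_loose_ok(fib: Fib, src: str, allow_default: bool = False) -> bool:
    """Loose uRPF: any non-discard route to the source suffices. It blocks bogons and
    unrouted space but not a neighbour's address; strict mode catches that."""
    iface = fib.lookup(src, ignore_default=not allow_default)
    return iface is not None and iface != "null0"


# Constructed edge router: two single-homed customers, a bogon discard route, a default.
FIB = Fib([
    ("198.51.100.0/24", "cust1"),
    ("203.0.113.0/24", "cust2"),
    ("10.0.0.0/8", "null0"),        # discard route for a bogon range
    ("0.0.0.0/0", "transit"),
])
ASSIGNED = {"cust1": ["198.51.100.0/24"], "cust2": ["203.0.113.0/24"]}


def evaluate(src: str, ingress: str) -> Dict[str, bool]:
    """Verdict of each mechanism for one packet arriving on a customer port."""
    return {
        "acl": rfc2827_ingress_ok(src, ingress, ASSIGNED),
        "strict": urpf_strict_ok(FIB, src, ingress),
        "loose": urpf_loose_ok(FIB, src),
    }


if __name__ == "__main__":
    for src in ("198.51.100.7", "203.0.113.9", "10.1.2.3", "192.0.2.50"):
        print(src, "on cust1 ->", evaluate(src, "cust1"))
```

The second packet (a cust2 address arriving on cust1) is the case item 1 describes: loose mode lets it through because a route to the source exists somewhere, so only the static ACL or strict mode satisfies RFC 2827 on a single-homed port. The fourth packet shows the default-route caveat: with the default counted as a valid route, loose mode accepts anything that is not explicitly discarded, which is why `allow_default` is off here.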



Re: Automatic abuse reports

2013-11-13 Thread Sam Moats
There are good guys out there :-), and some are gorilla sized, that's why I
obfuscated the names in my response. No offense intended to the good
ones.

Sam Moats

On 2013-11-13 05:48, Paul Bennett wrote:

I can't speak directly for them, as I'm not an official company
spokesperson, but this conversation has got my dander up enough that I
can't keep my big mouth shut.

I know of at least one 500 pound gorilla (with zillions of retail
customers, and their share of 500 pound gorillas as customers (and
everything in between)) that has a working and effective abuse@
address, one that can and does aggregate and pass on abuse complaints,
and that can and does suspend service over failure to fix. On
occasion, I understand even significant customers have been not just
suspended but terminated over failure to follow the ToS/AUP.

The company in question accepts abuse complaints in ARF, MARF, X-ARF
and IODEF format, among others, and (I cannot emphasize this enough)
does act on them.

Anyone who suggests roundfiling abuse@ complaints is (IMNSHO) actively
working to make the problem worse, not better. Anyone who thinks that
all networks do roundfile abuse@ complaints would seem to be making an
over-generalization.

Note, once again, that these are my opinions, and not my employers',
so much so that I can't even tell you directly who my employer is. Not
that it's hard to find out, but I'm so very much not speaking in an
official capacity here.


--
Paul





Re: Automatic abuse reports

2013-11-13 Thread Sam Moats
Don't have access to a normal PC right now but I agreed with this 
approach so much that I'm typing a response on a 10 button pad.

Sam

On 2013-11-13 21:33, Jimmy Hess wrote:

On Wed, Nov 13, 2013 at 3:46 AM, Sam Moats s...@circlenet.us wrote:

about its long term benefit to the entire network. I can't think of a
way to remove the incentive for this short term thinking.


The end users can, by inquiring about the abuse desk, before
agreeing to sign up for service.

In this manner not having a good abuse desk becomes a cost
center, in the form of suppressed opportunities for future revenue.

Federal entities, etc, when soliciting for proposals from ISPs and
service providers, in addition to the "Must have IPv6 support",
could add a line "Must have a highly-responsive abuse desk/abuse
contact; with 4 professional references from email or network
operators in the industry who have worked with the abuse desk;
must aggregate and report matters of potential abuse or complaints
regarding subscribers' outgoing mail or IP traffic within 3 hours
on average, during business hours and within 5 hours 24x7 ..."
etc...

--
-JH






Re: Automatic abuse reports

2013-11-12 Thread Sam Moats
We used to use a small perl script called tattle that would parse out 
the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, 
lookup the proper abuse contacts and report them. I haven't seen 
anything similar in years but it would be interesting to do more than 
null route IPs.


The problem we had with the automated reporting was dealing with 
spoofed sources, we see lots of traffic that is obviously hostile but 
unless it becomes serious enough to impact performance we rarely report 
it. An automated system didn't seem to fit anymore due to false 
positives.


A number of providers who aren't exactly interested in the overall good
health of the net do a poor job of network ingress filtering, so unless
I closely examine the traffic and its origins I can't be sure of them.
Without being able to trust the source address information in the DDOS
traffic I run the risk of crying wolf to a provider who is just as much a
victim as I am. (Think of my ACK packets piling in his network in response
to the bogus SYN packets I'm getting). So we reserve complaints for when
there is an actual impact and try to keep the signal to noise ratio in our
reports decent.


I'm not really happy with this approach and I'm open to ideas!

Thanks
Sam Moats

On 2013-11-12 16:58, Jonas Björklund wrote:

Hello,

We got often abuse reports on hosts that has been involved in DDOS 
attacks.

We contact the owner of the host help them fix the problem.

I also would like to start send these abuse report to the ISP of the 
source.


Are there any avaliable tools for this? Is there any plugin for 
nfsen?


Do I need to write my own scripts for this?

/Jonas
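The workflow described above (parse the auth log, aggregate by source, look up the abuse contact, report) and the false-positive concern raised with it can be shown in a few dozen lines. The Python below is an added example, not the `tattle` perl script from the thread (that script is not on the page). It parses constructed sshd lines in the /var/log/secure format, counts only "Failed password" events, which sshd logs only after the TCP handshake and SSH key exchange have completed and so cannot be produced by a spoofed source, applies a report threshold, and groups offenders by a prefix-keyed contact table. That table and its mailboxes are placeholders standing in for a WHOIS abuse-contact lookup.

```python
"""Turn sshd authentication failures into per-source, per-contact abuse reports.

Added example; not the 'tattle' perl script from the thread. The log lines,
the contact table and the mailboxes are constructed placeholders.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# 'Failed password' is logged only after the TCP handshake and SSH key exchange
# completed, so the peer really answered from this source address. SYN floods
# and other spoofed traffic never produce this line, which keeps the
# spoofed-source false positives discussed in the thread out of the report.
_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


@dataclass
class SourceStats:
    ip: str
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    first: Optional[str] = None
    last: Optional[str] = None


def parse_auth_log(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Aggregate failed logins per source address."""
    stats: Dict[str, SourceStats] = {}
    for line in lines:
        m = _FAILED.match(line.strip())
        if not m:
            continue            # accepted logins, banner-less probes, unrelated lines
        s = stats.setdefault(m["ip"], SourceStats(m["ip"]))
        s.failures += 1
        s.users.add(m["user"])
        s.first = s.first or m["ts"]
        s.last = m["ts"]
    return stats


def select_offenders(stats: Dict[str, SourceStats], threshold: int = 3) -> List[SourceStats]:
    """Only sources at or above the threshold are reported, to keep the signal-to-noise ratio up."""
    return [s for s in stats.values() if s.failures >= threshold]


def abuse_contact(ip: str, contacts: Dict[str, str]) -> Optional[str]:
    """Longest-prefix lookup in a prefix -> mailbox table (stand-in for a WHOIS query)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, mailbox in contacts.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, mailbox)
    return best[1] if best else None


def build_reports(offenders: List[SourceStats], contacts: Dict[str, str],
                  reporter: str = "noc@example.net") -> Dict[str, str]:
    """One report body per abuse mailbox; sources with no known contact are left for a human."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for s in sorted(offenders, key=lambda s: s.ip):
        contact = abuse_contact(s.ip, contacts)
        if contact is None:
            continue
        grouped[contact].append(
            f"{s.ip}: {s.failures} failed SSH logins between {s.first} and {s.last}; "
            f"usernames tried: {', '.join(sorted(s.users))}")
    header = f"From: {reporter}\nSubject: SSH brute-force attempts from your network\n\n"
    return {c: header + "\n".join(lines) + "\n" for c, lines in grouped.items()}


# Constructed /var/log/secure excerpt (documentation addresses, placeholder host).
SAMPLE_LOG = """\
Nov 12 03:14:07 shell1 sshd[2131]: Failed password for root from 198.51.100.23 port 51422 ssh2
Nov 12 03:14:09 shell1 sshd[2131]: Failed password for root from 198.51.100.23 port 51422 ssh2
Nov 12 03:14:12 shell1 sshd[2140]: Failed password for invalid user admin from 198.51.100.23 port 51430 ssh2
Nov 12 03:14:12 shell1 sshd[2140]: Failed password for invalid user admin from 198.51.100.23 port 51430 ssh2
Nov 12 03:14:13 shell1 sshd[2140]: Failed password for invalid user admin from 198.51.100.23 port 51430 ssh2
Nov 12 03:20:01 shell1 sshd[2201]: Failed password for sam from 203.0.113.8 port 40011 ssh2
Nov 12 03:20:05 shell1 sshd[2201]: Accepted password for sam from 203.0.113.8 port 40011 ssh2
Nov 12 03:25:44 shell1 sshd[2250]: Did not receive identification string from 192.0.2.77
"""
# Placeholder contact table; a real tool would query WHOIS/RDAP for the abuse mailbox.
CONTACTS = {"198.51.100.0/24": "abuse@isp-a.example", "203.0.113.0/24": "abuse@isp-b.example"}

if __name__ == "__main__":
    offenders = select_offenders(parse_auth_log(SAMPLE_LOG.splitlines()))
    for mailbox, body in build_reports(offenders, CONTACTS).items():
        print(f"To: {mailbox}\n{body}")
```

The single mistyped password from 203.0.113.8 stays below the threshold and is never reported, and the banner-less probe from 192.0.2.77 is not counted at all, since sshd cannot attribute a user or password attempt to it; both are the kind of noise the thread warns will get a reporter ignored.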




Re: Automatic abuse reports

2013-11-12 Thread Sam Moats
You're right, they wouldn't get all of the way through. The three way
handshake is great against blind spoofing attacks. That said the
original poster was focused on a DOS event; to do that you really don't
need the full handshake.


I'm not sure if the end goal of whomever we were dealing with was to
DOS us or if it was some screwed up half open syn scans, or my personal
guess it was to generate enough bogus log traffic to hide which
connections were legitimate threats. Either way enough inbound SYN
connections on port 22 would tip over the servers, this was LONG ago
circa 97~99, so the traffic we saw was an effective DOS.


We had inetd calling ssh and also telnet (Change comes slowly and
crypto was painful to implement for us at the time). In our setup inetd
decided to log the sessions both ssh and telnet as soon as the daemon
was called. So even if we didn't do the full session setup the machine
would still log an event for each tcp session.


In hindsight we could have cleaned it up so that it wouldn't log before
completing the handshake or tweaked the perl script to filter them out
but I was a newbie at that point and placing ACLs in my border router to
drop inbound ssh traffic that didn't come from netblocks I expected and
moving off of the default port were the easiest solutions at the time.


Now it would be trivial to set up syslog and sshd to give only the
sessions that complete the handshake, however I'm also not sure how
responsive some of the abuse contacts may be. I'll keep my restrictive
network settings for the time being.


Sam Moats


On 2013-11-12 20:43, William Herrin wrote:

On Tue, Nov 12, 2013 at 4:52 PM, Sam Moats s...@circlenet.us wrote:
We used to use a small perl script called tattle that would parse out the
/var/log/secure on our *nix boxes, isolate the inbound ssh exploits, lookup
the proper abuse contacts and report them. I haven't seen anything similar
in years but it would be interesting to do more than null route IPs.

The problem we had with the automated reporting was dealing with spoofed
sources, we see lots of traffic that is obviously hostile but unless it
becomes serious enough to impact performance we rarely report it. An
automated system didn't seem to fit anymore due to false positives.


Hi Sam,

Out of curiosity -- how does one get a false positive on an ssh
exploit attempt? Does the origin IP not have to complete a 3-way
handshake before it can attempt an exploit?

Regards,
Bill Herrin
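One defender-side way to do the thresholded reporting Sam describes, added here as an example rather than code from the thread or the old tattle script: it counts only sshd "Failed password" lines (which sshd emits after the TCP handshake and SSH key exchange have completed, so the peer address is real, which is Bill's point), skips expected netblocks and sources that also logged in successfully, and only drafts a report once a source crosses a threshold. The log lines, hostnames, netblocks and addresses are constructed samples, and the abuse-contact lookup is left to the caller.

```python
import ipaddress
import re

# Constructed sample lines in /var/log/secure (syslog) format; not real log data.
SAMPLE_LOG = """\
Nov 12 16:01:02 gw sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 12 16:01:03 gw sshd[1235]: Invalid user admin from 203.0.113.7 port 51236
Nov 12 16:01:05 gw sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Nov 12 16:01:09 gw sshd[1236]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 12 16:02:00 gw sshd[1250]: Accepted publickey for sam from 198.51.100.5 port 40000 ssh2
Nov 12 16:02:10 gw sshd[1260]: Failed password for sam from 198.51.100.5 port 40010 ssh2
Nov 12 16:02:11 gw sshd[1261]: Failed password for sam from 198.51.100.5 port 40011 ssh2
Nov 12 16:02:12 gw sshd[1262]: Failed password for sam from 198.51.100.5 port 40012 ssh2
Nov 12 16:03:00 gw in.telnetd[1270]: connect from 192.0.2.9
Nov 12 16:03:01 gw in.telnetd[1271]: connect from 192.0.2.9
Nov 12 16:04:00 gw sshd[1280]: Failed password for root from 192.0.2.50 port 33000 ssh2
Nov 12 16:04:01 gw sshd[1281]: Failed password for root from 192.0.2.50 port 33001 ssh2
Nov 12 16:04:02 gw sshd[1282]: Failed password for root from 192.0.2.50 port 33002 ssh2
"""

# sshd only logs "Failed password" after the TCP handshake and SSH key exchange,
# so the source address cannot have been blindly spoofed.  The preceding
# "Invalid user" line belongs to the same attempt and is deliberately not
# counted, to avoid double-counting.  Bare connection lines (inetd/tcp_wrappers
# style "connect from") say nothing about an authentication attempt and are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(r" sshd\[\d+\]: Accepted \S+ for \S+ from (?P<ip>[\d.]+) port ")


def parse_failures(lines):
    """Group sshd authentication failures by source address.

    Returns {ip: {"count": n, "users": [distinct usernames tried],
                  "first": timestamp, "last": timestamp}}.
    """
    per_ip = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        rec = per_ip.setdefault(
            m.group("ip"),
            {"count": 0, "users": [], "first": m.group("ts"), "last": m.group("ts")},
        )
        rec["count"] += 1
        if m.group("user") not in rec["users"]:
            rec["users"].append(m.group("user"))
        rec["last"] = m.group("ts")
    return per_ip


def accepted_sources(lines):
    """Addresses from which at least one login succeeded."""
    return {m.group("ip") for m in map(ACCEPTED_RE.search, lines) if m}


def report_candidates(lines, threshold=3, expected_nets=()):
    """Sources worth an abuse report: repeated failures, not from our own
    expected netblocks, and not from an address that also logged in fine."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    ok_sources = accepted_sources(lines)
    candidates = []
    for ip, rec in parse_failures(lines).items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue  # expected netblock: handle internally, do not report
        if ip in ok_sources:
            continue  # a real user also succeeded from here: likely fat fingers
        if rec["count"] < threshold:
            continue  # below threshold: keep the signal-to-noise ratio decent
        candidates.append({"ip": ip, **rec})
    return sorted(candidates, key=lambda c: c["count"], reverse=True)


def format_report(candidate, reporter="noc@example.net"):
    """Plain-text report body for one source.  Looking up the abuse contact
    (whois/RDAP) and sending is left to the caller; reporter is a placeholder."""
    return (
        f"Source {candidate['ip']} made {candidate['count']} failed SSH logins "
        f"between {candidate['first']} and {candidate['last']} "
        f"(usernames tried: {', '.join(candidate['users'])}). "
        f"Log excerpts available on request from {reporter}."
    )


def main():
    lines = SAMPLE_LOG.splitlines()
    # 192.0.2.0/24 plays the role of the netblocks we expect ssh from.
    for cand in report_candidates(lines, threshold=3, expected_nets=["192.0.2.0/24"]):
        print(format_report(cand))


if __name__ == "__main__":
    main()
```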




Re: DNS and nxdomain hijacking

2013-11-08 Thread Sam Hayes Merritt, III



Are any of you doing it?


At one time we did.

The money just wasn't worth the hassle.  I kept a close eye on our reports 
and the dollar amounts just kept falling. And IIRC, Google would not team 
with you to do it, you had to redirect to Yahoo or Bing.



sam



RE: BGP failure analysis and recommendations

2013-10-24 Thread Sam Roche
We had a similar issue happen and modified our BGP peering to use one BGP 
session per provider, as we had multiple neighbours for one of our peers. 

It seems to have resolved this particular issue for us.

I would love to hear how others are actively probing their peers' networks using 
an NMS to verify connectivity.


Sam Roche - Supervisor of Network Operations - Lakeland Networks
sro...@lakelandnetworks.com| Office:  705-640-0086  | Cell: 705-706-2606| 
www.lakelandnetworks.com



IT SOLUTIONS for BUSINESS
Fiber Optics, Wireless, DSL Network Provider; I.T. Support; Telephony Hardware 
and Cabling; SIP Trunks, VoIP; Server Hosting; Disaster Recovery Systems


The information contained in this message is directed in confidence solely to 
the person(s) named above and may not be otherwise distributed, copied or 
disclosed.  The message may contain information that is privileged, proprietary 
and/or confidential and exempt from disclosure under applicable law.  If you 
have received this message in error, please notify the sender immediately 
advising of the error and delete the message without making a copy.


-Original Message-
From: Christopher Morrow [mailto:morrowc.li...@gmail.com] 
Sent: October-23-13 11:06 PM
To: JRC NOC
Cc: nanog list
Subject: Re: BGP failure analysis and recommendations

On Wed, Oct 23, 2013 at 10:40 PM, JRC NOC nospam-na...@jensenresearch.com 
wrote:
 Is this just an unavoidable issue with scaling large networks?

nope... sounds like (to me at least) the forwarding plane and control plane are 
non-congruent in your provider's network :( so as you said, if the 
forwarding-plane is dorked up between you and 'the rest of their network', but 
the edge device you are connected to thinks next-hops for routes are still 
valid... oops :(

 Is it perhaps a known side effect of MPLS?

nope.

 Have we/they lost something important in the changeover to converged 
 multiprotocol networks?
 Is there a better way for us edge networks to achieve IP resiliency in 
 the current environment?

sadly I bet not, aside from active probing and disabling paths that are 
non-functional.




Re: Pad 1310nm cross-connects?

2013-10-20 Thread Sam Roche


Re: google / massive problems

2013-10-09 Thread Sam Moats

Works for me from Nova, Level3 and Cogent.
Sam Moats

On 2013-10-09 12:17, Anthony Williams wrote:

Same. Works for me (WashDC/NoVA Area).

-Alby






On 10/9/2013 12:14 PM, Paul Ferguson wrote:

On 10/9/2013 9:00 AM, Blair Trosper wrote:

  Can someone from Google Drive or Gmail contact me off-list?

  The sign in services and applications are outright down trying to use
  them in Chrome.  Trying to contact enterprise support via several numbers
  just results in an immediate disconnect.

I can't speak to enterprise services, but I just logged in to my own
personal GMail account -- with 2 FA -- with no problems, from the Seattle
metro area.

- ferg








RE: Phoenix - Single Mode SFP GBIC

2013-10-07 Thread Sam Roche
Try sfpplus, compufox or fiberstore.com




-Original Message-
From: Chris Cariffe [mailto:ccari...@gmail.com] 
Sent: October 5, 2013 10:20 PM
To: NANOG
Subject: Phoenix - Single Mode SFP GBIC

Any chance someone can help me out with one in the Phoenix area?  Tried Fry's, 
MMF only...
CDW won't get one here till Tuesday.
thanks

-chris



Re: iOS 7 update traffic

2013-09-18 Thread Sam Hayes Merritt, III



We are seeing Akamai traffic up about 100-300% since noon CDT.  Seeing
similar increases from our participants - colleges and universities mainly.


Ours is not so much Akamai as Limelight. Spiked to about 7 times normal.

sam



Re: The US government has betrayed the Internet. We need to take it back

2013-09-07 Thread Sam Moats
I'm sorry if you don't share my view. Personally I think the Patriot 
Act is unconstitutional and CALEA is a tool to enable the total invasion 
of privacy. I think the laws need to be changed, and I want to change 
them. That said, I will not break them and neither will you.


How would/does your company respond to NSLs or subpoenas? Do you comply 
with FCC 499 requirements and with CALEA requirements? I do, and I'm 
betting you will too.


Does it suck? Yea, of course it does, but unless you have a better plan 
for a US based provider I will keep doing what I'm doing.

Sam

On 2013-09-06 18:29, Scot Weeks wrote:

--- s...@circlenet.us wrote:
From: Sam Moats s...@circlenet.us

Their only options are to:

Disobey the law, unacceptable in my opinion

Close down services, noble but I need to eat and you probably want to
keep getting email

Compromise your principles and obey the law, the path often chosen.



So, there's no choice except to get a 5-gallon bucket of gov't-ky
jelly and take it?  So many things come to mind on your flag-waving
emails, I can't think of what to say first.  And believe me, that's
not usual...  ;-)  After a while, you'll become raw and probably
change your mind.

scott




Re: The US government has betrayed the Internet. We need to take it back

2013-09-06 Thread Sam Moats
I believe you are correct, whatever technical hurdles we put in place 
will be overcome by policy. As long as you can legally require me to 
make my network interceptable for lawful purposes and are able to 
prevent me from explaining these purposes to my users, any security that 
I would put in place is effectively neutered.


I give up trying to resist, I am now firmly in the tin foil hat club.

Sam

On 2013-09-06 05:57, Roland Dobbins wrote:

Eugen Leitl eu...@leitl.org wrote:


We engineers built the Internet – and now we have to fix it


Nonsense. This is not a technical issue, it's a socio-political
issue. It's both naive and distracting to try and solve this set of
problems with code and/or silicon, when it must in fact be addressed
within the civic arena.

There are no purely technical solutions to social ills.  Schneier of
all people should know this.


---
Roland Dobbins rdobb...@arbor.net




Re: The US government has betrayed the Internet. We need to take it back

2013-09-06 Thread Sam Moats
True I shot from the hip, he does address the concerns later. I'm used 
to implementing technologies to solve security problems. It's just damn 
frustrating to have your hands tied in such a way that you can not and 
that's the position that I see myself and most other network ops in.


Our customers decided at the ballot box that they didn't want 
protection and it was acceptable to entrust their privacy to the system. 
They seem to forget that decision when they ask if they are vulnerable 
to this type of intercept and what they can do about it. The answer is 
not much because I will not and can not break the law, it's unethical 
and wrong. I will encourage people to seek to change the laws to 
encourage true end to end security but the odds of that happening are 
near 0.

Sam

On 2013-09-06 06:47, John S. Quarterman wrote:

On 2013-09-06 05:57, Roland Dobbins wrote:


 There are no purely technical solutions to social ills.  Schneier of
 all people should know this.


Schneier does know this, and explicitly said this.

-jsq



http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

Three, we can influence governance. I have resisted saying this up to now,
and I am saddened to say it, but the US has proved to be an unethical
steward of the internet. The UK is no better. The NSA's actions are
legitimizing the internet abuses by China, Russia, Iran and others. We
need to figure out new means of internet governance, ones that make it
harder for powerful tech countries to monitor everything. For example,
we need to demand transparency, oversight, and accountability from our
governments and corporations.

Unfortunately, this is going to play directly into the hands of totalitarian
governments that want to control their country's internet for even more
extreme forms of surveillance. We need to figure out how to prevent that,
too. We need to avoid the mistakes of the International Telecommunications
Union, which has become a forum to legitimize bad government behavior,
and create truly international governance that can't be dominated or
abused by any one country.

Generations from now, when people look back on these early decades of
the internet, I hope they will not be disappointed in us. We can ensure
that they don't only if each of us makes this a priority, and engages in
the debate. We have a moral duty to do this, and we have no time to lose.

Dismantling the surveillance state won't be easy. Has any country that
engaged in mass surveillance of its own citizens voluntarily given up
that capability? Has any mass surveillance country avoided becoming
totalitarian? Whatever happens, we're going to be breaking new ground.

Again, the politics of this is a bigger task than the engineering, but
the engineering is critical. We need to demand that real technologists
be involved in any key government decision making on these issues. We've
had enough of lawyers and politicians not fully understanding technology;
we need technologists at the table when we build tech policy.

To the engineers, I say this: we built the internet, and some of us have
helped to subvert it. Now, those of us who love liberty have to fix it.




RE: The US government has betrayed the Internet. We need to take it back

2013-09-06 Thread Sam Moats

+1 I couldn't have said it any better.
Sam

On 2013-09-06 10:27, Naslund, Steve wrote:

The error in this whole conversation is that you cannot take it
back as an engineer.  You do not own it.  You are like an architect
or carpenter and are no more responsible for how it is used than the
architect is responsible that the building he designed is being used
as a crack house.  Do Ford engineers have a social contract to
ensure that I do not run over squirrels with my Explorer, will they
take it back if I do so?  The whole social contract argument is
ridiculous.  You have a contract (or most likely an at will
agreement) with your employer to build what they want and operate it
in the way that they want you to.  If it is against your ethics to do
so, quit.  The companies that own the network have a fiduciary
responsibility to their investors and a responsibility to serve their
customers.  If anyone is really that bent out of shape by the NSA
tactics (and I am not so sure they are given the lack of political
backlash) here is what you can do.

In the United States there are two main centers of power that can
affect these policies, the consumer and the voter.

1.  We vote in a new executive branch every four years.  They control
and appoint the NSA director.  Vote them out if you don't like how
they run things.  Do you think a President wants to maintain power?
Of course they do and they will change a policy that will get them
tossed out (if enough people actually care).

2.  The Congress passes the laws that govern telecom and intelligence
gathering.  They also have the power to impeach and/or prosecute the
executive branch for misdeeds.  They will pass any law or do whatever
it takes to keep themselves in power.  Again this requires a lot of
public pressure.

3.  The companies that are consenting to monitoring (legal or
illegal) are stuck between two powers.  The federal government's power
to regulate them and the investors / consumers they serve.  Apparently
they are more scared of the government even though the consumer can
put them out of business overnight by simply not using their product
any more.  If everyone cancelled their gmail accounts, stopped using
Google search, and stopped paying for Google placement and ads, their
stock would go to zero nearly overnight.  Again, no one seems to care
about the issue enough to do this because I have seen no appreciable
backlash against these companies.

If a social contract exists at all in the United States, it would be
to hold your government and the companies you do business with to your
ethical standards.  Another thing to remember is that the NSA
engineers were probably acting under their "social contract" to defend
the United States from whatever enemies they are trying to monitor and
also felt they were doing the right thing.  The problem with "social
contracts" is that they are relative.

As far as other countries are concerned, you can affect their
policies as well.  US carriers are peered with and provide transit to
Chinese companies.  If the whole world is that outraged with what they
do, they just need to pressure the companies they do business with not
to do business with China.

Steven Naslund
Chicago IL

-Original Message-
From: Jorge Amodio [mailto:jmamo...@gmail.com]
Sent: Friday, September 06, 2013 8:51 AM
To: NANOG
Subject: Re: The US government has betrayed the Internet. We need to
take it back

 The US government has betrayed the Internet. We need to take it back

 Who is we ?

If you bothered to read the 1st paragraph you would know.



I read all of it, the original article and other references to it.

IMHO, there is no amount of engineering that can fix stupid people
doing stupid things on both sides of the stupid lines.

By trying to fix what is perceived an engineering issue (seems that
China doing the same or worse for many years wasn't an engineering
problem) the only result you will obtain is a budget increase on the
counter-engineering efforts, that may represent a big chunk of money
that can be used in more effective ways where it is really needed.

My .02
-J





Re: The US government has betrayed the Internet. We need to take it back

2013-09-06 Thread Sam Moats
I don't suggest a riot. I do believe in the rule of law; as a member of 
a democracy I need to accept that I will not always agree with the laws 
that are enacted. If we lived in China or somewhere else where there was 
no method to change laws that were unfair or unjust, then yea, I would 
support the civil disobedience approach wholeheartedly.


I do love my country, always have, and I firmly believe in the concept 
of government by the consent of the governed. These rules were made by 
the people we chose; perhaps these were bad choices, but they were our 
collective choices.

Perhaps we should educate our user base so that in the future they make 
better choices. I suggest, in an only half snarky way, that we just push 
out the standard DOD warning banner to them all. Since it now seems to 
apply...

Below is a sample banner (IS is information System)

By using this IS (which includes any device attached to this IS), you 
consent to the following conditions:


-The USG routinely intercepts and monitors communications on this IS 
for purposes including, but not limited to, penetration testing, COMSEC 
monitoring, network operations and defense, personnel misconduct (PM), 
law enforcement (LE), and counterintelligence (CI) investigations.


-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are 
subject to routine monitoring, interception, and search, and may be 
disclosed or used for any USG authorized purpose.


-This IS includes security measures (e.g., authentication and access 
controls) to protect USG interests--not for your personal benefit or 
privacy.


-Notwithstanding the above, using this IS does not constitute consent 
to PM, LE or CI investigative searching or monitoring of the content of 
privileged communications, or work product, related to personal 
representation or services by attorneys, psychotherapists, or clergy, 
and their assistants. Such communications and work product are private 
and confidential.



Sam


On 2013-09-06 10:14, Ishmael Rufus wrote:

So when do we riot? I've been waiting for months now.


On Fri, Sep 6, 2013 at 8:50 AM, Jorge Amodio jmamo...@gmail.com 
wrote:


  The US government has betrayed the Internet. We need to take it back

  Who is we ?

 If you bothered to read the 1st paragraph you would know.


I read all of it, the original article and other references to it.

IMHO, there is no amount of engineering that can fix stupid people doing
stupid things on both sides of the stupid lines.

By trying to fix what is perceived an engineering issue (seems that China
doing the same or worse for many years wasn't an engineering problem) the
only result you will obtain is a budget increase on the counter-engineering
efforts, that may represent a big chunk of money that can be used in more
effective ways where it is really needed.

My .02
-J






Re: The US government has betrayed the Internet. We need to take it back

2013-09-06 Thread Sam Moats
This is part of the purpose behind the separation of powers between 
executive, legislative and judicial. William Pitt wrote "Unlimited power 
is apt to corrupt the minds of those who possess it". As such, constraints 
are needed and in place.

We expect politicians to cheat, lie, be stupid and self serving, because 
we like people who tell us what we want to hear and most of us vote for 
people that we like. They do not have to be wise, or even competent.


Personally I think most of the fault currently lies with the judicial 
side. These laws were enacted as a knee jerk reaction to an event. I can 
understand the passions of people at that time because I shared them; 
however, the courts are supposed to be a bulwark against this very kind 
of rash action. These men and women are supposed to be well educated in 
the fundamental concepts that constructed our republic and appointed to 
terms that prevent them from worrying about the political whims of the 
time.




Sam


On 2013-09-06 10:55, Royce Williams wrote:
On Fri, Sep 6, 2013 at 6:27 AM, Naslund, Steve snasl...@medline.com wrote:


[snip]

1.  We vote in a new executive branch every four years.  They control and
appoint the NSA director.  Vote them out if you don't like how they run
things.  Do you think a President wants to maintain power?  Of course they
do and they will change a policy that will get them tossed out (if enough
people actually care).


2.  The Congress passes the laws that govern telecom and intelligence
gathering.  They also have the power to impeach and/or prosecute the
executive branch for misdeeds.  They will pass any law or do whatever it
takes to keep themselves in power.  Again this requires a lot of public
pressure.

Historically speaking, I'm not convinced that a pure political solution
will ever work, other than on the surface.  The need for surveillance
transcends both administrations and political parties.  Once the newly
elected are presented with the intel available at that level, even their
approach to handling the flow of information and their social interaction
have to change in order to function.

Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's
a pretty quick read, with many layers of important observations. (It's
Mother Jones, but this content is apolitical):

http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-knowledge

I think that Schneier's got it right.  The solution has to be both
technical and political, and must optimize for two functions: catch the bad
guys, while protecting the rights of the good guys.

When the time comes for the political choices to be made, the good
technical choices must be the only ones available.

Security engineering must pave the way to the high road -- so that it's the
only road to get there.

Royce





Re: The US government has betrayed the Internet. We need to take it back

2013-09-06 Thread Sam Moats
The problem being is when you do have a provider that appears to be 
secure and out of reach, think lavabit, that provider will not survive 
for long.

The CALEA requirements and Patriot Act provisions will force them into 
compliance. Their only options are to:
Disobey the law, unacceptable in my opinion
Close down services, noble but I need to eat and you probably want to 
keep getting email
Compromise your principles and obey the law, the path often chosen.

Sam Moats

On 2013-09-06 13:20, Nicolai wrote:

On Fri, Sep 06, 2013 at 02:27:32PM +, Naslund, Steve wrote:

If everyone cancelled their gmail accounts, stopped using Google search,
and stopped paying for Google placement and ads, their stock would go to
zero nearly overnight.  Again, no one seems to care about the issue
enough to do this because I have seen no appreciable backlash against
these companies.


I think Joe 6mbps sitting at home reads that everything he uses has been
subverted.  He doesn't know what alternatives exist, and doesn't have
the technical knowledge necessary to find them on his own.  And faced
with a false choice -- stop using the Internet, or continue using it as
he knows how -- he chooses the one that retains his ability to
communicate with family and friends and keep up on the things he cares
about.

Schneier is saying we need to build better options for Joe 6mbps,
competing with the PRISM-compatible services, so that privacy-respecting
services become known and commonplace.

Nicolai





Re: Parsing Syslog and Acting on it, using other input too

2013-08-29 Thread Sam Moats

My view on splunk,
+1 if you intend to have a human act on the reports, it does an 
excellent job of reducing huge amounts of audit data into the valuable 
bits.
-1 Seemed to be a pita to integrate with my scripting environment. I 
ended up kludging wget, awk and telnet together in a totally undignified 
way to make it reach out and act on something.


+2 Customizable ingestion/parsing, I'm feeding everything from linux 
audit data to weird proprietary serial output from a multiplexer into 
it.
-1 Proprietary database. I would have liked to see an SQL plugin for 
data storage; I would like the data in MySQL/Oracle so that I can use 
other tools on it easily, but no joy from Splunk.


+1 Free demo. You can download an eval version that is rate limited and 
cripples itself after a fixed time.
-1 because the license costs are a bit high if you're moving lots of data 
through it



Sam Moats
On 2013-08-29 09:10, Jason Biel wrote:
You should look into SPLUNK (http://www.splunk.com/), it will collect/store
your syslog data and you can run customized reports and then act on them.



On Thu, Aug 29, 2013 at 8:03 AM, Kasper Adel karim.a...@gmail.com wrote:



Hello.

I am looking for a way to do proactive monitoring of my network, what I am
specifically thinking about is receiving syslog msgs from the routers and
the backend engine would correlate certain msgs with output/data that i am
receiving through SSH/telnet sessions. What i am after is not exposed to
SNMP so i need to do it on my own.


I am sure there are many tools that can do parsing of syslog and acting
upon it but i wonder if there is something more flexible out there that I
can just re-use to do the above ? Please point me to known public or
home-grown scripts in use to achieve this.

Regards,

Sam






Feds snooping and FCC 477 and FCC 499 forms and 214 licenses

2013-08-01 Thread sam
Good Morning Nanog List,
I'm not normally the tinfoil hat type, however I do want to know
other operators' opinions on the FCC 477, 499 and the 214 license
requirements in light of the recent revelations.
Do you think the info is actually for the stated purposes? I'm trying
hard not to become a member of the tin foil club but it's getting harder
each day.

Thanks.
Sam

* Moderators please delete the copy of this I sent from s...@circlenet.us.





Re: Security over SONET/SDH

2013-06-26 Thread sam
Well put, and point taken :-).
Sam

 On Jun 25, 2013, at 6:34 PM, s...@wwcandt.com wrote:

 I believe that if you encrypted your links sufficiently that it was
 impossible to siphon the wanted data from your upstream the response
 would
 be for the tapping to move down into your data center before the crypto.

 With CALEA requirements and the Patriot Act they could easily compel you
 to give them a span port prior to the crypto.

 The value here isn't preventing insert federal agency from getting the
 data, as you point out there are multiple tools at their disposal, and
 they will likely compel data at some other point in the stack.  The value
 here is increasing the visibility of the tapping, making more people aware
 of how much is going on.  Forcing the tapping out of the shadows and into
 the light.

 For instance if my theory that some cables are being tapped at the landing
 station is correct, there are likely ISP's on this list right now that
 have transatlantic links /and do not know that they are being tapped/.  If
 the links were encrypted and they had to serve the ISP directly to get the
 unencrypted data or make them stop encrypting, that ISP would know their
 data was being tapped.

 It also has the potential to shift the legal proceedings to other courts.
 The FISA court can approve tapping a foreign cable as it enters the
 country in near perfect, unchallengeable secrecy.  If encryption moved
 that to be a regular federal warrant under CALEA there would be a few more
 avenues for challenging the order legally.

 People can't challenge what they don't know about.

 --
Leo Bicknell - bickn...@ufp.org - CCIE 3440
 PGP keys at http://www.ufp.org/~bicknell/










Re: Security over SONET/SDH

2013-06-25 Thread sam
Even if your crypto is good enough end to end CALEA will require you to
hand over the keys and/or put in a backdoor if you have a US nexus.

From Wikipedia
http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

USA telecommunications providers must install new hardware or software, as
well as modify old equipment, so that it doesn't interfere with the
ability of a law enforcement agency (LEA) to perform real-time
surveillance of any telephone or Internet traffic. Modern voice switches
now have this capability built in, yet Internet equipment almost always
requires some kind of intelligent Deep Packet Inspection probe to get the
job done. In both cases, the intercept-function must single out a
subscriber named in a warrant for intercept and then immediately send some
(headers-only) or all (full content) of the intercepted data to an LEA.
The LEA will then process this data with analysis software that is
specialized towards criminal investigations.

All traditional voice switches on the U.S. market today have the CALEA
intercept feature built in. The IP-based soft switches typically do not
contain a built-in CALEA intercept feature; and other IP-transport
elements (routers, switches, access multiplexers) almost always delegate
the CALEA function to elements dedicated to inspecting and intercepting
traffic. In such cases, hardware taps or switch/router mirror-ports are
employed to deliver copies of all of a network's data to dedicated IP
probes.

Probes can either send directly to the LEA according to the industry
standard delivery formats (c.f. ATIS T1.IAS, T1.678v2, et al.); or they
can deliver to an intermediate element called a mediation device, where
the mediation device does the formatting and communication of the data to
the LEA. A probe that can send the correctly formatted data to the LEA is
called a self-contained probe.

In order to be compliant, IP-based service providers (Broadband, Cable,
VoIP) must choose either a self-contained probe (such as made by
IPFabrics), or a dumb probe component plus a mediation device (such as
made by Verint), or they must implement the delivery of correctly formatted
data for a named subscriber on their own.



 Link encryption isn't to protect the contents of the user's
 communication. There is no reason for users to trust their
 ISP more than a national institution full of people vetted
 to the highest level.

 What link encryption gets the user is protection from traffic
 analysis from parties other than the ISP.

 You've seen in the NSA documents how highly they regard this
 traffic analysis. I'd fully expect the NSA to collect it by
 other means.

 -glen

 --
 Glen Turner http://www.gdt.id.au/~gdt/





Re: Security over SONET/SDH

2013-06-25 Thread sam
The sticky problem remains for any communications carrier, we are looking
for a technical solution to a legal problem.

I believe that if you encrypted your links sufficiently that it was
impossible to siphon the wanted data from your upstream the response would
be for the tapping to move down into your data center before the crypto.

With CALEA requirements and the Patriot Act they could easily compel you
to give them a span port prior to the crypto.

Regardless of how well built our networks are internally and externally we
still must obey a court order.

Sam



 --- morrowc.li...@gmail.com wrote:
 From: Christopher Morrow morrowc.li...@gmail.com
 On Tue, Jun 25, 2013 at 2:02 PM, William Allen Simpson
 william.allen.simp...@gmail.com wrote:

 :: ...in addition to everything else What security protocols
 :: are folks using to protect SONET/SDH?  At what speeds?

 : Correct.

 : But the answer appears to be: none.  Not Google.  Not any
 : public N/ISP.


 would they say if they had?
 ---


 Yes, especially in light of the current news regarding
 internet privacy.  Could you imagine the advertising
 they'd be able to do to prospective customers?

 scott




A spoof film about networking

2013-05-04 Thread Sam Stickland
Apologies for the off-topic post, but I thought some of you might get
enjoyment out of this...

After four and a half years and around 5,000 man hours we finally
finished our feature film comedy about networking. If nothing else I
think this must be the only film in existence that has eight CCIEs in
the cast!

I'll keep this brief. There's a two minute trailer here:
http://www.youtube.com/watch?v=9t3B3hBXKCc

And the full film (one hour long) is here:
http://www.youtube.com/watch?v=07H0ci7-OMw

We now return to your regular scheduled programming...

Sam



Re: need help about free bandwidth graph program

2013-04-08 Thread Sam Hayes Merritt, III



Do you know any opensource program bandwidthgraph by ipaddess?


What are you trying to accomplish?

sam



Re: Verizon DSL moving to CGN

2013-04-07 Thread Sam Hayes Merritt, III


MAP is all about stateless (NAT64 or Encapsulation) and IPv6 enabled
access. MAP makes much more sense in any SP network having its internet
customers do IPv4 address sharing and embrace IPv6.


What may make 'much more sense' in one network, doesn't necessarily make
as much sense in another network. As I understand it, MAP requires at
least a software change on existing CPE, if not wholesale CPE change. 
Some providers may prefer to implement CGN instead if the capital outlay 
is less (and providing new CPE to customers through walkins or truck rolls 
can be problematic).


Our plan for my company at this time is to deploy native IPv4+IPv6 to 
all customers. While we are doing that, continue discussions and testing 
with CGN providers so that when we are unable to obtain any more IPv4
addresses, we can then deploy CGN. Our hope is that we never get to the 
point of having to go CGN but we have to be ready in case that day comes 
and have our implementation and opt-out (if available) processes ready.



What devices does Cisco support MAP on? Specifically, does the DPC3827 
support it?



sam
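As an added illustration of the stateless address sharing MAP relies on (example code written for this page, not code from the thread or from any vendor's MAP implementation): RFC 7597's port-set algorithm gives each subscriber sharing a public IPv4 address a PSID of k bits, so 2^k subscribers share the address, and an offset a (default 6) keeps the system ports 0-1023 out of every subscriber's set. The inverse lookup matters operationally: once addresses are shared, an abuse report or intercept request can only be tied to a subscriber with the (address, port, time) triple rather than the address alone. The sharing ratio and helper names below are assumptions for the demo.

```python
"""Stateless port sharing as used by MAP (RFC 7597, section 5.1).

Added example for this page; not code from the thread or from any
MAP implementation. Parameter values in the demo are assumptions.
"""


def map_port_set(psid: int, psid_len: int, offset: int = 6) -> list[int]:
    """Return every port owned by `psid` for a PSID of `psid_len` bits.

    Port layout (16 bits, MSB first):  A (offset bits) | PSID | M
    A = 0 is skipped when offset > 0 so the system ports are never
    handed to a subscriber; M enumerates the contiguous ports in a block.
    """
    if psid_len < 0 or offset < 0 or psid_len + offset > 16:
        raise ValueError("offset + psid_len must be between 0 and 16")
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("PSID does not fit in psid_len bits")
    m = 16 - offset - psid_len          # bits left for contiguous ports
    a_start = 1 if offset > 0 else 0
    ports = []
    for a in range(a_start, 1 << offset):
        base = (a << (16 - offset)) | (psid << m)
        ports.extend(range(base, base + (1 << m)))
    return ports


def psid_for_port(port: int, psid_len: int, offset: int = 6) -> int:
    """Inverse mapping: which PSID a source port belongs to.

    This is the lookup an abuse desk or intercept system needs, because
    with address sharing an IPv4 address alone no longer identifies a
    subscriber; the (address, port, timestamp) triple does (RFC 6302).
    """
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    m = 16 - offset - psid_len
    return (port >> m) & ((1 << psid_len) - 1)


def port_sets_disjoint(psid_len: int, offset: int = 6) -> bool:
    """Sanity check: no port is handed to two subscribers."""
    seen = set()
    for psid in range(1 << psid_len):
        for p in map_port_set(psid, psid_len, offset):
            if p in seen:
                return False
            seen.add(p)
    return True


if __name__ == "__main__":
    # Assumed deployment: 16 subscribers per IPv4 address (k = 4), a = 6.
    K = 4
    for psid in range(1 << K):
        ports = map_port_set(psid, K)
        print(f"PSID {psid:2d}: {len(ports)} ports, first block {ports[0]}-{ports[63]}")
    print("disjoint:", port_sets_disjoint(K))
    print("port 1088 belongs to PSID", psid_for_port(1088, K))
```

With k = 4 and a = 6 each subscriber gets 63 blocks of 64 ports (4032 in total) and the 1024 system ports are left unassigned; the same arithmetic, run in the other direction, is what a CGN or MAP operator's logging has to make possible for every abuse or lawful-intercept request.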



Re: How to get DID local numbers (IP Telephony)

2012-12-05 Thread sam
I'm not sure about the license that you may need (IANAL), but you can get
DIDs from a number of resellers. I use http://www.voxbeam.com/, Level3
http://www.level3.com, and Vitelity http://www.vitelity.com

Hope that helps.

Sam Moats







 Hi there,

 Can someone explain to me how I can get a block of DIDs (telephony numbers)?
 For example I need 200 numbers. Is there a special organization, or must I buy
 them somewhere?
 What are the rules for the USA (NY) about providing telephony? Should I have a
 licence to sell IP telephony?

 Thanks. 



Re: [tor-talk] William was raided for running a Tor exit node. Please help if you can.

2012-11-30 Thread Sam Tetherow

On 11/30/2012 03:30 PM, Naslund, Steve wrote:

WAIT A SECOND HERE!?!?

I just read below that this guy runs a large ISP in Austria.  I thought
his Tor node was hosted with an external provider.  If he runs the ISP,
why would he not host his own server in house?  I suppose there are
reasons but I can't think of one, especially if you feel so strongly
about this being your right.

He talks about moving it to another ISP in the article interviewing him.
How about moving it to the large ISP you run?

If he runs a large ISP he must not be very good at it if he needs our
donations to help him defend himself from a crime he has not been
charged with yet.  Most of the guys I know that run large ISPs have
legal guys available to them.  They could also come up with 1EUR if
necessary.

What is he going to do with this money if no charges are filed and they
give his gear back?  If he believes that he is innocent of any crime
then he should be confident they won't find anything to charge him with,
right?


If convicted i could face up to 6 years in jail, of course i do not
want that and i also want to try to set a legal base for running Tor
exit nodes in Austria or even the EU.


Six years in jail for what?  They didn't arrest you yet.  How do you
know what the charges are?  The cops must not be too worried about the
Tor node if they did not seize it.  They seem a lot more interested in
his personal storage devices.  He seems to have a lot of data at home,
not illegal (possibly) but I am wondering what it all might be.  The
cops have a lot of looking around ahead of them.  Seems awful worried
for a guy who claims to be innocent.  I am wondering why he seems so
sure he will be charged that he is building a legal defense fund before
being arrested.



Sadly we have nothing like the EFF here that could help me in this
case by legal assistance, so i'm on my own and require a good

lawyer.

Thus i'm accepting donations for my legal expenses which i expect to
be around 5000-1 EUR.

So you know how much it costs to defend a case with unknown charges and
without knowing if you will be arrested yet?!?!?!

This whole thing sounds flakier with every new detail.

Steven Naslund

-Original Message-
From: Eugen Leitl [mailto:eu...@leitl.org]
Sent: Friday, November 30, 2012 1:25 AM
To: NANOG list
Subject: Re: [tor-talk] William was raided for running a Tor exit node.
Please help if you can.

- Forwarded message from Asad Haider a...@asadhaider.co.uk -

From: Asad Haider a...@asadhaider.co.uk
Date: Thu, 29 Nov 2012 19:37:24 +
To: tor-t...@lists.torproject.org
Subject: Re: [tor-talk] William was raided for running a Tor exit node.
Please help if you can.
Reply-To: tor-t...@lists.torproject.org

William will be posting a statement soon which will explain everything
that's happened and give a detailed account of events, along with
evidence including pictures showing the aftermath of the raid in his
apartment, as well as copies of the warrant and inventory of seized
items.

He runs a large ISP in Austria and is a well respected member of the
community, a lot of us have already sent in donations.

His blog is https://rdns.im/ and I'm guessing the statement will be
posted on there, I'll send everyone a link once it's finished being
written.

On 29 November 2012 19:22, Eugen Leitl eu...@leitl.org wrote:


- Forwarded message from Emily Ozols win...@team-metro.net -

From: Emily Ozols win...@team-metro.net
Date: Fri, 30 Nov 2012 01:14:08 +1100
To: nanog@nanog.org
Subject: Re: William was raided for running a Tor exit node. Please

help if

 you can.

Hi,

I gotta ask and I'm sure someone would if I didn't, but how do we know
this guy is legit?
He's jumped up on a forum saying, "Hey, police raided me, help. gib
mone plz" and failed to provide any reason as to how he's real and not
just making it up.

Maybe if there's a way to know this guy is legit, I'll help out if
possible, but until then I'm just going to watch others with caution
and I suggest others do as well.

On Fri, Nov 30, 2012 at 12:04 AM, Chris cal...@gmail.com wrote:

I'm not William and a friend pasted a link on IRC to me. I'm going
to send him a few bucks because I know how it feels to get
blindsided by the police on one random day and your world is turned

upside down.

Source:

http://www.lowendtalk.com/discussion/6283/raided-for-running-a-tor-exi
t-accepting-donations-for-legal-expenses

 From the URL:

Yes, it happened to me now as well - Yesterday i got raided for
someone sharing child pornography over one of my Tor exits.
I'm good so far, not in jail, but all my computers and hardware have
been confiscated.
(20 computers, 100TB+ storage, My Tablets/Consoles/Phones)

If convicted i could face up to 6 years in jail, of course i do not
want that and i also want to try to set a legal base for running Tor
exit nodes in Austria or even the EU.

Sadly we have nothing like the EFF here that could help me in this
case by legal 

Re: Operation Ghost Click

2012-04-27 Thread Sam Tetherow

On 04/26/2012 05:00 PM, Andrew Latham wrote:

On Thu, Apr 26, 2012 at 5:57 PM, Kyle Creyts kyle.cre...@gmail.com wrote:

http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

On Apr 26, 2012 5:48 PM, Leigh Porter leigh.por...@ukbroadband.com
wrote:


On 26 Apr 2012, at 22:47, Andrew Latham lath...@gmail.com wrote:


On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart jer...@mompl.net wrote:

Yes its a major problem for the users unknowingly infected.  To them
it will look like their Internet connection is down.  Expect ISPs to
field lots of support s

Is there a list of these temporary servers so I can see what customers are
using them (indicating infection) and head off a support call with some
contact?

--
Leigh

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255


Or for those that don't want to do the math, here they are in CIDR notation

85.255.112.0/20
67.210.0.0/20
93.188.160.0/21
77.67.83.0/24
213.109.64.0/20
64.28.176.0/20
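The range-to-CIDR conversion above, and the check Leigh asked for (which customers are still pointed at those resolvers), as an added example written for this page rather than code from the thread: the address ranges are the ones posted, the flow records are constructed for the demo, and the "src dst dport" record format is an assumption, not any collector's real export format.

```python
"""Turn the posted resolver ranges into prefixes and flag clients using them.

Added example for this page. ROGUE_RANGES are the ranges listed in the
thread; SAMPLE_FLOWS is constructed and its "<src> <dst> <dport>" layout
is an assumption about the flow export, not a real product format.
"""
import ipaddress
from typing import Iterable

ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def ranges_to_cidr(ranges) -> list:
    """Minimal list of CIDR prefixes covering each first-last range exactly."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


ROGUE_NETS = ranges_to_cidr(ROGUE_RANGES)


def is_rogue_resolver(ip: str, nets=ROGUE_NETS) -> bool:
    """True if `ip` falls inside any of the listed prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


# Constructed flow records (documentation prefixes for the clients):
# "<src_ip> <dst_ip> <dst_port>". Not real traffic.
SAMPLE_FLOWS = """\
192.0.2.10 85.255.113.7 53
192.0.2.11 198.51.100.53 53
192.0.2.12 64.28.180.2 53
192.0.2.10 93.188.161.9 53
192.0.2.13 85.255.113.7 443
"""


def find_infected_clients(records: Iterable[str], nets=ROGUE_NETS) -> dict:
    """Map each client that sent DNS (dport 53) to a listed resolver to the
    set of resolvers it used. Non-DNS flows to the same prefixes are ignored,
    since only the resolver setting is the infection indicator here."""
    hits: dict = {}
    for line in records:
        line = line.strip()
        if not line:
            continue
        src, dst, dport = line.split()
        if dport != "53":
            continue
        if is_rogue_resolver(dst, nets):
            hits.setdefault(src, set()).add(dst)
    return hits


if __name__ == "__main__":
    for net in ROGUE_NETS:
        print(net)
    for client, resolvers in find_infected_clients(SAMPLE_FLOWS.splitlines()).items():
        print(f"{client}: resolvers {sorted(resolvers)}")
```

The same `is_rogue_resolver` check can be run over DHCP-assigned or customer-reported resolver settings; matching on port 53 flows is the option that needs no access to the customer's machine.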



Re: SORBS?!

2012-04-05 Thread Sam Oduor
Some of the IPs I manage got blacklisted and it's true they were spamming
and SORBS had a very valid reason for blacklisting them.

I got this response from SORBS after resolving the problem
amicably. SORBS responded well on time.

Your request appears to have been resolved. If you have any
further questions or concerns, please respond to this message.

Please note:

If your IP address has been delisted (marked as 'Inactive'), it will
take up to 2 hours to get from the database to all the SORBS DNS
servers.  Changes to the database are exported to the DNS zone files
periodically, not immediately after every change.  Furthermore, after
the updated database contents have been exported to the DNS zone
files, it will then take up to 48 hours for the outdated DNS
information to be removed from DNS caches around the world - none
of these are in SORBS' control.

Please do not reply to this call with problems not related to
this ticket or your request will be ignored.



On Wed, Apr 4, 2012 at 10:53 PM, Chris Conn cc...@b2b2c.ca wrote:

 Hello,

 Is anyone from SORBS still listening?   We have a few IP addresses here
 and there that are listed, one in particular that has been for a spam
 incident from over a year ago.  The last spam date is 03/05/2011
 according to their lookup tools.

 We don't have access to their Net Manager even if our ARIN POC corresponds
 to the account on their system we opened a while ago.  We use their ISP
 feedback form and never get any responses back.

 Is SORBS still relevant and functional?

 Sincerely,

 Chris Conn
 B2B2C.ca




-- 
Samson Oduor


Re: Any recommended router. They are reliable and have good support.

2011-11-22 Thread Sam Tetherow
http://imagestream.com

On 11/22/11 9:38 AM, Deric Kwok wrote:
 Hi

 Can I know any selection of Linux routers except cisco / juniper?

 They are reliable and have  good support provided

 We would like to get one for testing.

 Thank you




Cable standards question

2011-11-14 Thread Sam (Walter) Gailey
Hello, newbie question of the morning time, but hopefully not too off-topic...

I run a small town network. A new building is being built that the town wants 
fiber access to. I have to specify for vendors what it is that the town expects 
in the cabling. I am (obviously) not a fiber expert, and I'm having trouble 
phrasing the language of the RFP so that we are assured a quality installation.

My question is this; Is there an appropriate standard to specify for 
fiber-optic cabling that if it is followed the fiber will be installed 
correctly? Would specifying TIA/EIA 568-C.3, for example, be correct?

I'm envisioning something like;

The vendor will provide fiber connectivity between (building A) and (building 
B). Vendor will be responsible for all building penetrations and terminations. 
When installing the fiber-optic cable the vendor will follow the appropriate 
TIA/EIA 568 standards for fiber-optic cabling.

Any suggestions or examples of language would be very appreciated. Offlist 
contact is probably best.

Many thanks,

---Sam


RE: Cable standards question

2011-11-14 Thread Sam (Walter) Gailey
First off, thanks to everyone who has replied, both on and off list, I've 
gotten some very good information on this, raising things I hadn't considered, 
particularly involving testing and warranties.

Daniel Seagraves wrote:
Is it appropriate to just say When installing fiber-optic cable the vendor 
will ensure the resulting installation does not suck.?

Getting an installation that doesn't suck is indeed the core of the matter. 
However, doesn't suck is a rather vague concept as a point of law in case you 
have to sue your vendor for having installed something that sucks. That's why I 
was looking for a set of standards that I can point to and say (as an example)  
your installation sucks, and it sucks because you didn't follow X standard, 
and ran unshielded fiber at a 90 degree angle over a knife edge.

 Maybe there should be a legal definition of the concept of suck, so that 
suckage could be contractually minimized.

Unfortunately vendors install suckage all the time. Our own particular horror 
story was one of our schools where half the school was experiencing 
intermittent issues of crosstalk, lag, unexplained packet loss, etc. Some days 
it was fine, others it wasn't and it took us some time to find out that the 
cabling vendor had connected the two network closets via plain old cat 5 cable, 
a run that was considerably longer than 300 feet. You wouldn't normally expect 
to have to specify to telecommunications vendors that you don't exceed the 
maximum cable length, but there it was. We replaced that link with multimode, 
and the problems immediately vanished. I'm sure others have similar stories. 

A number of people have asked for more details on the project and I 
deliberately didn't put those in because I was looking more for a standard 
that, if followed, produces acceptable link no matter what the project details 
are. For the curious, it's a simple point-to-point link involving an existing 
building and new construction that are about a mile apart. It will be 
singlemode, we will provide the racks on both ends, and we're specifying SC 
terminations. Whether we own or lease the fiber, lit or dark, depends on the 
economics of the quotes that come back to us. It's not a complicated project, 
but I shouldn't have to re-write a cabling spec as part of the RFP just to keep 
the vendors honest. A number of good references have been sent to me so I think 
I'm all set. Thanks, NANOG! :)

---Sam 



-Original Message-
From: Daniel Seagraves [mailto:dseag...@humancapitaldev.com] 
Sent: Monday, November 14, 2011 9:58 AM
To: nanog@nanog.org
Subject: Re: Cable standards question


On Nov 14, 2011, at 8:42 AM, Sam (Walter) Gailey wrote:

 The vendor will provide fiber connectivity between (building A) and 
 (building B). Vendor will be responsible for all building penetrations and 
 terminations. When  installing the fiber-optic cable the vendor will follow 
 the appropriate TIA/EIA 568 standards for fiber-optic cabling.
 
 Any suggestions or examples of language would be very appreciated. Offlist 
 contact is probably best.

Is it appropriate to just say When installing fiber-optic cable the vendor 
will ensure the resulting installation does not suck.?
That would seem to me to be the most direct solution to the problem. I mean, 
standards are all well and good, but what if the standard sucks?
Then you'd be up a creek.

Maybe there should be a legal definition of the concept of suck, so that 
suckage could be contractually minimized.





RE: SFP vs. SFP+

2011-02-17 Thread Sam Chesluk
Depends on the switch.  Some, like the 2960S and 4948E, have 1G/10G
ports.  They will, however, not operate at 4Gbps (that particular speed
was chosen to allow the core components to work for gigabit Ethernet,
OC48, 2G FC, and 4G FC).

Sam Chesluk
Network Hardware Resale


-Original Message-
From: Jimmy Changa [mailto:jimmy.changa...@gmail.com] 
Sent: Thursday, February 17, 2011 3:39 PM
To: Sam Chesluk
Cc: Jason Lixfeld; nanog@nanog.org
Subject: Re: SFP vs. SFP+

I'm curious also. Could you use a SFP in a ten gig port if you only need
4gb of throughput?

Sent from my iPhone

On Feb 17, 2011, at 6:25 PM, Sam Chesluk s...@networkhardware.com
wrote:

 Jason - there are no SFP-10G parts based off of the original SFP; they
 all are based on the SFP+ standard, so there will be no issues with the
 optic not being able to work at the full 10Gbps it's rated for.
 
 Sam Chesluk 
 Network Hardware Resale
 
 
 -Original Message-
 From: Jason Lixfeld [mailto:ja...@lixfeld.ca] 
 Sent: Thursday, February 17, 2011 3:00 PM
 To: nanog@nanog.org
 Subject: SFP vs. SFP+
 
 I was asked today what the difference between SFP and SFP+ is.  I didn't
 really know, so I looked it up and it seems that the SFP spec provides
 capabilities for data rates up to 4.25Gb/s, whereas SFP+ supports up to
 10Gb/s.  Naturally, this made me wonder whether or not an optic that
 supported 10GbE always conformed to the SFP+ standard inherently, or if
 there are cases where a 10GbE optic might only support the SFP standard,
 thus having a 4.25Gb/s bottleneck.
 
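The module itself answers the question in this thread: the SFF-8472 identification page (A0h) that every SFP and SFP+ carries states the nominal signalling rate and the Ethernet compliance codes, so a host can read what the optic claims to be rather than guessing from the form factor. The decoder below is an added example written for this page, not code from the thread or from any vendor; the page it decodes is constructed by `build_a0()` with a made-up vendor and part number, whereas a real dump comes from `ethtool -m <iface> raw on` on Linux or a switch's transceiver detail command. The CC_BASE checksum check is included because a page that fails it should not be trusted for any of the other fields.

```python
"""Decode the SFF-8472 A0h identification page of an SFP/SFP+ module.

Added example for this page, not code from the thread. The dump used in
the demo is constructed by build_a0(); vendor and part strings are made
up. A real page is the first 64 bytes of `ethtool -m <iface> raw on`.
"""

ID_SFP = 0x03          # byte 0: identifier "SFP or SFP+" (the same value for both)
BR_NOMINAL = 12        # byte 12: nominal signalling rate in units of 100 MBd
CC_BASE = 63           # byte 63: checksum, low byte of the sum of bytes 0..62

# byte 3 bits -> 10G Ethernet compliance, byte 6 bits -> 1G Ethernet compliance
TENG_CODES = {0x80: "10GBASE-ER", 0x40: "10GBASE-LRM", 0x20: "10GBASE-LR", 0x10: "10GBASE-SR"}
ONEG_CODES = {0x01: "1000BASE-SX", 0x02: "1000BASE-LX", 0x04: "1000BASE-CX", 0x08: "1000BASE-T"}


def checksum_ok(a0: bytes) -> bool:
    """CC_BASE must equal the low byte of the sum of bytes 0..62."""
    return (sum(a0[0:63]) & 0xFF) == a0[CC_BASE]


def decode_a0(a0: bytes) -> dict:
    """Return vendor/part, nominal rate and compliance codes from a 64+ byte A0h page."""
    if len(a0) < 64:
        raise ValueError("A0h page is at least 64 bytes")
    if a0[0] != ID_SFP:
        raise ValueError(f"identifier 0x{a0[0]:02x} is not SFP/SFP+")
    rate_mbd = a0[BR_NOMINAL] * 100
    codes = [name for bit, name in TENG_CODES.items() if a0[3] & bit]
    codes += [name for bit, name in ONEG_CODES.items() if a0[6] & bit]
    return {
        "vendor": a0[20:36].decode("ascii", "replace").strip(),
        "part": a0[40:56].decode("ascii", "replace").strip(),
        "rate_mbd": rate_mbd,
        "compliance": codes,
        "ten_gig": rate_mbd >= 10000,
        "checksum_ok": checksum_ok(a0),
    }


def build_a0(vendor: str, part: str, br_nominal: int, eth10g: int = 0, eth1g: int = 0) -> bytes:
    """Construct a minimal, checksum-correct A0h page for the demo (test data only)."""
    page = bytearray(64)
    page[0] = ID_SFP
    page[1] = 0x04                        # ext identifier: serial ID via two-wire interface
    page[2] = 0x07                        # connector: LC
    page[3] = eth10g
    page[6] = eth1g
    page[11] = 0x06 if eth10g else 0x01   # encoding: 64B/66B for 10G, 8B/10B for 1G
    page[BR_NOMINAL] = br_nominal
    page[20:36] = vendor.ljust(16).encode("ascii")
    page[40:56] = part.ljust(16).encode("ascii")
    page[CC_BASE] = sum(page[0:63]) & 0xFF
    return bytes(page)


if __name__ == "__main__":
    # 10GBASE-SR signals at 10.3125 GBd (103 x 100 MBd); 1000BASE-SX at 1.25 GBd (13).
    for a0 in (build_a0("EXAMPLE-OPTICS", "EX-10G-SR", 103, eth10g=0x10),
               build_a0("EXAMPLE-OPTICS", "EX-1G-SX", 13, eth1g=0x01)):
        print(decode_a0(a0))
```

A 10GBASE-SR module reports 103 in byte 12 (10.3 GBd) and sets the 10GBASE-SR bit; a gigabit SX module reports 13 and sets the 1000BASE-SX bit. Whether the switch port will actually run the module at that rate is still the switch's decision, as the 2960S/4948E point above shows.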


