RE: Mitigating the effects of SLAAC renumbering events (draft-ietf-6man-slaac-renum)
Such router behavior is completely legal by ND RFC. It does not matter that real router implementations do not do this. We should think that they do because the standard permits it. And the RA in the chain may be lost. It is better to attach information about completeness to the information itself.

Eduard

-----Original Message-----
From: Fernando Gont [mailto:fg...@si6networks.com]
Sent: Wednesday, August 31, 2022 4:12 PM
To: Vasilenko Eduard ; nanog@nanog.org
Subject: Re: Mitigating the effects of SLAAC renumbering events (draft-ietf-6man-slaac-renum)

Hi,

On 31/8/22 09:43, Vasilenko Eduard wrote:
> Hi all,
>
> The router could split information between RAs (and send it at
> different intervals). It may be difficult to guess what is stale and
> what is just "not in this RA".

You ask the router, and the router responds. If you want to consider the case where the router intentionally splits the options into multiple packets (which does not exist in practice), AND the link is super lossy, you just increase the number of retransmissions.

There's no guessing.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
Re: Mitigating the effects of SLAAC renumbering events (draft-ietf-6man-slaac-renum)
Hi,

On 31/8/22 09:43, Vasilenko Eduard wrote:
> Hi all,
>
> The router could split information between RAs (and send it at
> different intervals). It may be difficult to guess what is stale and
> what is just "not in this RA".

You ask the router, and the router responds. If you want to consider the case where the router intentionally splits the options into multiple packets (which does not exist in practice), AND the link is super lossy, you just increase the number of retransmissions.

There's no guessing.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
RE: Mitigating the effects of SLAAC renumbering events (draft-ietf-6man-slaac-renum)
Hi all,

The router could split information between RAs (and send it at different intervals). It may be difficult to guess what is stale and what is just "not in this RA".

Fernando is proposing (not documented yet in draft-ietf-6man-slaac-renum-04) re-asking the router by RS and using timers (size of timers is not proposed yet) to guess that the router has probably supplied the full set of information, and we could start concluding what is stale.

There is an alternative proposal to signal by ND flag that "this RA has the complete set of information":
https://datatracker.ietf.org/doc/html/draft-vv-6man-nd-prefix-robustness-02
... then you could immediately make your reliable conclusion on what is stale.

IMHO: Clear signaling that "information is complete in this RA" is better than guessing by timers. It is the more robust solution. We need to sync the state between the host and the just-rebooted router.

If you have an opinion on this matter, please send a message to i...@ietf.org

Thanks.
Eduard

-----Original Message-----
From: NANOG [mailto:nanog-bounces+vasilenko.eduard=huawei@nanog.org] On Behalf Of Fernando Gont
Sent: Wednesday, August 31, 2022 1:35 PM
To: nanog@nanog.org
Subject: Mitigating the effects of SLAAC renumbering events (draft-ietf-6man-slaac-renum)

Folks,

We have been discussing the potential problems associated with SLAAC renumbering events for a while now -- one of the most common cases being ISPs rotating home prefixes, and your devices ending up with stale/invalid addresses.

We have done quite a bit of work already:

* Problem statement: https://datatracker.ietf.org/doc/html/rfc8978
* CPE recommendations: https://datatracker.ietf.org/doc/html/rfc9096

But there's still some work to do to address this issue: The last remaining item is to improve SLAAC such that hosts can more gracefully deal with these renumbering events.

In that light, IETF's 6man has been working on this document: https://www.ietf.org/archive/id/draft-ietf-6man-slaac-renum-04.txt

And we have proposed a simple algorithm for SLAAC (an extension, if you wish) that can easily help, as follows:

If you (host) receive an RA that contains options, but not all of the previously-received options/information, simply send a unicast RS to the local-router, to verify/refresh that such missing information is still valid. If the information is stale, get rid of it.

I presented this algorithm at the last IETF meeting (https://youtu.be/eKEizC8xhhM?t=1308). (You may find the slides here: https://datatracker.ietf.org/meeting/114/materials/slides-114-6man-improving-the-robustness-of-stateless-address-autoconfiguration-slaac-to-flash-renumbering-events-00)

Finally, I've sent draft text for the specification of the algorithm here: https://mailarchive.ietf.org/arch/msg/ipv6/KD_Vpqg0NmkVXOQntVTOMlWHWwA/

We would be super thankful if you could take a look at the draft text (i.e., https://mailarchive.ietf.org/arch/msg/ipv6/KD_Vpqg0NmkVXOQntVTOMlWHWwA/) and provide feedback/comments.

If you can post/comment on the 6man wg mailing list (https://www.ietf.org/mailman/listinfo/ipv6), that'd be fabulous. But we'll appreciate your feedback off-line, on this list, etc. (that'd still be great ;-) )

Thanks in advance!

Regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
Mitigating the effects of SLAAC renumbering events (draft-ietf-6man-slaac-renum)
Folks,

We have been discussing the potential problems associated with SLAAC renumbering events for a while now -- one of the most common cases being ISPs rotating home prefixes, and your devices ending up with stale/invalid addresses.

We have done quite a bit of work already:

* Problem statement: https://datatracker.ietf.org/doc/html/rfc8978
* CPE recommendations: https://datatracker.ietf.org/doc/html/rfc9096

But there's still some work to do to address this issue: The last remaining item is to improve SLAAC such that hosts can more gracefully deal with these renumbering events.

In that light, IETF's 6man has been working on this document: https://www.ietf.org/archive/id/draft-ietf-6man-slaac-renum-04.txt

And we have proposed a simple algorithm for SLAAC (an extension, if you wish) that can easily help, as follows:

If you (host) receive an RA that contains options, but not all of the previously-received options/information, simply send a unicast RS to the local-router, to verify/refresh that such missing information is still valid. If the information is stale, get rid of it.

I presented this algorithm at the last IETF meeting (https://youtu.be/eKEizC8xhhM?t=1308). (You may find the slides here: https://datatracker.ietf.org/meeting/114/materials/slides-114-6man-improving-the-robustness-of-stateless-address-autoconfiguration-slaac-to-flash-renumbering-events-00)

Finally, I've sent draft text for the specification of the algorithm here: https://mailarchive.ietf.org/arch/msg/ipv6/KD_Vpqg0NmkVXOQntVTOMlWHWwA/

We would be super thankful if you could take a look at the draft text (i.e., https://mailarchive.ietf.org/arch/msg/ipv6/KD_Vpqg0NmkVXOQntVTOMlWHWwA/) and provide feedback/comments.

If you can post/comment on the 6man wg mailing list (https://www.ietf.org/mailman/listinfo/ipv6), that'd be fabulous. But we'll appreciate your feedback off-line, on this list, etc. (that'd still be great ;-) )

Thanks in advance!

Regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
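
The host-side check described in the message above, together with the split-RA and lossy-link case raised in the replies to it, as an added Python simulation (not code from the post, the draft or its authors). The `Router` model, the `max_rs` retransmission budget, the sample prefixes and the choice to keep state when no reply arrives at all are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample prefixes from the 2001:db8::/32 documentation range.
OLD, NEW = "2001:db8:1::/64", "2001:db8:2::/64"
A, B, C = "2001:db8:a::/64", "2001:db8:b::/64", "2001:db8:c::/64"


@dataclass
class Router:
    """Hypothetical router model (an assumption of this example)."""
    prefixes: list            # prefixes the router currently advertises
    split: int = 1            # option set is spread round-robin over this many RAs
    drops: tuple = (False,)   # repeating loss pattern; True means that RA is lost
    sent: int = 0

    def send_ra(self) -> Optional[set]:
        """Emit the next RA; return its prefixes, or None if the link lost it."""
        chunk = set(self.prefixes[self.sent % self.split::self.split])
        lost = self.drops[self.sent % len(self.drops)]
        self.sent += 1
        return None if lost else chunk


class Host:
    def __init__(self, known, max_rs):
        self.known = set(known)   # prefixes previously learned from this router
        self.max_rs = max_rs      # RS retransmission budget (assumed parameter)

    def on_ra(self, advertised, router):
        """Process one received RA; return the prefixes discarded as stale."""
        missing = self.known - advertised
        self.known |= advertised
        if not advertised or not missing:
            return set()          # nothing previously learned is absent
        confirmed, got_reply = set(), False
        for _ in range(self.max_rs):
            reply = router.send_ra()   # stands in for unicast RS -> solicited RA
            if reply is None:
                continue               # reply lost on the link: retransmit the RS
            got_reply = True
            self.known |= reply
            confirmed |= reply
            if missing <= confirmed:
                break                  # all missing information was refreshed
        if not got_reply:
            return set()   # assumption: total silence proves nothing, keep state
        stale = missing - confirmed
        self.known -= stale            # "If the information is stale, get rid of it."
        return stale


def simulate(router, known, max_rs):
    """Deliver one unsolicited RA to a host that already knows `known`."""
    host = Host(known, max_rs)
    ra = router.send_ra()
    stale = host.on_ra(ra, router) if ra is not None else set()
    return stale, host.known


if __name__ == "__main__":
    cases = {
        "flash renumbering, 3 RS": (Router([NEW]), {OLD}, 3),
        "split over 3 RAs, 1 RS": (Router([A, B, C], split=3), {A, B, C}, 1),
        "split over 3 RAs, 3 RS": (Router([A, B, C], split=3), {A, B, C}, 3),
        "split + lossy, 3 RS": (
            Router([A, B, C], split=3, drops=(False, True)), {A, B, C}, 3),
        "split + lossy, 6 RS": (
            Router([A, B, C], split=3, drops=(False, True)), {A, B, C}, 6),
    }
    for name, (router, known, max_rs) in cases.items():
        stale, kept = simulate(router, known, max_rs)
        print(f"{name}: stale={sorted(stale)} kept={sorted(kept)}")
```

With too small a retransmission budget the split and lossy cases discard a prefix the router still advertises; raising the budget removes that false positive, while the renumbered prefix is discarded in every case.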
NANOG 84 Networking Events - N84 Kicks-Off Monday!
*NANOG 84 Networking Opportunities*

Networking is essential to the health of your career! Take advantage of the opportunity to meet + greet with industry leaders + professionals at next week's networking events at NANOG 84.

*Day 1: Newcomers Breakfast Orientation*
Monday, Feb. 14 | 9:00am - 9:45am CST
Location: Waterloo Ballroom 5-6, Level 5

New to NANOG? Don’t miss our Newcomers Breakfast Orientation happening Monday, Feb 14 at 9:00am at our upcoming meeting, NANOG 84. Have an opportunity to network with fellow newcomers!

*REGISTER NOW <https://nanog.org/events/nanog-84/>*

*Day 1: NANOG Networking Luncheon*
Monday, Feb. 14 | 12:00pm - 1:30pm CST
Location: MoonTower Hall, Level 2

Some of the tables at lunch will have "Table Topics" for you to use to chat with others & network around the same topic.

- Network Management
- Automation
- BGP Security
- Routing
- Traffic Management and Policy
- Job Hunting
- Peering
- Newcomers Networking Follow-up
- War Stories - The Time I Thought I'd Get Fired

Sponsors: Kentik <https://nanog.us20.list-manage.com/track/click?u=4d708401d0e69d9dc73d1c204=230d3e8f85=db9654>, Sparkle <https://nanog.us20.list-manage.com/track/click?u=4d708401d0e69d9dc73d1c204=2e418daa89=db9654>, Telescent <https://nanog.us20.list-manage.com/track/click?u=4d708401d0e69d9dc73d1c204=a909057418=db9654>

*SEE AGENDA* <https://www.nanog.org/events/nanog-84/nanog-84-agenda/>

*Day 2: Women in Tech*
Tuesday, Feb. 15 | 12:00pm - 1:15pm CST
Location: Waterloo Ballroom 5-6, Level 5

"What makes NANOG an incredible community, also makes it intimidating - 'courageous women' helping you not feel small" - Jezzibell Gilmore Co-founder of Packetfabric

This is a no-pressure space to empower your fellow (wo)man! Join us for an opportunity to meet, network + potentially find your next mentee or mentor in the Women in Tech community.

*Sponsor:* AWS <https://nanog.us20.list-manage.com/track/click?u=4d708401d0e69d9dc73d1c204=220616e069=db9654>

*SEE AGENDA <https://www.nanog.org/events/nanog-84/nanog-84-agenda/>*

*Peering Forum Applications Still Available*

NANOG 84 Peering Coordination Forum tables are still available. The forum provides time for attendees to meet + network with others in the peering community present at NANOG. Sign up for your table today!

*SIGN UP* <https://www.nanog.org/events/nanog-84/peering-forum/>
Re: SLAAC in renumbering events
Hi, Bill,

Thanks for the feedback! In-line

On 10/3/19 13:54, William Herrin wrote:
> On Fri, Mar 8, 2019 at 3:32 AM Fernando Gont <fg...@si6networks.com> wrote:
>
> > If you follow the 6man working group of the IETF you may have seen a
> > bunch of emails on this topic, on a thread resulting from an IETF
> > Internet-Draft we published with Jan Žorž about "Reaction of Stateless
> > Address Autoconfiguration (SLAAC) to Renumbering Events" (Available at:
> > https://github.com/fgont/draft-slaac-renum/raw/master/draft-gont-6man-slaac-renum-02.txt
> > )
>
> Hi Fernando,
>
> I'm a little confused here. I can certainly see why the default timeout
> of 30 days is a problem, but doesn't the host lose the route from the RA
> sooner?

Which route?

Configuration of addresses is mostly a different business than acquiring routes. So, in the typical scenario where the CPE crashes and reboots, hosts will even have a default route -- advertised by the router that crashed and rebooted.

If you are referring to the "on-link" route -- i.e., the route introduced because the Prefix Information Option had the "L" bit set -- then I don't think there's anything in the standard to actually garbage-collect such routes.

> Why would an IPv6 host originate connections from an address for
> which it has no corresponding route? Isn't that broken source address
> selection?

Please see above. The mechanism we specified in Section 5.1.3 of our draft tries to do exactly that: Try to detect when a previously-advertised prefix has become stale... and when it's inferred to be stale, just remove all the corresponding information.

Regarding fixing this issue with source address selection: some have suggested that this should be addressed in source address selection. However, there are a number of problems with this.

If you prioritize addresses from the prefix that was last advertised, then source addresses are guaranteed to flap -- and in the case of multi-prefix networks, this would become a troubleshooting nightmare.

Secondly, if you don't remove the on-link route for the stale-prefix, then packets meant to the new "owners" of that prefix will be assumed to be on-link, and hence communication will fail. This should probably be an indication that the solution is not to avoid using the stale information, but rather discarding it in a timelier manner.

Please do let me know if I've missed anything.

Thanks!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
Re: SLAAC in renumbering events
On Fri, Mar 8, 2019 at 3:32 AM Fernando Gont wrote:
> If you follow the 6man working group of the IETF you may have seen a
> bunch of emails on this topic, on a thread resulting from an IETF
> Internet-Draft we published with Jan Žorž about "Reaction of Stateless
> Address Autoconfiguration (SLAAC) to Renumbering Events" (Available at:
> https://github.com/fgont/draft-slaac-renum/raw/master/draft-gont-6man-slaac-renum-02.txt
> )

Hi Fernando,

I'm a little confused here. I can certainly see why the default timeout of 30 days is a problem, but doesn't the host lose the route from the RA sooner? Why would an IPv6 host originate connections from an address for which it has no corresponding route? Isn't that broken source address selection? I'd love to see that addressed in your draft.

Obviously having the router always explicitly expire the old addresses is a non-starter. There's no certainty that the router knows what the old addresses were, that it's even the same piece of equipment or that all the hosts will see the packet if it does manage to send one.

Regards,
Bill Herrin

--
William Herrin her...@dirtside.com b...@herrin.us
Dirtside Systems . Web: <http://www.dirtside.com/>
Re: SLAAC in renumbering events
Fernando Gont wrote:
> There are a number of scenarios where SLAAC hosts may end up using stale
> configuration information.

That's because SLAAC maintains address configuration state in a fully distributed manner without any authority, which is the worst possible way to do so.

The only reasonable solution is to ban SLAAC.

Masataka Ohta
Re: SLAAC in renumbering events
On 3/8/19 6:32 AM, Fernando Gont wrote:
> Folks,
>
> If you follow the 6man working group of the IETF you may have seen a
> bunch of emails on this topic, on a thread resulting from an IETF
> Internet-Draft we published with Jan Žorž about "Reaction of Stateless
> Address Autoconfiguration (SLAAC) to Renumbering Events" (Available at:
> https://github.com/fgont/draft-slaac-renum/raw/master/draft-gont-6man-slaac-renum-02.txt
> )
>
> [...]
>
> We are looking forward to more input on the document (or any comments on
> the issue being discussed), particularly from operators.
>
> So feel free to send your comments on/off list as you prefer

Thanks for bringing this to the attention of operators. Too few IETF documents have operational considerations.
SLAAC in renumbering events
Folks,

If you follow the 6man working group of the IETF you may have seen a bunch of emails on this topic, on a thread resulting from an IETF Internet-Draft we published with Jan Žorž about "Reaction of Stateless Address Autoconfiguration (SLAAC) to Renumbering Events" (Available at: https://github.com/fgont/draft-slaac-renum/raw/master/draft-gont-6man-slaac-renum-02.txt )

Short version of story:

There are a number of scenarios where SLAAC hosts may end up using stale configuration information. For example, a typical IPv6 deployment scenario is that in which a CPE router requests an IPv6 prefix to an ISP via DHCPv6-PD, and advertises a sub-prefix of the leased prefix on the LAN-side, via SLAAC.

In such scenarios, if the CPE router crashes and reboots, it may lose all information about the previously-leased prefix. Upon reboot, the CPE router may be leased a new prefix that will result in a new sub-prefix being advertised on the LAN-side of the CPE router. As a result, hosts will normally configure addresses for the newly-advertised prefix, but will normally also keep (and use) the previously-configured (and now stale!) IPv6 addresses, leading to interoperability problems.

The RIPE-690 BCOP document had originally tried to address this problem by recommending operators to lease stable IPv6 prefixes to CPE routers. However, for a variety of reasons ISPs may not be able (or may not want) to lease stable prefixes, and may instead lease dynamic prefixes.

Most of the voices on the 6man wg mailing-list fell into one of the following camps:

* "ISPs should be leasing stable prefixes -- if they don't, they are asking for trouble!"

* "CPE routers should record leased prefixes on stable storage, such that they can 'deprecate' such prefixes upon restart -- if they don't, they are asking for trouble!"

* "No matter whose fault is this (if there is any single party to blame in the first place), we should improve the robustness of IPv6 deployments"

Our Internet-Draft tries to improve the current state of affairs via the following improvements:

* Allow hosts to gracefully recover from stale network configuration information -- i.e., detect and discard stale network configuration information

* Have SLAAC routers employ more appropriate timers, such that information is phased-out in a timelier manner -- unless it is actively refreshed by Router Advertisement messages

* Specify the interaction between DHCPv6-PD and SLAAC -- which was rather under-specified

* Require CPE routers to store leased prefixes on stable storage, and deprecate stale prefixes (if necessary) upon restart

We are looking forward to more input on the document (or any comments on the issue being discussed), particularly from operators.

So feel free to send your comments on/off list as you prefer

Thanks!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
RE: Your opinion on network analysis in the presence of uncertain events
> From: Mel Beckman
> Sent: Wednesday, January 16, 2019 9:21 PM
>
> MTBF can’t be used alone to predict failure probability, because product
> mortality follows the infamous “bathtub curve”. Products are as likely to fail
> early in their lives as later in their lives. MTBF as a scalar value is just an
> average.

Yes very good point -however that's where the historical data should come to rescue to help bend the MTBF line into this expected "bathtub curve".

adam
Re: Your opinion on network analysis in the presence of uncertain events
On Tue, 15 Jan 2019 at 19:01, Vanbever Laurent wrote:
>
> Hi NANOG,
>
> Networks evolve in uncertain environments. Links and devices randomly fail;
> external BGP announcements unpredictably appear/disappear leading to
> unforeseen traffic shifts; traffic demands vary, etc. Reasoning about network
> behaviors under such uncertainties is hard and yet essential to ensure
> Service Level Agreements.
>
> We're reaching out to the NANOG community as we (researchers) are trying to
> better understand the practical requirements behind "probabilistic" network
> reasoning. Some of our questions include: Are uncertain behaviors
> problematic? Do you care about such things at all? Are you already using
> tools to ensure the compliance of your network design under uncertainty? Are
> there any good?
>
> We designed a short anonymous survey to collect operators' answers. It is
> composed of 14 optional questions, most of which (13/14) are closed-ended. It
> should take less than 10 minutes to complete. We expect the findings to help
> the research community in designing more powerful network analysis tools.
> Among others, we intend to present the aggregate results in a scientific
> article later this year.
>
> It would be *terrific* if you could help us out!
>
> Survey URL: https://goo.gl/forms/HdYNp3DkKkeEcexs2
>
> Thanks much!
>
> Laurent Vanbever, ETH Zürich
>
> PS: It goes without saying that we would also be extremely grateful if you
> could forward this email to any operator you know and who may not read NANOG.

Hi Laurent,

I have filled out the survey; however, I would just like to request that in the future you don't use a URL shortener like goo.gl; many people don't like those because we can't see where you're sending us until we click that link. Some people also block them because they are a security issue (our corporate proxy does, I have to drop off the VPN or use a URL expander to retrieve the original URL).

Also have you seen Batfish? It looks like you guys want to write a tool that has some overlap with Batfish. Batfish can ingest the configs from my network and answer questions such as "can host A reach host B?" or "will prefix advertisement P from host A be filtered/accepted by host B?", "if I ping from this source IP who has a return route and can respond?" etc.

Kind regards,
James.
Re: Your opinion on network analysis in the presence of uncertain events
Hi Adam/Mel,

Thanks for chiming in!

> My understanding was that the tool will combine historic data with the MTBF
> datapoints from all components involved in a given link in order to try and
> estimate a likelihood of a link failure.

Yep. This could be one way indeed. This likelihood could also be taking the form of intervals in which you expect the true value to lie (again, based on historical data). This could be done both for link/devices failures but also for external inputs such as BGP announcements (to consider the likelihood that you receive a route for X in, say, NEWY). The tool would then run the deterministic routing protocols (not accounting for ‘features’ such as prefer-oldest-route for a sec.) on these probabilistic inputs so as to infer the different possible forwarding outcomes and their relative probabilities. For now we had something like this in mind.

One can of course make the model more and more complex by e.g. also taking into account data plane status (to model gray failures). Intuitively though, the more complex the model, the more complex the inference process is.

> Heck I imagine if one would stream a heap load of data at a ML algorithm it
> might draw some very interesting conclusions indeed -i.e. draw unforeseen
> patterns across huge datasets while trying to understand the overall system
> (network) behaviour. Such a tool might teach us something new about our
> networks. Next level would be recommendations on how to best address some of
> the potential pitfalls it found.

Yes. I believe some variants of this exist already. I’m not sure how much they are used in practice though. AFAICT, false positives/negatives is still a big problem. Non-trivial recommendation system will require a model of the network behavior that can somehow be inverted easily which is probably something academics should spend some time on :-)

> Maybe in closed systems like IP networks, with use of streaming telemetry
> from SFPs/NPUs/LC-CPUs/Protocols/etc.., we’ll be able to feed the analytics
> tool with enough data to allow it to make fairly accurate predictions (i.e.
> unlike in weather or markets prediction tools where the datasets (or search
> space -as not all attributes are equally relevant) is virtually endless).

I’m with you. I also believe that better (even programmable) telemetry will unlock powerful analysis tools.

Best,
Laurent

PS: Thanks a lot to those who have already answered our survey! For those who haven’t yet: https://goo.gl/forms/HdYNp3DkKkeEcexs2 (it only takes a couple of minutes).
Re: Your opinion on network analysis in the presence of uncertain events
MTBF can’t be used alone to predict failure probability, because product mortality follows the infamous “bathtub curve”. Products are as likely to fail early in their lives as later in their lives. MTBF as a scalar value is just an average.

-mel via cell

On Jan 16, 2019, at 12:43 PM, "adamv0...@netconsultings.com" <adamv0...@netconsultings.com> wrote:

> My understanding was that the tool will combine historic data with the MTBF datapoints from all components involved in a given link in order to try and estimate a likelihood of a link failure.
>
> Heck I imagine if one would stream a heap load of data at a ML algorithm it might draw some very interesting conclusions indeed -i.e. draw unforeseen patterns across huge datasets while trying to understand the overall system (network) behaviour. Such a tool might teach us something new about our networks. Next level would be recommendations on how to best address some of the potential pitfalls it found.
>
> Maybe in closed systems like IP networks, with use of streaming telemetry from SFPs/NPUs/LC-CPUs/Protocols/etc.., we’ll be able to feed the analytics tool with enough data to allow it to make fairly accurate predictions (i.e. unlike in weather or markets prediction tools where the datasets (or search space -as not all attributes are equally relevant) is virtually endless).
>
> adam
>
> From: NANOG <nanog-boun...@nanog.org> On Behalf Of Mel Beckman
> Sent: Tuesday, January 15, 2019 10:40 PM
> To: Vanbever Laurent <lvanbe...@ethz.ch>
> Cc: nanog@nanog.org
> Subject: Re: Your opinion on network analysis in the presence of uncertain events
>
> I know of none that take probabilities as inputs. Traditional network simulators, such as GNS3, let you model various failure modes, but probability seems squishy enough that I don’t see how it can be accurate, and thus helpful. It’s like that Dilbert cartoon where the pointy haired boss asks for a schedule of all future unplanned outages :)
>
> https://dilbert.com/strip/1997-01-29
>
> -mel
>
> On Jan 15, 2019, at 11:59 AM, Vanbever Laurent <lvanbe...@ethz.ch> wrote:
>
> > > I took the survey. It’s short and sweet — well done!
> >
> > Thanks a lot, Mel! Highly appreciated!
> >
> > > I do have a question. You ask "Are there any good?” Any good what?
> >
> > I just meant whether existing network analysis tools were any good (or good enough) at reasoning about probabilistic behaviors that people care about (if any).
> >
> > All the best,
> > Laurent
RE: Your opinion on network analysis in the presence of uncertain events
My understanding was that the tool will combine historic data with the MTBF datapoints from all components involved in a given link in order to try and estimate a likelihood of a link failure.

Heck I imagine if one would stream a heap load of data at a ML algorithm it might draw some very interesting conclusions indeed -i.e. draw unforeseen patterns across huge datasets while trying to understand the overall system (network) behaviour. Such a tool might teach us something new about our networks. Next level would be recommendations on how to best address some of the potential pitfalls it found.

Maybe in closed systems like IP networks, with use of streaming telemetry from SFPs/NPUs/LC-CPUs/Protocols/etc.., we’ll be able to feed the analytics tool with enough data to allow it to make fairly accurate predictions (i.e. unlike in weather or markets prediction tools where the datasets (or search space -as not all attributes are equally relevant) is virtually endless).

adam

From: NANOG On Behalf Of Mel Beckman
Sent: Tuesday, January 15, 2019 10:40 PM
To: Vanbever Laurent
Cc: nanog@nanog.org
Subject: Re: Your opinion on network analysis in the presence of uncertain events

I know of none that take probabilities as inputs. Traditional network simulators, such as GNS3, let you model various failure modes, but probability seems squishy enough that I don’t see how it can be accurate, and thus helpful. It’s like that Dilbert cartoon where the pointy haired boss asks for a schedule of all future unplanned outages :)

https://dilbert.com/strip/1997-01-29

-mel

On Jan 15, 2019, at 11:59 AM, Vanbever Laurent <lvanbe...@ethz.ch> wrote:

> > I took the survey. It’s short and sweet — well done!
>
> Thanks a lot, Mel! Highly appreciated!
>
> > I do have a question. You ask "Are there any good?” Any good what?
>
> I just meant whether existing network analysis tools were any good (or good enough) at reasoning about probabilistic behaviors that people care about (if any).
>
> All the best,
> Laurent
Re: Your opinion on network analysis in the presence of uncertain events
I know of none that take probabilities as inputs. Traditional network simulators, such as GNS3, let you model various failure modes, but probability seems squishy enough that I don’t see how it can be accurate, and thus helpful. It’s like that Dilbert cartoon where the pointy haired boss asks for a schedule of all future unplanned outages :)

https://dilbert.com/strip/1997-01-29

-mel

On Jan 15, 2019, at 11:59 AM, Vanbever Laurent <lvanbe...@ethz.ch> wrote:

> > I took the survey. It’s short and sweet — well done!
>
> Thanks a lot, Mel! Highly appreciated!
>
> > I do have a question. You ask "Are there any good?” Any good what?
>
> I just meant whether existing network analysis tools were any good (or good enough) at reasoning about probabilistic behaviors that people care about (if any).
>
> All the best,
> Laurent
Re: Your opinion on network analysis in the presence of uncertain events
> I took the survey. It’s short and sweet — well done!

Thanks a lot, Mel! Highly appreciated!

> I do have a question. You ask "Are there any good?” Any good what?

I just meant whether existing network analysis tools were any good (or good enough) at reasoning about probabilistic behaviors that people care about (if any).

All the best,
Laurent
Re: Your opinion on network analysis in the presence of uncertain events
I took the survey. It’s short and sweet — well done!

I do have a question. You ask "Are there any good?” Any good what?

-mel

On Jan 15, 2019, at 10:59 AM, Vanbever Laurent <lvanbe...@ethz.ch> wrote:

> Hi NANOG,
>
> Networks evolve in uncertain environments. Links and devices randomly fail; external BGP announcements unpredictably appear/disappear leading to unforeseen traffic shifts; traffic demands vary, etc. Reasoning about network behaviors under such uncertainties is hard and yet essential to ensure Service Level Agreements.
>
> We're reaching out to the NANOG community as we (researchers) are trying to better understand the practical requirements behind "probabilistic" network reasoning. Some of our questions include: Are uncertain behaviors problematic? Do you care about such things at all? Are you already using tools to ensure the compliance of your network design under uncertainty? Are there any good?
>
> We designed a short anonymous survey to collect operators' answers. It is composed of 14 optional questions, most of which (13/14) are closed-ended. It should take less than 10 minutes to complete. We expect the findings to help the research community in designing more powerful network analysis tools. Among others, we intend to present the aggregate results in a scientific article later this year.
>
> It would be *terrific* if you could help us out!
>
> Survey URL: https://goo.gl/forms/HdYNp3DkKkeEcexs2
>
> Thanks much!
>
> Laurent Vanbever, ETH Zürich
>
> PS: It goes without saying that we would also be extremely grateful if you could forward this email to any operator you know and who may not read NANOG.
Your opinion on network analysis in the presence of uncertain events
Hi NANOG, Networks evolve in uncertain environments. Links and devices randomly fail; external BGP announcements unpredictably appear/disappear leading to unforeseen traffic shifts; traffic demands vary, etc. Reasoning about network behaviors under such uncertainties is hard and yet essential to ensure Service Level Agreements. We're reaching out to the NANOG community as we (researchers) are trying to better understand the practical requirements behind "probabilistic" network reasoning. Some of our questions include: Are uncertain behaviors problematic? Do you care about such things at all? Are you already using tools to ensure the compliance of your network design under uncertainty? Are there any good? We designed a short anonymous survey to collect operators answers. It is composed of 14 optional questions, most of which (13/14) are closed-ended. It should take less than 10 minutes to complete. We expect the findings to help the research community in designing more powerful network analysis tools. Among others, we intend to present the aggregate results in a scientific article later this year. It would be *terrific* if you could help us out! Survey URL: https://goo.gl/forms/HdYNp3DkKkeEcexs2 Thanks much! Laurent Vanbever, ETH Zürich PS: It goes without saying that we would also be extremely grateful if you could forward this email to any operator you know and who may not read NANOG.
ARIN on the Road events - San Diego (23 Jan) and Albuquerque (25 Jan)
NANOGers - If you know of anyone who would benefit from learning more about the ARIN registry and related services, feel free to direct them to one of these upcoming "ARIN on the Road” events taking place later this month in San Diego and Albuquerque - registration now open and there is no charge for participation. Thank you! /John John Curran President and CEO American Registry for Internet Numbers (ARIN) === ARIN on the Road: San Diego Tuesday, 23 January 2018 9:30 AM – 3:45 PM PST; Registration and Continental Breakfast at 9:00 AM PST Register at: https://www.arin.net/sandiego ARIN on the Road: Albuquerque Thursday, 25 January 2018 9:30 AM – 3:45 PM MST; Registration and Continental Breakfast at 9:00 AM MST Register at: https://www.arin.net/albuquerque Each one-day event is an opportunity to learn about topics like: • ARIN Technical Services • Policy Development at ARIN • IPv4 Services – Waiting List, Transfers, and more • ARIN Security Services – DNSSEC, RPKI, and more • ARIN Directory Services – RDAP, Whois, Whowas, Data Accuracy • IPv6 Services – Obtaining Resources, Networking Plans • Community Engagement with ARIN Connect with colleagues and ARIN staff. Registration is free and lunch is included! Seating is limited so register today. If you know other individuals whom you feel may benefit from attending these events, please extend this invitation to them as well. Feel free to contact us at meeti...@arin.net if you have any questions. ===
Two upcoming "ARIN on the Road" events - Nashville and Oklahoma City
NANOGers - Just a reminder that there are two "ARIN on the Road” events coming up – in each we will cover a range of registry related topics including DNSSEC, RPKI, ARIN tools and services, and more. We will be in Nashville on 10 November 2016, and Oklahoma City on 8 December 2016. These events are open to all and registration is free. For more information (including venue, agenda, and registration), go to the ARIN Meetings page: https://www.arin.net/participate/meetings/index.html Thanks! /John John Curran President and CEO ARIN
Re: events
On 10/04/2011 01:33 AM, Brian Spade wrote: When is [OpenNMS] 1.10 going to be released? When it's done :) Most likely this month. The unit tests are failing right now: http://bamboo.internal.opennms.com:8085/ But that means that we know where the bugs are :) The 1.9.91 (aka 1.10.0rc2) release is quite solid, and we hope that Tuesday's 1.9.92 (RC3) will be the final release candidate. If you give it a try and run into trouble, be sure to hit the project mailing lists and IRC channel. -jeff
Re: events
I've tried quite a few solutions. And the solution that works for engineers who know linux and text parsing, is often ill-suited to many operations folks. I have to admit, Splunk is nice and I prefer it, but the price is outrageous. If I'm logging from 500 routers/switches, I can likely get away with a reasonable 5gb/day license. However, any firewall logging per-connection statistics towards anything reasonably busy will quickly chew through the 5gb in no time with a single device, and I don't like paying more in software licensing to log than I did for the firewall itself. This, combined with the removal of e-mail alerts in the 4.0 version when upgrading from 3.0 resulting in breakage without warning and no downgrade path, irked me. So that solution is out. I've also heard of a coworker liking a solution called PHP-SYSLOG-NG. Its claim to fame was putting the events in a database so they are easily and quickly searchable. I didn't explore it further when I looked about a year ago, as it was clear further development had ceased as the author had turned it into a commercial solution called logzilla. I haven't explored pricing. I now use SEC/simple event correlator linked by someone below. It works adequately well if you can write a REGEX which matches what you're watching for and an output action. Performance is acceptable, but there is some hit. However, it can keep the logs available in text file format which is nice for data parsing with command line tools for certain cases, where many of the database alternatives don't. The one thing SEC is missing that I would enjoy, is a community based rules database for common alerts in network products. I believe there are adequate open source solutions, but the best seem to be the commercial products, IMHO.
On Tue, Oct 4, 2011 at 8:27 AM, Jason LeBlanc j...@packetpimp.org wrote: +1 for SEC, minimal hit on the cpu like most parsing tools, the regexp can be painful but it is fairly extensible. Once you get used to it you'll love it. On 10/04/2011 05:58 AM, Ben Roeder wrote: Hi Mike, We have used octopussy ( http://www.8pussy.org/dokuwiki/doku.php?id=home yes it is work safe :-) ) with ok results. Have used sec ( simple event correlator http://simple-evcorr.sourceforge.net/ ) to some success in simple cases. Currently having another look at this myself and the following look interesting, but have not deployed them yet http://logstash.net/ http://graylog2.org/about Ben On 30 Sep 2011, at 14:50, harbor235 wrote: What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? Mike
Re: events
Jeff, When is 1.10 going to be released? thx, /bs On Fri, Sep 30, 2011 at 11:53 AM, Jeff Gehlbach je...@opennms.org wrote: On 09/30/2011 09:50 AM, harbor235 wrote: Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? We've made some great strides in OpenNMS in the area of syslog event processing. The upcoming 1.10 release will be much easier to get going, particularly since we now have pluggable message parsers -- you no longer need Wireshark and a black belt in regular expressions to start receiving events from syslog sources. We've also made it possible to split the syslog rules across multiple files, which makes maintaining your own rules much easier compared to the old monolithic style. It's still not going to be Splunk-easy to configure, but it's now darned close to Netcool OMNIbus syslogd probe-easy. Plus you get pretty JasperReports reports based on your events like this one (or roll your own): http://opennms.org/~jeffg/event-analysis-sample.pdf Also flexible event notifications, event de-duplication, and SNMP trap handling as well as service-assurance polling, performance data collection via SNMP, HTTP, WMI, SQL/JDBC, and other protocols. Oh yeah, it's 100% free / libre / open source software. And you can get support for it from my employer. PR hat off, -jeff
Re: events
Hi Mike, We have used octopussy ( http://www.8pussy.org/dokuwiki/doku.php?id=home yes it is work safe :-) ) with ok results. Have used sec ( simple event correlator http://simple-evcorr.sourceforge.net/ ) to some success in simple cases. Currently having another look at this myself and the following look interesting, but have not deployed them yet http://logstash.net/ http://graylog2.org/about Ben On 30 Sep 2011, at 14:50, harbor235 wrote: What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? Mike
Re: events
8pussy.org ? -- Leigh Porter On 4 Oct 2011, at 10:59, Ben Roeder ben.roe...@sohonet.co.uk wrote: Hi Mike, We have used octopussy ( http://www.8pussy.org/dokuwiki/doku.php?id=home yes it is work safe :-) ) with ok results. Have used sec ( simple event correlator http://simple-evcorr.sourceforge.net/ ) to some success in simple cases. Currently having another look at this myself and the following look interesting, but have not deployed them yet http://logstash.net/ http://graylog2.org/about Ben On 30 Sep 2011, at 14:50, harbor235 wrote: What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? Mike __ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email __
Re: events
+1 for SEC, minimal hit on the cpu like most parsing tools, the regexp can be painful but it is fairly extensible. Once you get used to it you'll love it. On 10/04/2011 05:58 AM, Ben Roeder wrote: Hi Mike, We have used octopussy ( http://www.8pussy.org/dokuwiki/doku.php?id=home yes it is work safe :-) ) with ok results. Have used sec ( simple event correlator http://simple-evcorr.sourceforge.net/ ) to some success in simple cases. Currently having another look at this myself and the following look interesting, but have not deployed them yet http://logstash.net/ http://graylog2.org/about Ben On 30 Sep 2011, at 14:50, harbor235 wrote: What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? Mike
Re: events
http://code.google.com/p/eventlog-to-syslog/ On Oct 4, 2011, at 11:47 AM, Jones, Barry wrote: A sub question to this would be - is anyone using an app or client that will forward windows OS events to said collector? I've seen Loglogic and others. Was just curious if you've used a small scale version to collect security events - log on, log off, etc...? -Original Message- From: Harry Hoffman [mailto:hhoff...@ip-solutions.net] Sent: Friday, September 30, 2011 6:56 AM To: nanog@nanog.org Subject: Re: events It's a bit old but still works well. Russel Fulton and I worked on this when I was down in NZ. You still need to run syslog-ng but this allows you to ignore, warn, alert on logs via regex. http://www.ip-solutions.net/syslog-ng/ Cheers, Harry On 09/30/2011 09:50 AM, harbor235 wrote: What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? Mike
events
What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? Mike
Re: events
It's a bit old but still works well. Russel Fulton and I worked on this when I was down in NZ. You still need to run syslog-ng but this allows you to ignore, warn, alert on logs via regex. http://www.ip-solutions.net/syslog-ng/ Cheers, Harry On 09/30/2011 09:50 AM, harbor235 wrote: What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? Mike
RE: events
I've been testing ManageEngine's Syslog application. It works pretty well so far, I haven't really hammered it with a lot of devices. Splunk is supposed to be king of the hill I hear, but so is their pricing. Date: Fri, 30 Sep 2011 09:50:29 -0400 Subject: events From: harbor...@gmail.com To: nanog@nanog.org What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? Mike
Re: events
We use splunk, works ok except with the amount of text data you can process with it (depends on license). -B On Fri, Sep 30, 2011 at 7:50 AM, harbor235 harbor...@gmail.com wrote: What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? Mike -- () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments Disclaimer: http://goldmark.org/jeff/stupid-disclaimers/
RE: events
Is it really that expensive, and WORTH the expense? Date: Fri, 30 Sep 2011 10:37:22 -0600 Subject: Re: events From: pfu...@gmail.com To: harbor...@gmail.com CC: nanog@nanog.org We use splunk, works ok except with the amount of text data you can process with it (depends on license). -B On Fri, Sep 30, 2011 at 7:50 AM, harbor235 harbor...@gmail.com wrote: What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? Mike -- () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments Disclaimer: http://goldmark.org/jeff/stupid-disclaimers/
Re: events
Use Splunk here. Cheers, RR On Fri, Sep 30, 2011 at 9:50 AM, harbor235 harbor...@gmail.com wrote: What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? Mike
Re: events
On Fri, Sep 30, 2011 at 11:21 AM, Brandon Kim brandon@brandontek.com wrote: Is it really that expensive, and WORTH the expense? IMO, from price quotes I've gotten in the past, it's astronomically expensive. As for worth it...depends. If you're dealing with events for say payment processing systems, it might be. But as a general use tool, it's way outside of being worth it. You license based on the incoming bytes of logging data. But you still have to buy the hardware to process it. They also expect you to pay for that license time and time again.
RE: events
Thank you! That's a bummer about the way they license their product. All it takes is another splunk company to come out with something just as competitive. I've been happy with my basic ManageEngine's syslog, but I may be looking at Solarwinds too... Date: Fri, 30 Sep 2011 11:36:58 -0600 Subject: Re: events From: mlof...@wgops.com To: brandon@brandontek.com CC: pfu...@gmail.com; harbor...@gmail.com; nanog@nanog.org On Fri, Sep 30, 2011 at 11:21 AM, Brandon Kim brandon@brandontek.com wrote: Is it really that expensive, and WORTH the expense? IMO, from price quotes I've gotten in the past, it's astronomically expensive. As for worth it...depends. If you're dealing with events for say payment processing systems, it might be. But as a general use tool, it's way outside of being worth it. You license based on the incoming bytes of logging data. But you still have to buy the hardware to process it. They also expect you to pay for that license time and time again.
Re: events
On 2011-09-30, at 2:13 PM, Brandon Kim wrote: I've been happy with my basic ManageEngine's syslog, but I may be looking at Solarwinds too... I've just installed the Splunk eval myself, but I'm curious about your ManageEngine experiences. I don't have any interest in using ManageEngine as an NMS; I have a couple of tools that I use for that already. Can you use ManageEngine's syslog without having to set it up to monitor all of your devices first? Have you looked at the TRAP support in ManageEngine?
RE: events
I'm obviously biased as I'm the Head Geek here at SolarWinds but if you need any help or guidance with our products feel free to ping me off list. Josh -Original Message- From: Brandon Kim [mailto:brandon@brandontek.com] Sent: Friday, September 30, 2011 1:14 PM To: mlof...@wgops.com Cc: nanog group Subject: RE: events Thank you! That's a bummer about the way they license their product. All it takes is another splunk company to come out with something just as competitive. I've been happy with my basic ManageEngine's syslog, but I may be looking at Solarwinds too... Date: Fri, 30 Sep 2011 11:36:58 -0600 Subject: Re: events From: mlof...@wgops.com To: brandon@brandontek.com CC: pfu...@gmail.com; harbor...@gmail.com; nanog@nanog.org On Fri, Sep 30, 2011 at 11:21 AM, Brandon Kim brandon@brandontek.com wrote: Is it really that expensive, and WORTH the expense? IMO, from price quotes I've gotten in the past, it's astronomically expensive. As for worth it...depends. If you're dealing with events for say payment processing systems, it might be. But as a general use tool, it's way outside of being worth it. You license based on the incoming bytes of logging data. But you still have to buy the hardware to process it. They also expect you to pay for that license time and time again.
Re: events
Have you tried qradar? It's rather good. On 30 Sep 2011, at 19:21, Jason Lixfeld ja...@lixfeld.ca wrote: On 2011-09-30, at 2:13 PM, Brandon Kim wrote: I've been happy with my basic ManageEngine's syslog, but I may be looking at Solarwinds too... I've just installed the Splunk eval myself, but I'm curious about your ManageEngine experiences. I don't have any interest in using ManageEngine as an NMS; I have a couple of tools that I use for that already. Can you use ManageEngine's syslog without having to set it up to monitor all of your devices first? Have you looked at the TRAP support in ManageEngine?
Re: events
On 09/30/2011 09:50 AM, harbor235 wrote: Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there? We've made some great strides in OpenNMS in the area of syslog event processing. The upcoming 1.10 release will be much easier to get going, particularly since we now have pluggable message parsers -- you no longer need Wireshark and a black belt in regular expressions to start receiving events from syslog sources. We've also made it possible to split the syslog rules across multiple files, which makes maintaining your own rules much easier compared to the old monolithic style. It's still not going to be Splunk-easy to configure, but it's now darned close to Netcool OMNIbus syslogd probe-easy. Plus you get pretty JasperReports reports based on your events like this one (or roll your own): http://opennms.org/~jeffg/event-analysis-sample.pdf Also flexible event notifications, event de-duplication, and SNMP trap handling as well as service-assurance polling, performance data collection via SNMP, HTTP, WMI, SQL/JDBC, and other protocols. Oh yeah, it's 100% free / libre / open source software. And you can get support for it from my employer. PR hat off, -jeff
RE: events
Good question, we do not use manageengine for NMS and I have no desire to use them either. I tried their NMS platform last year and it was ok, the interface just seemed a little clunky. Setting up ManageEngine syslog was a breeze and now we get alerts based on what kind of messages we want, it's pretty hands off, I'm sure you could fine tune it further... But I hear that solarwinds NPM has syslog built into it, so I'm thinking of going with one product that covers it all. Subject: Re: events From: ja...@lixfeld.ca Date: Fri, 30 Sep 2011 14:21:38 -0400 To: nanog@nanog.org On 2011-09-30, at 2:13 PM, Brandon Kim wrote: I've been happy with my basic ManageEngine's syslog, but I may be looking at Solarwinds too... I've just installed the Splunk eval myself, but I'm curious about your ManageEngine experiences. I don't have any interest in using ManageEngine as an NMS; I have a couple of tools that I use for that already. Can you use ManageEngine's syslog without having to set it up to monitor all of your devices first? Have you looked at the TRAP support in ManageEngine?
Re: events
On Fri, Sep 30, 2011 at 2:44 PM, Ukpong Ukpong ukpong.ukp...@gmail.com wrote: Have you tried qradar? It's rather good I've used Splunk and QRadar; both are available as free VMware appliances with limitations on log volume, sufficient for testing. Or if you're mostly looking at webserver/proxy/firewall logs, Sawmill is worth checking out. I've also been looking into using Lancope's replicator to take in syslog UDP and send copies to multiple loggers, since some appliances only support a single syslog destination. Kevin
Re: Research Project: Internet capacity during pandemic events
It's not related to Canada directly but it is related to your question. The following links are to the NANOG archive from Sep 11th 2001 where there was some very good communication, specifically from Sean Donnelan regarding connectivity during crisis. It shows the unknowns that people faced and the teamwork involved in ensuring everyone could communicate (if you overlook the religious and opinionated posts from other members). http://www.merit.edu/mail.archives/nanog/2001-09/ http://www.merit.edu/mail.archives/nanog/2001-09/msg00384.html Regards, Ken On 2 February 2010 21:59, ha...@ualberta.ca wrote: Hello everyone, My name is Mike Haska, and I am a graduate student at the University of Alberta. I am conducting research into Internet capacity issues during pandemic events. In order to analyze certain aspects of this topic, I need to get in touch with representatives from the major Internet service providers in Canada - some of whom, I am hoping, are members of this distribution. Specifically, I am looking to get in touch with individuals who are familiar with the structure of their network and with any pandemic contingency plans that are in place within their organization. If you think you may be able to assist, or if you know of anyone who could, please contact me at (haska at ualberta.ca) and I will provide further information on all aspects of this study. To put your mind at ease - I'm not fishing around for sensitive information or your root passwords; I'm looking for an overview of your policies and your responses to hypothetical scenarios. Your confidentiality is assured and you are welcome to preview all the questions to be asked before you commit to participating in any way. I feel this topic has important implications to network operators in Canada, so any support you can offer to this research project is greatly appreciated. Best regards, -Mike
Re: Research Project: Internet capacity during pandemic events
Mike, Is your interest events like the recent semi-non-event with H1N1, where for contagion management, workforce labor and school age children were not compulsorily aggregated, or morbidity and mortality effects on network operator labor for an event such as the dispersal of a weaponized biological? Restated, is your interest bursty behavior on the edge (houses of workers at big box employers X,Y,Z), rather than at the core (big box employer X,Y,Z), or how do network operators plan continuity as the skilled labor available count goes to zero? We sort of had the latter exercise over the past three weeks in Haiti, where fuel, food, and families assumptions about operational readiness were tested, and only just kept above zero. Eric On 2/2/10 10:59 PM, ha...@ualberta.ca wrote: Hello everyone, My name is Mike Haska, and I am a graduate student at the University of Alberta. I am conducting research into Internet capacity issues during pandemic events. In order to analyze certain aspects of this topic, I need to get in touch with representatives from the major Internet service providers in Canada - some of whom, I am hoping, are members of this distribution. Specifically, I am looking to get in touch with individuals who are familiar with the structure of their network and with any pandemic contingency plans that are in place within their organization. If you think you may be able to assist, or if you know of anyone who could, please contact me at (haska at ualberta.ca) and I will provide further information on all aspects of this study. To put your mind at ease - I'm not fishing around for sensitive information or your root passwords; I'm looking for an overview of your policies and your responses to hypothetical scenarios. Your confidentiality is assured and you are welcome to preview all the questions to be asked before you commit to participating in any way. 
I feel this topic has important implications to network operators in Canada, so any support you can offer to this research project is greatly appreciated. Best regards, -Mike
Research Project: Internet capacity during pandemic events
Hello everyone, My name is Mike Haska, and I am a graduate student at the University of Alberta. I am conducting research into Internet capacity issues during pandemic events. In order to analyze certain aspects of this topic, I need to get in touch with representatives from the major Internet service providers in Canada - some of whom, I am hoping, are members of this distribution. Specifically, I am looking to get in touch with individuals who are familiar with the structure of their network and with any pandemic contingency plans that are in place within their organization. If you think you may be able to assist, or if you know of anyone who could, please contact me at (haska at ualberta.ca) and I will provide further information on all aspects of this study. To put your mind at ease - I'm not fishing around for sensitive information or your root passwords; I'm looking for an overview of your policies and your responses to hypothetical scenarios. Your confidentiality is assured and you are welcome to preview all the questions to be asked before you commit to participating in any way. I feel this topic has important implications to network operators in Canada, so any support you can offer to this research project is greatly appreciated. Best regards, -Mike
Re: Research Project: Internet capacity during pandemic events
http://www.ncs.gov/library/pubs/Pandemic%20Comms%20Impact%20Study%20(December%202007).pdf Department of Homeland Security Pandemic Influenza Impact on Communications Networks Study December 2007
[NANOG-announce] A few notes on recent events and items of interest for NANOG 47
Folks, A few notes on recent events and items of interest: (i). The NANOG Steering Committee approved the 2009 Election Ballot. It will be posted on Sunday, October 18 by noon when the polls open. (ii). Charter amendments http://nanog.org/governance/elections/2009elections/2009charteramend.php (iii). SC Candidates http://nanog.org/governance/elections/2009elections/2009sc_candidates.php (iv). Current PC Candidates http://nanog.org/governance/elections/2009elections/2009pc_candidates.php (v). Important dates - Voting for the 2009/2010 NANOG SC opens: 1200 EDT 10-18-09 - Voting for the 2009/2010 NANOG SC closes: 0915 EDT 10-21-09 - PC Candidate Information posted/nominations close: 10-19-09 The NANOG 47 agenda has been posted, so please check that out. We have a great line-up of topics and presenters. We hope to see many more in Dearborn. For those who are considering a NANOG Sponsorship, we encourage you to contact market...@merit.edu. The community really appreciates the support and vendors do have a wonderful opportunity to showcase their products. Thanks, and see you all in Dearborn. Dave
Re: looking for help for the statistics data on spoofing attack events on Internet
Dear Mr. Morrow: Thank you! We have already found CAIDA's backscatter, MIT's spoofer project. Spoofer project focuses on how much space in the Internet could be spoofable. It is very helpful for our experiment. But we also want to know how often the spoofing events (such as spoofing IP attacks, spoofing route update) occur, or the degree of their activity in real world. Monitoring the Internet widely is very difficult, so I hope to get some useful information by surveying the related statistical data and report from organization. Currently, this way has no effective result. 2007/12/24, Christopher Morrow [EMAIL PROTECTED]: On Dec 24, 2007 12:08 AM, yangyang. wang [EMAIL PROTECTED] wrote: We are conducting an experiment to evaluate IP source address spoofing attacks on Internet and want to collect some statistics data or report about it. Which organization or research group could support some statistics data, report or hints on the spoofed IP source address attack events, DNS spoofing events, router forged update events on the whole Internet or regional network for research analysis? you might get some mileage from the spoofer-project out of MIT: http://spoofer.csail.mit.edu/ have fun!
Re: looking for help for the statistics data on spoofing attack events on Internet
-- yangyang. wang [EMAIL PROTECTED] wrote: We have already found CAIDA's backscatter, MIT's spoofer project. Spoofer project focuses on how much space in the Internet could be spoofable. It is very helpful for our experiment. But we also want to know how often the spoofing events (such as spoofing IP attacks, spoofing route update) occur, or the degree of their activity in real world. Monitoring the Internet widely is very difficult, so I hope to get some useful information by surveying the related statistical data and report from organization. Currently, this way has no effective result. As one of the co-authors to RFC2827/BCP38, I certainly understand your concerns. Which is why I encourage anyone who is interested to put their efforts into SAVA/SAVI work currently underway in the IETF. [SAVA: Source Address Validation Architecture] I personally think this is important work, but probably for different reasons than most people. ;-) - ferg [1] http://www3.ietf.org/proceedings/07dec/minutes/savi.txt [2] https://datatracker.ietf.org/meeting/70/materials.html -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/