Public Subnet re-assignments
First, sorry if this is a bit of a noob question. I'm trying to find a way of preventing a slew of traffic to an IP, or IPs, when I join two /30 public subnets to a /29. It appears that while the ranges are /30 someone is trying to brute-force the network and/or broadcast addresses for the ranges. When I change them to be a /29, now the router sees the traffic and starts dropping packets. Are there any suggestions for mitigating this behavior or is it just the nature of the beast? -- 101010
Re: Public Subnet re-assignments
No nothing like that. I'm just removing the .0/30 and .4/30 subnets and adding .0/29. To your previous question, yes .0 and .3 are unused. Once I change the subnet .3 becomes a usable IP and it's getting hammered with traffic, causing packet loss.

On 6/25/19 3:30 PM, Mel Beckman wrote:
> Also, what do you mean by “join to /30 public subnets to a /29”? You can’t overlap subnets, if that’s what you’re thinking.
>
> -mel
>
>> On Jun 25, 2019, at 3:27 PM, Mel Beckman wrote:
>>
>> You’re using just the two middle IPs in the four that make up the /30 set, right? IOW, the subnet x.x.x.0/30 should have .0 and .3 unused (they’re broadcast), and you use .1 and .2.
>>
>> -mel
>>
>>> On Jun 25, 2019, at 9:41 AM, Scott wrote:
>>>
>>> First, sorry if this is a bit of a noob question.
>>>
>>> I'm trying to find a way of preventing a slew of traffic to an IP, or IPs, when I join two /30 public subnets to a /29. It appears that while the ranges are /30 someone is trying to brute-force the network and/or broadcast addresses for the ranges. When I change them to be a /29, now the router sees the traffic and starts dropping packets. Are there any suggestions for mitigating this behavior or is it just the nature of the beast?
>>>
>>> --
>>> 101010

-- 101010
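To see exactly which addresses the merge exposes, here is an added example (not part of the original thread) using Python's ipaddress module. It supernets the two /30s, lists the former network and broadcast addresses that turn into ordinary host addresses inside the /29, and tallies sample flow records against them so the operator can confirm the dropped traffic is aimed at those old edge addresses rather than at live customer hosts. The 192.0.2.0/30 and 192.0.2.4/30 prefixes and the flow records are constructed for illustration, not the poster's real ranges or data.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not from the original post).
# Fields: src dst proto dport pkts
SAMPLE_FLOWS = """\
198.51.100.9  192.0.2.3  tcp 22   4
198.51.100.9  192.0.2.3  tcp 23   4
203.0.113.77  192.0.2.3  udp 161  1
203.0.113.77  192.0.2.1  tcp 443  12
198.51.100.9  192.0.2.4  tcp 22   2
"""

def merge_subnets(cidrs):
    """Collapse the given prefixes into one supernet, or fail loudly if
    they are not adjacent and aligned (e.g. .4/30 and .8/30 cannot form a /29)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    merged = list(ipaddress.collapse_addresses(nets))
    if len(merged) != 1:
        raise ValueError(f"{cidrs} do not form a single supernet: {merged}")
    return merged[0]

def newly_exposed_hosts(cidrs):
    """Addresses that were network or broadcast addresses in the old prefixes
    but are plain host addresses in the merged prefix. For two adjacent /30s
    that is the old broadcast of the first and the old network of the second."""
    old = [ipaddress.ip_network(c) for c in cidrs]
    new = merge_subnets(cidrs)
    old_edges = set()
    for n in old:
        old_edges.update((n.network_address, n.broadcast_address))
    return sorted(old_edges & set(new.hosts()))

def count_hits(flow_text, targets):
    """Sum packets per destination for flows aimed at the given addresses.
    Malformed records are skipped rather than crashing the tally."""
    wanted = {str(t) for t in targets}
    hits = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _src, dst, _proto, _dport, pkts = fields
        if dst in wanted:
            hits[dst] += int(pkts)
    return hits

if __name__ == "__main__":
    old_prefixes = ["192.0.2.0/30", "192.0.2.4/30"]
    exposed = newly_exposed_hosts(old_prefixes)
    print("merged:", merge_subnets(old_prefixes))
    print("newly usable (formerly edge) addresses:", [str(a) for a in exposed])
    print("packets seen toward them:", dict(count_hits(SAMPLE_FLOWS, exposed)))
```

The addresses this returns (.3 and .4 for the constructed pair) are the ones to leave unassigned, or to filter at the edge, until the scanning moves on; the per-address packet counts give a quick check that the drops the router reports are landing on the old edge addresses and not on the hosts already in service.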
Re: OT: Re: Can somebody explain these ransomwear attacks?
On 6/25/21 12:15 AM, Michael Thomas wrote: On 6/24/21 4:57 PM, Karl Auer wrote: Ransomwear - the latest fashion idea. "Pay me money or I will continue to wear these clothes" I reckon I could make a killing just by stepping out in a knee-length macrame skirt... Lol. Thanks, I knew that didn't look right. Maybe with a crop top to complete the ensemble. No, no, no... Some things can't be unthought! ;) scott
Re: New minimum speed for US broadband connections
On 6/1/21 9:56 PM, Mike Hammett wrote: For something "future-proof" you have to run fiber. Rural fiber would cost $5 - $10/ft. That's $26k - $52k per mile. Most rural roads around here have 2 - 3 houses per mile. I'm sure the more rural you go, the less you have. That's one hell of an install cost per home passed. - Unless I missed something, back-of-a-napkin calculations say: on the low side: $26000 / 2.5 = $10400 $50/month charge to the rural customer gives $125 $10400 / $125 = 84 months or 7 years. On the high side: 14 years. scott
Re: New minimum speed for US broadband connections
Mike Hammett wrote: For something "future-proof" you have to run fiber. Rural fiber would cost $5 - $10/ft. That's $26k - $52k per mile. Most rural roads around here have 2 - 3 houses per mile. I'm sure the more rural you go, the less you have. That's one hell of an install cost per home passed. --- *From: *"scott" Unless I missed something, back-of-a-napkin calculations say: on the low side: $26000 / 2.5 = $10400 $50/month charge to the rural customer gives $125 $10400 / $125 = 84 months or 7 years. On the high side: 14 years. -- Mike Hammett wrote: On just the installation. You'd also need to factor in all of the other monthly costs in supporting that customer, including the cost of funds. -- Ok, charge them a bit more per month. That's why I used a low figure like $50/month. scott
Myanmar internet - something to think about if you're having a bad day
These network operators are having to deal with really bad days! "At gunpoint, they ordered technicians at telecom operators to switch off the internet." A whole other level of 'bad day' than we have to deal with! "The method of choice is to decouple website addresses from the series of numbers a computer needs to look up specific sites, a practice akin to listing a wrong number under a person’s name in a phone book." I am assuming they mean they are putting false info in the DNS. ? https://www.nytimes.com/2021/02/23/world/asia/myanmar-coup-firewall-internet-china.html "The Myanmar soldiers descended before dawn on Feb. 1, bearing rifles and wire cutters. At gunpoint, they ordered technicians at telecom operators to switch off the internet. For good measure, the soldiers snipped wires without knowing what they were severing..." "The military is afraid of the online activities of people so they tried to block and shut down the internet...But now international bank transactions have stopped, and the country’s economy is declining. It’s like their urine is watering their own face.” "Myanmar’s two foreign-owned telecom operators, Telenor and Ooredoo, have complied with numerous demands from the military..." https://en.wikipedia.org/wiki/Ooredoo "is a Qatari multinational telecommunications company headquartered in Doha, Qatar." https://en.wikipedia.org/wiki/Telenor "is a Norwegian majority state-owned multinational telecommunications company headquartered at Fornebu in Baerum, close to Oslo." Telenor and Ooredoo, it's time to do the right thing. scott ps. good thing for them they didn't snip DC power lines...
Re: Myanmar internet - something to think about if you're having a bad day
On 4/26/2021 10:53 AM, Andy Ringsmuth wrote: On Apr 26, 2021, at 3:23 PM, scott wrote: Telenor and Ooredoo, it's time to do the right thing. Well, for strongly held religious beliefs, some may be convicted enough to be a martyr. For internet connectivity? Likely not. I could not parse that. (autocorrect issue?) There is nothing about religion in the post. The section of my post you highlighted above was to name-and-shame companies facilitating violent repression. What started it was how a 'bad day' for network operators can mean very different things. Just some food for thought as Monday progresses...:) scott
Re: Myanmar internet - something to think about if you're having a bad day
On 4/26/2021 11:27 AM, Mel Beckman wrote: Scott, are you saying that employees of Telenor and Ooredoo are “facilitating violent repression” by following the orders of soldiers holding guns to their heads? - No. Not at all. Of course not. That would be ridiculous. I meant to say,"Myanmar’s two foreign-owned telecom operators, Telenor and Ooredoo..." should stop facilitating the repression by complying "...with numerous demands from the military, including instructions to cut off the internet each night for the past week, and block specific websites, such as Facebook, Twitter and Instagram." And, yeah, that means financial repercussions for the companies. My understanding of the rules of nano guess that there is to be no “naming and shaming“. please retract your post. --- What? You know folks do that all the time. Did I miss the change in rules? If it makes you or others feel better...I retract the post. I was having a bad day (Monday) and saw this. It made me feel better about the crap I am going through today and thought it might be the same for other ops. I also found it interesting that they were manipulating DNS servers with false IP addresses. I wonder if the people can use a different DNS server than the two ISPs? scott
Re: Myanmar internet - something to think about if you're having a bad day
On 4/26/2021 5:30 PM, George Metz wrote: First you say "not at all" and then you say "stop complying". If your employees stop complying with the orders coming from the angry men with guns held to said employees' heads, someone's going to get shot - and it's going to be the telecom employees. That's significantly more than a financial hardship and I cannot grasp how you think it could possibly be otherwise. - Last post on this for me... Dang this went off the rails fast! The main point was 'when you're thinking you're having a bad day think about what these network operators are going through', but you and Mel seemed to have missed that part. Additionally, I did not mean the -employees- should say no to the gunmen. That's ridiculous to think I meant they should die for internet connectivity to remain on! I meant the -companies- should stop facilitating the repression by complying "...with numerous demands from the military, including instructions to cut off the internet each night for the past week, and block specific websites, such as Facebook, Twitter and Instagram." This means the companies should stop selling to the military there. But that was an aside to the above. I can pass packets pretty well, but the evidence seems to show I am a pretty crappy communicator. scott
Re: FCC fines for unauthorized carrier changes and consumer billing
On 4/23/2021 5:51 AM, Eric Kuhnke wrote: Did the FCC ever collect its $50 million from "Sandwich Isles Telecommunications" for blatant fraud? At this scale I wonder how or why certain people are not in federal prison. Folks did go to prison: https://www.hawaiinewsnow.com/story/30903886/hawaii-telecom-executive-sentenced-to-46-months-behind-bars "Telecommunications executive Albert Hee was sentenced to 46 months in federal prison on Wednesday for tax charges." "Hee is the younger brother of former state Sen. Clayton Hee and the founder of Sandwich Isles Communications." https://www.bizjournals.com/pacific/news/2020/12/01/hawaiian-telcom-to-acquire-fiber-network-paniolo.html "Hee, brother of former state Sen. Clayton Hee <https://www.bizjournals.com/pacific/search/results?q=Clayton Hee>, was convicted of federal tax fraud <https://www.bizjournals.com/pacific/news/2014/12/18/alberthee-indicted-for-allegedly-taking-4m-from.html> in 2015 and was sentenced to 46 months in federal prison and was released on Sept. 19, 2019, according to the Bureau of Prisons website." good details here: http://www.hawaiifreepress.com/Articles-Main/ID/26464/FCC-Fines-Al-Hee-49M-for-Fraud He cheated folks that don't have much in the first place, so he could have millions he didn't deserve. Ugly person. We (Hawaiian Telcom) bought the Paniolo Cable Company for their interisland fiber network and have been pushing out good internet to the far-flung locations. We have really, really remote locations here. scott (paniolo means cowboy in Hawaiian)
Re: FCC fines for unauthorized carrier changes and consumer billing
:: "the Paniolo Cable Company for their interisland fiber network" I see I wasn't clear. The Paniolo Cable Company was part of SIC by ownership https://www.bizjournals.com/pacific/news/2020/12/01/hawaiian-telcom-to-acquire-fiber-network-paniolo.html That bankruptcy hearing, meanwhile, comes on the heels of a real estate fire-sale consummated on May 18 in which a company controlled by disgraced businessman Albert S.N. Hee — which owns one of the three undersea cables the entire state depends on for its data services — effectively sold parts of itself to another company controlled by the same family. The companies in question are Honolulu-based Sandwich Isles Communications and Paniolo Cable. scott
Re: Perhaps it's time to think about enhancements to the NANOG list...?
One last thing before I stop. How would the numerous NANOG archives work when everything is on Discourse? The same? scott
Re: Perhaps it's time to think about enhancements to the NANOG list...?
On 3/22/2021 11:43 AM, Edward McNair wrote: Our mailing list is a clear indication that size does not fit all. -- Could you elaborate on that? This assumes everyone agrees with the statement. I don't think that is the case. It is certainly not the case for me. I know how to filter out subjects I don't want to read. It is easy. What happens if Discourse gets bought or goes out of business? scott Just a few yuck things: "Let the community suppress spam and dangerous content, and amicably resolve disputes." (that would never be misused to suppress something the community moderators don't like...never...) "When someone quotes your post, we’ll notify you. When someone mentions your @name, we’ll notify you. When someone replies to your post… well, you get the idea. And if you’re not around, we’ll email you, too." (WTF?) "Encourage positive community behaviors through the included set of badges" (ohhh, I want a shiny badge!) "Discourse was designed for high resolution touch devices..."
Re: Perhaps it's time to think about enhancements to the NANOG list...?
On 3/22/2021 4:00 AM, Mike Hammett wrote: The migration happened just a month or two ago. Are we talking about the same thing? TBH, most discussion in the WISP space has moved to Facebook. The busy WISPA mailing lists used to get about 20k messages per year. When I last checked, they were down to 5k or so and on a downward trend. Meanwhile, the Facebook groups have exploded, both in members per group and the number of groups. -- Please tell me you're not suggesting that to be able to participate in NANOG a person must move to FB. I would get banned from NANOG for saying what I think about that... scott
Re: Perhaps it's time to think about enhancements to the NANOG list...?
Well, now we are likely to find out what happens when Discord is bought: "Microsoft in talks to buy Discord messaging platform - sources" https://www.reuters.com/article/us-discord-m-a/microsoft-in-talks-to-buy-discord-messaging-platform-sources-idUSKBN2BE320 scott
Re: 10 years from now... (was: internet futures)
On 3/26/2021 9:42 AM, Michael Thomas wrote: LEO internet providers will be coming online which might make a difference in the corners of the world where it's hard to get access, but will it allow internet access to parachute in behind the Great Firewall? How do the Chinas of the world intend to deal with the Great Firewall implications? This is what I hope will change in the next 10 years. "Turning off the internet" will be harder and harder for folks suppressing others, many times violently, and hiding it from everyone else. A small-ish antenna easily hidden would be necessary. scott
Re: 10 years from now... (was: internet futures)
On 3/26/2021 9:42 AM, Michael Thomas wrote: LEO internet providers will be coming online which might make a difference in the corners of the world where it's hard to get access, but will it allow internet access to parachute in behind the Great Firewall? How do the Chinas of the world intend to deal with the Great Firewall implications? This is what I hope will change in the next 10 years. "Turning off the internet" will be harder and harder for folks suppressing others, many times violently, and hiding it from everyone else. A small-ish antenna easily hidden would be necessary. On 3/27/2021 5:30 PM, na...@jima.us wrote: Please don't forget that RF sources can be tracked down by even minimally-well-equipped adversaries. Spread spectrum? ;) https://en.wikipedia.org/wiki/Spread_spectrum scott
Re: Perhaps it's time to think about enhancements to the NANOG list...?
On Tue, Mar 23, 2021 at 2:35 PM scott wrote: Well, now we are likely to find out what happens when Discord is bought: "Microsoft in talks to buy Discord messaging platform - sources" https://www.reuters.com/article/us-discord-m-a/microsoft-in-talks-to-buy-discord-messaging-platform-sources-idUSKBN2BE320 -- On 3/23/2021 8:39 AM, Tom Beecher wrote: Nope. https://www.discourse.org/ != https://discord.com/ Oops, thanks. I will go and hide in the corner with my coffee pot... scott
Re: Australian Dark Fibre Providers - Sydney
On 3/10/2021 3:37 PM, Rod Beck wrote: Anyone besides Superloop? --- Try over on AusNOG. scott
Re: Perhaps it's time to think about enhancements to the NANOG list...?
:: The board has been thinking about enhancements to the NANOG list for a couple of years now Please let me put in my $0.02. I would like to ask that there be no changes. For myself, it has been 24 years here and I see no problems. I enjoy the off-topic as much as the on-topic...most times. If a person can't figure out how to filter out a subject or sender in an email client they will have way more problems trying to be a network engineer on anything but the tiniest of networks. I would think a person who can't figure out how to use filters on a mail client would rather configure routers through the HTTP GUI, rather than the CLI. Of course, one would not find an HTTP GUI on the bigger networks dealt with on this list; only on the tiny networks. So they're beginning learners and are, of course, welcome. They will learn a lot, just as I did in the early days and do every day nowadays. In agreement with others here, randy's comment: "i do not find the volume or diversity on the nanog list problematic. in fact, i suspect its diversity and openness are major factors in it being the de facto global anything-ops list. perhaps we do not need to fix that." Is spot on. And last, John Covici also hit the nail on the head and all network engineers will recognize his comment "Keep it simple, please" as a very nice way of saying KISS, which any network engineer who has had time on a network will realize as the basic design principle. scott
Re: Perhaps it's time to think about enhancements to the NANOG list...?
On 3/20/2021 2:47 PM, Matthew Petach wrote: On Sat, Mar 20, 2021 at 5:13 PM scott wrote: [...] Of course, one would not find an HTTP GUI on the bigger networks dealt with on this list; only on the tiny networks. So they're beginning learners and are, of course, welcome. They will learn a lot, just as I did in the early days and do every day nowadays. [...] Let's see... Google: Gmail Microsoft: Hotmail/Outlook/Office365 Yahoo/VerizonMedia: Yahoo Mail I'd have to say, there's some pretty big networks on this list that use HTTP GUIs for their email. You missed the sentence just before that: "I would think a person who can't figure out how to use filters on a mail client would rather configure routers through the HTTP GUI, rather than the CLI." scott
Re: Perhaps it's time to think about enhancements to the NANOG list...?
On 3/20/2021 3:34 PM, David Siegel wrote: ...not to mention that all mature networks are moving more towards GUI front ends for their automated network. As the complexity of a network increases, CLI access becomes considerably more risky. The idea that "real engineers use the CLI" is dinosaur thinking that will eventually land those with that philosophy out of a job. Just my personal $.02 (though I'm certainly not alone in my opinion). - I didn't mean to imply "real engineers use the CLI" only, but that's the way you read it (perhaps others, too), so all good. Definitely, there is no shortage of network engineering jobs for those that mainly use CLI compared to those that use mainly/only a GUI, at least as far as I have seen. The CLI works on all networks, but a GUI is different in each network. As was mentioned upthread, there is a place for a GUI. I am not implying there is not a place for it. I can't even begin to imagine trying to troubleshoot the complex problems I deal with day-to-day on a GUI and I am on a medium sized network compared to those on this list. But I'd like to reiterate that the board's goal with modernization is not to alienate anyone from the existing community by forcing them into a web-interface. Discourse is under evaluation, and if it doesn't accomplish the goal we'll try something else or build our own tool. --- Thanks for that. I consider this list one of the most important tools I have for learning about networking. scott Dave On Sat, Mar 20, 2021 at 6:52 PM Matthew Petach wrote: On Sat, Mar 20, 2021 at 5:13 PM scott wrote: [...] Of course, one would not find an HTTP GUI on the bigger networks dealt with on this list; only on the tiny networks. So they're beginning learners and are, of course, welcome. They will learn a lot, just as I did in the early days and do every day nowadays. [...] scott Let's see...
Google: Gmail Microsoft: Hotmail/Outlook/Office365 Yahoo/VerizonMedia: Yahoo Mail I'd have to say, there's some pretty big networks on this list that use HTTP GUIs for their email. Of course, you might be big enough that you look down on the networks of Google, Microsoft, and VZM as "tiny networks" -- in which case, you're definitely entitled to your opinion, as all 8000 pound gorillas that look down on the puny 800 lb gorillas are. ;) Matt
Re: Famous operational issues
On 2/23/2021 12:22 PM, Justin Streiner wrote: An interesting sub-thread to this could be: Have you ever unintentionally crashed a device by running a perfectly innocuous command? --- There was that time in the later 1990s where I took most of a global network down several times by typing "show ip bgp regexp " on most all of the core routers. It turned out to be a cisco bug. I looked for a reference, but cannot find one. Ahh, the earlier days of the commercial internet...gotta love'em. scott
Re: My First BGP-Hijacking Explanation
On 4/8/2021 12:19 PM, Eric Kuhnke wrote: As an anecdotal data point, the only effect this has had is teaching random 14 year olds how to use ordinary consumer grade VPNs, which work just fine. - That's a silver lining in the dark cloud. They're learning networking; sort of. :) scott
Re: DoD IP Space
--- sa...@cluecentral.net wrote: From: Sabri Berisha The true enemy here is mid-level management that refuses to prioritize deployment of IPv6. What we should be discussing is how best to approach that problem. It's where ops and corporate politics overlap. -- 100% agreed! Been whining about that here many times. I have been trying to get IPv6 going for a long time, but the above stopped my plans. One thing I mentioned recently, though, is we just got a $BIGCUSTOMER and their requirement was we do IPv6. So keep your IPv6 deployment plans ready. In my case they said a 'we need it right now' kind of thing. That could happen to anyone here. scott
Re: Famous operational issues
On 2/16/2021 9:37 AM, John Kristoff wrote: I'd suggest the AS 7007 event is perhaps the most notorious and likely to top many lists including mine. AS7007 is how I found NANOG. We (Digital Island; first job out of college) were in 10-20 countries around the planet at the time. All of them went down while we were in cisco training. I kept interrupting the class and telling my manager "everything's down! We need to stop the training and get on it!" We didn't because I was new and no one believed that much could go down all at once. They assumed it was a monitoring glitch. So, the training continued for a while until very senior engineers got involved. One of the senior guys said something to the effect of "yeah, it's all over NANOG." I said what is NANOG? I signed up for the list and many of you have had to listen to me ever since... ;) scott
Re: DoD IP Space
On 2/12/2021 8:39 PM, Mark Tinka wrote: On 2/12/21 21:56, scott wrote: 100% agreed! Been whining about that here many times. I have been trying to get IPv6 going for a long time, but the above stopped my plans. One thing I mentioned recently, though, is we just got a $BIGCUSTOMER and their requirement was we do IPv6. So keep your IPv6 deployment plans ready. In my case they said a 'we need it right now' kind of thing. That could happen to anyone here. How about just doing it and then asking for forgiveness later :-)? That's what I did in 2005, but fair point, the network was only 2 routers big and in just one city :-). I would be looking for a new job and it is a much larger network than 2 routers in a big city. :) Sabri Berisha was correct: "The true enemy here is mid-level management that refuses to prioritize deployment of IPv6. What we should be discussing is how best to approach that problem. It's where ops and corporate politics overlap." What I always heard when I brought it up and they didn't want to talk about it was "What's the business case?" They know there isn't one. scott
Re: netflow in the core used for surveillance
On Wed, Aug 25, 2021 at 6:15 PM Randy Bush wrote: https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru used to get dissidents, activists, and journos killed at, comcast, ... zayo, please tell us you do not do this. - After the SF room thing a decade ago (or whatever timeframe it was) we have to know AT&T is doing it. On 8/25/21 11:01 PM, jim deleskie wrote: :: I think letting any of those people think ToR is safe as being a much bigger risk. Especially since ToR was developed by the US Navy to support spying operations. :: ...Team Cymru...and believe them to be the good guys, Agreed and I have thought so for a very long time, but sadly this casts a shadow over my interpretation of their work. Hopefully, someone there clarifies and we can go on knowing they're one of the (few) good guys. scott
Re: S.Korea broadband firm sues Netflix after traffic surge
On 10/12/21 9:15 PM, Matthew Petach wrote: So, I take it you steadfastly block *all* cookies from being stored or transmitted from your browser at home? --\ I used to when Firefox had the "ask me every time" for cookies. They got rid of that, so now I clear them out all the time. Many times a day and every time I close the browser... :) Then I found out about Mozilla Location Services, how they made it so we can't block that and realized they only blocked others and not themselves from feasting on our data. https://en.wikipedia.org/wiki/Mozilla_Location_Services https://location.services.mozilla.com Bastards! scott
Re: S.Korea broadband firm sues Netflix after traffic surge
On 10/13/21 2:39 AM, Doug Barton wrote: On the cookie issue, I have had very good luck with this in Firefox: https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/ - Nice, I have the settings to delete all history and cookies when I close the browser as well as remove them all the time while I am using it. I don't want to leave Firefox because of NoScript. That stops a lot of snooping. Too bad it doesn't work for other browsers like Vivaldi. I would switch in a heartbeat because the dirty stuff Mozilla Location Services does is ugly. scott hope this helps, Doug On 10/12/21 6:26 AM, scott wrote: On 10/12/21 9:15 PM, Matthew Petach wrote: So, I take it you steadfastly block *all* cookies from being stored or transmitted from your browser at home? --\ I used to when Firefox had the "ask me every time" for cookies. They got rid of that, so now I clear them out all the time. Many times a day and every time I close the browser... :) Then I found out about Mozilla Location Services, how they made it so we can't block that and realized they only blocked others and not themselves from feasting on our data. https://en.wikipedia.org/wiki/Mozilla_Location_Services https://location.services.mozilla.com Bastards! scott
Re: Network visibility
On 10/20/21 6:52 PM, Kain, Becki (.) wrote: Oh and I remember the day we first got mosaic and I thought “why would I need pictures on the internet?” - When Mosaic first got I remember thinking what the heck do I do with that? scott
Re: Internet history
This didn't go through. Trying again. On 10/21/2021 2:39 PM, scott wrote: On 10/21/2021 8:52 AM, Patrick W. Gilmore wrote: It was “LO”, and Mr. Kline sent the packets, but you got it essentially right. --- A picture of the sign explaining it and a picture of IMP 1 (seventeen years ago next Friday, Oct 29) at the "35th Anniversary of the Internet" at UCLA. That was 2004. A slapped together web page (you'll have to rotate a couple of the images) just for this email: http://surfer.mauigateway.com/imp/imp.html I am over 6 feet tall, so that "router" is giant! Even though it is not really a router, I like to tell non-technical folks that it is one of the internet's first two routers and then I send them to RFC 1. It takes a whole beer to finish the story of the first thing transmitted was LO as in "lo and behold...I exist". Dr Kleinrock is the nicest person. I was embarrassed to ask for a picture, which is why I look so funny (I am not a picture person, but the nerd in me couldn't resist) and he could tell. He was the nicest person to me to help me calm down. I'll not forget that. scott ps. I also am not a very good photographer, thus the light reflection on the sign. :)
Re: Better description of what happened
On 10/5/21 8:39 PM, Michael Thomas wrote: This bit posted by Randy might get lost in the other thread, but it appears that their DNS withdraws BGP routes for prefixes that they can't reach or are flaky it seems. Apparently that goes for the prefixes that the name servers are on too. This caused internal outages too as it seems they use their front facing DNS just like everybody else. Sounds like they might consider having at least one split horizon server internally. Lots of fodder here. Move fast; break things? :) scott
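The failure mode described above, health-driven withdrawal of the anycast DNS prefix that also removes the name servers themselves and with them the internal tooling that depends on public DNS, as an added example that is not part of the original thread or of any operator's actual code. It is a hypothetical model in Python: a naive policy withdraws wherever the backbone probe fails, a guarded policy refuses to let the announced set drop below a floor (treating a failure every site sees at once as a backbone or control-plane fault rather than a local one), and a resolver that consults an internal split-horizon zone first so operations names still resolve when the public prefix is gone. Site names, zone contents and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SiteHealth:
    site: str                  # hypothetical anycast DNS site name
    backbone_reachable: bool   # did this site's probe reach the backend data centers?

def naive_policy(health):
    """Withdraw the anycast prefix at every site whose backbone probe failed.
    Returns the set of sites still announcing. If every probe fails, the set
    is empty and the name servers vanish from the Internet entirely."""
    return {h.site for h in health if h.backbone_reachable}

def guarded_policy(health, min_announcing=1):
    """Same rule, but never let the announced set fall below min_announcing.
    A symptom that every site reports simultaneously is more likely a fault
    in the backbone or the monitoring itself than in each site, so fail static
    (keep announcing) instead of removing the last path to the resolvers."""
    announcing = naive_policy(health)
    if len(announcing) >= min_announcing:
        return announcing
    return {h.site for h in health}

# Constructed zones (hypothetical names and addresses, not real infrastructure).
PUBLIC_ZONE = {
    "www.example": "192.0.2.10",
    "ops-console.corp.example": "192.0.2.20",   # same name also in the internal zone
}
INTERNAL_ZONE = {
    "ops-console.corp.example": "10.20.0.5",
    "oob-gateway.corp.example": "10.20.0.1",
}

def resolve(name, public_sites_announcing, internal_zone=INTERNAL_ZONE,
            public_zone=PUBLIC_ZONE):
    """Split-horizon lookup: answer from the internal zone when it knows the
    name, otherwise ask public DNS, which is only reachable while at least one
    anycast site still announces. Returns an address string or None."""
    if name in internal_zone:
        return internal_zone[name]
    if not public_sites_announcing:
        return None
    return public_zone.get(name)

# Constructed health snapshots used by the demo below.
ALL_DOWN = [SiteHealth("site-a", False), SiteHealth("site-b", False),
            SiteHealth("site-c", False)]
PARTIAL = [SiteHealth("site-a", False), SiteHealth("site-b", True),
           SiteHealth("site-c", True)]

if __name__ == "__main__":
    for label, snapshot in (("partial failure", PARTIAL), ("correlated failure", ALL_DOWN)):
        for policy in (naive_policy, guarded_policy):
            announcing = policy(snapshot)
            print(f"{label:19} {policy.__name__:14} announcing={sorted(announcing)} "
                  f"www={resolve('www.example', announcing)} "
                  f"ops={resolve('ops-console.corp.example', announcing)}")
```

With the partial snapshot both policies behave identically. With the correlated snapshot the naive policy withdraws everything and public names stop resolving, while the internal zone still answers for the operations console; the guarded policy keeps the prefix announced so public resolution survives the monitoring blind spot as well.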
Re: Redploying most of 127/8 as unicast public
On 11/17/2021 1:29 PM, Jay R. Ashworth wrote: This seems like a really bad idea to me; am I really the only one who noticed? https://www.ietf.org/id/draft-schoen-intarea-unicast-127-00.html That's over a week old and I don't see 3000 comments on it, so maybe it's just me. So many things are just me. [ Hat tip to Lauren Weinstein, whom I stole it from ] - Everyone's just tired of rehashing this stuff... ;) I looked up the "IPv4 Unicast Extensions Project" the authors (S.D. Schoen, J. Gilmore and D. Täht) are a part of. https://github.com/schoen/unicast-extensions -- Fixing the odd nooks and crannies still mildly broken in IPv4, by: * Making class-e (240/4), 0/8, 127/8, 224/4 more usable * Adding 419 million new IPs to the world * Fixing zeroth networking <https://github.com/schoen/unicast-extensions/blob/master/ZEROTH.md> * Improving interoperability with multiple protocols and tunnelling technologies * Supplying tested patches and tools that address these problems -- Some of these are hardcoded in ASICs, I believe. Change that! ;) scott
Re: IPv6 and CDN's
On 11/28/2021 9:47 AM, Owen DeLong via NANOG wrote: Why not properly assign /48s to customers and /40s to cities? -- Side note: I recently tried to get /48 per customer with ARIN on repeated emails and they refused. We were already given an IPv6 block a while back. I told them I wanted to expand it so I could give out a /48 per customer and that we had more than 65535 customers, which is the block we got; 65535 /48s. I didn't even account for our needs. Without arguing the reasons, we will have to hand out /56s, rather than /48s because of this. So, it's not all /48-unicorns, puppies and rainbows. scott
Re: SRv6 Capable NOS and Devices -> MPLS instead?
On 1/15/2022 9:16 AM, Raymond Burkholder wrote: On 1/15/22 10:22 AM, Colton Conor wrote: True, but in general MPLS is more costly. It's available on limited devices, from limited vendors. In fact, many of these vendors, like Extreme, charge you if you want to enable MPLS features on a box. And in this discussion group, when MPLS is mentioned, does that include VPLS? Or do operators simply use MPLS and manually bang up the various required point-to-point links? Or is there a better way to do this? For example, Free Range Routing can do MPLS, but I don't think it has a construct for VPLS (joining more than two sites together). --- MPLS has services that run on the top of it. VPLS is one of those services. The other two main services are VPRN and pseudowires. First the MPLS is configured (LSPs between nodes) and then the services are configured that run on top of MPLS. scott On Thu, Jan 13, 2022 at 3:11 AM Saku Ytti wrote: On Thu, 13 Jan 2022 at 00:31, Colton Conor wrote: I agree it seems like MPLS is still the gold standard, but ideally I would only want to have costly, MPLS devices on the edge, only where needed. The core and transport devices I would love to be able to use generic IPv6 enabled switches, that don't need to support LDP. Low end switches from premium vendors, like Juniper's EX2200 - EX3400 don't support LDP for example. It is utter fallacy that MPLS is costly, MPLS is systematically and fundamentally cheaper than IPv4 (and of course IPv6 costs more than IPv4). However if this doesn't reflect your day-to-day reality, then you can always do MPLSoGRE, so that core does not need more than IP. So in no scenario is this narrative justification for hiding MPLS headers inside IP headers, which is expensive and complex, systematically and fundamentally. -- ++ytti
Re: Russian aligned ASNs?
There were questions in the media about cutting off the Internet. One brief update not from the media. My Russian friend just called her Russian friend in Russia who just finished talking to a friend in Ukraine that said the cell phones and internet are up. scott
Re: Russian aligned ASNs?
On 2/24/2022 2:40 PM, William Allen Simpson wrote: There have been reports of DDoS and new targeted malware attacks. There were questions in the media about cutting off the Internet. Apparently some Russian government sites have already cut themselves off, presumably to avoid counterattacks. Would it improve Internet health to refuse Russian ASN announcements? What is our community doing to assist Ukraine against these attacks? I think everyone should keep all networks up and functional as long as possible and let information flow. The big issue, of course, will be the filling of the media with so much crap that no one knows what to believe. Apparently, they are attacking the Ukraine government. Regular people are not being targeted, except for those unfortunate folks that are "collateral damage". Russian and Ukraine folks are family and friends for the most part. No one on either side wants to see each other targeted. AFAIK, cell phones and internet in Ukraine are working. Someone I know called their friend in Ukraine who was on a cell. That person said Ukrainians generally are scared, but not panicking. Good call. scott
Re: Russian aligned ASNs?
On 2/24/2022 6:01 PM, scott wrote: There were questions in the media about cutting off the Internet. One brief update not from the media. My Russian friend just called her Russian friend in Russia who just finished talking to a friend in Ukraine that said the cell phones and internet are up. --- My friend just got a phone call. Electricity, cell phones and internet are all functional at this time. scott
Re: Russian aligned ASNs?
My friend just got a phone call. Electricity, cell phones and internet are all functional at this time. -- Just imagine what it must be like trying to keep those IP networks functional at a time like this. Configuring routers while under fire... Those engineers should get some kind of award... scott
Re: Coverage of the .to internet outage
From: "Jay R. Ashworth" This piece: https://www.npr.org/2022/01/18/1073863310/an-undersea-cable-fault-could-cut-tonga-from-the-rest-of-the-world-for-weeks drills down to this piece with slightly more detail: https://www.reuters.com/markets/funds/undersea-cable-fault-could-cut-off-tonga-rest-world-weeks-2022-01-18/ I'm told their national carrier is trying to bring in a ground station as well, though not whom it will connect to. -- On Wed, 19 Jan 2022 at 15:50, Scott Weeks wrote: It's hard to imagine they don't have a lot of Kacific Terminals or other satellite connectivity there. That's what most of the South Pacific uses and all used before the cables were laid. Maybe the journalists missed that like they miss things when talking about our stuff? --- On 1/20/2022 8:18 AM, Eric Kuhnke wrote: If you're a small pacific island nation state with a limited budget, and a working submarine cable, maintaining a SCPC geostationary satellite service that might be $20,000 a month (on 36-60 month term) in transponder kHz may seem like a very large ongoing expense. Ideally it would be possible to keep a backup circuit operating in a very narrow section of kHz during normal times. Along with the contractual ability to significantly expand it on demand, but more capacity on the same satellite/same polarity without physical reconfiguration of the remote end earth station may not always be possible. --- Digicel just got them back online via sat: https://www.zdnet.com/article/digicel-reconnects-tongan-users-via-satellite-to-rest-of-the-world Digicel reconnects Tongan users via satellite to rest of the world "Telco handing out free SIMs to let people reconnect." "Digicel said on Wednesday night it successfully re-established international communication with its Tongan network thanks to a satellite link." "A preliminary technical fault investigation has established that there are two separate undersea cable breaks. 
The first between TCL cable landing station Sopu, Tongatapu, and FINTEL cable landing station in Suva, Fiji," Digicel said. "The international cable break is approximately 37km offshore from Tonga. The second cable break is on the domestic cable which is near the area of the recent volcanic activity." scott
Re: Operator survey: Incrementally deployable secure Internet routing
On 1/21/2022 12:07 PM, Yixin Sun wrote: We appreciate that your time is very precious, but we wanted to ask you for your help in answering a brief survey about a new secure routing system we have developed in a research collaboration between ETH, Princeton University, and University of Virginia. We'd like to thank those of you who have already helped us fill out the survey and provided insightful feedback. Your input is critical for helping inform our further work on this project. Here is the link to our survey, which takes about 10 minutes to complete, including watching a brief 3-minute introductory video: https://docs.google.com/forms/d/e/1FAIpQLSc4VCkqd7i88y0CbJ31B7tVXyxBlhEy_zsYZByx6tsKAE7ROg/viewform?usp=pp_url=NANOG+mailing+list <https://docs.google.com/forms/d/e/1FAIpQLSc4VCkqd7i88y0CbJ31B7tVXyxBlhEy_zsYZByx6tsKAE7ROg/viewform?usp=pp_url=NANOG+mailing+list> Our architecture, called Secure Backbone AS (SBAS), allows clients to benefit from emerging secure routing deployments like SCION by tunneling into a secure infrastructure. SBAS provides substantial routing security improvements when retrofitted to the current Internet. It also provides benefits even to non-participating networks and endpoints when communicating with an SBAS-protected entity. We currently have a functional prototype of this network using SCIONLab (for the secure backbone) and the PEERING testbed (to make outbound BGP announcements). Our ultimate aim is to develop and deploy SBAS beyond an experimental scope, and the input of network operators that would actually have to run these PoPs would greatly benefit this project and help make secure routing a reality. This all looks like a network made for surveilling the planet's citizens more easily. Even in the FAQs! "Do you use countries as ISDs? Doesn't that create opportunities for government intervention and censorship? 
We're currently looking into the best way to partition the Internet into ISDs, so using countries as ISDs is only one possible option. Countries have the advantage of providing a uniform legal environment, allowing misbehavior in an ISD to be handled according to the legal framework of that ISD." I guess each country's government will define 'misbehavior' and will have an easier way to find the misbehaving entity? Will each ISD (ISD = Isolation Domain) have its own DNS? What will you do about space? The moon? (That one's coming sooner than folks might expect: https://www.nokia.com/networks/insights/network-on-the-moon) Just say no to internet partitioning. scott
Re: Operator survey: Incrementally deployable secure Internet routing
Hello, "are described in further detail in the survey" Doing the survey gives legitimacy to something I feel is not correct --- "We understand the privacy concern. As for SBAS, the backbone is operated in a federated manner among PoP operators." I asked about the ISDs and put a FAQ you have as an example. I didn't ask about the SBAS. It seems to me that the ingress/egress of an ISD is the place a government surveillance network would reside. All country internet communications go through a chokepoint to get on the SBAS, so it's easier to surveil the population. Especially if you envision the ISD to have its own DNS. scott On 1/22/2022 5:22 PM, Yixin Sun wrote: Hi Scott, Thank you for your comment! We understand the privacy concern. As for SBAS, the backbone is operated in a federated manner among PoP operators. In our current deployment, the PoP operators are located across three continents. On the other hand, due to the federated structure of the SBAS PoP operators, a governance structure is needed to coordinate global operation. We have outlined four potential governance models, i.e., ICANN and Regional Internet Registries, a multi-stakeholder organization, a federation of network providers, or a decentralized governance model. The four models are described in further detail in the survey, and we would love to hear your opinions about them. Best, Yixin On Fri, Jan 21, 2022 at 8:24 PM scott wrote: On 1/21/2022 12:07 PM, Yixin Sun wrote: We appreciate that your time is very precious, but we wanted to ask you for your help in answering a brief survey about a new secure routing system we have developed in a research collaboration between ETH, Princeton University, and University of Virginia. We'd like to thank those of you who have already helped us fill out the survey and provided insightful feedback. Your input is critical for helping inform our further work on this project. 
Here is the link to our survey, which takes about 10 minutes to complete, including watching a brief 3-minute introductory video: https://docs.google.com/forms/d/e/1FAIpQLSc4VCkqd7i88y0CbJ31B7tVXyxBlhEy_zsYZByx6tsKAE7ROg/viewform?usp=pp_url=NANOG+mailing+list <https://docs.google.com/forms/d/e/1FAIpQLSc4VCkqd7i88y0CbJ31B7tVXyxBlhEy_zsYZByx6tsKAE7ROg/viewform?usp=pp_url=NANOG+mailing+list> Our architecture, called Secure Backbone AS (SBAS), allows clients to benefit from emerging secure routing deployments like SCION by tunneling into a secure infrastructure. SBAS provides substantial routing security improvements when retrofitted to the current Internet. It also provides benefits even to non-participating networks and endpoints when communicating with an SBAS-protected entity. We currently have a functional prototype of this network using SCIONLab (for the secure backbone) and the PEERING testbed (to make outbound BGP announcements). Our ultimate aim is to develop and deploy SBAS beyond an experimental scope, and the input of network operators that would actually have to run these PoPs would greatly benefit this project and help make secure routing a reality. This all looks like a network made for surveilling the planet's citizens more easily. Even in the FAQs! "Do you use countries as ISDs? Doesn't that create opportunities for government intervention and censorship? We're currently looking into the best way to partition the Internet into ISDs, so using countries as ISDs is only one possible option. Countries have the advantage of providing a uniform legal environment, allowing misbehavior in an ISD to be handled according to the legal framework of that ISD." I guess each country's government will define 'misbehavior' and will have an easier way to find the misbehaving entity? Will each ISD (ISD = Isolation Domain) have its own DNS? What will you do about space? The moon?
(That one's coming sooner than folks might expect: https://www.nokia.com/networks/insights/network-on-the-moon) Just say no to internet partitioning. scott
Re: Off-Topic: use laptop only as USB power supply
On Thu, May 20, 2010 at 9:51 PM, Roy r.engehau...@gmail.com wrote: Why carry a laptop? Here are some examples http://www.walmart.com/ip/Belkin-Mini-Notebook-Surge-Portector-with-Built-In-USB-Charger/10248165?sourceid=1503142050&ci_src=14110944&ci_sku=10248165 If you're looking at one of these, just be aware that they are 110 volts only. Scott.
Re: List of a useful tools for network architects
--- li...@quux.de wrote: From: Jens Link li...@quux.de I am wondering what tools you consider most valuable when designing big network from scratch or perform a migration? - Experience. If possible, find someone with it. Or, start reading 24x7 immediately... ;-) scott
Re: Recommendation in Australia for ISPs to force user security?
--- g...@linuxbox.org wrote: From: Gadi Evron g...@linuxbox.org http://www.zdnet.com.au/make-zombie-code-mandatory-govt-report-339304001.htm A government report into cybercrime has recommended that internet service providers (ISPs) force customers to use antivirus and firewall software or risk being disconnected. security snip This is being discussed extensively on AUSNOG and is but one link in a long chain of gov't trying to control the internet there with little realization of how ineffective the proposals are. Seems to be politicians playing to a certain part of the populace so votes can be obtained. scott
RE: Penetration Test Vendors
If I wanted someone to do this, I'd probably look at a security vendor instead of a general purpose consulting firm. Some examples off the top of my head might include IBM's ISS and SecureWorks. -Scott -Original Message- From: Ken Gilmour [mailto:ken.gilm...@gmail.com] Sent: Tuesday, June 22, 2010 4:58 PM To: George Bonser Cc: nanog@nanog.org Subject: Re: Penetration Test Vendors Depends on where you are... I've used Sysnet in Europe (www.sysnet.ie) and they are excellent. We used Deloitte (http://www.deloitte.com/view/en_GX/global/services/enterprise-risk-services/security-privacy-resiliency/pcidss/index.htm) in non-european countries, with not such a good result (but other people may have different experiences). Regards, Ken On 22 June 2010 14:48, George Bonser gbon...@seven.com wrote: Anyone have any suggestions for a decent vendor that provides network penetration testing? We have a customer requirement for a third party test for a certain facility. Have you used anyone that you thought did a great job? Anyone you would suggest avoiding? Replies can be sent off list and I will summarize any feedback I might get from the community if anyone is interested. George
Re: [Bruce Hoffman] Thank-you for your recent participation.
Rob, Sorry about that. Your e-mail address was on an old SalesForce list that we forgot to remove you from. I've followed up internally to make sure it won't happen again. If anyone else gets any unwanted contact from us, please let me know and I'll make sure it's taken care of. Thanks, Scott On Thu 6/24/2010 7:14 AM, Robert E. Seastrom wrote: Amusingly, this was sent to me *after* I replied to ab...@internap complaining about getting spammed. Anyone else getting spam from this joker? Has he been doing nanog mailing list or arin database harvesting? Anyone know who his boss is? -r
Please remove me from all mailing lists !!!
_ From: nanog-boun...@nanog.org [mailto:nanog-boun...@nanog.org] Sent: Friday, July 02, 2010 8:23 AM To: scott.amyo...@conyersdill.com Subject: The results of your email commands The results of your email command are provided below. Attached is your original message. - Unprocessed: move me. Thanks! _ From: nanog-requ...@nanog.org [mailto:nanog-requ...@nanog.org] Sent: Friday, July 02, 2010 12:19 AM To: nanog@nanog.org Subject: NANOG Digest, Vol 30, Issue 4 Send NANOG mailing list submissions to na...@nanog.org To subscribe or unsubscribe via the World Wide Web, visit https://mailman.nanog.org/mailman/listinfo/nanog or, via email, send a message with subject or body 'help' to nanog-requ...@nanog.org You can reach the person managing the list at nanog-ow...@nanog.org When replying, please edit your Subject line so it is more specific than Re: Contents of NANOG digest... - Ignored: Today's Topics: 1. Re: The Economist, cyber war issue (andrew.wallace) 2. Re: The Economist, cyber war issue (Randy Bush) 3. Re: Finland makes broadband access a legal right (Stefan Spühler) 4. Re: Finland makes broadband access a legal right (William Herrin) 5. Re: XO feedback (Stefan Molnar) 6. Re: Finland makes broadband access a legal right (Matthew Walster) 7. Re: SPANS Vs Taps (Darren Bolding) 8. Re: Finland makes broadband access a legal right (Larry Sheldon) 9. Re: SPANS Vs Taps (Ricky Beam) 10. Re: Finland makes broadband access a legal right (Matthew Palmer) 11. Re: Finland makes broadband access a legal right (Marshall Eubanks) 12. Re: Type of network operators?
(Martin Hannigan) -- Message: 1 Date: Thu, 1 Jul 2010 14:51:20 -0700 (PDT) From: andrew.wallace andrew.wall...@rocketmail.com Subject: Re: The Economist, cyber war issue To: Jeroen van Aart jer...@mompl.net Cc: nanog@nanog.org Message-ID: 862176.46872...@web59616.mail.ac4.yahoo.com Content-Type: text/plain; charset=utf-8 There is a part 2 as well http://www.economist.com/node/16478792?story_id=16478792 Andrew - Original Message From: Jeroen van Aart jer...@mompl.net To: NANOG list nanog@nanog.org Sent: Thu, 1 July, 2010 19:57:08 Subject: Re: The Economist, cyber war issue andrew.wallace wrote: Article: http://www.economist.com/node/16481504?story_id=16481504 I know it's shortsighted, but any article with the word cyber in it, used in such a way as being about cyber this-or-that, already lost its credibility by virtue of using the word. It must be of rather high quality to win back its credibility. This economist article sadly does the opposite. Regards, Jeroen -- http://goldmark.org/jeff/stupid-disclaimers/ -- Message: 2 Date: Fri, 02 Jul 2010 07:01:02 +0900 From: Randy Bush ra...@psg.com Subject: Re: The Economist, cyber war issue To: andrew.wallace andrew.wall...@rocketmail.com Cc: nanog@nanog.org Message-ID: m28w5uzwtd.wl%ra...@psg.com Content-Type: text/plain; charset=US-ASCII There is a part 2 as well and this is a bug or a feature? -- Message: 3 Date: Fri, 02 Jul 2010 00:05:36 +0200 From: Stefan Spühler li...@stefan-spuehler.org Subject: Re: Finland makes broadband access a legal right To: nanog@nanog.org Message-ID: 4c2d1130.9030...@stefan-spuehler.org Content-Type: text/plain; charset=ISO-8859-1 On 07/01/2010 02:04 PM, Gadi Evron wrote: http://edition.cnn.com/2010/TECH/web/07/01/finland.broadband/index.html?hpt=T2 Interesting... Finland isn't first.
http://www.comcom.admin.ch/aktuell/00429/00457/00560/index.html?lang=en&msg-id=13239 -- Message: 4 Date: Thu, 1 Jul 2010 18:17:43 -0400 From: William Herrin b...@herrin.us Subject: Re: Finland makes broadband access a legal right To: Gadi Evron g...@linuxbox.org Cc: nanog@nanog.org Message-ID: aanlktilh2hagwuvcoxqkckbfhypvd3c3hzrcwqfqs...@mail.gmail.com Content-Type: text/plain; charset=ISO-8859-1 On Thu, Jul 1, 2010 at 8:04 AM, Gadi Evron g...@linuxbox.org wrote: http://edition.cnn.com/2010/TECH/web/07/01/finland.broadband/index.html?hpt=T2 In the US, the Communications Act of 1934 brought about the creation of the Universal Service Fund. The
RE: Mikrotik OC-3 Connection
I really wouldn't use the word legacy to describe SONET and OC-3's. -Scott -Original Message- From: Mike [mailto:mike-na...@tiedyenetworks.com] Sent: Saturday, July 03, 2010 4:11 PM To: Alan Bryant Cc: nanog@nanog.org Subject: Re: Mikrotik OC-3 Connection Alan Bryant wrote: I'm just trying to see what options there are and make the decision off of that. If Cisco or Juniper is the only way, then so be it. I just want to be sure. The real issue is that these legacy telco interfaces are just expensive, straight up, and being forced to use these specialized interfaces for your IP connectivity just drives your costs up for no real gain. I bet what you would really love is just a simple ethernet handoff but of course no provider in your area probably makes that available. So you get collared into these expensive interfaces that force you to just buy more when you need more connectivity, as opposed to ethernet which could easily grow to 1000mbps without needing $$$ I/O cards every 155mbps along the way (and loop charges and hassle and pain, etc). On the good news front, there's lots of capable cisco hardware out there you can take multiple interface types on, for pretty cheap especially if you look at refurbished gear. Before you run off and make a purchase decision, most of these cisco resellers can really help you decide on the right platform (that's their value add), so if you think you might wind up with an OC3 and 8 T1s for example they can help you figure out what NPE (cpu) you need and ram and ios version and such.
RE: Level3 - have they alive abuse team?
I'd probably start here: http://puck.nether.net/netops/nocs.cgi?level -Scott -Original Message- From: Popov Max [mailto:popovu...@meta.ua] Sent: Monday, July 12, 2010 5:21 AM To: nanog@nanog.org Subject: Level3 - have they alive abuse team? Hello! I am an owner of a small telecom business in Eastern Europe. We have a provider independent network and our own autonomous system number. Due to the financial crisis impact, we were off-line for some time. Now it is possible to return to business. But I found our network is already announced by Level3!!! I dropped them a letter to ab...@level3.com, then got an auto-answer from the robot, and after several days repeated it... Level3 keeps silent, and our network is announced now in /24 pieces! What is the good way to push these network hijackers more efficiently? __ I use Meta mail http://webmail.meta.ua
Re: Vyatta as a BRAS
--- rdobb...@arbor.net wrote: When BCPs are followed, they don't tend to fall over the moment someone hits them with a few kpps of packets - which should be a key criterion for an edge device. --- I'm guessing a few kpps of packets is tongue-in-cheek? Entry level script kiddies can get to a few hundred kpps easily. scott
Re: 40 acres and a mule, was Lightly used IP addresses
On 08/14/2010 13:27 EDT, Jimi Thompson wrote: It was 40 acres and a mule - FYI That was Civil War, for freed slaves. Here in NY, war of independence veterans were given at least 100 acres each. See http://en.wikipedia.org/wiki/Central_New_York_Military_Tract
RE: Monitoring Tools
I'd recommend ZenOSS. -Scott -Original Message- From: Jack Bates [mailto:jba...@brightok.net] Sent: Thursday, August 19, 2010 9:47 AM To: jacob miller Cc: nanog@nanog.org Subject: Re: Monitoring Tools jacob miller wrote: Phil, Am looking for availability reports,bandwidth usage,alerting service and ability to create different logins to users so they can access diff objects For all in one, OpenNMS does decent and may meet your needs. We often utilize a mixture of tools and modify for working with what we want. My only issue with OpenNMS was that it's java and I don't care to add java to the list of languages I program in. My only complaint was it could get really weird when you have 3,000 unnumbered interfaces. :) Jack
RE: tool to wrangle config file changes
We are now using NAI for this. Free (really, not just a trial for some small number of devices), and you can very easily write plug-ins for new types of systems. http://inventory.alterpoint.com/ http://docs.inventory.alterpoint.com/doku.php?id=doc:content_guide -Scott -Original Message- From: Raymond Macharia [mailto:rmacha...@gmail.com] Sent: Thursday, August 19, 2010 6:16 AM To: Eugeniu Patrascu Cc: nanog@nanog.org Subject: Re: tool to wrangle config file changes Kiwi Cat Tools. There is a free version (supports up to 20 devices). - http://www.kiwisyslog.com/ Raymond Macharia On Thu, Aug 19, 2010 at 11:03 AM, Eugeniu Patrascu eu...@imacandi.net wrote: On Thu, Aug 19, 2010 at 03:16, Rogelio scubac...@gmail.com wrote: Long story short, a really crappy vendor is being shoved down our NOC's throat. They have a horrid CLI (if you can call it that). People don't understand it (it's non-intuitive) and are screwing up things all the time. Would you be so kind as to name the vendor so that other people would have an advance warning?
RE: Monitoring Tools
The last time I looked, my main issue with Zabbix was that it required (or greatly preferred) their proprietary agent on every host. This may have changed. -Scott -Original Message- From: Nathan Eisenberg [mailto:nat...@atlasnetworks.us] Sent: Thursday, August 19, 2010 2:53 PM To: nanog@nanog.org Subject: RE: Monitoring Tools Am looking for an opensource network monitoring tool with ability to create different views for different users. Regards, Jacob Just to add another opinion to the pot, I've used zabbix in several large environments, and I like it a lot. The developer team is decently sized, and very responsive to requests and feedback (they operate a commercial 'support' model for the platform, so working on the system is literally their day job - as George pointed out, this is often a problem). Zabbix also supports distributed monitoring, which is very handy for scaling or for monitoring multiple locations without dealing with VPNs and the like (or if you have places you need to monitor behind NATs!). Its major weakness at the moment is the weak support for SNMP traps (works great in polling mode, though), so you will want a separate simple system for catching traps. In my opinion, that's just fine, because statistics/trending/basic resource alerting/etc are best kept separate from things like OMG one of my power supplies is dead!!11one. Also supports IPMI, which is nice if you have IPMI deployed. :-) Best Regards, Nathan Eisenberg
RE: Monitoring Tools
Agreed. And it REALLY isn't that complicated. Go spend some time with CORBA or TL-1 and then re-evaluate the learning curve. SNMP is really very straightforward as a protocol. If a specific vendor's MIB is difficult to understand or use, that is an entirely different matter. -Scott -Original Message- From: Phil Regnauld [mailto:regna...@nsrc.org] Sent: Thursday, August 19, 2010 5:14 PM To: Curtis Maurand Cc: nanog@nanog.org Subject: Re: Monitoring Tools Curtis Maurand (cmaurand) writes: Oh, and it avoided us having to install an agent on 1000+ servers :) But the configuration learning curve for SNMP is very steep indeed. Doing network monitoring and not understanding SNMP is like, umm, well I fail to come up with an analogy, but you get my drift. :) It's a bullet you'll have to bite at one point.
RE: on network monitoring and security - req for monitoring tools
Are you looking only at Open Source tools? If not you are missing all of the most widely deployed tools out there (including): HP Open View Cisco Works IBM Tivoli/NetCool Smarts (now EMC Ionix) Also a few other open tools: ZenOSS Zabbix You will also need to look at separate security monitoring software if your goal is to cover that. Not including any commercial vendors, I'd say you at least need to include: SNORT (possibly including a front end like BASE/ACID) Suricata Nessus Sguil As to one solution being better than the other, a lot of it comes down to opinion and exactly what you need. Also are you willing to do a lot of coding to get it to do exactly what you want? What is your budget? How big is your network? What are the vendors in question? What is most important to you (graphing, alerting, automated fault resolution, topology discovery,...)? How much staff do you have dedicated to the project? And on and on... -Scott -Original Message- From: travis+ml-na...@subspacefield.org [mailto:travis+ml-na...@subspacefield.org] Sent: Saturday, August 21, 2010 5:58 PM To: nanog@nanog.org Subject: on network monitoring and security - req for monitoring tools Hi, I'm putting together a book on security*, and wanted some expert input onto network monitoring solutions... http://www.subspacefield.org/security/security_concepts.html Nagios, Net-SNMP, ifgraph, cacti, OpenNMS... any others? Any summaries of when one is better than the other? Any suggestions on section 13-15? I imagine I'll offend some of you by not distinguishing between system and network administration, but... it's a small section right now, maybe if it grows. OT: I had issues with understanding MIBs and SNMP tools... specifically, I wanted to query and graph the pf-specific MIB... any suggested places to ask? Do I ask on the Net-SNMP list, or is there a better place? Also, cacti... seemed to behave differently based on whether the target was Linux-based or BSD-based...
I suppose the cacti-users is the right place to ask, but if anyone has any suggestions, please LMK. I hate the UI. -- My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/ If you are a spammer, please email j...@subspacefield.org to get blacklisted.
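Scott's remark in the Monitoring Tools thread that SNMP is a straightforward protocol, and travis's question about querying a specific MIB object, are both easiest to see on the wire. The following is an added example, not code from any message in these threads: a minimal BER encoder and decoder that builds an SNMPv2c GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) and parses the matching GetResponse. The community string "public", the request id 42 and the response text are constructed sample values. Note that the community string is carried in cleartext in the message, which is why v1/v2c polling belongs on a management network rather than the Internet-facing side.

```python
# Added example: SNMPv2c GetRequest/GetResponse wire format (RFC 3416 PDU layout,
# ASN.1 BER encoding).  Constructed sample values only; nothing is sent on the network.

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # context-specific tags for the PDU types
SNMP_V2C = 1                             # version field value for v2c
SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # sysDescr.0 from MIB-II


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(value):
    """Two's-complement INTEGER; the +8 keeps a leading 0x00 when the high bit is set."""
    if value < 0:
        raise ValueError("only non-negative integers are used here")
    return tlv(INTEGER, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def ber_oid(dotted):
    parts = [int(p) for p in dotted.strip(".").split(".")]
    body = bytearray([40 * parts[0] + parts[1]])     # first two arcs share one byte
    for sub in parts[2:]:
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:                                    # base-128, high bit = more follows
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        body += chunk
    return tlv(OID, bytes(body))


def build_snmp_message(pdu_type, community, varbinds, request_id):
    """varbinds: list of (oid, value); value is None (request), int, or bytes."""
    vb = b""
    for oid, value in varbinds:
        if value is None:
            enc = tlv(NULL, b"")
        elif isinstance(value, int):
            enc = ber_int(value)
        else:
            enc = tlv(OCTET_STRING, value)
        vb += tlv(SEQUENCE, ber_oid(oid) + enc)
    # PDU = request-id, error-status, error-index, variable-bindings
    pdu = tlv(pdu_type, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(SEQUENCE, vb))
    return tlv(SEQUENCE, ber_int(SNMP_V2C) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, value_bytes, position_after_element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def decode_value(tag, body):
    if tag == INTEGER:
        return int.from_bytes(body, "big", signed=True)
    if tag == OCTET_STRING:
        return body
    if tag == NULL:
        return None
    return (tag, body)   # Counter32, TimeTicks, etc. are handed back raw


def parse_snmp_message(data):
    tag, msg, _ = read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_type, pdu, _ = read_tlv(msg, pos)
    _, rid, p = read_tlv(pdu, 0)
    _, err, p = read_tlv(pdu, p)
    _, _idx, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, oid_body, r = read_tlv(vb, 0)
        vtag, vbody, _ = read_tlv(vb, r)
        varbinds.append((decode_oid(oid_body), decode_value(vtag, vbody)))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(),
            "pdu_type": pdu_type,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "varbinds": varbinds}


if __name__ == "__main__":
    req = build_snmp_message(GET_REQUEST, "public", [(SYS_DESCR, None)], 42)
    print("GetRequest :", req.hex())
    resp = build_snmp_message(GET_RESPONSE, "public", [(SYS_DESCR, b"Linux router1 5.10")], 42)
    print("GetResponse:", parse_snmp_message(resp))
```

The whole GetRequest is 40 bytes; reading the hex from `build_snmp_message` against the constants at the top of the block is the quickest way to see why Scott calls the protocol simple, and `decode_oid` is the piece you need when a vendor MIB (the hard part, as he notes) gives you only a numeric OID to poll.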
Re: sort by agony
On 08/27/2010 01:46 EDT, JC Dill wrote: What is Agony, and why would I want to sort by it? Agony is our way of sorting flights to take into account price, duration, and number of stops. There's more to a flight than its price, so we provide this sort to give you better all-around results. I wonder if I could persuade it to take round trip agony into account. For example on CO I can get from here to PEK easily, but on the way back I would have to spend the night in Newark.
RE: NANOG Digest, Vol 32, Issue 25
--- m.ho...@hotze.com wrote: From: Martin Hotze m.ho...@hotze.com I have a private website; I don't want the site to be listed or content found via a search engine. I want to be able to give the URL out to friends etc. but I don't want all of the world hotlink or whatever[...] -- Don't put links on the main page. Put up example.com with only <html></html> or nothing even. Then your friends have to know to go to example.com/mypage.html but the web crawlers never know about mypage.html because there's no link on the top page. scott
Re: POS to Ethernet Converter
They're called routers. ;) Otherwise, your framing is completely different between those mediums, so it's not like going from 100Base-FX ethernet to 100Base-TX ethernet! HTH, Scott Morris, CCIEx4 (RS/ISP-Dial/Security/Service Provider) #4713, CCDE #2009::D, JNCIE-M #153, JNCIS-ER, CISSP, et al. CCSI #21903, JNCI-M, JNCI-ER s...@emanon.com Knowledge is power. Power corrupts. Study hard and be Eeeevl.. On 9/9/10 1:59 PM, Alan Bryant wrote: I did a quick google search for a converter but either I'm not understanding, or I'm not searching for the right thing. We currently have a POS OC-3 that I would like to be able to convert it to Ethernet, if possible. Do such devices exist?
Re: Convenience or slippery slope... or something else?
On Sat, Sep 11, 2010 at 8:24 PM, N. Yaakov Ziskind aw...@ziskind.us wrote: Jon Lewis wrote (on Fri, Sep 10, 2010 at 01:44:02PM -0400): On Fri, 10 Sep 2010, Reese wrote: A friend brought this to my attention: http://ipq.co/ And now FF blocks it as a reported attack page. Bound to happen... http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://ipq.co/ Over the past 90 days, ipq.co appeared to function as an intermediary for the infection of 4 site(s) including [...] (Domains removed so as to not trigger anyones anti-spam software...) Scott
RE: Netflow Tool
If you want something scalable and commercial (read: with support) check out these guys, I have been using it for a while and it has tons of features and very flexible reporting (including exports to PDF, CSV, etc): http://www.netflowauditor.com/ They have a free version as well with limits. -Scott -Original Message- From: Mike Gatti [mailto:ekim.it...@gmail.com] Sent: Friday, September 17, 2010 2:50 PM To: nanog@nanog.org Subject: Netflow Tool Anyone out there using a good netflow collector that has the capability to export data to CSV? Open Source would be best, but any suggestions are welcome. Thanks, =+=+=+=+=+=+=+=+=+=+=+=+= Michael Gatti cell.703.347.4412 ekim.it...@gmail.com =+=+=+=+=+=+=+=+=+=+=+=+=
Re: Facebook Issues/Outage in Southeast?
--- jer...@mompl.net wrote: From: Jeroen van Aart jer...@mompl.net (apologies for cross posting) -- Then don't. Number 3: http://www.nanog.org/mailinglist scott
Re: LISP Works - Re: Facebook Issues/Outage in Southeast?
--- ja...@puck.nether.net wrote: From: Jared Mauch ja...@puck.nether.net It's working over LISP: http://www.lisp4.facebook.com/ - LISP as in Locator/ID Separation Protocol? scott
Re: AS11296 -- Hijacked?
On Wed, Sep 29, 2010 at 9:26 AM, N. Yaakov Ziskind aw...@ziskind.us wrote: And, even if it *is* unreasonable, well, his network, his rules, right? I block all SMTP traffic from IPV4 servers (clients?) which have odd numbers in the third octet. might not be a good idea for a high volume mail server with clients, but if it's your network, go for it. Except that this thread started with a recommendation to block an entire AS, containing a reasonable number of networks. Recommendations such as that are only as credible as the source they are coming from, and knowing that the person making the request also believes that blocking all mail from gmail.com is a valid anti-spam technique probably results in a different credibility level than one might otherwise have. Scott.
Re: RIP Justification
I think you're right that everything has its place. But you gotta know where that is and why you choose it! RIP(v2) is great in that there aren't neighbor relationships, so you can shoot routes around in a semi-sane-haphazard fashion if need be. Whatever your reality you exist in like satellite (or other one-way links from the hinterlands). But anything, ask why you are using it. To exchange routes, yes... but how many. Is sending those every 30 seconds good? Sure, tweak it. But are you gaining anything over static routes? Perhaps you are, and if so, it's a great choice in that situation. But I'd certainly think it would be considered to be the edge variety of your network and hopefully not planning to use it through your entire network! :) But yeah, I'd agree with the time and place argument for it. If you have a Cisco-only shop, ODR can be kinda cool in situations like that as well. Something to think about! My two cents. Scott On 9/29/10 4:20 PM, Jesse Loggins wrote: A group of engineers and I were having a design discussion about routing protocols including RIP and static routing and the justifications of use for each protocol. One very interesting discussion was surrounding RIP and its use versus a protocol like OSPF. It seems that many Network Engineers consider RIP an old antiquated protocol that should be thrown in back of a closet never to be seen or heard from again. Some even preferred using a more complex protocol like OSPF instead of RIP. I am of the opinion that every protocol has its place, which seems to be contrary to some engineers' way of thinking. This leads to my question. What are your views of when and where the RIP protocol is useful? Please excuse me if this is the incorrect forum for such questions.
Re: RIP Justification
One would assume you aren't doing this for nostalgic reasons. At least I would hope that! Like anything, if you decide to vary outside the 'accepted norms', then have a reason for it! Understand your technology, understand your topology (re: before about RIP not needing peered neighbors whereas OSPF does) and you may have your justification. If it's for nostalgia or just because, then I'd say everyone agrees that RIP has passed its usefulness! Scott On 9/29/10 11:32 PM, Chris Woodfield wrote: On Sep 29, 2010, at 6:14 PM, Scott Morris wrote: But anything, ask why you are using it. To exchange routes, yes... but how many. Is sending those every 30 seconds good? Sure, tweak it. But are you gaining anything over static routes? For simple networks, RIP(v2, mind you) works fine. You're correct that the number of advertisements sent over the wire every 30 seconds won't scale, but with today's routers and bandwidths it takes quite a lot to start to cause issues. The real nail in RIP's coffin is that with most (if not all) routers out there today, it's no more work to turn on and configure OSPF than it is to do RIP, and OSPF will help you scale much better as you go without being too complex for the simpler setups as well. As such, it really doesn't make sense to go with RIP for mere nostalgia's sake. If you have a specific reason not to run OSPF, fine, but those reasons are few and far between. -C
Re: RIP Justification
On 9/30/10 12:57 AM, Mark Smith wrote: On Thu, 30 Sep 2010 14:13:11 +1000 Julien Goodwin na...@studio442.com.au wrote: On 30/09/10 13:42, Mark Smith wrote: One of the large delays you see in OSPF is election of the designated router on multi-access links such as ethernets. As ethernet is being very commonly used for point-to-point non-edge links, you can eliminate that delay and also the corresponding network LSA by making OSPF treat the link as a point-to-point link e.g.
int ethernet0
 ip ospf network point-to-point
If your implementation doesn't support point-to-point mode for an interface, point-to-multipoint mode on an ethernet would achieve something somewhat equivalent. Do any implementations go point-to-point automatically if an ethernet has a /30 or /31 mask? Don't know.
Nope. Not Cisco anyway.
NDC-R1-CustA(config)#int f0/0
NDC-R1-CustA(config-if)#ip addr 10.111.1.1 255.255.255.254
% Warning: use /31 mask on non point-to-point interface cautiously
NDC-R1-CustA(config-if)#
*Sep 30 15:18:22.710: %OSPF-5-ADJCHG: Process 1, Nbr 10.133.1.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
NDC-R1-CustA(config-if)#
NDC-R1-CustA(config-if)#do sh ip o i f0/0 | i Type|Address
  Internet Address 10.111.1.1/31, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type BROADCAST, Cost: 1
NDC-R1-CustA(config-if)#
HTH, Scott
On 9/30/10 12:57 AM, Mark Smith wrote: On Thu, 30 Sep 2010 14:13:11 +1000 Julien Goodwin na...@studio442.com.au wrote: On 30/09/10 13:42, Mark Smith wrote: One of the large delays you see in OSPF is election of the designated router on multi-access links such as ethernets. As ethernet is being very commonly used for point-to-point non-edge links, you can eliminate that delay and also the corresponding network LSA by making OSPF treat the link as a point-to-point link e.g.
int ethernet0
 ip ospf network point-to-point
If your implementation doesn't support point-to-point mode for an interface, point-to-multipoint mode on an ethernet would achieve something somewhat equivalent. Do any implementations go point-to-point automatically if an ethernet has a /30 or /31 mask? Don't know. If you want to see what interface model OSPF is using, on a Cisco you use "show ip ospf interface blah". The interface type for loopback interfaces can be a bit surprising and the consequences a bit unexpected if you're intentionally or otherwise not using a /32 prefix length on one. Regards, Mark.
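The thread above shows by hand that a /31 on a Cisco Ethernet interface stays "Network Type BROADCAST" and therefore still goes through DR/BDR election, and Mark's closing caveat is about loopbacks whose mask is not /32. The following is an added example, not code from the thread or from any vendor: a small Python audit that parses `show ip ospf interface` text in the format quoted above and reports (a) /30 and /31 interfaces still running in BROADCAST mode and (b) LOOPBACK-type interfaces whose prefix is not /32, which Cisco OSPF advertises as a /32 host route regardless of the configured mask. The sample output, hostnames and addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample output, modelled on the "show ip ospf interface" lines
# quoted in the thread. Interface names and addresses are made up.
SAMPLE_OUTPUT = """\
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.111.1.1/31, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type BROADCAST, Cost: 1
FastEthernet0/1 is up, line protocol is up
  Internet Address 10.111.2.1/30, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_POINT, Cost: 1
GigabitEthernet1/0 is up, line protocol is up
  Internet Address 10.200.0.1/24, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type BROADCAST, Cost: 1
Loopback0 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type LOOPBACK, Cost: 1
"""

# An interface block starts with an unindented "<name> is up/down" line.
IFACE_RE = re.compile(r"^(\S+) is (up|down|administratively down)")
ADDR_RE = re.compile(r"Internet Address (\S+)/(\d+), Area")
TYPE_RE = re.compile(r"Network Type (\S+),")


def parse_ospf_interfaces(text: str) -> List[Dict[str, object]]:
    """Return one dict per interface: name, address, prefixlen, network_type."""
    interfaces: List[Dict[str, object]] = []
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"name": m.group(1), "address": None,
                       "prefixlen": None, "network_type": None}
            interfaces.append(current)
            continue
        if current is None:
            continue  # text before the first interface block
        m = ADDR_RE.search(line)
        if m:
            current["address"] = m.group(1)
            current["prefixlen"] = int(m.group(2))
        m = TYPE_RE.search(line)
        if m:
            current["network_type"] = m.group(1)
    return interfaces


def find_dr_election_on_p2p_links(text: str) -> List[str]:
    """Interfaces addressed as /30 or /31 (so they can only ever have one
    neighbour) that still use BROADCAST mode and pay for a DR/BDR election."""
    return [i["name"] for i in parse_ospf_interfaces(text)
            if i["prefixlen"] in (30, 31) and i["network_type"] == "BROADCAST"]


def find_loopbacks_not_host_routes(text: str) -> List[str]:
    """Loopbacks whose mask is not /32: Cisco advertises LOOPBACK-type
    interfaces as /32 host routes whatever mask is configured, which is the
    surprise Mark alludes to."""
    return [i["name"] for i in parse_ospf_interfaces(text)
            if i["network_type"] == "LOOPBACK" and i["prefixlen"] != 32]


def remediation_config(text: str) -> List[str]:
    """IOS-style lines that switch the flagged links to point-to-point mode."""
    lines: List[str] = []
    for name in find_dr_election_on_p2p_links(text):
        lines += [f"interface {name}", " ip ospf network point-to-point"]
    return lines


if __name__ == "__main__":
    print("DR election on p2p links:", find_dr_election_on_p2p_links(SAMPLE_OUTPUT))
    print("Loopbacks not /32:", find_loopbacks_not_host_routes(SAMPLE_OUTPUT))
    print("\n".join(remediation_config(SAMPLE_OUTPUT)))
```

Run it against real `show ip ospf interface` output captured to a file and the first list is the set of links where a point-to-point network type would remove both the election delay and the network LSA that Mark describes.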
Re: RIP Justification
Maybe I WAY under-read the initial poster's question, but I was pretty sure he wasn't talking about running it as a CORE routing protocol or anything on the middle of their network where MPLS would be expected on top of it! If I missed it and he did intend that, then I'd certainly agree with you (among many other reasons why it would be a horrible idea)! ;) Scott On 9/30/10 12:59 PM, Glen Kent wrote: RIP cannot also be used for traffic engineering; so if you want MPLS then you MUST use either OSPF or ISIS. RIP, like any other distance vector protocol, converges extremely slowly - so if you want faster convergence then you have to use one of ISIS or OSPF. Glen
RE: ATT Dry Pairs?
We order these all of the time ( as a CLEC) for EoC connections or DSL on our equipment. The correct terminology is usually 2-wire or 4-wire copper loops. There will be specific NC/NCI codes depending on the iLEC region you are in and LEC you are working with. Within these loops, you will generally see at least the following types of circuits, normally these are really just different levels of qualifications the LEC is required to meet on the copper they provide (in terms of noise, attenuation, load coils, and # feet of bridge tap): HDSL (best) ADSL UCL (Unbundled copper loop - worst) Now the main issue is that these circuits are normally provisioned between a CO and an end-user location. I don't know if you'd be able to get them directly between two sites that are not ATT facilities without going back to the CO first (greatly increasing total loop length and probably decreasing max DSL speeds). The other thing to know is that in busy CO's, some of these line types (especially the higher quality loops) may be blacklisted meaning you either can't order them at all, or you can order them a different way at a much higher rate. The last issue I can think of is that you may not be able to get these at all from ATT's retail or business side of the house. If that is the case, find a local CLEC and see if they will help you out. -Scott -Original Message- From: Brandon Galbraith [mailto:brandon.galbra...@gmail.com] Sent: Thursday, September 30, 2010 4:53 PM To: nanog@nanog.org Subject: ATT Dry Pairs? Has anyone had any luck lately getting dry pairs from ATT? I'm in the Chicago area attempting to get a dry pair between two buildings (100ft apart) for some equipment, but when speaking to several folks at ATT the response I get is You want ATT service without the service? That's not logical!. Had no problems 3-4 years ago getting these sorts of circuits, but it appears it's gone the way of the dodo now. Any emails off-list are appreciated. 
-- Brandon Galbraith US Voice: 630.492.0464
Re: Request for participation - Arbor 2010 Worldwide Infrastructure Security Report.
--- rdobb...@arbor.net wrote: From: Dobbins, Roland rdobb...@arbor.net The 2009 edition of the survey is available here (registration required): Why are we required to register to look at the survey? scott
Re: Scam telemarketers spoofing our NOC phone number for callerid
On Wed, Oct 6, 2010 at 8:55 AM, Jon Lewis jle...@lewis.org wrote: Some do. Anyone with control of a phone system with digital lines (i.e. asterisk with PRI) can trivially set callerID to whatever they want. There are perfectly legitimate, and not so legitimate uses for this. You don't even need the PRI. There are a number of SIP providers that will allow you to set CallerID. In some cases they do some level of verification first, but in many cases it's just a free-for-all. There were some laws passed recently which make faking caller-id illegal, although I'm not sure exactly what the details are (eg, I'm fairly sure sending your cell phone number from a desk phone is fine as you own both of them). Scott.
Re: Mobile Operator Connectivity
Cameron Byrne allegedly wrote on 10/10/2010 15:38 EDT: LTE provides some latency benefits on the wireless interface, but the actual packet core architecture is very similar to GSM / UMTS. and it's going to be a long time before Local Breakout gets noticeably deployed.
Re: Network Operators Unite Against SORBS
On Tue, Oct 12, 2010 at 5:35 AM, iHate SORBS ihateso...@gmail.com wrote: I am calling on all Network Operators to stand up and stop routing dnsbl.sorbs.net until that time they can commit to making real changes. What sort of changes are you suggesting? Suggesting a block unless they make undisclosed changes is simply asinine. I'm no fan of SORBS, but at the end of the day (ignoring the issues like they had last week) they do what they say they do. The problem with SORBS is not SORBS itself, but the mail admins that are stupid enough to use it - or at least stupid enough to use it as a straight blacklist (as opposed to a scoring blacklist). Start up a campaign against those if you like - perhaps an RBL of people who are using the SORBS RBL - but asking people to stop routing a DNS domain just because you don't like their clearly stated listing criteria simply isn't going to fly. Scott.
Re: Choice of network space when numbering interfaces with IPv6
http://www.google.com/search?q=nanog+126+64 would be a good place to start... (And I'm guessing you mean that /64 is awfully large, not /126) Scott. On Fri, Oct 15, 2010 at 12:26 PM, Zaid Ali z...@zaidali.com wrote: SO I have been turning up v6 with multiple providers now and notice that some choose /64 for numbering interfaces but one I came across use a /126. A /126 is awfully large (for interface numbering) and I am curious if there is some rationale behind using a /126 instead of a /64. Zaid
Re: ipv6 vs. LAMP
Public or not, if someone wants to run IPv6 only, they shouldn't have to have the v4 stack just for the database. Databases must work on the v6 stack. On 10/22/2010 10:02 AM, Carlos Martinez-Cagnazzo wrote: IMHO you should never, ever make your MySQL accessible over the public Internet, which renders the issue of MySQL not supporting IPv6 correctly mostly irrelevant. You could even run your MySQL behind your web backend using RFC1918 space (something I do recommend). Moreover, if you need direct access to the engine, you can trivially create an SSH tunnel (You can even do this in a point-and-click way using the latest MySQL Workbench). SSH works over IPv6 just fine. And for the LAMP stack, as long as the A fully supports IPv6 (which it does), we are fine. Warm regards, Carlos On Thu, Oct 21, 2010 at 8:06 PM, Joel Jaeggli joe...@bogus.com wrote: On 10/21/10 2:59 PM, Brandon Galbraith wrote: On Thu, Oct 21, 2010 at 4:53 PM, Dan White dwh...@olp.net wrote: On 21/10/10 14:43 -0700, Leo Bicknell wrote: In a message written on Thu, Oct 21, 2010 at 01:53:49PM -0700, Christopher McCrory wrote: open to the world. After a few google searches, it seems that PostgreSQL is in a similar situation. I don't know when PostgreSQL first supported IPv6, but it works just fine. I just fired up a stock FreeBSD 8.1 system and built the Postgres 8.4 port with no changes, and voilà: All this is a pretty moot point if you run a localized copy of your database (mysql or postgres) and connect via unix domain sockets. True. It mostly affects shared/smaller hosting providers who have customers that want direct access to the database remotely over the public network (and don't want to use some local admin tool such as phpMyAdmin). linux/unix machines can trivially build ip-tunnels of several flavors. -brandon -- Scott Reed Owner NewWays Networking, LLC Wireless Networking Network Design, Installation and Administration Mikrotik Advanced Certified www.nwwnet.net (765) 855-1060
Re: IPv6 Routing table will be bloated?
Why would the assumption be the ISP = knowledgeable or even caring about RIRs, etc.? When I started my ISP 6 years ago I knew someone issued IP addresses to my upstream provider, but I really didn't care who that was. The upstream took care of everything related to getting and assigning addresses as far as I was concerned. Even when I changed upstream providers they took care of the addresses. It was at that time I realized I need to learn more about the whole IP address assignment process so I wouldn't have to renumber next time I changed providers. I dug far enough to find that my ISP was not big enough to get an assignment and the required fee was more than the cost to renumber, so I didn't look any farther. So, as a lot of start-ups and small businesses do, I learned enough to make what I needed work, but not everything that may have been beneficial. On 10/26/2010 3:20 PM, George Bonser wrote: -Original Message- From: Jack Bates [mailto:jba...@brightok.net] Sent: Tuesday, October 26, 2010 11:23 AM To: Randy Carpenter Cc: nanog@nanog.org Subject: Re: IPv6 Routing table will be bloated? On 10/26/2010 1:01 PM, Randy Carpenter wrote: Wait... If you are issuing space to ISPs that are multihomed, they should be getting their own addresses. Even if they aren't multihomed, they should probably be getting their own addresses. Why would you be supplying them with address space if they are an ISP? Because they are my customer. They don't know much about RIRs, paying membership fees, etc. They just know they want address space, and I provide that. If they are ISPs and don't know much about RIRs, can you please name them and provide their ASNs ... oh, wait ... they won't have an ASN if they don't know about RIRs and fees and such. Something isn't passing the smell test here. -- Scott Reed Owner NewWays Networking, LLC Wireless Networking Network Design, Installation and Administration Mikrotik Advanced Certified www.nwwnet.net (765) 855-1060
RINA - scott whaps at the nanog hornets nest :-)
It's really quiet in here. So, for some Friday fun let me whap at the hornets nest and see what happens... ;-) http://www.ionary.com/PSOC-MovingBeyondTCP.pdf -- NAT is your friend IP doesn’t handle addressing or multi-homing well at all The IETF’s proposed solution to the multihoming problem is called LISP, for Locator/Identifier Separation Protocol. This is already running into scaling problems, and even when it works, it has a failover time on the order of thirty seconds. TCP and IP were split the wrong way IP lacks an addressing architecture Packet switching was designed to complement, not replace, the telephone network. IP was not optimized to support streaming media, such as voice, audio broadcasting, and video; it was designed to not be the telephone network. -- And so, ...the first principle of our proposed new network architecture: Layers are recursive. I can hear the angry hornets buzzing already. :-) scott
Re: RINA - scott whaps at the nanog hornets nest :-)
--- na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org wrote: From: Mark Smith na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org http://www.ionary.com/PSOC-MovingBeyondTCP.pdf Whoever wrote that doesn't know what they're talking about. LISP is not the IETF's proposed solution (the IETF don't have one, the IRTF do), and streaming media was seen to be one of the early applications of the Internet - these types of applications are why TCP was split out of IP, why UDP was invented, and why UDP has a significantly different protocol number to TCP. -- That's interesting, I wasn't aware of that. I will look into that bit of history just for fun. Getting over misstated things like you've pointed out, what do you think of the concept? scott
Re: RINA - scott whaps at the nanog hornets nest :-)
--- r...@e-gerbil.net wrote: From: Richard A Steenbergen r...@e-gerbil.net On Fri, Nov 05, 2010 at 03:32:30PM -0700, Scott Weeks wrote: It's really quiet in here. So, for some Friday fun let me whap at the hornets nest and see what happens... ;-) Arguments about locator/identifier splits aside (which I happen to agree with), this thing goes off the deep end on page 7 when it starts talking about peering infrastructure. In fact pretty much every sentence on that page is blatantly wrong. :) On re-reading it, I understand what you're saying, but the concept seems to have merit. Were you able to get past the mis-statements and get to the meat of the paper? It's a concept, not running code, but very interesting. scott
Re: RINA - scott whaps at the nanog hornets nest :-)
On 11/08/2010 07:57 GMT+08:00, William Herrin wrote: On Fri, Nov 5, 2010 at 6:32 PM, Scott Weeks sur...@mauigateway.com wrote: It's really quiet in here. So, for some Friday fun let me whap at the hornets nest and see what happens... ;-) And so, ...the first principle of our proposed new network architecture: Layers are recursive. Hi Scott, Anyone who has bridged an ethernet via a TCP based IPSec tunnel understands that layers are recursive. See also G.805 et seq.
Re: RINA - scott whaps at the nanog hornets nest :-)
Been unexpectedly gone for the weekend, apologies for the delay. Wow, can subjects get hijacked quickly here. I think it happened within one or two emails. It was just for weekend fun anyway... --- b...@herrin.us wrote: From: William Herrin b...@herrin.us And so, ...the first principle of our proposed new network architecture: Layers are recursive. : Anyone who has bridged an ethernet via a TCP based : IPSec tunnel understands that layers are recursive. WRT the paper I'm having trouble correlating what you say with their notion of recursive layer network communications. It seems apples and oranges, but maybe I have Monday-its. It's only a little after noon here. http://www.ionary.com/PSOC-MovingBeyondTCP.pdf : John Day has been chasing this notion long enough to write three : network stacks. If it works and isn't obviously inferior in its : operational resource consumption, where's the proof-of-concept code? Not having read the following enough, being in operations and not in the research areas as much as others on this list I don my flameproof underpants and post this: pouzinsociety.org gives: - The TSSG developed CBA prototype, which consists of a fully functional componentised network stack and the ancillary supporting infrastructure, has been contributed to the Pouzin Society as the TINOS project. TINOS will provide the underlying platform and execution environment upon which a RINA prototype can be developed. The TSSG and i2CAT will be joining forces with the Pouzin Society to contribute to the development of a RINA prototype based on the TINOS platform. The TINOS code is freely available under the LGPL license. - the CBA prototype link being: http://www.tssg.org/4WARD/2010/07/component_based_architecture_n.html Seemingly unfortunate (to me) is: ...an open-source project to create a Java platform operating system. 
: The last time this was discussed in the Routing Research Group, none : of the proponents were able to adequately describe how to build a : translation/forwarding table in the routers or whatever passes for : routers in this design. When I asked on RRG I was told by the chairs, privately, that no open-slate designs would be considered. No RINA proponents are participating in the list, as well. WRT RRG I had assumed various proposals would be considered with equal respect and dignity, the basic components described, a 'winner' selected and then the engineering details designed. Watching the list has been an experience in reality (it's not all peace, love and happiness out there :-) and I now more clearly understand the comments made by others on this list about the process. Since it wasn't allowed on RRG, I hoped to spur discussion here between those who spend more cycles in research and learn from that discussion. It didn't happen yet... ;-) scott ps. Thanks for the response. I am really curious about the approach. It would seem to weed out a lot of redundant things that various layers repeat.
Re: RINA - scott whaps at the nanog hornets nest :-)
--- d...@dotat.at wrote: From: Tony Finch d...@dotat.at : I note that he doesn't actually describe how to implement : a large-scale addressing and routing architecture. It's all : handwaving. There is more discussed in the book. The paper was written by another person and had to only hit the highlights, or it'd be too long for folks to want to read. I'd imagine you can get a copy of the book in a university library. :And he seems to think that core routers can cope with per-flow state. Can you elaborate for me? : The only bits he's at all concrete about are the transport : protocol, which isn't really where the unsolved problems are. It wasn't about just solving problems. It seems to me to be about if you could clean-slate design, what would you do? AFAICT the RRG folks are specifically focused on fixing problems: map-n-encap and tunneling being the most liked solutions. One similar thing to other proposals on that list, though, that has me wondering is the use of a 'server' in the middle to keep track of everything. scott
Re: RINA - scott whaps at the nanog hornets nest :-)
--- eu...@leitl.org wrote: From: Eugen Leitl eu...@leitl.org Networks are much too smart still, what you need is the barest decoration upon the raw physics of this universe. -- Yes, that's one thing I note. The mapping server idea that several proposals use does not appear to keep the smartness at the edges; rather, it seems to try to make a smarter core network. scott
Re: RINA - scott whaps at the nanog hornets nest :-)
--- d...@dotat.at wrote: The point of a clean slate design is to rethink the foundations of your architecture, and get rid of constraints that set you up to fail. -- Yes, and I thought this idea could be the beginning of one way to do that and became interested in what others thought. However, there're not very many avenues to ask for competent responses on things like this. Thanks for the responses. scott ps. The NAT is your friend part is what I thought would whap at the nest for weekend fun... :-)
Re: RINA - scott whaps at the nanog hornets nest :-)
--- b...@herrin.us wrote: really would. Maybe you can tell me the page number, 'cause I just can't wade through the rest of it. - Don't read anything until around chapter 6 or 7. Also, skip the last one. Thanks for the responses. scott
Re: RINA - scott whaps at the nanog hornets nest :-)
--- d...@dotat.at wrote: From: Tony Finch d...@dotat.at On Mon, 8 Nov 2010, Scott Weeks wrote: The mapping server idea that several proposals use does not appear to keep the smartness at the edges; rather, it seems to try to make a smarter core network. Is a DNS server core or edge? ILNP aims to use the DNS as its mapping service. -- DNS root name servers are at the 'core'. No? scott
Re: AS path question.
--- valdis.kletni...@vt.edu wrote: From: valdis.kletni...@vt.edu One has to wonder how many places are using the prepend-me-harder commands to do traffic engineering, and have absolutely no clue that their prepends are having the opposite effect because the prefix is being dropped entirely by some AS's. -- Do you think (or is there evidence) that very many ASs use maxas-limit type commands? I have never used it and never had any problems... -- I suppose the exact same issue applies for those places that deaggregate in an attempt to do TE, and the de-aggregated prefixes get munched by somebody's prefix-length filter. Only if they're longer than a /24, though; yes? I imagine no one really filters shorter than a /24 these days. scott
Re: AS path question.
--- jba...@brightok.net wrote: From: Jack Bates jba...@brightok.net On 11/10/2010 5:44 PM, Scott Weeks wrote: Do you think (or is there evidence) that very many ASs use maxas-limit type commands? I have never used it and never had any problems... : ...but just to be safe I added it to all my routers. I : don't know where I came up with the magical 75 number, : but it definitely seems reasonable that anything with : 75+ ASNs in the path probably don't deserve to be in : my table. Why did that make you feel safe? Other than a bug, and ignorance of BGP, what is unsafe about a lotta prepends? scott
Re: AS path question.
--- jle...@lewis.org wrote: From: Jon Lewis jle...@lewis.org On Wed, 10 Nov 2010, Scott Weeks wrote: Why did that make you feel safe? Other than a bug, and ignorance of BGP, what is unsafe about a lotta prepends? Ignorance of BGP? There's a known cisco bug that causes BGP session -- I meant ignorance of BGP in that 50, 75 or 100 prepends will basically make no difference in your paths. So, other than for fun and testing why prepend that much? scott
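The exchange in this thread (Valdis's point about prepends backfiring, Jack's maxas-limit of 75, and the prefix-length filter question) comes down to one mechanical fact: a prepended path that survives an inbound filter is merely less preferred, while one that exceeds the neighbour's AS-path limit is discarded and may take the only route to the prefix with it. The following is an added example, not code from the thread or from any router vendor: a Python model of an inbound policy with a maxas-limit and a longest-accepted-prefix check, followed by a shortest-AS-path selection, run over a constructed Adj-RIB-In. The ASNs (private range), prefixes (documentation blocks) and peer names are made up; the 75 comes from Jack's post and the /24 from Scott's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Route:
    prefix: str
    as_path: List[int]   # leftmost entry is the neighbour that sent it
    neighbor: str


# Constructed sample Adj-RIB-In; none of this is real routing data.
SAMPLE_RIB_IN = [
    # Two paths for one prefix; the origin prepended itself 3 extra times
    # towards peer-B. This is the normal, working use of prepends.
    Route("203.0.113.0/24", [64500, 64504], "peer-A"),
    Route("203.0.113.0/24", [64510] + [64504] * 4, "peer-B"),
    # Two paths; the path via peer-B carries 80 prepends, past the limit,
    # so it is dropped outright instead of merely being less preferred.
    Route("198.51.100.0/23", [64500, 64503], "peer-A"),
    Route("198.51.100.0/23", [64510] + [64503] * 80, "peer-B"),
    # Only one path exists and it is the over-prepended one: the prefix
    # vanishes from the table entirely (Valdis's "opposite effect").
    Route("198.51.102.0/23", [64510] + [64505] * 80, "peer-B"),
    # A /25 deaggregate used for TE: caught by the prefix-length filter.
    Route("192.0.2.128/25", [64500, 64506], "peer-A"),
]

MAXAS_LIMIT = 75        # the "magic" number quoted by Jack
MAX_PREFIXLEN_V4 = 24   # common inbound filter: nothing longer than /24


def evaluate(route: Route, maxas_limit: int = MAXAS_LIMIT,
             max_prefixlen: int = MAX_PREFIXLEN_V4) -> Tuple[bool, str]:
    """Inbound policy: reject too-long prefixes and too-long AS paths."""
    net = ipaddress.ip_network(route.prefix, strict=False)
    if net.version == 4 and net.prefixlen > max_prefixlen:
        return False, f"prefix longer than /{max_prefixlen}"
    if len(route.as_path) > maxas_limit:
        return False, (f"AS path length {len(route.as_path)} exceeds "
                       f"maxas-limit {maxas_limit}")
    return True, "accepted"


def apply_filters(rib_in: List[Route], maxas_limit: int = MAXAS_LIMIT,
                  max_prefixlen: int = MAX_PREFIXLEN_V4):
    """Split the Adj-RIB-In into (accepted, rejected) lists with reasons."""
    accepted: List[Tuple[Route, str]] = []
    rejected: List[Tuple[Route, str]] = []
    for r in rib_in:
        ok, reason = evaluate(r, maxas_limit, max_prefixlen)
        (accepted if ok else rejected).append((r, reason))
    return accepted, rejected


def select_best(accepted: List[Tuple[Route, str]]) -> Dict[str, Route]:
    """Shortest AS path wins; the only selection step prepends influence here."""
    best: Dict[str, Route] = {}
    for r, _ in accepted:
        cur = best.get(r.prefix)
        if cur is None or len(r.as_path) < len(cur.as_path):
            best[r.prefix] = r
    return best


def missing_prefixes(rib_in: List[Route], best: Dict[str, Route]) -> List[str]:
    """Prefixes that were offered to us but have no surviving path at all."""
    return sorted({r.prefix for r in rib_in} - set(best))


if __name__ == "__main__":
    acc, rej = apply_filters(SAMPLE_RIB_IN)
    best = select_best(acc)
    for r, why in rej:
        print(f"dropped {r.prefix} via {r.neighbor}: {why}")
    for p, r in sorted(best.items()):
        print(f"best {p} via {r.neighbor} (path length {len(r.as_path)})")
    print("unreachable:", missing_prefixes(SAMPLE_RIB_IN, best))
```

Raising `maxas_limit` in `apply_filters` to anything above 81 makes the over-prepended paths reappear as the least-preferred option, which is the behaviour the prepending network was counting on; at 75 they are simply gone, and for 198.51.102.0/23 so is all reachability.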
Re: Introducing draft-denog-v6ops-addresspartnaming
If 8 bits is a byte, then 16 bits should be a mouthful. ;) Scott On 11/18/10 10:45 PM, George Bonser wrote: Hi all, as most of you are aware, there is no definite, canonical name for the two bytes of IPv6 addresses between colons. This forces people to use a description like I just did instead of a single, specific term. I am ok with quibble but I don't think it will gain wide usage in the US. We use quad at work. G
Re: Introducing draft-denog-v6ops-addresspartnaming
Given that a meal is often comprised of several mouthfuls, wouldn't it stand to reason that the entire address would suffice there? ;) Scott On 11/19/10 11:06 AM, Richard Hartmann wrote: On Fri, Nov 19, 2010 at 14:14, Scott Morris s...@emanon.com wrote: If 8 bits is a byte, then 16 bits should be a mouthful. When does it become a meal and, more importantly, do you want to supper (sic) size? RIchard
RE: Level 3 Communications Issues Statement Concerning Comcast's Actions
Unless I am missing something, Level3 is just the transit provider. Level 3 (via one of their acquisition a few years back) does have a very popular CDN product, but even if they are the source from an IP perspective, they still do not own the content, that is still primarily the networks and studios. Also as to GoogleTV, from what I have seen so far they are simply providing an interface (via an OS for 3rd party hardware) to access already available content, so yes they would be affected. -Scott -Original Message- From: Seth Mattinen [mailto:se...@rollernet.us] Sent: Monday, November 29, 2010 6:02 PM To: nanog@nanog.org Subject: Re: Level 3 Communications Issues Statement Concerning Comcast's Actions On 11/29/2010 14:40, Rettke, Brian wrote: Essentially, the question is who has to pay for the infrastructure to support the bandwidth requirements of all of these new and booming streaming ventures. I can understand both the side taken by Comcast, and the side of the content provider, but I don't think it's as simple as the slogans spewed out regarding Net Neutrality, which has become so misused and abused as a term that I don't think it has any credulous value remaining. Is Level3 the content provider though? Or did Comcast just decide they don't want to do the settlement free peering thing anymore for traffic transiting via Level 3? ~Seth
Re: The scale of streaming video on the Internet.
Sunday Night Football at the top last week, with 7.1% of US homes watching. That's over 23 times as many folks watching as the 0.3% in our previous math! Ok, 23 times 150Gbps. 3.45Tb/s. Yowzer. That's a lot of data. 345 10GE ports for a SINGLE TV show. But that's 7.1% of homes, so scale up to 100% of homes and you get 48Tb/sec, that's right 4830 simultaneous 10GE's if all of Comcast's existing high speed subs dropped cable and watched the same shows over the Internet. I think we all know that streaming video is large. Putting the real numbers to it shows the real engineering challenges on both sides, generating and sinking the content, and why companies are fighting so much over it. Anything that is live and likely to be watched by lots of people at the same time, like sports, can be handled via multicast. The IPTV guys have had a number of years to get that to work fairly well in telco environments. The content that can't be handled with multicast, like on demand programming, is where you lose your economy of scale. -- Scott Helms Vice President of Technology ISP Alliance, Inc. DBA ZCorum (678) 507-5000 Looking for hand-selected news, views and tips for independent broadband providers? Follow us on Twitter! http://twitter.com/ZCorum
Re: The scale of streaming video on the Internet.
On 12/4/10 5:56 PM, Jay Ashworth wrote: I recently calculated the capacity of a 747F full of LTO-4 tapes; it's about 8.7 exabytes. I *think* it's within weight and balance for the airframe. Cheers, -- jra Just how much free time do you have? :) Scott
Re: Lightning Debates at NANOG 51
--- t...@dyn.com wrote: From: Tom Daly t...@dyn.com Ethernet: 40GE vs. 100GE people are debating which is better? really? I'm sure someone has an opinion... On NANOG? Naahhh ;-) scott
Re: A fascinating piece of spam
--- s...@cs.columbia.edu wrote: From: Steven Bellovin s...@cs.columbia.edu Yup, same purported sender... From what company? So we don't make the mistake of buying from them. scott
Re: A fascinating piece of spam
From: Scott Weeks sur...@mauigateway.com From: Steven Bellovin s...@cs.columbia.edu Yup, same purported sender... From what company? So we don't make the mistake of buying from them. -- Never mind, I got one too. www.bradleydentaloffice.com
8 ae1d0.mcr1.saltlake2-ut.us.xo.net (216.156.1.2)
9 ip65-46-63-46.z63-46-65.customer.algx.net (65.46.63.46)
10 206.130.126.61.west-datacenter.net (206.130.126.61)
11 68.169.38.135.static.westdc.net (68.169.38.135)
Someone from Westhost here? plonk them please! scott
RE: SONET and MAC address
Don't know the FlashWave gear well, but in the Cisco ONS/Cerent world GigE ports can be configured in different modes, some of which do in fact learn MAC addresses. Others emulate a single layer-2 link and, as the vendor stated, would not look at the MAC address at all. -Scott -Original Message- From: Jay Nakamura [mailto:zeusda...@gmail.com] Sent: Wednesday, December 08, 2010 3:33 PM To: NANOG Subject: SONET and MAC address We have a Gigabit Ethernet transport between cities by a vendor. We found that when there are identical MAC addresses that are on different VLANs on different sides of the circuit, one of the VLANs loses packets. This situation came up because two different networks that travel over the Ethernet were using HSRP with the same virtual MAC address. The vendor says both sides are directly connected to Fujitsu SONET gear and the equipment doesn't even look at the MAC address so it's not their circuit. All I know is, I can't recreate the problem if this circuit is not in the path. I haven't worked with Fujitsu SONET gear so I don't know if their claim is true or not. I vaguely remember someone talking about some equipment actually having a built-in switch on the SONET port and that was messing up the forwarding. Also, on one side of the circuit, there is a copper to fiber media converter. I am going to find out what model this is and see if that could be the cause. Anyone have any thoughts on what I should look into or have the vendor look into? Anyone run into this situation? Thanks!