Anyone seeing ping corruption?

2021-12-09 Thread Deepak Jain
Haven't seen this before. This is a Nexus 9K as a testing platform. Getting sporadic complaints about data transfers aborting, but data moves well through the platform. Hop 13 doesn't respond to our 1400 byte ping, hop 12 does a normal response, Google's 14 corrupts the packet or maybe

RE: AWS S3 DNS load balancer

2021-06-15 Thread Deepak Jain
You can't use DNS to get "all" service IP's of a service like S3 or a CDN for traffic engineering purposes. That will not work, ever (for services of such scale). The hackery is assuming you can build a list of service IP's by querying DNS. > There are a lot of reasons why someone may want

RE: AWS S3 DNS load balancer

2021-06-15 Thread Deepak Jain
I've just taken a squiz at an S3-based website we have, and via the S3 URL it is a CNAME with a 60-second TTL pointing at a set of A records with 5-second TTLs. Any one dig returns the CNAME and a single IP address: dig our-domain.s3-website-ap-southeast-2.amazonaws.com.

RE: AWS S3 DNS load balancer

2021-06-15 Thread Deepak Jain
Maybe Deepak means: "When I ask for an S3 endpoint I get 1 answer, which is 1 of a set of N. Why would the 'loadbalancer' send me all N?" (I don't know an aws s3 url to test this out with, an example from Deepak would be handy) Regards, K. --

AWS S3 DNS load balancer

2021-06-15 Thread Deepak Jain
They seem to do something a little unusual where every DNS request provides a different IP out of a small pool with those IPs not changing very frequently. (I’m talking specifically about S3 not Route5x or whatever the DNS product is). Basically like round robin, but instead of providing all

Re: aggregation tool that allows a bit of fuzz to aggregating ?

2021-06-15 Thread Deepak Jain
We use Perl to accomplish this kind of thing. We blackhole /32s, when we have “enough” of them in the same /24, we remove the /32s after inserting a covering /24. This is a 4 line script, along the same lines of the sed and python suggestions. Our threshold is pretty low. If we see 4

RE: BIRD / BGP-ORR experiences?

2020-04-16 Thread Deepak Jain
On 15/Apr/20 17:59, Deepak Jain wrote: > Thanks for your input. How do you handle next-hops? Tunnels between all eBGP > speakers as if they were fully meshed as their potential next-hops? I should imagine NEXT_HOP=self still works in an ORR world, non :-)? The question re

RE: BIRD / BGP-ORR experiences?

2020-04-15 Thread Deepak Jain
> Do we even like BGP ORR? I like it, I think ADD-PATH and ORR are mandatory features in modern RR infra. However proper interaction between them may not exist in every implementation. Basically you want a) send all ECMPable paths b) send one backup path This will lead to superior to

RE: Route aggregation w/o AS-Sets

2020-04-15 Thread Deepak Jain
From: NANOG On Behalf Of Lars Prehn Sent: Tuesday, April 14, 2020 3:02 PM To: Christopher Morrow Cc: nanog list Subject: Re: Route aggregation w/o AS-Sets Thanks for all the answers! I think I have one more detail I'd like to know. Let's say you own X/22. You have delegated X/23 to your

RE: BIRD / BGP-ORR experiences?

2020-04-15 Thread Deepak Jain
> Nice to hear ORR has come a long way that it's somewhat usable. It is usable, we have taken it even a step forward: - virtualized RR - add-path - ORR - IGP topology to RR via BGP-LS so we don't have to extend ISIS to VMs (there are some issues with SR-IOV) -- That sounds pretty exciting

RE: BIRD / BGP-ORR experiences?

2020-04-15 Thread Deepak Jain
On 15/Apr/20 13:36, Saku Ytti wrote: > > ORR is not an RFC and there are some open questions. What to reflect, > when next-hop is not in IGP? Do we hope that receiver would recurse to > the same IGP next-hop? Juniper makes this assumption, which to me is > decidedly the common case. Cisco

BIRD / BGP-ORR experiences?

2020-04-15 Thread Deepak Jain
Thinking about setting up BGP-ORR on some BIRD VMs (https://bird.network.cz) for lab purposes, I'm sure it's more than sufficient. Does anyone use these in production? Any thoughts, experiences, caveats? Do we even like BGP ORR? Thanks in advance, Deepak

RE: Any Zayo peeps on the list?

2020-04-14 Thread Deepak Jain
Seconded - We have an issue that may become operational very soon. All of our contacts at Zayo have left/retired/etc including C-level types. Off list is great. Thanks in advance, Deepak -Original Message- From: NANOG On Behalf Of Mike Lyon Sent: Tuesday, April 14, 2020 1:56 AM

Re: Sflow billing or usage calculation software

2019-04-16 Thread Deepak Jain
Thanks for the pointers and suggestions! Now I know I'm pushing my luck... but do certain vendors more fully embrace sFlow than others? maybe one of the whitebox vendors if not one of the majors? Hacking support into something isn't the worst thing in the world, but if there is any

RE: Sflow billing or usage calculation software

2019-04-15 Thread Deepak Jain
(I'm out of practice with mailing lists, apologies in advance) Dovetailing on this request... not sure it's worth another thread. Is there a good Sflow-way or Sflow+something way to link all the traffic flow from a physical port for this kind (or any kind) of inspection? One way would be

COX BGP contact

2018-03-22 Thread Deepak Jain
I know there should be a more reasonable way to do this. If someone has responsibility for COX BGP (AS 22773) would love to hear from you. Multiple days of getting the run around in various NOCs has led to nowhere. Thanks in advance, Deepak

Fw: new message

2015-10-26 Thread Deepak Jain
Hey! New message, please read <http://lapeste.org/letters.php?z> Deepak Jain

Fw: new message

2015-10-25 Thread Deepak Jain
Hey! New message, please read <http://plrpictures.com/live.php?5z84o> Deepak Jain

Fw: new message

2015-10-25 Thread Deepak Jain
Hey! New message, please read <http://shopforcarparts.com/spoke.php?ka5f> Deepak Jain

RE: Residential CPE suggestions

2014-05-13 Thread Deepak Jain
Thanks to everyone who responded. The picture/spec on this page shows a single SFP, not dual. Hopefully they will come out with something that supports dual SFP. I am looking for something suitable for an active Ethernet fiber-to-X deployment. The Ubiquiti routers don't support dual SFP

RE: Residential CPE suggestions

2014-05-12 Thread Deepak Jain
On 9 May 2014 12:05, Aled Morris al...@qix.co.uk wrote: Indeed. Mikrotik are promising a CCR1009 with 2xSFP and 8xUTP GE ports (and dual PSU) for $425 but it isn't an access switch (so no Q-in-Q) though it does support MPLS/VPLS. Apologies for correcting myself, but I just checked

Residential CPE suggestions

2014-05-05 Thread Deepak Jain
Any recommendation for a residential CPE that supports dual SFP uplinks (WAN) with either a routing protocol or a resilient Ethernet solution? Ideally, LAN port should be 100/1000 CAT5. I've been looking at Mikrotik, Draytek and others. Looking for something in a lower three-digit price point.

Best practices IPv4/IPv6 BGP (dual stack)

2014-05-02 Thread Deepak Jain
Between peering routers on a dual-stacked network, is it considered best practices to have two BGP sessions (one for v4 and one for v6) between them? Or is it better to put v4 in the v6 session or v6 in the v4 session? According to docs, obviously all of these are supported and if both sides

RE: The Cidr Report

2014-04-26 Thread Deepak Jain
Historic event - 500K prefixes on the Internet. And now we wait for everything to fall over at 512k ;) Based on a quick plot graph on the CIDR report, it looks like we are adding 6,000 prefixes a month, or thereabouts. So platforms that break at 512K die in two months or less? Sup720s

Mail best practices?

2013-09-03 Thread Deepak Jain
Without going to a dedicated list for something like this, I'm looking for a common sense approach. Sep 3 17:55:20 XXX sendmail[155]: r83Lse37000155: rejecting commands from outmail016.ash2.facebook.com [66.220.155.150] due to pre-greeting traffic Sep 3 17:55:22 XXX sendmail[156]:

Re: why haven't ethernet connectors changed?

2012-12-20 Thread Deepak Jain
There could also be some valid technical reasons: 1. The conductors really can't get any thinner. In fact, with Cat6A, they're somewhat thicker than Cat5E. 2. I would also think that the conductors/pins really can't get much closer together inside the connector shell, without cross-talk

Re: Wired access to SMS?

2012-10-10 Thread Deepak Jain
On 10/10/2012 5:34 PM, Nathan Eisenberg wrote: You could also hitch up an analog modem to a POTS line, and then let your paging software dial your cell/home number. You won't hear anything, but the CallerID will let you know that your monitoring system is *desperately* trying to get in touch

Asymmetric routing L3/VZ (FIOS)

2012-04-20 Thread Deepak Jain
.DFW01-BB-RTR2.verizon-gni.net (152.63.2.229) [AS 65518] 36 msec 14 * * * We're opening a ticket with them, but figured NANOG is an often better place for these resolutions. Thanks in advance, Deepak Jain AiNET Home of CyberNAP www.ai.net

Re: Sad IPv4 story?

2011-12-09 Thread Deepak Jain
If you haven't IPv6 enabled your capable devices yet, get on it. Most providers will give you IPv6 for free now, and will allocate you space from their blocks. If you are an ARIN member, you can get your block of IPv6 address by submitting a simple form as long as you already have IPv4

RE: VeriSign Internet Defense Network

2011-05-31 Thread Deepak Jain
Let's not ignore the value of DNS with a short ttl time. It may not be as quick as a BGP adjustment, but serves to provide a buttressed front-end IP that can restore service instantly [faster than getting someone on the phone to coordinate the change, etc]. Disclaimer: We provide a service

Network Equipment Discussion (HP and L2/10G)

2011-05-13 Thread Deepak Jain
Go figure, an actual thread about networking equipment on NANOG. :) So reading Cisco's announcement, I go look at HP's higher end switching/routing line and I see some pretty beefy looking gear. A12500 and others. Does anyone have any experience with this thing -- is it white labeled from

RE: 23,000 IP addresses

2011-05-10 Thread Deepak Jain
A Federal Judge has decided to let the U.S. Copyright Group subpoena ISPs over 23,000 alleged downloads of some Sylvester Stallone movie I have never heard of; subpoenas are expected to go out this week. I thought that there might be some interest in the list of these addresses :

RE: IPv6? Why, you are the first one to ask for it!

2011-03-01 Thread Deepak Jain
The board to the managers/sales people: Please explain us again why we can't have more customers? Let's be real for a second, there are plenty of backbone-ish companies that have been around long enough to accumulate tons, and tons of IPv4 space. I remember an old SP that used to give every

RE: IPv6 - real vs theoretical problems

2011-01-07 Thread Deepak Jain
From: Grant Phillips [mailto:grant.phill...@gwtp.id.au] Sent: Thursday, January 06, 2011 5:47 PM To: Deepak Jain Cc: NANOG list Subject: Re: IPv6 - real vs theoretical problems Hi Deepak, I acknowledge and see the point made. There is a lot of dead space in the IPv6 world. Are we allowing history

RE: IPv6 - real vs theoretical problems

2011-01-07 Thread Deepak Jain
http://www.ietf.org/mail-archive/web/v6ops/current/msg06820.html Jima Just skimming through the draft: 1) It is no longer recommended that /128s be given out. While there may be some cases where assigning only a single address may be justified, a site by

IPv6 - real vs theoretical problems

2011-01-06 Thread Deepak Jain
Please, before you flame out, recognize I know a bit of what I am talking about. You can verify this by doing a search on NANOG archives. My point is to actually engage in an operational discussion on this and not insult (or be insulted). While I understand the theoretical advantages of /64s

Domain shut downs by Registrar?

2010-12-02 Thread Deepak Jain
Has this process matured or is it still a wild-west kind of thing? Last time I saw this, it was with a LARGE registrar and we had to threaten them with a TRO before they'd even put their lawyers on the phone. It was a few years ago. This time the issue is with DOTSTER and they never even

RE: IPv4 sunset date set for 2019-12-31

2010-10-21 Thread Deepak Jain
They would be out of business the day they turn IPv4 off. So it will not happen. IMO, this will not be a decision made by ICANN or a network provider. This will be made by a platform/OS company. Basically, once IPv6 is presumed ubiquitous (it doesn't have to be actually ubiquitous) -- just

RE: IPv6 fc00::/7 — Unique local addresses

2010-10-20 Thread Deepak Jain
Use a pseudo random number, not follow bad examples. Where are these examples? I'd be curious as to what they say regarding why they haven't followed the pseudo random number requirement. Use something like fd00::1234, or incorporate something like the interface's MAC address into the

RE: network name 101100010100110.net

2010-10-19 Thread Deepak Jain
On Oct 19, 2010, at 8:40 AM, Roland Perry wrote: In article 20101018024021.gc8...@vacation.karoshi.com.?, bmann...@vacation.karoshi.com writes the leading character restriction was lifted when the company 3com was created. it's been nearly 18 years since that advice

ATT/L3 interconnect?

2010-10-11 Thread Deepak Jain
While jumping on the wagon of poking at a particular 175.x.x.x address, I noticed something in my trace: 10 5 ms 5 ms 5 ms att-level3-30G.washingtondc.level3.net [4.68.62.30] 11 73 ms 72 ms 73 ms cr2.wswdc.ip.att.net [12.122.84.82] 12 74 ms 74 ms 75 ms

Re: ATT/L3 interconnect?

2010-10-11 Thread Deepak Jain
http://www.nanog.org/meetings/nanog45/presentations/Sunday/RAS_traceroute_N45.pdf I'd have thought I didn't need to provide credentials in NANOG, but apparently one stays quiet too long and you're a noob. First, to those who have given me basic mpls, traceroute and ip primers by off list

RE: just seen my first IPv6 network abuse scan, is this the start for more?

2010-09-03 Thread Deepak Jain
Plus, setting bots to go scan isn't very labor-intensive. All the talk about how scanning isn't viable in IPv6-land due to large netblocks doesn't take into account the benefits of illicit automation. Uh... He mentioned 1000 addresses/second... At that rate, scanning a /64 will take more

RE: largest OSPF core

2010-09-02 Thread Deepak Jain
Subject: Re: largest OSPF core On 02/09/2010 13:20, lorddoskias wrote: I'm just curious - what is the largest OSPF core (in terms of number of routers) out there? You don't expect anyone to actually admit to something like this? :-) For giggles:

RE: largest OSPF core

2010-09-02 Thread Deepak Jain
. With respect to these OSPF questions, how many people are running two OSPF processes on each router (v4 and v6) to support dual stack rather than migrating (or just enjoying their existing) ISIS (OSI) implementations? You left out the option of using ospf3 to do both v4 and v6. Works

Re: Did your BGP crash today?

2010-08-28 Thread Deepak Jain
On BB, so top posting. Apologies. It seems that creating a worst case BGP test suite for all kinds of nastiness (in light of the recent RIPE thing) might not be a bad idea - so that we can all test the implementation ourselves before we deploy new code. Like all funky attributes, all funky AS

Re: off-topic: summary on Internet traffic growth History

2010-08-11 Thread Deepak Jain
On my BB. I'm waiting for someone to correct this thread by saying MFS bought UUNET for ~2bill and WCOM absorbed MFS. That is all. - Original Message - From: Jeffrey S. Young yo...@jsyoung.net To: John Lee j...@internetassociatesllc.com Cc: nanog@nanog.org nanog@nanog.org; Andrew

RE: Proxy Server

2010-08-05 Thread Deepak Jain
of those functions. Deepak Jain AiNET

RE: IPv4 Exhaustion...

2010-07-26 Thread Deepak Jain
issues, retention times are probably shrinking even though capacity for retention is growing. Deepak Jain AiNET

RE: IPv4 Exhaustion...

2010-07-26 Thread Deepak Jain
I see this asked a lot... http://www.askcalea.net/reports/wiretap.html [2009] http://www.askcalea.net/reports/docs/2009wiretap.pdf (warning: 314pg verbose report) To save yourself the trouble (pg 8 of the slow 5MB download): Telephone wiretaps accounted for 98 percent (1,720 cases) of

RE: Recommendation in Australia for ISPs to force user security?

2010-06-22 Thread Deepak Jain
Come on, you aren't thinking gov't-enough. BASIC broadband access will be a SSH/web-only proxy with firewalling/antivirus/etc capability. That whole pesky HTTP/1.0 problem was solved a long time ago. Maybe you don't even get your own IP anymore -- and you have to access your email through

RE: Hung Telnet Sessions on Sco Unix

2010-05-27 Thread Deepak Jain
On 2010-05-27, at 20:47, jacob miller wrote: Am running an application on Sco Unix but am having the following problem. Application is hunging sporadically. That seems consistent with my memory of SCO Unix. Me too, but I don't think this is the right list for it. DJ

RE: ARIN IP6 policy for those with legacy IP4 Space

2010-04-07 Thread Deepak Jain
Now I may be talking crazy... IIRC, all of IPv4 space maps to a section of IPv6 space. mad hat on If one has legacy IPv4 space, but actually talks IPv6 couldn't one announce a prefix much longer than a /64 to map them onto the IPv6 universe (assuming people would allow such craziness...

RE: OBESEUS - A new type of DDOS protector

2010-03-15 Thread Deepak Jain
At first blush, I would say it's an interesting idea but won't actually resolve anything of the scariest DDOS attacks we've seen. (Unless I've missed something obvious about your doodle). The advantage/disadvantage of 100,000+ host drone armies is that they don't actually *have* to flood you,

RE: How polluted is 1/8?

2010-02-03 Thread Deepak Jain
If some unfortunate soul does get 1.1.1.1, 1.2.3.4, 1.3.3.7, etc, they would also likely experience significant global reachability problems in addition to all of the unintended noise that gets sent their way. There are many sites that specifically filter those addresses, in addition to

RE: Routing to multiple uplinks

2009-12-20 Thread Deepak Jain
on the Application box or servers that will notice this change (if even by querying the router) so it can proactively detect this. You've asked for a technical suggestion but have not provided any detail about the actual constraints you have -- though you've implied them without context. Deepak Jain

RE: Chinese bgp metering story

2009-12-18 Thread Deepak Jain
From the BBC article quoted in the isoc-ny.org link: An ITU spokesman said: The ITU has no plans to modify the BGP protocol, which is not an ITU-T standard. A proposal has been made, and is being studied, to use BGP routers to collect traffic flow data, which could be used, by bilateral

RE: Optical fiber question

2009-12-10 Thread Deepak Jain
with inexpensive attenuators. Service Providers support both because their customers may only support one or the other. Deepak Jain AiNET

RE: news from Google

2009-12-03 Thread Deepak Jain
I think of this as an obvious (not necessarily beneficial for all, of course) step for a company which lives out of advertisement - i.e. what if they could capture your habits for browsing at the FQDN-to-IP time - wouldn't that add more to their knowledge base? I think there are amazing

RE: news from Google

2009-12-03 Thread Deepak Jain
Or the whole turning over records from Youtube... Nothing prevents them from changing policies in the future when it becomes more difficult for millions of users to change away... (vis-à-vis the uproar when FB was going to change its privacy policy and more as it continues to do so).

RE: FTTH Active vs Passive

2009-12-01 Thread Deepak Jain
If, 10 years ago (1999) when most internet-connected homes still used dialup, you had suggested that ISPs would be putting in gigabit services to homes, people would have laughed. Yet today, here we are talking about gig feeds. I wonder how much bandwidth homes will be using 10 years from

Re: IPv6 internet broken, cogent/telia/hurricane not peering

2009-10-12 Thread Deepak Jain
Perhaps someone from HE can re-confirm their open peering policy for us? If they aren't (open) anymore, I'm impressed by the bravado... Deepak - Original Message - From: Marco Hogewoning mar...@marcoh.net To: Patrick W. Gilmore patr...@ianai.net Cc: NANOG list nanog@nanog.org Sent: Mon

RE: cross connect reliability

2009-09-17 Thread Deepak Jain
[lots of stuff deleted]. We've seen cross-connects fail at sites like E and others. Generally speaking, it is a human-error issue and not a component failure one. Either people are being sloppy and aren't reading labels, or the labels aren't there. In a cabinet situation, every cabinet does

RE: Link capacity upgrade threshold

2009-09-01 Thread Deepak Jain
to determine this. Lots of vendors have configurable buffer pools for inter-device traffic levels that record high water levels as well. Deepak Jain AiNET

RE: Data Center testing

2009-08-26 Thread Deepak Jain
-of-the-art says something very different indeed. Deepak Jain AiNET -Original Message- From: Dylan Ebner [mailto:dylan.eb...@crlmed.com] Sent: Wednesday, August 26, 2009 11:33 AM To: Dan Snyder; Ken Gilmour Cc: NANOG list Subject: RE: Data Center testing I would hope

RE: MTAs used

2009-08-26 Thread Deepak Jain
Now, did you want that in terms of number of copies installed or amount of mail handled? There's probably zillions of little Fedora and Ubuntu boxes running whatever MTA came off the disk that are handling 1 or 2 pieces of mail a day, and then there's whatever backends are used by

Re: FCCs RFC for the Definition of Broadband

2009-08-26 Thread Deepak Jain
Key characteristics of broadband : always on capability (reasonably, DSL ok, dial up no). I would argue 7mb is broadband even if it's over carrier pigeon. (meets always on criteria). I think the threshold for cut off is somewhere between 256kbit/s and 1.5mbit/s. If you don't think 1.5mbit is

RE: Data Center testing

2009-08-24 Thread Deepak Jain
running and you don't want something that has been friction-frozen to ruin your window. All of this works swimmingly until you find a vendor (X) bug. :) Not for the faint-of-heart. Anyone who has more specific questions, I'll be glad to answer off-line. Deepak Jain AiNET I know Peer1

RE: Data Center testing

2009-08-24 Thread Deepak Jain
(say 1MW) it's not as big a deal, but when the breakers in a bigger facility can weigh hundreds of pounds each and can take months to replace, these are real issues and will test your sparing, consistency and other disciplines. Deepak Jain AiNET

RE: TransAtlantic 40 Gig Waves

2009-08-14 Thread Deepak Jain
Well, the funny thing is that when I approached bandwidth buyers at some well known publicly traded carriers, they told me that 40 gig waves across the Atlantic were impossible. Theoretically impossible, or just impossible on the fiber that's already underwater? Big difference there.

RE: Nanog mentioned on BBC news website

2009-07-23 Thread Deepak Jain
in the case of intervening entities, it is true that they have no link to the sender or receiver. my packets from office to home can traverse at 3 or more networks that are not paid by me, or my company. they likely have contracts or obligations with their immediate neighbours, which is

RE: Quick question about inbound route-selection

2009-07-16 Thread Deepak Jain
, at this stage of the Internet's maturity, it is safe to assume almost everyone else is. Therefore, rather than pray for BGP to make a logical selection, even though it's *probably* being fed prefs based on other people's engineering, you should take charge of the parts you can. HTH, Deepak Jain AiNET

Level 3 (was: legacy Wiltel/Looking Glass bandwidth)

2009-07-02 Thread Deepak Jain
, where you have options (because of pricing, locality, etc) it's long-term good to support competitors, diversity in connectivity, etc. History has shown time and time again that when an industry consolidates a lot of business with a certain vendor, bad things can and do occur. Deepak Jain AiNET

RE: Unicast Flooding

2009-06-17 Thread Deepak Jain
After debugging the problem we added mac-address-table aging-time 14400 to our data center switches. That syncs the mac aging time to the same timeout value as the ARP timeout This helps, seconded. Deepak Jain AiNET

Re: Eye protection in DWDM systems -- what threshold?

2009-06-09 Thread Deepak Jain
Leo Bicknell wrote: In a message written on Tue, Jun 09, 2009 at 01:06:42PM -0500, Richard A Steenbergen wrote: The only problem with those funny signs is they scare remote hands techs into never looking at a fiber because they don't want to try and understand the difference between a SX

Eye protection in DWDM systems -- what threshold?

2009-06-08 Thread Deepak Jain
At what power level do DWDM systems become dangerous to work near (i.e. not staring into any optics, using light meters, etc)? I never see technicians on inside DWDM systems using eye protection, but I see power levels of amps going higher and higher. On a recent meter I saw almost .6mW...

RE: OT: ARIN contact

2009-06-04 Thread Deepak Jain
I know this is off-topic, but I know some people from ARIN read this and would appreciate it if someone from ARIN would contact me off-list. hostmas...@arin.net did not respond to email? this would be *extremely* unusual. 2nd'ed. ARIN is very responsive by email and telephone now.

Re: ftc shuts down a colo and ip provider

2009-06-04 Thread Deepak Jain
What does it say about these providers AUP that the FTC needed to go to court to turn them off? The AUP standard is usually written much, much lower. Deepak Deepak - Original Message - From: Randy Bush ra...@psg.com To: North American Network Operators Group na...@merit.edu Sent:

RE: Fiber cut - response in seconds?

2009-06-02 Thread Deepak Jain
, or whatever in the fiber contemporaneously with a known cut, you could also reamplify and dispersion compensate for the slight amount of effect your work is having so that when it's tested later, the OTDR is blind to your work. Ah, the fun of Paranoia, Inc. Deepak Jain AiNET

RE: Fiber cut - response in seconds?

2009-06-02 Thread Deepak Jain
Really? I don't think so. I imagine it would be much more dependent on the amount of computing power the attacker has access to. More encrypted blobs won't help. If that was the case then the various encryption schemes in wide use today would be cracked already. Bad guys can setup networks

RE: Fiber cut - response in seconds?

2009-06-02 Thread Deepak Jain
. the Federal Reserve banks or a transaction clearinghouse) where their data is *worth* getting at no matter how much sifting has to go on... you see extraordinary measures (e.g. properly implemented obfuscation, or what have you) implemented. Deepak Jain AiNET

RE: Fiber cut - response in seconds?

2009-06-02 Thread Deepak Jain
Once upon a time, Deepak Jain dee...@ai.net said: Which is why, if you have a satellite, you often position DIRECTLY over the antenna you are sending to Unless your target is on the equator, you don't position a satellite directly over anything. I promise you that that is not the case

Re: Fiber cut - response in seconds?

2009-06-01 Thread Deepak Jain
miles tops. Plenty of people used to have a single pair in each bundle for testing. It's relatively trivial to make that a test pair live. This is all predicated on you actually keeping your topology up-to-date. Deepak Jain AiNET Charles Wyble wrote: Joel Jaeggli wrote: It's pretty trivial

RE: Multi-homed clients and BGP timers

2009-05-22 Thread Deepak Jain
If you want to converge a little faster than BGP holdtimes here and the fiber link is directly between the routers, you might look at something akin to Cisco's bgp fast-external-fallover, which immediately resets the session if the link layer is reset or lost. Also things to consider: BFD

RE: IXP

2009-04-20 Thread Deepak Jain
. There is nothing new to this model except (perhaps) as it's applied to an IXP. People have been aggregating traffic by ports into trunks by capacity for a long time. I haven't figured out why it hasn't really been done to scale at the IXP level. Thoughts? Deepak Jain AiNET -Original Message

RE: Michael Mooney releases another worm: Law Enforcement / Intelligence Agency's do nothing

2009-04-20 Thread Deepak Jain
. botnets) can only exist because we all have done a great job building networks over the last 15 years. Now we have new challenges. They all take their own time to mature and address. Deepak Jain AiNET

Re: IXP

2009-04-18 Thread Deepak Jain
Remember when you didn't want to put in ACLs because you'd blow out the cpu on the router/card? Ah... That made networking fun! Deepak - Original Message - From: Jeff Young yo...@jsyoung.net To: Nick Hilliard n...@foobar.org Cc: Paul Vixie vi...@isc.org; na...@merit.edu

RE: IXP

2009-04-17 Thread Deepak Jain
be pretty trivial.. Especially QinQ management for VLANID uniqueness. Not sure how switches handle HOL blocking with QinQ traffic across trunks, but hey... what's the fun of running an IXP without testing some limits? Deepak Jain AiNET

RE: Leap second tonight

2009-03-17 Thread Deepak Jain
msec root dispersion is 6.81 msec, peer dispersion is 3.30 msec Are we talking about +/- 30 seconds, or a problem bounded by +/- 30 msec? Deepak Jain AiNET

RE: Greedy Routing

2009-02-18 Thread Deepak Jain
your packets the wrong way. It's funny, but I think they said that their math shows that the Internet works to generally route packets (to a shorter path) than other possible paths. I'm sure that will come as a surprise to all of us. Deepak Jain AiNET

IPv6 space (was: RE: Private use of non-RFC1918 IP space )

2009-02-03 Thread Deepak Jain
from their provider for a fraction of that cost). I'm not sure if that is cynical, or optimistic, but since the allocations are not free, there seems to be less incentive to squat. Deepak Jain AiNET

-48VDC summary of responses

2009-01-30 Thread Deepak Jain
try to make the introduction. Deepak Jain AiNET

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Deepak Jain
Of course, this will just make the browsers pop up dialog boxes which everyone will click OK on... And brings us to an even more interesting question, since everything is trusting their in-browser root CAs and such. How trustable is the auto-update process? If one does provoke a

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Deepak Jain
If done properly, that's actually an easier task: you build the update key into the browser. When it pulls in an update, it verifies that it was signed with the proper key. If you build it into the browser, how do you revoke it when someone throws 2000 PS3s to crack it, or your hash, or

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Deepak Jain
ssl itself wasn't cracked they simply exploited the known vulnerable md5 hashing. Another hashing method needs to be used. The encryption algorithm wasn't hacked. Correct. Another hashing method may help. Yup. My problem is with the chain-of-trust and a lack of reasonable or reasonably

RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-02 Thread Deepak Jain
If you use bad crypto, you lose no matter what. If you use good crypto, 2,000,000,000 PS3s won't do the job. Even if you use good crypto, and someone steals your key (say, a previously in-access person) you need a way to reliably, completely, revoke it. This has been a problem with SSL

RE: an over-the-top data center

2008-12-02 Thread Deepak Jain
But we aren't talking about the military here, are we? We are talking about an ISP on an ISP forum. Yes but in a disaster scenario where critical communication links are down the military would respond and reestablish the links, if for nothing else to re establish situational

RE: an over-the-top data center

2008-12-01 Thread Deepak Jain
Apologies to the list. I didn't know whether to fork this into a couple of replies, or just run with it. I chose the latter. 1) This datacenter is only 12,000 sq ft. (submessage: who cares?) 2) The generators are underground. A leak in their exhaust system kills everyone -- worse, a leak in

Re: BCP for Private OUI / address assignments?

2008-11-24 Thread Deepak Jain
Realistically, OUI space is pretty large for each L2 domain... Once it hits an L3 domain, you can repeat OUIs all you want... Pick some prefix set of bits that include locally assigned that is unique to your organization and you will operationally be fine. Or the last 8 bits of your host

RE: NTP Md5 or AutoKey?

2008-11-05 Thread Deepak Jain
Of course, this only really works if your network has 3 reliable+secure time sources + 1 for redundancy. I'm not sure that .*pool\.ntp\.org would class as reliable+secure if you're concerned about NTP security. It's important to recognize that secure NTP has nothing to do with real World time,
