Re: ISP port blocking practice

2009-10-23 Thread Steve Bertrand
Chris Boyd wrote: On Oct 22, 2009, at 6:14 PM, Lyndon Nerenberg (VE6BBM/VE7TFX) wrote: My experience is that port 587 isn't used because ISPs block it out-of-hand. Or in the case of Rogers in (at least) Vancouver, hijack it with a proxy that filters out the AUTH parts of the EHLO

Re: ISP port blocking practice

2009-10-23 Thread Steve Bertrand
Michael Peddemors wrote: On October 23, 2009, Steve Bertrand wrote: http://eagle.ca/update/mail/Outlook_Express/index.html ...yes, believe it or not, even with the pictures, they will sometimes still get it wrong ;) Years in planning and implementation, but a good, large-scale learning

Re: ISP port blocking practice

2009-10-22 Thread Steve Bertrand
Sean Donelan wrote: On Thu, 22 Oct 2009, Lyndon Nerenberg (VE6BBM/VE7TFX) wrote: My experience is that port 587 isn't used because ISPs block it out-of-hand. Or in the case of Rogers in (at least) Vancouver, hijack it with a proxy that filters out the AUTH parts of the EHLO response, making

Re: ISP port blocking practice

2009-10-22 Thread Steve Bertrand
Jon Kibler wrote: Zhiyun Qian wrote: Hi all, What is the common practice for enforcing port blocking policy (or what is the common practice for you and your ISP)? More specifically, when ISPs try to block certain outgoing port (port 25 for instance), they could do two rules: 1). For any

Re: IPv6 internet broken, cogent/telia/hurricane not peering

2009-10-12 Thread Steve Bertrand
Randy Bush wrote: sure would be nice if there was a diagnosis before the lynching If this happened in v4, would customers care 'why' it happened? Obviously not. Why should v6 be any different? It either is or is not production ready. I'm interested in HE's view on that. many of us

Re: OSPF vs IS-IS vs PrivateAS eBGP

2009-08-20 Thread Steve Bertrand
Gary T. Giesen wrote: FWIW, we use BGP to our multihomed customers (even when we manage the CPE), using a private AS. OSPF doesn't have the right toolset to provide protection for inter-network route propagation, and the risk of some customer's CPE screwing up your routing is just too high to

Re: IPv6 Addressing Help

2009-08-17 Thread Steve Bertrand
Ray Burkholder wrote: Why is it necessary to insist that using bits in a fashion that doesn't require that growth be predicated on requests for additional resources be considered wasteful? Don't we still need to subnet in a reasonably small fashion in order to contain broadcasts, ill-behaved

Re: Visualizing BGP paths

2009-08-12 Thread Steve Bertrand
Dylan Ebner wrote: I have been working on a project to better illustrate for our managers the provider path data takes when it flows from one of our customers to our datacenter. I have tried to use trace routes to illustrate the number of hops data takes, but when I try to show many sources on

Re: ISP best practices

2009-06-28 Thread Steve Bertrand
Barry Raveendran Greene wrote: The best training available on the Net for a small ISP to learn from the best is available. At www.nanog.org! All the NANOGs are on VOD. Just go to the presentation archive: http://www.nanog.org/presentations/archive/. Put in a keyword to search (say BGP

Re: Cogent input

2009-06-17 Thread Steve Bertrand
Joel Jaeggli wrote: Steve Bertrand wrote: Stephen Kratzer wrote: And, they have no plans to support IPv6. Ouch! I hope this is a non-starter for a lot of folks. read the rest of the thread... ...unfortunately, my message was sent out on the 11th, but just received yesterday

Re: Hurricane Electric

2009-06-17 Thread Steve Bertrand
Paul Stewart wrote: Hi folks... Looking for some feedback on using Hurricane Electric as an upstream? Even though I only have tunnel relationships with them for v6 (ie free transit), I'd have to say that between: - their excellent automation tools - their time-to-response - their level of

Re: Cogent input

2009-06-11 Thread Steve Bertrand
Stephen Kratzer wrote: And, they have no plans to support IPv6. Ouch! I hope this is a non-starter for a lot of folks. Steve

Re: Multi site BGP Routing design

2009-06-05 Thread Steve Bertrand
Justin Krejci wrote: If the private link between the two sites fails, will BGP allow for us to access the IP subnets at site 2 from site 1 via the internet given that both sites are advertising under the same ASN? No, because your router at site 2 will not accept any prefix with its own AS in

Re: Multi site BGP Routing design

2009-06-05 Thread Steve Bertrand
Chuck Anderson wrote: On Fri, Jun 05, 2009 at 05:50:28PM -0500, Justin Krejci wrote: If the private link between the two sites fails, will BGP allow for us to access the IP subnets at site 2 from site 1 via the internet given that both sites are advertising under the same ASN? Maybe.

Re: Multi site BGP Routing design

2009-06-05 Thread Steve Bertrand
john.herb...@ins.com wrote: Depending on your security policies you may want to encrypt said tunnel also. Other than that, it all depends on it all depends. For example - if you receive / or have a default route pointing to the ISP, then the fact you have the same AS and won't receive the

Re: Multi site BGP Routing design

2009-06-05 Thread Steve Bertrand
Chuck Anderson wrote: On Fri, Jun 05, 2009 at 07:40:15PM -0500, john.herb...@ins.com wrote: This is a good concept but if the ISP route is a Juniper then as I recall by default it looks ahead, sees the as-path routing loop if it were to send it to the other router, and doesn't send it. So

Re: Multi site BGP Routing design

2009-06-05 Thread Steve Bertrand
Randy Bush wrote: Have you ever known an ISP to not co-operate when it comes to requesting a BGP session? yes. this problem is rampant with colonialist telcos in the poorer countries. Yeah, well, I don't live in a poorer country, and I deal with it here. *cough* Steve

Re: Multi-homed clients and BGP timers

2009-05-26 Thread Steve Bertrand
Steve Bertrand wrote: My problem is the noticeable delay for switchover when the fibre happens to go down (God forbid). I would like to know if BGP timer adjustment is the way to adjust this, or if there is a better/different way. It's fair to say that the fibre doesn't 'flap'. Based

Multi-homed clients and BGP timers

2009-05-22 Thread Steve Bertrand
Hi all, I've got numerous single-site 100Mb fibre clients who have backup SDSL links to my PoP. The two services terminate on separate distribution/access routers. The CPE that peers to my fibre router sets a community, and my end sets the pref to 150 based on it. The CPE also sets a higher pref

Re: Multi-homed clients and BGP timers

2009-05-22 Thread Steve Bertrand
Zaid Ali wrote: From experience I found that you need to keep all the timers in sync with all your peers. Something like this for every peer in your bgp config. neighbor xxx.xx.xx.x timers 30 60 Make sure that this is communicated to your peer as well so that their timer settings are

Re: Multi-homed clients and BGP timers

2009-05-22 Thread Steve Bertrand
Danny McPherson wrote: On May 22, 2009, at 5:15 PM, Steve Bertrand wrote: neighbor xxx.xx.xx.x timers 30 60 Make sure that this is communicated to your peer as well so that their timer settings are reflected the same. Thankfully at this point, we manage all CPE of any clients who peer

Re: Multi-homed clients and BGP timers

2009-05-22 Thread Steve Bertrand
Jack Bates wrote: Steve Bertrand wrote: Well, unfortunately, the local PUC owns the fibre, and they have a switch aggregating all of their fibre in a star pattern. They then trunk the VLANs to me across two redundant pair. I'm in the process of persuading them to allow me to put my own gear

Re: ISP best practices

2009-05-21 Thread Steve Bertrand
Philip Lavine wrote: To all, I am sure this has been asked 10 to the 1 millionth power times, however maybe the rules have changed. I am looking to set up a really small ISP with a few /24's. I want to host DNS as well. Is there any whitepapers/howtos/best practices on setting up

Re: ISP best practices

2009-05-21 Thread Steve Bertrand
Jon Lewis wrote: Still, it's better to get your config done right than rely on your providers to ignore what you shouldn't be advertising. I have to agree completely with Jon here. As a small SP, it is prudent to do everything you can to be a good 'netizen. Apply your outbound prefix lists

IPv6 iperf testing

2009-05-20 Thread Steve Bertrand
Hi all, I have a very quick selfish question... Is there anyone here who can provide me with an IPv6-listening iperf for a short time, so I can do some testing through my infrastructure and over my transit links? Max bandwidth 60Mb for short bursts (if I'm lucky). Steve

Re: IPv6 iperf testing

2009-05-20 Thread Steve Bertrand
Steve Bertrand wrote: Is there anyone here who can provide me with an IPv6-listening iperf for a short time, so I can do some testing through my infrastructure and over my transit links? I want to thank everyone who responded to my request. The responses were/are overwhelming. I've found

Re: Broadband Subscriber Management

2009-04-23 Thread Steve Bertrand
Arie Vayner wrote: You need also to remember that in many cases the DSL link is not provided by the actual ISP. In many cases this is a wholesale scenario which uses L2TP to forward the PPP session from the telco/DSL provider to the ISP. In many cases there would also be another L2TP hop to

Pro-actively publishing IRR data

2009-03-16 Thread Steve Bertrand
I'm still working on trying to get my primary provider to BGP peer with us, but in the meantime, I'd like to pro-actively publish our objects and route policy to the IRR. My primary provider is currently advertising our IPv4 routes for us from their AS. Are there any potential dangers of

Re: Pro-actively publishing IRR data

2009-03-16 Thread Steve Bertrand
Joe Provo wrote: On Mon, Mar 16, 2009 at 12:14:08PM -0400, Steve Bertrand wrote: [snip] Are there any potential dangers of publishing our information before we use it that I may be overlooking? In case you are worried about folks who filter, recall that the IRR uniqueness is based upon

ISP network re-design feedback requested

2009-02-28 Thread Steve Bertrand
Hi everyone, Hopefully my question is operational 'enough' to be asked here, as I don't know of any other place to ask... Still trying to redesign (as-I-go) our ISP network, I've realized that we are not large enough to deploy a full three layer approach (core, dist, acc), so I'm trying to

Re: DPI or Flow Management

2009-02-28 Thread Steve Bertrand
Francois Menard wrote: The Coalition of Internet Service Providers has filed a substantial contribution at the CRTC stating: 1) The CRTC should forbid DPI, as it cannot be proven to be 98.5% effective at trapping P2P, such as to guarantee congestion relief 2) The CRTC should allow for

Re: real hardware router VS linux router

2009-02-19 Thread Steve Bertrand
Ingo Flaschberger wrote: this platform can handle about 100.000pps and 400mbit 1500byte packets with freebsd http://lannerinc.com/Network_Application_Platforms/x86_Network_Appliance/1U_Network_Appliances/FW-7550 hardware: 4x pci 32bit, 33mhz intel gbit 1gb cf-card 1gb ram

Re: real hardware router VS linux router

2009-02-19 Thread Steve Bertrand
Ryan Harden wrote: While you could probably build a linux router that is just as fast as a real hardware router, you're always going to run into the moving pieces part of the equation. Not if you boot directly from USB key into memory with no disk drive. Steve

Re: One /22 Two ISP no BGP

2009-02-06 Thread Steve Bertrand
Daniel Rogers wrote: The ISP may not support peering BGP with you, but can they publish routes for you? I find it hard to believe ANY ISP just doesn't support BGP. It is very possible that the ISP doesn't support BGP, but more likely, I'd bet that the ISP has never configured BGP on the client

Re: One /22 Two ISP no BGP

2009-02-06 Thread Steve Bertrand
Jason Biel wrote: The link that goes down will trigger that provider to remove the route, traffic will swing and start coming in on the backup link. This is assuming that 'ISP1' has the capability to advertise the OP's route in the first place. What if ISP1 is simply a customer of another ISP,

[Update] Re: New ISP to market, BCP 38, and new tactics

2009-02-03 Thread Steve Bertrand
For all the kind folk who have been asking how my project is going, I'll summarize here. - I've enabled strict uRPF filtering on all interfaces that I am certain what the source will be. - I've implemented a mix of loose uRPF combined with ACL's on interfaces that I know have multi-homed clients

Re: [Update] Re: New ISP to market, BCP 38, and new tactics

2009-02-03 Thread Steve Bertrand
Nathan Ward wrote: On 4/02/2009, at 2:33 PM, Steve Bertrand wrote: - Currently, (as I write), I'm migrating my entire core from IPv4 to IPv6. I've got the space, and I love to learn, so I'm just lab-ing it up now to see how things will flow with all iBGP v4 routes being advertised/routed

Re: [Update] Re: New ISP to market, BCP 38, and new tactics

2009-02-03 Thread Steve Bertrand
Skeeve Stevens wrote: Agreed. Keeping it separate works very well. Can be the same interface sure... but do it as a separate session. Yeah, that's what I thought, and that is exactly what I've been doing thus far. I was hoping to have a v6-only core, but in order to get the current project

Re: New ISP to market, BCP 38, and new tactics

2009-01-29 Thread Steve Bertrand
Raoul Bhatia [IPAX] wrote: hello steve, Steve Bertrand wrote: I've done much research on RPSL, BCP 38, and other basic filter methods (and from a systems standpoint, I always follow an allow,allow,default-deny approach) , and I am willing to follow all standards and recommended practises

New ISP to market, BCP 38, and new tactics

2009-01-26 Thread Steve Bertrand
Although I've posted to this list before, I don't want to waste your time. This is an ops question, so I'm looking for direction, off-list if necessary. We are a *very* small I-SP, and am just now being put in the position to be a backup transit for a client. Currently, our 'upstream' advertises

Re: ? how cisco router handle the out-of-order ICMP echo-reply packets

2009-01-06 Thread Steve Bertrand
Scott Morris wrote: There aren't sequence numbers with ICMP. And the timeout value is watched/triggered before the next ICMP is sent, so there shouldn't really be any ordering problem/interpretation anyway. FYI, from RFC 792: Sequence Number Description The data received in the

Re: ? how cisco router handle the out-of-order ICMP echo-reply packets

2009-01-06 Thread Steve Bertrand
Steve Bertrand wrote: Scott Morris wrote: There aren't sequence numbers with ICMP. And the timeout value is watched/triggered before the next ICMP is sent, so there shouldn't really be any ordering problem/interpretation anyway. FYI, from RFC 792: My apologies. I should have actually used

Re: What to do when your ISP off-shores tech support

2008-12-27 Thread Steve Bertrand
Matthew Black wrote: I've had difficulties reaching anyone with a brain at my DSL provider Verizon California. I can reliably ping the first hop from my home to the CO with a 25ms delay. But if I ping any other location, packets get dropped or significantly delayed. To me, this sounds like

Re: BGP, ebgp-multihop and multiple peers

2008-08-27 Thread Steve Bertrand
Iljitsch van Beijnum wrote: On 27 aug 2008, at 7:58, Paul Wall wrote: - single loopback/single IP for all peers, or; - each peer with its own loopback/IP? You should use caution when using loopback IP addresses and building external multihop BGP sessions. By permitting external devices to

Re: BGP, ebgp-multihop and multiple peers

2008-08-27 Thread Steve Bertrand
Iljitsch van Beijnum wrote: The advantage of a separate loopback address is that if you ever have any trouble, you can simply remove that address and the trouble is gone, too. This wouldn't work for the loopback address you also use for iBGP or a physical interface. Ok. It probably would

BGP, ebgp-multihop and multiple peers

2008-08-26 Thread Steve Bertrand
Hi everyone, This question comes after likely overlooking an IETF document or BCP that describes what I'm after. Given that I am looking for advice from someone who is more experienced operationally in this regard than me, and that this technically is an implementation-neutral question, I

Aid in bypassing DNS issue

2008-07-28 Thread Steve Bertrand
With the time I've had, I've tried my best to keep up with every message related to the current issue upon us related to DNS. I am a small op, amongst many that I've met the last few days that may need assistance. I would like at least someone from a large operation to read what I've done,

Re: SMTP no-such-user issues

2008-06-18 Thread Steve Bertrand
Steve Bertrand wrote: Hi everyone, We are experiencing an issue in regards to SMTP MTA relay responses regarding 'no such user', and it *apparently* appears to be only occurring when a particular site attempts to deliver email to us. For the sake of completeness... The problem has been

Re: SMTP no-such-user issues

2008-06-17 Thread Steve Bertrand
Steve Bertrand wrote: Hi everyone, We are experiencing an issue in regards to SMTP MTA relay responses regarding 'no such user', and it *apparently* appears to be only occurring when a particular site attempts to deliver email to us. Any advice on how to further troubleshoot my issue would

Re: SMTP no-such-user issues

2008-06-17 Thread Steve Bertrand
Frank Bulk - iNAME wrote: Once you've performed a full capture on port 25, Wireshark does a nice job of providing an option to extract the relevant conversation by right-clicking on just one packet in that conversation and choosing something called Follow the TCP stream, I believe. Ok. I've

Re: SMTP no-such-user issues

2008-06-17 Thread Steve Bertrand
Shane Short wrote: are you using vpopmail with your qmail install? (I can't seem to load your errors again, I recall they were chkuser failures) Yes, vpopmail against MySQL. I've had this problem before when I've run out of MySQL connections and vchkuser was then failing. Thanks for the

SMTP no-such-user issues

2008-06-16 Thread Steve Bertrand
Hi everyone, We are experiencing an issue in regards to SMTP MTA relay responses regarding 'no such user', and it *apparently* appears to be only occurring when a particular site attempts to deliver email to us. Any advice on how to further troubleshoot my issue would be greatly appreciated.

Re: Cable Colors

2008-06-16 Thread Steve Bertrand
David Coulson wrote: Jon Kibler wrote: Not based on any standard, but here is a schema I have used many times: snip Where I used to work - ISP. All of the above - Yellow. Where I work now - Enterprise. All of the above - Grey. LOL, simplicity via obscurity at its finest ;) Colour coding

Re: Cable Colors

2008-06-16 Thread Steve Bertrand
David Coulson wrote: Steve Bertrand wrote: LOL, simplicity via obscurity at its finest ;) Colour coding works great, and it's easy to follow. Then there is that issue that pops up where *that* cable over there will work! 90% of our movable cable patches (aka stuff that is not hard wired
