Re: It's the end of the world as we know it -- REM

2013-04-30 Thread John Curran
On Apr 30, 2013, at 1:46 AM, Jimmy Hess mysi...@gmail.com wrote:

 On 4/29/13, John Curran jcur...@arin.net wrote:
 On Apr 29, 2013, at 2:46 PM, Lee Howard l...@asgard.org wrote:
 On 4/29/13 1:03 AM, Jérôme Nicolle jer...@ceriz.fr wrote:
 specified (based on being singly-homed or multi-homed.)  These same
 criteria now apply to receipt of an address block via transfer, so at
 regional IPv4 free pool depletion may be _very_ difficult to satisfy.
 
 Huh?  Where did that concept come from?  

Alas, NRPM 8.3 requires that the recipient must demonstrate the need for up 
to a 24-month supply of IP address resources _under current ARIN policies_ ...
which requires that transfer recipients be able to demonstrate need per current 
IPv4 allocation or allocation policies.  If you could not qualify for any IPv4
assignment or allocation from ARIN, then you are not a valid recipient.  This
language (or very similar) has been in the 8.3 transfer policy since inception
in 2009 https://www.arin.net/policy/proposals/2009_1.html and effectively
links transfers to same needs-determination language as used for assignments
(only allowing for a much larger block to be transferred at 24-months than 
the ISP 3-month allocation size.)

FYI,
/John

John Curran
President and CEO
ARIN





Office 365 broken on ipv6

2013-04-30 Thread Nick Hilliard
https://outlook.office365.com does not work on ipv6; looks like this has
been broken for some while.

Can someone from Microsoft please fix?

 crumpet:/Users/nick% telnet -6 outlook.office365.com 443
 Trying 2a01:111:f400:1000::9...
 telnet: connect to address 2a01:111:f400:1000::9: Connection refused
 Trying 2a01:111:f400:8000::2...
 telnet: connect to address 2a01:111:f400:8000::2: Connection refused
 Trying 2a01:111:f400:9800::6...
 telnet: connect to address 2a01:111:f400:9800::6: Connection refused
 Trying 2a01:111:f400:9814::12...
 telnet: connect to address 2a01:111:f400:9814::12: Connection refused
 telnet: Unable to connect to remote host
 crumpet:/Users/nick% 

Nick



Re: Office 365 broken on ipv6

2013-04-30 Thread Sasa Ristic
from Europe, using ipv6, it seems to be working:
---
zarko.ke...@rnids.rsmaster:~$  telnet -6 outlook.office365.com 443
Trying 2a01:111:f400:800::6...
Connected to ipv6.exchangelabs.com.
Escape character is '^]'.
---




On Tue, Apr 30, 2013 at 12:33 PM, Nick Hilliard n...@foobar.org wrote:

 https://outlook.office365.com does not work on ipv6; looks like this has
 been broken for some while.

 Can someone from Microsoft please fix?

  crumpet:/Users/nick% telnet -6 outlook.office365.com 443
  Trying 2a01:111:f400:1000::9...
  telnet: connect to address 2a01:111:f400:1000::9: Connection refused
  Trying 2a01:111:f400:8000::2...
  telnet: connect to address 2a01:111:f400:8000::2: Connection refused
  Trying 2a01:111:f400:9800::6...
  telnet: connect to address 2a01:111:f400:9800::6: Connection refused
  Trying 2a01:111:f400:9814::12...
  telnet: connect to address 2a01:111:f400:9814::12: Connection refused
  telnet: Unable to connect to remote host
  crumpet:/Users/nick%

 Nick




-- 
ricky


Re: Office 365 broken on ipv6

2013-04-30 Thread Aftab Siddiqui
Quite Interesting...

from Europe, using ipv6, it seems to be working:
 ---
 zarko.ke...@rnids.rsmaster:~$  telnet -6 outlook.office365.com 443
 Trying 2a01:111:f400:800::6...
 Connected to ipv6.exchangelabs.com.
 Escape character is '^]'.
 ---


The IP address you have mentioned is working fine.

[root@stingray ~]# telnet 2a01:111:f400:800::6 443
Trying 2a01:111:f400:800::6...
Connected to 2a01:111:f400:800::6.
Escape character is '^]'.

but outlook.office365.com is not resolving to the above address google n he
dns.

Regards,
Aftab A. Siddiqui


Re: Office 365 broken on ipv6

2013-04-30 Thread Sasa Ristic
yes, you are correct... resolved at my local dns:

master:~$ host outlook.office365.com
outlook.office365.com is an alias for
outlook.office365.com.glbdns.microsoft.com.
outlook.office365.com.glbdns.microsoft.com is an alias for
outlook-latam.office365.com.
outlook-latam.office365.com has IPv6 address 2a01:111:f400:2c00::6
outlook-latam.office365.com has IPv6 address 2a01:111:f400:800::6
outlook-latam.office365.com has IPv6 address 2a01:111:f400:c00::6
outlook-latam.office365.com has IPv6 address 2a01:111:f400:1800::6

2a01:111:f400:c00::6 and 2a01:111:f400:1800::6 are not responding to
queries on port 443, the other two (2a01:111:f400:2c00::6 and
2a01:111:f400:800::6) are working...


MS should fix this...




On Tue, Apr 30, 2013 at 1:45 PM, Aftab Siddiqui aftab.siddi...@gmail.com wrote:



 Quite Interesting...

  from Europe, using ipv6, it seems to be working:
 ---
 zarko.ke...@rnids.rsmaster:~$  telnet -6 outlook.office365.com 443

 Trying 2a01:111:f400:800::6...
 Connected to ipv6.exchangelabs.com.
 Escape character is '^]'.
 ---


 The IP address you have mentioned is working fine.

 [root@stingray ~]# telnet 2a01:111:f400:800::6 443

 Trying 2a01:111:f400:800::6...
 Connected to 2a01:111:f400:800::6.

 Escape character is '^]'.

 but outlook.office365.com is not resolving to the above address google n
 he dns.

 Regards,
 Aftab A. Siddiqui




-- 
ricky


Re: Office 365 broken on ipv6

2013-04-30 Thread Jared Mauch
FYI: Here's what I'm seeing:

puck:~$ curl -v https://outlook.office365.com/
* About to connect() to outlook.office365.com port 443 (#0)
*   Trying 2a01:111:f400:400::2...
* Connection refused
*   Trying 2a01:111:f400:2c16::2...
* Connection refused
*   Trying 2a01:111:f400:2c2a::12...
* Connection refused
*   Trying 2a01:111:f400:83e::2...
* Connection refused
*   Trying 2a01:111:f400:c04::9...
* Connection refused
*   Trying 2a01:111:f400:16::6...
* Connection refused
*   Trying 157.56.239.18...
* connected
* Connected to outlook.office365.com (157.56.239.18) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_SHA
* Server certificate:
*   subject: CN=outlook.com,OU=Exchange,O=Microsoft 
Corporation,L=Redmond,ST=Washington,C=US
*   start date: Sep 18 18:53:09 2012 GMT
*   expire date: Sep 18 18:53:09 2014 GMT
*   common name: outlook.com
*   issuer: CN=MSIT Machine Auth CA 2,DC=redmond,DC=corp,DC=microsoft,DC=com
 GET / HTTP/1.1
 User-Agent: curl/7.27.0
 Host: outlook.office365.com
 Accept: */*


On Apr 30, 2013, at 7:58 AM, Sasa Ristic ristic.s...@gmail.com wrote:

 yes, you are correct... resolved at my local dns:
 
 master:~$ host outlook.office365.com
 outlook.office365.com is an alias for
 outlook.office365.com.glbdns.microsoft.com.
 outlook.office365.com.glbdns.microsoft.com is an alias for
 outlook-latam.office365.com.
 outlook-latam.office365.com has IPv6 address 2a01:111:f400:2c00::6
 outlook-latam.office365.com has IPv6 address 2a01:111:f400:800::6
 outlook-latam.office365.com has IPv6 address 2a01:111:f400:c00::6
 outlook-latam.office365.com has IPv6 address 2a01:111:f400:1800::6
 
 2a01:111:f400:c00::6 and 2a01:111:f400:1800::6 are not responding to
 queries on port 443, the other two (2a01:111:f400:2c00::6 and
 2a01:111:f400:800::6) are working...
 
 
 MS should fix this...
 
 
 
 
 On Tue, Apr 30, 2013 at 1:45 PM, Aftab Siddiqui 
 aftab.siddi...@gmail.comwrote:
 
 
 
 Quite Interesting...
 
 from Europe, using ipv6, it seems to be working:
 ---
 zarko.ke...@rnids.rsmaster:~$  telnet -6 outlook.office365.com 443
 
 Trying 2a01:111:f400:800::6...
 Connected to ipv6.exchangelabs.com.
 Escape character is '^]'.
 ---
 
 
 The IP address you have mentioned is working fine.
 
 [root@stingray ~]# telnet 2a01:111:f400:800::6 443
 
 Trying 2a01:111:f400:800::6...
 Connected to 2a01:111:f400:800::6.
 
 Escape character is '^]'.
 
 but outlook.office365.com is not resolving to the above address google n
 he dns.
 
 Regards,
 Aftab A. Siddiqui
 
 
 
 
 -- 
 ricky
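The pattern in this thread is that a GSLB name hands out several AAAA records and only some of them answer on 443, so a single connect attempt (or a single resolver) tells you very little. Below is an added example, not code from the thread, that resolves every address a name has, probes each one independently and classifies the result as full or partial IPv6 breakage; the address list in the module's self-check is constructed from the values quoted above, and the probe function is pluggable so the classification logic can be exercised without network access.

```python
"""Probe every address behind a dual-stack name and classify IPv6 reachability."""
import socket
from typing import Callable, Dict, List, Optional

# A probe takes (address, port, timeout) and returns None on success or an
# error string on failure. Keeping it pluggable lets the classification be
# checked offline with constructed results instead of live connects.
ProbeFn = Callable[[str, int, float], Optional[str]]


def resolve_all(host: str, port: int = 443) -> List[str]:
    """Return every distinct IPv4/IPv6 literal the local resolver gives for host."""
    addrs: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM
    ):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def tcp_probe(addr: str, port: int, timeout: float) -> Optional[str]:
    """One TCP connect to a literal address (no DNS); None if it connects."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        return None
    except OSError as exc:  # ECONNREFUSED, timeout, unreachable, ...
        return exc.strerror or exc.__class__.__name__
    finally:
        sock.close()


def probe_addresses(
    addrs: List[str], port: int = 443, timeout: float = 3.0, probe: ProbeFn = tcp_probe
) -> Dict[str, Optional[str]]:
    """Probe each address on its own so one working record cannot mask the rest."""
    return {addr: probe(addr, port, timeout) for addr in addrs}


def summarize(results: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Classify the per-address results into an overall verdict.

    'ipv6-down'    : every AAAA failed but at least one A record connected
    'ipv6-partial' : some AAAA connected, some did not (the GSLB case above)
    'ok'           : everything connected
    'mixed'        : anything else (e.g. IPv4 failures too)
    """
    v6 = [a for a in results if ":" in a]
    v4 = [a for a in results if ":" not in a]
    v6_ok = [a for a in v6 if results[a] is None]
    v4_ok = [a for a in v4 if results[a] is None]
    if v6 and not v6_ok and v4_ok:
        verdict = "ipv6-down"
    elif v6 and v6_ok and len(v6_ok) < len(v6):
        verdict = "ipv6-partial"
    elif all(err is None for err in results.values()):
        verdict = "ok"
    else:
        verdict = "mixed"
    return {
        "verdict": verdict,
        "unreachable": sorted(a for a, err in results.items() if err is not None),
        "ipv6_reachable": sorted(v6_ok),
        "ipv4_reachable": sorted(v4_ok),
    }


# Constructed sample mirroring the thread: two AAAA records answer, two refuse,
# the single A record answers. Used for the offline self-check below.
SAMPLE_RESULTS: Dict[str, Optional[str]] = {
    "2a01:111:f400:800::6": None,
    "2a01:111:f400:2c00::6": None,
    "2a01:111:f400:c00::6": "Connection refused",
    "2a01:111:f400:1800::6": "Connection refused",
    "157.56.239.18": None,
}


def self_check() -> Dict[str, object]:
    """Run the classifier over the constructed sample via an injected probe."""
    fake_probe: ProbeFn = lambda addr, port, timeout: SAMPLE_RESULTS[addr]
    return summarize(probe_addresses(list(SAMPLE_RESULTS), probe=fake_probe))


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "outlook.office365.com"
    live = probe_addresses(resolve_all(host))
    for addr, err in live.items():
        print(f"{addr:40s} {'connected' if err is None else err}")
    print(summarize(live))
```

Running it with a hostname argument probes the live records through the local resolver; to compare what different resolvers hand out, run it from hosts using those resolvers, as the thread did by hand.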




Re: Office 365 broken on ipv6

2013-04-30 Thread Charlie Allom

On Tue, Apr 30, 2013 at 11:33:41AM +0100, Nick Hilliard n...@foobar.org wrote:
 https://outlook.office365.com does not work on ipv6; looks like this has
 been broken for some while.

Not one host in the RING says it is up:
https://spodder.com/p/ByYYcAomOxawsZRPme74X9pG

via https://ring.nlnog.net/

  C.

--
 +442077294797 (Office)
 +442031379505 (DDI)
 http://mediasp.com/



Tier1 blackholing policy?

2013-04-30 Thread Thomas Schmid

Greetings,

I know Tier1s are blackholing traffic all the time :) (de-peering, 
congestion etc.)

but did it become a new role for Tier1s to go from transit provider to
transit blocker?

We received recently customer complaints stating they can't reach 
certain websites. Investigation showed that the sites were not reachable 
via Tier1-T, but fine via Tier1-L. I contacted Tier1-T and the answer was 
something like yeah, this is a known phishing site and to protect our 
customers we blackhole that IP (btw - it was 2 ASes away from Tier1-T).

Huh? If I want to block something there, it should be my decision or 
that of my country's legal entities by court order and not being decided 
by some Tier1's intransparent security department. (Not even mentioning 
words like 'CGN', 'legal', 'net neutrality' or 'censorship') This might be 
an acceptable policy for a cable provider but not for a Tier1.

Haven't seen something like this in many years. Did I miss a 
paradigm-shift here and has this become a common service at Tier1s?

   Thomas






Re: Office 365 broken on ipv6

2013-04-30 Thread Jima
On Tue, April 30, 2013 10:33 am, Nick Hilliard wrote:
 https://outlook.office365.com does not work on ipv6; looks like this has
 been broken for some while.

 Can someone from Microsoft please fix?

 crumpet:/Users/nick% telnet -6 outlook.office365.com 443
 Trying 2a01:111:f400:1000::9...
 telnet: connect to address 2a01:111:f400:1000::9: Connection refused
 Trying 2a01:111:f400:8000::2...
 telnet: connect to address 2a01:111:f400:8000::2: Connection refused
 Trying 2a01:111:f400:9800::6...
 telnet: connect to address 2a01:111:f400:9800::6: Connection refused
 Trying 2a01:111:f400:9814::12...
 telnet: connect to address 2a01:111:f400:9814::12: Connection refused
 telnet: Unable to connect to remote host
 crumpet:/Users/nick%

 I brought this up to a contact at Microsoft on 2013-04-03; the
appropriate team was notified, but I guess someone dropped the ball. 
Oops.

 Jima




Re: Office 365 broken on ipv6

2013-04-30 Thread Hibler, Florian

Hi,
seems at least one box got fixed:

dyn-10-0-2-50:~ local_fhibler$ telnet -6 outlook.office365.com 443
Trying 2a01:111:f400:400::6...
telnet: connect to address 2a01:111:f400:400::6: Connection refused
Trying 2a01:111:f400:83e::6...
telnet: connect to address 2a01:111:f400:83e::6: Connection refused
Trying 2a01:111:f400:c04::2...
telnet: connect to address 2a01:111:f400:c04::2: Connection refused
Trying 2a01:111:f400:1014::2...
telnet: connect to address 2a01:111:f400:1014::2: Connection refused
Trying 2a01:111:f400:2c16::6...
Connected to outlook-namwest.office365.com.
Escape character is '^]'.

Best regards,
Florian

--
Florian Hibler
Chief Technical Officer
eMail: florian.hib...@kaiaglobal.com

Kaia Global Networks Limited
Internet: http://www.kaiaglobal.com
Company No. 08257877
Registered Office: High Wycombe, UK

Notice: This transmittal and/or attachments may be privileged or 
confidential. If you are not the intended recipient, you are hereby 
notified that you have received this transmittal in error; any review, 
dissemination, or copying is strictly prohibited. If you received this 
transmittal in error, please notify us immediately by reply and 
immediately delete this message and all its attachments. Thank you.




RE: Office 365 broken on ipv6

2013-04-30 Thread Christopher Palmer
This is being escalated.

-Original Message-
From: Hibler, Florian [mailto:florian.hib...@kaiaglobal.com] 
Sent: Tuesday, April 30, 2013 4:38 AM
To: nanog@nanog.org
Subject: Re: Office 365 broken on ipv6

Hi,
seems at least one box got fixed:

dyn-10-0-2-50:~ local_fhibler$ telnet -6 outlook.office365.com 443
Trying 2a01:111:f400:400::6...
telnet: connect to address 2a01:111:f400:400::6: Connection refused
Trying 2a01:111:f400:83e::6...
telnet: connect to address 2a01:111:f400:83e::6: Connection refused
Trying 2a01:111:f400:c04::2...
telnet: connect to address 2a01:111:f400:c04::2: Connection refused
Trying 2a01:111:f400:1014::2...
telnet: connect to address 2a01:111:f400:1014::2: Connection refused
Trying 2a01:111:f400:2c16::6...
Connected to outlook-namwest.office365.com.
Escape character is '^]'.

Best regards,
Florian

--
Florian Hibler
Chief Technical Officer
eMail: florian.hib...@kaiaglobal.com

Kaia Global Networks Limited
Internet: http://www.kaiaglobal.com
Company No. 08257877
Registered Office: High Wycombe, UK






Re: Tier1 blackholing policy?

2013-04-30 Thread ML
On 4/30/2013 10:31 AM, Thomas Schmid wrote:
 Greetings,

 I know Tier1s are blackholing traffic all the time :) (de-peering,
 congestion etc.)
 but did it become a new role for Tier1s to go from transit provider to
 transit blocker?

 We received recently customer complaints stating they can't reach
 certain websites.
 Investigation showed that the sites were not reachable via Tier1-T,
 but fine via
 Tier1-L. I contacted Tier1-T and the answer was something like yeah,
 this is a known phishing
 site and to protect our customers we blackhole that IP (btw - it was
 2 ASes away from Tier1-T).

 Huh? If I want to block something there, it should be my decision or
 that of my country's legal
 entities by court order and not being decided by some Tier1's
 intransparent security department.
 (Not even mentioning  words like 'CGN', 'legal', 'net neutrality' or
 'censorship') This might be
 an acceptable policy for a cable provider but not for a Tier1.

 Haven't seen something like this in many years. Did I miss a
 paradigm-shift here and has this
 become a common service at Tier1s?

Thomas


Ideally what should a Tier 1 or default-free network do in this
situation[1]?

1) Do nothing - They're supposed to deliver any and all bits (Disregarding
a DoS or similar situation which impedes said network)
2) Prefix filter - Don't be a party (at least in one direction) to the
bad actor's traffic.
3) ?

[1] Assuming there is some sort of security and/or wrongdoing event that
isn't getting resolved via contact with their peer.



Re: Tier1 blackholing policy?

2013-04-30 Thread Chris Boyd
On Tue, 2013-04-30 at 10:59 -0400, ML wrote:
 1) Do nothing - They're supposed deliver any and all bits
 (Disregarding
 a DoS or similar situation which impedes said network)
 2) Prefix filter - Don't be a party (at least in one direction) to the
 bad actors traffic. 

3 - Deliver all packets unless I've signed up for an enhanced security
offering?

--Chris




Re: Tier1 blackholing policy?

2013-04-30 Thread Jared Mauch
Sounds like a no win situation. Either you let the bad guys do things or get 
complaints you blocked the bad guys. 

Jared Mauch

On Apr 30, 2013, at 11:07 AM, Chris Boyd cb...@gizmopartners.com wrote:

 On Tue, 2013-04-30 at 10:59 -0400, ML wrote:
 1) Do nothing - They're supposed deliver any and all bits
 (Disregarding
 a DoS or similar situation which impedes said network)
 2) Prefix filter - Don't be a party (at least in one direction) to the
 bad actors traffic.
 
 3 - Deliver all packets unless I've signed up for an enhanced security
 offering?
 
 --Chris
 



Re: Tier1 blackholing policy?

2013-04-30 Thread Patrick W. Gilmore
On Apr 30, 2013, at 11:07 , Chris Boyd cb...@gizmopartners.com wrote:
 On Tue, 2013-04-30 at 10:59 -0400, ML wrote:

 1) Do nothing - They're supposed deliver any and all bits
 (Disregarding
 a DoS or similar situation which impedes said network)
 2) Prefix filter - Don't be a party (at least in one direction) to the
 bad actors traffic. 
 
 3 - Deliver all packets unless I've signed up for an enhanced security
 offering?

While I like that plan, there are a LOT more people who will scream about not 
being protected than those who will bitch they can't get to a phishing site.

Since networks are for-profit companies, they'll lower their costs (e.g. 
support calls), as long as it lowers their cost more than the cost of losing 
a customer or two (and let's be honest, that is about all they _might_ lose) 
who are religious about the whole transit means everywhere thing.

-- 
TTFN,
patrick




Re: Tier1 blackholing policy?

2013-04-30 Thread Jon Lewis

On Tue, 30 Apr 2013, Thomas Schmid wrote:

I know Tier1s are blackholing traffic all the time :) (de-peering, 
congestion etc.) but did it become a new role for Tier1s to go from 
transit provider to transit blocker?


We received recently customer complaints stating they can't reach 
certain websites. Investigation showed that the sites were not reachable 
via Tier1-T, but fine via Tier1-L. I contacted Tier1-T and the answer 
was something like yeah, this is a known phishing site and to protect 
our customers we blackhole that IP (btw - it was 2 ASes away from 
Tier1-T).


Huh? If I want to block something there, it should be my decision or 
that of my country's legal entities by court order and not being decided 
by some Tier1's intransparent security department. (Not even mentioning 
words like 'CGN', 'legal', 'net neutrality' or 'censorship') This might 
be an acceptable policy for a cable provider but not for a Tier1.


Haven't seen something like this in many years. Did I miss a 
paradigm-shift here and has this become a common service at Tier1s?


I vaguely recall having the same sort of problem many years ago with 
Above.net transit.  IIRC, the sentiment back then was similarly that this 
was inappropriate behavior for a Tier1/2 transit provider.  If you're 
going to propagate the routes, deliver the traffic.  I suppose an argument 
could be made though that if there's phishing or malicious traffic 
targeting your customers from a single IP, it could be appropriate to 
blackhole the IP rather than reject the advertisement for an entire CIDR.


--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Tier1 blackholing policy?

2013-04-30 Thread Dobbins, Roland

On Apr 30, 2013, at 10:07 PM, Chris Boyd wrote:

 3 - Deliver all packets unless I've signed up for an enhanced security 
 offering?

Even if said packets from an obviously compromised server on a high-speed link 
are attack packets causing problems for the ISP itself as well as for its 
customers?  

Trust me, large transit ISPs don't *want* to be in the blackholing business.  
They only do so when they're forced into it by necessity (operational, legal, 
regulatory).

Also note that in the case of the server(s) you can't access, they may well be 
on shared hosting with thousands of sites/accounts on a single IP, one or more 
of which may be compromised.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: Tier1 blackholing policy?

2013-04-30 Thread Tassos Chatzithomaoglou
I think blocking phishing sites vs blocking ddos require a different approach.


--
Tassos

Jared Mauch wrote on 30/04/2013 18:11:
 Sounds like a no win situation. Either you let the bad guys do things or get 
 complaints you blocked the bad guys. 

 Jared Mauch

 On Apr 30, 2013, at 11:07 AM, Chris Boyd cb...@gizmopartners.com wrote:

 On Tue, 2013-04-30 at 10:59 -0400, ML wrote:
 1) Do nothing - They're supposed deliver any and all bits
 (Disregarding
 a DoS or similar situation which impedes said network)
 2) Prefix filter - Don't be a party (at least in one direction) to the
 bad actors traffic.
 3 - Deliver all packets unless I've signed up for an enhanced security
 offering?

 --Chris







Re: Tier1 blackholing policy?

2013-04-30 Thread Thomas Schmid

On 30.04.2013 17:07, Chris Boyd wrote:

On Tue, 2013-04-30 at 10:59 -0400, ML wrote:

1) Do nothing - They're supposed deliver any and all bits
(Disregarding
a DoS or similar situation which impedes said network)
2) Prefix filter - Don't be a party (at least in one direction) to the
bad actors traffic.


3 - Deliver all packets unless I've signed up for an enhanced security
offering?



right - I see this really as something that should be decided at the edge
of the internet (Tier2+) and not in the core.







Re: Office 365 broken on ipv6

2013-04-30 Thread Bernhard Schmidt
Nick Hilliard n...@foobar.org wrote:

 https://outlook.office365.com does not work on ipv6; looks like this has
 been broken for some while.

 Can someone from Microsoft please fix?

 crumpet:/Users/nick% telnet -6 outlook.office365.com 443
 Trying 2a01:111:f400:1000::9...
 telnet: connect to address 2a01:111:f400:1000::9: Connection refused
 Trying 2a01:111:f400:8000::2...
 telnet: connect to address 2a01:111:f400:8000::2: Connection refused
 Trying 2a01:111:f400:9800::6...
 telnet: connect to address 2a01:111:f400:9800::6: Connection refused
 Trying 2a01:111:f400:9814::12...
 telnet: connect to address 2a01:111:f400:9814::12: Connection refused
 telnet: Unable to connect to remote host
 crumpet:/Users/nick% 

JFYI, it has been like that for weeks now. Sometimes one of the hosts
connects but mostly all IPv6 addresses don't work.

Bernhard




Re: Tier1 blackholing policy?

2013-04-30 Thread Patrick W. Gilmore
On Apr 30, 2013, at 11:23 , Thomas Schmid sch...@dfn.de wrote:
 On 30.04.2013 17:07, Chris Boyd wrote:
 On Tue, 2013-04-30 at 10:59 -0400, ML wrote:

 1) Do nothing - They're supposed deliver any and all bits
 (Disregarding
 a DoS or similiar situation which impedes said network)
 2) Prefix filter - Don't be a party (at least in one direction) to the
 bad actors traffic.
 
 3 - Deliver all packets unless I've signed up for an enhanced security
 offering?
 
 right - I see this really as something that should be decided at the edge
 of the internet (Tier2+) and not in the core.

Core? Seriously?

Which of these statements are true:

A) Is it impossible for an end user or business (i.e. non-ISP) to get a direct 
connection to a Tier 1 (whatever the hell that means) provider.
B) Most traffic on the Internet traverses Tier 1s today.
C) A Tier 1 has a different profit motive than a Tier 2 (whatever the hell that 
means) providers.
D) All Tier 1 providers are larger than all Tier 2 providers.

We'll just skip over the E) all of the above.

-- 
TTFN,
patrick

P.S. Hint: If you answered A, B, C, or D, you aren't paying attention.




Re: Tier1 blackholing policy?

2013-04-30 Thread joel jaeggli

On 4/30/13 8:23 AM, Thomas Schmid wrote:

On 30.04.2013 17:07, Chris Boyd wrote:

On Tue, 2013-04-30 at 10:59 -0400, ML wrote:

1) Do nothing - They're supposed deliver any and all bits
(Disregarding
a DoS or similar situation which impedes said network)
2) Prefix filter - Don't be a party (at least in one direction) to the
bad actors traffic.


3 - Deliver all packets unless I've signed up for an enhanced security
offering?



right - I see this really as something that should be decided at the edge
of the internet (Tier2+) and not in the core.
You seem to have odd ideas about what it means to be a settlement free 
provider. Most of their customers are not smaller internet service 
providers.








Re: Tier1 blackholing policy?

2013-04-30 Thread Thomas Schmid

Am 30.04.2013 17:53, schrieb Patrick W. Gilmore:
Core? Seriously?

Which of these statements are true:

A) Is it impossible for an end user or business (i.e. non-ISP) to get a direct 
connection to a Tier 1 (whatever the hell that means) provider.
B) Most traffic on the Internet traverses Tier 1s today.
C) A Tier 1 has a different profit motive than a Tier 2 (whatever the hell that 
means) providers.
D) All Tier 1 providers are larger than all Tier 2 providers.

We'll just skip over the E) all of the above.


agree - I oversimplified, but I think you got the idea ...

   Thomas





Re: Tier1 blackholing policy?

2013-04-30 Thread Patrick W. Gilmore


Composed on a virtual keyboard, please forgive typos. 

On Apr 30, 2013, at 12:32, Thomas Schmid sch...@dfn.de wrote:
 Am 30.04.2013 17:53, schrieb Patrick W. Gilmore:

 Core? Seriously? Which of these statements are true: A) Is it impossible 
 for an end user or business (i.e. non-ISP) to get a direct connection to a 
 Tier 1 (whatever the hell that means) provider. B) Most traffic on the 
 Internet traverses Tier 1s today. C) A Tier 1 has a different profit motive 
 than a Tier 2 (whatever the hell that means) providers. D) All Tier 1 
 providers are larger than all Tier 2 providers. We'll just skip over the E) 
 all of the above.
 
 agree - I oversimplified, but I think you got the idea ...

No, I did not get the point. 

I am not trolling. I just do not understand what you meant. Probably because 
there is no core, so your statement did not make sense.

-- 
TTFN,
patrick




Re: Tier1 blackholing policy?

2013-04-30 Thread Darius Jahandarie
On Tue, Apr 30, 2013 at 11:22 AM, Tassos Chatzithomaoglou
ach...@forthnetgroup.gr wrote:
 I think blocking phishing sites vs blocking ddos require a different approach.

I think I agree with this, and I think it can help draw a useful line.

Large DDoS attacks can and do directly affect the service that the
tier 1 is providing to its customers (namely, moving their bits), so
filtering such attacks seems like a reasonably agreeable thing by
really anyone I think.

Phishing on the other hand will not really stop bits from moving
(except perhaps through rather long chain of unlikely things that'd
have to happen).

The last-mile consumer ISPs don't just move bits for their customers
really, it's more about providing internet (which is a different
concept to normal users) -- and this is where filtering phishing sites
and blocking port 25 and such makes much more sense, because these
users will have a highly degraded experience if they become a botnet
drone or some such thing.

Granted, as Patrick says, tier 1 isn't really a thing, and they have
a mix of customers, but I think it's safe to say that these tier 1
providers should apply different policies for different types of
customers, because they are providing different services (even if
the underlying technology is the same/similar).

--
Darius Jahandarie



Re: Tier1 blackholing policy?

2013-04-30 Thread Jared Mauch

On Apr 30, 2013, at 12:43 PM, Darius Jahandarie djahanda...@gmail.com wrote:

 I think I agree with this, and I think it can help draw a useful line.
 
 Large DDoS attacks can and do directly affect the service that the
 tier 1 is providing to its customers (namely, moving their bits), so
 filtering such attacks seems like a reasonably agreeable thing by
 really anyone I think.
 
 Phishing on the other hand will not really stop bits from moving
 (except perhaps through rather long chain of unlikely things that'd
 have to happen).
 
 The last-mile consumer ISPs don't just move bits for their customers
 really, its more about providing internet (which is a different
 concept to normal users) -- and this is where filtering phishing sites
 and blocking port 25 and such makes much more sense, because these
 users will have a highly degraded experience if they become a botnet
 drone or some such thing.

If the phishing attack is against an enterprise that is also an ISP, surely you 
can imagine a case where they might block traffic to prevent folks from being 
phished.

I think it's great that someone is blocking folks from being infected with 
either malware or giving up their private details improperly.

Typically these sites are hacked anyways or something else.  I think that 
keeping the broadest set of people from being phished or compromised is a good 
thing(tm).  Typically a site is cleaned up in a few hours or day or two without 
trouble.  If your communication is that urgent, there are other methods like 
phone to communicate with the other party.  Not ideal, but they do exist.

- jared


Re: Tier1 blackholing policy?

2013-04-30 Thread Thomas Schmid

Am 30.04.2013 18:41, schrieb Patrick W. Gilmore:


Composed on a virtual keyboard, please forgive typos.

On Apr 30, 2013, at 12:32, Thomas Schmid sch...@dfn.de wrote:

Am 30.04.2013 17:53, schrieb Patrick W. Gilmore:

Core? Seriously?

Which of these statements are true:

A) Is it impossible for an end user or business (i.e. non-ISP) to get a direct
connection to a Tier 1 (whatever the hell that means) provider.
B) Most traffic on the Internet traverses Tier 1s today.
C) A Tier 1 has a different profit motive than a Tier 2 (whatever the hell that
means) providers.
D) All Tier 1 providers are larger than all Tier 2 providers.

We'll just skip over the E) all of the above.

agree - I oversimplified, but I think you got the idea ...

No, I did not get the point.

I am not trolling. I just do not understand what you meant. Probably because there is no 
core, so your statement did not make sense.



Patrick, what I mean is that someone that I pay money for providing me 
access to the guys I don't peer with decides for me what's good (according 
to his criteria) for me and my customers or even my customer's customers 
etc. If one of my peers blackholes his customers, it's his business and not 
mine and I don't care.

While I eventually could vote with my wallet if I don't like that policy, 
my question was more if that behavior is already that common at 'Tier1s' 
(definition omitted) that it would not make a difference anyway.

   Thomas











Andros Island Connectivity?

2013-04-30 Thread Aaron C. de Bruyn
I just had a client drop an interesting requirement on me.

They are on Andros Island (Bahamas) for about a year.  I'm working on
getting an exact address from the adminisphere above me, but all I've been
told so far is they are 'near the naval base'.

They just called and said We need internet access yesterday.

None of the people on-site are technical, and all their data is accessed
via RDP on a server in the United States.

Having never been there, I have no idea if it's like downtown San Francisco
where the internet grows on trees, or if it's like the Sahara desert which
might require dragging your own fiber in on camelback...

Does anyone have pointers on who to talk to or how I can get them internet
access?

-A


Re: Andros Island Connectivity?

2013-04-30 Thread Mike Lyon
Aaron,

Cross-posting this over to the WISPA list to see if there are any Wireless
ISPs over there that can help you.

-Mike



On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've been
 told so far is they are 'near the naval base'.

 They just called and said We need internet access yesterday.

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San Francisco
 where the internet grows on trees, or if it's like the Sahara desert which
 might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them internet
 access?

 -A




-- 
Mike Lyon
408-621-4826
mike.l...@gmail.com

http://www.linkedin.com/in/mlyon


Re: Andros Island Connectivity?

2013-04-30 Thread TR Shaw
Aaron, are they supporting the range? If so, there are options.

On Apr 30, 2013, at 4:28 PM, Aaron C. de Bruyn wrote:

 I just had a client drop an interesting requirement on me.
 
 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've been
 told so far is they are 'near the naval base'.
 
 They just called and said "We need internet access yesterday."
 
 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.
 
 Having never been there, I have no idea if it's like downtown San Francisco
 where the internet grows on trees, or if it's like the Sahara desert which
 might require dragging your own fiber in on camelback...
 
 Does anyone have pointers on who to talk to or how I can get them internet
 access?
 
 -A




Re: Andros Island Connectivity?

2013-04-30 Thread Warren Bailey
I suggested VSAT. Probably the quickest and cheapest.


Sent from my T-Mobile 4G LTE Device



 Original message 
From: Mike Lyon mike.l...@gmail.com
Date: 04/30/2013 1:35 PM (GMT-08:00)
To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
Cc: NANOG mailing list nanog@nanog.org
Subject: Re: Andros Island Connectivity?


Aaron,

Cross-posting this over to the WISPA list to see if there are any Wireless
ISPs over there that can help you.

-Mike



On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've been
 told so far is they are 'near the naval base'.

 They just called and said "We need internet access yesterday."

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San Francisco
 where the internet grows on trees, or if it's like the Sahara desert which
 might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them internet
 access?

 -A




--
Mike Lyon
408-621-4826
mike.l...@gmail.com

http://www.linkedin.com/in/mlyon



Re: Tier1 blackholing policy?

2013-04-30 Thread William Herrin
On Tue, Apr 30, 2013 at 10:31 AM, Thomas Schmid sch...@dfn.de wrote:
 We received recently customer complaints stating they can't reach certain
 websites. Investigation showed that the sites were not reachable via Tier1-T,
 but fine via Tier1-L. I contacted Tier1-T and the answer was something like
 "yeah, this is a known phishing site and to protect our customers we
 blackhole that IP" (btw - it was 2 ASes away from Tier1-T).

Hi Thomas,

On the one hand, companies providing Internet transit are not
generally compelled by law to pass packets for any other given company
on the Internet.

On the other hand, announcing via BGP that you will carry particular
packets and then intentionally dropping them on the floor could easily
be construed as tortious interference.

The middle ground... propagating a BGP announcement but blocking a
small piece within it... I think I'd want to cover my backside by
setting a BGP community on that route which advised my peers that a
portion of it is dead-routed within my network so that they may
discard or deprioritize it if they choose.

Regards,
Bill Herrin

-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
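Bill's middle ground, modelled as an added Python example (not code from the thread, and not any vendor's routing-policy language): the transit side tags an announcement whose covered space contains a null-routed host, and the receiving side lowers local-pref on tagged routes so an untagged path through another transit wins best-path for the whole prefix. The community 64496:666 is a constructed value in the documentation ASN range, and all prefixes are constructed.

```python
import ipaddress

# Constructed community value meaning "a portion of this prefix is dead-routed
# inside my network". 64496 is from the documentation ASN range (RFC 5398);
# this is not a standard community.
PARTIAL_BLACKHOLE = "64496:666"


def covering_announcements(announcements, blackholes):
    """Map each announced prefix to the null-routed hosts that fall inside it.

    Announcing a prefix tells peers "send me traffic for all of this"; any
    blackhole that lands inside an announcement is the gap between what is
    advertised and what is actually delivered.
    """
    shadowed = {}
    for ann in announcements:
        net = ipaddress.ip_network(ann["prefix"])
        dead = []
        for bh in blackholes:
            bh_net = ipaddress.ip_network(bh)
            if bh_net.version == net.version and bh_net.subnet_of(net):
                dead.append(bh)
        if dead:
            shadowed[ann["prefix"]] = dead
    return shadowed


def tag_announcements(announcements, blackholes, community=PARTIAL_BLACKHOLE):
    """Return copies of the announcements with the community added to every
    prefix that contains a null-routed host, so the data-plane gap becomes
    visible in the control plane."""
    shadowed = covering_announcements(announcements, blackholes)
    tagged = []
    for ann in announcements:
        out = dict(ann, communities=list(ann.get("communities", [])))
        if ann["prefix"] in shadowed and community not in out["communities"]:
            out["communities"].append(community)
        tagged.append(out)
    return tagged


def peer_import_policy(routes, community=PARTIAL_BLACKHOLE,
                       default_local_pref=100, penalty=50):
    """Receiving side: lower local-pref on tagged routes so an untagged path
    for the same prefix via another transit wins best-path selection."""
    policed = []
    for route in routes:
        local_pref = default_local_pref
        if community in route.get("communities", []):
            local_pref -= penalty
        policed.append(dict(route, local_pref=local_pref))
    return policed


def best_paths(routes_by_peer):
    """Pick, per prefix, the path with the highest local-pref (the first
    step of BGP best-path selection; ties keep the earlier peer)."""
    best = {}
    for peer, routes in routes_by_peer.items():
        for route in routes:
            current = best.get(route["prefix"])
            if current is None or route["local_pref"] > current["local_pref"]:
                best[route["prefix"]] = dict(route, peer=peer)
    return best


if __name__ == "__main__":
    # Constructed scenario: Tier1-T announces two /24s but null-routes one
    # host; Tier1-L announces the first /24 with nothing blackholed.
    tier1_t = tag_announcements(
        [{"prefix": "192.0.2.0/24"}, {"prefix": "198.51.100.0/24"}],
        ["192.0.2.66/32"],
    )
    tier1_l = [{"prefix": "192.0.2.0/24"}]
    chosen = best_paths({
        "Tier1-T": peer_import_policy(tier1_t),
        "Tier1-L": peer_import_policy(tier1_l),
    })
    for prefix, route in chosen.items():
        print(prefix, "via", route["peer"], "local-pref", route["local_pref"])
```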



Re: Andros Island Connectivity?

2013-04-30 Thread Mike Hale
It's the quickest but certainly not the cheapest.

On Tue, Apr 30, 2013 at 1:56 PM, Warren Bailey
wbai...@satelliteintelligencegroup.com wrote:
 I suggested VSAT. Probably the quickest and cheapest.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Lyon mike.l...@gmail.com
 Date: 04/30/2013 1:35 PM (GMT-08:00)
 To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
 Cc: NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Aaron,

 Cross-posting this over to the WISPA list to see if there are any Wireless
 ISPs over there that can help you.

 -Mike



 On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've been
 told so far is they are 'near the naval base'.

 They just called and said "We need internet access yesterday."

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San Francisco
 where the internet grows on trees, or if it's like the Sahara desert which
 might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them internet
 access?

 -A




 --
 Mike Lyon
 408-621-4826
 mike.l...@gmail.com

 http://www.linkedin.com/in/mlyon




-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: Tier1 blackholing policy?

2013-04-30 Thread Jared Mauch

On Apr 30, 2013, at 2:50 PM, bmann...@vacation.karoshi.com wrote:

   Phone?  You mean like Jitsi or Skype?
   Fax?
 
   I'd like to see some numbers to back your assertion of "Typical
   restoration times of days".

my vendors deliver software fixes for "BGP doesn't work" in weeks, so I think
that the following timeline and process I'm going to outline exceeds their BGP
problems.

0 hour - Issue Reported
0-24 hours - triage; send to customer/internal customer to mitigate/remediate
25-48 hours - Customer responds, host taken down if hacked, etc.
48-96 hours+ - If no response, IP null0'ed per AUP as network security risk
48-96 hours is also where the customer freaks out and quickly fixes their
problem to come into compliance with AUP.

This is a natural process.  Null0 or ACLs don't stay up for days or weeks on 
end.  That doesn't mean this catches 100% of all cases, but many ISPs get a 
daily report of phishing sites and malware hosted on their network each 
morning.  You can get one too!

http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

You can get a daily ATLAS report from Arbor as well: http://atlas.arbor.net/ 
(Although I can't get anyone to fix a problem with it, so anyone there can 
email me if you have the power to fix it).

There are other aggregators of data as well, such as SIE.  If you don't know 
the health of your network, take a look.  Many folks will email you these 
reports automatically, or provide you a direct feed (some in realtime, such as 
SIE).

- Jared
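The escalation timeline above as a small Python state machine, added here as an example (not Jared's or any ISP's tooling). The stage boundaries are the hours given in the message; the 96-hour outer limit for a customer who responded but never fixed the host is my assumption, and the report time and IPs are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Stage boundaries in hours after the report, taken from the message.
TRIAGE_HOURS = 24          # 0-24h: triage, send to customer to mitigate/remediate
NULL_ROUTE_HOURS = 48      # 48h+: no response -> IP null0'ed per AUP
HARD_DEADLINE_HOURS = 96   # assumption: outer limit even for a customer who
                           # responded but never fixed the host

# Constructed report time used by new_case() so runs are reproducible.
REPORTED_AT = datetime(2013, 4, 30, 9, 0)


@dataclass
class AbuseCase:
    ip: str
    reported_at: datetime
    notified_at: Optional[datetime] = None
    responded_at: Optional[datetime] = None
    remediated_at: Optional[datetime] = None
    null_routed: bool = False
    log: list = field(default_factory=list)


def new_case(ip, reported_at=REPORTED_AT):
    return AbuseCase(ip=ip, reported_at=reported_at)


def age_hours(case, now):
    return (now - case.reported_at).total_seconds() / 3600


def stage(case, now):
    """Which part of the timeline the case is in at `now`."""
    if case.remediated_at is not None and case.remediated_at <= now:
        return "resolved"
    hours = age_hours(case, now)
    if hours < TRIAGE_HOURS:
        return "triage"
    if hours < NULL_ROUTE_HOURS:
        return "awaiting-customer"
    if case.responded_at is not None and hours < HARD_DEADLINE_HOURS:
        return "awaiting-customer"
    return "null-route"


def stage_at(case, hours):
    return stage(case, case.reported_at + timedelta(hours=hours))


def step(case, now):
    """Take whatever action the current stage calls for, once; return it."""
    current = stage(case, now)
    action = None
    if current == "triage" and case.notified_at is None:
        case.notified_at = now
        action = f"notify customer about {case.ip}"
    elif current == "null-route" and not case.null_routed:
        case.null_routed = True
        action = f"install null route for {case.ip} (AUP)"
    elif current == "resolved" and case.null_routed:
        # Null0 does not stay up for weeks on end: lift it once fixed.
        case.null_routed = False
        action = f"withdraw null route for {case.ip}"
    if action is not None:
        case.log.append((now, action))
    return action


def run_timeline(case, events, horizon_hours=120):
    """Replay the case hour by hour. `events` maps hours-after-report to
    'responded' or 'remediated'. Returns [(hour, action), ...]."""
    actions = []
    for hour in range(horizon_hours + 1):
        now = case.reported_at + timedelta(hours=hour)
        event = events.get(hour)
        if event == "responded":
            case.responded_at = now
        elif event == "remediated":
            case.remediated_at = now
        action = step(case, now)
        if action is not None:
            actions.append((hour, action))
    return actions


if __name__ == "__main__":
    # Constructed: nobody answers, the host gets fixed only after the null route.
    for hour, action in run_timeline(new_case("192.0.2.66"), {60: "remediated"}):
        print(f"+{hour:3d}h  {action}")
```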


Re: Andros Island Connectivity?

2013-04-30 Thread Warren Bailey
Says.. Who?


Sent from my T-Mobile 4G LTE Device



 Original message 
From: Mike Hale eyeronic.des...@gmail.com
Date: 04/30/2013 2:19 PM (GMT-08:00)
To: Warren Bailey wbai...@satelliteintelligencegroup.com
Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn 
aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
Subject: Re: Andros Island Connectivity?


It's the quickest but certainly not the cheapest.

On Tue, Apr 30, 2013 at 1:56 PM, Warren Bailey
wbai...@satelliteintelligencegroup.com wrote:
 I suggested VSAT. Probably the quickest and cheapest.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Lyon mike.l...@gmail.com
 Date: 04/30/2013 1:35 PM (GMT-08:00)
 To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
 Cc: NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Aaron,

 Cross-posting this over to the WISPA list to see if there are any Wireless
 ISPs over there that can help you.

 -Mike



 On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've been
 told so far is they are 'near the naval base'.

 They just called and said "We need internet access yesterday."

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San Francisco
 where the internet grows on trees, or if it's like the Sahara desert which
 might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them internet
 access?

 -A




 --
 Mike Lyon
 408-621-4826
 mike.l...@gmail.com

 http://www.linkedin.com/in/mlyon




--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: Andros Island Connectivity?

2013-04-30 Thread Mike Hale
Yeah, how many thousands is it per meg of space segment?

On Tue, Apr 30, 2013 at 2:20 PM, Warren Bailey
wbai...@satelliteintelligencegroup.com wrote:
 Says.. Who?


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:19 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 It's the quickest but certainly not the cheapest.

 On Tue, Apr 30, 2013 at 1:56 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 I suggested VSAT. Probably the quickest and cheapest.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Lyon mike.l...@gmail.com
 Date: 04/30/2013 1:35 PM (GMT-08:00)
 To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
 Cc: NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Aaron,

 Cross-posting this over to the WISPA list to see if there are any Wireless
 ISPs over there that can help you.

 -Mike



 On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn
 aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've
 been
 told so far is they are 'near the naval base'.

 They just called and said "We need internet access yesterday."

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San
 Francisco
 where the internet grows on trees, or if it's like the Sahara desert
 which
 might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them
 internet
 access?

 -A




 --
 Mike Lyon
 408-621-4826
 mike.l...@gmail.com

 http://www.linkedin.com/in/mlyon




 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0




-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: Andros Island Connectivity?

2013-04-30 Thread Warren Bailey
Not that I'll argue it isn't costly, but how else can you rail in up to 100 Mbps
in an afternoon? I would imagine this type of inquiry comes in after it has
been established that there is little to no connectivity.


Sent from my T-Mobile 4G LTE Device



 Original message 
From: Mike Hale eyeronic.des...@gmail.com
Date: 04/30/2013 2:19 PM (GMT-08:00)
To: Warren Bailey wbai...@satelliteintelligencegroup.com
Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn 
aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
Subject: Re: Andros Island Connectivity?


It's the quickest but certainly not the cheapest.

On Tue, Apr 30, 2013 at 1:56 PM, Warren Bailey
wbai...@satelliteintelligencegroup.com wrote:
 I suggested VSAT. Probably the quickest and cheapest.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Lyon mike.l...@gmail.com
 Date: 04/30/2013 1:35 PM (GMT-08:00)
 To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
 Cc: NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Aaron,

 Cross-posting this over to the WISPA list to see if there are any Wireless
 ISPs over there that can help you.

 -Mike



 On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've been
 told so far is they are 'near the naval base'.

 They just called and said "We need internet access yesterday."

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San Francisco
 where the internet grows on trees, or if it's like the Sahara desert which
 might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them internet
 access?

 -A




 --
 Mike Lyon
 408-621-4826
 mike.l...@gmail.com

 http://www.linkedin.com/in/mlyon




--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: Andros Island Connectivity?

2013-04-30 Thread Warren Bailey
Depends.. Space segment runs from 1300 a mhz for inclined all the way to 6k a 
month a mhz for hard to get weird stuff. We oversub to make the economics work 
often.


Sent from my T-Mobile 4G LTE Device



 Original message 
From: Mike Hale eyeronic.des...@gmail.com
Date: 04/30/2013 2:22 PM (GMT-08:00)
To: Warren Bailey wbai...@satelliteintelligencegroup.com
Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn 
aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
Subject: Re: Andros Island Connectivity?


Yeah, how many thousands is it per meg of space segment?

On Tue, Apr 30, 2013 at 2:20 PM, Warren Bailey
wbai...@satelliteintelligencegroup.com wrote:
 Says.. Who?


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:19 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 It's the quickest but certainly not the cheapest.

 On Tue, Apr 30, 2013 at 1:56 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 I suggested VSAT. Probably the quickest and cheapest.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Lyon mike.l...@gmail.com
 Date: 04/30/2013 1:35 PM (GMT-08:00)
 To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
 Cc: NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Aaron,

 Cross-posting this over to the WISPA list to see if there are any Wireless
 ISPs over there that can help you.

 -Mike



 On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn
 aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've
 been
 told so far is they are 'near the naval base'.

 They just called and said "We need internet access yesterday."

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San
 Francisco
 where the internet grows on trees, or if it's like the Sahara desert
 which
 might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them
 internet
 access?

 -A




 --
 Mike Lyon
 408-621-4826
 mike.l...@gmail.com

 http://www.linkedin.com/in/mlyon




 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0




--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: Andros Island Connectivity?

2013-04-30 Thread Mike Hale
Bingo.  And you're absolutely right in that setting it up can be really fast.

But cheap?  Not for a quality connection.

On Tue, Apr 30, 2013 at 2:23 PM, Warren Bailey
wbai...@satelliteintelligencegroup.com wrote:
 Depends.. Space segment runs from 1300 a mhz for inclined all the way to 6k
 a month a mhz for hard to get weird stuff. We oversub to make the economics
 work often.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:22 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Yeah, how many thousands is it per meg of space segment?

 On Tue, Apr 30, 2013 at 2:20 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 Says.. Who?


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:19 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list
 nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 It's the quickest but certainly not the cheapest.

 On Tue, Apr 30, 2013 at 1:56 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 I suggested VSAT. Probably the quickest and cheapest.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Lyon mike.l...@gmail.com
 Date: 04/30/2013 1:35 PM (GMT-08:00)
 To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
 Cc: NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Aaron,

 Cross-posting this over to the WISPA list to see if there are any
 Wireless
 ISPs over there that can help you.

 -Mike



 On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn
 aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've
 been
 told so far is they are 'near the naval base'.

 They just called and said "We need internet access yesterday."

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San
 Francisco
 where the internet grows on trees, or if it's like the Sahara desert
 which
 might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them
 internet
 access?

 -A




 --
 Mike Lyon
 408-621-4826
 mike.l...@gmail.com

 http://www.linkedin.com/in/mlyon




 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0




 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0




-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: Andros Island Connectivity?

2013-04-30 Thread Warren Bailey
We can make it work usually. An HD TV channel takes something like 3 MHz now.
Things have improved greatly in our industry. Not to say there isn't the
occasional weird situation. But when you come in to a site and it's up within
an hour you are usually elevated to rockstar status. It takes longer to demarc
a loop at the NIU than it does to point an antenna.


Sent from my T-Mobile 4G LTE Device



 Original message 
From: Mike Hale eyeronic.des...@gmail.com
Date: 04/30/2013 2:25 PM (GMT-08:00)
To: Warren Bailey wbai...@satelliteintelligencegroup.com
Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn 
aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
Subject: Re: Andros Island Connectivity?


Bingo.  And you're absolutely right in that setting it up can be really fast.

But cheap?  Not for a quality connection.

On Tue, Apr 30, 2013 at 2:23 PM, Warren Bailey
wbai...@satelliteintelligencegroup.com wrote:
 Depends.. Space segment runs from 1300 a mhz for inclined all the way to 6k
 a month a mhz for hard to get weird stuff. We oversub to make the economics
 work often.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:22 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Yeah, how many thousands is it per meg of space segment?

 On Tue, Apr 30, 2013 at 2:20 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 Says.. Who?


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:19 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list
 nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 It's the quickest but certainly not the cheapest.

 On Tue, Apr 30, 2013 at 1:56 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 I suggested VSAT. Probably the quickest and cheapest.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Lyon mike.l...@gmail.com
 Date: 04/30/2013 1:35 PM (GMT-08:00)
 To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
 Cc: NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Aaron,

 Cross-posting this over to the WISPA list to see if there are any
 Wireless
 ISPs over there that can help you.

 -Mike



 On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn
 aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've
 been
 told so far is they are 'near the naval base'.

 They just called and said "We need internet access yesterday."

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San
 Francisco
 where the internet grows on trees, or if it's like the Sahara desert
 which
 might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them
 internet
 access?

 -A




 --
 Mike Lyon
 408-621-4826
 mike.l...@gmail.com

 http://www.linkedin.com/in/mlyon




 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0




 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0




--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: Andros Island Connectivity?

2013-04-30 Thread TR Shaw
Harris/CAPROCK, http://www.harriscaprock.com, provides VSAT worldwide to 
shipping, offshore platforms and remote islands.

Additionally, Andros has quite a bit of undersea fiber going to it.  The USAF
Eastern Test Range and the Naval base there were the forcing function.  The
range contractor, http://computersciencesraytheon.com, could probably give you
a heads-up, or if I can help I can call some friends there.

Tom

On Apr 30, 2013, at 5:23 PM, Warren Bailey wrote:

 Depends.. Space segment runs from 1300 a mhz for inclined all the way to 6k a 
 month a mhz for hard to get weird stuff. We oversub to make the economics 
 work often.
 
 
 Sent from my T-Mobile 4G LTE Device
 
 
 
  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:22 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn 
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?
 
 
 Yeah, how many thousands is it per meg of space segment?
 
 On Tue, Apr 30, 2013 at 2:20 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 Says.. Who?
 
 
 Sent from my T-Mobile 4G LTE Device
 
 
 
  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:19 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?
 
 
 It's the quickest but certainly not the cheapest.
 
 On Tue, Apr 30, 2013 at 1:56 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 I suggested VSAT. Probably the quickest and cheapest.
 
 
 Sent from my T-Mobile 4G LTE Device
 
 
 
  Original message 
 From: Mike Lyon mike.l...@gmail.com
 Date: 04/30/2013 1:35 PM (GMT-08:00)
 To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
 Cc: NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?
 
 
 Aaron,
 
 Cross-posting this over to the WISPA list to see if there are any Wireless
 ISPs over there that can help you.
 
 -Mike
 
 
 
 On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn
 aa...@heyaaron.com wrote:
 
 I just had a client drop an interesting requirement on me.
 
 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've
 been
 told so far is they are 'near the naval base'.
 
 They just called and said "We need internet access yesterday."
 
 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.
 
 Having never been there, I have no idea if it's like downtown San
 Francisco
 where the internet grows on trees, or if it's like the Sahara desert
 which
 might require dragging your own fiber in on camelback...
 
 Does anyone have pointers on who to talk to or how I can get them
 internet
 access?
 
 -A
 
 
 
 
 --
 Mike Lyon
 408-621-4826
 mike.l...@gmail.com
 
 http://www.linkedin.com/in/mlyon
 
 
 
 
 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
 
 
 
 
 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
 




Re: Andros Island Connectivity?

2013-04-30 Thread Warren Bailey
Or you could just use my networks?


Sent from my T-Mobile 4G LTE Device



 Original message 
From: TR Shaw ts...@oitc.com
Date: 04/30/2013 2:45 PM (GMT-08:00)
To: Warren Bailey wbai...@satelliteintelligencegroup.com
Cc: Mike Hale eyeronic.des...@gmail.com,Aaron C. de Bruyn 
aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
Subject: Re: Andros Island Connectivity?


Harris/CAPROCK, http://www.harriscaprock.com, provides VSAT worldwide to 
shipping, offshore platforms and remote islands.

Additionally, Andros has quite a bit of undersea fiber going to it.  The USAF
Eastern Test Range and the Naval base there were the forcing function.  The
range contractor, http://computersciencesraytheon.com, could probably give you
a heads-up, or if I can help I can call some friends there.

Tom

On Apr 30, 2013, at 5:23 PM, Warren Bailey wrote:

 Depends.. Space segment runs from 1300 a mhz for inclined all the way to 6k a 
 month a mhz for hard to get weird stuff. We oversub to make the economics 
 work often.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:22 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn 
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Yeah, how many thousands is it per meg of space segment?

 On Tue, Apr 30, 2013 at 2:20 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 Says.. Who?


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:19 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 It's the quickest but certainly not the cheapest.

 On Tue, Apr 30, 2013 at 1:56 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 I suggested VSAT. Probably the quickest and cheapest.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Lyon mike.l...@gmail.com
 Date: 04/30/2013 1:35 PM (GMT-08:00)
 To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
 Cc: NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Aaron,

 Cross-posting this over to the WISPA list to see if there are any Wireless
 ISPs over there that can help you.

 -Mike



 On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn
 aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've
 been
 told so far is they are 'near the naval base'.

 They just called and said "We need internet access yesterday."

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San
 Francisco
 where the internet grows on trees, or if it's like the Sahara desert
 which
 might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them
 internet
 access?

 -A




 --
 Mike Lyon
 408-621-4826
 mike.l...@gmail.com

 http://www.linkedin.com/in/mlyon




 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0




 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0





Re: Andros Island Connectivity?

2013-04-30 Thread Warren Bailey
Now we are partying! Let me get on my computer so I can respond.


Sent from my T-Mobile 4G LTE Device



 Original message 
From: Ryan Wilkins r...@deadfrog.net
Date: 04/30/2013 3:16 PM (GMT-08:00)
To: Mike Hale eyeronic.des...@gmail.com
Cc: Warren Bailey wbai...@satelliteintelligencegroup.com,Aaron C. de Bruyn 
aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
Subject: Re: Andros Island Connectivity?


If you need more than a megabit, don't forget to factor in the link budget and 
the resulting power and hardware requirements to support larger bandwidths.  
Then you're looking at something that is probably not available today on the 
island.  If the connection needs to be up 24/7, even in heavy rains, then 
you're looking at something in C-band which then requires a larger antenna.  
You'll be hard pressed to do any real bandwidth at Ku-band with anything less 
than a 1.2m antenna.  C-band, you're looking at 3.7m or so minimum.

The Ku-band iDirect system I manage for the City of Chicago runs 3 Mbps up and 
3 Mbps down at Ku-band.  There are 6 remotes on the system, 5 are vehicles.  
The vehicle antennas are 1.2m but they require 25 Watt amplifiers to reliably 
close the link all the time.  Clear day is fine on much less power.  Heavy 
rains, forget it.  25 Watts isn't enough.

On Apr 30, 2013, at 5:24 PM, Mike Hale eyeronic.des...@gmail.com wrote:

 Bingo.  And you're absolutely right in that setting it up can be really fast.

 But cheap?  Not for a quality connection.

 On Tue, Apr 30, 2013 at 2:23 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 Depends.. Space segment runs from 1300 a mhz for inclined all the way to 6k
 a month a mhz for hard to get weird stuff. We oversub to make the economics
 work often.


 Sent from my T-Mobile 4G LTE Device



  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:22 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Yeah, how many thousands is it per meg of space segment?

 On Tue, Apr 30, 2013 at 2:20 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 Says.. Who?





  Original message 
 From: Mike Hale eyeronic.des...@gmail.com
 Date: 04/30/2013 2:19 PM (GMT-08:00)
 To: Warren Bailey wbai...@satelliteintelligencegroup.com
 Cc: Mike Lyon mike.l...@gmail.com,Aaron C. de Bruyn
 aa...@heyaaron.com,memb...@wispa.org,NANOG mailing list
 nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 It's the quickest but certainly not the cheapest.

 On Tue, Apr 30, 2013 at 1:56 PM, Warren Bailey
 wbai...@satelliteintelligencegroup.com wrote:
 I suggested VSAT. Probably the quickest and cheapest.





  Original message 
 From: Mike Lyon mike.l...@gmail.com
 Date: 04/30/2013 1:35 PM (GMT-08:00)
 To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
 Cc: NANOG mailing list nanog@nanog.org
 Subject: Re: Andros Island Connectivity?


 Aaron,

 Cross-posting this over to the WISPA list to see if there are any
 Wireless
 ISPs over there that can help you.

 -Mike



 On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn
 aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've
 been
 told so far is they are 'near the naval base'.

 They just called and said We need internet access yesterday.

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San
 Francisco
 where the internet grows on trees, or if it's like the Sahara desert
 which
 might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them
 internet
 access?

 -A




 --
 Mike Lyon
 408-621-4826
 mike.l...@gmail.com

 http://www.linkedin.com/in/mlyon









Network Engineering Stack Exchange site in Area51 (fwd)

2013-04-30 Thread Simon Lyall


The proposal currently needs just 13 more committers with 200+ SE points on any 
site...

http://area51.stackexchange.com/proposals/52519/network-engineering

The SE site proposal for 'network engineering' is so close to going into Beta. 
It's up to 441 committers, and is currently 7th overall, (of 800+ proposals,) 
on the hottest proposal list.


--
Simon Lyall  |  Very Busy  |  Web: http://www.darkmere.gen.nz/
To stay awake all night adds a day to your life - Stilgar | eMT.




Mitigating DNS amplification attacks

2013-04-30 Thread Thomas St-Pierre
Hi!

I was wondering if anyone had any experience with dealing with open resolvers 
as a web hoster? We currently have some 40,000 IPs that respond to DNS in our 
AS, the majority of which are not open but do reply with a referral to the 
root zones. We've been sending emails to our clients but as the servers are not 
managed by us, there's not much we can do at that level.

Recently we've seen a large increase in the number and volume of DNS 
amplification DDoSes that are being reflected off of our AS. Just today we've 
seen at least 6 different attacks with between 4 and 10 Gbps leaving our AS each 
time. It's not really causing us issues at the moment because we have the 
capacity, but I'd hate to be on the receiving side. (and indeed, have been on 
the receiving side in the past, so I know how much it can suck)

Has anyone ever tried mitigating/rate-limiting/etc these attacks in the network 
before? (vs at the server/application level)

We have an Arbor Peakflow device, but it's not really geared for this scenario 
I find. It will detect the outgoing attack via the flows, but all we can really 
do is null-route the victim's IP in our AS. Ideally we would need a way to 
rate-limit DNS packets based on source IP. Maybe a Linux box that handles 
dropping packets from the same source IP over 1000/sec with some policy-based 
routing sending the DNS traffic to it? Does such a box exist already?

If anyone has any ideas or suggestions, then by all means! There must be a 
better way to do this, and I'd really like to avoid re-inventing the wheel if 
it's been invented already. :)

Thanks!
Thomas
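The per-source limiter the post asks about, as an added example that is not part of the thread: a token bucket keyed on the query's source address, applied to UDP/53 only, run over constructed packet timestamps (documentation-range addresses, an assumed 1000 pps limit with an equal burst). The spoofed victim address is held to roughly the configured rate while other sources pass untouched; the trade-off is that the victim's own genuine queries to these servers are dropped as well.

```python
"""Per-source-IP token-bucket limiter for inbound UDP/53 queries.

Added example (not from the NANOG thread).  Models the "drop packets from
the same source IP over 1000/sec" box the original post asks about.  In a
real deployment the packet stream would come from a capture or a netfilter
queue; here the packets and addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate: float    # packets replenished per second
    burst: float   # bucket capacity
    tokens: float  # tokens currently available
    last: float    # timestamp of the last update


class PerSourceLimiter:
    """One token bucket per source address; unseen sources start full."""

    def __init__(self, pps_limit=1000.0, burst=None):
        self.rate = float(pps_limit)
        self.burst = float(burst if burst is not None else pps_limit)
        self.buckets = {}

    def allow(self, src_ip, ts):
        b = self.buckets.get(src_ip)
        if b is None:
            b = TokenBucket(self.rate, self.burst, self.burst, ts)
            self.buckets[src_ip] = b
        # Replenish for the time elapsed since this source was last seen;
        # out-of-order timestamps are clamped so they cannot mint tokens.
        elapsed = max(0.0, ts - b.last)
        b.tokens = min(b.burst, b.tokens + elapsed * b.rate)
        b.last = ts
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def filter_queries(packets, pps_limit=1000.0):
    """packets: iterable of (ts, src_ip, dst_ip, proto, dport).

    Only UDP to port 53 is subject to the limiter; everything else is
    passed.  Returns {src_ip: (allowed, dropped)}.
    """
    limiter = PerSourceLimiter(pps_limit)
    stats = defaultdict(lambda: [0, 0])
    for ts, src, _dst, proto, dport in packets:
        if proto != "udp" or dport != 53:
            stats[src][0] += 1
            continue
        if limiter.allow(src, ts):
            stats[src][0] += 1
        else:
            stats[src][1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


def constructed_sample():
    """Constructed one-second window: 5000 queries carrying the spoofed
    victim address 203.0.113.10 interleaved with 20 queries from an
    ordinary client 198.51.100.7 (both documentation-range addresses)."""
    pkts = [(i / 5000.0, "203.0.113.10", "192.0.2.53", "udp", 53)
            for i in range(5000)]
    pkts += [(i / 20.0, "198.51.100.7", "192.0.2.53", "udp", 53)
             for i in range(20)]
    pkts.sort(key=lambda p: p[0])
    return pkts


if __name__ == "__main__":
    for src, (ok, dropped) in sorted(filter_queries(constructed_sample()).items()):
        print(f"{src:15} allowed={ok:5d} dropped={dropped:5d}")
```

With a 1000-token burst plus 1000 pps of refill, the victim's 5000 packets in one second yield roughly 2000 allowed and 3000 dropped; the 20 pps client is never touched.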


Re: Mitigating DNS amplification attacks

2013-04-30 Thread Dobbins, Roland

On May 1, 2013, at 6:43 AM, Thomas St-Pierre wrote:

  We've been sending emails to our clients but as the servers are not managed 
 by us, there's not much we can do at that level.

Sure, there is - shut them down if they don't comply.  Most ISPs have AUP 
verbiage which would apply to a situation of this type.

 Has anyone ever tried mitigating/rate-limiting/etc these attacks in the 
 network before? (vs at the server/application level)

QoS doesn't work, as the programmatically-generated attack traffic 'crowds out' 
legitimate requests.

 We have an Arbor peakflow device, but it's not really geared for this 
 scenario I find.

Peakflow SP is a NetFlow-based anomaly-detection system which performs attack 
detection/classification/traceback.  Please feel free to ping me offlist about 
additional system elements which perform attack mitigation.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: Mitigating DNS amplification attacks

2013-04-30 Thread Thomas St-Pierre
Hi!

On 13-04-30 7:57 PM, Dobbins, Roland rdobb...@arbor.net wrote:


On May 1, 2013, at 6:43 AM, Thomas St-Pierre wrote:

  We've been sending emails to our clients but as the servers are not
managed by us, there's not much we can do at that level.

Sure, there is - shut them down if they don't comply.  Most ISPs have AUP
verbiage which would apply to a situation of this type.

Unfortunately I somehow doubt management is going to look favourably on a
request to shut down so many clients. :( The large majority of the servers
being used in the attacks are not open resolvers. Just DNS servers that
are authoritative for a few domains, and the default config of the dns
application does referrals to root for anything else.

Yes there are ways of protecting against this on the server itself, but I
don't see it happening here given the complexity of many of the solutions.
I hate to say it, but if it's not next - next - next - finish, or
integrated as an option in one of the common web hosting panels (cPanel,
Plesk, etc) people won't do it. We still struggle just getting people to
close actual open resolvers, and that is easy to configure.



 Has anyone ever tried mitigating/rate-limiting/etc these attacks in the
network before? (vs at the server/application level)

QoS doesn't work, as the programmatically-generated attack traffic
'crowds out' legitimate requests.

 We have an Arbor peakflow device, but it's not really geared for this
scenario I find.

Peakflow SP is a NetFlow-based anomaly-detection system which performs
attack detection/classification/traceback.  Please feel free to ping me
offlist about additional system elements which perform attack mitigation.


Pinged off-list!

Thanks!
Thomas




Re: Mitigating DNS amplification attacks

2013-04-30 Thread Damian Menscher
On Tue, Apr 30, 2013 at 5:28 PM, Thomas St-Pierre tstpie...@iweb.com wrote:

 On 13-04-30 7:57 PM, Dobbins, Roland rdobb...@arbor.net wrote:
 On May 1, 2013, at 6:43 AM, Thomas St-Pierre wrote:
 
   We've been sending emails to our clients but as the servers are not
 managed by us, there's not much we can do at that level.
 
 Sure, there is - shut them down if they don't comply.  Most ISPs have AUP
 verbiage which would apply to a situation of this type.

 Unfortunately I somehow doubt management is going to look favourably on a
 request to shut down so many clients. :( The large majority of the servers
 being used in the attacks are not open resolvers. Just DNS servers that
 are authoritative for a few domains, and the default config of the dns
 application does referrals to root for anything else.


Offering a DNS service to your customers may allow you to provide a good
alternative to push those customers onto.  You can then manage it properly.

But I think DNS isn't the real issue here, it's the fact you're receiving
spoofed traffic.  I'd start by tracking the attacks backwards through your
upstreams, as obviously someone in the path isn't enforcing BCP 38.  Stop
the spoof capability and the attacks will stop.  It requires less effort
overall (vs your counterparts at every hosting provider needing to solve
the problem for their networks) and provides the best benefit to the
victims.

Damian


Re: Mitigating DNS amplification attacks

2013-04-30 Thread Jared Mauch
Please look at something like rate limiting.

Please look at preventing these spoofed packets from entering your network and 
report the issue.

Please provide advice and insights as well as directing customers to the 
openresolverproject.org website. We want to close these down, if you need an 
accurate list of IPs in your ASN, please email me and I can give you very 
accurate data.

Thanks!




Re: Mitigating DNS amplification attacks

2013-04-30 Thread Thomas St-Pierre
Hi Damian!

We offer a DNS hosted solution, most people still use their own servers though. 
(especially those with control panels such as cPanel or plesk, where it's 
built-in).

As for BCP38, I would love to stop the spoofed packets, however with them 
coming from our upstreams, (Level3, Cogent, Tata, etc) I don't see how we can.

Thanks!
Thomas







Re: Mitigating DNS amplification attacks

2013-04-30 Thread Dobbins, Roland

On May 1, 2013, at 7:42 AM, Thomas St-Pierre wrote:

 As for BCP38, I would love to stop the spoofed packets, however with them 
 coming from our upstreams, (Level3, Cogent, Tata, etc) I don't see how we can.

Contact them on a case-by-case basis to report the spoofed traffic used to 
stimulate the servers into responding, including the layer-4 classification 
criteria, traffic rates, and timestamps available via flow telemetry.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton
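The per-upstream evidence Roland describes, as an added example that is not from the thread: inbound UDP/53 flows arriving on transit interfaces are aggregated by (ingress interface, source address) into a classification, rate and time window, and paired with the outbound responses so the amplification factor can be quoted in the report. The NetFlow-style record layout, interface names, upstream labels and all addresses are constructed.

```python
"""Per-upstream report of spoofed-source DNS queries from flow records.

Added example (not from the NANOG thread).  The record format, interface
names, upstream labels and addresses are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

OUR_DNS_SERVERS = {"192.0.2.53", "192.0.2.54"}                        # constructed
UPSTREAM_BY_IFACE = {"ge-0/0/0": "Upstream-A", "ge-0/0/1": "Upstream-B"}  # constructed
T0 = 1367362800  # 2013-04-30T23:00:00Z, constructed window start


def flow(iface, src, dst, proto, sport, dport, packets, nbytes,
         start=T0, end=T0 + 60):
    """Build one NetFlow-style record (dict) for the constructed sample."""
    return {"iface": iface, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "packets": packets,
            "bytes": nbytes, "start": start, "end": end}


SAMPLE_FLOWS = [
    # spoofed queries carrying the victim's address, arriving on two transits
    flow("ge-0/0/0", "203.0.113.10", "192.0.2.53", 17, 40000, 53, 240000, 15360000),
    flow("ge-0/0/1", "203.0.113.10", "192.0.2.54", 17, 40000, 53, 90000, 5760000),
    # the responses our servers sent back toward the victim (the amplified side)
    flow("ge-0/0/0", "192.0.2.53", "203.0.113.10", 17, 53, 40000, 240000, 122880000),
    flow("ge-0/0/1", "192.0.2.54", "203.0.113.10", 17, 53, 40000, 90000, 46080000),
    # an ordinary resolver at 20 pps, and a customer-side source on ae0: both ignored
    flow("ge-0/0/0", "198.51.100.7", "192.0.2.53", 17, 51000, 53, 1200, 76800),
    flow("ae0", "192.0.2.200", "192.0.2.53", 17, 51001, 53, 120000, 7680000),
    # unrelated TCP traffic
    flow("ge-0/0/0", "198.51.100.9", "192.0.2.80", 6, 52000, 443, 5000, 4000000),
]


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def spoofed_query_report(flows, dns_servers=OUR_DNS_SERVERS,
                         upstreams=UPSTREAM_BY_IFACE, pps_threshold=1000.0):
    """Return one entry per (upstream, source address) whose inbound UDP/53
    query rate toward our DNS servers exceeds pps_threshold, sorted by pps."""
    inbound = defaultdict(lambda: {"packets": 0, "bytes": 0, "start": None,
                                   "end": None, "targets": set()})
    in_bytes_by_src = defaultdict(int)
    out_bytes_by_dst = defaultdict(int)
    for f in flows:
        if f["proto"] != 17:                       # UDP only
            continue
        if f["dport"] == 53 and f["dst"] in dns_servers and f["iface"] in upstreams:
            a = inbound[(f["iface"], f["src"])]
            a["packets"] += f["packets"]
            a["bytes"] += f["bytes"]
            a["start"] = f["start"] if a["start"] is None else min(a["start"], f["start"])
            a["end"] = f["end"] if a["end"] is None else max(a["end"], f["end"])
            a["targets"].add(f["dst"])
            in_bytes_by_src[f["src"]] += f["bytes"]
        elif f["sport"] == 53 and f["src"] in dns_servers:
            out_bytes_by_dst[f["dst"]] += f["bytes"]   # our responses
    report = []
    for (iface, src), a in inbound.items():
        duration = max(a["end"] - a["start"], 1)
        pps = a["packets"] / duration
        if pps < pps_threshold:
            continue
        amp = (out_bytes_by_dst[src] / in_bytes_by_src[src]
               if in_bytes_by_src[src] else 0.0)
        report.append({
            "upstream": upstreams[iface],
            "ingress_iface": iface,
            "spoofed_src": src,
            "classification": "UDP dst port 53 (DNS query) to "
                              + ", ".join(sorted(a["targets"])),
            "pps": round(pps, 1),
            "bps": round(a["bytes"] * 8 / duration, 1),
            "first_seen": _iso(a["start"]),
            "last_seen": _iso(a["end"]),
            "amplification": round(amp, 2),
        })
    return sorted(report, key=lambda r: -r["pps"])


if __name__ == "__main__":
    for entry in spoofed_query_report(SAMPLE_FLOWS):
        print(entry)
```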




Re: Andros Island Connectivity?

2013-04-30 Thread Rob Seastrom

Protracted discussion (and promotion) has glossed over one key point:

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

They will not be happy with VSAT latency (typically 700ms though
physics says you can never do better than 550, and that's for the
space segment alone) if they are running RDP, VNC, Citrix, or similar
technologies.  Sorry for being a buzzkill, Warren.  :)

-r





Re: Andros Island Connectivity?

2013-04-30 Thread Warren Bailey
BuzKil!!!

Actually, we use some TCP ninja techniques to make Citrix/RDP work.
Basically, we ack the packets on both sides to prevent the delay from
occurring. It's kind of like acceleration, except there aren't really any
devices in between the session. There is a single box at the transmit
station (we call it a hub) and nothing on the other side.

And for the record, you're never a buzzkill Rob. I live with latency every
day, she's a decent girl when you treat her right.. ;)










Re: Andros Island Connectivity?

2013-04-30 Thread Ryan Wilkins
I was going to mention this but failed to do so.

At the very least, do some testing first to make sure that the latency isn't 
going to introduce unforeseen issues.  Case in point, the Chicago 
satellite-based network that I manage is sometimes used for Police / Fire / EMS 
dispatching.  The City's Computer Aided Dispatch system ended up crashing 
during an early test when it was discovered that it couldn't handle the high 
latencies encountered on satellite links.  This required the vendor to adjust 
the code to deal with these issues.  Granted this is an extreme example, but 
the point is that the physics of satellite links can do all sorts of things to 
applications that one might not expect.

Cheers,
Ryan Wilkins

On Apr 30, 2013, at 9:13 PM, Rob Seastrom r...@seastrom.com wrote:
 
 They will not be happy with VSAT latency (typically 700ms though
 physics says you can never do better than 550, and that's for the
 space segment alone) if they are running RDP, VNC, Citrix, or similar
 technologies.  Sorry for being a buzzkill, Warren.  :)




Re: Andros Island Connectivity?

2013-04-30 Thread Warren Bailey
http://www.xiplink.com is who we work with (and sell). Don't mean to
advertise on NANOG, more of an FYI and place for those who care to learn
something. I hate the fact that satellite is looked at like a white
unicorn, it's a pretty cool solution that will perform day in and out for
as long as you need it to.









Re: Andros Island Connectivity?

2013-04-30 Thread Ryan Wilkins
I've used them before on SCPC links.  I discovered on a boat one time that the 
XipLink unit we were using wasn't exactly designed to handle vibrations from 
engines nor the constant pounding of a hull on water when in the ocean with 
large swells.  Back then the boxes were 1U rackmount PCs running some variant 
of BSD, and we had issues with the Ethernet card coming out of the PCI slot 
after a few hours of operational use.   Maybe they've migrated to something a 
little more robust now.  Of course, most normal customers don't put them on 
boats to begin with.  :-)

I agree with your comment about satellite.  It has its place.  Some things it 
is particularly well suited for.  Other things, maybe not so much.  I often 
don't mention satellites when someone asks what I do because most people assume 
I'm a DirecTV installer which couldn't be further from the truth.






Re: Andros Island Connectivity?

2013-04-30 Thread Joel M Snyder


Protracted discussion (and promotion) has glossed over one key point:


None of the people on-site are technical, and all their data is accessed
via RDP on a server in the United States.


They will not be happy with VSAT latency (typically 700ms though
physics says you can never do better than 550, and that's for the
space segment alone) if they are running RDP, VNC, Citrix, or similar
technologies.  Sorry for being a buzzkill, Warren.  :)


Actually, Citrix (in particular) works quite well over satellite 
latencies.  The network project I'm working on right now is wrapping up 
an app rollout to about 100 countries, many of which we can only reach 
via VSAT.  Testing showed that Citrix performance is much better for 
AJAX-y web apps than pure HTTP.


Citrix has a bunch of intelligence built-in specifically to deal with 
issues related to high-latency/low-bandwidth circuits, including local 
mouse, local echo, click/movement aggregation into large packets, and of 
course compression-before-encryption.  It's not quite Memorex, but it's 
very usable.


I'd be happy to share the data with anyone who is interested; I also 
showed that F5 Big-IP load balancers can make really horrible ERP apps 
(*ahem* Oracle eBusiness *cough* *cough* *cough*) work a lot better as 
well, if you decide not to use Citrix.


jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One   Phone: +1 520 324 0494
j...@opus1.com  http://www.opus1.com/jms



Re: Andros Island Connectivity?

2013-04-30 Thread Rob Seastrom

Joel M Snyder joel.sny...@opus1.com writes:

 Actually, Citrix (in particular) works quite well over satellite
 latencies.  The network project I'm working on right now is wrapping
 up an app rollout to about 100 countries, many of which we can only
 reach via VSAT.  Testing showed that Citrix performance is much better
 for AJAX-y web apps than pure HTTP.

 Citrix has a bunch of intelligence built-in specifically to deal with
 issues related to high-latency/low-bandwidth circuits, including local
 mouse, local echo, click/movement aggregation into large packets, and
 of course compression-before-encryption.  It's not quite Memorex, but
 it's very usable.

That's good to know that it's evolved so well.  Painful, almost
repressed memories suggest that it wasn't always so good.

-r





Re: Andros Island Connectivity?

2013-04-30 Thread Warren Bailey
Put that in your pipe and smoke it, Seastrom! ;)








Re: It's the end of the world as we know it -- REM

2013-04-30 Thread Jimmy Hess
On Tuesday, April 30, 2013, John Curran wrote:

 On Apr 30, 2013, at 1:46 AM, Jimmy Hess mysi...@gmail.com wrote:

  On 4/29/13, John Curran jcur...@arin.net wrote:
  On Apr 29, 2013, at 2:46 PM, Lee Howard l...@asgard.org wrote:
  On 4/29/13 1:03 AM, Jérôme Nicolle jer...@ceriz.fr wrote:
  specified (based on being singly-homed or multi-homed.)  These same
  criteria now apply to receipt of an address block via transfer, so at
  regional IPv4 free pool depletion may be _very_ difficult to satisfy.
 
  Huh?  Where did that concept come from?

 Alas, NRPM 8.3 requires that the recipient must demonstrate the need for
 up to a 24-month supply of IP address resources _under current ARIN
 policies_ ...


 This says demonstrate the need for resources.
The under current policies bit is redundant, because the transfer policy
is referring to itself. Of course the current policies always apply; so
this is some strange infinitely recursive oddity.

It doesn't say the qualifications and requirements will be the same as if
the transfer request was a request for a /20 allocation from the free pool,
or as if the transfer were an assignment (things that it is not); only that
the transfer policy asserts the requirement to demonstrate need.

As long as the need can be demonstrated as explained in 4.1, then any
8.3 transfer should be approved, even if the criteria given in 4.2 for
initial allocations are not met.

Since there is not yet a policy there that addresses or places specific
requirements for need determination for transferred resources, as opposed
to allocation requests


The initial allocation rule should not be getting applied to 8.3 transfers
in any case...

--
-JH

-- 
-Mysid


Re: Andros Island Connectivity?

2013-04-30 Thread Rob Seastrom

Good 'ol Warren, sure knows how to make friends and influence people.

-r







Re: Andros Island Connectivity?

2013-04-30 Thread Warren Bailey
The chicks certainly know my name..










Re: It's the end of the world as we know it -- REM

2013-04-30 Thread John Curran
On Apr 30, 2013, at 10:56 PM, Jimmy Hess mysi...@gmail.com wrote:


This says demonstrate the need for resources.
The under current policies bit is redundant, because the transfer policy is 
referring to itself. Of course the current policies always apply; so this is 
some strange infinitely recursive oddity.

Jimmy -

  Actually, I'm quite confident in the interpretation...  Note that the reading 
that this language would require qualification under current IPv4 allocation 
policies was also confirmed in the Staff Assessment when the proposed NRPM 8.3 
language was under consideration as a draft policy - 
http://lists.arin.net/pipermail/arin-ppml/2011-August/022870.html

  It is easy enough to change if desired (and apparently some folks are looking 
at doing that per an earlier reply on this thread) but as it stands there is a 
chance that ISPs seeking to obtain IPv4 space from the transfer market will not 
be able to participate if they haven't made use of provider-assigned space first.

FYI,
/John

John Curran
President and CEO
ARIN





Re: It's the end of the world as we know it -- REM

2013-04-30 Thread Owen DeLong
 This says demonstrate the need for resources.
 The under current policies bit is redundant, because the transfer policy
 is referring to itself. Of course the current policies always apply; so
 this is some strange infinitely recursive oddity.
 

Jimmy,

With all due respect, this is a reference in section 8.3 to call out that
the policies in section 4 regarding qualification of recipients are to be
followed when determining eligibility for an 8.3 transfer.

This is understood by the AC and by ARIN staff. I believe it is also well
understood by the majority of the community.

I would be happy to submit clarifying text as an editorial amendment if
you feel it would be helpful.

I would suggest that considering the expressed intent of the policy is more
useful than attempting to nit-pick the most nonsensical possible interpretations
of the particular wording.

 It doesn't say the qualifications and requirements will be the same as if
 the transfer request was a request for a /20 allocation from the free pool,
 or as if the transfer were an assignment (things that it is not); only that
 the transfer policy asserts the requirement to demonstrate need,
 

That is the express intent of that clause in the rationale and according to
the authors during discussions of the policy text prior to its adoption.

Further, it is (correctly, IMHO), the ARIN staff interpretation of the policy.

 As long as the need can be demonstrated as explained in 4.1, then any
 8.3 transfer should be approved, even if the criteria given in 4.2 for
 initial allocations are not met.

4.1 provides only general principles. In and of itself it is not a complete set
of policies. In addition to the guidance provided by 4.1, one must qualify
under 4.2 if one is an ISP/LIR or 4.3 if one is an end-user. There are
exceptions provided in 4.4 et seq. for certain special cases.

 Since there is not yet a policy there that addresses or places specific
 requirements for need determination for transferred resources, as-opposed
 to allocation requests

The text in section 8.3 effectively incorporates 4.2 et. seq. by reference,
whether you like that fact or not.

 The initial allocation rule should not be getting applied to 8.3 transfers
 in any case...

IMHO, your interpretation is contrary to the text and the intent of NRPM 8.3.
It appears that staff agrees with me. The proposal that later became 8.3 was
discussed in the community as it is currently interpreted by staff. At no point
prior to your current objection was anything like your intended interpretation
ever expressed as a viable outcome of the text in question.

Owen




Re: Andros Island Connectivity?

2013-04-30 Thread alejandroacostaalamo
Hi,
  Please also note that modern VSAT hubs (iDirect, ViaSat), some better than
others, can emulate SCPC. They also support QoS, TCP spoofing and many other
nice features.

Regards,




--Original Message--
From: Rob Seastrom
To: TR Shaw
Cc: Aaron C. de Bruyn
Cc: NANOG mailing list
Subject: Re: Andros Island Connectivity?
Sent: Apr 30, 2013 8:43 PM


Protracted discussion (and promotion) has glossed over one key point:

 None of the people on-site are technical, and all their data is accessed
 via RDP on a server in the United States.

They will not be happy with VSAT latency (typically 700ms though
physics says you can never do better than 550, and that's for the
space segment alone) if they are running RDP, VNC, Citrix, or similar
technologies.  Sorry for being a buzzkill, Warren.  :)

-r





This message was sent via the Movilnet BlackBerry service.



Re: Andros Island Connectivity?

2013-04-30 Thread joseph . snyder
Doesn't Cable Bahamas sell in Andros?

Warren Bailey wbai...@satelliteintelligencegroup.com wrote:

I suggested VSAT. Probably the quickest and cheapest.


Sent from my T-Mobile 4G LTE Device



 Original message 
From: Mike Lyon mike.l...@gmail.com
Date: 04/30/2013 1:35 PM (GMT-08:00)
To: Aaron C. de Bruyn aa...@heyaaron.com,memb...@wispa.org
Cc: NANOG mailing list nanog@nanog.org
Subject: Re: Andros Island Connectivity?


Aaron,

Cross-posting this over to the WISPA list to see if there are any
Wireless ISPs over there that can help you.

-Mike



On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn
aa...@heyaaron.com wrote:

 I just had a client drop an interesting requirement on me.

 They are on Andros Island (Bahamas) for about a year.  I'm working on
 getting an exact address from the adminisphere above me, but all I've
 been told so far is they are 'near the naval base'.

 They just called and said "We need internet access yesterday."

 None of the people on-site are technical, and all their data is
 accessed via RDP on a server in the United States.

 Having never been there, I have no idea if it's like downtown San
 Francisco where the internet grows on trees, or if it's like the Sahara
 desert which might require dragging your own fiber in on camelback...

 Does anyone have pointers on who to talk to or how I can get them
 internet access?

 -A




--
Mike Lyon
408-621-4826
mike.l...@gmail.com

http://www.linkedin.com/in/mlyon

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


Re: It's the end of the world as we know it -- REM

2013-04-30 Thread Jimmy Hess
On 4/30/13, Owen DeLong o...@delong.com wrote:

 With all due respect, this is a reference in section 8.3 to call out that
 the policies in section 4 regarding qualification of recipients are to be
 followed when determining eligibility for an 8.3 transfer.

I don't read a reference to section 4 there.  I don't think it's a
reasonable belief that a network operator supplicating for transfer
of IPv4 resources would come to this conclusion -- there is no
reason to select a specific section to apply because no section is
mentioned, reading the policy on their own, and what you are seeing
there -- may be a result of bias from your prior exposure to another
interpretation of the language.

It's also possible, that all of us who were reviewing the proposed
transfer policy language read some rationale statement at one time or
another, and just (incorrectly) assumed that the final language
accomplished our intended effect.


I don't think this issue should affect any network operators at this
time, but nonetheless I'm concerned about the RIR policy having
confusing, surprising, or hidden ramifications built into it, which
are problematic and not previously considered.


 I would suggest that considering the expressed intent of the policy is more
 useful than attempting to nit-pick the most nonsensical possible

I looked at the intent of the policy specifically, and it seems pretty obvious
that 4.2.2.1.1 and 4.2.2.1.3 very clearly do not intend that they apply to
transfers, or other situations where a /20 is not involved.

If 8.3 says the current policy applies, then,  that by definition
imports also the intent and scope restriction in the other sections of
the policy,  not just the procedures or rules.


Specific evidence of intent from 4.2.2.1.1, quote: "if an
organization holds a smaller allocation, such as 12 /24s, from its
upstream provider, the organization would not meet the minimum
utilization requirements of a /20."

Furthermore, the 8.3 transfer rule specifically states that the minimum is /24.
And the stated requirement is demonstrated need,  not whatever
constraints apply to other kinds of allocations/assignment.


When the interpretation is intent, with these two statements taken
together, we have here, a contradiction between the acceptance of a
/24 that can only be resolved by refraining from applying 4.2.2.1.1
and 4.2.2.1.3, or the antecedent is false  (you're not requesting a
/20,  so it follows that you don't need to meet the minimum
utilization requirements of a /20).


There _is_ a reasonable demonstrated-need criterion, in 4.2, that
could apply to transfers; though, it's 4.2.3, Reassignment of
address space...


The characterization of the transfer recipient as a "customer" for
reassignment purposes seems less problematic than the
characterization of a /24 as a /20 for imposing 4.2.2.1.1,
and carries no requirement for a prior upstream assignment.

 That is the express intent of that clause in the rationale and according to
 the authors during discussions of the policy text prior to its adoption.

My expectation about 8.3 is that justification is still to be
required.   But not the application of  /20 justification criterion to
a /23 or smaller.

Also, I'm not sure what bearing the author's intent may have, as a
policy document has to be able to stand on its own, and different
members of the community may apparently have had a different
understanding of some of the ramifications of the language.

If the language doesn't convey the intent in a clear, at least
discernible way, that can be shown through sufficient evidence in the
document, then the supposed intent may as well not exist: I mean,
it's like saying the developed policy didn't matter, just the
author's intent?

 4.1 provides only general principles. In and of itself it is not a complete
 set of policies. In addition to the guidance provided by 4.1, one must qualify
 under 4.2 if one is an ISP/LIR or 4.3 if one is an end-user. There are
 exceptions provided in 4.4 et. seq. for certain special cases.

Yes; I'm not sure what, if any, relevance these distinctions really
have or ought to have with transfers, and a minimum size of /24, and
/23s allowed as well, however.


And I sure don't expect transfer applicants to sort all that out;
the policy should be more explicit, and have conditions that clearly
apply to the situation.

-- 
-JH