Re: Alcatel-Lucent
Chris Wallace wrote:
> I am hoping to get some people's opinions on Alcatel-Lucent routers. We are looking at the 7750 SR line and the 7450 ESS line. We are currently a Cisco shop but these would be deployed in a completely new network delivering mostly MPLS based services and DIA. Any comments are welcome, good and bad.
> ---Chris

Hello!! First time on the list :)

I'd like to say something to the contrary. These are very weak routers. We (an SP at country level, PL) had two of them, implemented in the core as pure IP routers. The worst thing in them was the BGP protocol. The router was unable to withstand 20+ peering sessions, most of them outgoing BGP sessions to customers, a few peerings, and only 1v2 incoming upstream providers. When there was instability/a surge in BGP updates, the router would break its own TCP sessions. Downloading the BGP table (150,000 prefixes) took 2h or more...

Things done in hardware should work, though (bridging.., maybe label switching, VPLS).

Tech support is very weak. Expect problems with interoperability.

Sorry to say that. It was 3+ years ago, maybe they have improved themselves.. :)

If you want 2 spare chassis, we have them free //

best regards
Piotr Sawicki
Trojan traffic from 115.100.250.112
Hello NANOG,

Yesterday we found some strange requests in our logs, typical of the Daonol Trojan. According to the logs, the infected computers are sending personal information such as search engine lookups and browsing history. The information is sent to 115.100.250.112.

Log entry for example:
GET http://115.100.250.112/x/?0ECiqocksamkpjqtnwhgrtieydpwgvnmktk2 HTTP/1.0..SS:

More information on the Daonol Trojan: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol

We've blocked all communication with this address.

Thank you,
Hadas Shany
CERT.GOV ISRAEL
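For readers who want to turn the indicator in the post above into a log check, here is an added example (editorial, not code from CERT.GOV Israel or from the original message). It scans proxy-style log lines for two things: the collection address 115.100.250.112 named in the post, and the shape of the request line the post quotes (path /x/ with one opaque alphanumeric token as the query). The URL-shape rule is an assumption generalised from that single request, not a published signature, and the sample log lines are constructed for the example; only the first request line is the one from the post.

```python
import re
from urllib.parse import urlsplit

# Indicator taken from the post: the address the infected hosts report to.
DAONOL_C2_IPS = {"115.100.250.112"}

# Assumed pattern generalised from the single request line in the post:
# path "/x/" with a query string that is one opaque alphanumeric token.
# This is an editorial assumption for the example, not a published signature.
DAONOL_PATH_RE = re.compile(r"^/x/$")
DAONOL_QUERY_RE = re.compile(r"^[A-Za-z0-9]{16,}$")

# Request line as it appears in proxy-style logs that record the full URL.
REQUEST_RE = re.compile(r"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d")


def classify(line):
    """Return (reason, url) if the line matches a Daonol indicator, else None.

    The destination host is checked first (hard indicator from the post), then
    the URL shape, so traffic to a relocated collection server is still flagged."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url)
    if (parts.hostname or "") in DAONOL_C2_IPS:
        return ("known-c2-ip", url)
    if DAONOL_PATH_RE.match(parts.path) and DAONOL_QUERY_RE.match(parts.query):
        return ("daonol-url-pattern", url)
    return None


def scan(lines):
    """Run classify() over log lines; return [(line number, reason, url), ...]."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        hit = classify(line)
        if hit is not None:
            hits.append((lineno, hit[0], hit[1]))
    return hits


def infected_clients(lines):
    """Sorted list of source addresses (first field of each matching line)."""
    return sorted({lines[n - 1].split()[0] for n, _, _ in scan(lines)})


# Constructed sample log lines in a common 'client - - [time] "request" status bytes'
# shape. The first request line is the one from the post; the rest are made up.
SAMPLE_LOG = [
    '10.0.0.12 - - [08/Mar/2010:09:14:02 +0200] "GET http://115.100.250.112/x/?0ECiqocksamkpjqtnwhgrtieydpwgvnmktk2 HTTP/1.0" 200 312',
    '10.0.0.15 - - [08/Mar/2010:09:14:05 +0200] "GET http://www.example.com/index.html HTTP/1.1" 200 5120',
    '10.0.0.33 - - [08/Mar/2010:09:15:41 +0200] "GET http://198.51.100.7/x/?QWERTYUIOPASDFGHJKLZXCVBNM123456 HTTP/1.0" 200 298',
    '10.0.0.33 - - [08/Mar/2010:09:16:00 +0200] "POST http://www.example.com/login HTTP/1.1" 302 0',
    # Web-server style line with a relative URL: the shape check still applies.
    '10.0.0.40 - - [08/Mar/2010:09:17:13 +0200] "GET /x/?abcdefghijklmnopqrstuv HTTP/1.0" 200 301',
]

if __name__ == "__main__":
    for lineno, reason, url in scan(SAMPLE_LOG):
        print(f"line {lineno}: {reason}: {url}")
    print("hosts to isolate:", ", ".join(infected_clients(SAMPLE_LOG)))
```

Blocking the address, as the post says was done, stops the exfiltration but not the infection; the second function gives the list of internal hosts that still need cleaning. The URL-shape rule will catch a server move but also anything else that happens to use /x/?token, so treat its hits as leads to confirm, not as a blocklist feed.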
Re: Locations with no good Internet
On 3/6/2010 7:28 AM, Joel Snyder wrote:
> Patrick Giagnocavo patr...@zill.net wrote:
>> Isn't this really an issue (political) with tariffed T1 prices rather than a technical problem? I was told that most T1s are provisioned over a DSLAM these days anyways, and that the key difference between T1 and DSL was the SLA (99.99% guarantee vs. when we get it fixed).
>
> I don't know about anything other than Qwest-land in Arizona, but we are seeing the few T1s that are still in service provisioned as you described: a 2-wire DSL connection, although not out of a local DSLAM.

Here in Maine, they use HDSL (two pair) to supply T1. They put repeaters down the line or work it out of a SLICK. The bridge taps and side taps are removed from the loops (conditioned) and then there's the SLA. I learned to always have a spare CSU/DSU on site.

--Curtis
Re: IP4 Space
On Sat, 6 Mar 2010, Shon Elliott wrote:
> I would love to move to IPv6. However, the IPv6 addressing, I have to say, is really tough to remember and understand for most people.

Hi Shon. But we have a system in place which allows non-technical people to ignore IP addresses entirely. Up to this point the ease of remembering IPv4 addresses has allowed their use to leak out in to the user community. It is quite common today for users to ssh to servers by IP address in many organisations. I consider this an historical accident. When setting up or upgrading corporate networks (even for small companies) I use split-view DNS. I like to point out that once IPv6 is mainstream no one is going to remember IP addresses ever again :)

> Whereas a four number dotted quad was easy to remember, an IPv6 address.. not so much. I wished they had made that a little easier when they were drafting up the protocol specs.

I don't believe making it easier for humans to remember or understand IP addresses would have been a good design criterion. IP addresses are principally designed for computers to understand. We humans have a parallel structure of names that we can use. In any case humans got a break with the :: notation in IPv6 :)

> basically, you need technical knowledge to even understand how the IP address is split up. I wished ARIN would waive the fee for service

That's actually still true in IPv4. A knowledgeable user may be able to ping an IP address but few of them will understand the concept of a subnet.

Cheers,
Rob
--
Email: rob...@timetraveller.org
IRC: Solver
Web: http://www.practicalsysadmin.com
I tried to change the world but they had a no-return policy
Re: IP4 Space
On 08/03/2010 16:52, Robert Brockway wrote:
> On Sat, 6 Mar 2010, Shon Elliott wrote:
>> I would love to move to IPv6. However, the IPv6 addressing, I have to say, is really tough to remember and understand for most people.
>
> Hi Shon. But we have a system in place which allows non-technical people to ignore IP addresses entirely. Up to this point the ease of remembering IPv4 addresses has allowed their use to leak out in to the user community. It is quite common today for users to ssh to servers by IP address in many organisations. I consider this an historical accident.

It's also not that difficult to remember.. your prefix never changes so that's the first 48-64 bits taken care of. The rest you can make human readable if you want - I know people that use prefix::53 for their nameserver, prefix::80 for their webserver, etc. It's all about how you use it. Personally I use DNS.. that's what it's for.

Tony
RE: Best VPN Appliance
We're generally happy with our Juniper SA6500s, but they, and a lot of the other SSL VPN vendor appliances, will not support IPSec. Cisco's ASA does, but it's less feature-rich in the SSL VPN arena. The Juniper was the most mature and flexible of all the offerings we looked at, but also the most expensive, and it's not perfect either. Having migrated from Cisco's 3000 series appliances, the current SSL VPNs are a totally different mindset and about two orders of magnitude more complicated. Have a very good understanding of exactly what problem you're trying to solve with the product and what kind of policies and requirements you have to meet, or it's going to be a mess. I can answer more specific questions on our experiences and testing off-list.

--
Toivo Voll
University of South Florida Information Technology Communications

-----Original Message-----
From: Chris Campbell [mailto:chris.campb...@nebulassolutions.com]
Sent: Friday, March 05, 2010 11:36 AM
To: Dawood Iqbal
Cc: nanog@nanog.org
Subject: Re: Best VPN Appliance

> The Juniper SA is by far and away the market leader and in my opinion the best end user experience.
>
> On 5 Mar 2010, at 15:57, Dawood Iqbal wrote:
>> Hello All,
>> Is it possible to get your ideas on what VPN appliances are good to have in enterprise network?
>> Requirements are;
>> - SSL
>> - IPSec
>> - Client and Web VPN support (Win/MAC/iPhone/Android)
>> - If webvpn is used, then when any user connects via webvpn, we should be able to re-direct him to any and ONLY specific application i.e SAP.
>> - If 2 boxes are installed then they should replicate data seamlessly.
>> Regards,
>> dI
Re: Best VPN Appliance
Toivo,

The SA Series absolutely supports IPsec if you are using Network Connect. It defaults to using IPsec and if that is not supported then it will fall back to SSL. Of course, NC is not as secure as W-SAM, J-SAM, or Core Access in terms of role and resource granularity control, but the support for IPsec is absolutely there.

HTHs.

Stefan Fouant

Sent from my Verizon Wireless BlackBerry
RE: Best VPN Appliance
There is also the fact to consider that Cisco has said there will be no support for Windows 64-bit on their IPSEC client; they are pushing people who want to use Windows 64-bit or other OSs to the AnyConnect (an SSL-based clientless IPSEC), so in the future the argument for having a separate box for client-based IPSEC will be moot.

Orin
RE: Best VPN Appliance
I've used the Cisco ASAs without issue. Cisco flamers need not respond. :P This is a bit of a loaded question though.

- Brian
RE: Best VPN Appliance
The beta 64-bit VPN client has been released, FYI.

Mike
Re: Best VPN Appliance
Cisco has released a beta version of their 64-bit IPSec client for Windows 7.

--
Brandon Ewing (nicot...@warningg.com)
RE: Best VPN Appliance
> There is also the fact to consider that Cisco has said there will be no support for Windows 64-bit on their IPSEC client [...]

Amazingly, and to many people's great surprise, Cisco recently made available a beta version of the IPSEC VPN client that supports 64-bit.

~JasonG
RE: Best VPN Appliance
Thanks for the information. I am just going on what we have been formally told by our onsite Cisco engineers on several occasions. It may be that they were misinformed, or that they are trying to make the sale for AnyConnect licensing, but I had been going with the facts I had. I am glad there is a 64-bit in beta, at least; now I don't have to migrate all those people off the ASAs right away.

Orin
Re: Best VPN Appliance
If you can use 3rd party VPN clients, the ShrewSoft IPSec client on Windows 7 works great with Cisco concentrators. http://www.shrew.net/software
Re: Best VPN Appliance
We've been running various Fortinet Fortigate appliances since 2003 and have had very good luck with them. Clustering is plug-and-play... boxes act as a single managed unit and do stateful failover of VPN connections. We use the IPsec for site-to-site between our offices and our data centers; the SSL VPN we use for all of our road tunnels. SSL clients work great on WinXP, Win7 and OS X. There's a new iPhone app as well for the web-based VPN.

-J

Jason J. W. Williams, COO/CTO
DigiTar
william...@digitar.com
V: 208.343.8520 F: 208.322.8522 M: 208.863.0727
www.digitar.com
Re: Best VPN Appliance
Why would you migrate them away instead of buying a $150/$250 one-time license?

tv
PPP+RADIUS - routing subnets to end users - Framed-Route vs. Framed-IP-Netmask
Scenario: with the help of RADIUS, routing subnets to end users connecting via PPP.

Discussion: pros/cons of using Framed-IP-Address+Framed-Route versus Framed-IP-Address+Framed-IP-Netmask.

We're talking here in generic terms, so as far as the behaviour of the LNS or access concentrator or whatever else is receiving the Access-Accept and terminating the PPP session, we're assuming more or less sane behaviour, roughly as follows.

In the first alternative, the IP address on the PPP link is outside the subnet indicated by Framed-Route and one or more subnets are routed via the link; one such subnet per Framed-Route attribute.

In the second alternative, the one subnet routed is that which contains the Framed-IP-Address and is as large as the Framed-IP-Netmask indicates.

I'm arguing to a colleague that the first alternative is better, that non-/32 netmasks on a PPP link make no sense (since netmasks on point-to-point links don't matter anyway), that the second alternative doesn't allow users to make use of their allocated space as easily and effectively as the first alternative, and that the second alternative is limited to routing one subnet (though you might be able to mix Framed-IP-Netmask and Framed-Route together?).

Comments? How are others doing it and why?

Erik
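To make the two alternatives in the post above concrete, here is an added example (editorial, not code from the poster or from any LNS) that takes the attributes of an Access-Accept and works out what a sanely behaving LNS would put in its routing table under each scheme. It parses Framed-Route in the RFC 2865 text form ("prefix/len gateway metric", where a gateway of 0.0.0.0 means the peer's Framed-IP-Address), derives the single routed subnet from Framed-IP-Netmask, and handles a reply that carries both. It also adds the check a practitioner wants on either scheme: whatever the RADIUS server hands back ends up in the LNS routing table, so a mis-provisioned or forged attribute that names your own address pool or backbone range must be refused rather than installed. The PROTECTED prefixes and all attribute values are constructed for the example; the choice to treat a Framed-Route with no length as a /32 host route and to reject prefixes with host bits set is the example's own, not something the RFC mandates.

```python
import ipaddress

# Constructed infrastructure prefixes that must never be routed towards a subscriber:
# the pool the PPP link addresses are drawn from, and an internal backbone range.
# Both are assumptions for this example, not values from the post.
PROTECTED = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]


def parse_framed_route(text, framed_ip):
    """Parse one RFC 2865 Framed-Route value: '<prefix>[/len] <gateway> [<metric> ...]'.

    A gateway of 0.0.0.0 means the peer's own Framed-IP-Address (RFC 2865, 5.22).
    A prefix with host bits set is rejected rather than silently masked; a missing
    length is taken as /32 (host route); only the first metric is used. Those three
    choices are this example's, not the RFC's."""
    fields = text.split()
    if len(fields) < 2:
        raise ValueError(f"malformed Framed-Route {text!r}")
    prefix = ipaddress.ip_network(fields[0], strict=True)
    gateway = ipaddress.ip_address(fields[1])
    if gateway == ipaddress.ip_address("0.0.0.0"):
        gateway = framed_ip
    metric = int(fields[2]) if len(fields) > 2 else 1
    return prefix, gateway, metric


def check_not_protected(prefix):
    """Refuse any subscriber route that overlaps infrastructure space.

    Whatever the RADIUS server says ends up in the LNS routing table, so a
    mis-provisioned (or forged) attribute could otherwise hijack your own prefixes."""
    for p in PROTECTED:
        if prefix.overlaps(p):
            raise ValueError(f"refusing route {prefix}: overlaps protected prefix {p}")


def plan_routes(accept):
    """Return (link address, [(prefix, next hop, metric), ...]) for an Access-Accept.

    Framed-IP-Netmask, if present and not /32, yields one routed subnet containing
    the link address (alternative 2). Each Framed-Route yields one routed prefix via
    the link (alternative 1). Both may be present; the netmask route comes first."""
    framed_ip = ipaddress.ip_address(accept["Framed-IP-Address"])
    mask = accept.get("Framed-IP-Netmask", "255.255.255.255")
    link = ipaddress.ip_interface(f"{framed_ip}/{mask}")
    routes = []

    if link.network.prefixlen < 32:
        check_not_protected(link.network)
        routes.append((link.network, framed_ip, 1))

    for text in accept.get("Framed-Route", []):
        prefix, gateway, metric = parse_framed_route(text, framed_ip)
        if framed_ip in prefix:
            # The post's stated assumption: the link address lies outside routed prefixes.
            raise ValueError(f"link address {framed_ip} lies inside routed prefix {prefix}")
        check_not_protected(prefix)
        routes.append((prefix, gateway, metric))
    return link, routes


def accepted(accept):
    """True if plan_routes() would install the reply, False if it rejects it."""
    try:
        plan_routes(accept)
        return True
    except ValueError:
        return False


# Constructed Access-Accept attribute sets (values made up for the example).
ACCEPT_ROUTE = {
    "Framed-IP-Address": "192.0.2.10",
    "Framed-Route": ["198.51.100.0/27 0.0.0.0 1", "203.0.113.64/26 0.0.0.0 1"],
}
ACCEPT_NETMASK = {
    "Framed-IP-Address": "198.51.100.1",
    "Framed-IP-Netmask": "255.255.255.224",
}
# Pool address with a wide netmask: alternative 2 would route part of the pool itself.
ACCEPT_NETMASK_BAD = {
    "Framed-IP-Address": "192.0.2.12",
    "Framed-IP-Netmask": "255.255.255.0",
}
# Framed-Route that would pull backbone traffic towards a subscriber.
ACCEPT_HIJACK = {
    "Framed-IP-Address": "192.0.2.11",
    "Framed-Route": ["10.20.0.0/16 0.0.0.0 1"],
}

if __name__ == "__main__":
    for name, accept in [("Framed-Route", ACCEPT_ROUTE), ("Framed-IP-Netmask", ACCEPT_NETMASK)]:
        link, routes = plan_routes(accept)
        print(f"{name}: link {link}")
        for prefix, nexthop, metric in routes:
            print(f"  ip route {prefix} via {nexthop} metric {metric}")
    print("pool-netmask reply accepted:", accepted(ACCEPT_NETMASK_BAD))
    print("backbone-hijack reply accepted:", accepted(ACCEPT_HIJACK))
```

The two rejected cases show why the protected-prefix check matters more under the netmask scheme: with Framed-Route the link address is a /32 drawn from the pool and the routed prefixes are customer space, so a bad reply has to name an infrastructure prefix outright; with Framed-IP-Netmask the routed subnet is carved around the link address itself, so a simple typo in the mask on a pool address quietly routes a slice of the pool to one subscriber.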
Re: PPP+RADIUS - routing subnets to end users - Framed-Route vs. Framed-IP-Netmask
We've always considered the WAN and LAN to be different objects, so our history is to prefer the method you think is 'better.' Seems this model has been around since the dialin days. We also have customers with multiple routes, so it seems a logical separation. Failover might be a bit more flexible too since you can control some parameters of the Framed-Route. I know some people use RFC1918 addresses for WAN, which might be a factor (we do not). Perhaps in some network strategies the lines between WAN and LAN may be a bit more blurred than ours.

George