wanted: your old NAT home router

2010-04-29 Thread Lars Eggert
Hi,

for a measurement study done together with Markku Kojo's team at the University 
of Helsinki, we're looking to collect as many different NAT home routers as 
possible. If you have an old clunker lying around somewhere, please contact me 
off-list. I'll cover shipping via DHL. Feel free to forward this email as you 
see fit.

The boxes will find a permanent home at the University of Helsinki. Study 
results will be published openly. The intent is that this collection become a 
resource for the community to be shared for future studies. 

Caveat: The boxes should NAT between Ethernet interfaces - we don't have DSL or 
cable access equipment in the lab setup at the moment.

Thanks,
Lars



Re: SMW4 Routing Implications

2010-04-29 Thread Randy Bush
 What have been the routing implications in regards to internet traffic
 with SMW4 cable being down?

though i am sure there are experts who will answer, that question is not
formally answerable as
  o if you are strictly talking about routing, then we have a problem of
visibility.  i.e. the edge paths do not show up in monitors.
  o if you are talking about traffic, then looking at routing only gives
a small clue and very very far from a rigorous answer.

randy



Re: wanted: your old NAT home router

2010-04-29 Thread Phil Regnauld
Lars Eggert (lars.eggert) writes:
 Hi,
 
 for a measurement study done together with Markku Kojo's team at the 
 University of Helsinki, we're looking to collect as many different NAT home 
 routers as possible. If you have an old clunker lying around somewhere, 
 please contact me off-list. I'll cover shipping via DHL. Feel free to forward 
 this email as you see fit.
 
 The boxes will find a permanent home at the University of Helsinki. Study 
 results will be published openly. The intent is that this collection become a 
 resource for the community to be shared for future studies. 
 
 Caveat: The boxes should NAT between Ethernet interfaces - we don't have DSL 
 or cable access equipment in the lab setup at the moment.

What about getting someone to donate an old DSLAM ?  Wouldn't that help ?

Phil



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Mark Smith
On Thu, 29 Apr 2010 10:33:02 +1000
Mark Andrews ma...@isc.org wrote:

 
 In message a3f2ff6f-afe3-4ed1-ad33-5b6277249...@virtualized.org, David 
 Conrad writes:
  Mark,
  
  On Apr 28, 2010, at 3:07 PM, Mark Andrews wrote:
   Perhaps the ability to change service providers without having to 
   renumber?
   
   We have that ability already.  Doesn't require NAT.
  
  Cool!  You've figured out, e.g., how to renumber authoritative name 
  servers that you don't have direct control over!
 
 Don't do that.  It was a deliberate design decision to use names
 rather than IP addresses in NS records.  This allows the operators
 of the nameservers to change their addresses when they need to.
 
 B.T.W. we have the technology to automatically update delegations
 if we need to and have for the last 10 years.  People just need to
 stop being scared about doing it.
 
  And modify filter lists on firewalls across an enterprise network!  And 
  remotely update provisioning systems and license managers without 
  interrupting services!  Etc., etc.
  
  http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt
  
  A tiny home office network managed by a highly technical individual with 
  full control over all aspects of the network is not a good model on 
  which to base the definition of we.
  
  Regards,
  -drc
 
 Well if you insist on using IP addresses rather than real crypto for access
 control.
 

I suppose it'll protect us when Skynet emerges.

I think the current security threat is the people behind the
machines, not the machines themselves and their IP addresses.

Regards,
Mark.



Re: wanted: your old NAT home router

2010-04-29 Thread Lars Eggert
Hi,

On 2010-4-29, at 13:49, Phil Regnauld wrote:
   What about getting someone to donate an old DSLAM ?  Wouldn't that help ?

it certainly would, in the longer term. I've also been pointed at mini-DSLAMs 
that are reasonably cheap.

(We're planning to have a first draft study ready mid-May, and for that, the 
best we can do is add more Ethernet-Ethernet NATs to the testbed.)

Lars



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Mark Smith
On Wed, 28 Apr 2010 17:04:25 -0500
Dave Pooser dave.na...@alfordmedia.com wrote:

  IPv6's fundamental goal is to restore end-to-end.
 
 For some. For many, IPv6's fundamental goal is to keep doing what we've been
 doing without running out of addresses. The fact that the two camps have
 orthogonal goals is probably part of the reason the rate of growth on IPv6
 is so slow.

Well, they should realise that end-to-end is what made the Internet the
success in the first place. On the Original Internet, when you had an
IP address, one moment you could be a client, another you could be a
server, or another you could be a peer - or you could be any or all
three roles at the same time. What role you wanted to play was
completely and absolutely up to you - no third parties to ask
permission of, no router upgrades involved. You just started the
(client/server/peer-to-peer) software, and off you went.

The applications exist at the edge of the Internet - in the software
operating on the end-nodes. The Internet itself is supposed to
be a dumb, best effort packet transport between the edges - nothing
more. That is why the Original Internet was good at running any
application you threw at it, including new ones - because it never
cared what those applications were. It just tried to do its job of
getting packets from edge sources to edge destinations, regardless of
what was in them.


Re: [Re: http://tools.ietf.org/search/draft-hain-ipv6-ulac-01]

2010-04-29 Thread Mark Smith
On Mon, 26 Apr 2010 07:46:04 -0700
Jim Burwell j...@jsbc.cc wrote:

  
 On 4/26/2010 03:36, Mikael Abrahamsson wrote:
  On Sun, 25 Apr 2010, Owen DeLong wrote:
 
  I fail to see how link local is any more difficult than any
  other IPv6 address.
 
  They're different because you have to know your local network
  interface name as well.
 
  Windows might get interesting as windows interface naming is,
  uh, creative at best.
 
  Exactly.
 
 Installation software could make this easy.  It could either prompt
 the user to type in the address on a sticker then enumerate all
 interfaces on the system and attempt to contact the router on each NIC.
 
 Another possibility is that it could enumerate all the interfaces,
 then use the IPv6 link-local scope all routers multicast (ff02::2) to
 enumerate a list of routers found on each link, sort them and/or
 filter them by ethernet OUI, and present a list of choices for the
 user to click on to configure the router.  The user could also easily
 match the enet address on a little slip of paper or sticker on the
 router to this list, or through some initial settings on the router
 which allow info to be pulled from it somehow, present a list of
 unconfigured routers, etc, etc.
 
 Point is, I can imagine a lot of ways this could be made user-proof
 via software/firmware combination that requires no advanced networking
 knowledge.
 

It's called multicast DNS. It's easier for that to deal just with
vanilla IPv6 addresses (i.e. via application calls to getaddrinfo()),
rather than IPv6 LL addrs + interface names.




Re: Anyone from UUNET.CA around.

2010-04-29 Thread John Peach
On Thu, 29 Apr 2010 10:56:03 +1000
Mark Andrews ma...@isc.org wrote:

 
 --- Forwarded Message
[snip]
 
 n...@uunet.ca: host firewall.verizonbusiness.com[199.249.25.205] said: 530
 5.7.1 This system is not an open relay.: n...@uunet.ca (in reply to RCPT TO
 command)

I sent verizonbusiness a complaint about spam yesterday and they were
so clueful that they forwarded it to the abuse address where I sent the
complaint from, rather than the origin of the spam. Not only did they
screw that up, but nothing was redacted, making it a worthless
complaint even if they had managed to read the headers.

[snip]




RE: Starting up a WiMAX ISP

2010-04-29 Thread Varaillon Jean Christophe
Hi,


Based on what the market currently offers and what your potential customers
need, you can figure out the packages that you could sell (Internet,
VoIP, VPN, guaranteed bandwidth...). This would give you the resources that
should be considered per customer. It would also give you a hint to select
the CPE (WiFi, POTS, firewall...).

Then, it is necessary to locate, physically, the area with the greatest
potential of getting customers. This would give an idea of where the
base stations should be located, how many customers would be aggregated at one Base
Station (having in mind how many customers will be connected concurrently)
and how much downlink traffic is to be expected.

In case you go for a model where the ASN-GW is centralized, all the traffic
has to go from each base station to the ASN-GW. The backhauling could be
done using an Ethernet RF point-to-point link, re-using the mast where the
WiMAX antenna is.

The ASN site aggregates all the backhaul links into a switch, which then
connects to the ASN-GW (BRAS-like). This is where the AAA, (DHCP), DNS, NTP,
NMS/EMS are also located.

In my opinion, the critical point really resides on the radio part (license,
authorization, legal complaints, interference...).


Jean-Christophe VARAILLON

-Original Message-
From: Alexander Harrowell [mailto:a.harrow...@gmail.com] 
Sent: Wednesday, April 28, 2010 2:29 PM
To: nanog@nanog.org
Subject: Re: Starting up a WiMAX ISP

On Wednesday 28 April 2010 03:13:24 John R. Levine wrote:
  Of course what they offer over those long long rural runs and what they
  can actually provide are two different things.  DSL performance
  decreases with distance rather dramatically..
 
 That's what I thought, but my friend out on the sheep farm in the next 
 county says he gets 3Mb just like I do in the village three blocks 
 from the CO.  (Yes, he knows what he's talking about.)  They must 
 spend a lot on repeaters and concentrators.
 
 R's,
 John
 
 

There is a great deal of relevant experience here: 
http://www.wirelesscowboys.com/
--
The only thing worse than e-mail disclaimers...is people who send e-mail to
lists complaining about them




RE: [only half OT] A socio-psychological analysis of the first internetwar (Estonia)

2010-04-29 Thread Michael Smith
No GPL for the full paper, huh?  Back to the cathedral  

What's the toll in case I can get some buddies to pitch-in to buy access
to the full content?



-Original Message-
From: Gadi Evron [mailto:g...@linuxbox.org] 
Sent: Wednesday, April 28, 2010 11:51 PM
To: NANOG
Subject: [only half OT] A socio-psychological analysis of the first
internetwar (Estonia)

Hi,

In the past year I have been working in collaboration with psychologists
Robert Cialdini and Rosanna Guadagno on a paper analyzing some of what I
saw from the social perspective in Estonia, when I wrote the post-mortem
analysis for the 2007 attacks, but didn't understand at the time.

Aside from botnets and flood-based attacks, many of the attacks were 
live mobs, or an online riot if you like, where individuals simply 
sent pings toward Estonian addresses. While it doesn't seem like pings 
would cause so much damage -- en masse they certainly did. Then of 
course, there is also the psychological aspect...

... When everyone and their grandmother attacked with pings, spammers, 
professionals and others who know what they are doing then got involved,
attacking using more sophisticated tools.

We analyze how the Russian-speaking population online was manipulated to
attack Estonia (and Georgia) in the cyber war incidents, and how it 
could happen again (regardless of whether any actor is behind it).

The psychological aspect of this is indeed off-topic to NANOG, but the 
attack is analogous to network peak usages with user interest in 
high-bandwidth content, and how large networks prepare for such peaks.

This is about the DDoS attacks, and how a human DDoS has been and can be
initiated again. It also underscores the power of individual activism 
on the internet, and how it can also be abused.

I hope some here would find the research useful for their own interest, 
if nothing else. Otherwise, sorry for wasting your bandwidth and thanks 
for your time.

Article on El Reg:
http://www.theregister.co.uk/2010/04/28/web_war_one_anonymity/

Paper (for download with pay :( ):
http://www.liebertonline.com/doi/abs/10.1089/cyber.2009.0134

Thanks, and any comments appreciated. If on psychology, please do it 
off-list, though.

Gadi.

-- 
Gadi Evron,
g...@linuxbox.org.

Blog: http://gevron.livejournal.com/




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Bill Stewart
On Tue, Apr 27, 2010 at 3:24 PM, Owen DeLong o...@delong.com wrote:
 Here's an exercise.  Wipe a PC.  Put it on that cable modem with no 
 firewall.  Install XP on it.  See if you can get any service packs installed 
 before the box is infected.
 1.      Yes, I can.  I simply didn't put an IPv4 address on it. ;-)
 2.      I wouldn't hold XP up as the gold standard of hosts here.

One of my coworkers was IPv6ing his home network.  He had to turn off
the Windows firewall on the machine with the IPv6 tunnel for a couple
of minutes to install some stubborn software.  Then he had to reimage
the box because it was pwned, and he's pretty sure that the infection
came in over the IPv6 tunnel, not the hardware-firewalled IPv4.

-- 

 Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Paul Timmins

David Conrad wrote:

 On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
  I don't understand why anyone thinks NAT should be a fundamental part of the v6 internet 

 Perhaps the ability to change service providers without having to renumber?

Number your internal network on ULA, and put public addresses on your 
machines as well.

RFC 3484 support in your OS will cause your machine to use ULA to talk to 
other ULA interfaces, and the public IP to the rest of the internet.

If you change ISPs, send out an RA with the new addresses, wait a bit, 
then send out an RA with lifetime 0 on the old address. All the machines 
should drop their old ISP's IP, and start using the new ISP, as well as 
continue using ULA like nothing's changed for the internal file 
sharing/printing/whatever.

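The recipe above, worked through on the host side as an added example (this is not code from the thread or from any poster). It models the two pieces the recipe relies on: the RFC 3484 source-address selection rules that make a ULA source win for ULA destinations while the public address wins for the rest of the internet, and the RFC 4862 prefix-lifetime handling that a "lifetime 0" RA triggers. The addresses (2001:db8::/32 documentation space and an arbitrary fd12::/48 ULA) are constructed sample data, and nothing here touches the wire. One practitioner caveat is built in: an unauthenticated RA can deprecate an address immediately (preferred lifetime 0), but RFC 4862 clamps a valid lifetime under two hours, so the old address stays valid for up to two hours, and so an on-link attacker spoofing such an RA can degrade but not instantly invalidate your addressing.

```python
"""Model of ULA + public renumbering: RFC 3484 source selection and
RFC 4862 prefix-lifetime handling on constructed sample addresses."""
import ipaddress
from dataclasses import dataclass

IPv6, Net = ipaddress.IPv6Address, ipaddress.IPv6Network
LINK_LOCAL = Net("fe80::/10")
TWO_HOURS = 7200

# RFC 3484 section 2.1 default policy table: (prefix, precedence, label).
# ULA (fc00::/7) has no row of its own, so it falls under ::/0 like any global.
POLICY = [(Net("::1/128"), 50, 0), (Net("::/0"), 40, 1), (Net("2002::/16"), 30, 2),
          (Net("::/96"), 20, 3), (Net("::ffff:0:0/96"), 10, 4)]


def label(addr):
    """Label of the longest matching policy-table row."""
    return max((row for row in POLICY if addr in row[0]), key=lambda r: r[0].prefixlen)[2]


def scope(addr):
    """RFC 3484 treats ULA as global scope (0xe); only link-local is smaller (0x2)."""
    return 0x2 if addr in LINK_LOCAL else 0xe


def common_prefix_len(a, b):
    """Number of leading bits two addresses share (used by RFC 3484 rule 8)."""
    return 128 - (int(a) ^ int(b)).bit_length()


@dataclass
class Addr:
    address: IPv6
    prefix: Net
    preferred: int  # remaining preferred lifetime in seconds; 0 => deprecated
    valid: int      # remaining valid lifetime in seconds; 0 => invalid


class Host:
    def __init__(self, addrs):
        self.addrs = list(addrs)

    def process_ra_prefix(self, prefix, preferred, valid, authenticated=False):
        """Apply one RA Prefix Information option per RFC 4862 5.5.3(e).

        Preferred lifetime is taken as-is, so 0 deprecates at once (what the
        recipe relies on).  Valid lifetime is clamped to two hours unless the
        RA is authenticated, so a spoofed 'lifetime 0' RA cannot instantly
        invalidate addresses."""
        for a in self.addrs:
            if a.prefix != prefix:
                continue
            a.preferred = preferred
            if valid > TWO_HOURS or valid > a.valid or authenticated:
                a.valid = valid
            elif a.valid > TWO_HOURS:
                a.valid = TWO_HOURS
            # else: remaining valid lifetime is already <= 2h; ignore the option

    def select_source(self, dst):
        """RFC 3484 section 5, rules 1, 2, 3, 6 and 8 (the ones that matter here)."""
        def rank(a):
            s, d = scope(a.address), scope(dst)
            return (a.address == dst,                    # rule 1: same address
                    (s >= d, -s if s >= d else s),       # rule 2: smallest adequate scope
                    a.preferred > 0,                     # rule 3: avoid deprecated
                    label(a.address) == label(dst),      # rule 6: matching label
                    common_prefix_len(a.address, dst))   # rule 8: longest match
        usable = [a for a in self.addrs if a.valid > 0]
        return max(usable, key=rank).address


def renumber_demo():
    """Walk the recipe: ULA + old ISP, new ISP RA, then old prefix with lifetime 0."""
    ula, old, new = (Net("fd12:3456:789a:1::/64"), Net("2001:db8:aaaa:1::/64"),
                     Net("2001:db8:cccc:1::/64"))
    host = Host([Addr(IPv6("fe80::10"), Net("fe80::/64"), 2**32 - 1, 2**32 - 1),
                 Addr(IPv6("fd12:3456:789a:1::10"), ula, 604800, 2592000),
                 Addr(IPv6("2001:db8:aaaa:1::10"), old, 604800, 2592000)])
    printer, internet = IPv6("fd12:3456:789a:1::20"), IPv6("2001:db8:bbbb::1")
    before = (host.select_source(printer), host.select_source(internet))
    # New ISP's RA arrives: SLAAC forms an address from the new prefix.
    host.addrs.append(Addr(IPv6("2001:db8:cccc:1::10"), new, 604800, 2592000))
    # Old ISP prefix withdrawn: unauthenticated RA with preferred and valid lifetime 0.
    host.process_ra_prefix(old, preferred=0, valid=0)
    after = (host.select_source(printer), host.select_source(internet))
    old_addr = next(a for a in host.addrs if a.prefix == old)
    return before, after, old_addr.preferred, old_addr.valid


if __name__ == "__main__":
    print(renumber_demo())
```

Running it shows the ULA source chosen for the ULA destination both before and after the change, the internet-facing source flipping from the old ISP's address to the new one once the old prefix is deprecated, and the old address still valid (two hours left) because the RA was not authenticated.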



Re: [Re: http://tools.ietf.org/search/draft-hain-ipv6-ulac-01]

2010-04-29 Thread Owen DeLong

On Apr 29, 2010, at 4:26 AM, Mark Smith wrote:

 On Mon, 26 Apr 2010 07:46:04 -0700
 Jim Burwell j...@jsbc.cc wrote:
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 4/26/2010 03:36, Mikael Abrahamsson wrote:
 On Sun, 25 Apr 2010, Owen DeLong wrote:
 
 I fail to see how link local is any more difficult than any
 other IPv6 address.
 
 They're different because you have to know your local network
 interface name as well.
 
 Windows might get interesting as windows interface naming is,
 uh, creative at best.
 
 Exactly.
 
 Installation software could make this easy.  It could either prompt
 the user to type in the address on a sticker then enumerate all
 interfaces on the system and attempt to contact the router on each NIC.
 
 Another possibility is that it could enumerate all the interfaces,
 then use the IPv6 link-local scope all routers multicast (ff02::2) to
 enumerate a list of routers found on each link, sort them and/or
 filter them by ethernet OUI, and present a list of choices for the
 user to click on to configure the router.  The user could also easily
 match the enet address on a little slip of paper or sticker on the
 router to this list, or through some initial settings on the router
 which allow info to be pulled from it somehow, present a list of
 unconfigured routers, etc, etc.
 
 Point is, I can imagine a lot of ways this could be made user-proof
 via software/firmware combination that requires no advanced networking
 knowledge.
 
 
 It's called multicast DNS. It's easier for that to deal just with
 vanilla IPv6 addresses (i.e. via application calls to getaddrinfo()),
 rather than IPv6 LL addrs + interface names.
 
Actually, mDNS will handle IPv6 LL just fine.  The interface name is
automatically provided along with the scope in the return values from
getaddrinfo():

struct addrinfo {
    int ai_flags;              /* input flags */
    int ai_family;             /* protocol family for socket */
    int ai_socktype;           /* socket type */
    int ai_protocol;           /* protocol for socket */
    socklen_t ai_addrlen;      /* length of socket-address */
    struct sockaddr *ai_addr;  /* socket-address for socket */
    char *ai_canonname;        /* canonical name for service location */
    struct addrinfo *ai_next;  /* pointer to next in list */
};

struct sockaddr is an abstraction to an address-family specific structure.
The IPv6 structure (sockaddr_in6) is as follows:

struct sockaddr_in6 {
    __uint8_t       sin6_len;       /* length of this struct (sa_family_t) */
    sa_family_t     sin6_family;    /* AF_INET6 (sa_family_t) */
    in_port_t       sin6_port;      /* Transport layer port # (in_port_t) */
    __uint32_t      sin6_flowinfo;  /* IP6 flow information */
    struct in6_addr sin6_addr;      /* IP6 address */
    __uint32_t      sin6_scope_id;  /* scope zone index */
};


Note that the sockaddr_in6 structure will contain an in6_addr structure
and a sin6_scope_id (which specifies the scope of the address and
should, according to RFC 4007, contain enough information to identify
the zone (interface) as well).

Thus you should be able to pass the return value of getaddrinfo()
with an mDNS result containing a link local address to connect()
and expect it to work just fine.

Owen

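The same point from Python, as an added example that is not Owen's code or anything posted in the thread: the socket module hands sockaddr_in6 back as a (host, port, flowinfo, scope_id) tuple, getaddrinfo() fills sin6_scope_id from an RFC 4007 "%zone" suffix, and connect() takes that tuple unchanged. It assumes a Linux/BSD-style getaddrinfo() that accepts "%zone" with either an interface name or a numeric index; interface index 1 (normally loopback) is used only so the example runs without knowing the NIC names on the box. The practical check it adds: a link-local address with no zone is refused, because on a multi-interface host it is ambiguous, and the zone is not something an mDNS answer can tell you; it is the interface the answer arrived on.

```python
"""Link-local address plus zone -> sockaddr_in6 tuple -> connect(), in Python."""
import ipaddress
import socket


def sockaddr_for(addr, port, iface=None):
    """Turn 'addr' (optionally 'addr%zone') into a sockaddr_in6 tuple.

    For link-local addresses the zone is mandatory: if the string carries no
    '%zone', 'iface' (interface name or numeric index) must supply it."""
    host, _, zone = addr.partition("%")
    ip = ipaddress.IPv6Address(host)
    if ip.is_link_local and not zone:
        if iface is None:
            raise ValueError(f"{host} is link-local; a zone (interface) is required")
        addr = f"{host}%{iface}"
    # AI_NUMERICHOST: parse only, no DNS.  getaddrinfo() resolves the '%zone'
    # to an interface index and stores it in sin6_scope_id, which Python
    # exposes as the fourth element of the returned tuple.
    family, _, _, _, sockaddr = socket.getaddrinfo(
        addr, port, socket.AF_INET6, socket.SOCK_STREAM, 0, socket.AI_NUMERICHOST)[0]
    assert family == socket.AF_INET6
    return sockaddr  # (host, port, flowinfo, scope_id)


def connect_link_local(addr, port, iface=None, timeout=2.0):
    """connect() accepts the tuple as-is; no bind-to-interface is needed,
    because the kernel routes by scope_id."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(sockaddr_for(addr, port, iface))
    return sock


if __name__ == "__main__":
    print(sockaddr_for("fe80::1", 5353, iface=1))     # scope_id 1
    print(sockaddr_for("2001:db8::1", 443))           # scope_id 0, no zone needed
    try:
        sockaddr_for("fe80::1", 80)
    except ValueError as err:
        print("refused:", err)
```

A discovery client built on this would pass the interface it received the mDNS answer on as `iface`; carrying the numeric index in any on-wire protocol is wrong, since zone indices are meaningful only on the host that assigned them.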



Edu versus Speakeasy Speedtest

2010-04-29 Thread Murphy, William
I work for an Edu with multi-gigabit Internet connectivity and I get
questions from users saying Why am I only getting 14Mb when I run this
speed test?  I have got to believe that the various Internet speed tests
(Speakeasy or dslreports) are rate limited to prevent someone from shutting
them down.  I am able to get 300-400Mb running from a PC inside my network
to NDT servers located on Internet2, so that tells me my border and internal
network is healthy.  Can someone on this list shed some light regarding
reliability and accuracy of these various speed tests especially for an Edu
with lots'o bandwidth?  Thanks.

 

Bill Murphy

University of Texas Health Science Center - Houston

 





Re: Edu versus Speakeasy Speedtest

2010-04-29 Thread Robert Glover
Adjust your TCP window size.

-Original Message-
From: Murphy, William william.mur...@uth.tmc.edu
Date: Thu, 29 Apr 2010 10:53:01 
To: nanog@nanog.orgnanog@nanog.org
Subject: Edu versus Speakeasy Speedtest

I work for an Edu with multi-gigabit Internet connectivity and I get
questions from users saying Why am I only getting 14Mb when I run this
speed test?  I have got to believe that the various Internet speed tests
(Speakeasy or dslreports) are rate limited to prevent someone from shutting
them down.  I am able to get 300-400Mb running from a PC inside my network
to NDT servers located on Internet2, so that tells me my border and internal
network is healthy.  Can someone on this list shed some light regarding
reliability and accuracy of these various speed tests especially for an Edu
with lots'o bandwidth?  Thanks.

 

Bill Murphy

University of Texas Health Science Center - Houston

 






Re: Edu versus Speakeasy Speedtest

2010-04-29 Thread Bret Clark

All the new OSes (e.g. Windows 7) automatically adjust TCP window size.

Personally I've never found those website speed tests to be that accurate 
on fast connections (over 15Mbps full duplex).  The only way to really 
confirm bandwidth is by running iperf.



Robert Glover wrote:

Adjust your TCP window size.

-Original Message-
From: Murphy, William william.mur...@uth.tmc.edu
Date: Thu, 29 Apr 2010 10:53:01 
To: nanog@nanog.orgnanog@nanog.org

Subject: Edu versus Speakeasy Speedtest

I work for an Edu with multi-gigabit Internet connectivity and I get
questions from users saying Why am I only getting 14Mb when I run this
speed test?  I have got to believe that the various Internet speed tests
(Speakeasy or dslreports) are rate limited to prevent someone from shutting
them down.  I am able to get 300-400Mb running from a PC inside my network
to NDT servers located on Internet2, so that tells me my border and internal
network is healthy.  Can someone on this list shed some light regarding
reliability and accuracy of these various speed tests especially for an Edu
with lots'o bandwidth?  Thanks.

 


Bill Murphy

University of Texas Health Science Center - Houston

 






RE: Edu versus Speakeasy Speedtest

2010-04-29 Thread Blake Pfankuch
Agreed.  Most of the sites are not accurate for large bandwidth locations.  
Speedtest.net is Flash-based; however, I find it slightly more accurate up to 
about the 50-100 Mbit range.

-Original Message-
From: Bret Clark [mailto:bcl...@spectraaccess.com] 
Sent: Thursday, April 29, 2010 10:05 AM
To: nanog@nanog.org
Subject: Re: Edu versus Speakeasy Speedtest

All the new OSes (e.g. Windows 7) automatically adjust TCP window size.

Personally I've never found those website speed tests to be that accurate on 
fast connections (over 15Mbps full duplex).  The only way to really confirm 
bandwidth is by running iperf.


Robert Glover wrote:
 Adjust your TCP window size.

 -Original Message-
 From: Murphy, William william.mur...@uth.tmc.edu
 Date: Thu, 29 Apr 2010 10:53:01
 To: nanog@nanog.orgnanog@nanog.org
 Subject: Edu versus Speakeasy Speedtest

 I work for an Edu with multi-gigabit Internet connectivity and I get 
 questions from users saying Why am I only getting 14Mb when I run 
 this speed test?  I have got to believe that the various Internet 
 speed tests (Speakeasy or dslreports) are rate limited to prevent 
 someone from shutting them down.  I am able to get 300-400Mb running 
 from a PC inside my network to NDT servers located on Internet2, so 
 that tells me my border and internal network is healthy.  Can someone 
 on this list shed some light regarding reliability and accuracy of 
 these various speed tests especially for an Edu with lots'o bandwidth?  
 Thanks.

  

 Bill Murphy

 University of Texas Health Science Center - Houston

  





RE: Edu versus Speakeasy Speedtest

2010-04-29 Thread Scott Berkman
2 things.

1:  http://speakeasy.net/speedtest/issues.php   (See the section on
inaccurate results over 20Mbps and that the test is meant for residential
broadband services)

2:  Speakeasy is a commercial ISP for both residential and business users.
That means it is in their best interest to encourage you to purchase their
services.  I have no issues with Speakeasy and have used them personally
with great success in the past (great support but prices are a little high
for most residential users), but why would you test one provider's service
with a sales tool from another (competing) provider and expect accuracy?

-Scott

-Original Message-
From: Bret Clark [mailto:bcl...@spectraaccess.com] 
Sent: Thursday, April 29, 2010 12:05 PM
To: nanog@nanog.org
Subject: Re: Edu versus Speakeasy Speedtest

All the new OSes (e.g. Windows 7) automatically adjust TCP window size.

Personally I've never found those website speed tests to be that accurate 
on fast connections (over 15Mbps full duplex).  The only way to really 
confirm bandwidth is by running iperf.


Robert Glover wrote:
 Adjust your TCP window size.

 -Original Message-
 From: Murphy, William william.mur...@uth.tmc.edu
 Date: Thu, 29 Apr 2010 10:53:01 
 To: nanog@nanog.orgnanog@nanog.org
 Subject: Edu versus Speakeasy Speedtest

 I work for an Edu with multi-gigabit Internet connectivity and I get
 questions from users saying Why am I only getting 14Mb when I run this
 speed test?  I have got to believe that the various Internet speed tests
 (Speakeasy or dslreports) are rate limited to prevent someone from
shutting
 them down.  I am able to get 300-400Mb running from a PC inside my network
 to NDT servers located on Internet2, so that tells me my border and
internal
 network is healthy.  Can someone on this list shed some light regarding
 reliability and accuracy of these various speed tests especially for an
Edu
 with lots'o bandwidth?  Thanks.

  

 Bill Murphy

 University of Texas Health Science Center - Houston

  




Re: [Re: http://tools.ietf.org/search/draft-hain-ipv6-ulac-01]

2010-04-29 Thread Owen DeLong

On Apr 29, 2010, at 8:45 AM, Bill Stewart wrote:

 On Mon, Apr 26, 2010 at 7:20 AM, Stephen Sprunk step...@sprunk.org wrote:
 
 The vast majority of residential customers have a single subnet, so they
 can get by just fine using IPv6 link-local addresses.  The vanishingly
 small percentage that have multiple subnets are presumably savvy enough
 to set up ULA-R addresses.  There is no need for ULA-C in this scenario.
 
 Actually it's pretty common for residential customers to have multiple subnets,
 one wired and one wireless, even if they're both NAT'd to 192.168.x.x.
 They may or may not be doing anything with the wired subnet,
 and their wireless router may also be providing a wired subnet bridged
 with the wireless,

If it's bridged, they are not separate subnets. This is the most common
configuration. For one thing, if they are both NAT'd, things on wireless the
consumer expects to be able to talk to things on wired tend not to work. (This
is only partially due to NAT, but, largely due to lazy code that assumes
everything is on one subnet which is usually a safe assumption. The reason this
became a usually safe assumption is another example of damage done by NAT).

 and it's all happening in little consumer-appliance boxes that work by magic,
 but it's out there.
 

Not quite the way you seem to think it is.

Owen




International TE

2010-04-29 Thread Thomas Magill
I am interested in accepting international traffic from only one of our
secondary providers.  Most providers I have dealt with have a TE
community list which allows me to prepend or not advertise to their
upstream peers.  However, my primary provider does not have this.  My
goal is to not advertise internationally through this provider.  I am
considering just setting the communities for my provider's upstream
peers (about 7 of them) to tell them to not advertise internationally.
I am also trying to get my primary provider to implement this
functionality.

 

Are there any better ways to do this?  Also, if anyone has a
consolidated list of provider TE communities that would be a great
resource.

 

Thomas Magill
Network Engineer

Office: (858) 909-3777

Cell: (858) 869-9685
tmag...@providecommerce.com


provide-commerce 
4840 Eastgate Mall

San Diego, CA  92121

 

ProFlowers http://www.proflowers.com/  | redENVELOPE
http://www.redenvelope.com/  | Cherry Moon Farms
http://www.cherrymoonfarms.com/  | Shari's Berries
http://www.berries.com/ 

 



Re: Edu versus Speakeasy Speedtest

2010-04-29 Thread Stephen John Smoogen
On Thu, Apr 29, 2010 at 9:53 AM, Murphy, William
william.mur...@uth.tmc.edu wrote:
 I work for an Edu with multi-gigabit Internet connectivity and I get
 questions from users saying Why am I only getting 14Mb when I run this
 speed test?  I have got to believe that the various Internet speed tests
 (Speakeasy or dslreports) are rate limited to prevent someone from shutting
 them down.  I am able to get 300-400Mb running from a PC inside my network
 to NDT servers located on Internet2, so that tells me my border and internal
 network is healthy.  Can someone on this list shed some light regarding
 reliability and accuracy of these various speed tests especially for an Edu
 with lots'o bandwidth?  Thanks.



 Bill Murphy

 University of Texas Health Science Center - Houston



Best analogy I ever saw to teach PhDs why the net was slow:

Take a vacuum cleaner with extensions. Make a set of end connectors
from smaller and smaller tubes (garden hose, and straw I think they
were duct taped to vacuum cleaner ends). Have the complainer try to
clean up a mess with each of the ends. Ask them why it took much
longer with the straw versus the regular end. For the dimwitted (e.g.
2-3 PhDs and various honors) elaborate that the vacuum cleaner is
like your computer.. for things local and on Internet2 you get a
regular hose. On going to DSLreports etc. you are going at some point
through a straw. [Actually I think the tube had a straw duct taped at
the middle... and had things painted on it saying What we control.
What we don't control. What they control. What they don't control.]
At this point most people realized networking wasn't the people to
complain to.



-- 
Stephen J Smoogen.
“The core skill of innovators is error recovery, not failure avoidance.”
Randy Nelson, President of Pixar University.
We have a strategic plan. It's called doing things.
— Herb Kelleher, founder Southwest Airlines



Re: International TE

2010-04-29 Thread Arie Vayner
Thomas,

Check this link:
http://onesc.net/communities/

You can always play with as-path prepending and advertising more specific
subnets through different providers...

Arie

On Thu, Apr 29, 2010 at 4:43 PM, Thomas Magill
tmag...@providecommerce.comwrote:

 I am interested in accepting international traffic from only one of our
 secondary providers.  Most providers I have dealt with have a TE
 community list which allows me to prepend or not advertise to their
 upstream peers.  However, my primary provider does not have this.  My
 goal is to not advertise internationally through this provider.  I am
 considering just setting the communities for my provider's upstream
 peers (about 7 of them) to tell them to not advertise internationally.
 I am also trying to get my primary provider to implement this
 functionality.



 Are there any better ways to do this?  Also, if anyone has a
 consolidated list of provider TE communities that would be a great
 resource.



 Thomas Magill
 Network Engineer

 Office: (858) 909-3777

 Cell: (858) 869-9685
 tmag...@providecommerce.com


 provide-commerce
 4840 Eastgate Mall

 San Diego, CA  92121



 ProFlowers http://www.proflowers.com/  | redENVELOPE
 http://www.redenvelope.com/  | Cherry Moon Farms
 http://www.cherrymoonfarms.com/  | Shari's Berries
 http://www.berries.com/






Re: SMW4 Routing Implications

2010-04-29 Thread virendra rode

Hi,


shake righa wrote:
 What have been the routing implications in regards to internet traffic
 with SMW4 cable being down?
---
Latency and slowness; then again, things are starting to change (mid-2010)
in terms of traffic balance as fibers are being lit across diverse paths.


regards,
/virendra

 
 
 
 Regards,
 Shake Righa
 



Terry Childs conviction

2010-04-29 Thread Olsen, Jason
I'm a bit surprised that after the furor here on NANOG when the story
first broke (in 2008) that there's been no discussion about the recent
outcome of his trial (convicted, one count of felony network tampering).

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/04/27/BA4V1D5Q22.DTL&tsp=1

-JFO






Re: Terry Childs conviction

2010-04-29 Thread Cutler James R
On Apr 29, 2010, at 4:11 PM, Olsen, Jason wrote:

I'm a bit surprised that after the furor here on NANOG when the story
first broke (in 2008) that there's been no discussion about the recent
outcome of his trial (convicted, one count of felony network tampering).
===
I'm not surprised. It has little or no direct operational impact.

James R. Cutler
james.cut...@consultant.com







Re: Terry Childs conviction

2010-04-29 Thread Henry Linneweh
Anytime you mess with a government entity, without legal guidance, you are at
great risk. Mr. Childs took a risk and the jury decided he was wrong. He faces
5 years in prison.

-henry






From: Olsen, Jason jol...@devry.com
To: nanog@nanog.org
Sent: Thu, April 29, 2010 1:11:07 PM
Subject: Terry Childs conviction

I'm a bit surprised that after the furor here on NANOG when the story
first broke (in 2008) that there's been no discussion about the recent
outcome of his trial (convicted, one count of felony network tampering).

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/04/27/BA4V1D5Q22.DTL&tsp=1

-JFO


Time Warner Cable / Roadrunner contact - routing issue

2010-04-29 Thread gwbnanog
If there is a Time Warner Cable / Roadrunner routing engineer monitoring
this list can you please contact me off list regarding a routing issue from
your IP block:
76.168.0.0/13

Thank you.


Re: Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Mark Smith
On Wed, 21 Apr 2010 14:24:37 -0400
William Herrin b...@herrin.us wrote:

 On Tue, Apr 20, 2010 at 9:34 PM, Karl Auer ka...@biplane.com.au wrote:
  On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
  On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
   NAT _always_ fails-closed
  Stateful Inspection can be implemented fail-closed.
 
  Not to take issue with either statement in particular, but I think there
  needs to be some consideration of what fail means.
 
 Fail means that an inexperienced admin drops a router in place of the
 firewall to work around a priority problem while the senior engineer
 is on vacation. With NAT protecting unroutable addresses, that failure
 mode fails closed.
 

Fail is expecting a low level staff member, who doesn't know better, to
substitute for a senior one, who does. Would you also let a
helpdesk team leader (low level, relatively inexperienced management
position) take over the CEO's job if the CEO was available and there was
a business crisis? A medical student take over from a doctor in an
emergency ward?




 Regards,
 Bill Herrin
 
 
 
 -- 
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004
 



Re: [only half OT] A socio-psychological analysis of the first internet war (Estonia)

2010-04-29 Thread andrew.wallace
--- On Thu, 29/4/10, Gadi Evron g...@linuxbox.org wrote:

 A socio-psychological analysis of the first internet war (Estonia)

There has been no cyber war yet.

Estonia was not a cyber war.

You've got it fundamentally wrong on the world stage in front of everyone.

Andrew







Re: Edu versus Speakeasy Speedtest

2010-04-29 Thread Robert Enger - NANOG

 1) The capacity that a campus has into I2 or NLR is different than the BW the 
campus purchases from their commercial provider(s).
2) The commercial BW test sites are not optimized for speed.  They do not have 
unlimited capacity network connections.  And, they have not tuned their network 
stack for HS operation: notably, their OS will impose memory limits on the 
socket / transmit-buffer pool; so even if a receiver advertises a big window, 
frequently the transmitter (speed test server) will never queue enough data to 
fill the pipe.
3) Peering capacity is not what it should be into the networks used by some of 
the BW test sites.



On 4/29/2010 8:53 AM, Murphy, William wrote:

I work for an Edu with multi-gigabit Internet connectivity and I get
questions from users saying "Why am I only getting 14Mb when I run this
speed test?"  I have got to believe that the various Internet speed tests
(Speakeasy or dslreports) are rate limited to prevent someone from shutting
them down.  I am able to get 300-400Mb running from a PC inside my network
to NDT servers located on Internet2, so that tells me my border and internal
network is healthy.  Can someone on this list shed some light regarding
reliability and accuracy of these various speed tests especially for an Edu
with lots'o bandwidth?  Thanks.



Bill Murphy

University of Texas Health Science Center - Houston








Re: Terry Childs conviction

2010-04-29 Thread William Pitcock
On Thu, 2010-04-29 at 15:11 -0500, Olsen, Jason wrote:
 I'm a bit surprised that after the furor here on NANOG when the story
 first broke (in 2008) that there's been no discussion about the recent
 outcome of his trial (convicted, one count of felony network tampering).

Surely even at DeVry they teach that if you refuse to hand over
passwords for property that is not legally yours, that you are
committing a crime.  I mean, think about it, it's effectively theft, in
the same sense that if you refuse to hand over the keys for a car that
you don't own, you're committing theft of an automobile.

I fail to see the operational relevance to this conviction; it's basic
common sense.

William




Re: Rate of growth on IPv6 not fast enough?

2010-04-29 Thread isabel dias
CEO position - Did you know:…
 The majority of S&P 500 CEOs are in their 50s
 29% of S&P 500 CEOs have an advanced degree other than an MBA
 CEOs in the S&P 401-500 group are more likely to have a shorter tenure with 
 his or her company than other S&P 500 CEOs
 60% of S&P 500 CEOs have been in office less than six years
 CEOs of the top 100 S&P 500 companies are more likely than the rest of the 
 S&P 500 CEOs to have been with the same company throughout their entire career


Operation Director -
some say that age wouldn't be that important, though maturity might. How would 
they feel about being given this much power? What kinds of goals should they 
have in mind if they get the job? Don't forget that the person over 30 may be 
just as new to IT as a fresh college graduate.

more ...and more .you just won't believe how this is smashing your hearts 
to pieces ..

CAREER HISTORY 1996-2000: Graduate trainee rising to marketing manager



Are you sure you don't need a network technician to do the job?

 



- Original Message 
From: Mark Smith na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
To: William Herrin b...@herrin.us
Cc: nanog@nanog.org
Sent: Thu, April 29, 2010 10:24:03 PM
Subject: Re: Rate of growth on IPv6 not fast enough?

On Wed, 21 Apr 2010 14:24:37 -0400
William Herrin b...@herrin.us wrote:

 On Tue, Apr 20, 2010 at 9:34 PM, Karl Auer ka...@biplane.com.au wrote:
  On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
  On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
   NAT _always_ fails-closed
  Stateful Inspection can be implemented fail-closed.
 
  Not to take issue with either statement in particular, but I think there
  needs to be some consideration of what fail means.
 
 Fail means that an inexperienced admin drops a router in place of the
 firewall to work around a priority problem while the senior engineer
 is on vacation. With NAT protecting unroutable addresses, that failure
 mode fails closed.
 

Fail is expecting a low level staff member, who doesn't know better, to
substitute for a senior one, who does. Would you also let a
helpdesk team leader (low level, relatively inexperienced management
position) take over the CEO's job if the CEO was available and there was
a business crisis? A medical student take over from a doctor in an
emergency ward?




 Regards,
 Bill Herrin
 
 
 
 -- 
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004
 






Re: DNSSEC Deployment in ARPA Children

2010-04-29 Thread Dave Knight

On 2010-04-28, at 9:29 AM, Joe Abley wrote:

 Colleagues,
 
 ICANN plans to begin a test deployment of DNSSEC in various zones starting on 
 2010-04-29:
 
  IN-ADDR-SERVERS.ARPA
  IP6.ARPA
  IP6-SERVERS.ARPA
  IRIS.ARPA
  URI.ARPA
  URN.ARPA
 
 These zones will be signed using RSASHA256 and NSEC with 2048-bit KSKs and 
 1024-bit ZSKs.

The maintenance is complete, all of the zones are now DNSSEC signed.

We expect to include trust anchors for these zones following a testing period 
of around two weeks, given no observed or reported harmful effects.

If you observe any issues, or have any concerns please let us know at 
tic...@dns.icann.org.

Kind regards,

Dave Knight
Senior DNS Engineer, ICANN
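For readers who want to see what "adding a trust anchor" for one of these newly signed zones boils down to, here is an added example (not ICANN's or the ARPA zones' own code, and not part of Dave's post). A trust anchor for a zone is the DS form of its KSK: RFC 4034's key tag over the DNSKEY RDATA plus a SHA-256 digest over the canonical owner name and that RDATA. The DNSKEY below is a constructed, deliberately tiny RSASHA256 key (algorithm 8, flags 257) used only so the arithmetic is easy to follow; a real 2048-bit KSK carries a far longer base64 blob, and the digest you would actually pin must come from the zone's published DNSKEY, never from this sample.

```python
import base64
import hashlib

# Constructed sample DNSKEY in presentation format: flags 257 (ZONE|SEP),
# protocol 3, algorithm 8 (RSASHA256), then a 12-byte fake public key
# (exponent length 3, exponent 65537, 8-byte "modulus"). Not a real key.
CONSTRUCTED_DNSKEY = "257 3 8 AwEAAcD/7gDerb7v"


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def parse_dnskey(presentation: str):
    """Parse 'flags protocol algorithm base64...' into (flags, proto, alg, rdata)."""
    flags, proto, alg, *key_parts = presentation.split()
    flags, proto, alg = int(flags), int(proto), int(alg)
    pubkey = base64.b64decode("".join(key_parts))
    # DNSKEY RDATA wire layout: 2-byte flags, 1-byte protocol, 1-byte algorithm, key
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return flags, proto, alg, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(presentation: str) -> bool:
    """Flags 257 = ZONE (256) + SEP (1): the key a DS or trust anchor should point at."""
    flags = parse_dnskey(presentation)[0]
    return (flags & 0x0100) != 0 and (flags & 0x0001) != 0


def ds_record(owner: str, presentation: str) -> str:
    """Build the DS RDATA text a parent zone (or a trust-anchor file) carries:
    '<keytag> <alg> 2 <hex SHA-256 of owner-name-wire || DNSKEY RDATA>'.
    Digest type 2 is SHA-256 (RFC 4509)."""
    _flags, proto, alg, rdata = parse_dnskey(presentation)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} 2 {digest}"


if __name__ == "__main__":
    # Two of the zones named in the announcement, with the constructed key.
    for zone in ("ip6.arpa.", "uri.arpa."):
        print(f"{zone} IN DS {ds_record(zone, CONSTRUCTED_DNSKEY)}")
```

Two things the code makes concrete: the owner name is folded to lowercase before hashing, so a DS computed for IP6.ARPA and ip6.arpa must match; and the same DNSKEY yields a different DS under every owner name, which is why a trust anchor is always stated per zone. When you later compare ICANN's published trust anchors against what your validator loaded, this key-tag plus digest pair is exactly what you are comparing.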


Re: Terry Childs conviction

2010-04-29 Thread Valdis . Kletnieks
On Thu, 29 Apr 2010 16:47:02 CDT, William Pitcock said:
 On Thu, 2010-04-29 at 15:11 -0500, Olsen, Jason wrote:
  I'm a bit surprised that after the furor here on NANOG when the story
  first broke (in 2008) that there's been no discussion about the recent
  outcome of his trial (convicted, one count of felony network tampering).
 
 Surely even at DeVry they teach that if you refuse to hand over
 passwords for property that is not legally yours, that you are
 committing a crime.  I mean, think about it, it's effectively theft, in
 the same sense that if you refuse to hand over the keys for a car that
 you don't own, you're committing theft of an automobile.

Unfortunately, Terry Childs was withholding the passwords because he thought
(with some justification) that they'd adger up the net if they had the 
passwords.

So if you want to make an analogy, it's more like taking the keys away from
a drunk so they can't drive.  Good luck finding a DA who will indict you for
grand theft auto for taking the keys to prevent a DWI.

Operational content: What design, procedure, and policy errors did the
network owners make that Childs was able to do that to them? (The cynic
in me says that if the net management was that screwed up that he *could*
do it, he was justified in doing it... :)





Re: Terry Childs conviction

2010-04-29 Thread Jeroen van Aart

Henry Linneweh wrote:

Anytime you mess with a government entity, without legal guidance, you are at
great risk. Mr.Childs took a risk and jury decided he was wrong. He faces
5 years in prison.


Unlikely.
From the article:

"However, Judge Teri Jackson is expected to impose a sentence under 
which Childs would serve a few additional months at most, after she 
gives him credit for the nearly two years he has spent in county jail 
since being arrested in July 2008"


I didn't know jury trials went this way, if a juror doesn't agree you 
simply kick the person out. You learn something new every day. :-)


"The jury deliberated for several days before a lone holdout against 
conviction was removed from the panel, for reasons that were not 
disclosed. After an alternate was put in that juror's place, the panel 
started over and reached a decision in a matter of hours."


And one can argue he behaved like any security conscious IT person 
should behave, although I'm sure in this case the truth lies more in the 
middle:


"Shikman acknowledged that Childs may have been paranoid about 
protecting the system and undiplomatic with his bosses, but nothing worse"

(..)
"All they had to do was ask him (for the passwords) in a secure and 
professional way, consistent with policy and standards," Shikman told 
the jury.


Regards,
Jeroen

--
http://goldmark.org/jeff/stupid-disclaimers/



Re: Terry Childs conviction

2010-04-29 Thread James Hess
On Thu, Apr 29, 2010 at 7:15 PM,  valdis.kletni...@vt.edu wrote:
 So if you want to make an analogy, it's more like taking the keys away from
 a drunk so they can't drive.  Good luck finding a DA who will indict you for
 grand theft auto for taking the keys to prevent a DWI.

According to news reports in this case it was not a charge of theft,
but a charge of criminal Denial of Service. The service denied
being the ability to administer their network devices by their
authorized admins: in this case that Childs had been ordered by
people with management authority over him on various occasions to
provide some access to equipment they owned, and he had refused on
all occasions, or deceived them by intentionally providing
incomplete or useless access details.

It was well within management's  authority to demand this, and not in
violation of any laws  (not equivalent to DWI).

It may be of concern to some individuals,  but the operational impact
to well-managed networks should be zero. Make sure the collective
management of the organization that owns the network has a means of
directly conveying full access at all times to any user they
authorize,  that is provided on demand,  or that there is a clear
password policy  that ensures  that  administration  cannot be denied
to authorized users ?


Theft of keys does not equal theft of vehicle, and restraining
someone who is not acting rationally and is intent upon committing a
crime, directly endangering lives, is completely different.

Courts might take a much more dim view towards a valet/driver
re-assigned to a different job refusing to surrender the keys to the
owner's new valet,  out of fear the vehicle might get treated in a way
they considered poor or reckless.


--
-J



Re: Terry Childs conviction

2010-04-29 Thread David Krider
On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
 Surely even at DeVry they teach that if you refuse to hand over
 passwords for property that is not legally yours, that you are
 committing a crime.  I mean, think about it, it's effectively theft, in
 the same sense that if you refuse to hand over the keys for a car that
 you don't own, you're committing theft of an automobile.

I've seen a dismissed employee withhold a password. The owner of the
company threatened legal action, considering it, like you, theft. My
father-in-law is an attorney, so I asked him about the situation. He
said that it wouldn't be called theft, rather "illegal control".

http://www.infoworld.com/t/insider-threat/terry-childs-still-faces-one-charge-one-he-shouldnt-face-746

The more-informed reporting on this says that the charge was actually
illegal denial of service. I'm guessing this is what my father-in-law
was getting at, or that this is what illegal control means when
applied to computer equipment.

dk





Re: Rate of growth on IPv6 not fast enough?

2010-04-29 Thread William Herrin
On Thu, Apr 29, 2010 at 11:24 AM, Mark Smith
na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org wrote:
 On Wed, 21 Apr 2010 14:24:37 -0400
 William Herrin b...@herrin.us wrote:
 Fail means that an inexperienced admin drops a router in place of the
 firewall to work around a priority problem while the senior engineer
 is on vacation. With NAT protecting unroutable addresses, that failure
 mode fails closed.

 Fail is expecting a low level staff member, who doesn't know better, to
 substitute for a senior one, who does.

Funny thing about junior staff... Their reach is often longer than
their grasp. Someone has to have the keys when the senior guy is
away... Even if they don't always have the good judgment to know what
they can safely do with them. As the senior guy, I'd rather find out
about the mistake when the panicked junior calls me on the cell phone
because he crashed the network, not when I get back and find the
company jewels have been stolen.

NAT protecting unroutable addresses gives me a better chance that
junior's mistake only causes a network outage.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Terry Childs conviction

2010-04-29 Thread William Pitcock
On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:
 On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
  Surely even at DeVry they teach that if you refuse to hand over
  passwords for property that is not legally yours, that you are
  committing a crime.  I mean, think about it, it's effectively theft, in
  the same sense that if you refuse to hand over the keys for a car that
  you don't own, you're committing theft of an automobile.
 
 I've seen a dismissed employee withhold a password. The owner of the
 company threatened legal action, considering it, like you, theft. My
 father-in-law is an attorney, so I asked him about the situation. He
 said that it wouldn't be called theft, rather illegal control. 

Same difference, he still committed a crime and anyone who is defending
him seems to not understand this.  Whatever we want to call that crime,
it's still a crime, and he got the appropriate penalty.

William





Re: Terry Childs conviction

2010-04-29 Thread Ernie Rubi
Illegal control = Conversion = at least a tort, but could also be a crime.

On Apr 29, 2010, at 10:05 PM, William Pitcock wrote:

 On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:
 On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
 Surely even at DeVry they teach that if you refuse to hand over
 passwords for property that is not legally yours, that you are
 committing a crime.  I mean, think about it, it's effectively theft, in
 the same sense that if you refuse to hand over the keys for a car that
 you don't own, you're committing theft of an automobile.
 
 I've seen a dismissed employee withhold a password. The owner of the
 company threatened legal action, considering it, like you, theft. My
 father-in-law is an attorney, so I asked him about the situation. He
 said that it wouldn't be called theft, rather illegal control. 
 
 Same difference, he still committed a crime and anyone who is defending
 him seems to not understand this.  Whatever we want to call that crime,
 it's still a crime, and he got the appropriate penalty.
 
 William
 
 





Re: Terry Childs conviction

2010-04-29 Thread Robert Brockway

On Thu, 29 Apr 2010, William Pitcock wrote:


Same difference, he still committed a crime and anyone who is defending
him seems to not understand this.  Whatever we want to call that crime,
it's still a crime, and he got the appropriate penalty.


Hi William.  I have to agree that it does seem he committed an offence but 
we will have to agree to disagree on the penalty.  Two years (or more) in 
jail for withholding a password for one week seems disproportionate to me. 
I wonder how expensive the trial was.


Rob

--
Email: rob...@timetraveller.org
IRC: Solver
Web: http://www.practicalsysadmin.com
Open Source: The revolution that silently changed the world



Re: Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Valdis . Kletnieks
On Thu, 29 Apr 2010 15:58:24 -1000, William Herrin said:

 Funny thing about junior staff... Their reach is often longer than
 their grasp. Someone has to have the keys when the senior guy is
 away...

Isn't that the defense that Terry Childs used? :)

(Sorry, couldn't resist. :)




Re: Terry Childs conviction

2010-04-29 Thread William Pitcock
On Thu, 2010-04-29 at 21:23 -0500, Larry Sheldon wrote:
 On 4/29/2010 21:05, William Pitcock wrote:
  On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:
  On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
  Surely even at DeVry they teach that if you refuse to hand over
  passwords for property that is not legally yours, that you are
  committing a crime.  I mean, think about it, it's effectively theft, in
  the same sense that if you refuse to hand over the keys for a car that
  you don't own, you're committing theft of an automobile.
 
  I've seen a dismissed employee withhold a password. The owner of the
  company threatened legal action, considering it, like you, theft. My
  father-in-law is an attorney, so I asked him about the situation. He
  said that it wouldn't be called theft, rather illegal control. 
  
  Same difference, he still committed a crime and anyone who is defending
  him seems to not understand this.  Whatever we want to call that crime,
  it's still a crime, and he got the appropriate penalty.
 
 I beg to differ (the archives may reflect my objection last time around).
 
 I agree that a crime was committed.
 
 It was committed by the management that allowed this situation to exist.
 
 It is a pretty easy matter to maintain controls that make the passwords
 secure but still available to management when they need it.  The
 simplest system was one of sealed envelopes in several different
 District Managers locked desks.  Every now and again a manager would
 take his or her envelope out and test the passwords to see if they
 worked (usually just before the scheduled password change each month).

I don't disagree, but he should not have withheld passwords to devices
that were not his direct property when asked by a superior.

William