EQUINIX

2013-01-17 Thread Ryan Finnesey
What's the going rate now a days for a rack within EQUINIX?

Cheers
Ryan



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread .
I am not a network engineer, but I follow this list to be updated about
important news that affects Internet stability.

NAT is already a problem for things like video games. You want people
to be able to host a multiplayer game and have their friends join
the game. A free-to-play MMO may want to make a ban for a bad person
permanent, and for this banning an IP is useful; if a whole range of
players use one IP, it will be harder to stop these people from
disrupting other people's fun. Players that can't connect to the other
players whine on the forums and ask the game devs to fix the problem,
costing these people money. People that can't connect to other
players, for a problem that is not on their side or under their control,
get frustrated. These types of problems are hard to debug for users.

The people on this list have an influence on how the Internet runs; I hope
somebody smart can figure out how we can avoid going there, because that
is frustrating and unfun.


--
--
ℱin del ℳensaje.



Re: Notice: Fraudulent RIPE ASNs

2013-01-17 Thread Rich Kulawiec
On Wed, Jan 16, 2013 at 11:39:14AM -0500, William Herrin wrote:
 1. Has SPAMHAUS attempted to feed relevant portions of their knowledge
 into ARIN's reporting system for fraudulent registrations and,

I don't know the answer to that.

 2. Understanding that ARIN can only deal with fraudulent
 registrations, not any other kind of bad-actor behavior, are there
 improvements to ARIN's process which would help SPAMHAUS and similar
 organizations feed ARIN actionable knowledge?

Yes.

All ARIN (public) data should be immediately downloadable in bulk by anyone
who wishes to access it.  No registration, no limits, no nothing.  As I
pointed out here a couple of weeks ago (see below), query rate-limiting
measures such as RIPE currently employs are not only pointless but
counterproductive: the bad guys already have (or can have) the data any
time they wish, but the good guys can't.  I suggest a daily rsync'able
snapshot of the whole enchilada in whatever form(s) is/are appropriate:
text, XML, tarball, etc.

Of course I was responding to something from RIPE, but this applies
everywhere.  It's 2013.  The bad guys have had the means to easily
bypass stuff like this for about a decade, if not longer.  It's not only
silly to keep pretending they don't, but it's limiting: some of the best
techniques we have for spotting not only fraudulent registrations, but
other patterns of abuse, work best when given as much data as possible.
(It's really quite impressive what you can find with grep, if you
have enough data in the right form.)

(Incidentally, the same thing is true of all domain registration data.
The namespace, like network space, is a public resource, therefore
anyone using any of it must be publicly accountable.)

Here's what I said at the time, generalize/modify appropriately:

 Subject: Re: RIPE Database Proxy Service Issues
 
 On Wed, Jan 02, 2013 at 05:00:14PM +0100, Axel Pawlik wrote:
  To prevent the automatic harvesting of personal information (real
  names, email addresses, phone numbers) from the RIPE Database, there
  are PERSON and ROLE object query limits defined in the RIPE Database
  Acceptable Use Policy. This is set at 1,000 PERSON or ROLE objects
  per IP address per day. Queries that result in more than 1,000
  objects with personal data being returned result in that IP address
  being blocked from carrying out queries for that day.
 
 1. The technical measures you've outlined will not prevent, and have
 not prevented, anyone from automatically harvesting the entire thing.
 Anyone who owns or rents, for example, a 2M-member botnet, could easily
 retrieve the entire database using 1 query per IP address, spread out
 over a day/week/month/whatever.  (Obviously more sophisticated approaches
 immediately suggest themselves.)
 
 Of course a simpler approach might be to buy a copy from someone who
 already has.
 
 I'm not picking on you, particularly: all WHOIS operators need to stop
 pretending that they can protect their public databases via rate-limiting.
 They can't.  The only thing that they're doing is preventing NON-abusers
 from acquiring and using bulk data.
 
 2. This presumes that the database is actually a target for abusers.
 I'm sure for some it is.  But as a source, for example, of email
 addresses, it's a poor one: the number of addresses per thousand records
 is relatively small and those addresses tend to belong to people with
 clue, making them rather suboptimal choices for spamming/phishing/etc.
 
 Far richer targets are available on a daily basis simply by following
 the dataloss mailing list et.al. and observing what's been posted on
 pastebin or equivalent.  These not only include many more email addresses,
 but often names, passwords (encrypted or not), and other personal details.
 And once again, the simpler approach of purchasing data is available.
 
 3. Of course answering all those queries no doubt imposes significant
 load.  Happily, one of the problems that we seem to have pretty much
 figured out how to solve is serving up many copies of static
 content because we have tools like web servers and rsync.
 
 So let me suggest that one way to make this much easier on yourselves is
 to export a (timestamped) static snapshot of the entire database once
 a day, and let the rest of the Internet mirror the hell out of it.
 Spreads out the load, drops the pretense that rate-limiting
 accomplishes anything useful, makes all the data available to everyone
 equally, and as long as everyone is aware that it's a snapshot and not
 a real-time answer, would probably suffice for most uses.  (It would
 also come in handy during network events which render your service
 unreachable/unusable in whole or part, e.g., from certain parts of
 the world.  Slightly-stale data is way better than no data.)
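
As an added illustration of the kind of pattern-spotting Rich describes once a bulk snapshot is in hand (this is editor-added example code, not anything from the thread, ARIN or RIPE, and the snapshot, handles, ASNs and phone numbers are constructed): a small parser for RPSL-style objects, and a check that groups aut-num objects by the phone number of their admin-c contact and reports any phone behind several registrations for different orgs within a short window. A run of that shape is a lead for a human to look at, not proof of fraud.

```python
"""Spot clustered registrations in a bulk registry snapshot.

Editor-added example, not code from the thread, ARIN or RIPE.  The snapshot,
handles, ASNs and phone numbers below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

SNAPSHOT = """\
aut-num:  AS64500
org:      ORG-S1-TEST
admin-c:  SH1-TEST
changed:  2013-01-03

aut-num:  AS64501
org:      ORG-S2-TEST
admin-c:  SH1-TEST
changed:  2013-01-05

aut-num:  AS64502
org:      ORG-S3-TEST
admin-c:  SH1-TEST
changed:  2013-01-09

aut-num:  AS64503
org:      ORG-S4-TEST
admin-c:  SH2-TEST
changed:  2013-01-10

aut-num:  AS64504
org:      ORG-S5-TEST
admin-c:  SH1-TEST
changed:  2009-06-01

aut-num:  AS64510
org:      ORG-LT-TEST
admin-c:  LT1-TEST
changed:  2011-03-15

person:   Sample Handle One
nic-hdl:  SH1-TEST
phone:    +1 555 0100

person:   Sample Handle Two
nic-hdl:  SH2-TEST
phone:    +1 555 0100

person:   Long Time Admin
nic-hdl:  LT1-TEST
phone:    +1 555 0200
"""


def parse_rpsl(text):
    """Split blank-line separated objects into dicts (multi-valued keys kept as lists)."""
    objects = []
    for block in text.strip().split("\n\n"):
        obj = defaultdict(list)
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                obj[key.strip()].append(value.strip())
        if obj:
            objects.append(dict(obj))
    return objects


def clustered_registrations(objects, window_days=30, min_size=3):
    """Group aut-nums by the phone number of their admin-c contact and report
    every phone with at least min_size ASNs, each under a different org,
    registered within window_days of each other."""
    phone_of = {o["nic-hdl"][0]: o["phone"][0] for o in objects if "nic-hdl" in o}
    by_phone = defaultdict(list)
    for o in objects:
        if "aut-num" in o and o["admin-c"][0] in phone_of:
            when = datetime.strptime(o["changed"][0], "%Y-%m-%d")
            by_phone[phone_of[o["admin-c"][0]]].append((when, o["aut-num"][0], o["org"][0]))
    window = timedelta(days=window_days)
    findings = []
    for phone, regs in sorted(by_phone.items()):
        regs.sort()                      # oldest first; then find the densest window
        best = []
        for i, (start, _, _) in enumerate(regs):
            run = [r for r in regs[i:] if r[0] - start <= window]
            if len(run) > len(best):
                best = run
        if len(best) >= min_size and len({org for _, _, org in best}) == len(best):
            findings.append((phone, [asn for _, asn, _ in best]))
    return findings


if __name__ == "__main__":
    for phone, asns in clustered_registrations(parse_rpsl(SNAPSHOT)):
        print(f"{phone}: {len(asns)} ASNs registered within a month -> {asns}")
```

Against a real daily snapshot the same two functions run unchanged; the only work is pointing parse_rpsl at the file and choosing a window and threshold that fit the registry's normal registration rate.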



Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

2013-01-17 Thread john
On 1/16/13 8:36 PM, Shrdlu wrote:
 On 1/16/2013 9:40 AM, john wrote:
 
 I took a look at this site and unfortunately the use of cookies is very
 ingrained into the code.  Removing the requirement breaks all
 functionality of www.ris.ripe.net and changing the functionality would
 require a rewrite of the site.
 
 Sooner or later, you'll get to a place where you consider a major
 update, and perhaps then you'll consider emulating NANOG's site. However...
Just for clarity, I believe that the issue with requiring cookies only
affects www.ris.ripe.net and not the entire *.ripe.net site(s). I'm not
one of the developers; however, I believe they endeavour to keep the use
of cookies to a minimum in current and future development.
 
 I was curious, and I went to look at it. Please consider using some
 other color than lovely amber yellow you've chosen. It's very pretty,
 and exhausting to look at for any length of time. I'm a HUGE fan of gray
 scales, and of text. I see that you want a cookie when I want to look at
 one of the videos, but blocking it doesn't hurt me. Here's where you did
 something right. The video plays on my (pretty old) Firefox, which has
 no Flash (hooray!).
 
 The cookie stays around for a YEAR (if I let it), and has the following
 stuff:
 
 Name: stat-csrftoken
 Content: 7f12a95b8e274ab940287407a14fc348
 Host: stat.ripe.net
 Path: /
 Send For: Any type of connection
 Expires: Wednesday, January 15, 2014 11:29:34 AM
 
 To your credit, you only ask once, but you ought to ask zero times.
 
 The site's not bad, but please consider changing the yellow to black.
 Less beauty, more utility.
 

Thank you for this feedback; I'll pass it on to the developers.

Regards
John



Re: How are operators using IRR?

2013-01-17 Thread Pierre-Yves Maunier
2013/1/17 ML m...@kenweb.org

 How are operators using the data available in the various IRRs?

 Using an example:

 AS1 is your customer
 AS1 has AS2, AS3 and AS4 described as customers in an IRR
 Also assume AS2 has IRR data describing AS1000 and AS2000 as its
 customers.

 Are operators building AS path regexes such as the following automatically
 from IRR and applying that to your BGP sessions?

 
 AS1{1,}
 AS1{1,} AS2{1,}
 AS1{1,} AS3{1,}
 AS1{1,} AS2{1,} AS1000{1,}
 AS1{1,} AS2{1,} AS2000{1,}
 


 I would imagine most operators that are building policy from IRR are
 building prefix lists to limit what they are accepting.  Is this being
 paired with some AS path filtering?


 Are operators just traversing an AS-SET as far as it will go and building
 prefix lists to represent all intended prefixes to be heard on a session
 regardless of who originates them? Is the possibility of AS1000 hijacking
 AS2000 prefixes towards AS2 a problem you as the upstream to AS1 need to
 consider? (Last question assumes AS2 made a mistake and wasn't filtering
 properly on its own customers and AS1 is just accepting all prefixes under
 the cone of AS2)

 Thanks


Hi,


I usually build a prefix-list gathering route objects having an origin AS
from the customer AS-SET.

I know some operators doing AS-PATH filtering and others who don't have
anything other than a max-prefix limit on the session.
In my previous job, one of my transit providers just had a max-prefix limit
of 4k and I was announcing 2K routes. Hopefully we were good enough not to
leak any illegitimate routes on the sessions by misconfiguration.

-- 
Pierre-Yves


Re: NANOG Digest, Vol 60, Issue 54

2013-01-17 Thread carl gough [mobsource]
unsubscribe please


[carl gough] founder and CEO  +61 425 266 764

mobsource.com

RE: How are operators using IRR?

2013-01-17 Thread Phil Bedard
I have mainly worked at small and medium sized operators and we did not
use IRR at all apart from registering our own and customer blocks with
the one upstream provider we had (Level3), which required it. We
maintained our own databases of customer prefixes, tied to other
customer information, from which strict prefix lists were generated. I have
rarely seen AS path filtering used except with large customers where
maintaining strict prefix lists wasn't manageable.

Phil

From: ML
Sent: 1/16/2013 19:57
To: NANOG
Subject: How are operators using IRR?
How are operators using the data available in the various IRRs?

Using an example:

AS1 is your customer
AS1 has AS2, AS3 and AS4 described as customers in an IRR
Also assume AS2 has IRR data describing AS1000 and AS2000 as its customers.

Are operators building AS path regexes such as the following
automatically from IRR and applying that to your BGP sessions?


AS1{1,}
AS1{1,} AS2{1,}
AS1{1,} AS3{1,}
AS1{1,} AS2{1,} AS1000{1,}
AS1{1,} AS2{1,} AS2000{1,}



I would imagine most operators that are building policy from IRR are
building prefix lists to limit what they are accepting.  Is this being
paired with some AS path filtering?


Are operators just traversing an AS-SET as far as it will go and
building prefix lists to represent all intended prefixes to be heard on
a session regardless of who originates them? Is the possibility of
AS1000 hijacking AS2000 prefixes towards AS2 a problem you as the
upstream to AS1 need to consider? (Last question assumes AS2 made a
mistake and wasn't filtering properly on its own customers and AS1 is
just accepting all prefixes under the cone of AS2)

Thanks



Re: EQUINIX

2013-01-17 Thread ML

On 1/17/2013 4:49 AM, Ryan Finnesey wrote:

What's the going rate now a days for a rack within EQUINIX?

Cheers
Ryan



I would imagine this varies greatly by market and maybe even suite 
within the building.





Re: GPS attack vector

2013-01-17 Thread Lamar Owen

On 01/16/2013 08:06 PM, Jay Ashworth wrote:

Do you use GPS to provide any mission critical services (like time of day)
in your network?

Have you already see this? (I hadn't)

   
http://arstechnica.com/security/2012/12/how-to-bring-down-mission-critical-gps-networks-with-2500/


Hi, Jay,

Yes, saw this about a month ago.  We have a UNAVCO Plate Boundary 
Observatory station (779) on our site, and it uses a Trimble NetRS.  We 
also use GPS timing locally to generate NTP stratum 1 for our LAN via 
Agilent/HP Z3816 disciplined receivers, and individual GPS receivers 
for both of our 26 meter radio telescopes for precision local standard 
of rest calculations.


But as a frequency standard for 10MHz, we only use the output of the 
frequency locked loops in the Z3816s as references for our Efratom 
rubidium standard; even cesium clocks have more drift than rubidium 
ones, and the rubidium is manually locked, and is the master reference 
for anything that needs a frequency reference; the Z3816s can have 
significant jitter (well, significant is relative.).  Last I 
checked, the rubidium was 8.5uHz (yes, microHertz) off according to the 
GPS disciplined 10MHz signal from one of the Z3816s (we use an HP 
differential counter with a very long gate time to get that measurement 
precision).


It was interesting timing for the release of this paper, as it was 
around the time tick and tock were rebooted and went all 'Doc Brown' on us.


Anyone interested in the vagaries of serious time precision, please 
reference the 'Time-Nuts' mailing list, and other content, hosted by 
febo.com.





Re: Netflow Nfsen Server Hardware

2013-01-17 Thread Joe Loiacono
Tim Calvin tcal...@tlsn.net wrote on 01/16/2013 05:51:11 PM:

 PowerEdge R610 -
 
 2x Intel E5540, 2.53GHz Quad Core Processor
 
 32GB RAM
 
 2x 300gb 10k 2.5 SAS HDD

Since netflow processing is generally I/O bound, you may want to invest in 
15K drives.

Joe


Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Mike Jones
On 17 January 2013 10:06, . oscar.vi...@gmail.com wrote:
 I am not a network engineer, but I follow this list to be updated about
 important news that affects Internet stability.

 NAT is already a problem for things like video games. You want people
 to be able to host a multiplayer game and have their friends join
 the game. A free-to-play MMO may want to make a ban for a bad person
 permanent, and for this banning an IP is useful; if a whole range of
 players use one IP, it will be harder to stop these people from
 disrupting other people's fun. Players that can't connect to the other
 players whine on the forums and ask the game devs to fix the problem,
 costing these people money. People that can't connect to other
 players, for a problem that is not on their side or under their control,
 get frustrated. These types of problems are hard to debug for users.

 The people on this list have an influence on how the Internet runs; I hope
 somebody smart can figure out how we can avoid going there, because that
 is frustrating and unfun.

If you follow this list then you should already know the answer,
functional* IPv6 deployments.

- Mike

*Some ISPs have some very weird ideas that I hope never catch on.



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Brandon Ross

On Thu, 17 Jan 2013, Mike Jones wrote:


If you follow this list then you should already know the answer,
functional* IPv6 deployments.


AND game developers who build IPv6 functionality into their products.  Do 
you hear us, PS3 and Xbox?


Oscar, make sure you are telling your favorite game developers that they 
need to support IPv6 if they want to avoid the NAT mess.


--
Brandon Ross  Yahoo  AIM:  BrandonNRoss
+1-404-635-6667               ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross   Skype:  brandonross



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread .
On 17 January 2013 15:29, Brandon Ross br...@pobox.com wrote:
..
 AND game developers who build IPv6 functionality into their products.  Do
 you hear us, PS3 and Xbox?

 Oscar, make sure you are telling your favorite game developers that they
 need to support IPv6 if they want to avoid the NAT mess.

OK, I will pass the message on.

Some of them (the FOSS guys) already did:
http://ioquake3.org/2008/04/21/ioquake3-now-ipv6-capable/

For most commercial projects I don't have my hopes very high. Most
game software development is rushed to release.

--
--
ℱin del ℳensaje.



Re: How are operators using IRR?

2013-01-17 Thread Michael Hallgren
Hi,

Some of the networks close to me use IRR-based AS_PATH and
prefix filters at customer-route import.

Needless to say, running periodic diffs between what's found in
the IRR and what's received in RW and discussing the results with customers
is a necessary good thing to make sure that what is expected is
really happening. (And potentially a means to bump up the quality of
the IRR data set.)

Cheers,
mh


Le 17/01/2013 14:14, Phil Bedard a écrit :
 I have mainly worked at small and medium sized operators and we did not
 use IRR at all apart from registering our own and customer blocks with
 the one upstream provider we had (Level3), which required it. We
 maintained our own databases of customer prefixes, tied to other
 customer information, from which strict prefix lists were generated. I have
 rarely seen AS path filtering used except with large customers where
 maintaining strict prefix lists wasn't manageable.

 Phil

 From: ML
 Sent: 1/16/2013 19:57
 To: NANOG
 Subject: How are operators using IRR?
 How are operators using the data available in the various IRRs?

 Using an example:

 AS1 is your customer
 AS1 has AS2, AS3 and AS4 described as customers in an IRR
 Also assume AS2 has IRR data describing AS1000 and AS2000 as its customers.

 Are operators building AS path regexes such as the following
 automatically from IRR and applying that to your BGP sessions?

 
 AS1{1,}
 AS1{1,} AS2{1,}
 AS1{1,} AS3{1,}
 AS1{1,} AS2{1,} AS1000{1,}
 AS1{1,} AS2{1,} AS2000{1,}
 


 I would imagine most operators that are building policy from IRR are
 building prefix lists to limit what they are accepting.  Is this being
 paired with some AS path filtering?


 Are operators just traversing an AS-SET as far as it will go and
 building prefix lists to represent all intended prefixes to be heard on
 a session regardless of who originates them? Is the possibility of
 AS1000 hijacking AS2000 prefixes towards AS2 a problem you as the
 upstream to AS1 need to consider? (Last question assumes AS2 made a
 mistake and wasn't filtering properly on its own customers and AS1 is
 just accepting all prefixes under the cone of AS2)

 Thanks
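
An editor-added example (not from the thread, any IRR, or a vendor tool) that ties ML's question to Michael's suggestion: it expands a constructed AS-SET with loop protection, builds the prefix-list Pierre-Yves describes and the AS-path regexes from ML's example (including AS4, which ML's list leaves out), then runs the kind of periodic diff Michael suggests against a constructed table of received routes. The as-set names, route objects, customer relations and received paths are all constructed sample data modelled on the AS1/AS2 example.

```python
"""IRR-derived filters and an IRR-vs-received audit (editor-added example).

All AS-SETs, route objects, customer relations and received routes below are
constructed sample data modelled on the AS1/AS2 example in the thread."""
import re
from collections import defaultdict

AS_SETS = {
    "AS-AS1-CUST": ["AS1", "AS2", "AS3", "AS4", "AS-AS2-CUST"],
    "AS-AS2-CUST": ["AS2", "AS1000", "AS2000", "AS-AS1-CUST"],  # loops back
}
ROUTE_OBJECTS = [  # (prefix, origin) as found in route objects
    ("192.0.2.0/24", "AS1"),
    ("198.51.100.0/25", "AS2"),
    ("198.51.100.128/25", "AS3"),
    ("203.0.113.0/24", "AS2"),
    ("203.0.113.0/25", "AS1000"),
    ("203.0.113.128/25", "AS2000"),
    ("198.18.0.0/24", "AS9999"),  # not in AS1's cone
]
CUSTOMER_TREE = {"AS1": ["AS2", "AS3", "AS4"], "AS2": ["AS1000", "AS2000"]}
RECEIVED = [  # (prefix, AS_PATH as seen on the session with AS1)
    ("192.0.2.0/24", "AS1"),
    ("198.51.100.0/25", "AS1 AS1 AS2"),       # prepend, still fine
    ("198.51.100.128/25", "AS1 AS2 AS3"),     # AS3 is not behind AS2
    ("203.0.113.0/25", "AS1 AS2 AS1000"),
    ("203.0.113.128/25", "AS1 AS2 AS1000"),   # AS2000's prefix from AS1000
    ("198.18.0.0/24", "AS1 AS9999"),          # leak from outside the cone
]


def expand_as_set(name, as_sets):
    """Member ASNs of an as-set, following nested sets without looping."""
    members, seen, todo = set(), set(), [name]
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for m in as_sets.get(cur, []):
            if m.upper().startswith("AS-"):
                todo.append(m)
            else:
                members.add(m)
    return members


def build_prefix_list(origins, route_objects):
    """Every route object whose origin is in the expanded set."""
    return sorted({p for p, o in route_objects if o in origins})


def as_path_regexes(tree, root):
    """One 'ASa{1,} ASb{1,} ...' regex per root-to-node path in the customer tree."""
    out = []

    def walk(node, path):
        path = path + [node]
        out.append(" ".join(f"{asn}{{1,}}" for asn in path))
        for child in tree.get(node, []):
            walk(child, path)

    walk(root, [])
    return out


def path_matches(as_path, regexes):
    """True if the received AS_PATH (neighbour first) matches any regex."""
    for rx in regexes:
        asns = [re.escape(t[:-4]) for t in rx.split()]      # strip the "{1,}"
        if re.fullmatch(" ".join(f"{a}(?: {a})*" for a in asns), as_path):
            return True
    return False


def audit_received(received, route_objects, prefix_list, regexes):
    """Diff received routes against the IRR view, the way Michael suggests."""
    irr_origins = defaultdict(set)
    for p, o in route_objects:
        irr_origins[p].add(o)
    report = {"ok": [], "prefix_not_in_irr": [], "path_rejected": [],
              "origin_mismatch": []}
    for prefix, as_path in received:
        origin = as_path.split()[-1]
        if prefix not in prefix_list:
            report["prefix_not_in_irr"].append(prefix)
        elif not path_matches(as_path, regexes):
            report["path_rejected"].append(prefix)
        elif origin not in irr_origins[prefix]:
            report["origin_mismatch"].append((prefix, origin, sorted(irr_origins[prefix])))
        else:
            report["ok"].append(prefix)
    report["missing"] = sorted(set(prefix_list) - {p for p, _ in received})
    return report


if __name__ == "__main__":
    cone = expand_as_set("AS-AS1-CUST", AS_SETS)
    plist = build_prefix_list(cone, ROUTE_OBJECTS)
    regexes = as_path_regexes(CUSTOMER_TREE, "AS1")
    for key, value in audit_received(RECEIVED, ROUTE_OBJECTS, plist, regexes).items():
        print(key, value)
```

The case ML asks about (AS1000 announcing AS2000's prefix towards AS2) passes both the prefix-list and the AS-path filter, because the prefix is in AS1's cone and the path is one the regexes permit; only the per-prefix origin comparison in the audit flags it, which is why the diff is worth running even when both filters are in place.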





Re: How are operators using IRR?

2013-01-17 Thread Danny McPherson

On Jan 17, 2013, at 9:44 AM, Michael Hallgren m.hallg...@free.fr wrote:

 Hi,
 
 Some of the networks close to me use IRR-based AS_PATH and
 prefix filters at customer-route import.
 
 Needless to say, running periodic diffs between what's found in
 the IRR and what's received in RW and discussing the results with customers
 is a necessary good thing to make sure that what is expected is
 really happening. (And potentially a means to bump up the quality of
 the IRR data set.)

Good point...

There's some additional information at work in progress here:

http://tools.ietf.org/html/draft-grow-irr-routing-policy-considerations-00

If folks have comments, additions, etc..  email authors or g...@ietf.org.

-danny






Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread William Herrin
On Thu, Jan 17, 2013 at 5:06 AM, . oscar.vi...@gmail.com wrote:
 The people on this list have an influence on how the Internet runs; I hope
 somebody smart can figure out how we can avoid going there, because that
 is frustrating and unfun.

Free network-based firewall to be installed next month. OPT OUT HERE
if you don't want it.

It's not a hard problem. There are yet plenty of IPv4 addresses to go
around for all the people who actually care whether or not they're
behind a NAT.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: EQUINIX

2013-01-17 Thread Rodrick Brown
On Thu, Jan 17, 2013 at 8:39 AM, ML m...@kenweb.org wrote:

 On 1/17/2013 4:49 AM, Ryan Finnesey wrote:

 What's the going rate now a days for a rack within EQUINIX?

 Cheers
 Ryan


 I would imagine this varies greatly by market and maybe even suite within
 the building


And also power/cooling requirements.






Re: Netflow Nfsen Server Hardware

2013-01-17 Thread Dobbins, Roland

On Jan 16, 2013, at 4:51 PM, Tim Calvin wrote:

 Would one of the below configurations be okay to handle such as task? If not, 
 does anyone have any other recommendations.

Probably way overkill, but it's better to have excess capacity than not enough.


From what routing platform(s) are you exporting flow telemetry, at what 
sampling ratio(s)?

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: EQUINIX

2013-01-17 Thread PC
My experience has been that the monthly rack rental fee will be a
comparative bargain to basic power and a couple in-building cross connects,
which will often more than double the cost.  When shopping for any
provider, make sure you price out all the options you need in addition to
the rack space itself.


On Thu, Jan 17, 2013 at 8:04 AM, Rodrick Brown rodrick.br...@gmail.comwrote:

 On Thu, Jan 17, 2013 at 8:39 AM, ML m...@kenweb.org wrote:

  On 1/17/2013 4:49 AM, Ryan Finnesey wrote:
 
  What's the going rate now a days for a rack within EQUINIX?
 
  Cheers
  Ryan
 
 
  I would imagine this varies greatly by market and maybe even suite within
  the building


 And also power/cooling requirements.


 
 



Re: Netflow Nfsen Server Hardware

2013-01-17 Thread Christopher Morrow
On Thu, Jan 17, 2013 at 9:05 AM, Joe Loiacono jloia...@csc.com wrote:
 Tim Calvin tcal...@tlsn.net wrote on 01/16/2013 05:51:11 PM:

 PowerEdge R610 -

 2x Intel E5540, 2.53GHz Quad Core Processor

 32GB RAM

 2x 300gb 10k 2.5 SAS HDD

 Since netflow processing is generally I/O bound, you may want to invest in
 15K drives.

I had suggested off-list that perhaps primary storage as SSD was a
better path, is there a reason to not do that? (with some larger
storage on spinning-media for historical storage/query).



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Lee Howard


On 1/17/13 9:54 AM, William Herrin b...@herrin.us wrote:

On Thu, Jan 17, 2013 at 5:06 AM, . oscar.vi...@gmail.com wrote:
 The people on this list have an influence on how the Internet runs; I hope
 somebody smart can figure out how we can avoid going there, because that
 is frustrating and unfun.

Free network-based firewall to be installed next month. OPT OUT HERE
if you don't want it.

I haven't heard anyone talking about carrier-grade firewalls.  To make CGN
work a little, you have to enable full-cone NAT, which means as long as
you're connected to anything on IPv4, anyone can reach you (and for a
timeout period after that).  And most CGN wireline deployments will have
some kind of bulk port assignment, so the same ports always go to the same
users.  NAT != security, and if you try to make it, you will lose more
customers than I predicted.


It's not a hard problem. There are yet plenty of IPv4 addresses to go
around for all the people who actually care whether or not they're
behind a NAT.

I doubt that very much, and look forward to your analysis supporting that
statement.

Lee



Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
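
To make Lee's point about bulk port assignment concrete, here is an editor-added example (not from the thread, PlusNet, or any CGN vendor) of a deterministic per-subscriber port block mapping of the kind later documented in RFC 7422, together with the reverse lookup an ISP abuse desk needs to answer a report that names a public address and source port. The inside pool, outside pool and block size are constructed. It also shows what Oscar's concern looks like from the CGN side: a ban on the public address alone affects every subscriber sharing it, so a report needs the source port and timestamp before the ISP can attribute it to one customer.

```python
"""Deterministic CGN port blocks with the reverse lookup an abuse desk needs.

Editor-added example, not code from the thread, PlusNet or any CGN vendor;
the mapping is the deterministic scheme later documented in RFC 7422, and
the pools and block size below are constructed."""
import ipaddress

INSIDE_POOL = ipaddress.ip_network("100.64.0.0/22")    # 1024 subscriber addresses
OUTSIDE_POOL = ipaddress.ip_network("203.0.113.0/28")  # 16 shared public addresses
BLOCK_SIZE = 1008      # ports handed to each subscriber
RESERVED_LOW = 1024    # ports below this are never allocated


def blocks_per_address(block_size=BLOCK_SIZE, reserved_low=RESERVED_LOW):
    """How many subscribers one public address can carry."""
    return (65536 - reserved_low) // block_size


def port_block(inside_ip, inside_pool=INSIDE_POOL, outside_pool=OUTSIDE_POOL,
               block_size=BLOCK_SIZE, reserved_low=RESERVED_LOW):
    """Map a subscriber's inside address to (public address, first port, last port).
    The result depends only on the pools, so it never changes between sessions."""
    inside_ip = ipaddress.ip_address(inside_ip)
    if inside_ip not in inside_pool:
        raise ValueError(f"{inside_ip} is not in the inside pool")
    index = int(inside_ip) - int(inside_pool.network_address)
    addr_index, block_no = divmod(index, blocks_per_address(block_size, reserved_low))
    outside_ip = outside_pool.network_address + addr_index
    if outside_ip not in outside_pool:
        raise ValueError("outside pool too small for this subscriber index")
    first = reserved_low + block_no * block_size
    return str(outside_ip), first, first + block_size - 1


def subscriber_for(outside_ip, port, inside_pool=INSIDE_POOL, outside_pool=OUTSIDE_POOL,
                   block_size=BLOCK_SIZE, reserved_low=RESERVED_LOW):
    """Reverse lookup for an abuse report: which inside address owned this
    public address and source port?  None if the pair was never allocated."""
    outside_ip = ipaddress.ip_address(outside_ip)
    if outside_ip not in outside_pool or port < reserved_low:
        return None
    per_address = blocks_per_address(block_size, reserved_low)
    block_no = (port - reserved_low) // block_size
    if block_no >= per_address:
        return None
    addr_index = int(outside_ip) - int(outside_pool.network_address)
    inside_ip = inside_pool.network_address + (addr_index * per_address + block_no)
    return str(inside_ip) if inside_ip in inside_pool else None


def subscribers_behind(outside_ip, inside_pool=INSIDE_POOL, outside_pool=OUTSIDE_POOL,
                       block_size=BLOCK_SIZE, reserved_low=RESERVED_LOW):
    """Every inside address sharing one public address: what a ban on the
    address alone affects."""
    per_address = blocks_per_address(block_size, reserved_low)
    addr_index = int(ipaddress.ip_address(outside_ip)) - int(outside_pool.network_address)
    base = addr_index * per_address
    return [str(inside_pool.network_address + base + i) for i in range(per_address)
            if inside_pool.network_address + base + i in inside_pool]


if __name__ == "__main__":
    print(port_block("100.64.0.5"))
    print(subscriber_for("203.0.113.0", 6500))
    print(len(subscribers_behind("203.0.113.0")), "subscribers share 203.0.113.0")
```

With these pools each public address carries 64 subscribers, which is the whole point of the deterministic layout: the ISP keeps no per-connection log and still answers "who had 203.0.113.0 port 6500" by arithmetic, while a game operator that only sees the address cannot tell those 64 customers apart.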







Re: Netflow Nfsen Server Hardware

2013-01-17 Thread PC
I agree here with Christopher: an SSD to handle the high IOPS requirements
of real-time data logging, combined with a scheduled transfer which can
move the stored data in a linear large-block copy operation to ordinary
spindles, would be a cost-effective hybrid solution.

This of course assumes the application can handle this separation of
data, and I know nothing about Nfsen.


On Thu, Jan 17, 2013 at 9:01 AM, Christopher Morrow morrowc.li...@gmail.com
 wrote:

 On Thu, Jan 17, 2013 at 9:05 AM, Joe Loiacono jloia...@csc.com wrote:
  Tim Calvin tcal...@tlsn.net wrote on 01/16/2013 05:51:11 PM:
 
  PowerEdge R610 -
 
  2x Intel E5540, 2.53GHz Quad Core Processor
 
  32GB RAM
 
  2x 300gb 10k 2.5 SAS HDD
 
  Since netflow processing is generally I/O bound, you may want to invest
 in
  15K drives.

 I had suggested off-list that perhaps primary storage as SSD was a
 better path, is there a reason to not do that? (with some larger
 storage on spinning-media for historical storage/query).
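
PC's hybrid layout needs the scheduled transfer that moves aged files off the SSD in large sequential copies. As an editor-added example (not NfSen or nfdump code), the routine below walks a hot tree of nfcapd files, copies those older than a threshold to the same relative path on a cold tree, verifies each copy byte for byte and only then removes the original; demo() builds a constructed scratch tree so it runs stand-alone. It assumes the nfcapd.YYYYMMDDhhmm naming with a per-day directory layout, and that NfSen is pointed at the cold tree only for historical queries, which is exactly the application-level question PC raises.

```python
"""Move aged nfcapd files from an SSD "hot" tree to a spinning-disk "cold" tree.

Editor-added example; it is not NfSen or nfdump code, and it assumes NfSen
is pointed at the cold tree only for historical queries.  The directories
and files created by demo() are constructed scratch data."""
import filecmp
import os
import re
import shutil
import tempfile
import time

# nfcapd names one file per capture interval nfcapd.YYYYMMDDhhmm; the file
# still being written is nfcapd.current.<pid>, which this pattern never matches.
FLOW_FILE = re.compile(r"nfcapd\.\d{12}$")


def tier_flow_files(hot, cold, max_age_days, now=None):
    """Copy flow files older than max_age_days from hot to cold under the same
    relative path, verify the copy byte for byte, then delete the original.
    Returns the relative paths moved, oldest first."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    candidates = []
    for root, _, files in os.walk(hot):
        for name in files:
            if FLOW_FILE.match(name):
                path = os.path.join(root, name)
                mtime = os.stat(path).st_mtime
                if mtime <= cutoff:
                    candidates.append((mtime, path))
    moved = []
    for _, src in sorted(candidates):          # one large sequential copy each
        rel = os.path.relpath(src, hot)
        dst = os.path.join(cold, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)                 # keeps the capture-time mtime
        if not filecmp.cmp(src, dst, shallow=False):
            raise IOError(f"copy of {rel} does not match the original")
        os.remove(src)
        moved.append(rel)
    return moved


def demo():
    """Build a scratch hot/cold tree with constructed files and run one pass."""
    base = tempfile.mkdtemp(prefix="nfsen-tier-")
    hot, cold = os.path.join(base, "hot"), os.path.join(base, "cold")
    day = os.path.join(hot, "2013", "01", "17")
    os.makedirs(day)
    old = os.path.join(day, "nfcapd.201301170000")
    with open(old, "wb") as f:
        f.write(b"old flows")
    os.utime(old, (1358380800, 1358380800))    # 2013-01-17 00:00 UTC
    for name in ("nfcapd.201301171200", "nfcapd.current.4242"):  # recent, live
        with open(os.path.join(day, name), "wb") as f:
            f.write(b"fresh")
    moved = tier_flow_files(hot, cold, max_age_days=3)
    with open(os.path.join(cold, moved[0]), "rb") as f:
        copied = f.read()
    return {"moved": moved, "copied": copied, "left_in_hot": sorted(os.listdir(day))}


if __name__ == "__main__":
    print(demo())
```

Run from cron once a day with the hot and cold roots of the real installation; the verify-then-delete order means a failed or interrupted copy leaves the SSD copy in place rather than losing flow data.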




Re: Netflow Nfsen Server Hardware

2013-01-17 Thread Joe Loiacono
christopher.mor...@gmail.com wrote on 01/17/2013 11:01:06 AM:

 From: Christopher Morrow morrowc.li...@gmail.com
 To: Joe Loiacono/USA/CSC@CSC
 Cc: Tim Calvin tcal...@tlsn.net, nanog@nanog.org nanog@nanog.org
 Date: 01/17/2013 11:01 AM
 Subject: Re: Netflow Nfsen Server Hardware
 Sent by: christopher.mor...@gmail.com
 
 On Thu, Jan 17, 2013 at 9:05 AM, Joe Loiacono jloia...@csc.com wrote:
  Tim Calvin tcal...@tlsn.net wrote on 01/16/2013 05:51:11 PM:
 
  PowerEdge R610 -
 
  2x Intel E5540, 2.53GHz Quad Core Processor
 
  32GB RAM
 
  2x 300gb 10k 2.5 SAS HDD
 
  Since netflow processing is generally I/O bound, you may want to 
invest in
  15K drives.
 
 I had suggested off-list that perhaps primary storage as SSD was a
 better path, is there a reason to not do that? (with some larger
 storage on spinning-media for historical storage/query).

Nope, great suggestion. Just a cost consideration ...


Re: Netflow Nfsen Server Hardware

2013-01-17 Thread Christopher Morrow
On Thu, Jan 17, 2013 at 11:16 AM, Joe Loiacono jloia...@csc.com wrote:
 christopher.mor...@gmail.com wrote on 01/17/2013 11:01:06 AM:

 From: Christopher Morrow morrowc.li...@gmail.com
 To: Joe Loiacono/USA/CSC@CSC
 Cc: Tim Calvin tcal...@tlsn.net, nanog@nanog.org nanog@nanog.org
 Date: 01/17/2013 11:01 AM
 Subject: Re: Netflow Nfsen Server Hardware
 Sent by: christopher.mor...@gmail.com

 On Thu, Jan 17, 2013 at 9:05 AM, Joe Loiacono jloia...@csc.com wrote:
  Tim Calvin tcal...@tlsn.net wrote on 01/16/2013 05:51:11 PM:
 
  PowerEdge R610 -
 
  2x Intel E5540, 2.53GHz Quad Core Processor
 
  32GB RAM
 
  2x 300gb 10k 2.5 SAS HDD
 
  Since netflow processing is generally I/O bound, you may want to invest
  in
  15K drives.

 I had suggested off-list that perhaps primary storage as SSD was a
 better path, is there a reason to not do that? (with some larger
 storage on spinning-media for historical storage/query).

 Nope, great suggestion. Just a cost consideration ...

ah, ok... I figure that even if you were to put in 2 || 3 SSD drives
in the 200gb range, one per controller, you'd get maximum throughput
for a few days of data at not very much of a premium, then back up /
near-line store the data longer term on spinning 2tb or so disks.



Re: Netflow Nfsen Server Hardware

2013-01-17 Thread Justin M. Streiner

On Thu, 17 Jan 2013, Joe Loiacono wrote:


Tim Calvin tcal...@tlsn.net wrote on 01/16/2013 05:51:11 PM:


PowerEdge R610 -

2x Intel E5540, 2.53GHz Quad Core Processor

32GB RAM

2x 300gb 10k 2.5 SAS HDD


Since netflow processing is generally I/O bound, you may want to invest in
15K drives.


That, and lots of storage for flow data.  Even a small network can 
generate a lot of data.


jms



BGPMon.net IPv6 alerts?

2013-01-17 Thread eric-l...@truenet.com
We just had a DC move, so I was expecting alerts.  The move was 12AM EST on 
Wednesday and I'm still seeing alerts.
Looking at our router and some looking glass sites, we have full tables.  
Just wondering if this is anything I should be concerned about?

Sincerely,

Eric Tykwinski



Re: Netflow Nfsen Server Hardware

2013-01-17 Thread Pavel Kislinger
A better I/O controller (H700) with its NV cache will do a great job,
especially if you have more SAS disks and some SSD. For nfdump a big
SAS array built from six or more 900GB SAS HDDs in RAID 5 is much
better (10k 2.5'' disks are good for this task).

Pavel

On 17.1.2013 17:04, PC wrote:
 I agree here with Christopher; an SSD to handle the high IOPS requirements
 of real-time data logging, combined with a scheduled transfer which can
 move the stored data in a linear large-block copy operation to ordinary
 spindles, would be a cost-effective hybrid solution.

 This of course is assuming the application can handle this separation of
 data; and I know nothing about Nfsen


 On Thu, Jan 17, 2013 at 9:01 AM, Christopher Morrow morrowc.li...@gmail.com
 wrote:
 On Thu, Jan 17, 2013 at 9:05 AM, Joe Loiacono jloia...@csc.com wrote:
 Tim Calvin tcal...@tlsn.net wrote on 01/16/2013 05:51:11 PM:

 PowerEdge R610 -

 2x Intel E5540, 2.53GHz Quad Core Processor

 32GB RAM

 2x 300gb 10k 2.5 SAS HDD
 Since netflow processing is generally I/O bound, you may want to invest
 in
 15K drives.
 I had suggested off-list that perhaps primary storage as SSD was a
 better path, is there a reason to not do that? (with some larger
 storage on spinning-media for historical storage/query).
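
The tiering Christopher and PC describe (collector writes to SSD, a scheduled job later moves older data to large spinning disks in one sequential copy) can be driven by a small cron job, because nfcapd writes one file per capture interval named nfcapd.YYYYMMDDhhmm inside each channel directory of an NfSen profile. The script below is an added example, not part of NfSen or nfdump. Its assumptions: the hot and archive directory names, a two-day hot retention, and that leaving a symlink at the old path keeps the moved file readable from the profile tree (nfdump opens files by path, and open() follows symlinks, but verify that against your NfSen version before relying on it). The sample directory tree it builds in demo() is constructed for the example.

```python
import re
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

NFCAPD_RE = re.compile(r"^nfcapd\.(\d{12})$")  # nfcapd.YYYYMMDDhhmm


def capture_time(name):
    """Capture start time encoded in an nfcapd file name; None for other files
    (including the open 'nfcapd.current.<pid>' file the collector is still writing)."""
    m = NFCAPD_RE.match(name)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y%m%d%H%M")


def files_to_archive(hot_dir, now, hot_days):
    """Closed nfcapd files on the hot tier older than hot_days. Symlinks are skipped,
    so files already moved on a previous run are not touched again."""
    cutoff = now - timedelta(days=hot_days)
    out = []
    for p in sorted(Path(hot_dir).rglob("nfcapd.*")):
        if p.is_symlink():
            continue
        ts = capture_time(p.name)
        if ts is not None and ts < cutoff:
            out.append(p)
    return out


def archive(hot_dir, archive_dir, now=None, hot_days=2, dry_run=False):
    """Move qualifying files to the archive tier under the same relative path and leave a
    symlink behind. shutil.move copies sequentially when the tiers are different filesystems,
    which is exactly the large-block pattern spinning disks handle well."""
    now = now or datetime.now()
    moved = []
    for src in files_to_archive(hot_dir, now, hot_days):
        dst = Path(archive_dir) / src.relative_to(hot_dir)
        if not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
            src.symlink_to(dst)
        moved.append((src, dst))
    return moved


def demo():
    """Build a constructed sample profile tree in a temp directory, run archive() twice,
    and report what happened (assumed layout: <hot>/live/<channel>/nfcapd.*)."""
    root = Path(tempfile.mkdtemp(prefix="nfsen-tier-"))
    hot, cold = root / "hot", root / "cold"
    chan = hot / "live" / "router1"
    chan.mkdir(parents=True)
    for name in ("nfcapd.201301150000", "nfcapd.201301171200", "nfcapd.current.1234"):
        (chan / name).write_bytes(b"constructed sample")
    when = datetime(2013, 1, 17, 13, 0)
    moved = archive(hot, cold, now=when, hot_days=2)
    again = archive(hot, cold, now=when, hot_days=2)
    recent = chan / "nfcapd.201301171200"
    return {
        "moved": [m[0].name for m in moved],
        "second_run": len(again),
        "archived_exists": (cold / "live" / "router1" / "nfcapd.201301150000").is_file(),
        "link_left": (chan / "nfcapd.201301150000").is_symlink(),
        "recent_untouched": recent.is_file() and not recent.is_symlink(),
        "current_untouched": (chan / "nfcapd.current.1234").is_file(),
    }


if __name__ == "__main__":
    print(demo())
```

Run it from cron with `dry_run=True` first to see what would move; the selection is by the timestamp in the file name rather than mtime, so a bulk restore or rsync of old files does not make them look fresh.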






Re: Intermittent incorrect DNS resolution?

2013-01-17 Thread Damian Menscher
On Wed, Jan 16, 2013 at 8:09 PM, Erik Levinson
erik.levin...@uberflip.comwrote:

 To give an idea of the scale of the problem right now, I'm getting
 thousands of requests per minute to a new IP vs. about two requests per
 minute on the equivalent old IP, with over 60% of the latter being Baidu,
 but also a bit of Googlebot and other random bot and non-bot UAs.


It's common for malware to spoof the Googlebot user-agent since they know
most webmasters won't block it.  You might want to check whether the IPs
you're seeing it from are really allocated to us -- if so, I'd be
interested in tracking down why we're crawling your old IP.

Damian
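
The check Damian suggests (is a request with a Googlebot user-agent really coming from Google?) is usually done with the two-step DNS procedure Google documents for this purpose: reverse-resolve the client IP, require the PTR name to end in googlebot.com or google.com, then forward-resolve that name and require the original IP to be among its addresses. The second step is what defeats a spoofed PTR, since anyone who controls their own reverse zone can name a host whatever they like. The code below is an added example, neither Google's nor Uberflip's; it runs over four constructed log lines with lookup tables standing in for DNS so it works offline, and `dns_ptr`/`dns_addrs` show the live equivalents.

```python
import re
import socket

# Four combined-format access-log lines constructed for this example. 203.0.113.7, 198.51.100.9
# and 192.0.2.33 are documentation ranges; nothing here is real traffic from the thread.
SAMPLE_LOG = """\
66.249.73.45 - - [17/Jan/2013:13:58:01 -0500] "GET /old-page HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [17/Jan/2013:13:58:02 -0500] "GET /old-page HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [17/Jan/2013:13:58:03 -0500] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
192.0.2.33 - - [17/Jan/2013:13:58:04 -0500] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"
"""

# Constructed stand-ins for DNS. Only the first IP has a PTR that forward-resolves back to it;
# the second claims a googlebot.com name that resolves elsewhere (a spoofed reverse zone);
# the third has a PTR outside Google's domains.
FAKE_PTR = {
    "66.249.73.45": "crawl-66-249-73-45.googlebot.com",
    "203.0.113.7": "crawl-66-249-73-45.googlebot.com",
    "198.51.100.9": "host9.example.net",
}
FAKE_ADDRS = {
    "crawl-66-249-73-45.googlebot.com": ["66.249.73.45"],
    "host9.example.net": ["198.51.100.9"],
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def dns_ptr(ip):
    """Live reverse lookup; None when the IP has no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def dns_addrs(name):
    """Live forward lookup returning every address the name maps to (hosts may have several)."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []


def verify_googlebot(ip, ptr_lookup=dns_ptr, addrs_lookup=dns_addrs):
    """True only if the PTR is under googlebot.com/google.com AND that name resolves back to ip."""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return False
    ptr = ptr.lower().rstrip(".")
    if not ptr.endswith(GOOGLE_SUFFIXES):
        return False
    return ip in addrs_lookup(ptr)


def classify_log(text, ptr_lookup=dns_ptr, addrs_lookup=dns_addrs):
    """Tag each line's client as verified Googlebot, spoofed Googlebot, or some other UA."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ua = m.group("ip"), m.group("ua")
        if "googlebot" not in ua.lower():
            results.append((ip, "other-ua"))
        elif verify_googlebot(ip, ptr_lookup, addrs_lookup):
            results.append((ip, "verified-googlebot"))
        else:
            results.append((ip, "spoofed-googlebot"))
    return results


def classify_sample():
    """Run the classifier over the constructed log with the constructed DNS tables."""
    return classify_log(SAMPLE_LOG,
                        lambda ip: FAKE_PTR.get(ip),
                        lambda name: FAKE_ADDRS.get(name, []))


if __name__ == "__main__":
    for ip, verdict in classify_sample():
        print(ip, verdict)
```

Against a live log, call `classify_log(open(path).read())` with the default lookups and cache the per-IP verdicts, since one crawler IP appears many times and every unverified line otherwise costs two DNS round trips.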


Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

2013-01-17 Thread Matt Palmer
[Cookies on stat.ripe.net]

On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote:
 The cookie stays around for a YEAR (if I let it), and has the
 following stuff:
 
 Name: stat-csrftoken
 Content: 7f12a95b8e274ab940287407a14fc348

[...]

 To your credit, you only ask once, but you ought to ask zero times.

CSRF protection is one of the few valid uses of a cookie.  It shouldn't need
to be set on every page, though, and it should be cleared immediately after
the form submission.  It's typically a lot easier in the site code just to
set it once and be done with it.

By the way, if anyone *does* know of a good and reliable way to prevent CSRF
without the need for any cookies or persistent server-side session state,
I'd love to know how.  Ten minutes with Google hasn't provided any useful
information.

- Matt




Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

2013-01-17 Thread Scott Weeks


--- mpal...@hezmatt.org wrote: ---
From: Matt Palmer mpal...@hezmatt.org
[Cookies on stat.ripe.net]

On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote:
 The cookie stays around for a YEAR (if I let it), and has the
 following stuff:

CSRF protection is one of the few valid uses of a cookie.  
snip
By the way, if anyone *does* know of a good and reliable way to prevent CSRF
without the need for any cookies or persistent server-side session state,
I'd love to know how.  Ten minutes with Google hasn't provided any useful
information.
-


But, if I understand correctly, it's only if you are authenticated that
anything bad can be made to happen:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

CSRF attacks generally target functions that cause a state change on the 
server but can also be used to access sensitive data.

For most sites, browsers will automatically include with such requests any 
credentials associated with the site, such as the user's session cookie, 
basic auth credentials, IP address, Windows domain credentials, etc. 
Therefore, if the user is currently authenticated to the site, the site will 
have no way to distinguish this from a legitimate user request.

In this way, the attacker can make the victim perform actions that they 
didn't intend to, such as logout, purchase item, change account information, 
retrieve account information, or any other function provided by the 
vulnerable website.


So, if someone is just looking around, why is the cookie needed?  

scott
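
Matt's question (CSRF protection without persistent server-side session state) and Scott's (why does a visitor who is only reading pages need the cookie at all?) have a common answer in the stateless, keyed-token design sketched below. The server keeps one secret key and nothing per user: the token is an HMAC over the requester's session identifier and an issue time, so it can be verified by recomputation and is only issued when a form is actually rendered, never on a read-only page. Some binding to the browser is still required, normally the session cookie, because a token must be tied to whoever presents it; the only check that needs no cookie at all is the Origin/Referer comparison, included here as a second gate. This is an added example, not code from stat.ripe.net or the RIPE NCC; `SERVER_KEY`, `issue_token` and the other names are this example's own.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlparse

# The only server-side state the scheme needs: one secret key. Generated here for the
# example; a real deployment loads it from configuration so all workers share it.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token remains valid


def _mac(session_id, issued_at):
    """HMAC-SHA256 over the session identifier and issue time; nothing per-token is stored."""
    msg = "{}:{}".format(session_id, issued_at).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Create a token when a form is rendered. Format: issued_at:hex(HMAC(key, sid:issued_at)).
    Pages without forms (anonymous browsing) never call this and set no cookie."""
    issued_at = int(time.time()) if now is None else int(now)
    return "{}:{}".format(issued_at, _mac(session_id, issued_at))


def verify_token(token, session_id, now=None):
    """Recompute the MAC for the presenting session and check the age window.
    A token forged without SERVER_KEY, or replayed under another session, fails here."""
    now = int(time.time()) if now is None else int(now)
    try:
        issued_str, mac = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False
    return hmac.compare_digest(mac, _mac(session_id, issued_at))


def origin_allowed(headers, site_origin):
    """Cookie-free supplementary check: browsers attach Origin (or at least Referer) to
    cross-site POSTs and page script cannot forge them. Requests with neither are refused."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlparse(referer)
        origin = "{}://{}".format(parts.scheme, parts.netloc)
    return origin == site_origin


def accept_state_change(headers, form, session_id, site_origin, now=None):
    """Gate for a state-changing request: both the header check and the token check must pass."""
    return origin_allowed(headers, site_origin) and verify_token(
        form.get("csrf_token", ""), session_id, now)
```

Because verification is pure recomputation, tokens need no server-side table and no cleanup, and a token for one session is useless against another. The expiry window is what bounds replay of a leaked token, so keep TOKEN_TTL short relative to how long a form realistically stays open.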





Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread William Herrin
On Thu, Jan 17, 2013 at 11:01 AM, Lee Howard l...@asgard.org wrote:
 On 1/17/13 9:54 AM, William Herrin b...@herrin.us wrote:
On Thu, Jan 17, 2013 at 5:06 AM, . oscar.vi...@gmail.com wrote:
 The people on this list have a influence in how the Internet run, hope
 somebody smart can figure how we can avoid going there, because there
 is frustrating and unfun.

Free network-based firewall to be installed next month. OPT OUT HERE
if you don't want it.

 I haven't heard anyone talking about carrier-grade firewalls.  To make CGN
 work a little, you have to enable full-cone NAT, which means as long as
 you're connected to anything on IPv4, anyone can reach you (and for a
 timeout period after that).  And most CGN wireline deployments will have
 some kind of bulk port assignment, so the same ports always go to the same
 users.  NAT != security, and if you try to make it, you will lose more
 customers than I predicted.

Hi Lee,

Then it's a firewall that mildly enhances protection by obstructing
90% of the port scanning attacks which happen against your computer.
It's a free country so you're welcome to believe that the presence or
absence of NAT has no impact on the probability of a given machine
being compromised. Of course, you're also welcome to join the flat
earth society. As for me, the causative relationship between the rise
of the DSL router implementing negligible security except NAT and
the fall of port scanning as a credible attack vector seems blatant
enough.


It's not a hard problem. There are yet plenty of IPv4 addresses to go
around for all the people who actually care whether or not they're
behind a NAT.

 I doubt that very much, and look forward to your analysis supporting that
 statement.

If you have the data I'll be happy to crunch it but I'm afraid I'll
have to leave the data collection to someone who is paid to do that
very exhaustive work.

Nevertheless, I'll be happy to document my assumptions and show you
where they lead.

I assume that fewer than 1 in 10 eyeballs would find Internet service
behind a NAT unsatisfactory. Eyeballs are the consumers of content,
the modem, cable modem, residential DSL customers. Some few of them
are running game servers, web servers, etc. but 9 in 10 are the email,
vonage and netflix variety who are basically not impacted by NAT.

I assume that 75% or more of the IPv4 addresses which are employed in
any use (not sitting idle) are employed by eyeball customers. Verizon
Wireless has - remind me - how many /8's compared to, say, Google?

If you count from the explosion of interest in the Internet in 1995 to
now, it took 18 years to consume all the IPv4 addresses. Call it
consumption of 1/18th of the address space per year.

From my assumption, 25% of the addresses are consumed by non-eyeball
customers who will continue consuming them at 1/(18*4)= 1/72 of the
address space per year. Assuming that server ops still need that many
addresses when acquiring them is not so close to free.

From my assumptions 75% * 0.9 = 67.5% of the addresses are currently
consumed by eyeball customers who can convert to NAT. Match the
previous paragraph's math at 49/72's of the address space recoverable
at some cost that while not trivial is also not exorbitant.

Eyeballs were consuming at (1*3)/(18*4)= 3/72's per year but if only 1
in 10 needs a global address that slows to 3/720's.

13/720's per year consumes 490/720's after 37 years.

37 years.

So, where am I wrong? Is it more like 1 in 5 customers would cough up
an extra $5 rather than use a NAT address? The nearest comparable
would be your ratio of dynamic to static IP assignments. Does your
data support that being higher than 1 in 10? I'd bet the broad data
sets don't.

Is the current use pattern more like 50/50 between server users and
eyeball users? That'd cut things closer to a decade and a half but
what data I've glanced at from CAIDA, ARIN and the like doesn't seem
to support a belief that eyeballs aren't the major direct user of IPv4
addresses.

Perhaps consumption is accelerating, but a lot of that has been
low-key hoarding during the past 5 years or so. Even with accelerating
consumption we're still looking at a couple decades before we have to
really scrape for IPv4 addresses.

Perhaps I fouled the math itself. I've been known to miscarry a 1. All
the same, the sky doesn't seem to be falling.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
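
Bill's back-of-the-envelope model is small enough to put into a function, which makes its sensitivity to each input visible: his 75/25 split and 1-in-10 figure give the 37 years he arrives at, and the two alternatives he raises himself (1 in 5 customers wanting a global address, or a 50/50 split between server and eyeball use) give 27 years and a little under 15. This is an added illustration, not part of the thread; the function names and the mapping of his fractions onto parameters are this example's own, and the arithmetic is kept in exact fractions so the figures are not rounding artefacts.

```python
from fractions import Fraction


def _frac(x):
    """Accept 0.2, '1/5' or Fraction(1, 5) and keep the arithmetic exact."""
    return x if isinstance(x, Fraction) else Fraction(x).limit_denominator(1000)


def consumption_rate(eyeball_share, needs_global, years_to_exhaust=18):
    """Fraction of the whole address space consumed per year once eyeballs move behind NAT.
    Historical consumption is 1/years_to_exhaust per year; the non-eyeball part of it
    continues unchanged, the eyeball part shrinks to the share that still needs a global address."""
    e, g = _frac(eyeball_share), _frac(needs_global)
    historical = Fraction(1, years_to_exhaust)
    return (1 - e) * historical + e * historical * g


def recoverable_share(eyeball_share, needs_global):
    """Fraction of the space freed by moving the eyeballs who do not need a global address."""
    e, g = _frac(eyeball_share), _frac(needs_global)
    return e * (1 - g)


def headroom_years(eyeball_share=0.75, needs_global=0.1, years_to_exhaust=18):
    """Years until the recovered space is consumed again at the reduced rate."""
    return recoverable_share(eyeball_share, needs_global) / consumption_rate(
        eyeball_share, needs_global, years_to_exhaust)


def sensitivity():
    """The three scenarios raised in the message, as rounded years."""
    cases = {
        "75/25 split, 1 in 10 needs a global address": (0.75, 0.1),
        "75/25 split, 1 in 5 needs a global address": (0.75, 0.2),
        "50/50 split, 1 in 10 needs a global address": (0.5, 0.1),
    }
    return {label: round(float(headroom_years(e, g)), 1) for label, (e, g) in cases.items()}


if __name__ == "__main__":
    for label, years in sensitivity().items():
        print("{:<48} {:>5} years".format(label, years))
```

The model says nothing about the objection that follows in the thread (how much eyeball space is already assigned to NAT pools); that enters as a smaller `recoverable_share`, and because headroom is that share divided by the rate, it scales the answer down linearly.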



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Owen DeLong
 
 Nevertheless, I'll be happy to document my assumptions and show you
 where they lead.
 
 I assume that fewer than 1 in 10 eyeballs would find Internet service
 behind a NAT unsatisfactory. Eyeballs are the consumers of content,
 the modem, cable modem, residential DSL customers.

And this is where you run off the rails… You are assuming that NAT today
and CGN provide similar functionality from an end-user perspective.

The reality is that they do not. CGN is a substantially more degraded
form of internet access than current traditional per-site NAT.

1.  The end-site does not control the NAT box.
2.  UPnP and NAT-PMP do NOT work through CGN.
3.  There is no other provision in most CGNs to allow for inbound
connection trickery that allows many of today's applications to
function in spite of NAT.

 Some few of them
 are running game servers, web servers, etc. but 9 in 10 are the email,
 vonage and netflix variety who are basically not impacted by NAT.

Vonage will, in most cases fail through CGN as will Skype, Xbox-360,
and many of the other IM clients.

 I assume that 75% or more of the IPv4 addresses which are employed in
 any use (not sitting idle) are employed by eyeball customers. Verizon
 Wireless has - remind me - how many /8's compared to, say, Google?

Are you sure that 75% of VZW's IP addresses are assigned to end-customer
devices? I am not.

 If you count from the explosion of interest in the Internet in 1995 to
 now, it took 18 years to consume all the IPv4 addresses. Call it
 consumption of 1/18th of the address space per year.
 

I'll leave the obvious math error in this assumption as an exercise for
the reader.

 From my assumption, 25% of the addresses are consumed by non-eyeball
 customers who will continue consuming them at 1/(18*4)= 1/72 of the
 address space per year. Assuming that server ops still need that many
 addresses when acquiring them is not so close to free.
 

This assumption ignores non-customer use of addresses which, while minor,
is not insignificant.


 From my assumptions 75% * 0.9 = 67.5% of the addresses are currently
 consumed by eyeball customers who can convert to NAT. Match the
 previous paragraph's math at 49/72's of the address space recoverable
 at some cost that while not trivial is also not exorbitant.

This makes a rather absurd assumption that the majority of those eyeball
addresses are not already assigned to eyeball NAT pools. This is the
second place where your assumptions run wildly off the rails IMHO.

 Eyeballs were consuming at (1*3)/(18*4)= 3/72's per year but if only 1
 in 10 needs a global address that slows to 3/720's.
 

While the math works, it would be a lot more clear to say 1/4 * 3/18 = 3/72.

 13/720's per year consumes 490/720's after 37 years.
 
 37 years.
 
 So, where am I wrong? Is it more like 1 in 5 customers would cough up
 an extra $5 rather than use a NAT address? The nearest comparable
 would be your ratio of dynamic to static IP assignments. Does your
 data support that being higher than 1 in 10? I'd bet the broad data
 sets don't.

First, it's more like 1/100 customers that are not already behind NAT
of some form, so your 37 years drops to 0.37 years (a little more than
4 months).

This seems very disruptive and rather heavy on the overhead for a 4-month
stop-gap.

Owen





Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Jeff Kell
On 1/17/2013 6:50 PM, Owen DeLong wrote:
 Vonage will, in most cases fail through CGN as will Skype, Xbox-360,
 and many of the other IM clients. 

Not sure about Vonage, but Skype, Xbox, and just about everything else
imaginable (other than hosting a server) works just fine over NAT with
default-deny inbound here, and we have several thousand students in the
dorms that bang the heck out of those services.  Most applications have
adapted to the SOHO NATing router that is prevalent today on broadband
internet.  And if it didn't work, believe me, I'd hear about it :)

Jeff






Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Eric Tykwinski
I'll agree there, as developers have built in some tricks to work around NAT 
issues.  But in reality doing away with NAT is a much better alternative for 
the long haul.  So you are both right, but I'll side with Owen when doing 
network deployments as to ease my future headaches.

Sent from my iPhone

On Jan 17, 2013, at 7:30 PM, Jeff Kell jeff-k...@utc.edu wrote:

 On 1/17/2013 6:50 PM, Owen DeLong wrote:
 Vonage will, in most cases fail through CGN as will Skype, Xbox-360,
 and many of the other IM clients.
 
 Not sure about Vonage, but Skype, Xbox, and just about everything else
 imaginable (other than hosting a server) works just fine over NAT with
 default-deny inbound here, and we have several thousand students in the
 dorms that bang the heck out of those services.  Most applications have
 adapted to the SOHO NATing router that is prevalent today on broadband
 internet.  And if it didn't work, believe me, I'd hear about it :)
 
 Jeff
 
 
 
 




For those who may use a projector in the NOC

2013-01-17 Thread Michael Painter

http://www.colorlightoutput.com/



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Owen DeLong

On Jan 17, 2013, at 4:30 PM, Jeff Kell jeff-k...@utc.edu wrote:

 On 1/17/2013 6:50 PM, Owen DeLong wrote:
 Vonage will, in most cases fail through CGN as will Skype, Xbox-360,
 and many of the other IM clients. 
 
 Not sure about Vonage, but Skype, Xbox, and just about everything else
 imaginable (other than hosting a server) works just fine over NAT with
 default-deny inbound here, and we have several thousand students in the
 dorms that bang the heck out of those services.  Most applications have
 adapted to the SOHO NATing router that is prevalent today on broadband
 internet.  And if it didn't work, believe me, I'd hear about it :)
 

NAT yes.

NAT + NAT (NAT444 or CGN which is what we are talking about here), not so much.

Owen




Re: Intermittent incorrect DNS resolution?

2013-01-17 Thread Erik Levinson
Thanks Damian. I see four requests with Google UAs from actual Google IPs, 
66.249.73.45 and 66.249.73.17 (PTR and rwhois seem yours for both), in a period 
of 30 minutes (compared to over 80 per minute on the new IPs). This is pretty 
low, so I'm not too worried. 

Baidu is the main culprit now; there's little other traffic. In fact, we're 
getting no traffic from Baidu on the new IPs, only to the old ones. I've 
already e-mailed their spider help e-mail, but it's fallen on deaf ears.

Erik

-Original Message-
From: Damian Menscher dam...@google.com
Sent: Thursday, January 17, 2013 1:58pm
To: Erik Levinson erik.levin...@uberflip.com
Cc: NANOG mailing list nanog@nanog.org
Subject: Re: Intermittent incorrect DNS resolution?

On Wed, Jan 16, 2013 at 8:09 PM, Erik Levinson
erik.levin...@uberflip.comwrote:

 To give an idea of the scale of the problem right now, I'm getting
 thousands of requests per minute to a new IP vs. about two requests per
 minute on the equivalent old IP, with over 60% of the latter being Baidu,
 but also a bit of Googlebot and other random bot and non-bot UAs.


It's common for malware to spoof the Googlebot user-agent since they know
most webmasters won't block it.  You might want to check whether the IPs
you're seeing it from are really allocated to us -- if so, I'd be
interested in tracking down why we're crawling your old IP.

Damian





Re: Intermittent incorrect DNS resolution?

2013-01-17 Thread Erik Levinson
Upon further investigation, in this particular Google case, it seems to be a 
customer's CNAME to a record of theirs which is an actual A record to our old 
IP, contrary to our instructions (we tell everyone to CNAME us, so we can 
change IPs as we wish, which we've done for the first time this year). So there 
is no Google problem.

-Original Message-
From: Erik Levinson erik.levin...@uberflip.com
Sent: Thursday, January 17, 2013 8:42pm
To: Damian Menscher dam...@google.com
Cc: NANOG mailing list nanog@nanog.org
Subject: Re: Intermittent incorrect DNS resolution?

Thanks Damian. I see four requests with Google UAs from actual Google IPs, 
66.249.73.45 and 66.249.73.17 (PTR and rwhois seem yours for both), in a period 
of 30 minutes (compared to over 80 per minute on the new IPs). This is pretty 
low, so I'm not too worried. 

Baidu is the main culprit now; there's little other traffic. In fact, we're 
getting no traffic from Baidu on the new IPs, only to the old ones. I've 
already e-mailed their spider help e-mail, but it's fallen on deaf ears.

Erik

-Original Message-
From: Damian Menscher dam...@google.com
Sent: Thursday, January 17, 2013 1:58pm
To: Erik Levinson erik.levin...@uberflip.com
Cc: NANOG mailing list nanog@nanog.org
Subject: Re: Intermittent incorrect DNS resolution?

On Wed, Jan 16, 2013 at 8:09 PM, Erik Levinson
erik.levin...@uberflip.comwrote:

 To give an idea of the scale of the problem right now, I'm getting
 thousands of requests per minute to a new IP vs. about two requests per
 minute on the equivalent old IP, with over 60% of the latter being Baidu,
 but also a bit of Googlebot and other random bot and non-bot UAs.


It's common for malware to spoof the Googlebot user-agent since they know
most webmasters won't block it.  You might want to check whether the IPs
you're seeing it from are really allocated to us -- if so, I'd be
interested in tracking down why we're crawling your old IP.

Damian






Re: For those who may use a projector in the NOC

2013-01-17 Thread Eric Adler
This appears to be an Epson / 3LCD marketing campaign.

whois shows an admin contact at wintergroup.net.  wintergroup.net (on http)
is the home to a marketing agency, their client links below include Epson
and 3LCD; clicking 3LCD brings up a still image showing this page.
Searching for 3LCD finds this Epson page: 
http://global.epson.com/innovation/projection_technology/3LCD_technology/.
http://3lcd.com/ has a very familiar 'feel' as well... and has an admin
contact at Seiko Epson Corporation


I won't get into display theory on this list (feel free to contact me if
you want to discuss such)

- Eric Adler
Broadcast Engineer


Re: For those who may use a projector in the NOC

2013-01-17 Thread Mike Jones
On 18 January 2013 02:19, Eric Adler eapt...@gmail.com wrote:
 This appears to be an Epson / 3LCD marketing campaign.

 whois shows an admin contact at wintergroup.net.  wintergroup.net (on http)
 is the home to a marketing agency, their client links below include Epson
 and 3LCD; clicking 3LCD brings up a still image showing this page.
 Searching for 3LCD finds this Epson page: 
 http://global.epson.com/innovation/projection_technology/3LCD_technology/.
 http://3lcd.com/ has a very familiar 'feel' as well... and has an admin
 contact at Seiko Epson Corporation


 I won't get into display theory on this list (feel free to contact me if
 you want to discuss such)

 - Eric Adler
 Broadcast Engineer

The only thing I can think relevant regarding projectors/monitors in a
NOC situation would be general eye strain issues, which should be
taken into account in the same way as keyboard/chair positioning etc.
by whoever is responsible for health and safety. Anything beyond eye
strain is probably just getting into colour reproduction discussions,
which are largely irrelevant in a NOC.

I, for example, have all my monitors set to a lower colour temperature
and dimmed as much as feasible; colour reproduction is terrible but
great for avoiding eye strain. I switch back to reasonably normal
settings for watching videos and films etc., but during normal NOC
operation I doubt the colour accuracy needs to be able to distinguish
more than green/yellow/red (with maybe some shades between).

- Mike



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Constantine A. Murenin
On 17 January 2013 17:17, Owen DeLong o...@delong.com wrote:

 On Jan 17, 2013, at 4:30 PM, Jeff Kell jeff-k...@utc.edu wrote:

 On 1/17/2013 6:50 PM, Owen DeLong wrote:
 Vonage will, in most cases fail through CGN as will Skype, Xbox-360,
 and many of the other IM clients.

 Not sure about Vonage, but Skype, Xbox, and just about everything else
 imaginable (other than hosting a server) works just fine over NAT with
 default-deny inbound here, and we have several thousand students in the
 dorms that bang the heck out of those services.  Most applications have
 adapted to the SOHO NATing router that is prevalent today on broadband
 internet.  And if it didn't work, believe me, I'd hear about it :)


 NAT yes.

 NAT + NAT (NAT444 or CGN which is what we are talking about here), not so 
 much.

 Owen

Once you are doing NAT and your immediate gateway does not support
UPnP, what's the difference if it's NAT44 or NAT444?

I'm currently using NAT44, with at least two layers of 802.11g
WiFi and 5 routers that seem to be doing independent NAT.  Two of them
are mine, then the other 3 are of the ISP, to whom I connect through
802.11g, and it generally works just fine; traceroute on the final
hosts shows 5 first hops being in various separate 192.168.0.0/16 and
10.0.0.0/8 networks.  iChat works.  SIP works, too (for both incoming
and outgoing voice call).  Even ssh connections stay alive for more
than 24h with a mere 240s keepalive setting.

IPv6 is obviously the solution, but I think CGN poses more
technological and legal problems for the carriers as opposed to their
clients or the general-purpose non-server non-p2p application
developers.

CGN breaks the internet, but it doesn't break non-p2p VoIP at all whatsoever.

C.



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Brandon Ross

On Thu, 17 Jan 2013, Constantine A. Murenin wrote:


I'm currently using NAT44, with at least two layers of 802.11g
WiFi and 5 routers that seem to be doing independent NAT.  Two of them
are mine, then the other 3 are of the ISP, to whom I connect through
802.11g, and it generally works just fine; traceroute on the final
hosts shows 5 first hops being in various separate 192.168.0.0/16 and
10.0.0.0/8 networks.


Is the output of traceroute you reference above what you base your 
supposition on that you are behind multiple NATs?  Or do you have some 
other information indicating so?


--
Brandon Ross                                  Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                                       ICQ:  2269442
Schedule a meeting:  https://doodle.com/bross       Skype:  brandonross



Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Joe Maimon



Owen DeLong wrote:


And this is where you run off the rails… You are assuming that NAT today
and CGN provide similar functionality from an end-user perspective.


To the extent that CGN functions like the clueless linksys daisy-chain, 
then yes it does.


The reality is that they do not. CGN is a substantially more degraded
form of internet access than current traditional per-site NAT.

1.  The end-site does not control the NAT box.


The vast majority of end site today either do not control the NAT box or 
do not know how to control the NAT box.



2.  UPnP and NAT-PMP do NOT work through CGN.


And without this wondrous technology, nothing works behind a NAT! 
Whatever did we do before the invention and mass adoption of UPnP and 
NAT-PMP!




3.  There is no other provision in most CGNs to allow for inbound
connection trickery that allows many of today's applications to
function in spite of NAT.


Clearly we have run out of trickery as multiple layers of NAT stumps 
even the finest of our tricksters.


We will have to wait and see on this one. There is a complex interaction 
between protocol development, application deployment, cpe technology and 
user behavior all influenced by the NAT reality we are all witness to.


Will this interaction adopt and adapt CGN? Clearly your opinion is not, 
but its only an opinion.




Wireless has - remind me - how many /8's compared to, say, Google?


Are you sure that 75% of VZW's IP addresses are assigned to end-customer
devices? I am not.


No, actually, I believe what he said is that OF the Addresses ASSIGNED 
to devices, 75% are end-customers.


Far more are likely not in use by any specific device at any given point 
in time.


And what else exactly would VZW be doing with those addresses? Running 
more servers and infrastructure than wireless clients to use them?




First, it's more like 1/100 customers that are not already behind NAT
of some form, so your 37 years drops to 0.37 years (a little more than
4 months).


Rather disingenuous of you. We are not addressing some form of NAT. We 
are addressing the specific form of CGN, of which far fewer than 1/100 
customers are behind.


How about much simpler math. Assume 75% IP in any provider organization 
are for subscribers. Assume an average 5-10 subscribers per CGN IP.


Clearly, that organization's subscriber growth will be limited by CGN 
technology, not by address scarcity.




This seems very disruptive and rather heavy on the overhead for a 4-month
stop-gap.


 Owen



Think locally for a bit. Addresses are not instantaneously fungible 
across the internet. Any provider who can pull this off will have far 
more than a 4-month stop-gap. They may even have enough to peddle on the 
market.


Joe



Re: For those who may use a projector in the NOC

2013-01-17 Thread Michael Painter
- Original Message - 
  From: Eric Adler 
  To: Michael Painter 
  Cc: nanog@nanog.org 
  Sent: Thursday, January 17, 2013 4:19 PM
  Subject: Re: For those who may use a projector in the NOC


  This appears to be an Epson / 3LCD marketing campaign.  

  whois shows an admin contact at wintergroup.net.  wintergroup.net (on http) 
is the home to a marketing agency, their client links below include Epson and 
3LCD; clicking 3LCD brings up a still image showing this page.  Searching for 
3LCD finds this Epson page: 
http://global.epson.com/innovation/projection_technology/3LCD_technology/. 
http://3lcd.com/ has a very familiar 'feel' as well... and has an admin 
contact at Seiko Epson Corporation


  I won't get into display theory on this list (feel free to contact me if you 
want to discuss such)

  - Eric Adler
  Broadcast Engineer

Yes, I was taken in by the adoption of CLO by the Society for Information 
Display http://www.sid.org/About.aspx 
It's so easy to drop thousands into a projector based on the specs and end up 
with a shitty picture, so I think the CLO spec will help.
Whole thing is being debated here: 
http://www.avsforum.com/t/1451895/epson-color-light-output-demo-at-ces-2013 
--Michael


Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Owen DeLong


Sent from my iPad

On Jan 17, 2013, at 6:58 PM, Joe Maimon jmai...@ttec.com wrote:

 
 
 Owen DeLong wrote:
 
 And this is where you run off the rails… You are assuming that NAT today
 and CGN provide similar functionality from an end-user perspective.
 
 To the extent that CGN functions like the clueless linksys daisy-chain, then 
 yes it does.

Right, but that extent is very limited.

 
 The reality is that they do not. CGN is a substantially more degraded
 form of internet access than current traditional per-site NAT.
 
 1. The end-site does not control the NAT box.
 
 The vast majority of end site today either do not control the NAT box or do 
 not know how to control the NAT box.
 

Bzzt... They may not actively control it through an administrative interface, 
but, there is not some other administrator actively disabling functionality 
they care about.

 2. UPnP and NAT-PMP do NOT work through CGN.
 
 And without this wondrous technology, nothing works behind a NAT! Whatever 
 did we do before the invention and mass adoption of UPnP and NAT-PMP!

Many things that users depend on and like do not work without it. Those things 
did not work/did not exist much before UPnP/NAT-PMP. That is the reason UPnP 
and NAT-PMP were developed and gained such wide acceptance so quickly. Prior to 
that, some popular applications also received customized ALGs implemented in 
most NAT boxes.

 3. There is no other provision in most CGNs to allow for inbound
connection trickery that allows many of today's applications to
function in spite of NAT.
 
 Clearly we have run out of trickery as multiple layers of NAT stumps even the 
 finest of our tricksters.

Yes, we can dedicate thousands more developer hours to making yet more 
extensions to code to work around yet more NAT and maybe make it sort of kind 
of work almost as poorly as it does now. Or we could pour a fraction of those 
developer hours into implementing IPv6 in those same applications and have the 
problem solved in perpetuity.

 We will have to wait and see on this one. There is a complex interaction 
 between protocol development, application deployment, cpe technology and user 
 behavior all influenced by the NAT reality we are all witness to.

Yep. The trick is figuring out how to educate developers so that we can get OFF 
the damn NAT merry-go-round. NAT at this point has become the internet 
equivalent of charging $2 more than you pay on your credit card each month and 
wondering why the bill never shrinks.

 Will this interaction adopt and adapt CGN? Clearly your opinion is not, but 
 its only an opinion.

Actually, I'm more afraid that it will for some time to come. Results of 
continuing to do so:

1. Applications cost more.
2. Applications become progressively even more fragile and more poorly 
implemented than the current state of affairs.
3. Security goes even more out the window than it already has because there 
will be even less ability to identify the source of malicious conduct than 
there is today.
4. Routers cost more.
5. Router software continues to become more complex and more fragile and even 
more poorly implemented than the current state of the average home gateway 
while not actually adding any new functionality, just continuing to escalate 
the arms race to stay where we are in the face of an ever worsening NAT 
environment.
6. Performance continues to degrade on the altar of ever more layers of 
translation, obfuscation, hackery, workarounds, etc.

My hope is that we will realize at some point that this is a badly losing 
proposition, but, my fear is that we will actually find ways to make it work 
and worse yet, dedicate resources to doing so.

IMHO, having it fail miserably is the best case scenario. The alternatives are 
far worse.

 Wireless has - remind me - how many /8's compared to, say, Google?
 
 Are you sure that 75% of VZW's IP addresses are assigned to end-customer
 devices? I am not.
 
 No, actually, I believe what he said is that OF the Addresses ASSIGNED to 
 devices, 75% are end-customers.

Even that is a statistic of which I am unconvinced without better evidence.

 Far more are likely not in use by any specific device at any given point in 
 time.

Sure, but let's go with the modified statement you give above.

That assumes that VZW's entire network infrastructure, including billing 
systems, backhaul, provisioning, helpdesk, call centers, offices, servers, etc. 
all adds up to less than 1/4 of the total devices connected to their network.

I highly doubt it.

 And what else exactly would VZW be doing with those addresses? Running more 
 servers and infrastructure than wireless clients to use them?

I'd believe 50% or maybe even 65%, but 75% stretches credibility. See above for 
a partial list of the various things I expect they are doing with those 
addresses.

 First, it's more like 1/100 customers that are not already behind NAT
 of some form, so your 37 years drops to 0.37 years (a little 

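The "inbound connection trickery" the thread keeps coming back to is, for most home applications, a NAT-PMP (RFC 6886) or UPnP mapping request to the CPE. The following is an added example, not code from the thread or from any product discussed in it: it encodes both sides of the NAT-PMP exchange (client request, gateway response) against a hypothetical simulated gateway, and then applies the check a practitioner wants when a CGN is in the path, namely whether the "external" address the gateway reports is globally routable or sits in the RFC 6598 shared range (100.64.0.0/10) or RFC 1918 space, in which case the hole has only been punched through the first NAT. The gateway behaviour, port numbers and addresses in the sample run are constructed assumptions.

```python
"""NAT-PMP (RFC 6886) request/response codec with a simulated gateway.

Added example; not part of the original mailing-list thread. The gateway
here is a hypothetical stand-in for a home router, written so the exchange
can be run offline.
"""
import ipaddress
import struct

NATPMP_PORT = 5351  # UDP port a NAT-PMP gateway listens on (RFC 6886)
OP_EXTERNAL_ADDR, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESPONSE_BIT = 0x80  # response opcode = request opcode | 128
RESULT_CODES = {
    0: "success", 1: "unsupported version", 2: "not authorized/refused",
    3: "network failure", 4: "out of resources", 5: "unsupported opcode",
}
# If the gateway's "external" address falls in one of these, another NAT
# (typically a CGN handing out RFC 6598 space) sits between it and the Internet.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("100.64.0.0/10", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_external_addr_request() -> bytes:
    """Opcode 0: ask the gateway for its external IPv4 address (2 bytes)."""
    return struct.pack("!BB", 0, OP_EXTERNAL_ADDR)


def build_map_request(proto: str, internal_port: int,
                      external_port: int = 0, lifetime: int = 7200) -> bytes:
    """Opcode 1 (UDP) / 2 (TCP): request an inbound mapping (12 bytes).
    external_port 0 lets the gateway pick; lifetime is in seconds."""
    op = {"udp": OP_MAP_UDP, "tcp": OP_MAP_TCP}[proto]
    return struct.pack("!BBHHHI", 0, op, 0, internal_port, external_port, lifetime)


def parse_external_addr_response(data: bytes) -> dict:
    version, op, result, epoch, addr = struct.unpack("!BBHI4s", data[:12])
    if version != 0 or op != (OP_EXTERNAL_ADDR | RESPONSE_BIT):
        raise ValueError("not a NAT-PMP external-address response")
    return {"result": RESULT_CODES.get(result, "unknown"), "epoch": epoch,
            "external_ip": str(ipaddress.IPv4Address(addr))}


def parse_map_response(data: bytes) -> dict:
    version, op, result, epoch, iport, eport, lifetime = struct.unpack("!BBHIHHI", data[:16])
    if version != 0 or op not in (OP_MAP_UDP | RESPONSE_BIT, OP_MAP_TCP | RESPONSE_BIT):
        raise ValueError("not a NAT-PMP mapping response")
    return {"result": RESULT_CODES.get(result, "unknown"), "epoch": epoch,
            "proto": "udp" if (op & 0x7F) == OP_MAP_UDP else "tcp",
            "internal_port": iport, "external_port": eport, "lifetime": lifetime}


def reachable_from_internet(external_ip: str) -> bool:
    """True only if the reported address is globally routable; a 100.64/10 or
    RFC 1918 answer means the mapping stops at the next NAT layer (e.g. a CGN)."""
    ip = ipaddress.ip_address(external_ip)
    return not any(ip in net for net in NON_PUBLIC)


def simulate_gateway(request: bytes, external_ip: str, now: int = 0,
                     max_lifetime: int = 7200) -> bytes:
    """Hypothetical gateway answering the two request types above.
    Note it never checks which LAN host asked: NAT-PMP carries no
    authentication, so any device on the LAN can open a port."""
    version, op = request[0], request[1]
    if version != 0:  # result 1: unsupported version (error reply, 8 bytes)
        return struct.pack("!BBHI", 0, op | RESPONSE_BIT, 1, now)
    if op == OP_EXTERNAL_ADDR:
        return struct.pack("!BBHI4s", 0, op | RESPONSE_BIT, 0, now,
                           ipaddress.IPv4Address(external_ip).packed)
    if op in (OP_MAP_UDP, OP_MAP_TCP):
        _, _, _, iport, eport, lifetime = struct.unpack("!BBHHHI", request[:12])
        return struct.pack("!BBHIHHI", 0, op | RESPONSE_BIT, 0, now,
                           iport, eport or iport, min(lifetime, max_lifetime))
    return struct.pack("!BBHI", 0, op | RESPONSE_BIT, 5, now)  # unsupported opcode


def request_game_port(proto: str, port: int, gateway_external_ip: str) -> dict:
    """Client side: learn the external address, map the port, then decide
    whether peers on the Internet can actually reach the mapping."""
    ext = parse_external_addr_response(
        simulate_gateway(build_external_addr_request(), gateway_external_ip))
    mapping = parse_map_response(
        simulate_gateway(build_map_request(proto, port, port, 3600), gateway_external_ip))
    mapping["external_ip"] = ext["external_ip"]
    mapping["reachable"] = reachable_from_internet(ext["external_ip"])
    return mapping


if __name__ == "__main__":
    # Constructed sample: same request against a gateway with a public WAN
    # address and against one whose WAN side is in the CGN shared range.
    for wan in ("203.0.113.7", "100.70.1.2"):
        print(wan, request_game_port("udp", 27015, wan))
```

Against a real gateway the two requests go by UDP to the default gateway on port 5351 and the responses are parsed the same way; the reachability check is what a game client or VoIP app can use to stop advertising an address that only works behind the first NAT, which is exactly the case a CGN creates. Error replies are simplified to the 8-byte header form here.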
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-17 Thread Owen DeLong

 
 I hate to break it to you guys, more of the larger providers in NA are 
 implementing CGNAT in the next 6 to 18 months. Especially the mobile carriers.


I have agreed long ago that mobile is the one place where CGN will go mostly 
unnoticed. First of all, most mobiles have been behind some form of CGN for a 
long time. Second, hardly anyone expects real internet access through their 
mobile in NA to actually be fully functional to begin with. It's always been 
somewhat broken and everyone is used to that. Breaking it a little bit more 
will probably make no difference whatsoever.

I can already count on VZW to disable, block, or degrade to uselessness any 
attempt at a VOIP call or VIDEO conference other than through the built-in 
applications where the phone manufacturer and the carrier have come to some 
agreement and built in hooks to make it sort of work. I can also count on VZW 
to do nasty things to my DNS requests (ever try turning on DNSSEC validation on 
a handset? I don't recommend it.)

When I was on SPRINT, they were slightly worse. On my iPAD via ATT, it's much 
worse.

Mobile carriers in North America are an ever increasing quagmire where one has 
to attempt to locate the one that sucks least for the duration of your next 
contract.

Let's focus more on CGN via CMTS, GPON, or DSL systems. That's where the real 
pain will be felt by the subscribers.

Owen