EQUINIX
What's the going rate nowadays for a rack within EQUINIX?

Cheers
Ryan
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
I am not a network engineer, but I follow this list to stay updated about important news that affects Internet stability.

NAT is already a problem for things like video games. You want people to be able to host a multiplayer game and have their friends join the game. A free-to-play MMO may want to make a ban for a bad person permanent, and for this banning an IP is useful; if a whole range of players use one IP, it will be harder to stop these people from disrupting other people's fun. Players that can't connect to the other players whine on the forums and ask the game devs to fix the problem, costing these people money. People that can't connect to other players, for a problem that is not on their side or under their control, get frustrated. This type of problem is hard to debug for users.

The people on this list have an influence on how the Internet runs; I hope somebody smart can figure out how we can avoid going there, because it is frustrating and unfun.

-- 
-- End of message.
Re: Notice: Fraudulent RIPE ASNs
On Wed, Jan 16, 2013 at 11:39:14AM -0500, William Herrin wrote:
> 1. Has SPAMHAUS attempted to feed relevant portions of their knowledge
> into ARIN's reporting system for fraudulent registrations and,

I don't know the answer to that.

> 2. Understanding that ARIN can only deal with fraudulent registrations,
> not any other kind of bad-actor behavior, are there improvements to
> ARIN's process which would help SPAMHAUS and similar organizations feed
> ARIN actionable knowledge?

Yes. All ARIN (public) data should be immediately downloadable in bulk by anyone who wishes to access it. No registration, no limits, no nothing.

As I pointed out here a couple of weeks ago (see below), query rate-limiting measures such as RIPE currently employs are not only pointless but counterproductive: the bad guys already have (or can have) the data any time they wish, but the good guys can't. I suggest a daily rsync'able snapshot of the whole enchilada in whatever form(s) is/are appropriate: text, XML, tarball, etc.

Of course I was responding to something from RIPE, but this applies everywhere. It's 2013. The bad guys have had the means to easily bypass stuff like this for about a decade, if not longer. It's not only silly to keep pretending they don't, but it's limiting: some of the best techniques we have for spotting not only fraudulent registrations, but other patterns of abuse, work best when given as much data as possible. (It's really quite impressive what you can find with grep, if you have enough data in the right form.)

(Incidentally, the same thing is true of all domain registration data. The namespace, like network space, is a public resource, therefore anyone using any of it must be publicly accountable.)

Here's what I said at the time; generalize/modify appropriately:

Subject: Re: RIPE Database Proxy Service Issues

On Wed, Jan 02, 2013 at 05:00:14PM +0100, Axel Pawlik wrote:
> To prevent the automatic harvesting of personal information (real names,
> email addresses, phone numbers) from the RIPE Database, there are PERSON
> and ROLE object query limits defined in the RIPE Database Acceptable Use
> Policy. This is set at 1,000 PERSON or ROLE objects per IP address per
> day. Queries that result in more than 1,000 objects with personal data
> being returned result in that IP address being blocked from carrying out
> queries for that day.

1. The technical measures you've outlined will not prevent, and have not prevented, anyone from automatically harvesting the entire thing. Anyone who owns or rents, for example, a 2M-member botnet, could easily retrieve the entire database using 1 query per IP address, spread out over a day/week/month/whatever. (Obviously more sophisticated approaches immediately suggest themselves.) Of course a simpler approach might be to buy a copy from someone who already has.

I'm not picking on you, particularly: all WHOIS operators need to stop pretending that they can protect their public databases via rate-limiting. They can't. The only thing that they're doing is preventing NON-abusers from acquiring and using bulk data.

2. This presumes that the database is actually a target for abusers. I'm sure for some it is. But as a source, for example, of email addresses, it's a poor one: the number of addresses per thousand records is relatively small and those addresses tend to belong to people with clue, making them rather suboptimal choices for spamming/phishing/etc. Far richer targets are available on a daily basis simply by following the dataloss mailing list et al. and observing what's been posted on pastebin or equivalent. These not only include many more email addresses, but often names, passwords (encrypted or not), and other personal details.

And once again, the simpler approach of purchasing data is available.

3. Of course answering all those queries no doubt imposes significant load. Happily, one of the problems that we seem to have pretty much figured out how to solve is serving up many copies of static content, because we have tools like web servers and rsync. So let me suggest that one way to make this much easier on yourselves is to export a (timestamped) static snapshot of the entire database once a day, and let the rest of the Internet mirror the hell out of it. This spreads out the load, drops the pretense that rate-limiting accomplishes anything useful, makes all the data available to everyone equally, and, as long as everyone is aware that it's a snapshot and not a real-time answer, would probably suffice for most uses. (It would also come in handy during network events which render your service unreachable/unusable in whole or part, e.g., from certain parts of the world. Slightly-stale data is way better than no data.)
Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)
On 1/16/13 8:36 PM, Shrdlu wrote:
> On 1/16/2013 9:40 AM, john wrote:
>> I took a look at this site and unfortunately the use of cookies is very
>> ingrained into the code. Removing the requirement breaks all
>> functionality of www.ris.ripe.net and changing the functionality would
>> require a rewrite of the site.
>
> Sooner or later, you'll get to a place where you consider a major
> update, and perhaps then you'll consider emulating NANOG's site.

However... just for clarity, I believe that the issues with requiring cookies only affect www.ris.ripe.net and not the entire *.ripe.net site(s). I'm not one of the developers; however, I believe they endeavour to keep the use of cookies to a minimum in current and future development.

> I was curious, and I went to look at it. Please consider using some
> other color than the lovely amber yellow you've chosen. It's very
> pretty, and exhausting to look at for any length of time. I'm a HUGE
> fan of gray scales, and of text.
>
> I see that you want a cookie when I want to look at one of the videos,
> but blocking it doesn't hurt me. Here's where you did something right.
> The video plays on my (pretty old) Firefox, which has no Flash
> (hooray!).
>
> The cookie stays around for a YEAR (if I let it), and has the
> following stuff:
>
>   Name: stat-csrftoken
>   Content: 7f12a95b8e274ab940287407a14fc348
>   Host: stat.ripe.net
>   Path: /
>   Send For: Any type of connection
>   Expires: Wednesday, January 15, 2014 11:29:34 AM
>
> To your credit, you only ask once, but you ought to ask zero times.
> The site's not bad, but please consider changing the yellow to black.
> Less beauty, more utility.

Thank you for this feedback, I'll pass it on to the developers.

Regards
John
Re: How are operators using IRR?
2013/1/17 ML <m...@kenweb.org>
> How are operators using the data available in the various IRRs?
>
> Using an example:
> AS1 is your customer
> AS1 has AS2, AS3 and AS4 described as customers in an IRR
> Also assume AS2 has IRR data describing AS1000 and AS2000 as its customers.
>
> Are operators building AS path regexes such as the following
> automatically from IRR and applying that to your BGP sessions?
>
> AS1{1,}
> AS1{1,} AS2{1,}
> AS1{1,} AS3{1,}
> AS1{1,} AS2{1,} AS1000{1,}
> AS1{1,} AS2{1,} AS2000{1,}
>
> I would imagine most operators that are building policy from IRR are
> building prefix lists to limit what they are accepting. Is this being
> paired with some AS path filtering?
>
> Are operators just traversing an AS-SET as far as it will go and
> building prefix lists to represent all intended prefixes to be heard on
> a session regardless of who originates them?
>
> Is the possibility of AS1000 hijacking AS2000 prefixes towards AS2 a
> problem you as the upstream to AS1 need to consider?
>
> (Last question assumes AS2 made a mistake and wasn't filtering properly
> on its own customers and AS1 is just accepting all prefixes under the
> cone of AS2)
>
> Thanks

Hi,

I usually build a prefix-list gathering route objects having an origin AS from the customer AS-SET. I know some operators doing AS-PATH filtering and others who don't have anything else than a max-prefix limit on the session. In my previous job, one of my transit providers just had a max-prefix limit of 4k and I was announcing 2K routes. Hopefully we were good enough not to leak any illegitimate routes on the sessions by misconfiguration.

-- 
Pierre-Yves
Re: NANOG Digest, Vol 60, Issue 54
unsubscribe please

[carl gough]
founder and CEO
+61 425 266 764
mobsource.com

On 17/01/13 11:00 PM, nanog-requ...@nanog.org wrote:
> Send NANOG mailing list submissions to nanog@nanog.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://mailman.nanog.org/mailman/listinfo/nanog
> or, via email, send a message with subject or body 'help' to
> nanog-requ...@nanog.org
>
> You can reach the person managing the list at nanog-ow...@nanog.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of NANOG digest..."
>
> Today's Topics:
>
> 1. Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6 ( .)
> 2. Re: Notice: Fraudulent RIPE ASNs (Rich Kulawiec)
> 3. Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...) (john)
RE: How are operators using IRR?
I have mainly worked at small and medium sized operators and we did not use IRR at all apart from registering our own and customer blocks with the one upstream provider we had (Level3), which required it. We maintained our own databases of customer prefixes tied to other customer information, from which strict prefix lists were generated. I have rarely seen AS path filtering used except with large customers where maintaining strict prefix lists wasn't manageable.

Phil

From: ML
Sent: 1/16/2013 19:57
To: NANOG
Subject: How are operators using IRR?

> How are operators using the data available in the various IRRs?
>
> Using an example:
> AS1 is your customer
> AS1 has AS2, AS3 and AS4 described as customers in an IRR
> Also assume AS2 has IRR data describing AS1000 and AS2000 as its customers.
>
> Are operators building AS path regexes such as the following
> automatically from IRR and applying that to your BGP sessions?
>
> AS1{1,}
> AS1{1,} AS2{1,}
> AS1{1,} AS3{1,}
> AS1{1,} AS2{1,} AS1000{1,}
> AS1{1,} AS2{1,} AS2000{1,}
>
> I would imagine most operators that are building policy from IRR are
> building prefix lists to limit what they are accepting. Is this being
> paired with some AS path filtering?
>
> Are operators just traversing an AS-SET as far as it will go and
> building prefix lists to represent all intended prefixes to be heard on
> a session regardless of who originates them?
>
> Is the possibility of AS1000 hijacking AS2000 prefixes towards AS2 a
> problem you as the upstream to AS1 need to consider?
>
> (Last question assumes AS2 made a mistake and wasn't filtering properly
> on its own customers and AS1 is just accepting all prefixes under the
> cone of AS2)
>
> Thanks
Re: EQUINIX
On 1/17/2013 4:49 AM, Ryan Finnesey wrote:
> What's the going rate nowadays for a rack within EQUINIX?
>
> Cheers
> Ryan

I would imagine this varies greatly by market and maybe even suite within the building.
Re: GPS attack vector
On 01/16/2013 08:06 PM, Jay Ashworth wrote:
> Do you use GPS to provide any mission critical services (like time of
> day) in your network?
>
> Have you already seen this? (I hadn't)
>
> http://arstechnica.com/security/2012/12/how-to-bring-down-mission-critical-gps-networks-with-2500/

Hi, Jay,

Yes, saw this about a month ago. We have a UNAVCO Plate Boundary Observatory station (779) on our site, and it uses a Trimble NetRS. We also use GPS timing locally to generate NTP stratum 1 for our LAN via Agilent/HP Z3816 disciplined receivers, and individual GPS receivers for both of our 26 meter radio telescopes for precision local standard of rest calculations. But as a frequency standard for 10MHz, we only use the output of the frequency locked loops in the Z3816s as references for our Efratom rubidium standard; even cesium clocks have more drift than rubidium ones, and the rubidium is manually locked, and is the master reference for anything that needs a frequency reference; the Z3816s can have significant jitter (well, significant is relative). Last I checked, the rubidium was 8.5uHz (yes, microhertz) off according to the GPS disciplined 10MHz signal from one of the Z3816s (we use an HP differential counter with a very long gate time to get that measurement precision).

It was interesting timing for the release of this paper, as it was around the time tick and tock were rebooted and went all 'Doc Brown' on us.

Anyone interested in the vagaries of serious time precision, please reference the 'Time-Nuts' mailing list, and other content, hosted by febo.com.
Re: Netflow Nfsen Server Hardware
Tim Calvin <tcal...@tlsn.net> wrote on 01/16/2013 05:51:11 PM:
> PowerEdge R610 - 2x Intel E5540, 2.53GHz Quad Core Processor
> 32GB RAM
> 2x 300gb 10k 2.5 SAS HDD

Since netflow processing is generally I/O bound, you may want to invest in 15K drives.

Joe
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On 17 January 2013 10:06, . <oscar.vi...@gmail.com> wrote:
> I am not a network engineer, but I follow this list to stay updated
> about important news that affects Internet stability.
>
> NAT is already a problem for things like video games. You want people
> to be able to host a multiplayer game and have their friends join the
> game. A free-to-play MMO may want to make a ban for a bad person
> permanent, and for this banning an IP is useful; if a whole range of
> players use one IP, it will be harder to stop these people from
> disrupting other people's fun. Players that can't connect to the other
> players whine on the forums and ask the game devs to fix the problem,
> costing these people money. People that can't connect to other players,
> for a problem that is not on their side or under their control, get
> frustrated. This type of problem is hard to debug for users.
>
> The people on this list have an influence on how the Internet runs; I
> hope somebody smart can figure out how we can avoid going there,
> because it is frustrating and unfun.

If you follow this list then you should already know the answer, functional* IPv6 deployments.

- Mike

*Some ISPs have some very weird ideas that I hope never catch on.
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On Thu, 17 Jan 2013, Mike Jones wrote:
> If you follow this list then you should already know the answer,
> functional* IPv6 deployments.

AND game developers who build IPv6 functionality into their products. Do you hear us, PS3 and Xbox?

Oscar, make sure you are telling your favorite game developers that they need to support IPv6 if they want to avoid the NAT mess.

-- 
Brandon Ross
Yahoo AIM: BrandonNRoss
+1-404-635-6667
ICQ: 2269442
Schedule a meeting: https://doodle.com/bross
Skype: brandonross
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On 17 January 2013 15:29, Brandon Ross <br...@pobox.com> wrote:
> ..
> AND game developers who build IPv6 functionality into their products.
> Do you hear us, PS3 and Xbox?
>
> Oscar, make sure you are telling your favorite game developers that
> they need to support IPv6 if they want to avoid the NAT mess.

Ok. I will pass the message.

Some of them (FOSS guys) already did:
http://ioquake3.org/2008/04/21/ioquake3-now-ipv6-capable/

For most commercial projects I don't have my hopes very high. Most game software development is rushed to release.

-- 
-- End of message.
Re: How are operators using IRR?
Hi,

Some of the networks close to me use IRR-based AS_PATH and prefix filters at customer-route import. Needless to say, running periodic diffs between what's found in IRR and what's received in RW, and discussing the results with customers, is a necessary good thing to make sure that what is expected is really happening. (And potentially a means to bump up the quality of the IRR data set.)

Cheers,
mh

On 17/01/2013 14:14, Phil Bedard wrote:
> I have mainly worked at small and medium sized operators and we did not
> use IRR at all apart from registering our own and customer blocks with
> the one upstream provider we had (Level3), which required it. We
> maintained our own databases of customer prefixes tied to other customer
> information, from which strict prefix lists were generated. I have
> rarely seen AS path filtering used except with large customers where
> maintaining strict prefix lists wasn't manageable.
>
> Phil
>
> From: ML
> Sent: 1/16/2013 19:57
> To: NANOG
> Subject: How are operators using IRR?
>
>> How are operators using the data available in the various IRRs?
>>
>> Using an example:
>> AS1 is your customer
>> AS1 has AS2, AS3 and AS4 described as customers in an IRR
>> Also assume AS2 has IRR data describing AS1000 and AS2000 as its customers.
>>
>> Are operators building AS path regexes such as the following
>> automatically from IRR and applying that to your BGP sessions?
>>
>> AS1{1,}
>> AS1{1,} AS2{1,}
>> AS1{1,} AS3{1,}
>> AS1{1,} AS2{1,} AS1000{1,}
>> AS1{1,} AS2{1,} AS2000{1,}
>>
>> I would imagine most operators that are building policy from IRR are
>> building prefix lists to limit what they are accepting. Is this being
>> paired with some AS path filtering?
>>
>> Are operators just traversing an AS-SET as far as it will go and
>> building prefix lists to represent all intended prefixes to be heard
>> on a session regardless of who originates them?
>>
>> Is the possibility of AS1000 hijacking AS2000 prefixes towards AS2 a
>> problem you as the upstream to AS1 need to consider?
>>
>> (Last question assumes AS2 made a mistake and wasn't filtering
>> properly on its own customers and AS1 is just accepting all prefixes
>> under the cone of AS2)
>>
>> Thanks
Re: How are operators using IRR?
On Jan 17, 2013, at 9:44 AM, Michael Hallgren <m.hallg...@free.fr> wrote:
> Hi,
>
> Some of the networks close to me use IRR-based AS_PATH and prefix
> filters at customer-route import. Needless to say, running periodic
> diffs between what's found in IRR and what's received in RW, and
> discussing the results with customers, is a necessary good thing to make
> sure that what is expected is really happening. (And potentially a means
> to bump up the quality of the IRR data set.)

Good point... There's some additional information at work in progress here:

http://tools.ietf.org/html/draft-grow-irr-routing-policy-considerations-00

If folks have comments, additions, etc., email the authors or g...@ietf.org.

-danny
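As an added illustration of two points in this thread (ML's question about building prefix lists and AS-path patterns from IRR data, and Michael Hallgren's suggestion of periodic diffs between IRR and what is actually received), the Python below is example code written for this page; it is not from the thread, from any IRR client, or from the draft Danny links. The AS-SET names, route objects and received routes are constructed, and the in-memory dicts stand in for the RPSL objects a real tool would fetch from a registry. It expands the customer AS-SET, builds the prefix list Pierre-Yves describes and the AS1{1,} AS2{1,} ... chains from ML's example (the generator also emits the AS4 line ML's list leaves out), and then audits received routes against both. The third received route is ML's own scenario, AS1000 originating an AS2000 prefix: it passes the prefix list and the AS-path pattern, and only the comparison of origin AS against the route object flags it.

```python
import re

# Constructed IRR-style data for the example (not real registry content).
AS_SETS = {
    "AS1:AS-CUSTOMERS": ["AS1", "AS2:AS-CUSTOMERS", "AS3", "AS4"],
    "AS2:AS-CUSTOMERS": ["AS2", "AS1000", "AS2000"],
}
ROUTE_OBJECTS = {  # prefix -> origin AS, as the (constructed) route objects say
    "192.0.2.0/24": "AS1",
    "198.51.100.0/24": "AS2",
    "203.0.113.0/24": "AS3",
    "10.1.0.0/16": "AS4",
    "10.2.0.0/16": "AS1000",
    "10.3.0.0/16": "AS2000",
}
ASN_RE = re.compile(r"AS\d+")


def expand_as_set(name, seen=None):
    """Resolve an AS-SET (recursively, cycle-safe) to the set of ASNs it contains."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in AS_SETS.get(name, []):
        if ASN_RE.fullmatch(member):
            asns.add(member)
        else:
            asns |= expand_as_set(member, seen)
    return asns


def build_prefix_list(as_set):
    """Prefix list: every route object whose origin is inside the expanded cone."""
    cone = expand_as_set(as_set)
    return sorted(p for p, origin in ROUTE_OBJECTS.items() if origin in cone)


def cone_chains(as_set, chain=(), seen=None):
    """Enumerate AS chains from the set owner down through nested customer sets."""
    seen = set() if seen is None else seen
    if as_set in seen:
        return []
    seen.add(as_set)
    owner = as_set.split(":")[0]
    here = chain + (owner,)
    chains = [here]
    for member in AS_SETS.get(as_set, []):
        if ASN_RE.fullmatch(member):
            if member != owner:          # sets usually list their owner too
                chains.append(here + (member,))
        else:
            chains.extend(cone_chains(member, here, seen))
    return chains


def build_as_path_patterns(as_set):
    """Render the chains in the AS1{1,} AS2{1,} ... form used in ML's question."""
    return [" ".join(f"{asn}{{1,}}" for asn in c) for c in cone_chains(as_set)]


def chain_regex(chain):
    # Each ASN may repeat (prepending); anchors and spaces keep AS1 from matching AS1000.
    return re.compile("^" + " ".join(f"{a}(?: {a})*" for a in chain) + "$")


def audit_received(as_set, received):
    """Diff received (prefix, as_path) routes against the IRR-derived policy."""
    prefixes = set(build_prefix_list(as_set))
    regexes = [chain_regex(c) for c in cone_chains(as_set)]
    report = []
    for prefix, as_path in received:
        findings = []
        if prefix not in prefixes:
            findings.append("prefix has no route object in the customer cone")
        if not any(r.match(as_path) for r in regexes):
            findings.append("AS path does not follow the IRR customer cone")
        origin = as_path.split()[-1]
        registered = ROUTE_OBJECTS.get(prefix)
        if registered and registered != origin:
            findings.append(f"origin {origin} differs from route object origin {registered}")
        report.append((prefix, as_path, tuple(findings)))
    return report


# Constructed sample of what the customer session actually announced.
RECEIVED = [
    ("192.0.2.0/24", "AS1"),
    ("10.2.0.0/16", "AS1 AS2 AS1000"),
    ("10.3.0.0/16", "AS1 AS2 AS1000"),   # AS2000's prefix, originated by AS1000
    ("172.16.0.0/12", "AS1 AS3"),        # never registered anywhere
    ("203.0.113.0/24", "AS1 AS2 AS3"),   # AS3 is AS1's customer, not AS2's
]

if __name__ == "__main__":
    for line in build_as_path_patterns("AS1:AS-CUSTOMERS"):
        print(line)
    for prefix, path, findings in audit_received("AS1:AS-CUSTOMERS", RECEIVED):
        print(prefix, path, "->", "ok" if not findings else "; ".join(findings))
```

Run as a script it prints the six chains and one line per received route. The audit is the "periodic diff" step: routes that fail the prefix or path check are what the cone-based filters would already drop, while the origin mismatch is exactly the case those filters let through and that a conversation with the customer (or an RPKI origin check) has to cover.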
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On Thu, Jan 17, 2013 at 5:06 AM, . <oscar.vi...@gmail.com> wrote:
> The people on this list have an influence on how the Internet runs; I
> hope somebody smart can figure out how we can avoid going there,
> because it is frustrating and unfun.

Free network-based firewall to be installed next month. OPT OUT HERE if you don't want it.

It's not a hard problem. There are yet plenty of IPv4 addresses to go around for all the people who actually care whether or not they're behind a NAT.

Regards,
Bill Herrin

-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: EQUINIX
On Thu, Jan 17, 2013 at 8:39 AM, ML <m...@kenweb.org> wrote:
> On 1/17/2013 4:49 AM, Ryan Finnesey wrote:
>> What's the going rate nowadays for a rack within EQUINIX?
>>
>> Cheers
>> Ryan
>
> I would imagine this varies greatly by market and maybe even suite
> within the building.

And also power/cooling requirements.
Re: Netflow Nfsen Server Hardware
On Jan 16, 2013, at 4:51 PM, Tim Calvin wrote:
> Would one of the below configurations be okay to handle such a task? If
> not, does anyone have any other recommendations?

Probably way overkill, but it's best to have excess capacity than not enough. ;

From what routing platform(s) are you exporting flow telemetry, at what sampling ratio(s)?

---
Roland Dobbins <rdobb...@arbor.net> // http://www.arbornetworks.com

Luck is the residue of opportunity and design.

-- John Milton
Re: EQUINIX
My experience has been that the monthly rack rental fee will be a comparative bargain next to basic power and a couple of in-building cross connects, which will often more than double the cost. When shopping for any provider, make sure you price out all the options you need in addition to the rack space itself.

On Thu, Jan 17, 2013 at 8:04 AM, Rodrick Brown <rodrick.br...@gmail.com> wrote:
> On Thu, Jan 17, 2013 at 8:39 AM, ML <m...@kenweb.org> wrote:
>> On 1/17/2013 4:49 AM, Ryan Finnesey wrote:
>>> What's the going rate nowadays for a rack within EQUINIX?
>>>
>>> Cheers
>>> Ryan
>>
>> I would imagine this varies greatly by market and maybe even suite
>> within the building.
>
> And also power/cooling requirements.
Re: Netflow Nfsen Server Hardware
On Thu, Jan 17, 2013 at 9:05 AM, Joe Loiacono <jloia...@csc.com> wrote:
> Tim Calvin <tcal...@tlsn.net> wrote on 01/16/2013 05:51:11 PM:
>> PowerEdge R610 - 2x Intel E5540, 2.53GHz Quad Core Processor
>> 32GB RAM
>> 2x 300gb 10k 2.5 SAS HDD
>
> Since netflow processing is generally I/O bound, you may want to invest
> in 15K drives.

I had suggested off-list that perhaps primary storage as SSD was a better path; is there a reason to not do that? (with some larger storage on spinning-media for historical storage/query).
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On 1/17/13 9:54 AM, William Herrin <b...@herrin.us> wrote:
> On Thu, Jan 17, 2013 at 5:06 AM, . <oscar.vi...@gmail.com> wrote:
>> The people on this list have an influence on how the Internet runs; I
>> hope somebody smart can figure out how we can avoid going there,
>> because it is frustrating and unfun.
>
> Free network-based firewall to be installed next month. OPT OUT HERE if
> you don't want it.

I haven't heard anyone talking about carrier-grade firewalls. To make CGN work a little, you have to enable full-cone NAT, which means as long as you're connected to anything on IPv4, anyone can reach you (and for a timeout period after that). And most CGN wireline deployments will have some kind of bulk port assignment, so the same ports always go to the same users.

NAT != security, and if you try to make it, you will lose more customers than I predicted.

> It's not a hard problem. There are yet plenty of IPv4 addresses to go
> around for all the people who actually care whether or not they're
> behind a NAT.

I doubt that very much, and look forward to your analysis supporting that statement.

Lee

> Regards,
> Bill Herrin
>
> -- 
> William D. Herrin  her...@dirtside.com  b...@herrin.us
> 3005 Crane Dr. .. Web: http://bill.herrin.us/
> Falls Church, VA 22042-3004
Re: Netflow Nfsen Server Hardware
I agree here with Christopher; an SSD to handle the high IOPS requirements of real time data logging, combined with a scheduled transfer which can move the stored data in a linear large block copy operation to ordinary spindles, would be a cost effective hybrid solution.

This of course is assuming the application can handle this separation of data; and I know nothing about Nfsen.

On Thu, Jan 17, 2013 at 9:01 AM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
> On Thu, Jan 17, 2013 at 9:05 AM, Joe Loiacono <jloia...@csc.com> wrote:
>> Tim Calvin <tcal...@tlsn.net> wrote on 01/16/2013 05:51:11 PM:
>>> PowerEdge R610 - 2x Intel E5540, 2.53GHz Quad Core Processor
>>> 32GB RAM
>>> 2x 300gb 10k 2.5 SAS HDD
>>
>> Since netflow processing is generally I/O bound, you may want to
>> invest in 15K drives.
>
> I had suggested off-list that perhaps primary storage as SSD was a
> better path; is there a reason to not do that? (with some larger storage
> on spinning-media for historical storage/query).
Re: Netflow Nfsen Server Hardware
christopher.mor...@gmail.com wrote on 01/17/2013 11:01:06 AM:

> From: Christopher Morrow <morrowc.li...@gmail.com>
> To: Joe Loiacono/USA/CSC@CSC
> Cc: Tim Calvin <tcal...@tlsn.net>, nanog@nanog.org
> Date: 01/17/2013 11:01 AM
> Subject: Re: Netflow Nfsen Server Hardware
> Sent by: christopher.mor...@gmail.com
>
> On Thu, Jan 17, 2013 at 9:05 AM, Joe Loiacono <jloia...@csc.com> wrote:
>> Tim Calvin <tcal...@tlsn.net> wrote on 01/16/2013 05:51:11 PM:
>>> PowerEdge R610 - 2x Intel E5540, 2.53GHz Quad Core Processor
>>> 32GB RAM
>>> 2x 300gb 10k 2.5 SAS HDD
>>
>> Since netflow processing is generally I/O bound, you may want to
>> invest in 15K drives.
>
> I had suggested off-list that perhaps primary storage as SSD was a
> better path; is there a reason to not do that? (with some larger storage
> on spinning-media for historical storage/query).

Nope, great suggestion. Just a cost consideration ...
Re: Netflow Nfsen Server Hardware
On Thu, Jan 17, 2013 at 11:16 AM, Joe Loiacono <jloia...@csc.com> wrote:
> christopher.mor...@gmail.com wrote on 01/17/2013 11:01:06 AM:
>
>> From: Christopher Morrow <morrowc.li...@gmail.com>
>> To: Joe Loiacono/USA/CSC@CSC
>> Cc: Tim Calvin <tcal...@tlsn.net>, nanog@nanog.org
>> Date: 01/17/2013 11:01 AM
>> Subject: Re: Netflow Nfsen Server Hardware
>> Sent by: christopher.mor...@gmail.com
>>
>> On Thu, Jan 17, 2013 at 9:05 AM, Joe Loiacono <jloia...@csc.com> wrote:
>>> Tim Calvin <tcal...@tlsn.net> wrote on 01/16/2013 05:51:11 PM:
>>>> PowerEdge R610 - 2x Intel E5540, 2.53GHz Quad Core Processor
>>>> 32GB RAM
>>>> 2x 300gb 10k 2.5 SAS HDD
>>>
>>> Since netflow processing is generally I/O bound, you may want to
>>> invest in 15K drives.
>>
>> I had suggested off-list that perhaps primary storage as SSD was a
>> better path; is there a reason to not do that? (with some larger
>> storage on spinning-media for historical storage/query).
>
> Nope, great suggestion. Just a cost consideration ...

ah, ok... I figure that even if you were to put in 2 || 3 SSD drives in the 200gb range, one per controller, you'd get maximum throughput for a few days of data at not very much of a premium, then back up / near-line store the data longer term on spinning 2tb or so disks.
Re: Netflow Nfsen Server Hardware
On Thu, 17 Jan 2013, Joe Loiacono wrote:
> Tim Calvin <tcal...@tlsn.net> wrote on 01/16/2013 05:51:11 PM:
>> PowerEdge R610 - 2x Intel E5540, 2.53GHz Quad Core Processor
>> 32GB RAM
>> 2x 300gb 10k 2.5 SAS HDD
>
> Since netflow processing is generally I/O bound, you may want to invest
> in 15K drives.

That, and lots of storage for flow data. Even a small network can generate a lot of data.

jms
BGPMon.net IPv6 alerts?
We just had a DC move, so I was expecting alerts. The move was 12AM EST on Wednesday and I'm still seeing alerts. Looking at our router and some looking glass sites, we have full tables. Just wondering if this is anything I should be concerned about?

Sincerely,

Eric Tykwinski
Re: Netflow Nfsen Server Hardware
A better I/O controller (H700) with its NV cache will do a great job, especially if you have more SAS disks and some SSD. For nfdump, a big SAS array built from six or more 900GB SAS HDDs in RAID 5 is much better (10k 2.5'' disks are good for this task).

Pavel

On 17.1.2013 17:04, PC wrote:
> I agree here with Christopher; an SSD to handle the high IOPS
> requirements of real time data logging, combined with a scheduled
> transfer which can move the stored data in a linear large block copy
> operation to ordinary spindles, would be a cost effective hybrid
> solution.
>
> This of course is assuming the application can handle this separation
> of data; and I know nothing about Nfsen.
>
> On Thu, Jan 17, 2013 at 9:01 AM, Christopher Morrow
> <morrowc.li...@gmail.com> wrote:
>> On Thu, Jan 17, 2013 at 9:05 AM, Joe Loiacono <jloia...@csc.com> wrote:
>>> Tim Calvin <tcal...@tlsn.net> wrote on 01/16/2013 05:51:11 PM:
>>>> PowerEdge R610 - 2x Intel E5540, 2.53GHz Quad Core Processor
>>>> 32GB RAM
>>>> 2x 300gb 10k 2.5 SAS HDD
>>>
>>> Since netflow processing is generally I/O bound, you may want to
>>> invest in 15K drives.
>>
>> I had suggested off-list that perhaps primary storage as SSD was a
>> better path; is there a reason to not do that? (with some larger
>> storage on spinning-media for historical storage/query).
Re: Intermittent incorrect DNS resolution?
On Wed, Jan 16, 2013 at 8:09 PM, Erik Levinson erik.levin...@uberflip.com wrote: To give an idea of the scale of the problem right now, I'm getting thousands of requests per minute to a new IP vs. about two requests per minute on the equivalent old IP, with over 60% of the latter being Baidu, but also a bit of Googlebot and other random bot and non-bot UAs. It's common for malware to spoof the Googlebot user-agent since they know most webmasters won't block it. You might want to check whether the IPs you're seeing it from are really allocated to us -- if so, I'd be interested in tracking down why we're crawling your old IP. Damian
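The check Damian suggests is forward-confirmed reverse DNS: a PTR that lands in a Google crawler domain, and that name resolving forward to the same address. This is an added example (not from the thread or from Google): the resolver tables, the PTR names and the log lines are constructed, with the lookups injectable so it runs offline; 66.249.73.45 is the address Erik names later, the other two are documentation addresses.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# Domains under which Google publishes reverse names for its crawlers.
GOOGLE_CRAWLER_SUFFIXES = ("googlebot.com", "google.com")

# Constructed resolver tables standing in for live DNS. The PTR names are
# constructed; nothing here was looked up.
PTR_TABLE: Dict[str, List[str]] = {
    "66.249.73.45": ["crawl-66-249-73-45.googlebot.com"],
    # This peer controls its own in-addr zone and claims a Google name, but the
    # forward lookup of that name will not point back at 198.51.100.7.
    "198.51.100.7": ["crawl-66-249-73-45.googlebot.com"],
    "203.0.113.9": ["host9.example.net"],
}
A_TABLE: Dict[str, List[str]] = {
    "crawl-66-249-73-45.googlebot.com": ["66.249.73.45"],
    "host9.example.net": ["203.0.113.9"],
}


def table_ptr_lookup(ip: str) -> List[str]:
    return PTR_TABLE.get(ip, [])


def table_a_lookup(name: str) -> List[str]:
    return A_TABLE.get(name.rstrip(".").lower(), [])


def _under_suffix(hostname: str, suffixes) -> bool:
    h = hostname.rstrip(".").lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)


def is_verified_crawler(ip: str, ptr_lookup: Callable[[str], List[str]],
                        a_lookup: Callable[[str], List[str]],
                        suffixes=GOOGLE_CRAWLER_SUFFIXES) -> bool:
    """Forward-confirmed reverse DNS. The PTR alone proves nothing: whoever
    runs the address's in-addr zone can put any name there. The name must be
    in a domain the crawler operator controls AND resolve back to the address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for name in ptr_lookup(str(addr)):
        if not _under_suffix(name, suffixes):
            continue
        forward = set()
        for a in a_lookup(name):
            try:
                forward.add(ipaddress.ip_address(a))
            except ValueError:
                pass
        if addr in forward:
            return True
    return False


# Constructed access-log lines in combined format; the first two claim Googlebot.
SAMPLE_LOG = """\
66.249.73.45 - - [17/Jan/2013:13:58:01 -0500] "GET /old-ip-path HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [17/Jan/2013:13:58:02 -0500] "GET /old-ip-path HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [17/Jan/2013:13:58:03 -0500] "GET /old-ip-path HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Client address is the first field; the user agent is the last quoted field.
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')


def classify_log(log: str, ptr_lookup=table_ptr_lookup,
                 a_lookup=table_a_lookup) -> List[Tuple[str, str]]:
    """Label each line: verified-crawler, spoofed-crawler (UA claims Googlebot
    but FCrDNS fails), or other."""
    out = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ua = m.group(1), m.group(2)
        if "Googlebot" not in ua:
            out.append((ip, "other"))
        elif is_verified_crawler(ip, ptr_lookup, a_lookup):
            out.append((ip, "verified-crawler"))
        else:
            out.append((ip, "spoofed-crawler"))
    return out
```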
Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)
[Cookies on stat.ripe.net] On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote: The cookie stays around for a YEAR (if I let it), and has the following stuff: Name: stat-csrftoken Content: 7f12a95b8e274ab940287407a14fc348 [...] To your credit, you only ask once, but you ought to ask zero times. CSRF protection is one of the few valid uses of a cookie. It shouldn't need to be set on every page, though, and it should be cleared immediately after the form submission. It's typically a lot easier in the site code just to set it once and be done with it. By the way, if anyone *does* know of a good and reliable way to prevent CSRF without the need for any cookies or persistent server-side session state, I'd love to know how. Ten minutes with Google hasn't provided any useful information. - Matt
Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)
--- mpal...@hezmatt.org wrote: --- From: Matt Palmer mpal...@hezmatt.org [Cookies on stat.ripe.net] On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote: The cookie stays around for a YEAR (if I let it), and has the following stuff: CSRF protection is one of the few valid uses of a cookie. snip By the way, if anyone *does* know of a good and reliable way to prevent CSRF without the need for any cookies or persistent server-side session state, I'd love to know how. Ten minutes with Google hasn't provided any useful information. - But, if I understand correctly, it is only if you are authenticated that anything bad can be made to happen: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data. For most sites, browsers will automatically include with such requests any credentials associated with the site, such as the user's session cookie, basic auth credentials, IP address, Windows domain credentials, etc. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish this from a legitimate user request. In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website. So, if someone is just looking around, why is the cookie needed? scott
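One answer to Matt's question that also matches scott's point: a CSRF token that is an HMAC over the authenticated principal plus an expiry needs no cookie of its own and no per-session server state, only one signing key, and anonymous visitors (who carry no ambient credential to forge) get no token at all. This is an added example, not code from the thread or from stat.ripe.net; the request dict and the fixed timestamps are constructed, and the user id is assumed to come from whatever authenticates the request.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# The only server-side state: one long-lived signing key (constructed here;
# a deployment would load it from configuration). No per-session store.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token remains valid


def _sign(user_id: str, expires: int, nonce: str) -> str:
    # The MAC binds the token to the principal the request is authenticated
    # as and to an expiry, so a token minted for one user is useless for another.
    msg = f"{user_id}|{expires}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint a token for an authenticated user; it goes in the form, not a cookie."""
    now = time.time() if now is None else now
    expires = int(now) + TOKEN_TTL
    nonce = secrets.token_hex(8)
    return f"{expires}.{nonce}.{_sign(user_id, expires, nonce)}"


def verify_token(token: str, user_id: str, now: Optional[float] = None) -> bool:
    """Check a submitted token against the user the request is authenticated as."""
    now = time.time() if now is None else now
    try:
        expires_str, nonce, mac = token.split(".")
        expires = int(expires_str)
    except ValueError:
        return False  # malformed token
    if now > expires:
        return False  # expired
    expected = _sign(user_id, expires, nonce)
    # Constant-time comparison so the check does not leak the expected MAC.
    return hmac.compare_digest(mac, expected)


def handle_state_change(request: dict, now: Optional[float] = None) -> str:
    """Gate a state-changing request. `request` is a constructed stand-in for a
    framework request: {"user": <id or None>, "form": {"csrf": <token>}}."""
    user = request.get("user")
    if user is None:
        # Anonymous visitor: no session cookie or other ambient credential for
        # a forged cross-site request to ride on, so no token is required. This
        # follows the thread's argument; a site that changed state for anonymous
        # visitors (e.g. a login form) would still need its own protection.
        return "ok"
    token = request.get("form", {}).get("csrf", "")
    if not verify_token(token, user, now):
        return "forbidden"
    return "ok"
```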
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On Thu, Jan 17, 2013 at 11:01 AM, Lee Howard l...@asgard.org wrote: On 1/17/13 9:54 AM, William Herrin b...@herrin.us wrote: On Thu, Jan 17, 2013 at 5:06 AM, . oscar.vi...@gmail.com wrote: The people on this list have a influence in how the Internet run, hope somebody smart can figure how we can avoid going there, because there is frustrating and unfun. Free network-based firewall to be installed next month. OPT OUT HERE if you don't want it. I haven't heard anyone talking about carrier-grade firewalls. To make CGN work a little, you have to enable full-cone NAT, which means as long as you're connected to anything on IPv4, anyone can reach you (and for a timeout period after that). And most CGN wireline deployments will have some kind of bulk port assignment, so the same ports always go to the same users. NAT != security, and if you try to make it, you will lose more customers than I predicted. Hi Lee, Then it's a firewall that mildly enhances protection by obstructing 90% of the port scanning attacks which happen against your computer. It's a free country so you're welcome to believe that the presence or absence of NAT has no impact on the probability of a given machine being compromised. Of course, you're also welcome to join the flat earth society. As for me, the causative relationship between the rise of the DSL router implementing negligible security except NAT and the fall of port scanning as a credible attack vector seems blatant enough. It's not a hard problem. There are yet plenty of IPv4 addresses to go around for all the people who actually care whether or not they're behind a NAT. I doubt that very much, and look forward to your analysis supporting that statement. If you have the data I'll be happy to crunch it but I'm afraid I'll have to leave the data collection to someone who is paid to do that very exhaustive work. Nevertheless, I'll be happy to document my assumptions and show you where they lead. 
I assume that fewer than 1 in 10 eyeballs would find Internet service behind a NAT unsatisfactory. Eyeballs are the consumers of content, the modem, cable modem, residential DSL customers. Some few of them are running game servers, web servers, etc. but 9 in 10 are the email, vonage and netflix variety who are basically not impacted by NAT. I assume that 75% or more of the IPv4 addresses which are employed in any use (not sitting idle) are employed by eyeball customers. Verizon Wireless has - remind me - how many /8's compared to, say, Google? If you count from the explosion of interest in the Internet in 1995 to now, it took 18 years to consume all the IPv4 addresses. Call it consumption of 1/18th of the address space per year. From my assumption, 25% of the addresses are consumed by non-eyeball customers who will continue consuming them at 1/(18*4)= 1/72 of the address space per year. Assuming that server ops still need that many addresses when acquiring them is not so close to free. From my assumptions 75% * 0.9 = 67.5% of the addresses are currently consumed by eyeball customers who can convert to NAT. Match the previous paragraph's math at 49/72's of the address space recoverable at some cost that while not trivial is also not exorbitant. Eyeballs were consuming at (1*3)/(18*4)= 3/72's per year but if only 1 in 10 needs a global address that slows to 3/720's. 13/720's per year consumes 490/720's after 37 years. 37 years. So, where am I wrong? Is it more like 1 in 5 customers would cough up an extra $5 rather than use a NAT address? The nearest comparable would be your ratio of dynamic to static IP assignments. Does your data support that being higher than 1 in 10? I'd bet the broad data sets don't. Is the current use pattern more like 50/50 between server users and eyeball users? 
That'd cut things closer to a decade and a half but what data I've glanced at from CAIDA, ARIN and the like doesn't seem to support a belief that eyeballs aren't the major direct user of IPv4 addresses. Perhaps consumption is accelerating, but a lot of that has been low-key hoarding during the past 5 years or so. Even with accelerating consumption we're still looking at a couple decades before we have to really scrape for IPv4 addresses. Perhaps I fouled the math itself. I've been known to miscarry a 1. All the same, the sky doesn't seem to be falling. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
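Bill's estimate as a function of his three stated assumptions, so the "1 in 5" and "50/50" variants he raises can be checked against his own arithmetic. This is an added example, not part of Bill's message; the parameter names are mine, and the model is only the one he describes (it does not include Owen's later objection about addresses already in NAT pools).

```python
from fractions import Fraction
from typing import Dict, Union

Number = Union[int, float, str, Fraction]


def _frac(x: Number) -> Fraction:
    # Fraction(str(0.1)) is exactly 1/10; Fraction(0.1) would be the binary float.
    return Fraction(str(x))


def headroom_years(eyeball_share: Number, needs_global: Number,
                   years_to_exhaust: Number = 18) -> Dict[str, Fraction]:
    """Bill's back-of-envelope model with his assumptions as parameters.

    eyeball_share     fraction of in-use addresses held by eyeballs (Bill: 0.75)
    needs_global      fraction of eyeballs still needing a global address (Bill: 0.1)
    years_to_exhaust  years the historical rate took to use up the space (Bill: 18)

    Returns his intermediate quantities as exact fractions of the whole space
    (rates are per year), plus the years of headroom the recovered pool buys.
    """
    e, g, T = _frac(eyeball_share), _frac(needs_global), _frac(years_to_exhaust)
    historical_rate = 1 / T                  # whole space consumed over T years
    server_rate = (1 - e) * historical_rate  # non-eyeball use keeps its pace (1/72)
    eyeball_rate = e * historical_rate * g   # only eyeballs needing globals (3/720)
    recoverable = e * (1 - g)                # 67.5%; Bill rounds it to 49/72
    ongoing = server_rate + eyeball_rate     # 13/720 per year in his figures
    return {
        "server_rate": server_rate,
        "eyeball_rate": eyeball_rate,
        "ongoing_rate": ongoing,
        "recoverable": recoverable,
        "years": recoverable / ongoing,      # exact 486/13; his rounding gives 490/13
    }


def scenarios() -> Dict[str, float]:
    """The three cases the message discusses, in years of headroom."""
    return {
        "bill baseline (75% eyeballs, 1 in 10 need global)": float(headroom_years(0.75, 0.1)["years"]),
        "1 in 5 need global": float(headroom_years(0.75, 0.2)["years"]),
        "50/50 server vs eyeball": float(headroom_years(0.5, 0.1)["years"]),
    }
```

Exact arithmetic gives 486/13 (about 37.4 years) where Bill's rounding of 67.5% to 49/72 gives 490/13 (about 37.7); the 50/50 case lands at 162/11, his "decade and a half".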
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
Nevertheless, I'll be happy to document my assumptions and show you where they lead. I assume that fewer than 1 in 10 eyeballs would find Internet service behind a NAT unsatisfactory. Eyeballs are the consumers of content, the modem, cable modem, residential DSL customers. And this is where you run off the rails… You are assuming that NAT today and CGN provide similar functionality from an end-user perspective. The reality is that they do not. CGN is a substantially more degraded form of internet access than current traditional per-site NAT. 1. The end-site does not control the NAT box. 2. UPnP and NAT-PMP do NOT work through CGN. 3. There is no other provision in most CGNs to allow for inbound connection trickery that allows many of today's applications to function in spite of NAT. Some few of them are running game servers, web servers, etc. but 9 in 10 are the email, vonage and netflix variety who are basically not impacted by NAT. Vonage will, in most cases fail through CGN as will Skype, Xbox-360, and many of the other IM clients. I assume that 75% or more of the IPv4 addresses which are employed in any use (not sitting idle) are employed by eyeball customers. Verizon Wireless has - remind me - how many /8's compared to, say, Google? Are you sure that 75% of VZW's IP addresses are assigned to end-customer devices? I am not. If you count from the explosion of interest in the Internet in 1995 to now, it took 18 years to consume all the IPv4 addresses. Call it consumption of 1/18th of the address space per year. I'll leave the obvious math error in this assumption as an exercise for the reader. From my assumption, 25% of the addresses are consumed by non-eyeball customers who will continue consuming them at 1/(18*4)= 1/72 of the address space per year. Assuming that server ops still need that many addresses when acquiring them is not so close to free. This assumption ignores non-customer use of addresses which, while minor, is not insignificant.
From my assumptions 75% * 0.9 = 67.5% of the addresses are currently consumed by eyeball customers who can convert to NAT. Match the previous paragraph's math at 49/72's of the address space recoverable at some cost that while not trivial is also not exorbitant. This makes a rather absurd assumption that the majority of those eyeball addresses are not already assigned to eyeball NAT pools. This is the second place where your assumptions run wildly off the rails IMHO. Eyeballs were consuming at (1*3)/(18*4)= 3/72's per year but if only 1 in 10 needs a global address that slows to 3/720's. While the math works, it would be a lot more clear to say 1/4 * 3/18 = 3/72. 13/720's per year consumes 490/720's after 37 years. 37 years. So, where am I wrong? Is it more like 1 in 5 customers would cough up an extra $5 rather than use a NAT address? The nearest comparable would be your ratio of dynamic to static IP assignments. Does your data support that being higher than 1 in 10? I'd bet the broad data sets don't. First, it's more like 1/100 customers that are not already behind NAT of some form, so your 37 years drops to 0.37 years (a little more than 4 months). This seems very disruptive and rather heavy on the overhead for a 4-month stop-gap. Owen
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On 1/17/2013 6:50 PM, Owen DeLong wrote: Vonage will, in most cases fail through CGN as will Skype, Xbox-360, and many of the other IM clients. Not sure about Vonage, but Skype, Xbox, and just about everything else imaginable (other than hosting a server) works just fine over NAT with default-deny inbound here, and we have several thousand students in the dorms that bang the heck out of those services. Most applications have adapted to the SOHO NATing router that is prevalent today on broadband internet. And if it didn't work, believe me, I'd hear about it :) Jeff
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
I'll agree there, as developers have built in some tricks to work around NAT issues. But in reality doing away with NAT is a much better alternative for the long haul. So you are both right, but I'll side with Owen when doing network deployments as to ease my future headaches. Sent from my iPhone On Jan 17, 2013, at 7:30 PM, Jeff Kell jeff-k...@utc.edu wrote: On 1/17/2013 6:50 PM, Owen DeLong wrote: Vonage will, in most cases fail through CGN as will Skype, Xbox-360, and many of the other IM clients. Not sure about Vonage, but Skype, Xbox, and just about everything else imaginable (other than hosting a server) works just fine over NAT with default-deny inbound here, and we have several thousand students in the dorms that bang the heck out of those services. Most applications have adapted to the SOHO NATing router that is prevalent today on broadband internet. And if it didn't work, believe me, I'd hear about it :) Jeff
For those who may use a projector in the NOC
http://www.colorlightoutput.com/
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On Jan 17, 2013, at 4:30 PM, Jeff Kell jeff-k...@utc.edu wrote: On 1/17/2013 6:50 PM, Owen DeLong wrote: Vonage will, in most cases fail through CGN as will Skype, Xbox-360, and many of the other IM clients. Not sure about Vonage, but Skype, Xbox, and just about everything else imaginable (other than hosting a server) works just fine over NAT with default-deny inbound here, and we have several thousand students in the dorms that bang the heck out of those services. Most applications have adapted to the SOHO NATing router that is prevalent today on broadband internet. And if it didn't work, believe me, I'd hear about it :) NAT yes. NAT + NAT (NAT444 or CGN which is what we are talking about here), not so much. Owen
Re: Intermittent incorrect DNS resolution?
Thanks Damian. I see four requests with Google UAs from actual Google IPs, 66.249.73.45 and 66.249.73.17 (PTR and rwhois seem yours for both), in a period of 30 minutes (compared to over 80 per minute on the new IPs). This is pretty low, so I'm not too worried. Baidu is the main culprit now; there's little other traffic. In fact, we're getting no traffic from Baidu on the new IPs, only to the old ones. I've already e-mailed their spider help e-mail, but it's fallen on deaf ears. Erik -Original Message- From: Damian Menscher dam...@google.com Sent: Thursday, January 17, 2013 1:58pm To: Erik Levinson erik.levin...@uberflip.com Cc: NANOG mailing list nanog@nanog.org Subject: Re: Intermittent incorrect DNS resolution? On Wed, Jan 16, 2013 at 8:09 PM, Erik Levinson erik.levin...@uberflip.com wrote: To give an idea of the scale of the problem right now, I'm getting thousands of requests per minute to a new IP vs. about two requests per minute on the equivalent old IP, with over 60% of the latter being Baidu, but also a bit of Googlebot and other random bot and non-bot UAs. It's common for malware to spoof the Googlebot user-agent since they know most webmasters won't block it. You might want to check whether the IPs you're seeing it from are really allocated to us -- if so, I'd be interested in tracking down why we're crawling your old IP. Damian
Re: Intermittent incorrect DNS resolution?
Upon further investigation, in this particular Google case, it seems to be a customer's CNAME to a record of theirs which is an actual A record to our old IP, contrary to our instructions (we tell everyone to CNAME us, so we can change IPs as we wish, which we've done for the first time this year). So there is no Google problem. -Original Message- From: Erik Levinson erik.levin...@uberflip.com Sent: Thursday, January 17, 2013 8:42pm To: Damian Menscher dam...@google.com Cc: NANOG mailing list nanog@nanog.org Subject: Re: Intermittent incorrect DNS resolution? Thanks Damian. I see four requests with Google UAs from actual Google IPs, 66.249.73.45 and 66.249.73.17 (PTR and rwhois seem yours for both), in a period of 30 minutes (compared to over 80 per minute on the new IPs). This is pretty low, so I'm not too worried. Baidu is the main culprit now; there's little other traffic. In fact, we're getting no traffic from Baidu on the new IPs, only to the old ones. I've already e-mailed their spider help e-mail, but it's fallen on deaf ears. Erik -Original Message- From: Damian Menscher dam...@google.com Sent: Thursday, January 17, 2013 1:58pm To: Erik Levinson erik.levin...@uberflip.com Cc: NANOG mailing list nanog@nanog.org Subject: Re: Intermittent incorrect DNS resolution? On Wed, Jan 16, 2013 at 8:09 PM, Erik Levinson erik.levin...@uberflip.com wrote: To give an idea of the scale of the problem right now, I'm getting thousands of requests per minute to a new IP vs. about two requests per minute on the equivalent old IP, with over 60% of the latter being Baidu, but also a bit of Googlebot and other random bot and non-bot UAs. It's common for malware to spoof the Googlebot user-agent since they know most webmasters won't block it. You might want to check whether the IPs you're seeing it from are really allocated to us -- if so, I'd be interested in tracking down why we're crawling your old IP. Damian
Re: For those who may use a projector in the NOC
This appears to be an Epson / 3LCD marketing campaign. whois shows an admin contact at wintergroup.net. wintergroup.net (on http) is the home to a marketing agency, their client links below include Epson and 3LCD; clicking 3LCD brings up a still image showing this page. Searching for 3LCD finds this Epson page: http://global.epson.com/innovation/projection_technology/3LCD_technology/. http://3lcd.com/ has a very familiar 'feel' as well... and has an admin contact at Seiko Epson Corporation I won't get into display theory on this list (feel free to contact me if you want to discuss such) - Eric Adler Broadcast Engineer
Re: For those who may use a projector in the NOC
On 18 January 2013 02:19, Eric Adler eapt...@gmail.com wrote: This appears to be an Epson / 3LCD marketing campaign. whois shows an admin contact at wintergroup.net. wintergroup.net (on http) is the home to a marketing agency, their client links below include Epson and 3LCD; clicking 3LCD brings up a still image showing this page. Searching for 3LCD finds this Epson page: http://global.epson.com/innovation/projection_technology/3LCD_technology/. http://3lcd.com/ has a very familiar 'feel' as well... and has an admin contact at Seiko Epson Corporation I won't get into display theory on this list (feel free to contact me if you want to discuss such) - Eric Adler Broadcast Engineer The only thing I can think relevant regarding projector/monitors in a NOC situation would be general eye strain issues, which should be taken into account in the same way as keyboard/chair positioning etc by whoever is responsible for health and safety. Anything beyond eye strain is probably just getting into colour reproduction discussions which are largely irrelevant in a NOC. I for example have all my monitors set to a lower colour temperature and dimmed as much as feasible; colour reproduction is terrible but great for avoiding eye strain. I switch back to reasonably normal settings for watching videos and films etc, but during normal NOC operation I doubt the colour accuracy needs to be able to distinguish more than green/yellow/red (with maybe some shades between). - Mike
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On 17 January 2013 17:17, Owen DeLong o...@delong.com wrote: On Jan 17, 2013, at 4:30 PM, Jeff Kell jeff-k...@utc.edu wrote: On 1/17/2013 6:50 PM, Owen DeLong wrote: Vonage will, in most cases fail through CGN as will Skype, Xbox-360, and many of the other IM clients. Not sure about Vonage, but Skype, Xbox, and just about everything else imaginable (other than hosting a server) works just fine over NAT with default-deny inbound here, and we have several thousand students in the dorms that bang the heck out of those services. Most applications have adapted to the SOHO NATing router that is prevalent today on broadband internet. And if it didn't work, believe me, I'd hear about it :) NAT yes. NAT + NAT (NAT444 or CGN which is what we are talking about here), not so much. Owen Once you are doing NAT and your immediate gateway does not support UPnP, what's the difference if it's NAT44 or NAT444? I'm currently using NAT44, with at least two layers of 802.11g WiFi and 5 routers that seem to be doing independent NAT. Two of them are mine, then the other 3 are of the ISP, to whom I connect through 802.11g, and it generally works just fine; traceroute on the final hosts shows 5 first hops being in various separate 192.168.0.0/16 and 10.0.0.0/8 networks. iChat works. SIP works, too (for both incoming and outgoing voice call). Even ssh connections stay alive for more than 24h with a mere 240s keepalive setting. IPv6 is obviously the solution, but I think CGN poses more technological and legal problems for the carriers as opposed to their clients or the general-purpose non-server non-p2p application developers. CGN breaks the internet, but it doesn't break non-p2p VoIP at all whatsoever. C.
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On Thu, 17 Jan 2013, Constantine A. Murenin wrote: I'm currently using NAT44, with at least two layers of 802.11g WiFi and 5 routers that seem to be doing independent NAT. Two of them are mine, then the other 3 are of the ISP, to whom I connect through 802.11g, and it generally works just fine; traceroute on the final hosts shows 5 first hops being in various separate 192.168.0.0/16 and 10.0.0.0/8 networks. Is the output of traceroute you reference above what you base your supposition on that you are behind multiple NATs? Or do you have some other information indicating so? -- Brandon Ross Yahoo AIM: BrandonNRoss +1-404-635-6667 ICQ: 2269442 Schedule a meeting: https://doodle.com/bross Skype: brandonross
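Brandon's question is worth making concrete: what a traceroute like Constantine's can and cannot show. This added example (not from either message) classifies hops into RFC 1918 space, RFC 6598 shared address space (the block set aside for CGN, so its appearance is the one direct hint of a carrier NAT) and public space; the traceroute text is constructed. The only thing that proves translation is comparing the local address with the address a remote host sees, which the last function does.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed traceroute output resembling the situation described upthread:
# five RFC 1918 hops, one RFC 6598 shared-space hop, a silent hop, then public.
SAMPLE_TRACEROUTE = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.012 ms  0.980 ms  0.955 ms
 2  192.168.0.1 (192.168.0.1)  2.310 ms  2.201 ms  2.150 ms
 3  10.10.0.1 (10.10.0.1)  5.102 ms  5.011 ms  4.998 ms
 4  10.0.0.1 (10.0.0.1)  9.800 ms  9.710 ms  9.650 ms
 5  10.99.0.1 (10.99.0.1)  12.004 ms  11.950 ms  11.900 ms
 6  100.64.0.1 (100.64.0.1)  15.220 ms  15.100 ms  15.050 ms
 7  * * *
 8  203.0.113.1 (203.0.113.1)  20.401 ms  20.300 ms  20.250 ms
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHARED_CGN = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def classify(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in RFC1918):
        return "rfc1918"
    if ip in SHARED_CGN:
        return "shared-cgn"
    return "public"


def parse_hops(text: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop number, responding address or None) for each hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line
        ipm = IPV4_RE.search(m.group(2))
        hops.append((int(m.group(1)), ipm.group(1) if ipm else None))
    return hops


def summarize(text: str) -> Dict[str, object]:
    """Count hop kinds and the leading run of non-public hops.

    A private or shared-space hop only says that router interface carries a
    non-public address. Several such hops may sit behind a single NAT (a
    provider's privately numbered backbone looks the same), so the leading
    run is at best an upper bound on translation layers, never a count."""
    counts = {"rfc1918": 0, "shared-cgn": 0, "public": 0, "no-reply": 0}
    leading, run_open = 0, True
    for _, addr in parse_hops(text):
        kind = classify(addr) if addr else "no-reply"
        counts[kind] += 1
        if run_open and kind in ("rfc1918", "shared-cgn"):
            leading += 1
        else:
            run_open = False
    return {**counts,
            "leading_nonpublic_hops": leading,
            "shared_space_seen": counts["shared-cgn"] > 0}


def translation_observed(local_addr: str, addr_seen_by_remote: str) -> bool:
    """The actual evidence of NAT: the address a remote host reports seeing
    (e.g. from an echo service) differs from the local one and is public."""
    return (ipaddress.ip_address(local_addr) != ipaddress.ip_address(addr_seen_by_remote)
            and classify(addr_seen_by_remote) == "public")
```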
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
Owen DeLong wrote: And this is where you run off the rails… You are assuming that NAT today and CGN provide similar functionality from an end-user perspective. To the extent that CGN functions like the clueless linksys daisy-chain, then yes it does. The reality is that they do not. CGN is a substantially more degraded form of internet access than current traditional per-site NAT. 1. The end-site does not control the NAT box. The vast majority of end sites today either do not control the NAT box or do not know how to control the NAT box. 2. UPnP and NAT-PMP do NOT work through CGN. And without this wondrous technology, nothing works behind a NAT! Whatever did we do before the invention and mass adoption of UPnP and NAT-PMP! 3. There is no other provision in most CGNs to allow for inbound connection trickery that allows many of today's applications to function in spite of NAT. Clearly we have run out of trickery as multiple layers of NAT stumps even the finest of our tricksters. We will have to wait and see on this one. There is a complex interaction between protocol development, application deployment, cpe technology and user behavior all influenced by the NAT reality we are all witness to. Will this interaction adopt and adapt CGN? Clearly your opinion is not, but it's only an opinion. Wireless has - remind me - how many /8's compared to, say, Google? Are you sure that 75% of VZW's IP addresses are assigned to end-customer devices? I am not. No, actually, I believe what he said is that OF the Addresses ASSIGNED to devices, 75% are end-customers. Far more are likely not in use by any specific device at any given point in time. And what else exactly would VZW be doing with those addresses? Running more servers and infrastructure than wireless clients to use them? First, it's more like 1/100 customers that are not already behind NAT of some form, so your 37 years drops to 0.37 years (a little more than 4 months). Rather disingenuous of you.
We are not addressing some form of nat. We are addressing the specific form of CGN. Of which far fewer than 1/100 customers are behind. How about much simpler math. Assume 75% IP in any provider organization are for subscribers. Assume an average 5-10 subscribers per CGN IP. Clearly, that organization's subscriber growth will be limited by CGN technology, not by address scarcity. This seems very disruptive and rather heavy on the overhead for a 4-month stop-gap. Owen Think locally for a bit. Addresses are not instantaneously fungible across the internet. Any provider who can pull this off will have far more than a 4-month stop-gap. They may even have enough to peddle on the market. Joe
Re: For those who may use a projector in the NOC
- Original Message - From: Eric Adler To: Michael Painter Cc: nanog@nanog.org Sent: Thursday, January 17, 2013 4:19 PM Subject: Re: For those who may use a projector in the NOC This appears to be an Epson / 3LCD marketing campaign. whois shows an admin contact at wintergroup.net. wintergroup.net (on http) is the home to a marketing agency, their client links below include Epson and 3LCD; clicking 3LCD brings up a still image showing this page. Searching for 3LCD finds this Epson page: http://global.epson.com/innovation/projection_technology/3LCD_technology/. http://3lcd.com/ has a very familiar 'feel' as well... and has an admin contact at Seiko Epson Corporation I won't get into display theory on this list (feel free to contact me if you want to discuss such) - Eric Adler Broadcast Engineer Yes, I was taken in by the adoption of CLO by the Society for Information Display http://www.sid.org/About.aspx It's so easy to drop thousands into a projector based on the specs. and end up with a shitty picture, so I think the CLO spec will help, Whole thing is being debated here: http://www.avsforum.com/t/1451895/epson-color-light-output-demo-at-ces-2013 --Michael
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
Sent from my iPad On Jan 17, 2013, at 6:58 PM, Joe Maimon jmai...@ttec.com wrote: Owen DeLong wrote: And this is where you run off the rails… You are assuming that NAT today and CGN provide similar functionality from an end-user perspective. To the extent that CGN functions like the clueless linksys daisy-chain, then yes it does. Right, but that extent is very limited. The reality is that they do not. CGN is a substantially more degraded form of internet access than current traditional per-site NAT. 1. The end-site does not control the NAT box. The vast majority of end sites today either do not control the NAT box or do not know how to control the NAT box. Bzzt... They may not actively control it through an administrative interface, but, there is not some other administrator actively disabling functionality they care about. 2. UPnP and NAT-PMP do NOT work through CGN. And without this wondrous technology, nothing works behind a NAT! Whatever did we do before the invention and mass adoption of UPnP and NAT-PMP! Many things that users depend on and like do not work without it. Those things did not work/did not exist much before UPnP/NAT-PMP. That is the reason UPnP and NAT-PMP were developed and gained such wide acceptance so quickly. Prior to that, some popular applications also received customized ALGs implemented in most NAT boxes. 3. There is no other provision in most CGNs to allow for inbound connection trickery that allows many of today's applications to function in spite of NAT. Clearly we have run out of trickery as multiple layers of NAT stumps even the finest of our tricksters. Yes, we can dedicate thousands more developer hours to making yet more extensions to code to work around yet more NAT and maybe make it sort of kind of work almost as poorly as it does now. Or we could pour a fraction of those developer hours into implementing IPv6 in those same applications and have the problem solved in perpetuity. We will have to wait and see on this one.
There is a complex interaction between protocol development, application deployment, cpe technology and user behavior all influenced by the NAT reality we are all witness to. Yep. The trick is figuring out how to educate developers so that we can get OFF the damn NAT merry-go-round. NAT at this point has become the internet equivalent of charging $2 more than you pay on your credit card each month and wondering why the bill never shrinks. Will this interaction adopt and adapt CGN? Clearly your opinion is not, but it's only an opinion. Actually, I'm more afraid that it will for some time to come. Results of continuing to do so: 1. Applications cost more. 2. Applications become progressively even more fragile and more poorly implemented than the current state of affairs. 3. Security goes even more out the window than it already has because there will be even less ability to identify the source of malicious conduct than there is today. 4. Routers cost more. 5. Router software continues to become more complex and more fragile and even more poorly implemented than the current state of the average home gateway while not actually adding any new functionality, just continuing to escalate the arms race to stay where we are in the face of an ever worsening NAT environment. 6. Performance continues to degrade on the altar of ever more layers of translation, obfuscation, hackery, workarounds, etc. My hope is that we will realize at some point that this is a badly losing proposition, but, my fear is that we will actually find ways to make it work and worse yet, dedicate resources to doing so. IMHO, having it fail miserably is the best case scenario. The alternatives are far worse. Wireless has - remind me - how many /8's compared to, say, Google? Are you sure that 75% of VZW's IP addresses are assigned to end-customer devices? I am not. No, actually, I believe what he said is that OF the Addresses ASSIGNED to devices, 75% are end-customers.
Even that is a statistic of which I am unconvinced without better evidence. Far more are likely not in use by any specific device at any given point in time. Sure, but let's go with the modified statement you give above. That assumes that VZW's entire network infrastructure, including billing systems, backhaul, provisioning, helpdesk, call centers, offices, servers, etc. all adds up to less than 1/4 of the total devices connected to their network. I highly doubt it. And what else exactly would VZW be doing with those addresses? Running more servers and infrastructure then wireless clients to use them? I'd believe 50% or maybe even 65%, but 75% stretches credibility. See above for a partial list of the various things I expect they are doing with those addresses. First, it's more like 1/100 customers that are not already behind NAT of some form, so your 37 years drops to 0.37 years (a little
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
I hate to break it to you guys more of the larger providers in NA are implementing CGNAT in the next 6 to 18 months. Especially the mobile carriers. I have agreed long ago that mobile is the one place where CGN will go mostly unnoticed. First of all, most mobiles have been behind some form of CGN for a long time. Second, hardly anyone expects real internet access through their mobile in NA to actually be fully functional to begin with. It's always been somewhat broken and everyone is used to that. Breaking it a little bit more will probably make no difference whatsoever. I can already count on VZW to disable, block, or degrade to uselessness any attempt at a VOIP call or VIDEO conference other than through the built-in applications where the phone manufacturer and the carrier have come to some agreement and built in hooks to make it sort of work. I can also count on VZW to do nasty things to my DNS requests (ever try turning on DNSSEC validation on a handset? I don't recommend it.) When I was on SPRINT, they were slightly worse. On my iPAD via ATT, it's much worse. Mobile carriers in North America are an ever increasing quagmire where one has to attempt to locate the one that sucks least for the duration of your next contract. Let's focus more on CGN via CMTS, GPON, or DSL system. That's where the real pain will be felt by the subscribers. Owen