Re: Security over SONET/SDH
On Mon, Jun 24, 2013 at 9:59 PM, Christopher Morrow wrote:
> it's fair to say, I think, that if you want to say something on the
> network it's best that you consider:
> 1) is the communication something private between you and another party(s)
> 2) is the communication going to be seen by other than you +
> the-right-other-party(s)
>
> and probably assume 2 is always going to be the case... So, if 1) is
> true then make some way to keep it private:
> ssl + checking certs 'properly' (where is dane?)
> gpg + good key material security
> private-key/shared-key - don't do this, everyone screws this up.

SSH + SSHFP + DNSSEC does public/private key pretty well
Re: Security over SONET/SDH
On Mon, Jun 24, 2013 at 10:25 PM, joel jaeggli wrote:
> Securing the link layer however is not a replacement for an end to end
> solution so just because it's protecting the air interface(s) doesn't really
> mean somebody not looking at the traffic elsewhere.

it's fair to say, I think, that if you want to say something on the
network it's best that you consider:
1) is the communication something private between you and another party(s)
2) is the communication going to be seen by other than you +
the-right-other-party(s)

and probably assume 2 is always going to be the case... So, if 1) is
true then make some way to keep it private:
ssl + checking certs 'properly' (where is dane?)
gpg + good key material security
private-key/shared-key - don't do this, everyone screws this up.

-chris
Re: /25's prefixes announced into global routing table?
How do I convince my peers to accept /25's ?? :D

--
Michael McConnell
WINK Streaming;
email: mich...@winkstreaming.com
phone: +1 312 281-5433 x 7400
cell: +506 8706-2389
skype: wink-michael
web: http://winkstreaming.com

On Jun 24, 2013, at 12:53 PM, Patrick W. Gilmore wrote:
> On Jun 24, 2013, at 13:29 , Paul Rolland (ポール・ロラン) wrote:
>> On Fri, 21 Jun 2013 13:56:02 -0600 Michael McConnell wrote:
>
>>> As the IPv4 space gets smaller and smaller, does anyone think we'll see a
>>> time when /25's will be accepted for global BGP prefix announcement. The
>>> current smallest size is a /24 and generally ok for most people, but the
>>> crunch gets tighter, routers continue to have more and more ram will it
>>> always be /24 the smallest size?
>>
>> Well, /25 are already in the routing table. I can even find a few /26 !!
>>
>> rtr-01.PAR#sh ip b | i /26
>> *>i193.41.227.128/26
>> *>i193.41.227.192/26
>> *>i194.149.243.64/26
>
> The question was when will we see /25s in the GLOBAL routing table. Despite
> the very un-well defined definition for "global routing table", I'm going to
> assume something similar to the DFZ, or the set of prefixes which is seen
> in all (most of?) the transit-free networks[*].
>
> Given that definition, there are exactly zero /25s in the GRT (DFZ). And
> unlikely to be for a while. Whether "a while" is "next 12 months" or "several
> years" is something I am very specifically choosing not to answer.
>
> --
> TTFN,
> patrick
>
> [*] Don't you hate the term "tier one" these days? It doesn't mean what it
> used to mean (i.e. _settlement free_ peering with all other tier one
> networks). And given that there are non-transit-free networks with more
> [traffic|revenue|customers|$WHATEVER] than some transit free networks, I
> prefer to not use the term.
Re: Security over SONET/SDH
On 6/24/13 1:19 PM, Scott Weeks wrote:

joe...@bogus.com wrote:
From: joel jaeggli

That's why I'm trying to follow up on the original question. Is there something similar the global public can use to secure their connections that is not government designed. This is even more important on microwave shots when security is desired.

:: plenty of standardized RF link-layers support strong encryption.

Ah, thanks. That comment gave me the search terms I needed, but I keep seeing sentences like this "Due to the encryption employed in these products, they are export controlled items and are regulated by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce. They may not be exported or shipped for re-export to restricted countries..." wheee! :-)

Yes, however note that the actual number of embargoed countries at this point is pretty small, and that if you are in a(n) (US) embargoed country and so inclined you can likely buy such products manufactured in China by Chinese companies.

Securing the link layer however is not a replacement for an end to end solution so just because it's protecting the air interface(s) doesn't really mean somebody not looking at the traffic elsewhere.

scott
Re: IANA Reference to hopopt as a protocol
* David Edelman
> Does anyone have an explanation for the IPv6 hopopt appearing as protocol
> value 0 in http://www.iana.org/assignments/protocol-numbers?

It's defined in RFC 2460, section 4.3. Which is linked to from the reference column of the page you linked to...

Tore
IANA Reference to hopopt as a protocol
Does anyone have an explanation for the IPv6 hopopt appearing as protocol value 0 in http://www.iana.org/assignments/protocol-numbers? --Dave
Re: Security over SONET/SDH
On Mon, Jun 24, 2013 at 10:14:19PM +, Gary Buhrmaster wrote:
> On Mon, Jun 24, 2013 at 9:37 PM, Jamie Bowden wrote:
>
> > Actually, you CAN do that, but you have to apply for ITAR exceptions. EXIM
> > is complex and you really want a good legal team who are familiar with it
> > hand holding you through it (and on extended retainer going forward...).
>
> We used to joke that our export control officer was the "designated felon"
> (in the case that the process/decision was wrong, that person was the
> one going to go to prison (and note the US Govt takes ITAR controls very
> very seriously; do not guess, do not even think about guessing; do not
> even think that the words in the regs mean what you think they mean)).

This is especially true in the case of even civilian crypto gear.

Have lawyer(s) with experience in this stuff to bird-dog everything you do. It may seem like a lot of money, until you look at the fines and jail time you may wind up with if you drop a stitch somewhere. Then it all becomes quite reasonable.

--
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin
Re: Security over SONET/SDH
On Mon, Jun 24, 2013 at 9:37 PM, Jamie Bowden wrote:
> Actually, you CAN do that, but you have to apply for ITAR exceptions. EXIM
> is complex and you really want a good legal team who are familiar with it
> hand holding you through it (and on extended retainer going forward...).

We used to joke that our export control officer was the "designated felon" (in the case that the process/decision was wrong, that person was the one going to go to prison (and note the US Govt takes ITAR controls very very seriously; do not guess, do not even think about guessing; do not even think that the words in the regs mean what you think they mean)).

Gary
RE: Security over SONET/SDH
> -Original Message-
> From: Scott Weeks [mailto:sur...@mauigateway.com]
> joe...@bogus.com wrote:
> From: joel jaeggli
>
> > That's why I'm trying to follow up on the original question. Is
> > there something similar the global public can use to secure their
> > connections that is not government designed. This is even more
> > important on microwave shots when security is desired.
>
> :: plenty of standardized RF link-layers support strong encryption.
>
> Ah, thanks. That comment gave me the search terms I needed,
> but I keep seeing sentences like this "Due to the encryption
> employed in these products, they are export controlled items and
> are regulated by the Bureau of Industry and Security (BIS) of the
> U.S. Department of Commerce. They may not be exported or shipped
> for re-export to restricted countries..." wheee! :-)

Actually, you CAN do that, but you have to apply for ITAR exceptions. EXIM is complex and you really want a good legal team who are familiar with it hand holding you through it (and on extended retainer going forward...).

Jamie
Re: /25's prefixes announced into global routing table?
On 24/06/2013 19:29, Paul Rolland (ポール・ロラン) wrote:
> Well, /25 are already in the routing table. I can even find a few
> /26 !!

So did I :
http://lg.ring.nlnog.net/adv/lg02+lg01/ipv4?q=where%20net.len=26

But guess what ? They didn't stop there !
http://lg.ring.nlnog.net/adv/lg02+lg01/ipv4?q=where%20net.len=27

Want some more ? Hey, take some /28 !
http://lg.ring.nlnog.net/adv/lg02+lg01/ipv4?q=where%20net.len=28

And the list goes on... Up to /32 !!
http://lg.ring.nlnog.net/adv/lg02+lg01/ipv4?q=where%20net.len=32

Guess you could actually multi-home a /32 now...

--
Jérôme Nicolle
+33 6 19 31 27 14
Re: PDU recommendations
I was wondering if anyone had experience with Geist's outlet monitoring product? I recently started using their basic PDUs and so far so good. But am wondering if anyone has feedback on Geist's outlet monitoring product.

Mark Keymer
Re: Security over SONET/SDH
joe...@bogus.com wrote:
From: joel jaeggli

> That's why I'm trying to follow up on the original question. Is
> there something similar the global public can use to secure their
> connections that is not government designed. This is even more
> important on microwave shots when security is desired.

:: plenty of standardized RF link-layers support strong encryption.

Ah, thanks. That comment gave me the search terms I needed, but I keep seeing sentences like this "Due to the encryption employed in these products, they are export controlled items and are regulated by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce. They may not be exported or shipped for re-export to restricted countries..." wheee! :-)

scott
Re: PDU recommendations
On Sun, 23 Jun 2013 11:37:43 -0400, shawn wilson wrote:

However, I figured I'd see if there was a better brand / specific model recommendations for quality or bang / buck?

On Sun, 23 Jun 2013 12:02:27 -0400, Michael Loftis wrote:

(knock on wood) nothing in the last 6-7 years has caused an outage.

APC's are what I've grown to love... mostly because they're cheap and plentiful (eBay!) The only issue I've had with them is "flash corruption"; sometimes they have to be reprogrammed after a power outage. I'm using metered PDUs so it never affects the servers.

But I also have a set of ServerTech dual-feed units. The full monty of DC features. (in fact, what a number of colo providers use.) I've not used them in years, 'tho -- lack of facilities to power them. (the electrician got a little happy cutting out old wiring in the current office and killed the two existing L6-30 drops. everything else is L21-20.)
Re: Security over SONET/SDH
On 6/24/13 12:55 PM, Scott Weeks wrote:

- william.allen.simpson wrote: -
And at $189,950 MSRP, obviously every ISP is dashing out the door for a pair for each and every long haul fiber link. ;-)

It's the same as buying, say, .nanog... >;-)

--- g...@gdt.id.au wrote:
From: Glen Turner
On 23/06/2013, at 1:21 PM, William Allen Simpson wrote:

What security protocols are folks using to protect SONET/SDH? At what speeds?

"Excuse me NSA, can I have export approval for one KG-530 SDH encryptor?" What are the odds :-) And how would we know that the "export model" isn't simply providing a more convenient backdoor for the NSA?
--

That's why I'm trying to follow up on the original question. Is there something similar the global public can use to secure their connections that is not government designed. This is even more important on microwave shots when security is desired.

plenty of standardized RF link-layers support strong encryption.

scott
Re: Security over SONET/SDH
- william.allen.simpson wrote: -
And at $189,950 MSRP, obviously every ISP is dashing out the door for a pair for each and every long haul fiber link. ;-)

It's the same as buying, say, .nanog... >;-)

--- g...@gdt.id.au wrote:
From: Glen Turner
On 23/06/2013, at 1:21 PM, William Allen Simpson wrote:

> What security protocols are folks using to protect SONET/SDH?
> At what speeds?

"Excuse me NSA, can I have export approval for one KG-530 SDH encryptor?" What are the odds :-) And how would we know that the "export model" isn't simply providing a more convenient backdoor for the NSA?
--

That's why I'm trying to follow up on the original question. Is there something similar the global public can use to secure their connections that is not government designed. This is even more important on microwave shots when security is desired.

scott
Re: PDU recommendations
Oh, absolutely. These would be secured on a separate, private network with very specific access controls. These remote sites are more "branch" than data center. Looking at a very limited amount of equipment (1-2 open telco racks/site).

Sent from my iPhone

On Jun 24, 2013, at 3:01 PM, Alain Hebert wrote:

> Hi,
>
> Yes.
>
> They are good.
>
> Nothing I would deploy in a large data center but for a few racks
> they are perfect.
>
> Beware that they are not built to be connected straight to the
> internet =D.
>
> The management module can reset depending on packet payload and
> overall traffic. They should always be behind some sort of firewall
> with rules limiting its access.
>
> PS: Ours are a few years old, I'm sure APC added some sort of
> security since then, you may want to look 'em up.
>
> Happy 24th to all.
>
> -
> Alain Hebert    aheb...@pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
>
> On 06/24/13 14:41, Ryan - Lists wrote:
>> Does anyone on list have experience with the APC AP7920 switched rack PDU,
>> or any of the horizontal rack mountables with management? We're looking at
>> these for our remote sites.
>>
>> Sent from my iPhone
>>
>> On Jun 24, 2013, at 6:10 AM, Måns Nilsson wrote:
>>
>>> Subject: Re: PDU recommendations Date: Sun, Jun 23, 2013 at 09:32:00PM -0400
>>> Quoting shawn wilson (ag4ve...@gmail.com):
>>>> So, that's not a very good endorsement :)
>>>>
>>>> Idk why you'd use a fuse in a PDU.
>>> MCB units age. Especially with vibration. A 10A MCB becomes a 9A MCB
>>> after some miles.
>>>
>>> Fuses don't.
>>>
>>> MCB units are good at protecting people since they trip quickly and
>>> aggressively.
>>>
>>> Fuses tend to linger before blowing, and thus are comparatively bad at
>>> protecting
>>> people (longer shock) but better at protecting infrastructure (surge
>>> and switch-on-transient resistance).
>>>
>>> --
>>> Måns Nilsson primary/secondary/besserwisser/machina
>>> MN-1334-RIPE +46 705 989668
>>> There's a little picture of ED MCMAHON doing BAD THINGS to JOAN RIVERS
>>> in a $200,000 MALIBU BEACH HOUSE!!
Re: PDU recommendations
Heh, I wouldn't dream of putting this type of device on the net - nothing good can come from that.

On Jun 24, 2013 3:04 PM, "Alain Hebert" wrote:

> Hi,
>
> Yes.
>
> They are good.
>
> Nothing I would deploy in a large data center but for a few racks
> they are perfect.
>
> Beware that they are not built to be connected straight to the
> internet =D.
>
> The management module can reset depending on packet payload and
> overall traffic. They should always be behind some sort of firewall
> with rules limiting its access.
>
> PS: Ours are a few years old, I'm sure APC added some sort of
> security since then, you may want to look 'em up.
>
> Happy 24th to all.
>
> -
> Alain Hebert    aheb...@pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
>
> On 06/24/13 14:41, Ryan - Lists wrote:
>> Does anyone on list have experience with the APC AP7920 switched rack
>> PDU, or any of the horizontal rack mountables with management? We're
>> looking at these for our remote sites.
>>
>> Sent from my iPhone
>>
>> On Jun 24, 2013, at 6:10 AM, Måns Nilsson wrote:
>>
>>> Subject: Re: PDU recommendations Date: Sun, Jun 23, 2013 at 09:32:00PM
>>> -0400 Quoting shawn wilson (ag4ve...@gmail.com):
>>>> So, that's not a very good endorsement :)
>>>>
>>>> Idk why you'd use a fuse in a PDU.
>>> MCB units age. Especially with vibration. A 10A MCB becomes a 9A MCB
>>> after some miles.
>>>
>>> Fuses don't.
>>>
>>> MCB units are good at protecting people since they trip quickly and
>>> aggressively.
>>>
>>> Fuses tend to linger before blowing, and thus are comparatively bad at
>>> protecting
>>> people (longer shock) but better at protecting infrastructure (surge
>>> and switch-on-transient resistance).
>>>
>>> --
>>> Måns Nilsson primary/secondary/besserwisser/machina
>>> MN-1334-RIPE +46 705 989668
>>> There's a little picture of ED MCMAHON doing BAD THINGS to JOAN RIVERS
>>> in a $200,000 MALIBU BEACH HOUSE!!
Re: PDU recommendations
Hi,

Yes.

They are good.

Nothing I would deploy in a large data center but for a few racks they are perfect.

Beware that they are not built to be connected straight to the internet =D.

The management module can reset depending on packet payload and overall traffic. They should always be behind some sort of firewall with rules limiting its access.

PS: Ours are a few years old, I'm sure APC added some sort of security since then, you may want to look 'em up.

Happy 24th to all.

-
Alain Hebert    aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443

On 06/24/13 14:41, Ryan - Lists wrote:
> Does anyone on list have experience with the APC AP7920 switched rack PDU, or
> any of the horizontal rack mountables with management? We're looking at these
> for our remote sites.
>
> Sent from my iPhone
>
> On Jun 24, 2013, at 6:10 AM, Måns Nilsson wrote:
>
>> Subject: Re: PDU recommendations Date: Sun, Jun 23, 2013 at 09:32:00PM -0400
>> Quoting shawn wilson (ag4ve...@gmail.com):
>>> So, that's not a very good endorsement :)
>>>
>>> Idk why you'd use a fuse in a PDU.
>> MCB units age. Especially with vibration. A 10A MCB becomes a 9A MCB after
>> some miles.
>>
>> Fuses don't.
>>
>> MCB units are good at protecting people since they trip quickly and
>> aggressively.
>>
>> Fuses tend to linger before blowing, and thus are comparatively bad at
>> protecting
>> people (longer shock) but better at protecting infrastructure (surge
>> and switch-on-transient resistance).
>>
>> --
>> Måns Nilsson primary/secondary/besserwisser/machina
>> MN-1334-RIPE +46 705 989668
>> There's a little picture of ED MCMAHON doing BAD THINGS to JOAN RIVERS
>> in a $200,000 MALIBU BEACH HOUSE!!
Re: /25's prefixes announced into global routing table?
On Jun 24, 2013, at 13:29 , Paul Rolland (ポール・ロラン) wrote:
> On Fri, 21 Jun 2013 13:56:02 -0600 Michael McConnell wrote:

>> As the IPv4 space gets smaller and smaller, does anyone think we'll see a
>> time when /25's will be accepted for global BGP prefix announcement. The
>> current smallest size is a /24 and generally ok for most people, but the
>> crunch gets tighter, routers continue to have more and more ram will it
>> always be /24 the smallest size?
>
> Well, /25 are already in the routing table. I can even find a few /26 !!
>
> rtr-01.PAR#sh ip b | i /26
> *>i193.41.227.128/26
> *>i193.41.227.192/26
> *>i194.149.243.64/26

The question was when will we see /25s in the GLOBAL routing table. Despite the very un-well defined definition for "global routing table", I'm going to assume something similar to the DFZ, or the set of prefixes which is seen in all (most of?) the transit-free networks[*].

Given that definition, there are exactly zero /25s in the GRT (DFZ). And unlikely to be for a while. Whether "a while" is "next 12 months" or "several years" is something I am very specifically choosing not to answer.

--
TTFN,
patrick

[*] Don't you hate the term "tier one" these days? It doesn't mean what it used to mean (i.e. _settlement free_ peering with all other tier one networks). And given that there are non-transit-free networks with more [traffic|revenue|customers|$WHATEVER] than some transit free networks, I prefer to not use the term.
Re: PDU recommendations
We seem to always get calls from uplogix.. Check them out if you are considering managing pdu's etc. Their gear is pretty stout, and they have good to great support.

Sent from my Mobile Device.

Original message
From: Ryan - Lists
Date: 06/24/2013 11:43 AM (GMT-08:00)
To: Måns Nilsson
Cc: North American Network Operators Group
Subject: Re: PDU recommendations

Does anyone on list have experience with the APC AP7920 switched rack PDU, or any of the horizontal rack mountables with management? We're looking at these for our remote sites.

Sent from my iPhone

On Jun 24, 2013, at 6:10 AM, Måns Nilsson wrote:

> Subject: Re: PDU recommendations Date: Sun, Jun 23, 2013 at 09:32:00PM -0400
> Quoting shawn wilson (ag4ve...@gmail.com):
>> So, that's not a very good endorsement :)
>>
>> Idk why you'd use a fuse in a PDU.
>
> MCB units age. Especially with vibration. A 10A MCB becomes a 9A MCB after
> some miles.
>
> Fuses don't.
>
> MCB units are good at protecting people since they trip quickly and
> aggressively.
>
> Fuses tend to linger before blowing, and thus are comparatively bad at
> protecting
> people (longer shock) but better at protecting infrastructure (surge
> and switch-on-transient resistance).
>
> --
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE +46 705 989668
> There's a little picture of ED MCMAHON doing BAD THINGS to JOAN RIVERS
> in a $200,000 MALIBU BEACH HOUSE!!
Re: PDU recommendations
Does anyone on list have experience with the APC AP7920 switched rack PDU, or any of the horizontal rack mountables with management? We're looking at these for our remote sites.

Sent from my iPhone

On Jun 24, 2013, at 6:10 AM, Måns Nilsson wrote:

> Subject: Re: PDU recommendations Date: Sun, Jun 23, 2013 at 09:32:00PM -0400
> Quoting shawn wilson (ag4ve...@gmail.com):
>> So, that's not a very good endorsement :)
>>
>> Idk why you'd use a fuse in a PDU.
>
> MCB units age. Especially with vibration. A 10A MCB becomes a 9A MCB after
> some miles.
>
> Fuses don't.
>
> MCB units are good at protecting people since they trip quickly and
> aggressively.
>
> Fuses tend to linger before blowing, and thus are comparatively bad at
> protecting
> people (longer shock) but better at protecting infrastructure (surge
> and switch-on-transient resistance).
>
> --
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE +46 705 989668
> There's a little picture of ED MCMAHON doing BAD THINGS to JOAN RIVERS
> in a $200,000 MALIBU BEACH HOUSE!!
Re: /25's prefixes announced into global routing table?
I'm not going to even ask or look at who is accepting /26's

-jim

On Mon, Jun 24, 2013 at 2:29 PM, Paul Rolland wrote:

> Hello,
>
> On Fri, 21 Jun 2013 13:56:02 -0600
> Michael McConnell wrote:
>
> > As the IPv4 space gets smaller and smaller, does anyone think we'll see a
> > time when /25's will be accepted for global BGP prefix announcement. The
> > current smallest size is a /24 and generally ok for most people, but the
> > crunch gets tighter, routers continue to have more and more ram will it
> > always be /24 the smallest size?
>
> Well, /25 are already in the routing table. I can even find a few /26 !!
>
> rtr-01.PAR#sh ip b | i /26
> *>i193.41.227.128/26
> *>i193.41.227.192/26
> *>i194.149.243.64/26
>
> Paul
>
> --
> TelcoTV Awards 2011 - Witbe winner in "Innovation in Test & Measurement"
>
> Paul Rolland                  E-Mail : rol(at)witbe.net
> CTO - Witbe.net SA            Tel. +33 (0)1 47 67 77 77
> Les Collines de l'Arche       Fax. +33 (0)1 47 67 77 99
> F-92057 Paris La Defense      RIPE : PR12-RIPE
>
> LinkedIn : http://www.linkedin.com/in/paulrolland
> Skype: rollandpaul
>
> "I worry about my child and the Internet all the time, even though she's
> too young to have logged on yet. Here's what I worry about. I worry that 10
> or 15 years from now, she will come to me and say 'Daddy, where were you
> when they took freedom of the press away from the Internet?'"
> --Mike Godwin, Electronic Frontier Foundation
Re: /25's prefixes announced into global routing table?
Hello,

On Fri, 21 Jun 2013 13:56:02 -0600 Michael McConnell wrote:

> As the IPv4 space gets smaller and smaller, does anyone think we'll see a
> time when /25's will be accepted for global BGP prefix announcement. The
> current smallest size is a /24 and generally ok for most people, but the
> crunch gets tighter, routers continue to have more and more ram will it
> always be /24 the smallest size?

Well, /25 are already in the routing table. I can even find a few /26 !!

rtr-01.PAR#sh ip b | i /26
*>i193.41.227.128/26
*>i193.41.227.192/26
*>i194.149.243.64/26

Paul

--
TelcoTV Awards 2011 - Witbe winner in "Innovation in Test & Measurement"

Paul Rolland                  E-Mail : rol(at)witbe.net
CTO - Witbe.net SA            Tel. +33 (0)1 47 67 77 77
Les Collines de l'Arche       Fax. +33 (0)1 47 67 77 99
F-92057 Paris La Defense      RIPE : PR12-RIPE

LinkedIn : http://www.linkedin.com/in/paulrolland
Skype: rollandpaul

"I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say 'Daddy, where were you when they took freedom of the press away from the Internet?'"
--Mike Godwin, Electronic Frontier Foundation
Re: Yahoo Postmaster
On Fri, Jun 21, 2013 at 2:21 PM, Andy B. wrote:

> If there is a YAHOO! Postmaster contact available, can you please
> contact me off list?
>
> I need to investigate a customer's "TS03" listing of a very large
> netblock (/16) and I'm afraid regular Yahoo! forms are leading me
> nowhere but frustration and no results.
>
> Thanks.

Hi Andy,

I'm not a postmaster, but I can probably put you in touch with an appropriate person,

Thanks!
Matt
Re: Contact at GoGo Internet?
And by "blog", of course I meant "block". Sorry!

On Mon, Jun 24, 2013 at 11:30 AM, Matt Simmons <standalone.sysad...@gmail.com> wrote:

> For a reason that I'm unable to ascertain, GoGo In-Flight Internet can
> route to my university's network blog, but not to my specific college's.
>
> Does anyone have a contact there that I could reach out to and work to
> figure this out with?
>
> Thanks!
>
> --Matt Simmons
>
> --
> LITTLE GIRL: But which cookie will you eat FIRST?
> COOKIE MONSTER: Me think you have misconception of cookie-eating process.

--
LITTLE GIRL: But which cookie will you eat FIRST?
COOKIE MONSTER: Me think you have misconception of cookie-eating process.
Contact at GoGo Internet?
For a reason that I'm unable to ascertain, GoGo In-Flight Internet can route to my university's network blog, but not to my specific college's.

Does anyone have a contact there that I could reach out to and work to figure this out with?

Thanks!

--Matt Simmons

--
LITTLE GIRL: But which cookie will you eat FIRST?
COOKIE MONSTER: Me think you have misconception of cookie-eating process.
Re: /25's prefixes announced into global routing table?
On Jun 22, 2013, at 16:16 , Grzegorz Janoszka wrote:
> On 22-06-13 17:30, Owen DeLong wrote:
>> Looking at the number of autonomous systems in the IPv6 routing table and
>> the total number of routes, it looks like it will shake out somewhere in the
>> neighborhood of 3-5 prefixes/ASN. Since there are ~35,000 unique ASNs in the
>> IPv4 table, I figured simple multiplication provided as good an estimate as
>> any at this early time.
>
> Deaggregating of IPv4 announcements is done for traffic engineering and
> to fight ddoses (just the attacked /24 stops being announced to
> internet). I think some people will just copy their v4 habits into v6
> and then we might have explosion of /48's.
> I wouldn't be so sure about just 3-5 prefixes/ASN.

Not that many people are de-aggregating in anticipation of the DDoS.

Temporary de-agg during DDoS is not relevant to discussions on global table sizes.

--
TTFN,
patrick
RE: Multihop eBGP peering or VPN based eBGP peering
-Original Message-
From: Randy Bush [mailto:ra...@psg.com]
Sent: Monday, June 24, 2013 2:32 PM
To: Adam Vitkovsky
Cc: 'John van Oppen'; nanog@nanog.org
Subject: Re: Multihop eBGP peering or VPN based eBGP peering

>>> route reflectors should be in the data plane, ...
>> I believe in modern networks data-plane and control-plane(s) should be
>> separated as it provides for great scalability and versatility the
>> drawback of course is a more complex system to manage.

> more complex systems scale poorly, break easily, and are hard to debug.
> oops! all my competitors should have such 'modern networks.'
> randy

Well in the context of RRs complex systems have virtually endless scalability, they are built with redundancy in mind so they don't break or don't break easily and well as far as the debug goes, I think it's a matter of how well are the Operations educated by the architects.

adam
Re: /25's prefixes announced into global routing table?
On 22/06/2013 00:27, Jakob Heitz wrote:
> There are techniques to fix that. For example, Simple Virtual Aggregation
> http://tools.ietf.org/html/rfc6769

The principle behind this RFC is that RAM (RIB) is cheap, CAM (FIB) is not. But it's mostly intended for SDN developments.

You need a full RIB on every (current - non SDN) BGP speakers in only one scenario : being a transit provider. If you're not, there's no point in keeping (and least to install) all routes.

But let's say you have enough RAM to store a very large de-aggregated RIB, and a smaller TCAM. The best path selection takes place in RIB, and selected best path can be installed as long as you have free space in CAM.

Let's compress (aggregate) the table prior to installation, by creating aggregates over adjacent prefixes having only the same next-hop and origin AS, and you may fit a virtual-full-view, perfectly matching your routing policy, with far less physical routes to install.

This will probably not be backported to "obsolete" routers, but it would be natural to operate in such manners for an SDN control plane.

It *could* be deployed on older hardware using some customized BGP speakers : use a software BGP speaker as a route-server / route-reflector, get all your eBGP peers to hook to this speaker instead of your ASBRs, and have the controller apply dynamic compression to the route table (dynamic meaning it has to be a locally optimized aggregate different for every router in your network) and feed it to your ASBRs through iBGP.

There would be different levels of aggregation : destructive or not, matching the exact policy or cutting some slack to fit in smaller TCAMs.

For instance, having AS paths in the local RIB in your ASBRs is required for netflow/ipfix AS aggregates. You may not care about AS being too far from your network, thus generating aggregates over multiple adjacent prefixes originating from different AS is not an issue : if you aggregate every prefix matching the same 3-4 (deduplicated) AS in the path, let's use the last as origin, and aggregate all the adjacent blocks in a single prefix, as long as your best-path selection concluded in using the same next-hop for all of them.

If you want a more aggressive compression, then you may decide not to fully respect the routing policy, and aggregate over a minor block (let's say a few /24 have a different next hop than their common less-specific /12), discard the specificity and enjoy shooting /24s off your CAM.

If such a software existed (it's not yet available AFAIK, I wrote some code to try the concept but it's still far from being usable), you may actually run a real network with less than 30k route entries in your CAM...

--
Jérôme Nicolle
+33 6 19 31 27 14
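The non-destructive compression described in the message above, as an added example (not the poster's code, and not the algorithm in RFC 6769): it merges adjacent prefixes and drops redundant more-specifics only when next hop and origin AS match, then checks that longest-prefix-match results are unchanged. The function names and the sample RIB are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample RIB (not from the thread): prefix -> (next hop, origin AS).
SAMPLE_RIB = {
    "10.0.0.0/16":   ("192.0.2.1", 64500),
    "10.0.0.0/24":   ("192.0.2.1", 64500),  # same as covering /16: redundant
    "10.0.1.0/24":   ("192.0.2.2", 64501),  # differs from covering /16: must stay
    "10.1.0.0/17":   ("192.0.2.1", 64500),  # these two halves merge to 10.1.0.0/16,
    "10.1.128.0/17": ("192.0.2.1", 64500),  # which then merges with 10.0.0.0/16
    "10.2.0.0/24":   ("192.0.2.2", 64501),  # adjacent, same next hop, but
    "10.2.1.0/24":   ("192.0.2.2", 64502),  # different origin AS: not merged
}


def parse(table):
    """Turn {"a.b.c.d/len": value} into {ip_network: value}."""
    return {ipaddress.ip_network(p): v for p, v in table.items()}


def covering(fib, net):
    """Nearest less-specific of `net` that is present in `fib`, or None."""
    for plen in range(net.prefixlen - 1, -1, -1):
        sup = net.supernet(new_prefix=plen)
        if sup in fib:
            return sup
    return None


def compress(rib):
    """Lossless aggregation: forwarding for every address stays the same."""
    fib = parse(rib)
    by_len = lambda n: n.prefixlen
    changed = True
    while changed:
        changed = False
        # 1) A more-specific that resolves exactly like its nearest covering
        #    route adds nothing to the forwarding decision: drop it.
        for net in sorted(fib, key=by_len, reverse=True):
            cov = covering(fib, net)
            if cov is not None and fib[cov] == fib[net]:
                del fib[net]
                changed = True
        # 2) Two sibling halves with identical (next hop, origin AS) become
        #    their parent. A parent entry already present is fully shadowed
        #    by the two halves, so overwriting it changes nothing.
        for net in sorted(fib, key=by_len, reverse=True):
            if net not in fib or net.prefixlen == 0:
                continue
            sup = net.supernet()
            sibling = next(s for s in sup.subnets() if s != net)
            if fib.get(sibling) == fib[net]:
                fib[sup] = fib.pop(net)
                del fib[sibling]
                changed = True
    return fib


def lookup(table, addr):
    """Longest-prefix match of `addr` in a parsed table; None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, value in table.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else None


def forwarding_equal(before, after, probes):
    """True if every probe address resolves identically in both tables."""
    return all(lookup(before, p) == lookup(after, p) for p in probes)


if __name__ == "__main__":
    fib = compress(SAMPLE_RIB)
    for net in sorted(fib, key=lambda n: (int(n.network_address), n.prefixlen)):
        print(net, fib[net])
    print(len(SAMPLE_RIB), "RIB routes ->", len(fib), "FIB entries")
```

The destructive variant from the message (discarding a few /24s whose next hop differs from their less-specific) would make `forwarding_equal` fail for addresses inside those /24s; that is the policy deviation the poster describes accepting in exchange for CAM space.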
Re: Network diagnostics for the end user
+1. It's especially helpful for wireless troubleshooting in a campus environment. You can get a lot of info from the AP, but tend not to know what the client is seeing and it's great for catching transient events (oh, whenever the elevator goes by...)

Eric

On Jun 22, 2013, at 12:29 AM, "Carlos M. Martinez" wrote:

> May sound silly, but in another life I faced a similar problem and by
> hosting local SpeedTest.net servers in our network we could fend off
> many of these calls.
>
> But I guess it will depend on your customers, whether they take it or not.
>
> cheers,
>
> ~Carlos
>
> On 6/20/13 9:45 PM, Jeffrey Ollie wrote:
>> Are there any tools out there that we could give to our end users to help
>> diagnose network problems? We get a lot of "the Internet is slow" support
>> calls and it would be helpful if we had something that would run on the end
>> user's computer and help characterize the problem. We have central
>> monitoring system of course but that doesn't always give a complete
>> picture, as the problem could always be on the end user's computer - slow
>> hard drive, not enough memory, wrong name servers, etc.
Re: IPv6 adoption in the past few days
> there is massive increase in IPv6 adoption (from 1.5% to 1.7%) in the
> past few days.

luckily i had my seatbelt fastened

randy
Re: Multihop eBGP peering or VPN based eBGP peering
>> route reflectors should be in the data plane, ...
> I believe in modern networks data-plane and control-plane(s) should be
> separated as it provides for great scalability and versatility the
> drawback of course is a more complex system to manage.

more complex systems scale poorly, break easily, and are hard to debug.

oops! all my competitors should have such 'modern networks.'

randy
RE: Multihop eBGP peering or VPN based eBGP peering
> route reflectors should be in the data plane, ...

I believe in modern networks data-plane and control-plane(s) should be separated as it provides for great scalability and versatility; the drawback of course is a more complex system to manage.

adam
Re: /25's prefixes announced into global routing table?
Daniel Suchy wrote:

>> There are techniques to fix that. For example, Simple Virtual Aggregation
>> http://tools.ietf.org/html/rfc6769
> I'm not sure, if hardware vendors will implement something like this. I
> expect they'll sell you router with larger hardware FIB instead.

As the RFC says:

   Some routers in an Autonomous System (AS) announce an aggregate (the VA prefix) in addition to the routes they already announce.

it assumes some routers in the AS have unaggregated routing table entries.

Thus, even within the AS, the RFC is not very effective.

The RFC, either, does not help to reduce the number of routing table entries exchanged between adjacent ASes.

Masataka Ohta
Re: /25's prefixes announced into global routing table?
John Levine wrote:

> I realize it's not quite that simple due to issues of longer prefixes
> taking precedence over shorter ones, but it is my impression that
> there's a lot of sloppiness.

16M /24 is just a cheap 16M entry SRAM.

However, 16M /32 means 4G entry SRAM or 16M entry CAM.

16M entry with /40 or /48 prefix means 16M entry CAM, which is hard, which is why IPv6 is hard.

Masataka Ohta
Re: PDU recommendations
Subject: Re: PDU recommendations Date: Sun, Jun 23, 2013 at 09:32:00PM -0400 Quoting shawn wilson (ag4ve...@gmail.com):
> So, that's not a very good endorsement :)
>
> Idk why you'd use a fuse in a PDU.

MCB units age. Especially with vibration. A 10A MCB becomes a 9A MCB after some miles. Fuses don't.

MCB units are good at protecting people since they trip quickly and aggressively. Fuses tend to linger before blowing, and thus are comparatively bad at protecting people (longer shock) but better at protecting infrastructure (surge and switch-on-transient resistance).

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
There's a little picture of ED MCMAHON doing BAD THINGS to JOAN RIVERS in a $200,000 MALIBU BEACH HOUSE!!
Re: Google news down
Mobile page works fine via the same comcast circuit as previously mentioned

On Mon, Jun 24, 2013 at 12:37 AM, Joly MacFie wrote:

> Maybe they are adjusting in preparation for Aug 1.
>
> http://techcrunch.com/2013/06/21/google-makes-google-news-in-germany-opt-in-only-to-avoid-paying-fees-under-new-copyright-law/
>
> On Mon, Jun 24, 2013 at 2:54 AM, Warren Bailey wrote:
> > Seems to be isolated to the mobile site, if anyone finds it of interest.
> >
> > Sent from my Mobile Device.
> >
> > Original message
> > From: Warren Bailey
> > Date: 06/23/2013 11:48 PM (GMT-08:00)
> > To: nanog@nanog.org
> > Subject: Google news down
> >
> > Does anyone happen to know what's going on with Google news? Getting an
> > xml parse error for all responses (not well formed) to anything google news
> > related.
> >
> > NSA taking down google news or something?
> >
> > Sent from my Mobile Device.
>
> --
> ---
> Joly MacFie 218 565 9365 Skype:punkcast
> WWWhatsup NYC - http://wwwhatsup.com
> http://pinstand.com - http://punkcast.com
> VP (Admin) - ISOC-NY - http://isoc-ny.org
> --
> -
Re: /25's prefixes announced into global routing table?
Hi,

From public routing data we can see a total of 2,419 /25s prefixes announced from at least one of the monitors active in RIPE RIS and RouteViews. None of the /25s are actually advertised by all these monitors i.e. the /25s reach some but not all the ASes which take part in these projects.

The actual distribution of how many unique routing tables sampled contain the /25s is the following: http://visibility.it.uc3m.es/len25_distro.html (out of the approx. 140 collectors that have a "full" routing table).

The top 5 ASes that are originating the most /25s are:

AS 11427: 462 /25s
AS 4766: 273 /25s
AS 45400: 109 /25s
AS 14065: 82 /25s
AS 3549: 57 /25s

If you are interested in limited visibility prefixes, i.e., prefixes that are distributed to some but not all the "full" routing tables at the interdomain level, you can find more at http://visibility.it.uc3m.es/ and https://labs.ripe.net/Members/andra_lutu/the-bgp-visibility-scanner

Best regards,
Andra

On 06/22/2013 12:00 AM, nanog-requ...@nanog.org wrote:

Date: Fri, 21 Jun 2013 13:56:02 -0600
From: Michael McConnell
To: North American Network Operators Group
Subject: /25's prefixes announced into global routing table?

Hello all,

As the IPv4 space get smaller and smaller, does anyone think we'll see a time when /25's will be accepted for global BGP prefix announcement. The current smallest size is a /24 and generally ok for most people, but the crunch gets tighter, routers continue to have more and more ram will it always be /24 the smallest size?

Cheers,
Mike
Re: Google news down
Maybe they are adjusting in preparation for Aug 1.

http://techcrunch.com/2013/06/21/google-makes-google-news-in-germany-opt-in-only-to-avoid-paying-fees-under-new-copyright-law/

On Mon, Jun 24, 2013 at 2:54 AM, Warren Bailey wrote:

> Seems to be isolated to the mobile site, if anyone finds it of interest.
>
> Sent from my Mobile Device.
>
> Original message
> From: Warren Bailey
> Date: 06/23/2013 11:48 PM (GMT-08:00)
> To: nanog@nanog.org
> Subject: Google news down
>
> Does anyone happen to know what's going on with Google news? Getting an xml
> parse error for all responses (not well formed) to anything google news
> related.
>
> NSA taking down google news or something?
>
> Sent from my Mobile Device.

--
---
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--
-