RE: Residential CPE suggestions
Thanks to everyone who responded. The picture/spec on this page shows a single SFP, not dual. Hopefully they will come out with something that supports dual SFP. I am looking for something suitable for an active Ethernet fiber-to-X deployment. The Ubiquiti routers don't support dual SFP until you get to the PRO (too bad no Wifi, emailed them. :) Self-quoting here: CRS226-24G-2S from Mikrotik is using a new chipset, supposedly. I suspect that more vendors will be releasing configs like this if the silicon is becoming more prevalent. The thing has SFP+ ports (10G) which is cool, especially at the price point, but overkill. It has 24x gigabit ports which is definitely overkill, so ideally I can find a slimmer switch. :) List price under $300 looks like. This guy fits the bill (port config) more closely but also costs 3x more (faster cpu, more ram, etc). Neat stuff, either way. Deepak
Re: level3 dia egress filtering?
On Monday, May 12, 2014 11:58:20 PM Petter Bruland wrote: We contacted Level3 a few weeks back, and were told that they do not provide any filtering service. I've not been able to confirm this from anyone else, besides the Level3 customer service rep we spoke with. We've received such requests from customers as well, and our policy is we do not implement any kind of filtering, even though it is restricted to just one customer. If the customer is looking for DoS/DDoS Mitigation services, that is something else that can be offered. But as an ISP, filtering in the data plane that is not for the protection of our core's control plane is not our deal. It is not something I'd ask of my IP Transit provider, nor support that they do. Mark.
Re: Observations of an Internet Middleman (Level3) (was: RIP Network Neutrality)
Shouldn't there be a rule against using RIP in the subject line of a NANOG post? Every time I see that, a shudder goes down *my* spine. jms -- Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 Senior Partner, Opus One Phone: +1 520 324 0494 j...@opus1.com http://www.opus1.com/jms
New Zealand Spy Agency To Vet Network Builds, Provider Staff
I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here. This sounds rather... dire (probably not the right word). The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation. http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-network-builds-provider-staff FYI, - ferg -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
It got a pretty firefight discussion at the NZNOG. None of the ISPs feel comfortable with it, but in avoiding a shoot-the-messenger syndrome they tried to give good feedback to the reps from GCSB who came to talk. Basically, a lot of post-act variations are expected to clarify what changes do and do not have to be notified. There was a lot of bitter humour about calling them at 3am to report BGP failures and ask permission to remediate. On Tue, May 13, 2014 at 3:33 PM, Paul Ferguson fergdawgs...@mykolab.com wrote: I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here. This sounds rather... dire (probably not the right word). The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation.
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-network-builds-provider-staff FYI, - ferg -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
So is there just reluctant acceptance of this law, or is there push-back and plans to repeal, or...? I guess my question is something along the lines of Are people just reluctantly accepting that government surveillance micromanagement of private businesses/networks is a fact of life? I am purposefully making a distinction here between the U.S. CALEA [1] and NSLs [2] and a NZ spy agency getting ...to decide on network equipment procurement and design decisions. The latter seems like a bit of an overreach? - ferg [1] https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act [2] https://en.wikipedia.org/wiki/National_security_letter On 5/13/2014 6:40 AM, George Michaelson wrote: It got a pretty firefight discussion at the NZNOG. None of the ISPs feel comfortable with it, but in avoiding a shoot-the-messenger syndrome they tried to give good feedback to the reps from GCSB who came to talk. Basically, a lot of post-act variations are expected to clarify what changes do and do not have to be notified. There was a lot of bitter humour about calling them at 3am to report BGP failures and ask permission to remediate. On Tue, May 13, 2014 at 3:33 PM, Paul Ferguson fergdawgs...@mykolab.com wrote: I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here. This sounds rather... dire (probably not the right word). The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff.
Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation. http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-network-builds-provider-staff FYI, - ferg -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: level3 dia egress filtering?
I would personally look at leaving Level 3 over that kind of response. I consider it basic service to throw a 1 line acl on an interface temporarily in exceptional circumstances. Transit guys can argue if they wish, but it won't change my expectations as a customer. Eventually I'll find a carrier that will offer reasonable service. I know it's why I kept UUnet back in the day, and dropped all my other providers at the time. Heck ATT even blackholed our traffic with a static null, so we were broken even after depeering for several hours until we could find someone who knew what a route was via their support. -Blake On Tue, May 13, 2014 at 4:02 AM, Mark Tinka mark.ti...@seacom.mu wrote: On Monday, May 12, 2014 11:58:20 PM Petter Bruland wrote: We contacted Level3 a few weeks back, and were told that they do not provide any filtering service. I've not been able to confirm this from anyone else, besides the Level3 customer service rep we spoke with. We've received such requests from customers as well, and our policy is we do not implement any kind of filtering, even though it is restricted to just one customer. If the customer is looking for DoS/DDoS Mitigation services, that is something else that can be offered. But as an ISP, filtering in the data plane that is not for the protection of our core's control plane is not our deal. It is not something I'd ask of my IP Transit provider, nor support that they do. Mark.
Re: level3 dia egress filtering?
You can't really have your cake, and eat it too. If this is a deal breaker for anyone, getting it in writing within the contract should be the most basic of steps to undertake. Asking beforehand will also actually let you know who will and won't do this, thus avoid surprises like these altogether. Otherwise, as Mark mentioned, they're entirely within the contractual agreement. On 5/13/2014 10:51 PM, Blake Dunlap wrote: I would personally look at leaving Level 3 over that kind of response. I consider it basic service to throw a 1 line acl on an interface temporarily in exceptional circumstances. Transit guys can argue if they wish, but it won't change my expectations as a customer. Eventually I'll find a carrier that will offer reasonable service. I know it's why I kept UUnet back in the day, and dropped all my other providers at the time. Heck ATT even blackholed our traffic with a static null, so we were broken even after depeering for several hours until we could find someone who knew what a route was via their support. -Blake On Tue, May 13, 2014 at 4:02 AM, Mark Tinka mark.ti...@seacom.mu wrote: On Monday, May 12, 2014 11:58:20 PM Petter Bruland wrote: We contacted Level3 a few weeks back, and were told that they do not provide any filtering service. I've not been able to confirm this from anyone else, besides the Level3 customer service rep we spoke with. We've received such requests from customers as well, and our policy is we do not implement any kind of filtering, even though it is restricted to just one customer. If the customer is looking for DoS/DDoS Mitigation services, that is something else that can be offered. But as an ISP, filtering in the data plane that is not for the protection of our core's control plane is not our deal. It is not something I'd ask of my IP Transit provider, nor support that they do. Mark.
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
I can't speak to that Paul. I attended NZNOG as a guest, I'm from Australia. Others will have to say how the NZ industry is approaching this, I'd get it wrong if I tried! -G On Tue, May 13, 2014 at 3:49 PM, Paul Ferguson fergdawgs...@mykolab.com wrote: So is there just reluctant acceptance of this law, or is there push-back and plans to repeal, or...? I guess my question is something along the lines of Are people just reluctantly accepting that government surveillance micromanagement of private businesses/networks is a fact of life? I am purposefully making a distinction here between the U.S. CALEA [1] and NSLs [2] and a NZ spy agency getting ...to decide on network equipment procurement and design decisions. The latter seems like a bit of an overreach? - ferg [1] https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act [2] https://en.wikipedia.org/wiki/National_security_letter On 5/13/2014 6:40 AM, George Michaelson wrote: It got a pretty firefight discussion at the NZNOG. None of the ISPs feel comfortable with it, but in avoiding a shoot-the-messenger syndrome they tried to give good feedback to the reps from GCSB who came to talk. Basically, a lot of post-act variations are expected to clarify what changes do and do not have to be notified. There was a lot of bitter humour about calling them at 3am to report BGP failures and ask permission to remediate. On Tue, May 13, 2014 at 3:33 PM, Paul Ferguson fergdawgs...@mykolab.com wrote: I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here. This sounds rather... dire (probably not the right word). The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers.
One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation. http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-network-builds-provider-staff FYI, - ferg -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
On Tuesday, May 13, 2014 03:49:09 PM Paul Ferguson wrote: I am purposefully making a distinction here between the U.S. CALEA [1] and NSLs [2] and a NZ spy agency getting ...to decide on network equipment procurement and design decisions. The latter seems like a bit of an overreach? I have to agree. Telling me what to buy - that's another realm, even for me... Mark.
Re: level3 dia egress filtering?
On Tuesday, May 13, 2014 03:51:56 PM Blake Dunlap wrote: I would personally look at leaving Level 3 over that kind of response. I consider it basic service to throw a 1 line acl on an interface temporarily in exceptional circumstances. Transit guys can argue if they wish, but it won't change my expectations as a customer. Eventually I'll find a carrier that will offer reasonable service. I suppose the question then becomes your and the ISP's interpretation of exceptional circumstances. Mark.
NANOG 61 hotel
The Hyatt appears to have filled up. :( Anyone have alternate hotel recommendations? -- Jon Lewis, MCP :) | I route | therefore you are _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: NANOG 61 hotel
On Tue 2014-May-13 10:32:48 -0400, Jon Lewis jle...@lewis.org wrote: The Hyatt appears to have filled up. :( Anyone have alternate hotel recommendations? I put together a list when I was making my pitch to go down: ! --- ! Westin Bellevue http://www.starwoodhotels.com/westin/rates/rate.html?propertyID=1555 - $280/room/night ! ! Marriott Bellevue (Courtyard Seattle Bellevue/Downtown) http://www.marriott.com/hotels/travel/bvudt-courtyard-seattle-bellevue-downtown/ - $269/room/night ! ! Silver Cloud Inn http://www.silvercloud.com/bellevuedowntown/ - $229/room/night - 2 Queens/room ! ! La Residence Suite Hotel http://www.bellevuelodging.com/ - $169/room/night - 2x Queens - couple of blocks away These are all within 5-10 minutes walk of the Hyatt, IIRC and if Google Maps can be trusted. Rates at some of them seem a little different from when I looked before, e.g. the Westin now read as $303/night whereas e.g. Silver Cloud shows a single king room at $189/night. -- Jon Lewis, MCP :) | I route | therefore you are _ http://www.lewis.org/~jlewis/pgp for PGP public key_ -- Hugo
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
Yep… If I had infrastructure in NZ, that would be enough to cause me to remove it. Owen On May 13, 2014, at 6:33 AM, Paul Ferguson fergdawgs...@mykolab.com wrote: I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here. This sounds rather... dire (probably not the right word). The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation. http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-network-builds-provider-staff FYI, - ferg -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
Don't get me wrong, I'm not a fan of this. But at least they did it in the open, unlike the NSA (where you live). -- TTFN, patrick On May 13, 2014, at 12:12 , Owen DeLong o...@delong.com wrote: Yep… If I had infrastructure in NZ, that would be enough to cause me to remove it. Owen On May 13, 2014, at 6:33 AM, Paul Ferguson fergdawgs...@mykolab.com wrote: I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here. This sounds rather... dire (probably not the right word). The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation. http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-network-builds-provider-staff FYI, - ferg -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
I live in the USA and have not been forced to register with the government as a network operator or have them vet my staff. On 5/13/2014 11:34 AM, Patrick W. Gilmore wrote: Don't get me wrong, I'm not a fan of this. But at least they did it in the open, unlike the NSA (where you live). -- Aaron Wendel Chief Technical Officer Wholesale Internet, Inc. (AS 32097) (816)550-9030 http://www.wholesaleinternet.com
This is me venting.... OVH/lvl3
Almost a week of this now.. OVH/lvl3 at dal-1-6k. Thank you sir may I have another.. http://weathermap.ovh.net/usa
FYI: Unbreakable VPN using Vyatta/VyOS -HOW TO-
Hi all! We wrote a TIPS memo about the basic idea for inter-cloud networking using a virtual router (a.k.a. Brocade Vyatta vRouter and VyOS) with a high-availability concept. Please enjoy it if you are interested ;-) Unbreakable VPN using Vyatta/VyOS -HOW TO- http://slidesha.re/1lryGVU Best Regards, -- SAKURA Internet Inc. / Senior Researcher Naoto MATSUMOTO n-matsum...@sakura.ad.jp SAKURA Internet Research Center http://research.sakura.ad.jp/
CERT and ISO 27001
Hi, I'm searching for a service/company doing continuous review of security alerts for various tools, software and hardware (Apache, PHP, Cisco IOS, Juniper JunOS, Netapp Ontap, etc.). I think the right way is to use a CERT offering commercial services with daily notifications about a list of specific chosen subjects. I found some companies with a commercial CERT offering these services: Lexsi, XMCO, Intrinsec. Do you know or use a service like this? We need this for our implementation of the ISO 27001 standard. Thank you in advance. Regards, -- Guillaume
Re: Observations of an Internet Middleman (Level3) (was: RIP Network Neutrality)
It could be worse! Somebody might have thrown a 'v1' in there, too, Joel! Sent from my iPhone On May 13, 2014, at 8:08, Joel M Snyder joel.sny...@opus1.com wrote: Shouldn't there be a rule against using RIP in the subject line of a NANOG post? Every time I see that, a shudder goes down *my* spine. jms -- Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 Senior Partner, Opus One Phone: +1 520 324 0494 j...@opus1.com http://www.opus1.com/jms
Re: This is me venting.... OVH/lvl3
On 5/12/2014 20:25, Mr. Queue wrote: Almost a week of this now.. OVH/lvl3 at dal-1-6k. Thank you sir may I have another.. http://weathermap.ovh.net/usa Looks fine. -- staticsafe https://asininetech.com
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
I didn’t see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures. Owen On May 13, 2014, at 9:34 AM, Patrick W. Gilmore patr...@ianai.net wrote: Don't get me wrong, I'm not a fan of this. But at least they did it in the open, unlike the NSA (where you live). -- TTFN, patrick On May 13, 2014, at 12:12 , Owen DeLong o...@delong.com wrote: Yep… If I had infrastructure in NZ, that would be enough to cause me to remove it. Owen On May 13, 2014, at 6:33 AM, Paul Ferguson fergdawgs...@mykolab.com wrote: I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here. This sounds rather... dire (probably not the right word). The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation.
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-network-builds-provider-staff FYI, - ferg -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: Observations of an Internet Middleman (Level3) (was: RIP Network Neutrality)
On 13 May 2014, at 14:17, coy.h...@coyhile.com wrote: It could be worse! Somebody might have thrown a 'v1' in there, too, Joel! Well - just imagine that network without mask. On public list. Horrible. Thankfully, we have civilization stuff, so nothing like that couldn’t have had happened. -- Łukasz Bromirski | jid:lbromir...@jabber.org | http://lukasz.bromirski.net | "There's no sense in being precise when you don't know what you're talking about." John von Neumann
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
On 13/05/14 19:01, Owen DeLong wrote: I didn’t see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures. Because they didn't (don't) need to...? Tom
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
Exactly. They just broke in and left a trail of open doors behind. Again, not saying either is good, just saying at least NZ is being above board. -- TTFN, patrick On May 13, 2014, at 14:01 , Owen DeLong o...@delong.com wrote: I didn’t see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures. Owen On May 13, 2014, at 9:34 AM, Patrick W. Gilmore patr...@ianai.net wrote: Don't get me wrong, I'm not a fan of this. But at least they did it in the open, unlike the NSA (where you live). -- TTFN, patrick On May 13, 2014, at 12:12 , Owen DeLong o...@delong.com wrote: Yep… If I had infrastructure in NZ, that would be enough to cause me to remove it. Owen On May 13, 2014, at 6:33 AM, Paul Ferguson fergdawgs...@mykolab.com wrote: I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here. This sounds rather... dire (probably not the right word). The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation.
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-network-builds-provider-staff FYI, - ferg -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
RE: New Zealand Spy Agency To Vet Network Builds, Provider Staff
To: Paul Ferguson Cc: NANOG Subject: Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff I can't speak to that Paul. I attended NZNOG as a guest, I'm from Australia. Others will have to say how the NZ industry is approaching this, I'd get it wrong if I tried! The industry in New Zealand is responding with Nobody listened to us and we have no damn choice but to do what the government orders us to do. The general public is completely unaware of what has just happened and as long as there is still beer in the fridge and the game on TV they don't seem to give much of a toss.
RE: New Zealand Spy Agency To Vet Network Builds, Provider Staff
Cc: NANOG list Subject: Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff I didn't see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures. Owen Try to get approval to land a submarine cable onto US soil using Huawei DWDM kit and then come back to us.
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
On May 13, 2014, at 17:47 , Tony Wicks t...@wicks.co.nz wrote: Cc: NANOG list Subject: Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff I didn't see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures. Owen Try to get approval to land a submarine cable onto US soil using Huawei DWDM kit and then come back to us. Hey, now, that's not fair. The NSA is just doing what any large player who dominates their space does - try to block out the competition! Copy/pasting from a friend of mine (he can out himself if he likes): http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden - But while American companies were being warned away from supposedly untrustworthy Chinese routers, foreign organisations would have been well advised to beware of American-made ones. A June 2010 report from the head of the NSA's Access and Target Development department is shockingly explicit. The NSA routinely receives or intercepts routers, servers, and other computer network devices being exported from the US before they are delivered to the international customers. - The agency then implants backdoor surveillance tools, repackages the devices with a factory seal, and sends them on. The NSA thus gains access to entire networks and all their users. The document gleefully observes that some SIGINT tradecraft is very hands-on (literally!). - Eventually, the implanted device connects back to the NSA. The report continues: In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure. This call back provided us access to further exploit the device and survey the network. - It is quite possible that Chinese firms are implanting surveillance mechanisms in their network devices. But the US is certainly doing the same.
- Warning the world about Chinese surveillance could have been one of the motives behind the US government's claims that Chinese devices cannot be trusted. But an equally important motive seems to have been preventing Chinese devices from supplanting American-made ones, which would have limited the NSA's own reach. In other words, Chinese routers and servers represent not only economic competition but also surveillance competition. Makes you proud to be an UH-mer-e-kan, dunnit? -- TTFN, patrick
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
On May 13, 2014, at 4:52 PM, Patrick W. Gilmore patr...@ianai.net wrote:

- Warning the world about Chinese surveillance could have been one of the motives behind the US government's claims that Chinese devices cannot be trusted. But an equally important motive seems to have been preventing Chinese devices from supplanting American-made ones, which would have limited the NSA's own reach. In other words, Chinese routers and servers represent not only economic competition but also surveillance competition.

Case in point on Sprint/Softbank merger http://www.theverge.com/2013/3/28/4155714/us-wants-sprint-softbank-deal-to-avoid-chinese-network-equipment/in/3252625

Should we as a community look at Open Hardware when we start to lose trust in vendors and governments? Can we make boards/ASIC/FPGA commodity enough to scale?

Zaid
Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
On May 13, 2014, at 6:24 PM, Zaid Ali Kahn z...@zaidali.com wrote:

Case in point on Sprint/Softbank merger http://www.theverge.com/2013/3/28/4155714/us-wants-sprint-softbank-deal-to-avoid-chinese-network-equipment/in/3252625

Any such deal would also be subject to CFIUS and mandatory 5-year reviews as well. If you think your PII isn’t shared with the Government as part of this, your blinders are on.

- Jared
IPAM DDI Software, Subscriber Management, CMDB and Per Customer VLANs
I would like recommendations on the following software/hardware elements required to run an access network. Assume you are building a greenfield network using a combination of access technologies such as DSL, GPON, AE, and WiFi.

IPAM / DDI Solution: Needs full support for IPv6, Customer VLANs, RFC 1918, VRF, Overlapping Address Space, integration with DNS, DNSSEC, Integration with DHCP, and integration with ARIN. Looks like there are both open source and commercial solutions available according to old NANOG posts. Which cater to service providers? Who are the leaders in this space? Does anyone have experience with dealing with multiple vendors?

Subscriber Management/BRAS/BNG: Redback was the big player back in the day, but I believe they are no longer. Juniper has their Subscriber Management feature pack on their MX routers, and Cisco has their Broadband Network Gateway on their ASR routers. Besides these two vendors I am not sure what other solutions are out there. I believe both of these solutions communicate upstream to external radius servers and DHCP servers. Is anyone using Subscriber Management, or is there another way of doing it?

CMDB: A centralized database to keep track of all assets within the network would be nice. I would assume this would need to tie in with the IPAM solution and billing systems.

I would also like to hear thoughts on the per customer VLAN model. Most of the whitepapers recommend a per customer VLAN for greenfield networks, but that seems like a management and documentation nightmare. The systems described above must be able to manage and maintain per customer VLANs in an automated fashion for this approach to work and scale.

If you had your choice starting from the ground up how would you deploy an access network today?
Re: Observations of an Internet Middleman (Level3) (was: RIP Network Neutrality)
--As of May 12, 2014 3:02:28 PM +0200, Nick Hilliard is alleged to have said:

On 10/05/2014 22:34, Randy Bush wrote:

imiho think vi hart has it down simply and understandable by a lay person. http://vihart.com/net-neutrality-in-the-us-now-what/. my friends in last mile providers disagree. i take that as a good sign.

Vi's analogy is wrong on a subtle but important point. In the analogy, the delivery company needs to get a bunch of new trucks to handle the delivery but as the customer is paying for each delivery instance, the delivery company's costs are covered by increased end-user charges. In the net neutrality debate, the last mile service providers are in a position where they need to upgrade their access networks, but the end-user pricing is not necessarily keeping pace.

--As for the rest, it is mine.

So the fact that the USA has higher prices than many other countries, for slower service, and those prices are rising (mine went up three times in the past year, including them starting to charge rent for a cable modem I bought when I signed up, for the same service) doesn't mean anything? Or the fact that they are one of the most profitable market segments in the country?

They have the money. They have the ability to get more money. *They see no reason to spend money making customers happy.* They can make more profit without it.

Daniel T. Staal

--- This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law. ---