Re: IPv6 and CDN's

2021-10-22 Thread Jens Link
Marco Davids via NANOG  writes:

> It turns out that there are underlying CDN's with domain names such as
> ‘l-msedge.net’ and ‘trafficmanager.net’ (Microsoft) or 'fastly.net',
> that reside on authoritative name servers that *only* have an IPv4
> address.

Fastly does have IPv6-enabled authoritative DNS servers, but it looks like
it's not the default.

I ran into this some time ago with deb.debian.org on an IPv6 only Debian
VM with a locally installed resolver. I opened a ticket which was closed
in record time: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961296

After some ranting and shouting it now works, but a couple of days
ago I ran into the same problem while trying to install something via
pip. files.pythonhosted.org is also using Fastly.

> I guess my question is simple: Why?

I'm asking myself the same question.

> Are there good architectural reason for this? Or is it just something
> that is overlooked and forgotten about?

I don't think it was overlooked or forgotten. More along the lines of

"We have always done it this way", "We had problems enabling IPv6 (ages
ago)" or something else you can find on https://ipv6excuses.com/.

Jens
-- 

| Delbrueckstr. 41| 12051 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: Hand held copper Ethernet testers

2020-10-01 Thread Jens Link
Chris Boyd  writes:

> My old Test-Um Lanscaper died, and I was curious what people liked these
> days. Don’t need throughput testing or anything like that, just basic
> wire map testing, cable ID, cable length, PoE voltage, and DHCP client.
>
> What do y’all like?

Pocketethernet has already been mentioned. I have a https://netool.io/
in my backpack and a rather old (10/100MBit) Fluke Netool lying around
here somewhere. 

Jens
-- 

| Delbrueckstr. 41| 12051 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: Project/Tool to deploy and maintain Edge Servers (VMs) remotely

2020-09-04 Thread Jens Link
Douglas Fischer  writes:

> I was thinking in use something like reverse ssh and ansible.  But I
> thought that I'm probably reinventing part of the wheel.

If you're familiar with ansible:  ansible-pull?

"pulls playbooks from a VCS repo and executes them for the local host"

https://docs.ansible.com/ansible/2.5/cli/ansible-pull.html

Other tools like e.g. puppet use an agent that queries a central server
on a regular basis.

Jens
-- 

| Delbrueckstr. 41| 12051 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: Quagga for production?

2020-03-18 Thread Jens Link
Mark Tinka  writes:

> On 17/Mar/20 19:39, Jens Link wrote:
>
>>
>> Jens, using frr for quite some time now without any problems
>
> IS-IS, per chance?

Sorry, only BGP for now.

Jens
-- 

| Delbrueckstr. 41| 12051 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: WIKI documentation Software?

2020-03-17 Thread Jens Link
Craig  writes:

> Wanted to ask what WIKI software teams are using to save documentation to / 
> how to's for staff, etc. 

On the wiki side: +1 for dokuwiki

Given that more and more people are automating stuff and this way ending
up in git anyway:

Write your doku as markdown, put it into git, generate static web
pages. People who like editing via a GUI can use gitlab or something
similar.

This approach has some advantages:

- You always have (a more or less) current version of your documentation
  offline
- You can just use grep to find stuff

Jens
-- 

| Delbrueckstr. 41| 12051 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: Quagga for production?

2020-03-17 Thread Jens Link
Dmitry Sherman  writes:

> Hello,
>
> Anybody working with Quagga for production peering with multiple peers
> and dynamic eBGP/iBGP announcement?

https://frrouting.org/ is a quagga fork and most (all) developers of
quagga moved to frr.

Jens, using frr for quite some time now without any problems
-- 

| Delbrueckstr. 41| 12051 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: CloudFlare D.N.S. Resolvers... (1.1.1.1 & 1.0.0.1)

2018-09-26 Thread Jens Link
Michael Bullut  writes:

> Hi Ross,
>
> How would you gauge good DNS performance? 

quick and dirty:

jens@screen:~$ dig nanog.org @8.8.8.8 | grep "Query time"
;; Query time: 16 msec
jens@screen:~$ dig nanog.org @1.1.1.1 | grep "Query time"
;; Query time: 3 msec

Jens


Re: IPv6 addressing plan spreadsheet issue

2018-04-01 Thread Jens Link
Job Snijders  writes:

Hi, 

> I made a list of the IPv6 addresses in my home LAN, but have trouble
> copy+pasting the list into a cloud spreadsheet. My address list is here:
> http://pete.meerval.net/~job/
>
> How do other folks do this? Just administrate things in text files?

If the standard IPAM tool (aka. Excel) can't handle your address plan
maybe it's not the fault of the spreadsheet but the fault of the
protocol.

After almost 3.500 days using IPv6 I decided to turn it off! Nobody uses
it and nobody needs it! I'll do the same with DNSSEC!

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: Companies using public IP space owned by others for internal routing

2017-12-20 Thread Jens Link
Ca By  writes:

> http://jool.mx/en/index.html
>
> Free open source nat64

And the DNS64 part can be done with powerdns (recursor), unbound, bind,
... All OpenSource

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: Waste will kill ipv6 too

2017-12-20 Thread Jens Link
Lee Howard  writes:

> I’ve tried several times to come up with a scenario that leads to
> depletion in less than 200 years, and I haven’t managed it. Can you do it?

Self replicating nano bots. Which will be a good thing (probably):

https://xkcd.com/865/

SCNR

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: Companies using public IP space owned by others for internal routing

2017-12-17 Thread Jens Link
Matt Hoppes  writes:

> Had a previous employee or I discovered it on the network segment after
> we had some weird routing issues and had to get that cleaned up. I don't
> know why anyone would do that when there is tons of private IP space.

Excuse 1: "We'll never connect to the internet!"

Excuse 2: "It's only temporary!"

Excuse 3: Typo (At some customer's customer I found 192.!168 addresses which
  were apparently a typo but in use for years so nobody wanted
  to change it.) I also know one company who is using (has
  used?) 2001:8db::/48. I suggested to get v6 PI and properly
  implement IPv6 but never heard from them again.

Excuse 4: "We used the addresses from our training material." - I heard
  this story some time ago: A large German government agency
  wanted to implement IP(v4) and the people attended a course
  about this new TCP/IP stuff at $Vendor. The training material
  was prepared by a student who was using his university's /16 as
  an example. 

BTW: Is the Cisco WLC 1.1.1.1 as default address for DHCP?

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: IEEE OUI regauth (search ?) site

2015-12-09 Thread Jens Link
Brandon Applegate  writes:

Hi,

> Anyone have any insight on how one can look up an OUI (yes I know about
> oui.txt, but I’m asking about a live query site).

https://www.wireshark.org/tools/oui-lookup.html  ?

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: Frontier: Blocking port 22 because of illegal files?

2015-03-26 Thread Jens Link
Stephen Satchell l...@satchell.net writes:

> It's been a while since I did this, but you can select an additional
> port to accept SSH connections.

That's easy: 

jens@screen:~$ grep Port /etc/ssh/sshd_config  
Port 22
Port 443
 
> Picking the right port to use is an exercise, though, that will depend
> on what other services you are running on your server.

I always have at least one sshd listening on port 443. For all the
hotel, coffee house, customer networks blocking ssh.  

You can even multiplex and run ssh and ssl on the same port:

http://www.rutschle.net/tech/sslh.shtml

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@jabber.quux.de | ---  | 
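
Sharing one port between ssh and ssl, as in the message above, depends on telling the two apart from the first bytes a client sends; the same check lets a sensor notice SSH on port 443. The sketch below is an added example, not code from the post or from sslh, and the function name and labels are assumptions made for illustration.

```python
# Added example (not from the original post): classify the first bytes a
# client sends on a port that may carry either SSH or TLS.
# classify_first_bytes() and its labels are hypothetical names.

SSH_PREFIX = b"SSH-"


def classify_first_bytes(data: bytes):
    """Return (label, detail); label is 'ssh', 'tls', 'need_more' or 'other'."""
    if not data:
        # Nothing received yet: no decision is possible.
        return ("need_more", "client has sent nothing yet")

    # RFC 4253 section 4.2: both sides send an identification string
    # "SSH-protoversion-softwareversion" terminated by CR LF.
    if data.startswith(SSH_PREFIX):
        if b"\n" not in data:
            return ("need_more", "SSH identification line not complete")
        line = data.split(b"\n", 1)[0].rstrip(b"\r")
        parts = line.split(b"-", 2)
        if len(parts) < 3:
            return ("other", "malformed SSH identification line")
        return ("ssh", "protocol %s, software %s" % (
            parts[1].decode("ascii", "replace"),
            parts[2].decode("ascii", "replace")))
    if SSH_PREFIX.startswith(data):
        # Only "S", "SS" or "SSH" so far: could still become an SSH banner.
        return ("need_more", "possible start of an SSH identification line")

    # TLS record header: content type (1 byte, 22 = handshake),
    # version (2 bytes, major 3), length (2 bytes); the first handshake
    # message from a client is a ClientHello (type 1).
    if data[0] == 0x16:
        if len(data) < 6:
            if data[1:2] in (b"", b"\x03"):
                return ("need_more", "TLS record header not complete")
            return ("other", "handshake byte without TLS version")
        major, minor = data[1], data[2]
        record_len = int.from_bytes(data[3:5], "big")
        if (major == 3 and minor <= 4 and data[5] == 0x01
                and 0 < record_len <= 16384):
            return ("tls", "ClientHello, record version 3.%d, %d bytes"
                    % (minor, record_len))

    return ("other", "neither an SSH banner nor a TLS ClientHello")


# Constructed sample inputs (not captured traffic).
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.6\r\n"
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4])
SAMPLE_HTTP = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_SSH, SAMPLE_TLS, SAMPLE_HTTP, b"SS", b""):
        print(sample[:12], classify_first_bytes(sample))
```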



Re: Scotland ccTLD?

2014-09-17 Thread Jens Link
Owen DeLong o...@delong.com writes:

> On Sep 16, 2014, at 8:55 AM, Majdi S. Abbas m...@latt.net wrote:
>
>> su is not available.
> I think it is now, since the break up of the Soviet Union.

A friend told me that .su domains are quite common in windows
environments after the admins discovered that .local is not a good
choice. ;-)

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@jabber.quux.de | ---  | 



Re: Scotland ccTLD?

2014-09-17 Thread Jens Link
David Conrad d...@virtualized.org writes:

>> A friend told me that .su domains are quite common in windows
>> environments after the admins discovered that .local is not a good
>> choice. ;-)
>
> That would be an *exceptionally* bad idea.

I agree. On the other hand: People pay me to fix network problems,
including DNS. 

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@jabber.quux.de | ---  | 



Re: It's the end of the world as we know it -- REM

2013-04-23 Thread Jens Link
Valdis Kletnieks valdis.kletni...@vt.edu writes:

and I feel fine

> I didn't see any mention of this Tony Hain paper:
>
> http://tndh.net/~tony/ietf/ARIN-runout-projection.pdf
>
> tl;dr: ARIN predicted to run out of IP space to allocate in August this
> year.
>
> Are you ready?

Personally? Yes! Customer side? No! Well except for some.

But at least here in Germany some companies (!= ISPs) noticed this IPv6
thing and now are looking for people to support them. Problem is: They
don't want to pay for it (e.g. less or equal to the usual hourly rate
or any other kind of project).

Two weeks ago: 

We need someone for a two day IPv6 workshop in two weeks!

Yesterday: 

We need someone for a two day IPv6 workshop this week!

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Common operational misconceptions

2012-02-17 Thread Jens Link
Mark Grigsby m...@pcinw.net writes:

> Speaking in the context of configuring an ipsec tunnel..

Once upon a time: 

Admin: We need Port 50 and Port 51 for the tunnel!
Me:    You mean IP protocol 50 and 51?
Admin: It's the same! You have no clue!

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-
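
The difference the exchange above turns on, shown on packets: ESP and AH are IP protocol numbers 50 and 51 in the IPv4 header and carry no port fields, so a filter rule written for "port 50" never matches them. This is an added example, not part of the original post; the packets, addresses and rule format are constructed for illustration.

```python
# Added example (not from the original post): IP protocol number vs. port.
# All packets below are constructed; the rule dictionaries are a
# hypothetical format used only for this illustration.
import socket
import struct

IP_PROTO_NAMES = {6: "tcp", 17: "udp", 50: "esp", 51: "ah"}


def build_ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.1"):
    """Build a minimal IPv4 packet (no options, checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(packet):
    """Extract the protocol field and, where they exist, ports or SPI."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]              # byte 9 of the header: protocol number
    payload = packet[ihl:]
    info = {"ip_proto": proto, "name": IP_PROTO_NAMES.get(proto, "other"),
            "sport": None, "dport": None, "spi": None}
    if proto in (6, 17) and len(payload) >= 4:
        # Only TCP and UDP start with source and destination ports.
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    elif proto == 50 and len(payload) >= 8:
        # ESP starts with SPI and sequence number, no ports.
        info["spi"] = struct.unpack("!I", payload[:4])[0]
    elif proto == 51 and len(payload) >= 12:
        # AH: next header, length, reserved, then SPI.
        info["spi"] = struct.unpack("!I", payload[4:8])[0]
    return info


def permitted(packet, rules):
    """First-match permit list; anything unmatched is dropped."""
    info = parse_ipv4(packet)
    for rule in rules:
        if rule["ip_proto"] != info["ip_proto"]:
            continue
        if "dport" in rule and rule["dport"] != info["dport"]:
            continue
        return True
    return False


# What "Port 50 and Port 51" turns into on a filter: TCP/UDP port matches.
PORT_RULES = [{"ip_proto": p, "dport": d} for p in (6, 17) for d in (50, 51)]
# What the tunnel needs: the two IP protocols themselves.
PROTOCOL_RULES = [{"ip_proto": 50}, {"ip_proto": 51}]

ESP_PACKET = build_ipv4(50, struct.pack("!II", 0x1000, 1) + b"\x00" * 16)
AH_PACKET = build_ipv4(51, struct.pack("!BBHII", 50, 4, 0, 0x2000, 1)
                       + b"\x00" * 12)
UDP_PORT50_PACKET = build_ipv4(17, struct.pack("!HHHH", 40000, 50, 8, 0))

if __name__ == "__main__":
    for name, pkt in (("ESP", ESP_PACKET), ("AH", AH_PACKET),
                      ("UDP/50", UDP_PORT50_PACKET)):
        print(name, parse_ipv4(pkt),
              "port rules:", permitted(pkt, PORT_RULES),
              "protocol rules:", permitted(pkt, PROTOCOL_RULES))
```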



Re: Common operational misconceptions

2012-02-17 Thread Jens Link
Mathias Wolkert t...@netnod.se writes:

> Autoneg. The old timers that don't trust it after a few decades of
> decent code. Or those that lock one side and expect the other to adjust
> to that.

Autoneg is black magic. Doesn't work. You have to manually configure duplex
and speed on one side 1!

SCNR

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: common time-management mistake: rack stack

2012-02-17 Thread Jens Link
Jeff Wheeler j...@inconcepts.biz writes:

> With apologies to Randy, let the CCNAs fight with label makers.

Yeah. And you need to be at least CCNP to switch a module in a router.

Had this request last year. I first thought that some troubleshooting /
configuration was involved but it was just replacing a module.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Common operational misconceptions

2012-02-17 Thread Jens Link
Leo Bicknell bickn...@ufp.org writes:

> I've repeatedly asked $BIG_COLO_PROVIDERS to offer a vending machine
> in the lobby next to the one with sodas that sold Cat 5, Fiber,
> SFP's, USB sticks, and so on.

Hmm.

http://gearomat.com/

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: WW: Colo Vending Machine

2012-02-17 Thread Jens Link
Leo Bicknell bickn...@ufp.org writes:

> USB-Serial adapters.  Preferably selected so they are driverless on
> both OSX and Windows. :)
   ^^^

Wahahahaha There is no such thing. 

I've seen people reinstalling their Windows after trying to use another
USB-Serial adapter. I also have seen people running a Linux VM so they
can use a USB-Serial adapter they borrowed from me.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Common operational misconceptions

2012-02-17 Thread Jens Link
Owen DeLong o...@delong.com writes:

> 1. When the only tool you have is a hammer, you try to mold every problem
>    into a nail.

Ack.

> 2. When you only know a procedure for doing something and don't understand
>    the fundamentals of why X is supposed to occur at step Y, then when you
>    get result A instead of X, your only options are to either continue to
>    step Z and hope everything turns out OK, or, go back to an earlier step
>    and hope everything works this time.

But procedures are important. How else can you get enough exper^Widiots
working for little money. Big Macs vs. The Naked Chef is great:

http://www.joelonsoftware.com/articles/fog24.html


> 3. Troubleshooting skills are limited to knowing the number of the
>    vendor's help desk.

There are no problems! Can't be. And if there are they hire external
experts. BTDT. Those are well paid jobs.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: WW: Colo Vending Machine

2012-02-17 Thread Jens Link
Sven Olaf Kamphuis s...@cb3rob.net writes:

> 3.5 HD floppies (yes, they're still around ;)

Really? I thought Deutsche Bahn was the last company using
them: Unfortunately we can't display reservation information.

Okay, knowing Deutsche Bahn the disks might not be 3,5. ;-)


Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-27 Thread Jens Link
valdis.kletni...@vt.edu writes:

> Does anybody actually *have* a functional 7 track drive?

Maybe the people running http://www.cray-cyber.org have one.

(If you ever come to Munich, try to visit this museum.) 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Switching Email

2011-03-12 Thread Jens Link
William Herrin b...@herrin.us writes:

> Anyone have a list of MUAs that actually support RFC 2369 with
> subscription management widgets in the GUI? Surely someone has written
> one but I can't seem to find any documentation to that effect.

Gnus? 

Jens, Gnus user since 1999 
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Switching Email

2011-03-12 Thread Jens Link
William Herrin b...@herrin.us writes:

> and you have to read the mail in Microsoft Lookout, interspersed with
> work-oriented messages from your boss and colleagues. With Outlook
> popping new-message-notifications up on the projector while you try to
> give a presentation during a meeting, each containing the sender and
> message subject...

Well I try to avoid Outlook, but even I was able to create some basic
filter rules during my last project (where I was forced to use it).

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Looking for an IPv6 naysayer...

2011-02-10 Thread Jens Link
George Bonser gbon...@seven.com writes:

> In other words, the broadband provider provides a single global IP to
> the always up CPE.  That CPE does DHCP to user stations and hands out
> 1918 addresses and NATs them to the single global IP.

Ah there is the misunderstanding. Same here in good old Europe. If you
pay for it you'll get more than one public IP. I thought you were talking
about the CPE getting an RFC1918 address and then hand out RFC1918
addresses to the inside as well and (maybe) another instance of NAT
along the way.

Well yes, there are providers which are already doing this.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Looking for an IPv6 naysayer...

2011-02-10 Thread Jens Link
Mark Andrews ma...@isc.org writes:

> DS-Lite over 6rd using RFC 1918 / multi-use ISP assigned block
> (I'd love to be able to say class E here) provides a single NAT
> translation for IPv4 and public IPv6.

Okay, it's 10:15 in the morning and I really want a drink know. ;-) 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Strange L2 failure

2011-02-10 Thread Jens Link
Jack Bates jba...@brightok.net writes:

Hi,

a little late, but just catching up on the list.

> Has anyone seen issues with IOS where certain MACs fail?
>
> 54:52:00 (kvm) fails out an old 10mbit port on a 7206 running 12.2
> SRE. I've never seen anything like this. DHCP worked, ARP worked, and
> arp debugging showed responses for arp to the MAC, however, tcpdump on
> the host system

I had something similar using a Catalyst 3550. Very simple setup:

Host  - Cat3550 - Router

You could see arp-request from the host to the router and arp-replies
from the router using tcpdump, but the arp-replies didn't make it to the
host. No change in the interface counters on the switch either. 

When using a static arp-entry on the host and then pinging the router you
could see the echo-requests and echo-replies there but still no answers.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Looking for an IPv6 naysayer...

2011-02-10 Thread Jens Link
Jens Link li...@quux.de writes:

> Okay, it's 10:15 in the morning and I really want a drink know. ;-)

s/know/now/ 

I think I'll need more coffee.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Looking for an IPv6 naysayer...

2011-02-10 Thread Jens Link
Daniel Roesen d...@cluenet.de writes:

> And quite important for residential ISPs of some size: have fun teaching
> your call centers diagnosing double-NAT failure modes.
>
> NAT444 is a hell I don't want to visit really.

No it's great! It's secure! It's easy to implement! It's the only way to
do it right!

Till the end of the month I'm working for a rather large
enterprise customer and they use NAT, NAT NAT, NAT NAT NAT, and even
NAT NAT NAT NAT connections for their VPN. They claim that it's
easy. I think it isn't and I really need to get drunk after
troubleshooting such a problem. So I must be stupid, because NAT is so
*easy*.

On the other hand, when you tell them about IPv6 they say it's too
complicated and that they don't need it.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Looking for an IPv6 naysayer...

2011-02-09 Thread Jens Link
Scott Helms khe...@ispalliance.net writes:

> IPv6 for some ISPs will be extraordinarily painful because of legacy
> layer 2 gear

I don't feel sorry for them. We know that IPv6 is coming for how long?
15 years? 10 years? 5 years? Well if you only read the mainstream media you
should have read something about this new Internet thing about two years
ago. And still many people fear IPv6 or think they can still wait for
another couple of years.

> For ISPs in this circumstance the choice will be CGNAT rather than IPv6
> for a number of years because the cost is much lower and according to
> the vendors selling CGNAT solutions the impact to end users is (almost)
> unnoticeable.

Costs might be lower but service will be worse. NAT breaks a lot of
applications: file sharing will not work properly and running your own
web server at home will not work properly. Well you always get what you
pay for and people will buy any crap if it is cheap enough.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Top webhosters offering v6 too?

2011-02-09 Thread Jens Link
Tim Chown t...@ecs.soton.ac.uk writes:

> Which of the big boys are doing it?

Strato in Germany. They offer IPv6 for dedicated servers now. I was told
that the implementation for their shared hosting (about one million
domains) is almost finished and that they also offer IPv6 for virtual
servers (problems with the vendor).

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Looking for an IPv6 naysayer...

2011-02-09 Thread Jens Link
david raistrick dr...@icantclick.org writes:

> And at what point during that time did they have any vendor gear they
> could purchase that -would- support v6?   At -best- during the last 5
> years, but I'd put money on that even today they can't purchase gear
> with adequate v6 support.

Another chicken and egg problem here. Customers have no demand for IPv6,
vendors don't implement it. Vendors don't implement it, customers don't
use it.

Sad but true. Right now I have two TAC requests open with Cisco
regarding IPv6 problems on the ASA. Ever tried traceroute to a
dual-stacked or IPv6 only host? ;-)

Jens
BTW: No need to cc me I'm reading the list.
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Looking for an IPv6 naysayer...

2011-02-09 Thread Jens Link
Jason Bertoch ja...@i6ix.com writes:

> I'm not sure about your part of the world, but the economy has been
> terrible in mine.  Even in a good economy, DSL margins don't afford the
> ability to replace your network every two years.

Same thing here in Germany. DSL providers fighting for the lowest price
and customers thinking that free service is still too expensive.

> In fact, spending on new gear all but halted for us over the last 6
> years.  While everyone is still figuring out best practices for IPv6
> rollout today, how difficult would it have been to plan and purchase
> the exact equipment that long ago?

Yeah. But they could have made plans and demanded working equipment from
the vendors. 

> Was the right equipment even available for a production environment?

No, and in some cases it is still not available today.

> Not only that, but cheap CPE equipment that supports IPv6 still hardly
> exists today, and all of that will need replacing.

In Europe: Fritzbox from AVM. Almost all the big vendors have their own
branded version of it. And the latter versions do support IPv6 quite
well. 

> In addition, what about IP phones and the customer that just replaced
> their entire phone system?  Are they going to want to do that all over
> again by the end of the year?

You don't have to replace everything at once. But you have to start
somewhere.

> No, IPv6 rollout is going to be extremely expensive and will likely put
> a number of smaller operations out of business.

I know several smaller ISPs which offer IPv6 for years. Sure the eyeball
providers can hardly beat the cheap prices of the big players. But they
do offer individual and good service. 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Looking for an IPv6 naysayer...

2011-02-09 Thread Jens Link
George Bonser gbon...@seven.com writes:

> While that is true, it is no worse than the situation right now.  In the
> US, the vast majority of users are already behind a NAT (I would say
> over 90% of them are) so they are already experiencing this breakage.

I never thought it was that bad. In some 3G/wireless networks in Germany
the providers use NAT and transparent HTTP-proxy. But this is only
wireless. I'm not aware of any DSL or Cable provider NATing their
customers. 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Only 5x IPv4 /8 remaining at IANA

2010-10-21 Thread Jens Link
Owen DeLong o...@delong.com writes:

> All well and good until some of their customers are on IPv6...
> Then what?

Someone will build an appliance to deal with this problem. ;-) 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Only 5x IPv4 /8 remaining at IANA

2010-10-19 Thread Jens Link
valdis.kletni...@vt.edu writes:

> Those people are next on my hit list, after we've finally eliminated those
> who still talk about class A/B/C addresses. :)

You are going to kill about 90% of all net-/sysadmins? 

SCNR

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Only 5x IPv4 /8 remaining at IANA

2010-10-19 Thread Jens Link
valdis.kletni...@vt.edu writes:

>> You are going to kill about 90% of all net-/sysadmins?
>
> Do you *really* want somebody working on your network that gets confused by a
> reference to 213/8 because it's in Class-C space?

Don't get me wrong. I like the idea. Especially after the discussion I had
with someone this afternoon.

> And Cisco is still teaching it is *not* an excuse

Windows and Linux ifconfig are still using it. Enter a Class-A/B/C
address and take a look at the mask they suggest.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Definitive Guide to IPv6 adoption

2010-10-18 Thread Jens Link
Dobbins, Roland rdobb...@arbor.net writes:

> Eric Vyncke's IPv6 security book is definitely worthwhile,
>
> http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945

A good companion to Eric's book is Deploying IPv6 Networks 

http://www.ciscopress.com/bookstore/product.asp?isbn=1587052105

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Looking Glass

2010-09-07 Thread Jens Link
James Bensley jwbens...@gmail.com writes:

> Hmm, Google says you could use http://www.zebra.org/ to set your box
> up as a route, and then you can just view the routes from there?

Aehm, Zebra is dead. Quagga is the successor.

Last change date on zebra.org website is 5 years old.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Other NOGs around the world?

2010-08-22 Thread Jens Link
Rogelio scubac...@gmail.com writes:

> What other network operator groups are there around the world (besides
> NANOG)?

PLNOG, http://www.plnog.pl

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Addressing plan exercise for our IPv6 course

2010-07-25 Thread Jens Link
Owen DeLong o...@delong.com writes:

>> for NAT. Enterprises of non-trivial size will likely use RFC4193 (and I
>> fear we will notice PRNG returning 0 very often) and then NAT it to
>> provider provided public IP addresses.
>
> Why on earth would you do that? Why not just put the provider-assigned
> addresses on the interfaces along side the ULA addresses? Using ULA
> in that manner is horribly kludgy and utterly unnecessary.

To state the obvious: People are stupid. 

>> This is to facilitate easy and cheap way to change provider. Getting PI
>> address is even harder now, as at least RIPE will verify that you are
>> multihomed, while many enterprises don't intent to be, they just need low
>> cost ability to change operator.
>
> Why is that easier/cheaper than changing your RAs to the new provider and
> letting the old provider addresses time out?

Well it's not cheaper but using NAT (and multiple NAT) leads to job
security as nobody else will understand the network. BTST.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Addressing plan exercise for our IPv6 course

2010-07-25 Thread Jens Link
Saku Ytti s...@ytti.fi writes:

> RFC4193 + NAT quite simply is what they know and are comfortable with.

NAT is *not simple*. NAT adds one more layer of complexity. When
using multiple NAT things get worse. 

In most cases people don't want or need NAT they are just used to it and
old habits die hard.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Addressing plan exercise for our IPv6 course

2010-07-25 Thread Jens Link
Owen DeLong o...@delong.com writes:

>> You know that, I know that and (hopefully) all people on this list know
>> that. But NAT == security was and still is sold by many people.
>
> So is snake oil.

Ack, but people are still buying snake oil too.

>> After one of my talks about IPv6 the firewall admins of a company said
>> something like: So we can't use NAT as an excuse anymore and have to
>> configure firewall rules? We don't want this.
>
> So how did you answer him?

To be honest: I don't remember. I got drunk that evening. ;-) 

> The correct answer is No, you don't have to configure rules, you just need
> one rule supplied by default which denies anything that doesn't have a
> corresponding outbound entry in the state table and it works just like NAT
> without the address mangling.

They used NAT as an excuse not to let some applications to the
outside. 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Addressing plan exercise for our IPv6 course

2010-07-23 Thread Jens Link
Owen DeLong o...@delong.com writes:

> In all reality:
>
> 1. NAT has nothing to do with security. Stateful inspection provides
>    security, NAT just mangles addresses.

You know that, I know that and (hopefully) all people on this list know
that. But NAT == security was and still is sold by many people. 

> Most customers don't know or care what NAT is and wouldn't know the
> difference between a NAT firewall and a stateful inspection firewall.

I agree. But there are also many people who want to believe in NAT as
security feature.

After one of my talks about IPv6 the firewall admins of a company said
something like: So we can't use NAT as an excuse anymore and have to
configure firewall rules? We don't want this.

cheers

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-
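
The rule discussed in the two messages above (deny anything inbound that has no corresponding outbound entry in the state table, with no address mangling) can be modelled in a few lines. This is an added example, not code from the thread; the class, the prefixes (documentation space) and the idle timeout are assumptions made for illustration.

```python
# Added example (not from the original thread): a stateful filter that
# gives the "nothing unsolicited gets in" property people attribute to NAT,
# without rewriting any address. Names, prefixes and timeout are hypothetical.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Edge filter: outbound creates state, inbound needs matching state."""

    def __init__(self, inside_prefix, idle_timeout=300):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.idle_timeout = idle_timeout
        self.state = {}   # flow key -> time the flow was last seen

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    @staticmethod
    def _key(proto, in_addr, in_port, out_addr, out_port):
        # Keyed from the inside host's point of view, addresses normalised
        # so that different spellings of one IPv6 address compare equal.
        return (proto, ipaddress.ip_address(in_addr), in_port,
                ipaddress.ip_address(out_addr), out_port)

    def handle(self, pkt, now):
        """Return 'accept' or 'drop'; the packet itself is never modified."""
        # Expire idle flows first.
        self.state = {k: t for k, t in self.state.items()
                      if now - t <= self.idle_timeout}

        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: allowed, and remembered.
            key = self._key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.state[key] = now
            return "accept"

        if self._is_inside(pkt.dst) and not self._is_inside(pkt.src):
            # Inbound: only as a reply to a remembered outbound flow.
            key = self._key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.state:
                self.state[key] = now
                return "accept"
            return "drop"

        # Anything else should not cross this edge at all.
        return "drop"


def demo():
    """Run constructed packets through the filter and return the verdicts."""
    fw = StatefulFilter("2001:db8:1::/48", idle_timeout=300)
    host, server, stranger = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:ffff::66"
    outbound = Packet("tcp", host, 51000, server, 443)
    reply = Packet("tcp", server, 443, host, 51000)
    unsolicited = Packet("tcp", stranger, 40000, host, 22)
    spoofed_port = Packet("tcp", server, 443, host, 51001)
    return [
        fw.handle(outbound, now=0),       # creates state
        fw.handle(reply, now=1),          # matches state
        fw.handle(unsolicited, now=2),    # no state
        fw.handle(spoofed_port, now=3),   # right peer, wrong inside port
        fw.handle(reply, now=1000),       # state expired after idle timeout
    ]


if __name__ == "__main__":
    print(demo())
```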



Re: Overseas - Latency

2010-07-07 Thread Jens Link
Caleb Tennis caleb.ten...@gmail.com writes:

> I saw this earlier this morning, not sure if it relates to you or not:
>
> http://www.telegeography.com/cu/article.php?article_id=33597

Well that's Africa and most unfortunate for all the soccer fans
there. 

jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Overseas - Latency

2010-07-07 Thread Jens Link
Rod Beck rod.b...@hiberniaatlantic.com writes:

 There are several cable systems landing in South Africa. I doubt it will
 affect television coverage ...

TV is not an issue, Internet is. At least that's what I read in an
article yesterday. According to the article I read many (smaller)
providers there have only one connection and another cable connection
is not ready yet.

I found some news here: http://www.techcentral.co.za/tag/seacom/

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Network Documentation

2010-06-29 Thread Jens Link
Tarig Yassin tariq198...@hotmail.com writes:

First: *PLEASE* do not start a new thread by replying to a mail and
changing the subject. There is something called reference header which
allows real mail clients (read: not Outlook or Notes) to do
threading. This makes it much easier to read large amounts of mail.

 I am curious as to how others are documenting their network; both
 visually and configurations.

 Is there any a software offers a database with web-based front end that
 can document in a very details.

Most people I know use a wiki for documentation and rancid for
configuration management. If you want to access your configurations via
web you can use rancid + webcvs. 

There are also several database based tools for ip address
management. Check the list archives for details.  

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Recommendation in Australia for ISPs to force user security?

2010-06-22 Thread Jens Link
Joel Jaeggli joe...@bogus.com writes:

 not sure how they propose to enforce that, instrumentation approaches
 that look inside the home gateway have a non-trivial false positive rate
 and you've got a lot more hosts than ip addresses.

Well you force your users to install some software to control that you
have a current anti virus and a firewall in place. This software will
only run for certain versions of Windows and will have quite a lot of
CVE entries.

I will never get access to such a network. I don't use anti virus and I
don't have a firewall on my Laptop (by default I'm only running sshd and
if I need a (t)ftpd I start it manually).

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: List of a useful tools for network architects

2010-06-21 Thread Jens Link
Pavel Dimow paveldi...@gmail.com writes:

 Hi,

 I am wondering what tools you consider most valuable when designing big
 network from scratch or perform a migration? 

White board and a digital camera to document the drawings. Pen and paper
are also a very important tool. 

 For example I would like to know is there a tool that will perform
 basic sanity checks like network equipment without redundant link or
 without link at all...

Well there is my head and a couple of years experience. ;-)

 I know that the one who design a network have to consider all this
 issues but some automatic check will save some time for sure...

Discuss your design with others. There is always more than one way to
design a network.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Literatur hint needed

2010-06-16 Thread Jens Link
Matthias Flittner matthias.flitt...@de-cix.net writes:

 Hi Folks,

 I'm searching an fundamental book about how to (inter)connect two
 networks. It should be about how to connect your business network in a
 secure and reliable way to the internet. The book should contain some
 theoretical basics and common used practices. Focus is how to design such
 an network transfer point.

The Illustrated Network: How TCP/IP Works in a Modern Network
(ISBN-13: 978-0123745415) should cover this topic.

cheers,

Jens 
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Monitoring Tool

2010-06-14 Thread Jens Link
Thorsten Dahm t.d...@resolution.de writes:

 The usual suspects in the open source world would be nagios, cacti,
 mrtg, netflow, ... 

There is no tool called netflow. ;-)  To collect and analyze netflow
data I'd recommend nfdump.sf.net and nfsen.sf.net as open source
solution.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: 1slash8 pollution

2010-06-14 Thread Jens Link
Tom bifr...@minions.com writes:

 DHCPACK from 1.2.1.3

 Perhaps someone should mention this to the hotel? :)

I've seen DHCPACK from 1.1.1.1. I was told it's the default value of a
Cisco WLAN Controller. There are more things broken in most hotel
WLANs. 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: IP Address Management Tool

2010-06-01 Thread Jens Link
D C cassel...@gmail.com writes:

 I am looking for a better way to manage IP addresses.  I am currently using
 an excel spreadsheet, but this is becoming cumbersome as more and more
 addresses are being added.  Does anyone have any recommendations?

Somebody recommended http://sourceforge.net/projects/haci/ recently,
haven't time to try it.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: looking glass

2010-05-25 Thread Jens Link
Randy Bush ra...@psg.com writes:

 is there a decent looking glass package that does not fill my machine
 with trash?

Haven't tried it but what about RANCID?

http://www.shrubbery.net/rancid/man/lg_intro.1.html

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Jens Link
John Levine jo...@iecc.com writes:

 I'm not saying that NAT is wonderful, but my experience, in which day
 to day stuff all works fine, is utterly different from the doom and
 disaster routinely predicted here.

Ever tried to troubleshoot networks which were using multiple NAT?
Every time I have to I'll have the urge to get really drunk afterwards. 

And when ISPs start using NAT for their customers, there will be more
problems leading to more support calls. 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Jens Link
John R. Levine jo...@iecc.com writes:

 Did you run any services?

 Of course not, it's consumer DSL.  I run services on my server which is
 somewhere else and tunnel in via ssh which, of course, works fine
 through NAT.

Take a look at all those small SOHO storage boxes. They all offer web
and FTP services and they all support something like dyndns. Customers
want these features and are using these features. 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Books for the NOC guys...

2010-04-02 Thread Jens Link
Robert E. Seastrom r...@seastrom.com writes:

 So, what are you having your up-and-coming NOC staff read?

http://www.amazon.com/Illustrated-Network-Modern-Kaufmann-Metworking/dp/0123745411/

I think it's quite good and covers many modern topics. One drawback:
It mentions ethereal and not wireshark. At the time of writing ethereal
must have been dead for about 2 years.

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Home CPE choice

2010-04-01 Thread Jens Link
Charles N Wyble char...@knownelement.com writes:

 Should one get a real cisco router? The 877 or something? 

871 works very well here. You may find one cheap on eBay. But *don't* get
an 861. Last time I checked there was no IOS with IPv6 support for this
model. 

 My current home router is a cisco 1841. I keep my 6mbps DSL line pretty
 much saturated all the time. Often times my wife will be watching Hulu
 in the living room, I'll be streaming music and running torrents
 (granted I have tuned my Azures client fairly well) all at the same time
 and it's a good experience.  

If it's working stick to it. ;-)

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Home CPE choice

2010-04-01 Thread Jens Link
Charles N Wyble char...@knownelement.com writes:

 Have you tried pfsense, or do you find the built in
 functionality/configuration system to be sufficient? 

AFAIK IPv6 is not supported via the GUI, but everything else is okay.
   
Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Posting from freebie E-mail Accounts

2010-03-31 Thread Jens Link
jim deleskie deles...@gmail.com writes:

Hi,

 I'm betting more than a few of us use free mail accts to keep this separate
 from our work mail.  

As a positive side effect there are fewer Out of Office replies when
people use different accounts for normal work mail and mailing lists. 

 If you're really having that much issue, config your mail server to drop
 it yourself or unsub

Or use a decent mail client which allows scoring and / or kill files. 

cheers,

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Finding content in your job title

2010-03-31 Thread Jens Link
Steve Bertrand st...@ibctech.ca writes:

 For instance, I like to present myself as a 'network engineer'. I have
 never taken formal education, don't hold any certifications (well, since
 2001), and can't necessarily prove my worth.

Hey, network engineer is good. Some time back someone gave me the title 
senior executioner security engineer. They even sent a document to a
customer with this title. 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: IPv6 in Education Question

2010-03-17 Thread Jens Link
Todd Christell tchrist...@springnet.net writes:

 So I'm giving an introductory talk on IPv6 for a state wide conference
 for tech coordinators for education.  I have the usual catechism of
 reasons/advantages from the network side but was wondering if there were
 any good education specific applications of v6.  My major goal is to
 help them understand the situation so that they can make use of the base
 of educators in our state to help spread the word about IPv6.

It's not a question of if but when IPv6 will be used on large scale in
the Internet. So, from the educational side it's beneficial if students
learn about IPv6.

So much for the theory 

I did quite a number of presentations on IPv6, some of them at
university in Germany (not as some official talk but some user group /
some students asked me to). Some quotes:

We don't have time for this.

Well our network equipment is 14 years old, we don't have a budget for
 new stuff.

We'll implement IPv6 in 13 years, it's when my colleague retires.

/me: Cool. You have IPv6.
Professor: I configured the tunnel myself. Our network people don't this the
topic.

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: Network Naming Conventions

2010-03-16 Thread Jens Link
Bill Stewart nonobvi...@gmail.com writes:

 - Tolkien characters (one of the reasons for DNS was that too many
 people wanted to name their machine frodo or mozart.)

Discworld characters are also quite common.

For my own systems I use names of single malts.

cheers

Je 'typing on Bowmore' ns
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: IP4 Space

2010-03-10 Thread Jens Link
Owen DeLong o...@delong.com writes:

 denial
 anger
 bargaining
 depression
 acceptance--- My dual-stacked network and I are here.

So am I. But most IT people I talk to are still at the denial phase. And
there is not much one can do about it. 

Jens, 566 days to go
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: IP4 Space

2010-03-10 Thread Jens Link
Owen DeLong o...@delong.com writes:

 I spend much of my time talking to groups of people about this.  I
 have managed to get several members of such groups from denial to
 bargaining and sometimes even depression in a single session.

I did several presentations about IPv6 basics myself and there was very
positive feedback but those people already had an interest in IPv6.

I always quote an admin from a big German university: We'll start with
IPv6 in 13 years. It's when my colleague retires.

 On rare occasion, acceptance even starts to set in.

That's true. I did one presentation, had a two hour train ride
with someone from the audience and a couple of days later I got an
email from him that his company network is running IPv6.

But this is one person from a couple of hundred.

 I think it is getting better and continuing to talk about it will help.

That's also true and I'm looking forward to this weekend when I once again
will try to tell people why they should learn IPv6 now.

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: Ticket/Asset Managment system

2010-02-12 Thread Jens Link
Brandon Grant bran...@momentous.ca writes:

 Also, I am hoping to find a tool that can tie in with SNMP software so
 I can have tickets auto-generated for certain types of SNMP traps or
 polling failures.

Do it the other way round: Use something like Nagios, Zabbix or Icinga
for monitoring and if a fault is detected let the monitoring system 
send a message to your ticket system. 

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: Using /31 for router links

2010-01-23 Thread Jens Link
Florian Weimer f...@deneb.enyo.de writes:

 Bad.  For some systems, such tricks work to some degree only due to
 lack of input validation, and you get failures down the road (ARP
 ceases to work, packet filters are not applied properly and other
 fun).

I never had any problems using Cisco to Cisco, Linux to Linux or Cisco
to Linux using /31. Only problem I encountered was when a Linux based
router was replaced by a Windows box (please don't ask). 

cheers

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: Using /31 for router links

2010-01-23 Thread Jens Link
Chris Costa cco...@cenic.org writes:

 We recently did a backbone router upgrade and the vendor surprisingly
 didn't support /31's.  

Mind dropping a name?

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: Foundry CLI manual?

2010-01-23 Thread Jens Link
Richard A Steenbergen r...@e-gerbil.net writes:

 Ironically enough the manuals themselves are accessible without a login,
 but the list of manuals is not. 

Ouch. Personally I don't like it when companies hide documentation or
require me to register (or even get a support contract) to read the
documentation. On the other hand there are several vendors that are very
forthcoming, vendors that even send you test equipment for free.

Guess which companies I'm recommending to customers.

cheers

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: Breaking the internet (hotels, guestnet style)

2009-12-09 Thread Jens Link
Owen DeLong o...@delong.com writes:

 I expect my connections to my mail server to actually reach my mail
 server.  I use TLS and SMTP AUTH as well as IMAP/SSL.  Many of the just
 works settings in question break these things badly.

One of my customers has an appliance for his WLAN guest access
which filters out  records. :-( 

j...@bowmore:~$ dig  www.quux.de @8.8.8.8 +short
j...@bowmore:~$ 

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-08 Thread Jens Link
Jorge Amodio jmamo...@gmail.com writes:

 I guess Cisco's 800's are out of the Consumer Grade price range, but
 any comments about v6 support on them and how they compare with other
 options.

Once you find the right IOS version they are working great. ;-) 

I had to upgrade my router @home in order to use IPv6 on the wireless
lan. Interface configuration wasn't accepting any ipv6 commands. 

cheers 

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-08 Thread Jens Link
Brandon Ewing nicot...@warningg.com writes:

 Can you comment on what version you got it to work on?  I haven't futzed
 with it much, but with 12.4(24)T2, you can't put an ipv6 address directly on
 the wireless subinterface.  I tried putting it on a BVI interface, but 
 didn't have much luck.

Version 12.4(20)T1 works

interface Dot11Radio0
 !
 ipv6 address 2001:db8:9F6B:2::1/64
 ipv6 enable
 ipv6 nd prefix 2001:db8:9F6B:2::/64

cheers

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: Simple Change Management Tracking

2009-10-26 Thread Jens Link
Paul Stewart pstew...@nexicomgroup.net writes:

 Thanks - we're not really looking for so much a ticketing system as more
 of a change management approval system I guess.  

That's why I suggested OTRS only after RT was mentioned. CheckPoint R70.1
has something like this built in but it's only for Check Point and there
is (IMHO) a lot of functionality missing. And it's rather slow.

cheers

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: ISP customer assignments

2009-10-05 Thread Jens Link
Brian Johnson bjohn...@drtel.com writes:

 So a customer with a single PC hooked up to their broad-band connection
 would be given 2^64 addresses?

 I realize that this is future proofing, but OMG! That’s the IPv4
 Internet^2 for a single device!

Most people will have more than one device. And there is no NAT as you
know it from IPv4 (and hopefully there never will be. I had to
troubleshoot a NAT related problem today and it wasn't fun.[1])

And I want more than one network. I want to have a firewall between my
fridge and my file server.

 Am I still seeing/reading/understanding this correctly?

RFC 3177 suggests a /48.

Forget about IPv4 when assigning IPv6 networks to customers. Think big and
take a one size fits all(most) customers approach. Assign a /48 or /56 to
your customers and they will never ask you about additional IPs
again. This makes documentation really easy. ;-)

cheers 

Jens

[1] Everybody who claims that NAT is easy should have his or her head
examined.
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: Opensource or Low Cost NMS for Server Hardware / Application Monitoring

2009-07-22 Thread Jens Link
Matthew Huff mh...@ox.com writes:

 Nagios  http://www.nagios.org

http://www.icinga.org/ - a (very current) fork of Nagios 

http://software.uninett.no/stager/ - another netflow tool

http://nedi.ch -  For those with larger campus networks

http://nipper.titania.co.uk/ - audit tool for different network devices

and syslog-ng, rsyslog, ...

BTW: Why do you hijack a thread to start a new mail instead of actually
writing a new mail? It's not a nice thing to do. Ok, those people who
think their group ware client is a mail client will never notice, but
there are still some people using real mail clients. :-( I don't think
that my GNUS or my MTA added all the references to your mail.

cheers

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: generic attack on Cisco routers

2009-01-10 Thread Jens Link
Steven M. Bellovin s...@cs.columbia.edu writes:

 http://www.theregister.co.uk/2009/01/05/cisco_router_hijacking/

There's also a video of the talk at 25c3: 

ftp://ftp.ccc.de/congress/25c3/video_h264_720x576/25c3-2816-en-cisco_ios_attack_and_defense.mp4

cheers,

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-



Re: Gigabit Linux Routers

2008-12-17 Thread Jens Link
Chris ch...@ghostbusters.co.uk writes:

 I'm hoping someone can offer some advice on suitable hardware and kernel
 tweaks for using Linux as a router running bgpd via Quagga.

There was a talk Towards 10Gb/s open-source routing at this year's
Linux-Kongress in Hamburg.  Here are the slides:

http://data.guug.de/slides/lk2008/10G_preso_lk2008.pdf

cheers 

Jens
-- 
Berlin, Germany | http://www.quux.de | jabber: jensl...@guug.de
s...@guug Berlin: http://www.guug.de/lokal/berlin/index.html