Re: IPv6 and CDN's
Marco Davids via NANOG writes:

> It turns out that there underlying CDN's with domain names such as
> ‘l-msedge.net’ and ‘trafficmanager.net’ (Microsoft) or 'fastly.net',
> that reside on authoritative name servers that *only* have an IPv4
> address.

Fastly does have IPv6 enabled authoritative DNS server but it looks like it's not the default.

I ran into this some time ago with deb.debian.org on an IPv6 only Debian VM with a locally installed resolver. I opened a ticket which was closed in record time:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961296

After some ranting and shouting it now works, but a couple of days ago I ran into the same problem while trying to install something via pip. files.pythonhosted.org is also using fastly.

> I guess my question is simple: Why?

I'm asking myself the same question.

> Are there good architectural reason for this? Or is it just something
> that is overlooked and forgotten about?

I don't think it was overlooked or forgotten. More along "We have always done it this way", "We had problems enabling IPv6 (ages ago)" or something else you can find on https://ipv6excuses.com/.

Jens
--
| Delbrueckstr. 41 | 12051 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de |

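An added example, not part of the original message: a small Python model of the failure described above, in which a resolver with IPv6-only transport follows a CNAME into a zone whose authoritative name servers have no AAAA records. All zones, name servers and addresses are constructed sample data under .example, and the function names are hypothetical.

```python
# Added example, not from the original thread. Models why an IPv6-only
# resolver fails as soon as one zone on the path has IPv4-only name servers.
# Every name and address below is constructed sample data.

ZONES = {  # zone apex -> authoritative name server hostnames
    "example.": ["ns1.registry.example."],
    "shop.example.": ["ns1.shop.example.", "ns2.shop.example."],
    "cdn-v4only.example.": ["ns1.cdn-v4only.example.", "ns2.cdn-v4only.example."],
    "cdn-dual.example.": ["ns1.cdn-dual.example."],
}

NS_ADDRS = {  # name server hostname -> address records
    "ns1.registry.example.": {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"]},
    "ns1.shop.example.": {"A": ["192.0.2.10"], "AAAA": ["2001:db8:10::53"]},
    "ns2.shop.example.": {"A": ["192.0.2.11"], "AAAA": []},
    "ns1.cdn-v4only.example.": {"A": ["198.51.100.1"], "AAAA": []},
    "ns2.cdn-v4only.example.": {"A": ["198.51.100.2"], "AAAA": []},
    "ns1.cdn-dual.example.": {"A": ["203.0.113.1"], "AAAA": ["2001:db8:203::53"]},
}

CNAMES = {  # owner name -> CNAME target
    "mirror.shop.example.": "mirror.cdn-v4only.example.",
    "www.shop.example.": "www.cdn-dual.example.",
}

MAX_CNAMES = 8  # guard against CNAME loops


def delegation_path(name):
    """Return the known zones enclosing `name`, from the top of the tree down."""
    labels = name.rstrip(".").split(".")
    suffixes = [".".join(labels[i:]) + "." for i in range(len(labels))]
    return sorted((z for z in suffixes if z in ZONES), key=len)


def v6_servers(zone):
    """Name servers of `zone` that an IPv6-only resolver can actually reach."""
    return [ns for ns in ZONES[zone] if NS_ADDRS.get(ns, {}).get("AAAA")]


def check_v6only(name):
    """Follow the CNAME chain from `name`; report the first zone that blocks it."""
    chain, current = [], name
    while len(chain) <= MAX_CNAMES:
        chain.append(current)
        for zone in delegation_path(current):
            if not v6_servers(zone):
                return {"resolvable": False, "chain": chain, "blocked_at": zone}
        if current not in CNAMES:
            return {"resolvable": True, "chain": chain, "blocked_at": None}
        current = CNAMES[current]
    # Chain longer than MAX_CNAMES: treat as a loop and give up.
    return {"resolvable": False, "chain": chain, "blocked_at": None}


if __name__ == "__main__":
    for host in ("www.shop.example.", "mirror.shop.example."):
        result = check_v6only(host)
        status = "ok" if result["resolvable"] else "blocked at %s" % result["blocked_at"]
        print("%-24s %s  via %s" % (host, status, " -> ".join(result["chain"])))
```

The customer's own zone is fine in both cases; the second name fails only because its CNAME target lives in a zone served over IPv4 alone.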
Re: Hand held copper Ethernet testers
Chris Boyd writes:

> My old Test-Um Lanscaper died, and I was curious what people liked these
> days. Don’t need throughput testing or anything like that, just basic
> wire map testing, cable ID, cable length, PoE voltage, and DHCP client.
>
> What do y’all like?

Pocketethernet has already been mentioned. I have a https://netool.io/ in my backpack and a rather old (10/100MBit) Fluke Netool lying around here somewhere.

Jens

Re: Project/Tool to deploy and maintain Edge Servers (VMs) remotely
Douglas Fischer writes:

> I was thinking in use something like reverse ssh and ansible. But I
> thought that I'm probably reinventing part of the wheel.

If you're familiar with ansible: ansible-pull?

"pulls playbooks from a VCS repo and executes them for the local host"

https://docs.ansible.com/ansible/2.5/cli/ansible-pull.html

Other tools like e.g. puppet use an agent that queries a central server on a regular basis.

Jens

Re: Quagga for production?
Mark Tinka writes:

> On 17/Mar/20 19:39, Jens Link wrote:
>
>> Jens, using frr for quite some time now without any problems
>
> IS-IS, per chance?

Sorry, only BGP for now.

Jens

Re: WIKI documentation Software?
Craig writes:

> Wanted to ask what WIKI software teams are using to save documentation to /
> how to's for staff, etc.

On the wiki side: +1 for dokuwiki

Given that more and more people are automating stuff and this way ending up in git anyway: Write your documentation as markdown, put it into git, generate static web pages. People who like editing via a GUI can use gitlab or something similar.

This approach has some advantages:

- You always have a (more or less) current version of your documentation offline
- You can just use grep to find stuff

Jens

Re: Quagga for production?
Dmitry Sherman writes:

> Hello,
>
> Anybody working with Quagga for production peering with multiple peers
> and dynamic eBGP/iBGP announcement?

https://frrouting.org/ is a quagga fork and most (all) developers of quagga moved to frr.

Jens, using frr for quite some time now without any problems

Re: CloudFlare D.N.S. Resolvers... (1.1.1.1 & 1.0.0.1)
Michael Bullut writes:

> Hi Ross,
>
> How would you gauge good DNS performance?

quick and dirty:

jens@screen:~$ dig nanog.org @8.8.8.8 | grep "Query time"
;; Query time: 16 msec
jens@screen:~$ dig nanog.org @1.1.1.1 | grep "Query time"
;; Query time: 3 msec

Jens

Re: IPv6 addressing plan spreadsheet issue
Job Snijders writes:

Hi,

> I made a list of the IPv6 addresses in my home LAN, but have trouble
> copy+pasting the list into a cloud spreadsheet. My address list is here:
> http://pete.meerval.net/~job/
>
> How do other folks do this? Just administrate things in text files?

If the standard IPAM tool (aka. Excel) can't handle your address plan maybe it's not the fault of the spreadsheet but the fault of the protocol.

After almost 3.500 days using IPv6 I decided to turn it off! Nobody uses it and nobody needs it! I'll do the same with DNSSEC!

Jens
--
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de |

Re: Companies using public IP space owned by others for internal routing
Ca By writes:

> http://jool.mx/en/index.html
>
> Free open source nat64

And the DNS64 part can be done with powerdns (recursor), unbound, bind, ... All OpenSource

Jens

Re: Waste will kill ipv6 too
Lee Howard writes:

> I’ve tried several times to come up with a scenario that leads to
> depletion in less than 200 years, and I haven’t managed it. Can you do it?

Self replicating nano bots. Which will be a good thing (probably): https://xkcd.com/865/

SCNR

Jens

Re: Companies using public IP space owned by others for internal routing
Matt Hoppes writes:

> Had a previous employee or I discovered it on the network segment after
> we had some weird routing issues and had to get that cleaned up. I don't
> know why anyone would do that when there is tons of private IP space.

Excuse 1: "We'll never connect to the internet!"

Excuse 2: "It's only temporary!"

Excuse 3: Typo (At some customer's customer I found 192.!168 addresses which were apparently a typo but in use for years so nobody wanted to change it.) I also know one company who is using (has used?) 2001:8db::/48. I suggested to get v6 PI and properly implement IPv6 but never heard from them again.

Excuse 4: "We used the addresses from our training material." - I heard this story some time ago: A large German government agency wanted to implement IP(v4) and the people attended a course about this new TCP/IP stuff at $Vendor. The training material was prepared by a student who was using his university's /16 as an example.

BTW: Is the Cisco WLC 1.1.1.1 as default address for DHCP?

Jens

Re: IEEE OUI regauth (search ?) site
Brandon Applegate writes:

Hi,

> Anyone have any insight on how one can look up an OUI (yes I know about
> oui.txt, but I’m asking about a live query site).

https://www.wireshark.org/tools/oui-lookup.html ?

Jens

Re: Frontier: Blocking port 22 because of illegal files?
Stephen Satchell l...@satchell.net writes:

> It's been a while since I did this, but you can select an additional port to accept SSH connections.

That's easy:

jens@screen:~$ grep Port /etc/ssh/sshd_config
Port 22
Port 443

> Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.

I always have at least one sshd listening on port 443. For all the hotel, coffee house, customer networks blocking ssh.

You can even multiplex and run ssh and ssl on the same port:

http://www.rutschle.net/tech/sslh.shtml

Jens
--
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@jabber.quux.de |

Re: Scotland ccTLD?
Owen DeLong o...@delong.com writes:

> On Sep 16, 2014, at 8:55 AM, Majdi S. Abbas m...@latt.net wrote:
>
>> su is not available.
>
> I think it is now, since the break up of the Soviet Union.

A friend told me that .su domains are quite common in windows environments after the admins discovered that .local is not a good choice. ;-)

Jens

Re: Scotland ccTLD?
David Conrad d...@virtualized.org writes:

>> A friend told me that .su domains are quite common in windows environments after the admins discovered that .local is not a good choice. ;-)
>
> That would be an *exceptionally* bad idea.

I agree. On the other hand: People pay me to fix network problems, including DNS.

Jens

Re: It's the end of the world as we know it -- REM
Valdis Kletnieks valdis.kletni...@vt.edu writes:

> and I feel fine
>
> I didn't see any mention of this Tony Hain paper:
>
> http://tndh.net/~tony/ietf/ARIN-runout-projection.pdf
>
> tl;dr: ARIN predicted to run out of IP space to allocate in August this year.
>
> Are you ready?

Personally? Yes! Customer side? No! Well except for some. But at least here in Germany some companies (!= ISPs) noticed this IPv6 thing and now are looking for people to support them. Problem is: They don't want to pay for it (e.g. less or equal to the usual hourly rate or any other kind of project).

Two weeks ago: We need someone for a two day IPv6 workshop in two weeks!

Yesterday: We need someone for a two day IPv6 workshop this week!

Jens
--
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de |

Re: Common operational misconceptions
Mark Grigsby m...@pcinw.net writes:

> Speaking in the context of configuring an ipsec tunnel..

Once upon a time:

Admin: We need Port 50 and Port 51 for the tunnel!
Me: You mean IP protocol 50 and 51?
Admin: It's the same! You have no clue!

Jens

Re: Common operational misconceptions
Mathias Wolkert t...@netnod.se writes:

> Autoneg. The old timers that don't trust it after a few decades of decent code. Or those that lock one side and expect the other to adjust to that.

Autoneg is black magic. Doesn't work. You have to manually configure duplex and speed on one side 1!

SCNR

Jens

Re: common time-management mistake: rack stack
Jeff Wheeler j...@inconcepts.biz writes:

> With apologies to Randy, let the CCNAs fight with label makers.

Yeah. And you need to be at least CCNP to switch a module in a router. Had this request last year. I first thought that some troubleshooting / configuration was involved but it was just replacing a module.

Jens

Re: Common operational misconceptions
Leo Bicknell bickn...@ufp.org writes:

> I've repeatedly asked $BIG_COLO_PROVIDERS to offer a vending machine in the lobby next to the one with sodas that sold Cat 5, Fiber, SFP's, USB sticks, and so on.

Hmm. http://gearomat.com/

Jens

Re: WW: Colo Vending Machine
Leo Bicknell bickn...@ufp.org writes:

> USB-Serial adapters. Preferably selected so they are driverless on both OSX and Windows. :)

^^^

Wahahahaha

There is no such thing. I've seen people reinstalling their Windows after trying to use another USB-Serial adapter. I also have seen people running a Linux VM so they can use a USB-Serial adapter they borrowed from me.

Jens

Re: Common operational misconceptions
Owen DeLong o...@delong.com writes:

> 1. When the only tool you have is a hammer, you try to mold every problem into a nail.

Ack.

> 2. When you only know a procedure for doing something and don't understand the fundamentals of why X is supposed to occur at step Y, then when you get result A instead of X, your only options are to either continue to step Z and hope everything turns out OK, or, go back to an earlier step and hope everything works this time.

But procedures are important. How else can you get enough exper^Widiots working for little money. Big Macs vs. The Naked Chef is great: http://www.joelonsoftware.com/articles/fog24.html

> 3. Troubleshooting skills are limited to knowing the number of the vendor's help desk.

There are no problems! Can't be. And if there are they hire external experts. BTDT. Those are well paid jobs.

Jens

Re: WW: Colo Vending Machine
Sven Olaf Kamphuis s...@cb3rob.net writes:

> 3.5 HD floppies (yes, they're still around ;)

Really? I thought Deutsche Bahn was the last company using them: Unfortunately we can't display reservation information.

Okay, knowing Deutsche Bahn the disks might not be 3,5. ;-)

Jens

Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network
valdis.kletni...@vt.edu writes:

> Does anybody actually *have* a functional 7 track drive?

Maybe the people running http://www.cray-cyber.org have one. (If you ever come to Munich, try to visit this museum.)

Jens

Re: Switching Email
William Herrin b...@herrin.us writes:

> Anyone have a list of MUAs that actually support RFC 2369 with subscription management widgets in the GUI? Surely someone has written one but I can't seem to find any documentation to that effect.

Gnus?

Jens, Gnus user since 1999

Re: Switching Email
William Herrin b...@herrin.us writes:

> and you have to read the mail in Microsoft Lookout, interspersed with work-oriented messages from your boss and colleagues. With Outlook popping new-message-notifications up on the projector while you try to give a presentation during a meeting, each containing the sender and message subject...

Well I try to avoid Outlook, but even I was able to create some basic filter rules during my last project (where I was forced to use it).

Jens

Re: Looking for an IPv6 naysayer...
George Bonser gbon...@seven.com writes:

> In other words, the broadband provider provides a single global IP to the always up CPE. That CPE does DHCP to user stations and hands out 1918 addresses and NATs them to the single global IP.

Ah there is the misunderstanding. Same here in good old Europe. If you pay for it you'll get more than one public IP.

I thought you were talking about the CPE getting an RFC1918 address and then hand out RFC1918 addresses to the inside as well and (maybe) another instance of NAT along the way. Well yes, there are providers which are already doing this.

Jens

Re: Looking for an IPv6 naysayer...
Mark Andrews ma...@isc.org writes:

> DS-Lite over 6rd using RFC 1918 / multi-use ISP assigned block (I'd love to be able to say class E here) provides a single NAT translation for IPv4 and public IPv6.

Okay, it's 10:15 in the morning and I really want a drink know. ;-)

Jens

Re: Strange L2 failure
Jack Bates jba...@brightok.net writes:

Hi, a little late, but just catching up the list.

> Has anyone seen issues with IOS where certain MACs fail? 54:52:00 (kvm) fails out an old 10mbit port on a 7206 running 12.2 SRE. I've never seen anything like this. DHCP worked, ARP worked, and arp debugging showed responses for arp to the MAC, however, tcpdump on the host system

I had something similar using a Catalyst 3550. Very simple setup:

Host - Cat3550 - Router

You could see arp-request from the host to the router and arp-replies from the router using tcpdump, but the arp-replies didn't make it to the host. No change in the interface counters on the switch either. When using a static arp-entry on the host and then ping the router you could see the echo-request and echo-replies there but still no answers.

Jens

Re: Looking for an IPv6 naysayer...
Jens Link li...@quux.de writes:

> Okay, it's 10:15 in the morning and I really want a drink know. ;-)

s/know/now/

I think I'll need more coffee.

Jens

Re: Looking for an IPv6 naysayer...
Daniel Roesen d...@cluenet.de writes:

> And quite important for residential ISPs of some size: have fun teaching your call centers diagnosing double-NAT failure modes. NAT444 is a hell I don't want to visit really.

No it's great! It's secure! It's easy to implement! It's the only way to do it right!

Till the end of the month I'm working for a rather large enterprise customer and they use NAT, NAT NAT, NAT NAT NAT, and even NAT NAT NAT NAT connections for their VPN. They claim that it's easy. I think it isn't and I really need to get drunk after troubleshooting such a problem. So I must be stupid, because NAT is so *easy*.

On the other hand, when you tell them about IPv6 they say it's too complicated and that they don't need it.

Jens

Re: Looking for an IPv6 naysayer...
Scott Helms khe...@ispalliance.net writes:

> IPv6 for some ISPs will be extraordinarily painful because of legacy layer 2 gear

I don't feel sorry for them. We know that IPv6 is coming for how long? 15 years? 10 years? 5 years? Well if you only read the mainstream media you should have read something about this new Internet thing about two years ago. And still many people fear IPv6 or think they can still wait for another couple of years.

> For ISPs in this circumstance the choice will be CGNAT rather than IPv6 for a number of years because the cost is much lower and according to the vendors selling CGNAT solutions the impact to end users is (almost) unnoticeable.

Costs might be lower but service will be worse. NAT breaks a lot of applications, file sharing will not work properly and running your own web server at home will not work properly. Well you always get what you pay for and people will buy any crap if it is cheap enough.

Jens

Re: Top webhosters offering v6 too?
Tim Chown t...@ecs.soton.ac.uk writes:

> Which of the big boys are doing it?

Strato in Germany. They offer IPv6 for dedicated server now. I was told that the implementation for their shared hosting (about one million domains) is almost finished and that they also offer IPv6 for virtual servers (problems with the vendor).

Jens

Re: Looking for an IPv6 naysayer...
david raistrick dr...@icantclick.org writes:

> And at what point during that time did they have any vendor gear they could purchase that -would- support v6? At -best- during the last 5 years, but I'd put money on that even today they can't purchase gear with adequate v6 support.

Another chicken and egg problem here. Customers have no demand for IPv6, vendors don't implement it. Vendors don't implement it, customers don't use it. Sad but true.

Right now I have two TAC requests open with Cisco regarding IPv6 problems on the ASA. Ever tried traceroute to a dual-stacked or IPv6 only host? ;-)

Jens

BTW: No need to cc me, I'm reading the list.

Re: Looking for an IPv6 naysayer...
Jason Bertoch ja...@i6ix.com writes:

> I'm not sure about your part of the world, but the economy has been terrible in mine. Even in a good economy, DSL margins don't afford the ability to replace your network every two years.

Same thing here in Germany. DSL providers fighting for the lowest price and customers thinking that free service is still too expensive.

> In fact, spending on new gear all but halted for us over the last 6 years. While everyone is still figuring out best practices for IPv6 rollout today, how difficult would it have been to plan and purchase the exact equipment that long ago?

Yeah. But they could have made plans and demanded working equipment from the vendors.

> Was the right equipment even available for a production environment?

No, and in some cases it is still not available today.

> Not only that, but cheap CPE equipment that supports IPv6 still hardly exists today, and all of that will need replacing.

In Europe: Fritzbox from AVM. Almost all the big vendors have their own branded version of it. And the latter versions do support IPv6 quite well.

> In addition, what about IP phones and the customer that just replaced their entire phone system? Are they going to want to do that all over again by the end of the year?

You don't have to replace everything at once. But you have to start somewhere.

> No, IPv6 rollout is going to be extremely expensive and will likely put a number of smaller operations out of business.

I know several smaller ISPs which offer IPV6 for years. Sure the eyeball providers can hardly beat the cheap prices of the big players. But they do offer individual and good service.

Jens

Re: Looking for an IPv6 naysayer...
George Bonser gbon...@seven.com writes:

> While that is true, it is no worse than the situation right now. In the US, the vast majority of users are already behind a NAT (I would say over 90% of them are) so they are already experiencing this breakage.

I never thought it was that bad. In some 3G/wireless networks in Germany the providers use NAT and transparent HTTP-proxy. But this is only wireless. I'm not aware of any DSL or Cable provider NATing their customers.

Jens

Re: Only 5x IPv4 /8 remaining at IANA
Owen DeLong o...@delong.com writes:

> All well and good until some of their customers are on IPv6... Then what?

Someone will build an appliance to deal with this problem. ;-)

Jens

Re: Only 5x IPv4 /8 remaining at IANA
valdis.kletni...@vt.edu writes:

> Those people are next on my hit list, after we've finally eliminated those who still talk about class A/B/C addresses. :)

You are going to kill about 90% of all net-/sysadmins?

SCNR

Jens

Re: Only 5x IPv4 /8 remaining at IANA
valdis.kletni...@vt.edu writes:

>> You are going to kill about 90% of all net-/sysadmins?
>
> Do you *really* want somebody working on your network that gets confused by a reference to 213/8 because it's in Class-C space?

Don't get me wrong. I like the idea. Especially after the discussion I had with someone this afternoon.

> And Cisco is still teaching it is *not* an excuse

Windows and Linux ifconfig are still using it. Enter a Class-A/B/C address and take a look at the mask they suggest.

Jens

Re: Definitive Guide to IPv6 adoption
Dobbins, Roland rdobb...@arbor.net writes:

> Eric Vyncke's IPv6 security book is definitely worthwhile,
>
> http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945

A good companion to Eric's book is Deploying IPv6 Networks

http://www.ciscopress.com/bookstore/product.asp?isbn=1587052105

Jens

Re: Looking Glass
James Bensley jwbens...@gmail.com writes:

> Hmm, Google says you could use http://www.zebra.org/ to set your box up as a route, and then you can just view the routes from there?

Aehm, Zebra is dead. Quagga is the successor. Last change date on zebra.org website is 5 years old.

Jens

Re: Other NOGs around the world?
Rogelio scubac...@gmail.com writes:

> What other network operator groups are there around the world (besides NANOG)?

PLNOG, http://www.plnog.pl

Jens

Re: Addressing plan exercise for our IPv6 course
Owen DeLong o...@delong.com writes:

>> for NAT. Enterprises of non-trivial size will likely use RFC4193 (and I fear we will notice PRNG returning 0 very often) and then NAT it to provider provided public IP addresses.
>
> Why on earth would you do that? Why not just put the provider-assigned addresses on the interfaces along side the ULA addresses? Using ULA in that manner is horribly kludgy and utterly unnecessary.

To state the obvious: People are stupid.

>> This is to facilitate easy and cheap way to change provider. Getting PI address is even harder now, as at least RIPE will verify that you are multihomed, while many enterprises don't intent to be, they just need low cost ability to change operator.
>
> Why is that easier/cheaper than changing your RAs to the new provider and letting the old provider addresses time out?

Well it's not cheaper but using NAT (and multiple NAT) leads to job security as nobody else will understand the network. BTST.

Jens

Re: Addressing plan exercise for our IPv6 course
Saku Ytti s...@ytti.fi writes:

> RFC4193 + NAT quite simply is what they know and are comfortable with.

NAT is *not simple*. NAT adds one more layer of complexity. When using multiple NAT things get worse.

In most cases people don't want or need NAT they are just used to it and old habits die hard.

Jens

Re: Addressing plan exercise for our IPv6 course
Owen DeLong o...@delong.com writes:

>> You know that, I know that and (hopefully) all people on this list know that. But NAT == security was and still is sold by many people.
>
> So is snake oil.

Ack, but people are still buying snake oil too.

>> After one of my talks about IPv6 the firewall admins of a company said something like: So we can't use NAT as an excuse anymore and have to configure firewall rules? We don't want this.
>
> So how did you answer him?

To be honest: I don't remember. I got drunk that evening. ;-)

> The correct answer is No, you don't have to configure rules, you just need one rule supplied by default which denies anything that doesn't have a corresponding outbound entry in the state table and it works just like NAT without the address mangling.

They used NAT as an excuse not to let some applications to the outside.

Jens

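An added example, not part of the original message: a minimal Python model of the single default rule described in the quoted text above, which drops inbound packets that have no matching outbound entry in the state table and never rewrites an address. The class, its method names, the idle timeout and the 2001:db8:: addresses are assumptions made for illustration.

```python
# Added example, not from the original thread: stateful filtering without NAT.
# Addresses come from the 2001:db8::/32 documentation prefix (constructed).
from ipaddress import ip_address, ip_network


class StatefulFilter:
    """Default-deny inbound filter keyed on a connection state table."""

    def __init__(self, inside, timeout=60):
        self.inside = ip_network(inside)
        self.timeout = timeout   # seconds an idle entry stays valid
        self.state = {}          # flow tuple -> time the flow was last seen

    @staticmethod
    def _key(proto, inner, inner_port, outer, outer_port):
        return (proto, ip_address(inner), inner_port, ip_address(outer), outer_port)

    def outbound(self, now, proto, src, sport, dst, dport):
        """Inside host sends a packet: record the flow, forward it unchanged."""
        if ip_address(src) not in self.inside:
            return None          # source is not from the inside prefix
        self.state[self._key(proto, src, sport, dst, dport)] = now
        return (proto, src, sport, dst, dport)   # no address mangling

    def inbound(self, now, proto, src, sport, dst, dport):
        """Outside host sends a packet: accept only replies to known flows."""
        key = self._key(proto, dst, dport, src, sport)
        seen = self.state.get(key)
        if seen is None or now - seen > self.timeout:
            self.state.pop(key, None)   # forget an expired entry
            return "drop"
        self.state[key] = now           # traffic refreshes the entry
        return "accept"


def demo():
    """Run one client flow through the filter and collect the verdicts."""
    fw = StatefulFilter("2001:db8:1::/48")
    client, server = "2001:db8:1::10", "2001:db8:ffff::80"
    stranger = "2001:db8:bad::1"
    sent = fw.outbound(0, "tcp", client, 40000, server, 443)
    return {
        "forwarded_unchanged": sent == ("tcp", client, 40000, server, 443),
        "reply": fw.inbound(1, "tcp", server, 443, client, 40000),
        "unsolicited": fw.inbound(2, "tcp", stranger, 443, client, 40000),
        "wrong_port": fw.inbound(3, "tcp", server, 443, client, 22),
        "after_timeout": fw.inbound(500, "tcp", server, 443, client, 40000),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-20s %s" % (name, verdict))
```

The client keeps its global address end to end; the protection comes entirely from the state lookup in `inbound`.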
Re: Addressing plan exercise for our IPv6 course
Owen DeLong o...@delong.com writes:

> In all reality:
>
> 1. NAT has nothing to do with security. Stateful inspection provides security, NAT just mangles addresses.

You know that, I know that and (hopefully) all people on this list know that. But NAT == security was and still is sold by many people.

> Most customers don't know or care what NAT is and wouldn't know the difference between a NAT firewall and a stateful inspection firewall.

I agree. But there are also many people who want to believe in NAT as security feature.

After one of my talks about IPv6 the firewall admins of a company said something like: So we can't use NAT as an excuse anymore and have to configure firewall rules? We don't want this.

cheers

Jens

Re: Overseas - Latency
Caleb Tennis caleb.ten...@gmail.com writes:

> I saw this earlier this morning, not sure if it relates to you or not:
>
> http://www.telegeography.com/cu/article.php?article_id=33597

Well that's Africa and most unfortunate for all the soccer fans there.

jens

Re: Overseas - Latency
Rod Beck rod.b...@hiberniaatlantic.com writes:

> There are several cable systems landing in South Africa. I doubt it will affect television coverage ...

TV is not an issue, Internet is. At least that's what I read in an article yesterday. According to the article I read many (smaller) providers there have only one connection and another cable connection not ready yet.

I found some news here:

http://www.techcentral.co.za/tag/seacom/

Jens

Re: Network Documentation
Tarig Yassin tariq198...@hotmail.com writes:

First: *PLEASE* do not start a new thread by replying to a mail and changing the subject. There is something called reference header which allows real mail clients (read: not Outlook or Notes) to do threading. This makes it much easier to read large amounts of mail.

> I am curious as to how others are documenting their network; both visually and configurations. Is there any a software offers a database with web-based front end that can document in a very details.

Most people I know use a wiki for documentation and rancid for configuration management. If you want to access your configurations via web you can use rancid + webcvs.

There are also several database based tools for ip address management. Check the list archives for details.

Jens

Re: Recommendation in Australia for ISPs to force user security?
Joel Jaeggli joe...@bogus.com writes:

> not sure how they propose to enforce that, instrumentation approaches that look inside the home gateway have a non-trivial false positive rate and you've got a lot more hosts than ip addresses.

Well you force your users to install some software to control that you have a current anti virus and a firewall in place. This software will only run for certain versions of Windows and will have quite a lot of CVE entries.

I will never get access to such a network. I don't use anti virus and I don't have a firewall on my Laptop (by default I'm only running sshd and if I need a (t)ftpd I start it manually).

Jens

Re: List of a useful tools for network architects
Pavel Dimow paveldi...@gmail.com writes: Hi, I am wondering what tools you consider most valuable when designing a big network from scratch or performing a migration? White board and a digital camera to document the drawings. Pen and paper are also a very important tool. For example I would like to know is there a tool that will perform basic sanity checks like network equipment without redundant link or without link at all... Well there is my head and a couple of years' experience. ;-) I know that the one who designs a network has to consider all these issues but some automatic check will save some time for sure... Discuss your design with others. There is always more than one way to design a network. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: Literatur hint needed
Matthias Flittner matthias.flitt...@de-cix.net writes: Hi Folks, I'm searching for a fundamental book about how to (inter)connect two networks. It should be about how to connect your business network in a secure and reliable way to the internet. The book should contain some theoretical basics and commonly used practices. Focus is how to design such a network transfer point. The Illustrated Network: How TCP/IP Works in a Modern Network (ISBN-13: 978-0123745415) should cover this topic. cheers, Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: Monitoring Tool
Thorsten Dahm t.d...@resolution.de writes: The usual suspects in the open source world would be nagios, cacti, mrtg, netflow, ... There is no tool called netflow. ;-) To collect and analyze netflow data I'd recommend nfdump.sf.net and nfsen.sf.net as an open source solution. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: 1slash8 pollution
Tom bifr...@minions.com writes: DHCPACK from 1.2.1.3 Perhaps someone should mention this to the hotel? :) I've seen DHCPACK from 1.1.1.1. I was told it's the default value of a Cisco WLAN Controller. There are more things broken in most hotel WLANs. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: IP Address Management Tool
D C cassel...@gmail.com writes: I am looking for a better way to manage IP addresses. I am currently using an excel spreadsheet, but this is becoming cumbersome as more and more addresses are being added. Does anyone have any recommendations? Somebody recommended http://sourceforge.net/projects/haci/ recently, haven't had time to try it. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: looking glass
Randy Bush ra...@psg.com writes: is there a decent looking glass package that does not fill my machine with trash? Haven't tried it but what about RANCID? http://www.shrubbery.net/rancid/man/lg_intro.1.html Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: Rate of growth on IPv6 not fast enough?
John Levine jo...@iecc.com writes: I'm not saying that NAT is wonderful, but my experience, in which day to day stuff all works fine, is utterly different from the doom and disaster routinely predicted here. Ever tried to troubleshoot networks which were using multiple NAT? Every time I have to, I'll have the urge to get really drunk afterwards. And when ISPs start using NAT for their customers, there will be more problems leading to more support calls. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
John R. Levine jo...@iecc.com writes: Did you run any services? Of course not, it's consumer DSL. I run services on my server which is somewhere else and tunnel in via ssh which, of course, works fine through NAT. Take a look at all those small SOHO storage boxes. They all offer web and FTP services and they all support something like dyndns. Customers want these features and are using these features. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: Books for the NOC guys...
Robert E. Seastrom r...@seastrom.com writes: So, what are you having your up-and-coming NOC staff read? http://www.amazon.com/Illustrated-Network-Modern-Kaufmann-Metworking/dp/0123745411/ I think it's quite good and covers many modern topics. One drawback: It mentions ethereal and not wireshark. At the time of writing ethereal must have been dead for about 2 years. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: Home CPE choice
Charles N Wyble char...@knownelement.com writes: Should one get a real cisco router? The 877 or something? 871 works very well here. You may find one cheap on eBay. But *don't* get an 861. Last time I checked there was no IOS with IPv6 support for this model. My current home router is a cisco 1841. I keep my 6mbps DSL line pretty much saturated all the time. Often times my wife will be watching Hulu in the living room, I'll be streaming music and running torrents (granted I have tuned my Azureus client fairly well) all at the same time and it's a good experience. If it's working, stick to it. ;-) Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: Home CPE choice
Charles N Wyble char...@knownelement.com writes: Have you tried pfsense, or do you find the built in functionality/configuration system to be sufficient? AFAIK IPv6 is not supported via the GUI, but everything else is okay. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: Posting from freebie E-mail Accounts
jim deleskie deles...@gmail.com writes: Hi, I'm betting more than a few of us use free mail accts to keep this separate from our work mail. As a positive side effect there are fewer Out of Office replies when people use different accounts for normal work mail and mailing lists. If you're really having that much issue, config your mail server to drop it yourself or unsub. Or use a decent mail client which allows scoring and / or kill files. cheers, Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: Finding content in your job title
Steve Bertrand st...@ibctech.ca writes: For instance, I like to present myself as a 'network engineer'. I have never taken formal education, don't hold any certifications (well, since 2001), and can't necessarily prove my worth. Hey, network engineer is good. Some time back someone gave me the title senior executioner security engineer. They even sent a document to a customer with this title. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: IPv6 in Education Question
Todd Christell tchrist...@springnet.net writes: So I'm giving an introductory talk on IPv6 for a state wide conference for tech coordinators for education. I have the usual catechism of reasons/advantages from the network side but was wondering if there were any good education specific applications of v6. My major goal is to help them understand the situation so that they can make use of the base of educators in our state to help spread the word about IPv6. It's not a question of if but when IPv6 will be used on large scale in the Internet. So, from the educational side it's beneficial if students learn about IPv6. So much for the theory. I did quite a number of presentations on IPv6 some of them in at university in Germany (not as some official talk but some user group / some students asked me to). Some quotes: We don't have time for this. Well our network equipment is 14 years old, we don't have a budget for new stuff. We'll implement IPv6 in 13 years, it's when my colleague retires. /me: Cool. You have IPv6. Professor: I configured the tunnel myself. Our network people don't this the topic. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Network Naming Conventions
Bill Stewart nonobvi...@gmail.com writes: - Tolkien characters (one of the reasons for DNS was that too many people wanted to name their machine frodo or mozart.) Discworld characters are also quite common. For my own systems I use names of single malts. cheers Je 'typing on Bowmore' ns -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: IP4 Space
Owen DeLong o...@delong.com writes: denial anger bargaining depression acceptance--- My dual-stacked network and I are here. So am I. But most IT people I talk to are still at the denial phase. And there is not much one can do about it. Jens, 566 days to go -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: IP4 Space
Owen DeLong o...@delong.com writes: I spend much of my time talking to groups of people about this. I have managed to get several members of such groups from denial to bargaining and sometimes even depression in a single session. I did several presentations about IPv6 basics myself and there was very positive feedback but those people already had an interest in IPv6. I always quote an admin from a big German university: We'll start with IPv6 in 13 years. It's when my colleague retires. On rare occasion, acceptance even starts to set in. That's true. I did one presentation, had a two hour train ride with someone from the audience and a couple of days later I got an email from him that his company network is running IPv6. But this is one person from a couple of hundred. I think it is getting better and continuing to talk about it will help. That's also true and I'm looking forward to this weekend when I once again will try to tell people why they should learn IPv6 now. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Ticket/Asset Managment system
Brandon Grant bran...@momentous.ca writes: Also, I am hoping to find a tool that can tie in with SNMP software so I can have tickets auto-generated for certain types of SNMP traps or polling failures. Do it the other way round: Use something like Nagios, Zabbix or Icinga for monitoring and if a fault is detected let the monitoring system send a message to your ticket system. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Using /31 for router links
Florian Weimer f...@deneb.enyo.de writes: Bad. For some systems, such tricks work to some degree only due to lack of input validation, and you get failures down the road (ARP ceases to work, packet filters are not applied properly and other fun). I never had any problems using Cisco to Cisco, Linux to Linux or Cisco to Linux using /31. Only problem I encountered was when a Linux based router was replaced by a Windows box (please don't ask). cheers Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Using /31 for router links
Chris Costa cco...@cenic.org writes: We recently did a backbone router upgrade and the vendor surprisingly didn't support /31's. Mind dropping a name? Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Foundry CLI manual?
Richard A Steenbergen r...@e-gerbil.net writes: Ironically enough the manuals themselves are accessible without a login, but the list of manuals is not. Ouch. Personally I don't like when companies hide documentation or require me to register (or even get a support contract) to read the documentation. On the other hand there are several vendors that are very forthcoming, vendors that even send you test equipment for free. Guess which companies I'm recommending to customers. cheers Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Breaking the internet (hotels, guestnet style)
Owen DeLong o...@delong.com writes: I expect my connections to my mail server to actually reach my mail server. I use TLS and SMTP AUTH as well as IMAP/SSL. Many of the just works settings in question break these things badly. One of my customers has an appliance for his WLAN guest access which filters out records. :-(
j...@bowmore:~$ dig www.quux.de @8.8.8.8 +short
j...@bowmore:~$
Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Jorge Amodio jmamo...@gmail.com writes: I guess Cisco's 800's are out of the Consumer Grade price range, but any comments about v6 support on them and how they compare with other options. Once you find the right IOS version they are working great. ;-) I had to upgrade my router @home in order to use IPv6 on the wireless lan. Interface configuration wasn't accepting any ipv6 commands. cheers Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Brandon Ewing nicot...@warningg.com writes: Can you comment on what version you got it to work on? I haven't futzed with it much, but with 12.4(24)T2, you can't put an ipv6 address directly on the wireless subinterface. I tried putting it on a BVI interface, but didn't have much luck. Version 12.4(20)T1 works
interface Dot11Radio0
 !
 ipv6 address 2001:db8:9F6B:2::1/64
 ipv6 enable
 ipv6 nd prefix 2001:db8:9F6B:2::/64
cheers Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Simple Change Management Tracking
Paul Stewart pstew...@nexicomgroup.net writes: Thanks - we're not really looking for so much a ticketing system as more of a change management approval system I guess. That's why I suggested OTRS only after RT was mentioned. CheckPoint R70.1 has something like this built in but it's only for Check Point and there is (IMHO) a lot of functionality missing. And it's rather slow. cheers Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: ISP customer assignments
Brian Johnson bjohn...@drtel.com writes: So a customer with a single PC hooked up to their broad-band connection would be given 2^64 addresses? I realize that this is future proofing, but OMG! That’s the IPv4 Internet^2 for a single device! Most people will have more than one device. And there is no NAT as you know it from IPv4 (and hopefully there never will be. I had to troubleshoot a NAT related problem today and it wasn't fun.[1]) And I want more than one network. I want to have a firewall between my fridge and my file server. Am I still seeing/reading/understanding this correctly? RFC 3177 suggests a /48. Forget about IPv4 when assigning IPv6 Networks to customers. Think big and take a one size fits all(most) customers approach. Assign a /48 or /56 to your customers and they will never ask you about additional IPs again. This makes documentation really easy. ;-) cheers Jens [1] Everybody who claims that NAT is easy should have his or her head examined. -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Opensource or Low Cost NMS for Server Hardware / Application Monitoring
Matthew Huff mh...@ox.com writes: Nagios http://www.nagios.org http://www.icinga.org/ - a (very current) fork of Nagios http://software.uninett.no/stager/ - another netflow tool http://nedi.ch - For those with larger campus networks http://nipper.titania.co.uk/ - audit tool for different network devices and syslog-ng, rsyslog, ... BTW: Why do you hijack a thread to start a new mail instead of actually writing a new mail? It's not a nice thing to do. Ok, those people who think their groupware client is a mail client will never notice, but there are still some people using real mail clients. :-( I don't think that my GNUS or my MTA added all the references to your mail. cheers Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: generic attack on Cisco routers
Steven M. Bellovin s...@cs.columbia.edu writes: http://www.theregister.co.uk/2009/01/05/cisco_router_hijacking/ There's also a video of the talk at 25c3: ftp://ftp.ccc.de/congress/25c3/video_h264_720x576/25c3-2816-en-cisco_ios_attack_and_defense.mp4 cheers, Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de | -
Re: Gigabit Linux Routers
Chris ch...@ghostbusters.co.uk writes: I'm hoping someone can offer some advice on suitable hardware and kernel tweaks for using Linux as a router running bgpd via Quagga. There was a talk Towards 10Gb/s open-source routing at this year's Linux-Kongress in Hamburg. Here are the slides: http://data.guug.de/slides/lk2008/10G_preso_lk2008.pdf cheers Jens -- Berlin, Germany | http://www.quux.de | jabber: jensl...@guug.de s...@guug Berlin: http://www.guug.de/lokal/berlin/index.html