Re: FreeBSD users of 127/8
Subject: FreeBSD users of 127/8
Date: Mon, Nov 22, 2021 at 12:57:43AM -0800
Quoting John Gilmore (g...@toad.com):

> If it turns out that FreeBSD usage of 127.1/16 is widespread, and the
> above analysis is incorrect or unacceptable to the FreeBSD community, we
> would be happy to modify the draft to retain default loopback behavior
> on 127.0.0.1/17 rather than 127.0.0.1/16. That would include both
> 127.0.x.y and 127.1.x.y as default loopback addresses.

    treize:~ mansaxel$ sipcalc 127.0.0.1/17 | grep "Network range"
    Network range - 127.0.0.0 - 127.0.127.255
    treize:~ mansaxel$ sipcalc 127.0.0.1/15 | grep "Network range"
    Network range - 127.0.0.0 - 127.1.255.255

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
DON'T go!! I'm not HOWARD COSELL!! I know POLISH JOKES ... WAIT!! Don't go!! I AM Howard Cosell! ... And I DON'T know Polish jokes!!
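The sipcalc check above, reworked as an added example that is not part of the original post: a Python script using only the standard-library ipaddress module to show which 127.x.y.z addresses stay inside a candidate loopback prefix, and the longest prefix that still covers both 127.0.x.y and 127.1.x.y. The probe addresses are constructed for the example; the function names are this example's own. An operator checking host firewall or anti-spoofing rules before such a change would want exactly this list.

```python
import ipaddress

# Constructed probe addresses, one per range the thread argues about.
LOOPBACK_PROBES = [
    "127.0.0.1",      # classic loopback
    "127.0.127.255",  # last address of 127.0.0.0/17
    "127.0.128.1",    # still 127.0.x.y, but outside /17
    "127.1.0.1",      # the FreeBSD 127.1.x.y usage the draft wants to keep
    "127.1.255.255",  # last address of 127.0.0.0/15
    "127.2.0.1",      # would become unicast under the proposal
]


def network_range(cidr):
    """First and last address of a prefix, as sipcalc's 'Network range' line prints it."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def covered(cidr, addrs=LOOPBACK_PROBES):
    """Probe addresses that remain inside the prefix kept as loopback."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [a for a in addrs if ipaddress.ip_address(a) in net]


def longest_common_prefix(first, second):
    """Length of the longest prefix that contains both addresses.

    Walks from /32 down to /0 and stops at the first prefix of `first`
    that also contains `second`; this is the shortest range you must
    keep reserved if both addresses are to stay loopback.
    """
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(second)
    for plen in range(32, -1, -1):
        if b in ipaddress.ip_network(f"{a}/{plen}", strict=False):
            return plen
    return 0


if __name__ == "__main__":
    for cidr in ("127.0.0.1/17", "127.0.0.1/16", "127.0.0.1/15"):
        lo, hi = network_range(cidr)
        print(f"{cidr}: {lo} - {hi}; keeps {covered(cidr)}")
    print("prefix covering 127.0.0.1 and 127.1.0.1:",
          longest_common_prefix("127.0.0.1", "127.1.0.1"))
```

Running it shows what the two sipcalc lines show: /17 ends at 127.0.127.255, so it drops even half of 127.0.x.y, and the shortest prefix that keeps both 127.0.x.y and 127.1.x.y is /15, not /17.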
Re: is ipv6 fast, was silly Redeploying
Subject: Re: is ipv6 fast, was silly Redeploying
Date: Mon, Nov 22, 2021 at 02:04:55AM +0900
Quoting Masataka Ohta (mo...@necom830.hpcl.titech.ac.jp):

> Mergers of entities having an IP address range is a primary reason
> of entities having multiple address ranges. As IPv6 was
> developed a lot later than IPv4, it has not suffered from
> mergers so much yet.

Yes. You are completely correct. But, those entities usually have one v6 prefix each. And multiple v4 ones. Because they've required more addresses. Not everyone is Apple, "hp"[0] or MIT, where the initial allocation still is mostly sufficient. (I believe MIT handed some back too.) Instead they had to ask repeated times for smaller and smaller chunks of addresses. (Now they're buying them for prices that may well be motivating people to come up with crazy schemes of reusing reserved addresses..)

In contrast, the v6 allocations are mostly sufficient. Even for sprawling businesses. In the end, if they merge with another company, each merger brings one (1) more net, not a flock of v4 /24's.

Your reasoning is correct, but the size of the math matters more.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Content: 80% POLYESTER, 20% DACRONi ... The waitress's UNIFORM sheds TARTAR SAUCE like an 8" by 10" GLOSSY ...

[0] The real Hewlett-Packard made test equipment. What calls itself "hp" today is just another IT company.
Re: Redploying most of 127/8 as unicast public
Subject: Re: Redploying most of 127/8 as unicast public
Date: Sat, Nov 20, 2021 at 10:47:10PM -0500
Quoting Joe Maimon (jmai...@jmaimon.com):

> layer in front of these classes of devices or that they will be
> deployed|developed with sufficient/equivalent security without that layer is
> not nearly as re-assuring.

The inside/outside paradigm inherent in the reasoning of the "NAT is a good, big part of my firewall" crowd is woefully inadequate to describe and counter the threats of today. The techniques to get past uni-reachability (the NATted client can ask the net, but not in reverse) are many and advanced. Since there is a somewhat inflated belief in the efficiency of the unroutability paradigm, once inside, the rules tend to be relaxed. It might very well be so that the resultant protection level will be better once you realise you can't trust the net to not deliver packets to you.

Also, I much prefer writing firewall rules where the IP addresses don't change in-flight. Less to screw up.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Of course, you UNDERSTAND about the PLAIDS in the SPIN CYCLE --
Re: Class D addresses? was: Redploying most of 127/8 as unicast public
Subject: Re: Class D addresses? was: Redploying most of 127/8 as unicast public
Date: Sat, Nov 20, 2021 at 11:51:24AM -0800
Quoting William Herrin (b...@herrin.us):

> Multicast is not the same as broadcast and yes, it's a thing. Mainly
> it's a thing confined to the local broadcast domain but in that scope
> it's quite widely used.

All the heavy lifting in video production via IP is done over multicast. Mostly, it is internal to one organisation, and the 239/8 (RFC2365) block is being used, but routing multi-gbit RTP flows over multicast is a thing where I work.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
YOU!! Give me the CUTEST, PINKEST, most charming little VICTORIAN DOLLHOUSE you can find!! An make it SNAPPY!!
Re: Redploying most of 127/8 as unicast public
Subject: Re: Redploying most of 127/8 as unicast public
Date: Sat, Nov 20, 2021 at 09:15:24PM +
Quoting Matthew Walster (matt...@walster.org):

> > Why should we burden ourselves with this cumbersome and painful, useless
> > layer of abstraction that is "port forwarding", when the choice of
> > universal reachability is around the corner?
>
> Because it's a REALLY bad idea to have unmanaged devices reachable from the
> open internet. Dial-out, not dial-in. You need a firewall. You need a way
> of punching holes in that firewall for services you explicitly allow, be
> that manually through an interface, or temporarily via an automated system
> like upnp/nat-pmp.

It's like you did not read the next part.

> > If people can set a port forward up, they can click "allow" in a
> > routing-based firewall interface. Only it is better, because one can
> > have several parallel services using well-known ports. Sometimes (most
> > of the time) the protocol spec has no option to change port either,
> > making port forwarding futile anyway. (the let's have a TXT record bunch
> > at it again, purposefully ignoring SRV since its inception.)
> >
>
> It's not always people. Lots of games, lots of telephony things, services
> like Syncthing... They all open firewall holes (yes, NAT is a firewall) to
> allow inbound connections for specific conditions, like "this protocol and
> port combination".

You obviously read it. Now I'm confused.

> You are not. I'm glad my internet connected light bulbs are controlled by
> the Australian firm that manufactures them and the American firm that has a
> surveillance device in my kitchen listening for the immortal words "turn on
> the living room lights", rather than Billy* from Doncaster who's looking
> for something funny to do after losing at CS:GO again and happens to have
> found a list of IP addresses of known vulnerable devices accessible from
> the internet.

(I'd rather not have my lighting in the cloud. But I'm strange like that.)

Routing and allowing traffic are choices. Only that people with unusable non-unique addresses don't get to make those choices. One can probably find quantitative research stating that letting people handle their IT security makes for less secure systems, and from that standpoint argue that they don't deserve the choice. To me, that is elitist and condescending (And I oughta know condescending, I'm quite good at it.) and I think we could do better.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
I want another RE-WRITE on my CEASAR SALAD!!
Re: Redploying most of 127/8 as unicast public
Subject: Re: Redploying most of 127/8 as unicast public
Date: Sat, Nov 20, 2021 at 09:04:38PM +0900
Quoting Masataka Ohta (mo...@necom830.hpcl.titech.ac.jp):

> It merely means IPv6 is not deployable with the real reason.

IPv6 is deployable. It is deployed. You are fundamentally in error. Any conclusions stemming from the false statement "IPv6 is not deployable" are thus false.

While your statements on ports being a part of the address might hold some value in a world where there is no alternative, they are simply too limited in a world with practically unlimited addresses.

> After finding that, I, as a theorist, totally abandoned IPv6.

You gave up, based on false conclusions.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
... I want a COLOR T.V. and a VIBRATING BED!!!
Re: Redploying most of 127/8 as unicast public
Subject: Re: Redploying most of 127/8 as unicast public
Date: Sat, Nov 20, 2021 at 11:16:59AM +
Quoting Matthew Walster (matt...@walster.org):

> The "real" reason we have IPv4 around is that it works.

It works in our present context, good enough that the pain of moving looks bad to many people. This is Ohta-san's argument too.

> 3. IPv6 "port forwarding" isn't really an easy thing -- people are not used
> to each machine having a global address.

This is the problem in a nutshell. After 27 years of destroying the E2E model on the internet, people do not anymore understand how IP (regardless of version) was supposed to work; any node to any node.

Why should we burden ourselves with this cumbersome and painful, useless layer of abstraction that is "port forwarding", when the choice of universal reachability is around the corner?

If people can set a port forward up, they can click "allow" in a routing-based firewall interface. Only it is better, because one can have several parallel services using well-known ports. Sometimes (most of the time) the protocol spec has no option to change port either, making port forwarding futile anyway. (the let's have a TXT record bunch at it again, purposefully ignoring SRV since its inception.)

I guess juggling our pains differently is what we are doing here. What is unthinkable to one is quite OK to someone else. (But I am right)

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
We just joined the civil hair patrol!
Re: Redploying most of 127/8 as unicast public
Subject: Re: Redploying most of 127/8 as unicast public
Date: Sat, Nov 20, 2021 at 10:26:33AM +0900
Quoting Masataka Ohta (mo...@necom830.hpcl.titech.ac.jp):

> > We cope,
> > because a lot of technical debt is amassed in corporate and ISP /
> > access provider networks that won't change.
>
> Sounds like abstract nonsense.

No, it is the real reason that we still have v4 around.

> > We don't cope because NAT is
> > good. Hardly a workday goes past without me thinking "If I could address
> > this computer uniquely I'd go home earlier and with less grey hair".
>
> The reality is that application servers only need globally unique
> and stable IP+Ports.
>
> You can address application servers with them.

If, and that is a big IF, they're designed for that. Hint: They're not, and I'm required to deploy technology compatible with older systems and systems outside my control. It would be far easier for me if I could continue with the original assumption -- IP addresses are identifiers. I know you will immediately state that if I change everything else except the IP addressing scheme at 32 bits plus 16 bits of port space (which in and of itself is a change; granted more so in terms of service location), I will be fine. But I only want to change the addressing layer. The rest works fine. And is a bigger mess to alter to your idea.

> > We must do better.
>
> As IPv6 is worse than IPv4 with NAT, feel free to propose a new
> network protocol.

In your application, that assertion on worseness might be true. In mine, where I value the E2E principle higher, no, I think it is not.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
I used to be a FUNDAMENTALIST, but then I heard about the HIGH RADIATION LEVELS and bought an ENCYCLOPEDIA!!
Re: Redploying most of 127/8 as unicast public
Subject: Re: Redploying most of 127/8 as unicast public
Date: Fri, Nov 19, 2021 at 09:04:59PM +0900
Quoting Masataka Ohta (mo...@necom830.hpcl.titech.ac.jp):

> Mans Nilsson wrote:
>
> > The essence of an IP address is that it is unique. The larger the network
> > area is that recognizes it as unique, the better it is.
>
> With proper layering, network addresses including IP ones, certainly,
> uniquely identify *hosts*.
>
> However, with proper layering, *applications* only require uniqueness
> of IP+Port, which is enough for the worldwide IPv4 network.
>
> As a result, NAT won the battle against IPv6.
>
> IPv6 addresses are free but useless.

With all due respect, you think about networks. I use and build networks. And my experience is that IP+port is not enough. We cope, because a lot of technical debt is amassed in corporate and ISP / access provider networks that won't change. We don't cope because NAT is good. Hardly a workday goes past without me thinking "If I could address this computer uniquely I'd go home earlier and with less grey hair".

We must do better.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Do you have exactly what I want in a plaid poindexter bar bat??
Re: Redploying most of 127/8 as unicast public
Subject: Re: Redploying most of 127/8 as unicast public
Date: Fri, Nov 19, 2021 at 12:26:23PM -0800
Quoting John Gilmore (g...@toad.com):

> Måns Nilsson wrote:
> > The only viable future is to convert [to IPv6]. This is not
> > group-think, it is simple math.
>
> OK. And in the long run, we are all dead. That is not group-think, it
> is simple math. Yet that's not a good argument for deciding not to
> improve our lives today. Nor to fail to improve them for tomorrow,
> in case we live til then.

The math is true today. Most people now have more devices than they have IP addresses. (And reachability should be choice, not shortage consequence)

Increasing the available address space by at most a few percent at the price of a flag day is not a good return. (unless you are in a position to profit from the shortage, at which point all these crutch proposals look irresistible if not from a technical standpoint)

Increasing the address space 79228162514264337593543950336 times at the price of rolling software upgrades that actually mostly are done (I haven't bought or commissioned non-v6 gear for 15 years now), even if there's a lot left to turn on and configure, is a slightly better proposition.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
MY income is ALL disposable!
Re: Redploying most of 127/8 as unicast public
Subject: Re: Redploying most of 127/8 as unicast public
Date: Thu, Nov 18, 2021 at 01:46:04PM -0800
Quoting William Herrin (b...@herrin.us):

>
> The detractors for this proposal and those like it make the core claim
> that we shouldn't take the long view improving IPv4 because IPv6 is
> going to replace it any day now. Each day that passes with the end of
> IPv4 still not in sight demonstrates how very wrong that strategy is.

Aw, come on. There is no one (except naive ones in power) who expects this to happen immediately. We all knew there would be a transition period.

The "improvement" part was CIDR. And a very good one it is at that -- it sort of sets the standard as to what an improvement should be to count. 6,25% new addresses from Net 240 is not an improvement in that regard, and neither would the much smaller contribution from Net 127 be. Both are no more than holding paper money on the deck of the Titanic.

The essence of an IP address is that it is unique. The larger the network area is that recognizes it as unique, the better it is. That's why RFC 1918 is free and useless. We all know this. The only viable future is to convert. This is not group-think, it is simple math.

> If there's a change we can make to a standard now which will result in
> IPv4 being better 20 years from now, we should make it. We should hope
> that we never need the result because IPv6 takes over the world but we
> should make the change anyway. Because hedging our bets is what
> responsible people do.

You are proposing a deal involving paper money you have on your person to your fellow passengers on the Titanic; that is the essence of your proposed bet hedging. Having studied the market for IPv4, it is a no-brainer to realise the driving force behind all these schemes. Delaying the inevitable is just going to make some people richer, to the detriment of others. I see no reason to support that.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Yow! It's a hole all the way to downtown Burbank!
Re: Telecommunications network drafting software
Subject: Re: Telecommunications network drafting software
Date: Wed, Sep 01, 2021 at 03:26:08PM -0400
Quoting Eric Kuhnke (eric.kuh...@gmail.com):

> For logical diagrams of networks, on MacOS, I recommend Omnigraffle.

OmniGraffle is what Visio would be if Visio was cool, looked good and didn't hate its users. Only drawback -- to some -- is that it's OS X only.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
... I think I'd better go back to my DESK and toy with a few common MISAPPREHENSIONS ...
Re: telia selling carrier ops to polhem infra
Subject: Re: telia selling carrier ops to polhem infra
Date: Tue, Oct 06, 2020 at 03:28:57PM +
Quoting James Breeden (ja...@arenalgroup.co):

> Still smells Swedish to me. Probably will end up with a different name, but
> other than that I don't see much changing. Sounds more like a spinoff than
> acquisition.

It is, Polhem is wholly owned by a few of the large public pension funds in Sweden.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
I want to dress you up as TALLULAH BANKHEAD and cover you with VASELINE and WHEAT THINS ...
Re: Request comment: list of IPs to block outbound
Subject: Re: Request comment: list of IPs to block outbound
Date: Tue, Oct 22, 2019 at 11:11:27PM -0600
Quoting Grant Taylor via NANOG (nanog@nanog.org):

> On 10/22/19 10:54 PM, Måns Nilsson wrote:
> > It is just more RFC1918 space, a /10 unwisely spent on stalling IPv6
> > deployment.
>
> My understanding is that RFC 6598 — Shared Address Space — is *EXPLICITLY*
> /not/ a part of RFC 1918 — Private Internet (Space). And I do mean
> /explicitly/.

I understand the reasoning. I appreciate the need. I just do not agree with the conclusion to waste a /10 on beating a dead horse. A /24 would have been a more appropriate way of moving the cost of ipv6 non-deployment to those responsible. (put in RFC timescale, 6598 is 3000+ RFCen later than the v6 specification. That is a few human-years. There are no excuses for non-compliance except cheapness.)

Easing the operation of CGN at scale serves no purpose except stalling necessary change. It is like installing an electric blanket to cure the chill from bed-wetting.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
I'm a nuclear submarine under the polar ice cap and I need a Kleenex!
Re: Request comment: list of IPs to block outbound
Subject: Re: Request comment: list of IPs to block outbound
Date: Sun, Oct 13, 2019 at 09:24:39AM -0700
Quoting William Herrin (b...@herrin.us):

>
> > 100.64.0.0/10 Private network Shared address space[3] for
> > communications between a service
> > provider and its subscribers
> > when using a carrier-grade NAT.
>
> This space is set aside for your ISP to use. like RFC1918 but for ISPs. It
> is not specifically CGNAT. Unless you are an ISP using this space, you
> should not block destinations in this space.

I have a hard time finding text that prohibits me from running machines on 100.64/10 addresses inside my network. It is just more RFC1918 space, a /10 unwisely spent on stalling IPv6 deployment.

/Måns, guilty.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
It's OKAY -- I'm an INTELLECTUAL, too.
Re: IPAM recommendations
Subject: IPAM recommendations
Date: Thu, Sep 05, 2019 at 05:35:19PM +0900
Quoting Mehmet Akcin (meh...@akcin.net):

> Looking for IPAM recommendations, preferably open source, API is a plus
> (almost must, almost..). 40-50K IPs to be managed.

nipap

infoblox if you are an enterprise needing AD herding and got too much cash.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
I had pancake makeup for brunch!
Re: OT: Tech bag
Subject: Re: OT: Tech bag
Date: Mon, Aug 05, 2019 at 01:07:23PM -0700
Quoting Aaron Russo (aru...@pixar.com):

> I have been really happy with my Tom Bihn Brain Bag (https://tombihn.com).
> I carry a 15in and 13in laptop along with a snake charmer accessory for all
> my cables. If you loosen the straps there's plenty of room to also stuff a
> jacket AND a small to medium sized UPS parcel if need be.

The Brain Bag continues to serve me well, after some 10 years. Definitely seconded. As EDC it holds all I need, and works for a short trip, too.

For serious install work, (bordering on truck roll) I end up carrying a fiber measurement/maintenance box (a small Peli-style case) and my leather tool case. Anything described with the phrase "distinctive standard issue cases, produced for over half a century." immediately creates desire.

https://www.canford.co.uk/Products/16-389_TOOLMARK-TOOL-CASE-No.6-Brown-with-handles

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Do you guys know we just passed thru a BLACK HOLE in space?
Re: Protecting 1Gb Ethernet From Lightning Strikes
Subject: Re: Protecting 1Gb Ethernet From Lightning Strikes
Date: Wed, Aug 14, 2019 at 02:01:01PM +0200
Quoting Bjørn Mork (bj...@mork.no):

> Måns Nilsson writes:
>
> > /Måns, has 6 pairs 9/125 between garage and house at home.
>
> Now you made me worry that my single OM4 pair to the garden shed might
> be insufficient ;-)

I have but one comment: "Friends don't let friends run multimode."

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Yow! I'm having a quadrophonic sensation of two winos alone in a steel mill!
Re: Protecting 1Gb Ethernet From Lightning Strikes
Subject: Protecting 1Gb Ethernet From Lightning Strikes
Date: Tue, Aug 13, 2019 at 02:22:12PM -0400
Quoting Javier J (jav...@advancedmachines.us):

> I'm working with a client site that has been hit twice, very close by
> lightning.
>
> I did lots of electrical work/upgrades/grounding but now I want to focus on
> protecting Ethernet connections between core switching/other devices that
> can't be migrated to fiber optic.

If lightning comes so close that it will break things inside the same facility because they are connected by structured cabling, two things typically have failed:

* The building as such is not adequately protected.
* There exist too large potential differences within the electrical system inside the building.

For #1, telecoms regulations on site grounding and protection give good, albeit expensive advice. The most important part is that all cabling enter the facility with its screens at common potential. The reason is that most blown equipment comes from in-ground potential difference between different cables. (I've poured shattered IC's out of a poor ADSL router after such a strike.) If that potential difference is cancelled upon entry in the facility by bonding all grounds the risk is minimised.

For #2, it is mostly solved by fixing #1, but it is proper to fix it by mesh-connecting grounds on all equipment together. If there is a 10mm^2 (around AWG7) bonding conductor parallel to the 0,14mm^2 (AWG25) drain wire in the foil screen, which way will the current take? Do note that star grounds are popular, but they're impossible to maintain and typically don't work at high frequencies, which will lessen their efficiency against fast-rising transients. Mesh grounds are better at conducting high frequencies and are easier to maintain.

Having several power utility feeds into the same facility will of course exacerbate the problem, which is one of the reasons it is illegal in Sweden.

If you need to cross between two buildings, copper should be rejected. Fiber is so much better. And pays for itself immediately upon first strike survived.

/Måns, has 6 pairs 9/125 between garage and house at home.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
I feel partially hydrogenated!
Re: Time and Timing Servers
Subject: Re: Time and Timing Servers
Date: Thu, Jul 11, 2019 at 09:11:13PM +0200
Quoting Karsten Elfenbein (karsten.elfenb...@gmail.com):

> I think you are referencing their chip scale atomic clocks. Which are very
> frequency stable. But still need phase alignment. (Mobile UPS anyone?)

This is not a new problem.

http://www.leapsecond.com/hpj/v15n11/

Fascinating reading.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
YOW!! Now I understand advanced MICROBIOLOGY and th' new TAX REFORM laws!!
Re: Time and Timing Servers
Subject: Re: Time and Timing Servers
Date: Thu, Jul 11, 2019 at 10:23:41AM -0500
Quoting Mike Hammett (na...@ics-il.net):

> I'll look into Meinberg.

Meinberg are nice people with good hardware. They can do 2048KHz from GPS and other timing signals, for instance. Then again, some router vendors do that in boxes you need anyway. As long as the controlling clock is PTP.

> A recent thread mentioned high-sensitivity receivers often allow GPS to work
> inside. Obviously "inside" has a lot of definitions.

Indeed. Colo buildings rarely are on the forgiving side of "inside". In Sweden, most older central offices are built to some degree of bomb proofness (certainly not safe from direct hit), with some 10mm of steel in shutters for all windows, etc. GPS fares not well there.

> I will need this facility for the TDM timing signals. It's a central office,
> not a datacenter.

Then you're concerned with frequency and phase to ITU-T G.812, I suspect. Unless this is your "central central" office, in which case you need G.811.

> I don't know that Internet-based NTP would be accurate enough for the timing
> signals that I need.

Maybe, maybe not. The current trend in today's large frequency/phase consumers, i.e. mobile, is to run PTP over backhaul. Well behaved NTP _could_ make it, I suspect, given a good enough clock in the facility, but PTP will definitely work, assuming you have transmission and hardware capable of doing it. "Capable" here means dark fibre or WDM is required together with routers and switches that can act as boundaries in the PTP sense. If you rent MPLS or are using plain Internet infrastructure, it becomes a lot more complicated. There are frequency/phase transmission solutions (mostly broadcast related) that easily can transfer your central central cæsium clock frequency to another site using reasonable-quality IP transport, but those are neither cheap nor fire-and-forget.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
I'm gliding over a NUCLEAR WASTE DUMP near ATLANTA, Georgia!!
Re: SFP supplier in Europe?
Subject: SFP supplier in Europe?
Date: Thu, Apr 04, 2019 at 10:09:15PM +0200
Quoting nanog-...@mail.com (nanog-...@mail.com):

> Hello NANOG,
>
> Could somebody recommend an SFP supplier in Europe with a warehouse in the EU
> and fast shipping? I need to pick up some 80km Bidi SFPs and I'd prefer to
> use a supplier that has and will keep stock locally.

With the caveats discussed in the thread taken into consideration, I'd pitch in that both FS and FlexOptix have proven useful to me. Flex got me a very specific coding (Siemens SDH gear compatible) in no time, and FS are -- for stocked items -- hard to beat on price and shipping time. Both being inside the EU means zero hassle with customs, which is important. (Poor Brits, what have they done to themselves?)

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Are we on STRIKE yet?
Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
Subject: Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
Date: Thu, Feb 28, 2019 at 08:47:19AM +
Quoting Mike Meredith (mike.mered...@port.ac.uk):

> On 27 Feb 2019 13:07:09 -0500, "John Levine" may have
> written:
> > The IETF one says that nobody used type 99, and some of the few
> > implementations we saw were broken, so we deprecated it.
>
> And just after I'd finished adding in all the SPF records too, so I had to
> turn around and take all them out again immediately after.

You did not have to. I still have them in. (As well as TXT records that almost look like them, but mostly are there to tickle parser bugs.) I still get queries for SPF. Obviously "TXT as RRtype for SPF data" is a failure and needs to be re-deprecated. (No, I'm joking, but I wish I wasn't.)

Type-squatting is bad for the Internet, and should be discouraged. And, Carthago should be destroyed.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Yow! Now I get to think about all the BAD THINGS I did to a BOWLING BALL when I was in JUNIOR HIGH SCHOOL!
Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
Subject: Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
Date: Wed, Feb 27, 2019 at 07:59:49PM -0800
Quoting Seth Mattinen (se...@rollernet.us):

> On 2/27/19 7:02 PM, b...@theworld.com wrote:
> > I have proposed many times to just move domain WHOIS data into a new
> > RRTYPE and let whoever owns the domain put in that whatever they want,
> > including (and perhaps most usefully for many) just a URL for further
> > detail.
>
>
> We kind of have that with RP records. But does anyone do it?

I do, as preserver of strange RRtypes people try to deprecate.

    dig @primary.se besserwisser.org AXFR | awk '\
    /^;/ { next; };
    /besserwisser.org/ { types[$4]++; };
    END { for ( RRTYPE in types ) { count++; printf "%s\t%d\n", RRTYPE, types[RRTYPE]; }; printf "Total:\t%d rrtypes in zone\n", count; };'

    NS      5
            21
    DNSKEY  3
    SPF     1
    A       28
    NSEC    62
    AFSDB   3
    RP      1
    MX      2
    CNAME   9
    SOA     2
    RRSIG   147
    TXT     6
    SSHFP   14
    SRV     20
    DS      4
    Total:  16 rrtypes in zone

(Yes, there's a bug there, but the end figure is correct.)

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
TONY RANDALL! Is YOUR life a PATIO of FUN??
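A Python counterpart to the awk one-liner in the post above, added here as an example and not the author's own script. It parses dig AXFR-style text, counts records per RRtype, counts the SOA that brackets an AXFR only once, and reports lines that do not have the owner/TTL/class/type shape under a separate key instead of letting them land under an empty one. The zone data is a constructed sample, not the real besserwisser.org zone, and the function names are this example's own. An inventory like this is the quick way to spot record types you did not expect in a zone: a leftover SPF (type 99) record beside its TXT twin, an RP record nobody maintains, or an unknown type in RFC 3597 TYPEnnnn presentation.

```python
import collections

# dig prints each record as owner, TTL, class, type and rdata, tab separated.
def rr(owner, ttl, rrtype, rdata):
    return "\t".join((owner, str(ttl), "IN", rrtype, rdata))

Z = "besserwisser.org."
SOA_RDATA = "primary.example. hostmaster.besserwisser.org. 2019022701 7200 3600 1209600 3600"

# Constructed AXFR output for a hypothetical zone (not real zone data).
SAMPLE_AXFR = "\n".join([
    "; <<>> DiG 9.x <<>> @primary.example besserwisser.org AXFR",
    ";; global options: +cmd",
    rr(Z, 3600, "SOA", SOA_RDATA),
    rr(Z, 3600, "NS", "primary.example."),
    rr(Z, 3600, "NS", "secondary.example."),
    rr(Z, 3600, "RP", "hostmaster.besserwisser.org. besserwisser.org."),
    rr(Z, 3600, "SPF", '"v=spf1 mx -all"'),      # type 99, the one RFC 7208 deprecates
    rr(Z, 3600, "TXT", '"v=spf1 mx -all"'),
    rr(Z, 3600, "TYPE65534", "\\# 1 00"),        # unknown type, RFC 3597 presentation
    rr("www." + Z, 3600, "CNAME", Z),
    "besserwisser.org.\t3600\tIN",               # constructed truncated line
    rr(Z, 3600, "SOA", SOA_RDATA),               # an AXFR ends by repeating the SOA
    ";; Query time: 12 msec",
    "",
])

CLASSES = {"IN", "CH", "HS"}


def count_rrtypes(axfr_text):
    """Count records per RRtype in dig AXFR output.

    Comment lines (';') and blank lines are skipped.  A record must look like
    'owner TTL class TYPE rdata'; anything else is counted as MALFORMED
    rather than under an empty type name.  The SOA is counted once even
    though an AXFR prints it at both ends of the transfer.
    """
    counts = collections.Counter()
    seen_soa = False
    for line in axfr_text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        fields = line.split(None, 4)  # owner, ttl, class, type, rdata
        if len(fields) < 4 or not fields[1].isdigit() or fields[2] not in CLASSES:
            counts["MALFORMED"] += 1
            continue
        rrtype = fields[3]
        if rrtype == "SOA":
            if seen_soa:
                continue
            seen_soa = True
        counts[rrtype] += 1
    return counts


def rrtype_total(counts):
    """Number of distinct real RRtypes, excluding the MALFORMED bucket."""
    return sum(1 for t in counts if t != "MALFORMED")


def summarize(axfr_text):
    """Report in the same 'TYPE<tab>count ... Total:' layout as the awk script."""
    counts = count_rrtypes(axfr_text)
    lines = [f"{t}\t{n}" for t, n in sorted(counts.items()) if t != "MALFORMED"]
    lines.append(f"Total:\t{rrtype_total(counts)} rrtypes in zone")
    if counts.get("MALFORMED"):
        lines.append(f"Skipped:\t{counts['MALFORMED']} malformed lines")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_AXFR))
```

To run it against a real zone you control, feed it the output of dig AXFR instead of SAMPLE_AXFR; the parser only needs the standard one-record-per-line presentation dig produces.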
Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
Subject: Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
Date: Wed, Feb 27, 2019 at 01:07:09PM -0500
Quoting John Levine (jo...@iecc.com):

> In article <20190227161327.ga27...@besserwisser.org> you write:
> >that is RFC 7208.[0]
>
> >[0] This document tries to deprecate RRTYPE 99 for SPF. By stating that
> >only TXT records can be trusted. ...
>
> This must be a very different RFC 7208 from the one that the IETF published.
>
> The IETF one says that nobody used type 99, and some of the few
> implementations
> we saw were broken, so we deprecated it.

We will never agree on that. Because I think you were, and are, wrong. Mostly out of eagerness and lack of patience. I'm fairly certain you think I have no idea what I'm talking about.

But, to rehash, a little less subtle: My point was that the general state of criminal ignorance about the finer nuances of DNS is so widespread that around 2038 we'll have an abstraction layer entirely built out of mile-long CNAME chains, because nobody remembers any other record type. CNAMEs we tried to forget too, replacing them with something out of the olde annals of Compuserve, but since the golden standard of resiliency and load balancing is a chain of them pointing into a bookstore's spare servers, we really can't do without them.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Don't worry, nobody really LISTENS to lectures in MOSCOW, either! ... FRENCH, HISTORY, ADVANCED CALCULUS, COMPUTER PROGRAMMING, BLACK STUDIES, SOCIOBIOLOGY! ... Are there any QUESTIONS??
Re: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
Subject: RE: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
Date: Wed, Feb 27, 2019 at 10:17:22AM -0500
Quoting Eric Tykwinski (eric-l...@truenet.com):

> > Nah, you know, that won't happen any time soon. Mozilla is busy doing
> > other, more important things, like streaming all of the users' DNS queries
> > to Cloudflare, etc. The plain old security doesn't count anymore.
> >
> > --
> > Töma
>
> This was sort of discussed awhile ago:
> Adam Langley:
> https://www.imperialviolet.org/2015/01/17/notdane.html

Calling TXT or DANE non-standard is a remarkable statement. Smells of the deeply flawed reasoning that brought us the festering pile of defeatism that is RFC 7208.[0]

As I wrote a few messages upthread, the user can not expect the network to be trustworthy, and still, we who run the network would very much like their business. So, what we must constantly strive for is maximum transparency, carrying as much of the Internet experience, good or bad, to the end user.

Or, more terse: "Middleboxes are bad for you."

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
I demand IMPUNITY!

[0] This document tries to deprecate RRTYPE 99 for SPF. By stating that only TXT records can be trusted. Apparently, it is possible to decide on the fly which RRtypes are possible to query for, depending on the argument.
Re: A Deep Dive on the Recent Widespread DNS Hijacking
Subject: Re: A Deep Dive on the Recent Widespread DNS Hijacking
Date: Mon, Feb 25, 2019 at 05:04:39PM +1100
Quoting Mark Andrews (ma...@isc.org):

> I would also note that an organisation can deploy RFC 5011 for their own
> zones and have their own equipment use DNSKEYs managed
> using RFC 5011 for their own zones. This isolates the organisation’s
> equipment from the parent zone’s management practices.
>
> I would also note that you can configure validating resolvers to expect
> secure responses for parts of the namespace and to reject
> insecure responses even when they validate as insecure.

One thing that immediately struck me upon reading the Krebs post was that people got owned by having to downgrade the end-to-end model of the Internet into Proxy-land. A hotel wifi. Probably only challenged by "Free Wifi" in other spaces in its ability to demolish the Internet as thought out and envisioned.

We can conclude in two different directions here;

* We need to work on making the Internet more transparent to applications, and thus increasing security.
* We're all doomed anyway. DNSSEC is useless.

Pick whichever you like. Our children will judge us.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
My EARS are GONE!!
Re: How are you configuring BFD timers?
--On 22 mars 2018 23:45:16 +0200 Saku Ytti <s...@ytti.fi> wrote:

> On 22 March 2018 at 22:41, Måns Nilsson <mansa...@besserwisser.org> wrote:
>
> > Subject: Re: How are you configuring BFD timers? Date: Wed, Mar 21, 2018
> > at 04:24:47PM + Quoting Job Snijders (j...@instituut.net):
> > > Silly question perhaps, but why would you do BFD on dark fiber?
> >
> > Because Ethernet lacks the PRDI that real WAN protocols have.
>
> Indeed, RFI on ethernet is rather modern addition, turning 20 this year.

(You just reminded me I've been doing some sort of WAN network ops for about 20 years.)

That does indeed solve the problem for dark fibre, and those lucky WDM systems that actually reflect input status to output. Not always true, I'm afraid (just look at the Ethernet switch mid-span that Thomas Bellman wrote about; a fitting metaphor for all "ethernet-over-other.." models..). Ethernet still regards "no frames seen on the yellow coax" as an opportunity to send traffic rather than an error, if we're talking old things ;-). BFD solves that, and it is worthwhile to have one setup regardless of technology, if possible.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
CHUBBY CHECKER just had a CHICKEN SANDWICH in downtown DULUTH!
Re: How are you configuring BFD timers?
Subject: Re: How are you configuring BFD timers?
Date: Wed, Mar 21, 2018 at 04:24:47PM +
Quoting Job Snijders (j...@instituut.net):

> Silly question perhaps, but why would you do BFD on dark fiber?

Because Ethernet lacks the PRDI that real WAN protocols have.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
If I am elected no one will ever have to do their laundry again!

PS: Don't get me wrong. I'm all for Ethernet, it is cheap (or perhaps, SDH/SONET line cards were artificially expensive) and it makes networks faster more often, by virtue of interface cheapness. But one really needs to tack about half the signalling from SDH onto Ethernet (here, BFD) to get some predictability from it. Which is OK, it was made for NFS and Telnet on a LAN. It does really well considering that.
Re: listserv hosed? [Was: Fwd: nanog.org mailing list memberships reminder]
Subject: Re: listserv hosed? [Was: Fwd: nanog.org mailing list memberships reminder]
Date: Fri, Feb 02, 2018 at 04:04:54PM -0500
Quoting valdis.kletni...@vt.edu (valdis.kletni...@vt.edu):

> And you have reason to think that it *still* does things that way, 17 years
> later?

I honestly do not know, but I'd suspect so. More of a hunch than anything else, though.

It *was* very fast back then, though. Today, not so much of a competitive edge.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Hold the MAYO & pass the COSMIC AWARENESS ...
Re: listserv hosed? [Was: Fwd: nanog.org mailing list memberships reminder]
Subject: Re: listserv hosed? [Was: Fwd: nanog.org mailing list memberships reminder]
Date: Fri, Feb 02, 2018 at 06:30:20AM -0500
Quoting Rich Kulawiec (r...@gsp.org):

> 1. It's not a listserv. It's a mailing list. ListServ is obsolete,
> expensive, closed-source garbage software used exclusively by people
> who don't know any better and like to waste their money.

Butbutbut! A VM/370 app that still does all internal processing in EBCDIC, even on POSIX OSes[0], with almost-ascii config files, and that ran very well on VMS? What is there not to love?

/Måns, former sysop at SEGATE.SUNET.SE

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
What's the MATTER Sid? ... Is your BEVERAGE unsatisfactory?

[0] Eric Thomas, mr LISTSERV himself, told me this when we were migrating that large LISTSERV one dark night 17 years ago.
Re: IPv6 migration steps for mid-scale isp
Subject: Re: IPv6 migration steps for mid-scale isp
Date: Wed, Sep 20, 2017 at 12:04:45PM -0300
Quoting Owen DeLong (o...@delong.com):

> > iBGP is scalable, you can introduce router reflectors to avoid full mesh
> > peering between PE routers – and the sky is your limit!
>
> I think in general most serious networks consider this a question of OSPF
> vs. ISIS for IGP and BGP is the only choice for EGP.
>
> I find it interesting that you don’t even mention ISIS in your discussion.
>
> I don’t know of any substantial networks running EIGRP these days. I’m not
> saying they don’t exist, but they are certainly rare exceptions.

The fact that we'll be running dual-stack for perhaps another decade and that there are no 36-hour days available makes the choice very simple; IS-IS is my preferred choice. One routing instance less.

But, I'd rather limit the IS-IS scope to "links and loopbacks" -- there is no need to have link-state flooding for a customer network that will always be originated from one specific access router. iBGP is much more appropriate for that. As long as I'll have one working path up to that router I can rely on BGP to tell me where the network is.

The key is the time domain. If the topology is likely to be changing slowly (customer moves premises or commissions new connection), use BGP to signal it. If the topology is potentially unstable, i.e. subject to backhoes and similar, use IS-IS.

Oh, by the way; I concur with Owen: EIGRP is not done. I've stumbled on it once the last decade, and it was a PABX network engineer who insisted.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Am I in GRADUATE SCHOOL yet?
Re: Virtual or Remote Peering
Subject: Re: Virtual or Remote Peering
Date: Wed, Aug 16, 2017 at 08:02:47AM -0500
Quoting Mike Hammett (na...@ics-il.net):

> > > How well does this service work? I understand it usually involves
> > > point-to-multipoint Switched Ethernet with VLANs and resold IX ports.
> > > Sounds like a service for ISP that would like to peer, but have relatively
> > > small volumes for peering purposes or lopsided volumes.
> >
> > It's like buying regular ip-transit, but worse.
>
> That seems to be a rather lopsided opinion.

You get connections to other operators over an unreliable path that you have no control over, and the opportunities to keep traffic local are limited. Adding to that, it is all your fault since your provider does not do L3 and can claim a very passive rôle in the process.

Like transit, but worse.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
YOW!! The land of the rising SONY!!
Re: Dyn DDoS this AM?
Subject: Re: Dyn DDoS this AM?
Date: Sat, Oct 22, 2016 at 01:37:09AM +0200
Quoting Niels Bakker (ni...@bakker.net):

> * mansa...@besserwisser.org (Måns Nilsson) [Sat 22 Oct 2016, 01:27 CEST]:
> > Also, do not fall in the "short TTL for service agility" trap.
>
> Several CDNs, Akamai among them, do use short TTLs for this exact reason.
> Server load is constantly monitored and taken into account when crafting DNS
> replies.

But the problem is that this trashes caching, and DNS does not work without caches. At least not if you want it to survive when the going gets tough.

If we're going to solve this we need to innovate beyond the pathetic CNAME chains that today's managed DNS services make us use, and get truly distributed load-balancing decision-making (which only will work if you give it sensible data; a single CNAME is not sensible data) all the way out in the client application.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Well, I'm INVISIBLE AGAIN ... I might as well pay a visit to the LADIES ROOM ...
Re: Dyn DDoS this AM?
Subject: Re: Dyn DDoS this AM?
Date: Sat, Oct 22, 2016 at 01:19:24AM +0200
Quoting Niels Bakker (niels=na...@bakker.net):

> The point of outsourcing DNS isn't just availability of static hostnames,
> it's the added services delivered, like returning different answers based on
> source of the question, even monitoring your infrastructure (or it reporting
> load into the DNS management system).
>
> That is very hard to replicate with two DNS providers.

Surely, it must be better to use a singular service that is provably easy to take out. The advantages are overwhelming.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Yow! Are we wet yet?
Re: Dyn DDoS this AM?
Subject: Re: Dyn DDoS this AM?
Date: Fri, Oct 21, 2016 at 03:21:20PM -0700
Quoting David Birdsong (da...@imgix.com):

> On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush <ra...@psg.com> wrote:
>
> > anyone who relies on a single dns provider is just asking for stuff such
> > as this.
> >
> > randy
>
> I'd love to hear how others are handling the overhead of managing two dns
> providers. Every time we brainstorm on it, we see it as blackhole of eng
> effort WRT to keeping them in sync and then waiting for TTLs to cut an
> entire delegation over.

The fault is giving up the primary for an API connection. Sure, it is tempting.

We do, however, need to push the "application-integrated" DNS vendors harder. They need to give their customers more choice in how the DNS is populated. They also very much need to let people with above-mentioned "application-integrated" needs add third party DNS providers in the mix. This diversity capability is what makes DNS resilient. Monocultures have suboptimal survivability in the long run.

Adding DNS providers when you control the primary is completely painless. With EDNS0 there's lots of room for insanely large NS RRSETs.

Also, do not fall in the "short TTL for service agility" trap.

Besides, what Randy wrote.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Hold the MAYO & pass the COSMIC AWARENESS ...
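A small audit of the two points argued in these Dyn posts (more than one provider in the NS RRset, and no "service agility" TTLs on it), added here as an example and not taken from the thread. It reads dig-style NS records, groups the name servers by the provider they belong to (approximated as the last two labels of the server name, an assumption that misgroups providers under multi-label public suffixes such as co.uk), and flags an RRset that is served by a single provider or carries TTLs below a threshold. The zone, server names and provider names are constructed.

```shell
#!/bin/sh
# Audit an NS RRset for single-provider dependence and short TTLs.
# Added example; the zone, name servers and providers below are constructed.

# Constructed "dig +noall +answer example.org NS"-style output.
# Both servers sit with one provider and the TTL is 5 minutes.
sample_ns_single() {
cat <<'EOF'
example.org.  300  IN  NS  ns1.dnshost-a.example.
example.org.  300  IN  NS  ns2.dnshost-a.example.
EOF
}

# Constructed RRset spread over two providers plus an in-house server.
sample_ns_diverse() {
cat <<'EOF'
example.org.  86400  IN  NS  ns1.dnshost-a.example.
example.org.  86400  IN  NS  ns2.dnshost-a.example.
example.org.  86400  IN  NS  ns1.dnshost-b.example.
example.org.  86400  IN  NS  ns.example.org.
EOF
}

# audit_ns MIN_TTL < ns-records
# Prints one "provider<TAB>count" line per distinct provider (the name
# server's last two labels, an approximation of its registrable domain)
# and a verdict line. Exit status is 0 when at least two providers serve
# the zone and every NS TTL is >= MIN_TTL, 1 otherwise.
audit_ns() {
  awk -v min_ttl="$1" '
    /^;/ || $4 != "NS" { next }        # comments and non-NS records
    {
      n = split($5, lbl, ".")          # trailing dot yields an empty last label
      if (lbl[n] == "") n--
      prov = lbl[n-1] "." lbl[n]
      providers[prov]++
      if ($2 + 0 < min_ttl + 0) short++
      total++
    }
    END {
      for (p in providers) { np++; printf "%s\t%d\n", p, providers[p] | "sort" }
      close("sort")
      ok = (np >= 2 && short == 0)
      printf "Verdict:\t%d NS in %d providers, %d below TTL %d -> %s\n",
             total, np, short, min_ttl, (ok ? "OK" : "FIX")
      exit(ok ? 0 : 1)
    }
  '
}

echo "# single-provider RRset with short TTLs"
sample_ns_single | audit_ns 3600 || true
echo "# diverse RRset"
sample_ns_diverse | audit_ns 3600 || true
```

Feed it `dig +noall +answer zone NS` (or the delegation from the parent, which is what resolvers actually see) and use the exit status in a periodic job; the TTL threshold is a policy choice, the point being that the NS set itself should not be the thing you spin quickly.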
Re: Cost-effectivenesss of highly-accurate clocks for NTP
Subject: Re: Cost-effectivenesss of highly-accurate clocks for NTP
Date: Sun, May 15, 2016 at 03:21:02PM +
Quoting Mel Beckman (m...@beckman.org):

> The upshot is that there are many real-world situations where expensive clock
> discipline is needed. But IT isn't, I don't think, one of them, with the
> exception of private SONET networks (fast disappearing in the face of metro
> Ethernet).

Pro audio is moving to Ethernet (they talk about it, Ethernet, as either "RJ45" or "Internet"...) and sometimes even to IP at a fairly rapid pace. If you think the IP implementations in IoT devices are naïve, wait until you've seen what passes for broadcast quality network engineering.

Shoving digital audio samples in raw Ethernet frames is at least 20 years old, but the last perhaps 5 years has seen some progress in actually using IP to carry audio streams. (this is close-to-realtime audio, not file transfers, btw.)

A lot of audio is sent using codecs like Opus, with SIP as signalling. That works quite nicely. We've got a smartphone app to do that, for instance. But, this is all mostly floating in terms of absolute sampling frequency.

Digital audio needs a clock to work. In the simple home stereo case, this is taken care of by listening to the pace samples arrive at, and using that. But as soon as you are mixing two sources, they need to be in tune. Something needs to decide what to use as master. In the smartphone case, we simply buffer some 20-100ms of audio and start playing back, using our own clock. Then we hope the interview is over before the buffer is overflowing or drained. Which mostly works.

Inside facilities, when we use the SIP-signalled streams, we usually can rely on a separate clock distribution. In our specific case, we've bought country-wide clock distribution that gives us the same sample clock in all facilities. (Digital TV is mostly built as single frequency networks, which requires syntonous (at least) transmitters. Thus, it today is quite easy to find providers of frequency in the broadcast business.)

Now, the Audio Engineering Society has published AES67 which in essence is multichannel, multicast RTP audio (L48 mediatype, i.e. linear 48KHz 24-bit) synchronized by PTP, also multicast. Now, bear in mind that I wrote _synchronized_, not _syntonized_. Up to now, the only thing that mattered to keep track of was frequency. Since one of the big reasons for AES67 is distributing sound to several different loudspeakers that can be heard by one listener simultaneously, the prime example being a stereo pair of active loudspeakers with one network jack on each, _phase_ matters, as well as absolute time. (Mostly, telco synchronization mentions absolute time as phase.)

This application requires absolute time, since a mono sound in our stereo example needs to play back _at the same time_ from both speakers. Or it ceases to be a mono sound, instead becoming a sound that is offset in the soundstage by delaying it. Most classical stereo recordings are mono in terms of level, but not in terms of the time domain; since they derive all spatial info from time, not gain. Like we humans do.

The usual test case is to buy a PTP-aware switch, a PTP Grand Master, steered by and build a small LAN, test that Vendor A and Vendor B can send audio between themselves via this simple network and call it a day. That is a nice lab setup. Also very far from what needs to be built in order to solve the actual production cases.

But, to try to return to "relevant for NANOG", there are actual products requiring microsecond precision being sold. And used. And we've found that those products don't have a very good holdover. On ranty days I usually accuse them of having hotglued an Ethernet adapter onto the old TDM-based audio devices and sent them out to customers with a prayer and instructions to build an overengineered network to make certain that PTP always is delivered with zero IPDV.

A lot of strange things are getting network connectors these days. Not all of them are content with a http connection to some cloud provider.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
The PILLSBURY DOUGHBOY is CRYING for an END to BURT REYNOLDS movies!!
Re: Top-shelf resilience (Re: Why the US Government has so many data centers)
Subject: Top-shelf resilience (Re: Why the US Government has so many data centers)
Date: Tue, Mar 22, 2016 at 07:59:24PM +
Quoting Jay R. Ashworth (j...@baylink.com):

> This seems like a good time to mention my favorite example of such a thing.
>
> In the Navy, originally, and it ended up in a few other places, there was
> invented the concept of a 'battleshort', or 'battleshunt', depending on whom
> you're talking to.

I've built one, sort of. In an outdoor broadcasting vehicle. See, in order to get a working grounding scheme, the PDU in the bus gets to serve as power source for a lot of things that might find themselves outside, in climate. 200VDC feeds in triaxial cables to cameras, for instance. (this was before cameras were connected with singlemode fiber, but after the era of the multicore "shower handle" connectors) All this was of course built for some exposure to the elements but not for drenching. During setup, it was decided to protect people with a GFCI breaker on the main three-phase bus in the bus[0][1], but once setup, people were not really supposed to gefingerpoken the thingamaboobs, so in the interest of reliability a bypass was created for the GFCI breaker.

This had to be built in-house, since no electrical contractor even wanted to contemplate it. So we did.

/Måns, ex-builder of analog broadcast facilities.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
First, I'm going to give you all the ANSWERS to today's test ... So just plug in your SONY WALKMANS and relax!!

[0] Pun not intended but carefully kept once discovered.
[1] This is (continental) Europe, where we are not afraid of 405VAC three-phase mains. Tesla was European. Edison was born to American parents.
Re: junkmailers take the day off....?
Subject: Re: junkmailers take the day off?
Date: Sun, Mar 20, 2016 at 01:50:31AM +
Quoting Mel Beckman (m...@beckman.org):

> I'm seeing the same thing. Weird.
>
> -mel via cell
>
> > On Mar 19, 2016, at 6:29 PM, Mike <mike-na...@tiedyenetworks.com> wrote:
> >
> > Hi,
> >
> > This is not a complaint, but today seems to be a major disturbance in
> > the force...my junkmail load seems to be WAAA down today, like they all
> > are out at the beach or something... some major botnet get shutdown or
> > something???

A large portion of the Swedish newspaper web sites were hit with a fairly large attack yesterday evening MET, around 1830UTC. Perhaps the keyword is "retasked".

Fwiw, I also saw a decline in my spamcount.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
VICARIOUSLY experience some reason to LIVE!!
Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it
Subject: Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it
Date: Wed, Jan 27, 2016 at 05:36:13PM -0800
Quoting Owen DeLong (o...@delong.com):

> > On Jan 27, 2016, at 14:43 , Måns Nilsson <mansa...@besserwisser.org> wrote:
> >
> > Subject: Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane
> > Electric - and how to solve it Date: Fri, Jan 22, 2016 at 12:28:01PM +
> > Quoting Brandon Butterworth (bran...@rd.bbc.co.uk):
> >
> > > tier 1 seems consistent with Cogent's refusal.
> >
> > one does not become a tier 1 by refusing to peer. an actual tier 1 will
> > of course most of the time refuse settlement-free interconnection with
> > smaller actors to protect their revenue stream, but the traffic volumes
> > and short settlement-free paths to large parts of the Internet are what
> > make them a tier-1.
>
> I disagree with this last part.

So do I, actually. I was just reporting what Tier-1 operators might feel be good for business. Not that I believe that they're right.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
On SECOND thought, maybe I'll heat up some BAKED BEANS and watch REGIS PHILBIN ... It's GREAT to be ALIVE!!
Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it
Subject: Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it
Date: Fri, Jan 22, 2016 at 12:28:01PM +
Quoting Brandon Butterworth (bran...@rd.bbc.co.uk):

> tier 1 seems consistent with Cogent's refusal.

one does not become a tier 1 by refusing to peer. an actual tier 1 will of course most of the time refuse settlement-free interconnection with smaller actors to protect their revenue stream, but the traffic volumes and short settlement-free paths to large parts of the Internet are what make them a tier-1.

do you hear me, medium-sized swedish isp full of clued people but with a serious case of peering reality distortion?

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Can you MAIL a BEAN CAKE?
Re: IGP choice
Subject: IGP choice
Date: Thu, Oct 22, 2015 at 06:57:01PM +0200
Quoting marcel.durega...@yahoo.fr (marcel.durega...@yahoo.fr):

> Hi everyone,
>
> Anybody from Yahoo to share experience on IGP choice ?
> IS-IS vs OSPF, why did you switch from one to the other, for what reason ?
> Same question could apply to other ISP, I'd like to hear some international
> ISP/carriers design choice, please.

We use IS-IS in our network mostly because I was around when a bunch of NREN switched to IS-IS some 15 years ago, and it stuck. It is, as has been noted, mostly a matter of preference, but there are one or two technical arguments for IS-IS that tip the scales for me;

- One IGP for both v6 and v4. Mostly interesting if you are running a lot of traffic outside VRFen. But nevertheless a good thing to keep v6 and v4 in sync.

- No leakage. Not many external peers speak IS-IS on their peering interfaces, so chances are that even if I do, nothing will fall over. This of course also applies to access interfaces, where my hosts won't even have an OSI stack and thus won't try to process the frames.

The argument for OSPF mostly is that there are several FOSS OSPF dæmons for Posixly machines, making it a good choice for things like anycast name servers or similar. We do run it for precisely this setup.

Do read the presentation Vijay Gill made and that people keep pointing to. It is a very good account of how to purge OSPF in favour of IS-IS.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'm also pre-POURED pre-MEDITATED and pre-RAPHAELITE!!
Re: How to wish you hadn't forced ipv6 adoption (was "How to force rapid ipv6 adoption")
Subject: How to wish you hadn't forced ipv6 adoption (was "How to force rapid ipv6 adoption")
Date: Thu, Oct 01, 2015 at 11:06:34PM -0400
Quoting Rob McEwen (r...@invaluement.com):

> I welcome IPv6 adoption in the near future in all but one area: the sending
> IPs of valid mail servers. Those need to stay IPv4 for as long as reasonably
> possible.

Using the link-level address to distinguish between good and bad email content was always daunting at best. Thanks for pointing out that this flawed behaviour must cease.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Why is it that when you DIE, you can't take your HOME ENTERTAINMENT CENTER with you??
Re: REMINDER: LEAP SECOND
Subject: REMINDER: LEAP SECOND
Date: Fri, Jun 19, 2015 at 01:06:22PM -0400
Quoting Jay Ashworth (j...@baylink.com):

> The IERS will be adding a second to time again on my birthday;

This time around there are a number of Vendor C devices that will fail in spectacular ways if not upgraded with a pretty new release -- Nexus and ASR1K being the two most interesting among those I've reviewed.

http://www.cisco.com/web/about/doing_business/leap-second.html#~ProductInformation

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'd like some JUNK FOOD ... and then I want to be ALONE --
Re: Enterprise network as an ISP with a single huge customer
Subject: Enterprise network as an ISP with a single huge customer
Date: Fri, Jun 12, 2015 at 08:08:29PM +0300
Quoting Stepan Kucherenko (t...@megagroup.ru):

> Hello,
>
> I'm sure lots of you work for big enterprises, and some of you work for
> biggest of them. How many of you architect your network as an ISP, with
> that enterprise as the biggest customer ? Office networks in l3vpn,
> VPLS/EVPN on top of your own network for DCI, etc ? Or is it usually
> just a single IGP domain with no unnecessary bells and whistles ?

We do at $dayjob (public service radio station network). We try to stay away from the TE side of MPLS, but the other knobs are in pretty much use.

A lot of our newer uses for the network are realtime audio in hi-fi quality. Latency is our enemy, and so we don't do TCP, we skip retransmits, buffers to be able to wait for a late packet are so short it rarely matters, etc. That means a lot of prioritisation being done. It is easier in our isp-type network.

As a very distributed company (in meatspace, but at the same time very unified in infrastructure) we sure need the flexibility. Doing this on usual VLAN/routing would not fly very well.

A lot of the devices we run aren't really fit for living with other networked devices, especially those devices fondled by Users. We usually just push them in another VRF.

> Do you think one approach is better than the other ? If so, why ?

I'd love to have a single flat routing domain. But I do not think it works with the kind of legacy stuff (some of it brand new...) we run.

> I understand that it usually comes down to specific circumstances and
> most likely scale but I'd still love to hear about your experience.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Concentrate on th'cute, li'l CARTOON GUYS! Remember the SERIAL NUMBERS!! Follow the WHIPPLE AVE. EXIT!! Have a FREE PEPSI!! Turn LEFT at th'HOLIDAY INN!! JOIN the CREDIT WORLD!! MAKE me an OFFER!!!
Re: most accurate geo-IP source to build country-based access lists
Subject: most accurate geo-IP source to build country-based access lists
Date: Mon, Jun 08, 2015 at 05:11:15PM +0300
Quoting Martin T (m4rtn...@gmail.com):

> Are there any other possibilities to geolocate IPv4 addresses with higher
> accuracy?

There are three levels of untruth: (in increasing order of falseness)

1. No, mom, I did not eat the pie.
2. There are no Russian soldiers in Crimea
3. IP Geolocation

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
GOOD-NIGHT, everybody ... Now I have to go administer FIRST-AID to my pet LEISURE SUIT!!
Re: AWS Elastic IP architecture
Subject: Re: AWS Elastic IP architecture
Date: Thu, Jun 04, 2015 at 01:16:03PM -0400
Quoting Christopher Morrow (morrowc.li...@gmail.com):

> On Thu, Jun 4, 2015 at 5:11 AM, Owen DeLong o...@delong.com wrote:
>
> > I’d argue that SSH is several thousand, not a few hundred.
> >
> > In any case, I suppose you can make the argument that only a few people
> > are trying to access their home network resources remotely other than via
> > some sort of proxy/rendezvous service. However, I would argue that such
> > services exist solely to provide a workaround for the deficiencies in the
> > network introduced by NAT. Get rid of the stupid NAT and you no longer
> > need such services.
>
> This is an interesting argument/point, but if you remove the rendezvous
> service then how do you find the thing in your house? now the user has to
> manage DNS, or the service in question has to manage a dns entry for the
> customer, right? Or something.
>
> you'll be moving the (some of the) pain from 'nat' to 'dns' (or more
> generally naming and identification). I think though that in a better world,
> a service related to the thing you want to prod from outside would manage
> this stuff for you. Possibly.
>
> It's important (I think) to not simplify the discussion as: Oh, with ipv6
> magic happens! because there are still problems and design things to
> overcome even with unhindered end-to-end connectivity.

You have successfully demonstrated that users will need some locating service. More so with the cure-all IPv6; because remembering hex is hard for People(tm).

You have, however, not shown that all the possible ways of building a locating service that become available once the end-points are uniquely reachable (and thus, as long as we're OK with finding just the right host, identifiable) present an equal level of suckage.

I believe that while the work indeed can be daunting for a sufficiently pessimal selection of users, the situation so improves (if we look at simplicity of protocol design and resulting fragility) when the end-points can ignore any middleboxes that the net result, measured as inconvenience imposed on a standard End User, will improve.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Why is everything made of Lycra Spandex?
Re: BGP in the Washngton Post
Subject: BGP in the Washngton Post
Date: Mon, Jun 01, 2015 at 09:24:33AM -0400
Quoting William Herrin (b...@herrin.us):

> Interesting story about BGP and security in the Washington Post today:
>
> http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/

sort of disappointed they did not quote randy using only lower case. looks weird.

once past that, good comment.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Isn't this my STOP?!
Re: Verizon Policy Statement on Net Neutrality
Subject: Re: Verizon Policy Statement on Net Neutrality
Date: Fri, Feb 27, 2015 at 05:25:41PM -0600
Quoting Jack Bates (jba...@paradoxnetworks.net):

> On 2/27/2015 5:09 PM, Måns Nilsson wrote:
> > What people want, at least once they have tasted it, is optical last mile.
> > And not that PON shit. The real stuff or bust.
>
> Yeah. Then they complain when a tornado wipes out their power and they
> can't make a phone call.

Given the state of the partially deregulated phone system and people tending to depend on DECT phones, that is a non-dividing issue, in a lot of cases. Me, I keep a landline with a rotary phone.

> It's hard to get DSL in some places in the country. Fiber? ha!

The current state of the affairs in rural / semi-rural USA is not the standard we should strive for. Focusing too hard on the limitations appearing as inherent to the casual observer will choke development. We can look at that techno-economical situation and use it as a starting point, but nothing else.

(were I more of an entrepreneur I'd look at no DSL available as a golden opportunity to get lots of fibre customers. Not replacing copper but augmenting it also solves the distress problem. That or a 12V battery to power the Ethernet converter and the ATA Box.)

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Well, I'm a classic ANAL RETENTIVE!! And I'm looking for a way to VICARIOUSLY experience some reason to LIVE!!
Re: Verizon Policy Statement on Net Neutrality
Subject: Re: Verizon Policy Statement on Net Neutrality Date: Fri, Feb 27, 2015 at 01:49:04PM -0600 Quoting Jack Bates (jba...@paradoxnetworks.net):
> <snip>
> Ideally, I suspect that most people would prefer a more variable approach, allowing for the complete frequency spectrum for upload and download and any combination in between.

What people want, at least once they have tasted it, is optical last mile. And not that PON shit. The real stuff or bust.

> Let's be honest, it would be nice to utilize wasted download frequency to send something quicker.

Any access technology with less than 1Gbit symmetrical bandwidth is 20th century. Doing greenfield with that is plainly stupid. There is business to be made from smaller upgrades to copper that is in place, but as soon as you dig (or set new poles in the ground), fiber is the only real alternative.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
I like your SNOOPY POSTER!!
signature.asc Description: Digital signature
Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment
Subject: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment Date: Mon, Feb 23, 2015 at 10:02:44AM -0500 Quoting Eric Germann (ekgerm...@cctec.com):
> Currently engaged on a project where they’re building out a VPC infrastructure for hosted applications.
> <snip>
> Thoughts and thanks in advance.

using the wasted /10 for this is pretty much equal to using RFC1918 space. IPv6 was invented to do this right.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
It's NO USE ... I've gone to CLUB MED!!
signature.asc Description: Digital signature
Re: v6 deagg
Subject: Re: v6 deagg Date: Sat, Feb 21, 2015 at 01:48:48PM +0100 Quoting Sander Steffann (san...@steffann.nl):
>> However, apparently there is no such process or intention available from the RIR in question (RIPE), short of explicitly asking for that specific prefix.
> So you asked to grow the /48 to a /47? Was it accepted? Or did you want the RIR to automatically grow your first assignment when you request a second one without you having to ask?

So far have just discussed it with my LIR, but will reinit this.

>> Of course this does not help every case, but supporting aggregation where possible certainly ought to be in-scope for most policy-making bodies in this area.
> Then please take this to the appropriate policy-making body: address-policy...@ripe.net :-)

Considering this as well.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
... this must be what it's like to be a COLLEGE GRADUATE!!
signature.asc Description: Digital signature
Re: v6 deagg
Subject: Re: v6 deagg Date: Fri, Feb 20, 2015 at 10:42:03AM +0100 Quoting Mikael Abrahamsson (swm...@swm.pp.se):
> From a technical point of view, I have little interest in my router handling the fact that an office at the other side of the planet shut down their router, and learning this via DFZ.

I'm working at one of those organisations who have a /48 and am announcing it into DFZ. We have a situation where I might have another site with separate connectivity to the DFZ (but there is internal networking) which would entitle me to another /48 according to RIR rules. I did ask my LIR whether there is any thought given to the possibility of getting the next higher prefix, thus creating a /47. They did understand the why perfectly well, of course. However, apparently there is no such process or intention available from the RIR in question (RIPE), short of explicitly asking for that specific prefix.

Of course this does not help every case, but supporting aggregation where possible certainly ought to be in-scope for most policy-making bodies in this area.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
I'm wearing PAMPERS!!
signature.asc Description: Digital signature
Re: draft-ietf-mpls-ldp-ipv6-16
Subject: draft-ietf-mpls-ldp-ipv6-16 Date: Thu, Feb 19, 2015 at 11:06:40AM -0500 Quoting Tim Durack (tdur...@gmail.com):
> I notice draft-ietf-mpls-ldp-ipv6-16 was posted February 11, 2015. What is the chance of getting working code this decade? I would quite like to play with this newfangled IPv6 widget... (Okay, I'd like to stop using IPv4 for infrastructure. LDP is the last piece for me.)

One of the vendors has promised v6 LDP this year (as in 2015). Given the interesting bugs that surfaced when we tried a couple years ago, well, I'm at least breathing shallowly.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
I'm having a BIG BANG THEORY!!
signature.asc Description: Digital signature
Re: How our young colleagues are being educated....
Subject: Re: How our young colleagues are being educated Date: Fri, Dec 26, 2014 at 02:56:40AM -0500 Quoting William Herrin (b...@herrin.us):
> In the real world you often assign a /32 to a loopback address on each router and make all of the serial interfaces borrow that address (ip unnumbered in Cisco parlance) which wastes no addresses.

Why would you want to waste 79228162514264337593543950336 addresses on a loopback?

More seriously, why does this discussion only briefly mention IPv6? Every client comes with it (aggressively) enabled -- it is there despite the fat / happy parts of the networking community sitting on their legacy space and laughing at Asia.

I've had, as mentioned earlier, a Cisco graduate as intern and then colleague for a year now. He's a fast learner, and that was needed. No v6. Not much MPLS. No ISIS. Barely eBGP. No iBGP, especially not in conjunction with a link-state IGP. Lots of RIP, Flame Delay and EIGRP.

There are two problems:

* The academic community is either outdated or married to a vendor-specific course -- and that marriage is not very academic, IMNSHO. Academia must be vendor agnostic.
* The vendor courses are too enterprisey, and an outdated enterprise at that. There is no course in running a sensible chunk of the Internet.

And this in a world where the largest innovation the last 5 years is abstraction (as in virtualisation and to some extent SDN). Not in protocols. Should be reasonably easy to keep up.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
So this is what it feels like to be potato salad
signature.asc Description: Digital signature
Re: How our young colleagues are being educated....
Subject: Re: How our young colleagues are being educated Date: Wed, Dec 24, 2014 at 11:40:48AM -0500 Quoting Scott Morris (s...@emanon.com):
> Now, as a side, one problem that I often have with various academic-based courses is that the people who teach them often don't have enough real-world experience (or not current anyway) in order to pass along any benefit in that matter. There are many things that need to be addressed at this level within the higher-education arena, and I'm sure it's not just related to networking subjects!

When I did teaching, it was as an employee hired to do network ops first and academic stuff a definite second. I'm still not qualified to even apply to the courses I taught, but I did get nice evaluations; simply because what we taught was very connected to the NREN we ran. Thus we could pick examples from Actual Reality and make the binary - hex conversions relevant.

I'm thinking that network operations and design today is a field much like workshop toolroom knowledge was back before CAD/CAM; there is a solid and long scientific backing to what is done, in materials science, maths, etc; the machines used are products from elevated precision and experience centres, but still, you can't get them to do anything useful without a well balanced theoretical background coupled to solid hands-on experience. The rookie and the engineer from the construction dept. will both need training to be useful and non-lethal in that environment, even if the engineer can design a successful lathe.

The rôle of network courses in academia, then, is a lot like looking out for the programmer with the soldering iron. People who know how things ought to work in theory are quite likely to be dangerous in practice. (and don't get me started on studio sound engineers in live sound...)

It might be though, that I've simply been watching Keith Fenner on YouTube too many late nights. (That is a recommendation, btw.)

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
Uh-oh!! I forgot to submit to COMPULSORY URINALYSIS!
signature.asc Description: Digital signature
Re: How our young colleagues are being educated....
Subject: How our young colleagues are being educated Date: Mon, Dec 22, 2014 at 04:13:42AM -0500 Quoting Javier J (jav...@advancedmachines.us):
> Dear NANOG Members, It has come to my attention, that higher learning institutions in North America are doing our young future colleagues a disservice.

Yes. Although, as long as they don't teach people that _every_ router does NAT, we'll be fine.

> Are colleges teaching what an RFC is? Are colleges teaching what IPv6 is?

At the university I taught, yes. But that is in Europe, at the Royal Institute of Technology in Stockholm, Sweden, for 3rd year in an MSc programme in EE, Physics or CS.

I am seeing similar cluelessness at smaller proto-universities in Sweden, where they have bought a branded course. Lots of Flame Delay. And EIGRP. Branded course. Our trainee that came out of that did prove to be highly trainable, though.

> What about unicast and multicast? I confirmed with one student half way through their studies that they were not properly taught how DNS works, and had no clue what the term “root servers” meant.

Multicast, check. DNS, check.

> Am I crazy? Am I ranting? Doesn't this need to be addressed? …..and if not by us, then by whom? How can we fix this?

People who enter academentia in networking, especially to teach at rural colleges, tend to freeze in time and stick to whatever fad was in when they were young. Especially ATM is popular, since it has, for all its uselessness, a nice theoretical undercarriage and stands on the shoulders of decades of telco style Warum einfach wenns auch kompliziert geht? (you will have to translate that yourself, it's German and describes engineering well)

In Sweden, universities (where tuition is 0 for all citizens and can be made 0 for all citizens of the EU) have a third task besides undergraduate production and research, and that is to interact with greater society. The key to good education that fulfils the needs of society is to ensure the interaction is two-way.

Each course, get an industry lecturer in for at least one lecture. This, if chosen well, will make it impossible to teach Flame Delay in 2014.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
We have DIFFERENT amounts of HAIR --
signature.asc Description: Digital signature
Re: Phasing out of telco TDM Backbones (was: Phasing out of copper)
Subject: Phasing out of telco TDM Backbones (was: Phasing out of copper) Date: Sun, Nov 30, 2014 at 12:09:40AM -0500 Quoting Jay Ashworth (j...@baylink.com):
> - Original Message -
> From: Måns Nilsson mansa...@besserwisser.org
>> Maintaining copper plant is expensive. It will be retired as soon as buy-in on FTTH is high enough. Telia Sonera is doing it in Sweden, so the trend is global. (OTOH, in Sweden, young people moving out from their parents, if they can find somewhere to rent, usually only get a fixed connection for Internet access. Telephony is all mobile.)
> Absolutely: maintaining analog copper last-mile is expensive. But let us not conflate being ok with telcos replacing analog copper last-mile with being ok with telcos replacing PCM with VoIP, especially in trunking applications, and *especially* using non-dedicated backbones, as these are the directions the RBOCs appear to be going in, and those are much less acceptable ideas than the former.

Sadly enough, those man-centuries need to be reread in the light of the fact that today, you can not buy most of those connections anymore. Voice circuits are almost entirely trunked on IP; and the telcos fight to decommission the carrier formats. From 2014-12-31, you can't keep your 128kbit ISDN anymore in Sweden.

This is a big issue for me, since I work with radio broadcasting. There, 128kbit ISDN is a very common way to do remote broadcasting from sports or similar events. We've been frantically buying and building a new network to replace these circuits, and have built a quite nice system on top of IP. The old ISDN codec phones (essentially small pro mixer + A/D converter + MPEG codec + ISDN terminal) are being replaced by similar-looking specialised SIP phones sporting much higher sound quality. If the network permits (and, on those sites where we expect to do live music, it does permit so) we can do 48 kHz 24-bit uncompressed stereo -- which is around 2,6 Mbit without protection by FEC.

Since the voice circuit is mostly being replaced by the Skype/FaceTime call, this is not only a special observation; it is, I believe, a general case. Our challenge thus lies not in preserving circuit-switching, but instead in building an open, standards-based voice infrastructure on top of IP. Viewed in that light, Skype and FaceTime are failures. I'm not certain their owners see it that way.

/Måns, who *really* would like to have STM-64 frames instead of TenGig Ethernet for his long lines. Switched Ethernet is herded chaos.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
ANN JILLIAN'S HAIR makes LONI ANDERSON'S HAIR look like RICARDO MONTALBAN'S HAIR!
signature.asc Description: Digital signature
Re: Phasing out of copper
Subject: Phasing out of copper Date: Fri, Nov 28, 2014 at 10:46:03AM -0500 Quoting Jean-Francois Mezei (jfmezei_na...@vaxination.ca):
> Currently in the midst of a CRTC policy hearing in Canada on future of competition in ISPs. Incumbents claim they have no plans to retire their copper plant after deploying FTTP/FTTH. (strategically to convince regulator that keeping ISPs on copper is fine and no need to let them access FTTP).

Maintaining copper plant is expensive. It will be retired as soon as buy-in on FTTH is high enough. Telia Sonera is doing it in Sweden, so the trend is global. (OTOH, in Sweden, young people moving out from their parents, if they can find somewhere to rent, usually only get a fixed connection for Internet access. Telephony is all mobile.)

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
Four thousand different MAGNATES, MOGULS NABOBS are romping in my gothic solarium!!
signature.asc Description: Digital signature
Re: Linux: concerns over systemd adoption and Debian's decision to switch
Subject: Re: Linux: concerns over systemd adoption and Debian's decision to switch Date: Tue, Oct 21, 2014 at 01:44:17PM -0700 Quoting Eric Brunner-Williams (brun...@nic-naa.net):
> systemd is insanity. see also smit.

(assumption, we're talking about AIX smit here)

smit is transparent, comprehensible and automatable, not to mention bypass-able. My wife, who is running an impressive AIX farm at her place of work, tells me that (and I've done it myself) F4 is the key to escape. systemd is hellspawn crap compared to this.

I'm really concerned because I run complicated process control software on Linux and this software is shipped by Vendors who believe in "if there is a support contract for the OS, all is well" fairy tales. This leaves you having to buy DeadRat licenses, unless you can convince them that CentOS is functionally equivalent.

Time to ask for BSD ports, I think. Linux will be unusable very soon.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
WHOA!! Ken and Barbie are having TOO MUCH FUN!! It must be the NEGATIVE IONS!!
signature.asc Description: Digital signature
Re: IPv6 Default Allocation - What size allocation for Loopback Address
Subject: Re: IPv6 Default Allocation - What size allocation for Loopback Address Date: Sat, Oct 11, 2014 at 05:41:43AM + Quoting Faisal Imtiaz (fai...@snappytelecom.net):
> A follow up question on this topic.. For Router Loopback Address what is wisdom in allocating a /64 vs /128 ? (the BCOP document suggests this, but does not offer any explanation or merits of one over the other).

I use a /128 -- these addresses are going to be used de-aggregated in the IGP only; outside they are part of your aggregated allocation.

Then again; I'm using /127 on links. Just because it is a tad easier to do dual-stack on the scripts that build the config. And, I get to have all my links in 2001:0db8:f00:feed:dada::/80 :-)

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
I'm thinking about DIGITAL READ-OUT systems and computer-generated IMAGE FORMATIONS ...
signature.asc Description: Digital signature
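As an added example (not code from the thread, nor from any vendor or project), here is a small Python allocator that follows the plan described in the post above: one /128 per router loopback, one /127 per point-to-point link carved out of a single /80, and for each IPv6 object the matching IPv4 one (/32 and /31) so that a single config-building script can treat both families alike. It also checks the other point made there, that all of these de-aggregated prefixes stay inside the one aggregate announced externally. The prefixes (documentation ranges), router names and the pseudo-config format are assumptions chosen for the example.

```python
"""Added example: a dual-stack address plan with /128 loopbacks and /127 links.

Assumptions (not from the thread): documentation prefixes for every block,
router names r1..rN, and a vendor-neutral pseudo-config output format.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample blocks (RFC 3849 / RFC 5737 documentation space).
LINK_BLOCK_V6 = ipaddress.ip_network("2001:0db8:f00:feed:dada::/80")
LOOP_BLOCK_V6 = ipaddress.ip_network("2001:db8:f00:1::/64")
LINK_BLOCK_V4 = ipaddress.ip_network("192.0.2.0/24")
LOOP_BLOCK_V4 = ipaddress.ip_network("198.51.100.0/24")


@dataclass
class AddressPlan:
    """Hands out loopbacks and point-to-point link addresses deterministically."""
    loopbacks: dict = field(default_factory=dict)  # router -> (v6 iface, v4 iface)
    links: dict = field(default_factory=dict)      # (a, b) -> {a: (v6, v4), b: (v6, v4)}

    def __post_init__(self):
        # Lazy iterators: the /64 and the /80 are walked, never materialised.
        self._loop_v6 = LOOP_BLOCK_V6.hosts()   # skips the subnet-router anycast ::0
        self._loop_v4 = LOOP_BLOCK_V4.hosts()   # skips network and broadcast
        self._link_v6 = LINK_BLOCK_V6.subnets(new_prefix=127)
        self._link_v4 = LINK_BLOCK_V4.subnets(new_prefix=31)

    def loopback(self, router):
        """One /128 and one /32 per router, reused on repeated calls."""
        if router not in self.loopbacks:
            self.loopbacks[router] = (
                ipaddress.ip_interface(f"{next(self._loop_v6)}/128"),
                ipaddress.ip_interface(f"{next(self._loop_v4)}/32"),
            )
        return self.loopbacks[router]

    def link(self, a, b):
        """One /127 and one /31 per unordered router pair. The lower-named router
        takes the first address of each pair (RFC 6164 and RFC 3021 allow both
        addresses of a /127 and a /31 to be used)."""
        key = tuple(sorted((a, b)))
        if key not in self.links:
            v6 = next(self._link_v6)  # StopIteration here means the block is exhausted
            v4 = next(self._link_v4)
            lo, hi = key
            self.links[key] = {
                lo: (ipaddress.ip_interface(f"{v6[0]}/127"),
                     ipaddress.ip_interface(f"{v4[0]}/31")),
                hi: (ipaddress.ip_interface(f"{v6[1]}/127"),
                     ipaddress.ip_interface(f"{v4[1]}/31")),
            }
        return self.links[key]

    def config_lines(self, router):
        """Pseudo-config for one router (an assumed format, not any vendor's)."""
        v6, v4 = self.loopback(router)
        lines = ["interface Loopback0", f"  ipv6 address {v6}", f"  ipv4 address {v4}"]
        for n, (key, ends) in enumerate(sorted(self.links.items())):
            if router in key:
                peer = key[1] if key[0] == router else key[0]
                lv6, lv4 = ends[router]
                lines += [f"interface Link{n}   ! to {peer}",
                          f"  ipv6 address {lv6}", f"  ipv4 address {lv4}"]
        return lines

    def outside_aggregate(self, aggregate):
        """Prefixes of the plan (same address family) NOT covered by the one
        aggregate announced externally; anything listed here would have to be
        announced on its own instead of staying an IGP-only de-aggregate."""
        agg = ipaddress.ip_network(aggregate)
        prefixes = [i.network for pair in self.loopbacks.values() for i in pair]
        prefixes += [i.network for ends in self.links.values()
                     for pair in ends.values() for i in pair]
        return sorted({str(p) for p in prefixes
                       if p.version == agg.version and not p.subnet_of(agg)})


if __name__ == "__main__":
    plan = AddressPlan()
    plan.link("r1", "r2")
    plan.link("r1", "r3")
    print("\n".join(plan.config_lines("r1")))
    print("outside the /48 aggregate:", plan.outside_aggregate("2001:db8:f00::/48"))
```

Because the allocator only ever walks iterators, the /64 loopback block and the /80 link block are never expanded in memory; the IPv4 /24 blocks are the ones that run out first (128 /31s), which surfaces as a StopIteration at the point where the plan is being built rather than as an overlapping assignment later.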
Re: Scotland ccTLD?
Subject: Re: Scotland ccTLD? Date: Tue, Sep 16, 2014 at 10:09:27AM -0700 Quoting Doug Barton (do...@dougbarton.us):
> A better question is why is SU still in the root?

Since the rebels in eastern Ukraine have been reported to call their intimidation police НКВД[0] I suppose the rest of the apparat that was Soviet Union will return shortly. Better keep SU in the root just in case.

On a more on-topic note, there are several domains still in use under SU.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
The entire CHINESE WOMEN'S VOLLEYBALL TEAM all share ONE personality -- and have since BIRTH!!

[0] https://en.wikipedia.org/wiki/Donetsk_People's_Republic#Sectarian_attacks
signature.asc Description: Digital signature
Re: So Philip Smith / Geoff Huston's CIDR report becomes worth a good hard look today
Subject: Re: So Philip Smith / Geoff Huston's CIDR report becomes worth a good hard look today Date: Wed, Aug 13, 2014 at 11:27:46AM -0700 Quoting Merike Kaeo (mer...@doubleshotsecurity.com):
>> B: they *did* know about the issue, but convincing management to spend the cash to buy hardware that doesn't suck was hard, because everything is working fine at the moment -- some folk needed things to fail spectacularly to be able to justify shelling out the $$$ ( yes, they could recarve the TCAM, but they are using this as an excuse to get some real gear)…
> Oh yeah, I'd bet this is also the case. Just like in 'security' related issues….

This is why test crash was introduced. http://markmail.org/message/tu46ecy272o3stvp

/Måns, just rebooted. (with a new carving already configured)

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
Thousands of days of civilians ... have produced a ... feeling for the aesthetic modules --
signature.asc Description: Digital signature
Re: So Philip Smith / Geoff Huston's CIDR report becomes worth a good hard look today
Subject: So Philip Smith / Geoff Huston's CIDR report becomes worth a good hard look today Date: Tue, Aug 12, 2014 at 09:40:55PM +0530 Quoting Suresh Ramasubramanian (ops.li...@gmail.com):
> 512K routes, here we come. Lots of TCAM based routers suddenly become really expensive doorstops.

We had a planned outage yesterday 2300 UTC to perform the operation Hank mentions. Alas, around 0850 UTC the table went critical and we had to do an emergency reboot. Well, the good part is that all 10G line cards survived, and we're back in operation.

The new routers are bought or in the investment plan for this year. Just need to wait until it's time for our vendors' fiscal year end race...

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
Am I accompanied by a PARENT or GUARDIAN?
signature.asc Description: Digital signature
Re: Muni Fiber and Politics
Subject: Re: Muni Fiber and Politics Date: Sun, Aug 03, 2014 at 05:11:09AM +0200 Quoting Mark Tinka (mark.ti...@seacom.mu):
> On Sunday, August 03, 2014 01:31:17 AM Måns Nilsson wrote:
>> Oh, yes, there is. Multicast? IPv6? Both CAN be done, but probably won't.
> I'm talking about the opportunities large bandwidth presents, non-technical issues aside. Certainly, IPv6 and Multicast have a place on a 1Gbps link into the customer's home. Unless I misunderstand what you're trying to say...

My point is that involving active electronics on a link lease may limit the ways that link can be used and that there is a very high probability -- guesstimated from current unbundling infrastructure landscape -- that there will be severe constraints in services possible to provide if you as provider aren't lighting the path yourself. The constraints multiply with every OSI layer that is included in the unbundling offer, of course.

A typical Swedish example is the solution with a communications operator -- a separate entity that owns and operates a layer 2 environment over which several different providers can sell IP connectivity. In most, if not all, cases in Sweden, the provisioning and management systems installed simply do not have any idea of an IPv6 address. Shortsighted? Yes, but driven by bad decisions and market needs NOW. (FSVO NOW that is embarrassingly recent...) A PITA to upgrade? Yes, of course, and the incentives aren't there, because the communications operator is a monopoly, so if you want to sell connections, you have to use them.

The limits imposed on unbundled infrastructure are at the core 100% business-related; and as long as they are present, there must be regulated access to passive infrastructure, perhaps even including things like ducting/manholes/etc.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
I'm shaving!! I'M SHAVING!!
signature.asc Description: Digital signature
Re: Muni Fiber and Politics
Subject: Re: Muni Fiber and Politics Date: Fri, Aug 01, 2014 at 07:40:50AM +0200 Quoting Mark Tinka (mark.ti...@seacom.mu):
> On Thursday, July 31, 2014 02:01:28 PM Måns Nilsson wrote:
>> It is better, both for the customer and the provider.
> If the provider is able to deliver 1Gbps to every home (either on copper or fibre) with little to no uplink oversubscription (think 44x customer-facing Gig-E ports + 4x 10Gbps uplink ports), essentially, there is no limit to what services a provider and its partners can offer to its customers.

Oh, yes, there is. Multicast? IPv6? Both CAN be done, but probably won't. Dark fibre to CO is the only way to be sure. As long as that is possible, perhaps mandated by regulation, there's no major issue with providing a packaged service.

In the end, though, if we get the quality of Internet access up to sensible levels (today minimum of a /56 and 100Mbit symmetric and no stupid peering wars ;-) there are few reasons not to bundle L1-L3. However, given the nature of monopolies and their tendency to underperform and overcharge, that is an optimisation dream...

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
Hello. Just walk along and try NOT to think about your INTESTINES being almost FORTY YARDS LONG!!
signature.asc Description: Digital signature
Re: Muni Fiber and Politics
Subject: Re: Muni Fiber and Politics Date: Wed, Jul 30, 2014 at 06:56:40PM -0500 Quoting Leo Bicknell (bickn...@ufp.org):
> On Jul 30, 2014, at 1:47 AM, Mark Tinka mark.ti...@seacom.mu wrote:
>> Symmetrical would be tough to do unless you're doing Active-E.
> I'm an outlier in my thinking, but I believe the best world would be where the muni offered L1 fiber, and leased access to it on a non-discriminatory basis. That would necessitate an Active-E solution since L1 would not have things like GPON splitters in it, but it enables things like buying a dark fiber pair from your home to your business, and lighting it with your own optics. That to me is a huge win. It also means future upgrades are unencumbered. Want to run 10GE? 100GE? 50x100GE WDM? Please do. You leased a dark fiber. If the muni has gear (even just splitters) in the path they will gatekeeper upgrades. It may be a smidge more expensive up front, but in the long run I think it will be cheaper, more reliable, and most importantly hugely more flexible.

GPON is basically unheard of in Sweden. All fiber access is either copper to a switch in the basement/similar in multi-tenant houses or direct pairs to CO. Some middle solutions exist where there's a rugged switch in a pole or roadside cabinet, but they are exceptions. I think the Amsterdam buildout is similar.

It is better, both for the customer and the provider. The only loser is a potential third party acting as comms provider on L1, possibly L2.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
DON'T go!! I'm not HOWARD COSELL!! I know POLISH JOKES ... WAIT!! Don't go!! I AM Howard Cosell! ... And I DON'T know Polish jokes!!
signature.asc Description: Digital signature
Re: Shared Transition Space VS. BGP Next Hop [was: Re: Best practices IPv4/IPv6 BGP (dual stack)]
Subject: Shared Transition Space VS. BGP Next Hop [was: Re: Best practices IPv4/IPv6 BGP (dual stack)] Date: Fri, May 02, 2014 at 03:58:42PM -0600 Quoting Chris Grundemann (cgrundem...@gmail.com):
> Would you expound a bit on what you mean here? I don't quite follow but I am very interested to understand the issue.

The fact that you need v4 space to build an MPLS backbone is a very good reason to not waste a /10 on CGN crap. Ideally, we would have a solution where an entire MPLS infrastructure could be built without v4 space, demoting v4 to a legacy application inside a VRF, but the MPLS standards wg seems content with status quo.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
I wish I was a sex-starved manicurist found dead in the Bronx!!
signature.asc Description: Digital signature
Re: Best practices IPv4/IPv6 BGP (dual stack)
Subject: Best practices IPv4/IPv6 BGP (dual stack) Date: Fri, May 02, 2014 at 07:44:33PM + Quoting Deepak Jain (dee...@ai.net):
> Between peering routers on a dual-stacked network, is it considered best practices to have two BGP sessions (one for v4 and one for v6) between them? Or is it better to put v4 in the v6 session or v6 in the v4 session?

Like others, yes, two sessions, v6 over v6 and v4 over v4. Only the native AF is active.

> According to docs, obviously all of these are supported and if both sides are dual stacked, even the next-hops don't need to be overwritten.

It works, but might produce interesting side effects. I've had to resort to it when peering between different IOS versions; but that might have been the result of fat-fingering as well.

> Is there any community-approach to best practices here? Any FIB weirdness (e.g. IPv4 routes suddenly start sucking up IPv6 TCAM space, etc) that results with one solution over the other?

If having MPLS BGP peers over v6 carrying vpnv4 routes, all sorts of strange things can happen. There is no standard for it; so one should not expect it to work. But the failure modes are interesting; I've had the next-hop for a v6-carried vpnv4 peering be the first 32 bits of the v6 next-hop, interpreted as a v4 address. It only works if there is a v4 route to that made-up address. This is a field where v4 next-hops are essential to make things work.

<rant>In that context, allocating 100.64.0.0/10 to CGN was especially un-clever...</rant>

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
Xerox your lunch and file it under sex offenders!
signature.asc Description: Digital signature
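As an added example (not code from the thread, and not modelled on any vendor's BGP implementation), the Python below reproduces the failure mode described in the post above: a VPNv4 route learned over an IPv6 session carries a 16-byte next-hop, and a speaker that only expects a 4-byte next-hop for that address family reads the first 32 bits of the IPv6 address as an IPv4 one. The helpers compute that made-up address and run a longest-prefix match over a constructed IPv4 RIB, so you can see both the normal case (it does not resolve, the route is unusable) and the accidental case the post mentions, where an unrelated IPv4 route happens to cover the misread address. The RIB contents and the next-hops are constructed sample values.

```python
"""Added example: what a 4-byte-next-hop-only speaker makes of a 16-byte next-hop.

Assumptions (not from the thread): the constructed RIB below and the sample
next-hops; no real BGP message parsing is performed, only the next-hop step.
"""
import ipaddress

# Constructed IPv4 RIB (private and documentation space), not a real table.
SAMPLE_RIB_V4 = ["10.0.0.0/8", "10.255.0.1/32", "192.0.2.0/24"]


def misread_next_hop(v6_next_hop):
    """The IPv4 address a 4-byte-only parser would see: the first 32 bits of
    the IPv6 next-hop, reinterpreted as an IPv4 address."""
    packed = ipaddress.IPv6Address(v6_next_hop).packed
    return ipaddress.IPv4Address(packed[:4])


def resolve(rib, address):
    """Longest-prefix match of one IPv4 address over a list of prefix strings;
    returns the matching IPv4Network or None when nothing covers it."""
    addr = ipaddress.IPv4Address(address)
    best = None
    for prefix in rib:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def vpnv4_next_hop_outcome(next_hop, rib=SAMPLE_RIB_V4):
    """Describe how a speaker expecting an IPv4 next-hop resolves `next_hop`
    for a VPNv4 route.

    A native IPv4 next-hop is looked up as-is. An IPv6 next-hop is first
    reduced to its leading 32 bits (the misread reported in the post); the
    route is only usable if that address happens to resolve in the IPv4 RIB.
    """
    nh = ipaddress.ip_address(next_hop)
    if nh.version == 4:
        lookup, mode = nh, "native-v4"
    else:
        lookup, mode = misread_next_hop(nh), "misread-from-v6"
    via = resolve(rib, lookup)
    return {
        "mode": mode,
        "looked_up": str(lookup),
        "resolves_via": str(via) if via else None,
        "usable": via is not None,
    }


if __name__ == "__main__":
    for nh in ("10.255.0.1", "2001:db8::1", "fd00::1"):
        print(nh, "->", vpnv4_next_hop_outcome(nh))
    # An unrelated IPv4 route covering the misread address makes it "work":
    print(vpnv4_next_hop_outcome("2001:db8::1", SAMPLE_RIB_V4 + ["32.0.0.0/8"]))
```

The accidental-resolution case is the one worth remembering operationally: traffic for the VPN would be forwarded towards whatever router owns the covering IPv4 prefix, which has nothing to do with the intended PE, and the session itself would look healthy. Keeping vpnv4 next-hops in IPv4 (the loopback of the PE, reachable in the IGP) avoids the ambiguity entirely.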
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Mon, Mar 31, 2014 at 12:17:19AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net):
> On Mar 30, 2014, at 16:40 , Måns Nilsson mansa...@besserwisser.org wrote:
>> Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net):
>>> On Mar 29, 2014, at 3:15, Måns Nilsson mansa...@besserwisser.org wrote:
>>>> Quoting John R. Levine (jo...@iecc.com):
>>>>>> Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is --
>>>>> I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you.
>>>> I will not debate with people who resort to humiliation techniques when questioned.
>>> I will not argue whether you were humiliated as that is something only you can decide.
>> The puny attempt at master suppression technique[0] was identified as such and countermeasures were launched. No damage done.
> I was serious. Your reaction .. well, I shouldn't say anything more lest you call me puny again. (What were you saying about humiliation techniques? Glad to see you would never be hypocritical.)

My apologies. I was not referring to your statement -- if that was not clear I should most certainly have written more clearly.

>>> However, John was still factually correct. No big deal, lots of people are humiliated by facts. Although I admit I didn't find the quote above terribly humiliating myself.
>> You have a point. Further, I do not debate the truth in the statement. My personal email system IS small -- I did even state that -- but that does not mean I do not run larger systems for others, nor does it mean that the general public should dismiss my ideas and only listen to people who brag about their acquaintances.
>> There are other much more compelling reasons not to do as I say.
> You misunderstand. Or perhaps I did? I read John's statement to be in reference to your stance, i.e. running without spam filters. Not that your server is small.

I read "you handle no big amount of e-mail and I know people who do and therefore you should STFU and not bother us with your silly ideas about following standards" in John's message, and while that might seem like one of many interpretations of what was written, it is an interpretation I hope to be not so far out on the insulted fringe so as to be silly.

> John can clarify if he likes. But either way, running without spam filters is beyond unusual these days.

Indeed.

> My personal server is run with very few filters, all of which REJECT or accept and send to a box I read. I have no spam folder. So while I am not as far down the tail as you are, I am definitely out of the mainstream. The only reason I mention that is so you don't go researching for another reason to identify my comments as anything except exactly what they say.

Oh, I'm not hoping to pick a fight. Bad move to pick fights with people that function as mediators.

>>> Also, realize that John has already done more to stop spam in his career than you and your thousand closest friends ever will. (E.g. Look up abuse.net.) Again not humiliation, just a fact. Feel free to plonk me as well. I won't be humiliated. :-)
>> I won't. There is a clear divide between politely pointing out facts and abusing facts to tell people that their opinion does not matter. And, for the record, I do not support spamming in any form. But the mitigation techniques MUST NOT impose undue constraints on the legitimate use of e-mail, even when it is not vetted by passing it through big insecure monitored US webmail providers.
> I like your use of MUST. However, I think you'll find your definition of undue and most of the rest of the Internet's is vastly different.

I'm fully aware of that. The clear separation between network and application that is at the core of IP is easily compromised by the best intentions.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
I selected E5 ... but I didn't hear Sam the Sham and the Pharoahs!
signature.asc Description: Digital signature
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net):
> Composed on a virtual keyboard, please forgive typos.
> On Mar 29, 2014, at 3:15, Måns Nilsson mansa...@besserwisser.org wrote:
>> Quoting John R. Levine (jo...@iecc.com):
>>>> Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is --
>>> I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you.
>> I will not debate with people who resort to humiliation techniques when questioned.
> I will not argue whether you were humiliated as that is something only you can decide.

The puny attempt at master suppression technique[0] was identified as such and countermeasures were launched. No damage done.

> However, John was still factually correct. No big deal, lots of people are humiliated by facts. Although I admit I didn't find the quote above terribly humiliating myself.

You have a point. Further, I do not debate the truth in the statement. My personal email system IS small -- I did even state that -- but that does not mean I do not run larger systems for others, nor does it mean that the general public should dismiss my ideas and only listen to people who brag about their acquaintances. There are other much more compelling reasons not to do as I say.

> Also, realize that John has already done more to stop spam in his career than you and your thousand closest friends ever will. (E.g. Look up abuse.net.) Again not humiliation, just a fact. Feel free to plonk me as well. I won't be humiliated. :-)

I won't. There is a clear divide between politely pointing out facts and abusing facts to tell people that their opinion does not matter.

And, for the record, I do not support spamming in any form. But the mitigation techniques MUST NOT impose undue constraints on the legitimate use of e-mail, even when it is not vetted by passing it through big insecure monitored US webmail providers.

--
Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
Vote for ME -- I'm well-tapered, half-cocked, ill-conceived and TAX-DEFERRED!

[0] http://en.wikipedia.org/wiki/Master_suppression_techniques
signature.asc Description: Digital signature
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition
Date: Thu, Mar 27, 2014 at 10:32:42AM -0400
Quoting John R. Levine (jo...@iecc.com):

>> Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is --
>
> I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you.

I will not debate with people who resort to humiliation techniques when questioned.

PLONK

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

I feel like a wet parking meter on Darvon!
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition
Date: Wed, Mar 26, 2014 at 03:35:48PM -0400
Quoting John R. Levine (jo...@iecc.com):

>>> It must be nice to live in world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do.
>>
>> What is a real provider? And what in the email specifications tells us that the email needs and solutions of any one individual, as long as they are following protocol (which I'm quite convinced Mark is) are unreal?
>
> A real provider is one that provides mail for real users, as opposed to someone who plays RFC language lawyer games. I only have a few dozen users, but I can assure you I use a whole lot of different filtering approaches including DNSBLs to keep my users' mailboxes usable.

Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is -- the necessity to stick to protocol is not under debate)

> I must say it's pretty amusing that someone who works for the organization that published the original DNSBL seems to be ranting against them.

The ability to change one's mind when circumstances change is usually seen as advantageous. Why not here?

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

This is a NO-FRILLS flight -- hold th' CANADIAN BACON!!
Re: why IPv6 isn't ready for prime time, SMTP edition
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition
Date: Tue, Mar 25, 2014 at 10:45:00PM -0400
Quoting John R. Levine (jo...@iecc.com):

>> None of this is REQUIRED. It is forced on people by a cartel of email providers.
>
> It must be nice to live in world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do.

What is a real provider? And what in the email specifications tells us that the email needs and solutions of any one individual, as long as they are following protocol (which I'm quite convinced Mark is) are unreal?

There are scalability issues that single out the mega-class providers as something special. But those are no reason to go around debating the realness of other email handling organisations.

Also, the accept/reject policies of email recipients are subject to individual evaluation and implementation at each MX host. Attempts at describing the state of email as other than that are false and should be discarded[0].

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

Content: 80% POLYESTER, 20% DACRONi ... The waitress's UNIFORM sheds TARTAR SAUCE like an 8 by 10 GLOSSY ...

[0] I'm sorry for the wording here, I just had to recall a paraphrased instruction from when Sweden had a psyops defence organisation. Varje meddelande om att motståndet skall uppges är falskt. (Every message that the resistance is to be given up is false.)
Re: SIP on FTTH systems
Subject: SIP on FTTH systems
Date: Wed, Feb 05, 2014 at 11:52:51PM -0500
Quoting Jean-Francois Mezei (jfmezei_na...@vaxination.ca):

> Quick question: I am thinking in a possible wholesale FTTH environment operated by a telco where the end user is connected to ISP-X via PPPoE. ONTs have built-in ATAs that can provide POTS service to a house and do SIP/VoIP over the fibre with QoS system to ensure VoIP traffic gets through.
>
> In a scenario where the data PPPoE connection is done by an external router, what are the options to operate the VoIP service so that
> - VoIP still uses the special lane on the GPON with QoS
> - VoIP gets IP from ISP-X and traffic flow via ISP-X so that telco is not involved in routing such traffic or allocating an IP address ?

Or, one could make sure everything has a globally unique IP address and is using reasonably secured communications. The downside is that one then can't defend the existence of those empire-building middleboxes. It is not the telco way, so is of course unthinkable. Like anything beyond WAP was on cell phones a decade ago.

Warum soll man es einfach machen, wenn man es so schön komplizieren kann? (Why make things simple when you can build them so beautifully complicated?)

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

We are now enjoying total mutual interaction in an imaginary hot tub ...
Re: Pad 1310nm cross-connects?
Subject: Re: Pad 1310nm cross-connects?
Date: Sun, Oct 20, 2013 at 07:21:42AM +0200
Quoting Måns Nilsson (mansa...@besserwisser.org):

> Subject: Pad 1310nm cross-connects?
> Date: Sat, Oct 19, 2013 at 07:33:19PM -0700
> Quoting Chris Costa (ccosta92...@gmail.com):
>
>> What are the opinions/views on attenuating short, 1310nm LR cross-connects. Assume 20m cable length and utilizing the same vendor optics on each side of the link. Considering the LR transmit spec doesn't exceed the receiver's high threshold value do you pad the receiver closer to the median RX range to avoid potential receiver burnout over time, or just leave it un-padded?
>
> LR usually needs padding in that scenario, IMHO. This also

My apologies. I was thinking not of 10km / 20km class optics but the 80-100km stuff. There, padding is quite necessary in short-range setups. For 10/20km stuff, I, too, have run lots of 2m patch cords directly between linecards without harm.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

One FISHWICH coming up!!

Courtesy conversions: (km-miles, km-miles, metres/100 - feet)
10/1.6
6.2500
80/1.6
50.
200/(2.54*12)
6.56167979002624671916
Re: Pad 1310nm cross-connects?
Subject: Pad 1310nm cross-connects?
Date: Sat, Oct 19, 2013 at 07:33:19PM -0700
Quoting Chris Costa (ccosta92...@gmail.com):

> What are the opinions/views on attenuating short, 1310nm LR cross-connects. Assume 20m cable length and utilizing the same vendor optics on each side of the link. Considering the LR transmit spec doesn't exceed the receiver's high threshold value do you pad the receiver closer to the median RX range to avoid potential receiver burnout over time, or just leave it un-padded?

LR usually needs padding in that scenario, IMHO. This also applies to MMR interconnects or other premises / campus situations. 5 or 10dB depending on patching quality -- sometimes up to 15.

The value is best determined by measuring the signal. Then compare the measurement with the line card / SFP datasheet and determine the amount of padding necessary. As you write, the damage from overload is gradual, so simply trusting it works is quite bad for longevity reasons. Not all line cards and / or optical modules report the input signal level, so a good meter sometimes is necessary.

Get a good level meter, and a reasonably good light source for testing and calibration purposes. I'm happy with our purchase of SMLP4-4[0] from AFL Noyes.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

Pardon me, but do you know what it means to be TRULY ONE with your BOOTH!

[0] http://www.aflglobal.com/Products/Test-and-Inspection/Loss-Test-sets/SMLP4-4_Single-mode_Multimode_Loss_Test_Kits.aspx
Re: minimum IPv6 announcement size
Subject: Re: minimum IPv6 announcement size
Date: Tue, Sep 24, 2013 at 08:00:44AM -1000
Quoting Randy Bush (ra...@psg.com):

>> I am running a network that is operating on multiple sites and currently rolling out our IPv6 on the perimeter level. Having to get our /48 allocation from our RIR
>
> excuse, but which rir handed out a /48 under which policy? Any of them?

% Information related to '2001:67c:d8::/48'

inet6num:     2001:67c:d8::/48
netname:      SR-V6
descr:        Sveriges Radio AB
country:      SE
org:          ORG-SR18-RIPE
admin-c:      MN1334-RIPE
admin-c:      LEW3-RIPE
tech-c:       MN1334-RIPE
tech-c:       LEW3-RIPE
status:       ASSIGNED PI
mnt-by:       RIPE-NCC-END-MNT
mnt-lower:    RIPE-NCC-END-MNT
mnt-by:       SR-MNT
mnt-routes:   SR-MNT
mnt-domains:  SR-MNT
source:       RIPE # Filtered

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

Now, let's SEND OUT for QUICHE!!
Re: minimum IPv6 announcement size
Subject: Re: minimum IPv6 announcement size
Date: Wed, Sep 25, 2013 at 11:10:52AM +0800
Quoting Nathanael C. Cariaga (nccari...@stluke.com.ph):

> Hi, I actually raised this concern during our IP resource application. On a personal note, I think /48 IPv6 allocation is more than enough for our organization to use for at least the next 5-10 years assuming that this can be farmed out to our multiple sites. What makes this complicated for us is that we are operating on multiple sites (geographically) with each site doing multi-homing and having a /48 in each site would be a very big waste of IP resources.

If you've got island networks w/o links between, you SHOULD request a /48 per site.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

Pardon me, but do you know what it means to be TRULY ONE with your BOOTH!
Re: Leap Second
Subject: Leap Second
Date: Tue, Jul 02, 2013 at 10:23:58AM -0400
Quoting Todd S (t...@borked.ca):

> We found we got leap seconds added on some systems over the weekend. There were no leap seconds planned ( http://www.usno.navy.mil/USNO/earth-orientation/leap-second-announcement), however some of our systems got one. We run our own s2/s3/s4 system, with only the s2s going to the Internet. We have about 20 servers defined there, but looking through the logs, I can't figure out which one(s) may have been advertising the leap second. I went through all our systems on Friday and Saturday to check for the leap bit, but had nothing, so it must have come out on Sunday. Anyone else run in to this, or have any further intel about servers that advertised the leap second?

We did get an advisory from Infoblox about a bug in NTP servers based on open source NTP that would do just that. For Infoblox NIOS there was a hotfix, and Symmetricom also has a patch out.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

I think my career is ruined!
Re: SixXS Contact
Subject: Re: SixXS Contact
Date: Thu, Jun 27, 2013 at 09:43:19PM +0200
Quoting Måns Nilsson (mansa...@besserwisser.org):

> Personally, even though I'm on the same IRC channel as one of the admins and could have all support I want, I went with HE. Zero trouble. Excellent service. I'm peering with them at work, as does my colo provider, so have great connectivity. And, in v6, renumbering is easy (RIGHT? ;) so swapping providers is no pain.
>
> Now, Owen, where's my T-shirt? ;-)

Apparently I'm not on the same IRC channel as an admin anymore:

Just let me state that the day after I quit working with SIXXS I got myself a HE tunnel

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

The FALAFEL SANDWICH lands on my HEAD and I become a VEGETARIAN ...
Re: SixXS Contact
Subject: Re: SixXS Contact
Date: Thu, Jun 27, 2013 at 10:47:51AM -0400
Quoting Anthony Williams (alby.willi...@verizon.com):

> Can I piggy back on that inquiry and request a reset of my ISK points after committing a faux pas with respect to going negative from down v6 tunnels and deleting. Now to create a new tunnel I need positive ISK points and I'm still sitting at -10 with no way to boost my numbers. :(
>
> Reset Points: AWJ11-SIXXS
>
> Oh Pretty please w/sugar on top. :)

Personally, even though I'm on the same IRC channel as one of the admins and could have all support I want, I went with HE. Zero trouble. Excellent service. I'm peering with them at work, as does my colo provider, so have great connectivity. And, in v6, renumbering is easy (RIGHT? ;) so swapping providers is no pain.

Now, Owen, where's my T-shirt? ;-)

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

If Robert Di Niro assassinates Walter Slezak, will Jodie Foster marry Bonzo??
Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]
Subject: Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]
Date: Tue, Jun 25, 2013 at 10:38:30AM -0400
Quoting Christopher Morrow (morrowc.li...@gmail.com):

> It's potentially a lot simpler than that: http://en.wikipedia.org/wiki/Operation_Ivy_Bells this involved, I think, just intuiting signals from the nearfield effects of the cable, no? 'drop a large sensor ontop-of/next-to the cable, win!'

IVY BELLS (USN is / was an ALL-CAPS org, right?) was a copper era project, and it did use EMI tapping (TEMPEST) to get to the traffic without tampering with the cable.

Having gotten that cleared, I'd argue that if you're on speaking terms with the cable operator, it is much easier to use a full-spectrum monitor port on the WDM system.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

Your CHEEKS sit like twin NECTARINES above a MOUTH that knows no BOUNDS --
Re: PDU recommendations
Subject: Re: PDU recommendations
Date: Sun, Jun 23, 2013 at 09:32:00PM -0400
Quoting shawn wilson (ag4ve...@gmail.com):

> So, that's not a very good endorsement :) Idk why you'd use a fuse in a PDU.

MCB units age. Especially with vibration. A 10A MCB becomes a 9A MCB after some miles. Fuses don't.

MCB units are good at protecting people since they trip quickly and aggressively. Fuses tend to linger before blowing, and thus are comparatively bad at protecting people (longer shock) but better at protecting infrastructure (surge and switch-on-transient resistance).

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

There's a little picture of ED MCMAHON doing BAD THINGS to JOAN RIVERS in a $200,000 MALIBU BEACH HOUSE!!
Re: Prism continued
Subject: Re: Prism continued
Date: Wed, Jun 12, 2013 at 05:13:45PM -0700
Quoting Scott Weeks (sur...@mauigateway.com):

> or cat /var/log/router.log | egrep -v 'term1|term2|term3' | less

Surely you mean

egrep -v 'term1|term2|term3' /var/log/router.log | less

(http://partmaps.org/era/unix/award.html)

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

While you're chewing, think of STEVEN SPIELBERG'S bank account ... his will have the same effect as two STARCH BLOCKERS!
Re: PRISM: NSA/FBI Internet data mining project
Subject: Re: PRISM: NSA/FBI Internet data mining project
Date: Fri, Jun 07, 2013 at 12:25:35AM -0500
Quoting jamie rishaw (j...@arpa.com):

> <tinfoilhat> Just wait until we find out dark and lit private fiber is getting vampired. </tinfoilhat>

I'm not even assuming it, I'm convinced.

In Sweden, we have a law, that makes what NSA/FBI did illegal while at the same time legalising, after some scrutiny, the practice of tapping traffic that passes Sweden and is not both originated by and destined to Swedes. We're pretty good at selling transit abroad. Eastward. Go figure.

Combine that with our NSA buddy, the FRA (http://www.fra.se) actively attempting to hire WDM experience and there is enough circumstantial data that I'm convinced it's being done.

Also, what agencies like NSA, GCHQ and FRA have done for ages is listening to a broad spectrum of RF data with their aerials. Moving it into fiber is just keeping pace with the technology.

Another historical fact is that the FRA has its roots in an extremely successful wiretapping operation in WW2, where the German teleprinter traffic between Norway (occupied) and Germany was passed on leased lines through western Sweden. Cross-border wiretap.

In conclusion; I'm convinced.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

I'm having an emotional outburst!!
Re: Dear NANOG Gods
Subject: Re: Dear NANOG Gods
Date: Tue, May 21, 2013 at 02:56:22PM -0400
Quoting Joe Abley (jab...@hopcount.ca):

> The last time we had to ship a number of (Dell, actually) boxes from ICANN in LA we bought some flight cases that we could rack the servers into. Our thought was to go for reusable, rather than one-off (and we had doubts about the state of the boxes upon arrival if they weren't securely packed; a flight case with 19 rails inside seemed like a good bet).

If survivability is important, I like CP Cases:

http://www.cpcases.com/prodrange.asp?prodrangeid=15typeid=3

More expensive than SKB, but they bounce when dropped. And preserve the stuff inside. One probably should opt for removing PSU and drives if shipping is expected to be very rough.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

What a COINCIDENCE! I'm an authorized SNOOTS OF THE STARS dealer!!
Re: ISIS and OSPF together
Subject: ISIS and OSPF together
Date: Sun, May 12, 2013 at 02:11:37PM +0530
Quoting Glen Kent (glen.k...@gmail.com):

> Hi, I would like to understand the scenarios wherein the service provider/network admin might run both ISIS and OSPF together inside their network. Is this something that really happens out there?

Indeed; one of the more sane situations might be to have say anycast name servers or full-service resolvers in the network and having them talk OSPF to the first hop router. ISIS daemons on PC operating systems are scarce, working ones hardly exist.

It is clear, though, that the path forward is ISIS; most people I've spoken to roll it out (in greenfield/forklift situations) or migrate to it.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

I always have fun because I'm out of my mind!!!
Re: RFC 1149
Subject: Re: RFC 1149
Date: Wed, Apr 03, 2013 at 02:59:47PM -0400
Quoting Jay Ashworth (j...@baylink.com):

> George Herbert george.herb...@gmail.com wrote:
>
>> In europe? He probably was thinking of a Volvo 245...
>
> I don't /think/ Andy was over there that far back.

that far back? The 245 still rolls, and probably will, for another 30 years.

/Måns, drove 245 in youth.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

The SAME WAVE keeps coming in and COLLAPSING like a rayon MUU-MUU ...
Re: Open Resolver Problems
Subject: Re: Open Resolver Problems
Date: Tue, Apr 02, 2013 at 05:25:53AM +0200
Quoting Mikael Abrahamsson (swm...@swm.pp.se):

> On Tue, 2 Apr 2013, Måns Nilsson wrote:
>
>> What percentage of the SOHO NAT boxes actually are full-service resolvers? I was under the impression that most were mere forwarders; just pushing queries on toward the DHCP'd full service resolvers of the ISP.
>
> What does that help? They can still be amplifiers, it's just that now the ISP resolver will see the resolving load as well.

But, yes, of course. Nobody would be so stupid so as to accept queries on the WAN side and answer them? Would they?

/innocent

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

My vaseline is RUNNING...
Re: Open Resolver Problems
Subject: Re: Open Resolver Problems
Date: Mon, Apr 01, 2013 at 10:21:42PM +0200
Quoting Niels Bakker (niels=na...@bakker.net):

> * patr...@ianai.net (Patrick W. Gilmore) [Mon 01 Apr 2013, 18:18 CEST]:
>
>> Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :)
>
> You're joking, right? Should they also use only the telco-approved search engine, via the telco-hosted portal?

Far too many (perhaps not Patrick) in this thread are not joking. Laughter gets stuck in my throat, as we say in Sweden.

Having proper Internet access is more and more a privilege for the Internet gentry that are clued and able to pay for a box in a colo or similar. The unwashed masses are left with "broadband". We can't call it Internet because there are a few raving graybeards that claim they invented it and intended it to be two-way instead of stuffing .flv down people's facebook-viewing devices while also supplanting cable TV with demand streaming.

/rant

What percentage of the SOHO NAT boxes actually are full-service resolvers? I was under the impression that most were mere forwarders; just pushing queries on toward the DHCP'd full service resolvers of the ISP.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

Everywhere I look I see NEGATIVITY and ASPHALT ...
Re: Open Resolver Problems
Subject: Re: Open Resolver Problems
Date: Mon, Mar 25, 2013 at 12:45:40PM -0400
Quoting Joe Abley (jab...@hopcount.ca):

> DNS servers (recursive and authoritative-only) are the low-hanging fruit du jour. I agree that there are many other effective amplifiers, and that even maximum DNS hygiene will not make the wider problem go away.
>
> A quick note on your final comment, though: whilst adaptive response rate limiting (so-called RRL) is fast developing into an effective mitigation for reflection attacks against authority-only servers, there is far less experience with traffic patterns or the effects of rate-limiting (using RRL or anything else) on recursive servers. The best advice for operation of recursive servers remains restrict access to legitimate clients, not apply rate-limiting.

Twice agree. I try to have ::1 as resolver on my server machines that are in a position to be used, and only accept queries on ::1. Takes care of access control nicely.

For auth servers, those serving DNSSEC records are especially attractive as amplifiers. At the moment, I'd have a hard time defending unrestricted query rates on auth servers if they serve DNSSEC. I've successfully applied the Redbarn patches to my BIND, and I expect the NSD rate-control to be of similar quality, or better.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

BELA LUGOSI is my co-pilot ...
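The two pieces of advice in this exchange (restrict a recursive server to legitimate clients; rate-limit responses on an authoritative-only server) translate into a few lines of BIND 9 configuration. The following is an added illustration, not configuration from the thread or from anyone posting in it: three alternative `named.conf` `options` fragments, the open-resolver form that makes a host an amplifier, the loopback-only resolver that Måns describes, and an authoritative-only server using BIND's integrated `rate-limit` option (the successor to the Redbarn RRL patches in modern BIND 9 releases). The numbers in the `rate-limit` block are assumed starting values, not tuned figures.

```conf
// Fragment 1: the weak setting. A recursive server that listens everywhere
// and answers anyone is an open resolver and therefore a reflection
// amplifier, whether it is a full resolver or a SOHO box forwarding
// queries toward the ISP's resolvers.
options {
    listen-on    { any; };
    listen-on-v6 { any; };
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// Fragment 2: a resolver for the host's own use, as described above.
// Bound to loopback only, so no packet from the network can reach it;
// the ACLs are belt and braces on top of that.
options {
    listen-on    { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query     { localhost; };
    allow-recursion { localhost; };
};

// Fragment 3: authoritative-only. It must answer anyone for the zones it
// serves (DNSSEC-signed ones give large answers), so the defence is
// response rate limiting rather than an ACL. The values below are
// assumed starting points; log-only yes is the safe way to observe
// what would be limited before enforcing it.
options {
    recursion no;
    allow-query { any; };
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
        log-only no;
    };
};
```

Pick exactly one of the three `options` blocks for a given `named.conf`; BIND accepts only one. After reloading, `dig @<resolver-address> example.com` from another host should time out or be refused for fragment 2, which is the observable property that matters.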
Re: Visio-fu
Subject: Visio-fu
Date: Mon, Feb 25, 2013 at 08:20:34PM +
Quoting Warren Bailey (wbai...@satelliteintelligencegroup.com):

> All, I have been searching our beloved internet endlessly for months on information regarding Visio technique. Does anyone have a good resource(s) for advanced visio drawings, or more to the point a good place for high quality connectors? There is some great quality work out there, this is something I found just a little while ago http://www.parallels.com/r/upload/figure2-1.gif This may not be a visio drawing (do not have any background on it), but I would really dig some resources that you guys out there may or may not use. The cables in that drawing look fantastic to me, so I would really appreciate any guidance you all have in helping me improve my output.

I'd just quit beating the rotting carcass of Visio into producing anything not appalling and go with OmniGraffle instead.

http://www.omnigroup.com/products/omnigraffle/

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

DON'T go!! I'm not HOWARD COSELL!! I know POLISH JOKES ... WAIT!! Don't go!! I AM Howard Cosell! ... And I DON'T know Polish jokes!!
Re: 10 Mbit/s problem in your network
Subject: Re: 10 Mbit/s problem in your network
Date: Sun, Feb 10, 2013 at 05:07:49PM +0100
Quoting JP Velders (j...@veldersjes.net):

>> Not to be pedantic, but The Last Mile Cache will actually help you to solve this problem, with a local cache server at the hotel.
>
> And as a business traveller I want to have the ISP or Hotel cache (aka be able to read and for others to be found!) my possibly very sensitive corporate documents exactly _why_ ?

A VPN or SSH session (which is what most hotel guests traveling for work will do) won't cache at all well, so this is a very bad idea. Might improve some things, but not the really important ones.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

Thousands of days of civilians ... have produced a ... feeling for the aesthetic modules --
Re: IPV6 in enterprise best practices/white papers
Subject: Re: IPV6 in enterprise best practices/white papers
Date: Mon, Jan 28, 2013 at 08:45:39PM +0400
Quoting Mukom Akong T. (mukom.ta...@gmail.com):

> On Mon, Jan 28, 2013 at 7:27 PM, Eugeniu Patrascu eu...@imacandi.net wrote:
>
>> I thought about running pure IPv6 inside and do 6to4, but it's too much of a headache,
>
> Does an L2 switch really care about IPv6? (except for stuff like DHCPv6 snooping, etc?)

For management it does care. NO ipv4 is NO ipv4. As in not even management addresses.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

Will the third world war keep Bosom Buddies off the air?
Re: IPV6 in enterprise best practices/white papers
Subject: Re: IPV6 in enterprise best practices/white papers
Date: Sun, Jan 27, 2013 at 10:01:04AM -0800
Quoting joel jaeggli (joe...@bogus.com):

> Tuning desktop operating systems is not the scalable side of enterprise network deployment.

No problem if it is a deployment. If it is the usual chaos, yeah, then there is a problem.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

I'm encased in the lining of a pure pork sausage!!
Re: IPV6 in enterprise best practices/white papers
Subject: Re: IPV6 in enterprise best practices/white papers
Date: Sun, Jan 27, 2013 at 12:31:37PM -0500
Quoting William Herrin (b...@herrin.us):

> Right. On each local machine you can often override the default behavior. That default dynamically kicks in for all machines as soon as there's an IPv6 router on the LAN. Configurable? Sort of. Realistic solution to the cited problem? Not in your wildest dreams.

Well, I'm doing a careful, slow rollout of v6 in an enterprise. Things like this can be herded so as to be way below the threshold of noticeable for 99% of the users. The only quirk we've found is a LAN that first got v6 and then lost it (long story of IOS upgrades enforcing sanity and breaking hackish deployments). Clients on other segments were a bit upset.

> That's right, blame the applications for the defective API. After all, any skilled application programmer can work around the problem, given sufficiently long experience with IPv6.

IMNSHO, the API is not as defective as you might think. The idea was to replace v4. If we cling to v4, what is going to happen? (Well, ask just about any ISP except HE and a few others, they can tell how it feels to cling to v4 and go LALALALALALALACANTHEARYOU when customers ask for v6)

The happy eyeballs fix is of course convenient, but only necessary when the network is so broken for v6 that you should not have turned RA on..

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

How do you explain Wayne Newton's POWER over millions? It's th' MOUSTACHE ... Have you ever noticed th' way it radiates SINCERITY, HONESTY WARMTH? It's a MOUSTACHE you want to take HOME and introduce to NANCY SINATRA!
Re: [SHAME] Spam Rats
Subject: Re: [SHAME] Spam Rats
Date: Thu, Jan 10, 2013 at 03:50:37PM +1100
Quoting Mark Andrews (ma...@isc.org):

> In message <50ee471c.7010...@utc.edu>, Jeff Kell writes:
>
>> Can you wildcard it?
>
> No point. address -> name -> address doesn't work with wildcards.

OTOH, if the requirement is "must have PTR" and/or "organisation fwd domain name should show up in PTR RDATA" then wildcards have a place. And yes, BIND loads and answers, as expected.

*.4.4.3.0.5.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR a.node.on.vlan344.namn.se.

...will work just fine, for instance. I did it for a 200+ segment LAN party, a couple of years ago. And as is usual with wildcards, if you do need to insert a real record, it will take over just as expected.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

The FALAFEL SANDWICH lands on my HEAD and I become a VEGETARIAN ...
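The two claims in this exchange, that a wildcard PTR satisfies a "must have a PTR in the organisation's domain" policy but cannot satisfy an address -> name -> address check, and that a specific record takes precedence over the wildcard, can be checked with a small model of authoritative lookup. The following is an added example, not code from the thread: it builds the reverse zone for 2001:db8:a5:344::/64 from the wildcard record quoted above plus one constructed real record, pairs it with a constructed forward zone, and implements simplified wildcard matching (closest enclosing wildcard wins; RFC 4592's empty-non-terminal subtleties are not modelled). The host names and addresses other than the quoted wildcard are constructed sample data.

```python
import ipaddress

# Constructed sample zone data (not from the thread, apart from the wildcard
# record quoted in the mail). The reverse zone covers 2001:db8:a5:344::/64.
WILDCARD_OWNER = "*.4.4.3.0.5.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa"
NS_ADDR = ipaddress.ip_address("2001:db8:a5:344::53")

REVERSE_ZONE = {
    WILDCARD_OWNER: "a.node.on.vlan344.namn.se",
    # one real record alongside the wildcard: the name server on the segment
    NS_ADDR.reverse_pointer: "ns.vlan344.namn.se",
}

# Constructed forward zone. The wildcard's target name exists, but it can
# only point at one address, not at every host on the /64.
FORWARD_ZONE = {
    "ns.vlan344.namn.se": NS_ADDR,
    "a.node.on.vlan344.namn.se": ipaddress.ip_address("2001:db8:a5:344::1"),
}


def lookup_ptr(addr: str):
    """Model an authoritative PTR lookup: an exact owner name wins; otherwise
    the closest enclosing wildcard matches; otherwise there is no PTR."""
    qname = ipaddress.ip_address(addr).reverse_pointer
    if qname in REVERSE_ZONE:
        return REVERSE_ZONE[qname]
    labels = qname.split(".")
    # Walk up the tree one label at a time; the first "*.<suffix>" present in
    # the zone is the closest encloser's wildcard.
    for depth in range(1, len(labels)):
        candidate = "*." + ".".join(labels[depth:])
        if candidate in REVERSE_ZONE:
            return REVERSE_ZONE[candidate]
    return None


def satisfies_ptr_policy(addr: str, org_suffix: str) -> bool:
    """The check a wildcard can pass: a PTR exists and its RDATA is under the
    organisation's forward domain."""
    name = lookup_ptr(addr)
    if name is None:
        return False
    return name == org_suffix or name.endswith("." + org_suffix)


def fcrdns_ok(addr: str) -> bool:
    """The check a wildcard cannot pass for arbitrary hosts: forward-confirmed
    reverse DNS, address -> name -> address must round-trip."""
    name = lookup_ptr(addr)
    if name is None:
        return False
    return FORWARD_ZONE.get(name) == ipaddress.ip_address(addr)


if __name__ == "__main__":
    for a in ("2001:db8:a5:344::53", "2001:db8:a5:344::1234", "2001:db8:a5:345::1"):
        print(a, lookup_ptr(a), satisfies_ptr_policy(a, "namn.se"), fcrdns_ok(a))
```

Running it shows the three cases side by side: the name server's address gets its real record despite the wildcard, an arbitrary host on the segment gets the wildcard answer and so passes the "has a PTR under namn.se" test but fails the round-trip test, and an address outside the /64 gets nothing.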
Re: Any enterprise operators very happy with their MPLS providers?
Subject: Any enterprise operators very happy with their MPLS providers?
Date: Wed, Dec 05, 2012 at 02:14:25PM +
Quoting McCall, Gabriel (gabriel.mcc...@thyssenkrupp.com):

> I'm getting ready to prepare an RFP for our next generation WAN, and would like feedback from anyone else who has 100+ MPLS nodes on their quality of account service and technical performance. My current landscape includes ATT, Sprint, and Verizon. I'm almost completely happy with Sprint- they're about in the A- range. ATT is muddling along at about a C, and Verizon is a solid F. I've heard very good things from some CenturyLink customers and will definitely include them in the bidder list- is anyone else doing a very good job for you?

We did a survey around 2008-9 in Sweden and concluded that the risk of large hysteresis IPDV and Q-in-Q outweighed the attractiveness (mainly price) of running on top of somebody else's MPLS. A major contributing factor was, and is, also that we ourselves are running MPLS for our logical separation needs, and that we predicted and got a lot of real-time critical RTP streams on the internal WAN.

We bought Gigabit Ethernet compatible channels over mainly dark fiber or WDM and included text in the call for tender about not even trying to offer MPLS-based L2.. This was done under EU Public call for tender legislation, which was a challenge. We are quite happy, and slashed our old inflated price for relatively small SDH links by a lot.

If, OTOH, you are not a very distributed radio company trying to do RTP in 48kHz 24-bit linear stereo over internal WAN, using multicast, you might be fine with a MPLS offering...

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

I have a VISION! It's a RANCID double-FISHWICH on an ENRICHED BUN!!
Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....
Subject: Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications
Date: Thu, Nov 29, 2012 at 09:55:19AM -0500
Quoting William Herrin (b...@herrin.us):

> On Thu, Nov 29, 2012 at 9:01 AM, Ray Soucy r...@maine.edu wrote:
>
>> You should store IPv6 as a pair of 64-bit integers. While PHP lacks the function set to do this on its own, it's not very difficult to do.
>
> Hi Ray, I have to disagree. In your SQL database you should store addresses as a fixed length character string containing a zero-padded hexadecimal representation of the IPv4 or IPv6 address with A through F forced to the consistent case of your choice. Expand :: and optionally strip the colons entirely. If you want to store a block of addresses, store it as two character strings: start and end of the range.

No, you are both wrong. The answer is simple and practical: Use a database that has a modern IP address database type. Like Postgres. Its IP-address data types understand and parse both address strings and network strings (and, of course -- a network with the proper netmask set might be interpreted like a host.)

The 32-bit integer trick might, just might make do for IPv4, but a proper data type is so much simpler to use.

<non-technical ranting part>
Also, stepping away from MySQL or Oracle makes Larry less powerful.
</non-technical ranting part>

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

I am covered with pure vegetable oil and I am writing a best seller!