by anyone to be news, especially news worth citing on NANOG.
These malformed packets should have matched a mental drop rule, or at the very
least, invoked a 'reputable news source' query.
Or, as our icanhazcheezburger friends would say... I can haz obvious political
agenda?
Nathan Eisenberg, Atlas
and
Internet service providers may voluntarily elect to shut down the sites of
customers involved in these kinds of situations.
Nathan Eisenberg, Atlas Networks
Best Regards,
Nathan Eisenberg
is the risk mitigation for ULA?
Best Regards,
Nathan Eisenberg
of 'software router' and 'appliance' from
OP to see if that's where he was going.
Best Regards,
Nathan Eisenberg
Nathan Eisenberg
pfSense has everything: proxy (squid), firewall, bw-management,
captive portal and a very nice web interface for management:
www.pfsense.org
The only thing it doesn't have is IPv6 support (yet). :(
Best Regards,
Nathan Eisenberg
the same uplink.
One is a reality, and one offers disturbing possibilities.
Best Regards,
Nathan Eisenberg
a special carpool lane.
Carrier circuits should never be 'full', unless your definition of 'full' is
50-70%, IMHO. 100% full is a failure of engineering, business planning, and
monitoring. Priority shouldn't be required.
Best Regards,
Nathan Eisenberg
have conducted themselves, find a
response which doesn't violate your own ethics. Otherwise, you look like a
hypocrite throwing a tantrum.
Best Regards,
Nathan Eisenberg
authority if the agent asks for and processes it.
Would you use this SSL daemon, knowing that it had this bug?
I would consider a transit provider who subverted an ARIN revocation to be
disreputable, and seek other sources of transit.
Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
by?
Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
in the same Toronto Registration services report that I
referenced earlier on page 5.
https://www.arin.net/participate/meetings/reports/ARIN_XXV/PDF/Wednesday/Nobile_RSD.pdf
John, thank you for the links. Interesting information there!
Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
First of all, I don't want your organization to have ANY policy at all.
Where'd you get your AS number, again?
Why be less extreme? I would rather see moon-routers!
NANO's are encouraged to provide the datasheets for the Cisco 6509's
solar-power module and wideband laser signaling SFPs.
Best Regards,
Nathan Eisenberg
, that's just fine, because statistics/trending/basic resource
alerting/etc are best kept separate from things like OMG one of my
powersupplies is dead!!11one.
Also supports IPMI, which is nice if you have IPMI deployed. :-)
Best Regards,
Nathan Eisenberg
Eisenberg; nanog@nanog.org
Subject: RE: Monitoring Tools
The last time I looked, my main issue with Zabbix was that it required (or
greatly preferred) their proprietary agent on every host. This may have
changed.
-Scott
-Original Message-
From: Nathan Eisenberg [mailto:nat
The only thing you can do to help your users is to provide them with proper
education and to explain to them to keep up to date, run the right tools and
not click anywhere they can, and that is a mission which is near
impossible.
I thought user education in threat management was long ago
Possibly because that other user is who the customer pays have their content
delivered to?
Customers don't want to deliver their content to search engines? That seems
silly.
http://www.last.fm/robots.txt (Note the final 3 disallow lines...)
For either A, B or C you won't get my business, let alone a combination of
all 3.
*wah!* There is too much FORCE here. :-)
Agreed. Just provide tubes and shut down infected customers until they clean
up. Keep it simple. For content delivery, there are several non-evil ways of
doing
While I would agree in principle, in practice we have little control
over what customers use.
You won't have a good time at Disneyland if you ride Space Mountain in the
unsupported configuration of 'not belted in'. An ISP has no control over what
I set my MTU to, and they won't support me if
Would you object to an ISP model where a content provider could pay to get an
ISP subscriber's package upgraded on a dynamic basis?
Yes - and the reason is extremely simple. There are a lot of ISPs and a lot of
plans. If I'm an entrepreneur looking to build Hulu from the ground up in a
The consumers are saying I want faster, as long as I don't have to pay more.
Content providers are saying, If consumers had faster, I'd be able to invent
'Killer App'. I sure wish the ISPs would upgrade their networks.
ISPs are saying, Why should we upgrade our networks, nobody is willing to
True net-neutrality means no provider can have a better service than another.
This statement is not true - or at least, I am not convinced of its truth.
True net neutrality means no provider will artificially de-neutralize their
service by introducing destination based priority on congested
It's a matter of viewpoint. It's convenient to talk about net-neutrality when
it's
scoped, but not when we widen the scope. Customer A gets better service than
Customer B because he went to a site that had prioritization. Never mind that
while they fight over the saturated link, Customer C
If your AD domain is a subdomain, like corp.job.com, you can always delegate
the subdomain's name service to the MS DNS servers from the BIND servers. That
way, you don't have to make huge changes to your existing environment.
-Original Message-
From: Tom Mikelson
Devil's Advocate here,
What would you say to ISP A that provided similar speeds as ISP B, but B took
payments from content providers and then provided the service for free?
Gives you the choice, ISP A, which costs, and ISP B, which is free, and most
people wouldn't know the difference.
Vyatta has hardware forwarding? Real hardware forwarding? Where?
Best Regards,
Nathan Eisenberg
-Original Message-
From: Curtis Maurand [mailto:cmaur...@xyonet.com]
Sent: Tuesday, September 28, 2010 5:55 AM
To: Heath Jones
Cc: nanog@nanog.org
Subject: Re: Software-based Border
Doh. Serves me right for posting BEFORE having my coffee.
Though, on reflection was anyone claiming Vyatta didn't have hardware to sell
you?
Best Regards,
Nathan Eisenberg
-Original Message-
From: Heath Jones [mailto:hj1...@gmail.com]
Sent: Tuesday, September 28, 2010 10:11
frequently has different ideas about things.
~Seth
FWIW - 465 is widely deployed as SMTPS, in more than just MS products. I'm
actually quite surprised it's not in the well known ports list.
Best Regards,
Nathan Eisenberg
That's not the point. The point is that if your users are using the net
available bandwidth, it's time to add more bandwidth, not to mess with your
users' traffic. 'Dedicated' has nothing to do with it.
Best Regards,
Nathan Eisenberg
There would be several filters for this. Is the person reporting this a known
network operator that people trust or is it some Joe Blow out of nowhere
that nobody has heard of before? That would make a huge difference. Is
the AS assigned to a company that is known to be defunct? That would
Maybe you didn't recognize the original poster, but I did, and I would take
what he had to say at least seriously enough to have a look. His followup
mail, while not giving people the information they wanted (as if it really
matters) did mention that the upstream appears to have cut them off.
Seriously though, I can't think of a topology I've ever encountered where RIP
would have made more sense than OSPF or BGP, or if you're really die-hard,
IS-IS. Let it die...
I was just curious - why would IS-IS be more die-hard than OSPF or iBGP?
Best Regards,
Nathan Eisenberg
Citizen: Hello, police? There is a crate of M-16's and a truckload
of ammunition just sitting here on the corner
Police: That is less than the Army goes through in 3 months ...
*click*
You'd have better luck calling the ATF, they are the ones empowered to
enforce the tax on machine
how many of you are using SPF records? Do you have an opinion on their
use/non use of?
We use SPF on most client domains. On inbound filtering, we add no score for a
lack of SPF record, and we reject mail if the SPF record hardfails. We've seen
it reduce domain-imposter spam. It's not
http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt
Whois traffic has been going through the roof; they
added more proxies in front to support it.
Apparently, there's IP management packages that do
whois queries. It would be good to find out who is
doing it, and talk to ARIN
If it passes SPF we remove a few points of the spam weight.
I would rethink this practice. Many spammers publish SPF valid records these
days precisely because of this.
Nathan
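As an added example (not code from this thread or from either poster), the following Python sketches the inbound policy described in the two messages above: no score for a missing record, reject on hardfail, and no credit for a pass, because spammers publish valid SPF records too. It goes slightly beyond the thread by evaluating a general SPF record rather than one case, but only for the mechanisms that can be checked offline (ip4, ip6, all); include/a/mx/redirect need DNS lookups and are reported as permerror here. The records, sender addresses, score deltas and function names are all assumptions constructed for illustration.

```python
"""Minimal SPF (RFC 7208 subset) evaluator plus a scoring policy.

Added example, not code from the NANOG thread. Only ip4/ip6/all are
implemented; mechanisms that require DNS (include, a, mx, exists,
redirect) return "permerror". All records and addresses below are
constructed from documentation ranges.
"""
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip against one TXT record string.

    record=None means the domain publishes no SPF record -> "none".
    A record without a terminal 'all' that matches nothing -> "neutral",
    which is the RFC 7208 default.
    """
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # some other TXT record, not SPF
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/exists/redirect need DNS; out of scope offline.
        return "permerror"
    return "neutral"


def spf_score(result, reward_pass=False):
    """Map an SPF result to (action, score delta) for a spam filter.

    Mirrors the policy in the thread: hardfail -> reject outright,
    "none" -> no penalty, and a pass earns nothing. reward_pass=True is
    the practice the thread warns against (spammers can pass SPF for
    domains they control). The numeric deltas are assumptions.
    """
    if result == "fail":
        return ("reject", 0.0)
    if result == "softfail":
        return ("accept", 1.0)  # assumed mild penalty
    if result == "pass" and reward_pass:
        return ("accept", -2.0)  # bonus that spammers can farm
    return ("accept", 0.0)


def filter_decision(record, sender_ip, reward_pass=False):
    """Evaluate a record for a sender and return the policy outcome."""
    return spf_score(evaluate_spf(record, sender_ip), reward_pass)


if __name__ == "__main__":
    # Constructed records: a legitimate sender and a spammer who also
    # publishes a perfectly valid SPF record for his own bulk-mail range.
    LEGIT = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
    SPAMMER = "v=spf1 ip4:198.51.100.0/24 -all"
    print("imposter:", filter_decision(LEGIT, "203.0.113.7"))
    print("spammer, no bonus:", filter_decision(SPAMMER, "198.51.100.9"))
    print("spammer, bonus:", filter_decision(SPAMMER, "198.51.100.9", True))
```

Run it directly and the spammer's mail gets the same negative delta as a legitimate pass when reward_pass is on, which is exactly why the thread advises against deducting points for a pass; with the default policy the only thing SPF does is reject the imposter.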
-Original Message-
From: Guerra, Ruben [mailto:ruben.gue...@arrisi.com]
Sent: Wednesday, October 06, 2010 1:47 PM
To: nanog@nanog.org
Subject: RE: Facebook down!! Alert!
Passes Andrew the shotgun... Please kill all FB threads with it. :)
The only thing I noticed being down last
I'm assuming we aren't making jokes here, but 3com.com was created in
1986:
I'm confused. 3com.com would not appear to be entirely numerical. Or maybe
someone spiked my coffee this morning.
Best Regards,
Nathan Eisenberg
I am looking for some vendors that make PtP optical wireless (laser)
gear.
Any reason you want an optical wavelength link, rather than a 23, 38, 60 or
80 GHz microwave link?
Best Regards,
Nathan Eisenberg
Stateless autoconfig works very well. It would be just perfect if the
network boundary was configurable (like say /64 if you really want it,
or /80 - /96 for the rest of us)
Why do you feel it's a poor decision to assign /64's to individual LANs?
Best Regards,
Nathan Eisenberg
http://www.arlnow.com/2010/10/27/nsf-building-evacuated-in-ballston-after-apparent-lightning-strike/
lightning strike - electrical fire
-Dave
At the science foundation. Nature has a sense of irony.
My guess is that the millions of residential users will be less and
less enthused with (pure) PA each time they change service providers...
That claim seems to be unsupported by current experience. Please elaborate.
Nathan
Been unexpectedly gone for the weekend, apologies for the delay. Wow,
can subjects get hijacked quickly here. I think it happened within one or two
emails. It was just for weekend fun anyway...
So... You tossed a cow into a pool (that you knew was) filled with piranhas,
waited a few days,
If you think peering points are the middle portion of the internet that all
packets have to traverse, then this thread is beyond hope.
-- Niels.
Making sweeping generalizations at thin air is fun!
This statement could be easily true, just as it could be easily false.
Nathan
Would a mail-op from id.apple.com please contact me off-list?
1. They absolutely refuse to delegate rDNS authority for a /24. 2. I was told
they do not do static routes when I asked if I could have my /24 circuit
converted to a /30 and have the remaining subnets routed to my end of the /30.
Their suggested method is to put a router running proxy ARP in
This came up in another thread yesterday or today, and I just got the
solicitation mailer for Clearwire's WiMAX service in Tampa Bay, which they
call 4G, though the ITU disagrees.
The AUP is here: http://www.clear.com/legal/aup
I cannot strongly enough discourage you from using their
Factoid: we outnumber the pigs by 1000 to 1. Even if only 1% of us were
to go out and shoot a pig, we would still outnumber them 10 to 1! We
*CAN* win -- wake up, people!
Dude.
As someone who was personally connected to this
(http://www.komonews.com/news/local/78088192.html), and this,
The cloud is a failure. Too easy to get it down.
I guess wikileaks returning to dedicated hosting proves that.
No, it just proves that organizational decisions are made by human beings that
have values. Whether or not those values are 'right' isn't the point - the
point is that the
In a cloud hosting environment, you typically don't know where your
data and servers are, and thus you don't know what legal and political
pressures they may be subject to. If that means that in practice you
are subject to the combination of any pressure that can be applied to
any one of the
All that said, the whole issue of 'local content' is going to continue to
rage on for years to come. Getting the content closer to the end user is
going to be a key to reducing costs for the long-tail providers to homes
and businesses. Should it be incumbent on the CDNs to pay for colo at
I'd be interested to see what comments nanogers have on this piece. I'm not
well enough read to critically evaluate the guy's assertions.
I'm not familiar with a GPON system that provides gigabit to every subscriber
under 'high congestion'. I do know of FTTN systems that can provide a lot
-Original Message-
From: Ryan Finnesey [mailto:ryan.finne...@harrierinvestments.com]
Sent: Friday, December 24, 2010 11:36 PM
To: nanog@nanog.org
Subject: Hotel Internet?
Is anyone within the group providing Internet access to Hotels? It
seems most of this market is controlled by
There
appears to be zero interest in their business model to accommodate the
enterprise.
In my own personal experience, there appears to be zero interest in their
business model to accommodate the CUSTOMER.
They go on and on about how their frequency-space gives them a competitive
And yet blaster type worms are less common now, and I still get the
occasional reinfection reported where a computer shop installs XP pre-patch
with a public IP. A simple stateful firewall or NAT router would stop that and
allow them to finish patching the OS. There is always a new attack
you do nullroutes, you also implement a change control policy
which screens commands for approval before making configuration changes upon
which your public declarations, and your reputation as a decent operator, rely.
Nathan Eisenberg
You can get a CLEAR WiMAX fixed modem with static IP address for $50
(USD) monthly, or less if you opt for the low-bandwidth plan.
I wouldn't dare rely on something of that nature for a lifeline connection.
I'd spring for the extra $30/mo. It's expensive, but there ain't nothin' like a
Even if every RIR gets to 3 /12s in 50 years, that's still only 15/512ths of
the initial /3 delegated to unicast space by IETF. There are 6+ more /3s
remaining in the IETF pool.
That's good news - we need to make sure we have a /3 for both the Moon and Mars
colonies. ;)
Nathan
We've learned to pick our fights, and this isn't one of them.
--
Dan White
The most effective mechanism I've seen for explaining the problem is latency
and VOIP. Set up an artificially latency-ridden, high bandwidth connection,
then connect to a PBX using a softphone. One call is
Here's an updated list:
http://www.bgpmon.net/egypt-routes-jan31-2011.txt
Some decent opportunities for route aggregation in that list...
I've had trouble finding any technical reason not to use it.
What is important to you about having QA and Corporate use separate AS numbers?
Does using the same AS number result in a reduction of separation?
Nathan
Still, that is a considerable number of bits we'll have left when the dust
settles and the RIR allocation rate drastically slows.
Like it did for IPv4? ;)
-Nathan
Sure. Bet you ten bucks that no hotel in North America offers IPv6 this year
in the wifi they provide to customers. (Conference networks don't
count.)
John -
I happen to know with absolute certainty that the above statement is false.
But I'd be happy to take your money! :-)
Nathan
Right. That works great in an environment where the regulators require that
every telco pay Neustar to maintain the LNP databases, and send all the
updates promptly when a number is ported or disconnected.
The telcos pay Neustar $300 million a year to run the database. I'm sure
they'd be
according to the vendors selling CGNAT solutions the impact to end users is
(almost) unnoticeable.
And according to a used car salesman, this here pickup truck was only gently
driven by a little old lady to the shop once a week. There's going to be a lot
of snake oil in the next couple
Most IPv4 space is unused anyway, but it's not being reclaimed much despite
that. (How many IP addresses does the US federal government need? Few
people would think ~ 10 /8s. Especially since many of them aren't even lit
up.)
What do you mean, lit up? You mean they're not in the routing
I have yet to see a broadband provider that configures a network so that
individual nodes in the home network get global IPs.
On the residential properties that $EMPLOYER provides triple play to, the nodes
behind each CPE can maintain up to 5 leases. And there are a few homes that
actually
The problem with this is that both ARES and RACES hams have gotten there
first (orange lights and strobes flashing) and are now engaged in small-arms
fire over who gets to set their repeater up. You're now hiding under your
vehicle. What is your next move?
Larger-arms fire?
Does anyone know who to ping at Microsoft about their teredo platform? Their
relay(s) doesn't/don't seem to have reachability to some bits of IPv6 space.
Nathan
Some provider woes:
FAX over VOIP is a PITA. I've not yet seen an ATA or softswitch that handled
it reliably.
E911 for mobile devices sucks. Regulations, and the E911 system, do not seem
to have the flexibility for handling this in a seamless way.
Call routing (on a more global scale)
Odd - do the phones just randomly egress from different IPs in the pool if you
don't? Is this perhaps a too-long registration interval issue? Short
registration timers seem to deal with keeping the state table appeased on most
firewalls. Any chance the NAT device has some god-forsaken ALG
What everyone is actually *selling* commercially, except for cable
providers, is *not* VoIP; it's a subset of that: VoN; Voice Over Internet;
where the IP transport *goes over the public internet*, and through
whatever exchange points may be necessary to get from you to the provider.
This
And I fully expect that to be done at some point or another. Country
takes the entire 32bit address space for itself. You want to serve that
country? Fine, apply for an allocation out of their /0 and route to it
over v6.
What happens when countries are formed from secession? Does one
I doubt it will get better. Lots are into nickel-and-diming everyone to get
an extra buck. Look at wireless, they charge for x mega/gigabits per month
from your hand-held device (phone). Oh, you want to tether, that will be
more? Say what? Bits are bits but somehow tethered bits are
Would someone from Google please contact me offlist? You're geolocating some
of $DAYJOB's IP space to the Netherlands, and I'm not sure how to fix it.
Sadly, very few of my $DAYJOB's customers in Seattle are fluent in Dutch.
(If there's an obvious form somewhere to fix this, and I missed it,
Why is native IPv6 needed? I'd have thought a tunnel would be fine, too.
I believe the concern is that the higher latency of a tunnel would impact SEO
rankings.
I would be getting IPv6 connectivity, adding an unknown record such as
ipv6 or www6, but not www, and doing as many comparative IPv4 vs
IPv6 traceroutes from as many route servers as possible. Then you will have the
data you need to actually make an informed decision rather than just guessing
-
then if you ever get calls from the POTS DID, you know that you have the
original problem, plus you know that the connection to the SIP gateway is down.
Nathan Eisenberg
And this is why the prudent home admin runs a firewall device he or she can
trust, and has a default deny rule in place even for outgoing connections.
- Matt
The prudent home admin has a default deny rule for outgoing HTTP to port 80? I
doubt it.
Subscribe from your personal account.
+1
An important feature lacking for now, as far as I know, is content/web
filtering, especially for corporates wishing to block inappropriate/time
wasting content like Facebook. Addition of this would place it on a par
with the best like SonicWall and Fortinet.
At a previous employer, we utilized a
I meant config sync, not state sync.
I have multiple deployments of the config synchronization working just fine. :)
Please contact me off-list.
It was pointed out to me that 'k12.fl.us' is not an organization, but rather a
container. Clarification - I'm looking for a security contact from
broward.k12.fl.us
Nathan Eisenberg
-Original Message-
From: Nathan Eisenberg
Sent: Thursday, November 10, 2011 2:07 PM
To: NANOG list
Subject: Security Contact from k12.fl.us
Please contact me off-list.
-Original Message-
From: Nathan Eisenberg
Sent: Thursday, November 10, 2011 2:15 PM
To: NANOG
Look at the number that are refusing to make generous prefix allocations
to residential end users and limiting them to /56, /60, or even worse, /64.
Owen,
What does Joe Sixpack do at home with a /48 that he cannot do with a /56 or a
/60?
Nathan
What does Joe Sixpack do at home with a /48 that he cannot do with a
/56 or a /60?
Flexibility. With DHCPv6 prefix delegation, you are going to want devices
to be able to request (at least) /60s for further delegation (and better yet
/56s to allow them to delegate /60s with further
://tools.ietf.org/html/rfc6164
Nathan Eisenberg
easier to move on. In any
case, do the research and testing, and make sure that at least your own
deployments have rational addressing policies (whatever you determine that
might be).
Nathan Eisenberg
be argued that
hammers are weapons; therefore, we should call on Home Depot to stop carrying
these deadly instruments with all due alacrity - or at least have governments
step in and create licensing programs for hand tools.
Nathan Eisenberg
Nathan Eisenberg
Say a
coder gets confused when /tmp fills up and being unaware of this thing
called a search engine and instead will virtually cry help my puter
b0rked, I stuck! and vice versa.
Hah! In my experience, this phenomenon is not unique to coders, sysadmins, or
any other specialization. People
I think the idea that food, shelter etc. are human rights is absurd.
Doesn't that imply that someone must provide those things for me?
What
if they don't want to? Does that mean they are forced to? Which would
be a violation of their human rights.
There are those who think that it's a
There are no such rights. Each positive right is somebody else's obligation.
Being forced to feed, clothe, and house somebody else is called slavery. So is
providing Internet access, TV, or whatever else. Doesn't matter if this
slavery
is part-time, the principle remains the same -- some
Racktables seems pretty decent, and it's open source. Seems to still be alive,
too!
http://racktables.org/demo.php
-Original Message-
From: Josh Baird [mailto:joshba...@gmail.com]
Sent: Friday, January 13, 2012 2:20 PM
To: Shahab Vahabzadeh
Cc: nanog@nanog.org
Subject: Re: IP
Ubiquiti's UniFi products are decent, and have *MUCH* improved since their
original release (amazing what you can do with better code!). In the original
release, you had to have a management server running on the same L2 network as
the APs - they've moved the management to a L3 model so you
Making APs as low power and local as possible is good advice
^ Ignoring this advice is one of the biggest mistakes people make. They think
'Oh, I'll just drown out the noise', but the problem is almost never how well
the clients can see the AP - it's the AP seeing the clients. It's hard to
Nathan Eisenberg