A little bit older one, but bigger - took down the whole internet:
for a small value of whole internet
same for ripe/duke experiment gone bad
randy
i think jan zorz, over in slovenia has developed a good check list with
the gang there which is being used more and more generally in the ripe
region.
randy
Is there any clear understanding of what supporting IPv6 means?
ripe-501 may be helpful, jan zorz's docco enshrined in ripeness and
overwebification.
http://www.ripe.net/ripe/docs/ripe-501
randy
It's perhaps worth noting that there is work in the IETF to
recommend that every prefix originated as part of an anycast cloud
uses a unique origin AS (see
http://tools.ietf.org/html/draft-ietf-grow-unique-origin-as-00). I'm
not personally convinced of the arguments in the draft, but
I might not explain the background clearly and confused people. We're
doing research on multiple origin AS issue, and we want to confirm if
our inference is correct based on history data we collected. For
example, we found several hundreds of prefixes with multiple origins
more than two, some
The good thing about tunnels is people can build them where there's no
proper network
and the result is a network that is broken differently
My Desktop is not able to make any IPv4 socket connections anymore. I
get Protocol not supported. So there are IPv6-only users, already
bitten by no . So that's -1 from me.
i choose to only run decnet ii, and the world should fix my connectivity
problem.
randy
another view might be that netflix's customers are eating the bandwidth
randy
Since a good number of us get paid for delivering bits, isn't this a
good thing?
at layer eight, having a single very large customer can be a source of
unhappy surprises.
randy
why not permit your users to subscribe to shows/instances, stream them
on-demand for viewing later... and leave truly live content
(news/sports/etc) as is, with only the ability to pause/rewind?
how is this different from broadcast tv today though?
for some of us, the thing that is wonderful about netflix is the long
tail. my tastes are a sigma or three out.
in all seriousness, if the content was available and you could request
it be streamed to you 'sometime tomorrow' or 'sometime before Friday',
you and the other people like you
http://heartbeat.skype.com/
skype has been microsofted already. small number of users my ass.
probably 7/8 of the users i would see at this time are not on.
randy
Though it's nice to have why would one *need* 100 Mbps at home?
some of us try to get work done from home. and anyone who has worked
and/or lived in a first world country thinks american 'broadband' speeds
are a joke, even for a home network.
randy
i am not learning anything here. well, except maybe that someone who
normally has his head up his butt also had it in the sand.
what's new? how about the operational technical effects, like data from
modeling various resolvers' responses to a large root zone?
randy
Now I'm tempted to be the guy that gets .mail
express that temptation in dollars, and well into two commas.
randy
This discussion was going on this list 10-15 years ago and the numbers
being squabbled over were three orders of magnitude lower than they are
today.
and will be discussed again when the numbers are orders of magnitude
greater than they are now. i think we should keep a pointer to this
thread
vrrp?
Can we use same AS to advertise different networks in different location?
We would like to use Seattle as production network and New York as testing
eg:
Seattle: network 66.49.130.0/24
New York: network 67.55.129.0/24 and ipv6 network.
you have not made clear whether ny and sea are
The IETF is run by volunteers. They volunteer because they find
designing protocols to be fun. For the most part, operators are not
entertained by designing network protocols. So, for the most part they
don't participate.
Randy Bush, Editorial zone: Into the Future with the Internet Vendor
Well, you work at Zynga, a company which makes facebook games. Before
that you worked at Nokia, company which makes phones but doesn't run
phone networks. Before that it was Check Point Software, a company
which makes firewalls but doesn't run networks. And before that it was
the University
My focus in this thread is this: how do we help the next teams avoid
the discourtesy and the smackdown that the v6 teams are getting for
not adequately recognizing the ops' issues. These guys should have
been heroes but instead they screwed the pooch and everybody's paying
for it. How do we
I said there is an ops directorate that reviews basically every draft
in front of the iesg.
and this directorate is a group of actual operators?
randy
If you have any questions or concerns please let me know.
we haz spam!
randy
New location means we now get spam on Nanog?
no extra charge :)
i have lived through maintaining decades of mailing lists and do not envy
the nanog mailing list crew and glen over at amsl.
thanks for the hard work, folk.
randy
Thankfully, the current test has been a success. We are going to
stay in
Hooray for testing in production.
we are not dealing with stupid or inexperienced people here. i assume
they tested.
but, like our beloved vendors, they also have a hard time reproducing
the real network in the lab, so
thanks for the hard work, folk.
Let's work harder
thanks for volunteering. when will you be flying out to the bay?
randy
Also, where is the reply to header?
still in the garbage, where it belongs
W.R.T. to LISP, in defense of the IETF or the IRTF, i do not believe
the IETF has told the world that LISP is the best fit for the
Internet or solves any specific problem well.
The IETF has never said the Internet Architecture is going to LISP,
and it likely will not / cannot. My
i will not dispute this, not my point. but i have to respect dino and
the lisp fanboys (and, yes, they are all boys) for actually *doing*
something after 30 years of loc/id blah blah blah (as did hip). putting
their, well dino's, code where their mouths were and going way out on a
limb.
[
btw, a little birdie told me to take another look at
6296 IPv6-to-IPv6 Network Prefix Translation. M. Wasserman, F. Baker.
June 2011. (Format: TXT=73700 bytes) (Status: EXPERIMENTAL)
which also could be considered to be in the loc/id space
randy
I also view RFC6296 as a perpetuation of the clear violation of the
end-to-end principle (i.e., ' . . . functions placed at low levels of
a system may be redundant or of little value when compared with the
cost of providing them at that low level . . .') embodied in the
abomination of NAT/PAT
you want to give ops feedback to the ietf, well ...
i suggest a loc/id session at the next nanog, 20-30 mins each for
LISP
ILNP
6296
where each is explained at an architectural level in some detail with
also a predetermined list of questions such as how does this address
loc/id separation,
% /usr/local/bin/rsync \
--times \
-v \
rsync2.dnswl.org::dnswl/bind-dnswl.zone \
/var/dns/primary/org.dnswl
opening tcp connection to rsync2.dnswl.org port 873
rsync: failed to connect to rsync2.dnswl.org (85.25.63.16): Operation timed out
(60)
rsync error: error in socket IO
opening tcp connection to rsync2.dnswl.org port 873
rsync: failed to connect to rsync2.dnswl.org (85.25.63.16): Operation
timed out (60)
rsync error: error in socket IO (code 10) at clientserver.c(122)
[Receiver=3.0.8]
any other paying users seeing this or know anything? no response to
not to detract from the seasonal sorbs pissing contest, but in the spirit of
you never notice operations when it works, i wish to thank and congratulate
the folk who moved this mailing list. it seems to just work.
randy
When I send someone on site to do work for me, I don't want to have to
prepare excessive instructions on how to connect their laptop to the
local LAN. I want to say, This switch, this port and then move on to
the actual work I sent them there to do.
when i am allowed, i put up open wireless
The only reason in my opinion to run IS-IS rather than OSPF today is
due to the fact that IS-IS is decoupled from IP making it less
vulnerable to attacks.
how about simpler and more stable?
randy
I am curious if anyone has any experiences positive or negative with
Juniper MX-80s.
they seem to work
Our recent experience with Juniper has not been great both in terms of
new product offerings (SRX) and software bugs in the recent revs of
Junos for the MX platform.
yes, juniper has
I'm curious what other NANOGers have in their home compute centers?
a soekris 5501 running freebsd 8-stable
a mac mini connected to the tee vee
an apple tv connected to the tee vee
i moved all servers and such crap into real racks in real colos over a
decade ago. i don't want that kind of crap
charles skipped what i see as a highly critical question, personal
backup.
my life is on a 13 macbook air, all data, mail back decades (i do not
save all mail), etc. the whole drive is encrypted, my main reason for
moving to lion.
i have two time machine drives, one at home and one i carry on
That's interesting and if true would represent a real change. Can you
list the larger SPs in the US that use OSPF?
att
is-is in ntt, sprint, verizon, ...
randy
I've always wondered if the next cisco/juniper 0 day will be delivered
via a set of exploits delivered via a link posted to NANOG. :) Maybe
I'll do a talk at DEFCON next year about that.
more likely a 'shortened' url. how anyone can click those is beyond me.
randy
more likely a 'shortened' url. how anyone can click those is beyond
me.
I'm curious what your objection is.
i have no assurance that a shortened url does not lead to a malicious
site. also your privacy issue, but that is secondary.
you really have no idea what you're going to receive when
I really do not want 18 months of research to vanish.
a fool and his data are soon parted
-- monty williams, a co-worker about 1990
What would you rather rely on at 3am in the morning when things are
breaking? Someone who has just learned IS-IS or someone who already
has good experience with OSPF?
what would you rather rely on at three in the morning when things are
breaking, someone who has just learned OSPF or someone
i am told that the following session has been accepted for the nanog
agenda.
A Comparison of Approaches to Loc/ID, Routing Scaling, and the
Universe
Abstract:
This session looks at and contrasts:
LISP (Dino Farinacci)
ILNP (Saleem Bhatti)
RFC 6296 (Fred Baker)
o Trust model (how much trust is put in whom so that connectivity works)
o How much state where
o Security implications (where are the weak links, vectors for attack)
o Traffic engineering (ingress and egress) features
o Session survivability on rerouting (manual and due to outages)
-
John Curran appears to be completely open to constructive suggestions
very well phrased
unfortunately it is a long way to results, with very high variance
randy
Subject:Urgent hurricane alert
Date: Fri, 26 Aug 2011 14:55:15 -0400
From: borowitzreport.com a...@borowitzreport.com
To: z...@psg.com
Internet Outages from Hurricane Could Force People to Interact with
Other People, Officials Warn
FEMA: Prepare for Unwanted Eye
i do not support getting paid for community service. a primrose path.
randy
How is that getting paid?
you're kidding, right?
Don't know if you've ever done Habitat for Humanity
no. i teach in the poor countries. i pay my way.
To bring it closer to home - we give our presenters a free admission -
should we also stop that?
i am ambivalent. i think there is
On the flip side of this, many of our employers donate our time that
they are paying us for in order for us to serve NANOG with nary a
benefit. If you take just committee calls for the PC alone, this is
48 hours a year - a workweek. Perhaps they should feel that this
donation nets them
For context in this discussion, how many times have you personally
accepted free registration in return for presenting?
btw, i do not remember a meeting where being comped as an SC member or a
speaker affected whether i would attend or not.
[ and no, senator mccarthy, i am not now nor have i
The SC did not receive comp registration any time while I was serving
on it.
aha! sorry. my memory is not what it used to be.
I do feel the need to suggest that Dorian/Randy are on the mark here,
most of these people would pay anyways.
as i said, if nanog has the funds, i would support
relationships, that providers prefer customers over peers (in fact, a
number of global Tier-1 providers have preferred peers for decades), and
that relationships are valley free, which also has significant
exceptions. Yet these invalid assumptions may underpin the simulation
results.
---
Randy Bush ra
the previous paper is flawed and if the findings were true you would
wonder how anyone ever created a viable online business.
to be honest, what set me off was
http://transition.fcc.gov/pshs/advisory/csric3/wg-descriptions_v1
describing, among others, a routing working group of an fcc
I have worked for more than one transit free network, and have worked
with people from (most) of the rest, we always prefer cust over peer,
every time.
again, more than one of the world's largest providers prefer peers. and
even if they wanted to change, it would be horribly anti-pola to the
As one of the co-chairs of this working group, I'd like to chime in to
clarify the purpose of this group. Our goal is to assemble a group of
vendors and operators (not publish or perish academics) to discuss and
recommend effective strategies for incremental deployment of security
solutions
While I can think of some corner cases for this, ie you have a
satellite down link from one provider and fiber to another. I expect
this is not the norm for most networks/customers.
what is it you do not understand about more than one of the world's
largest providers? not in corner cases, but
Because routing to peers as a policy instead of customer as a matter
of policy, outside of corner cases make logical sense.
welcome to the internet, it does not always make logical sense at first
glance.
the myth in academia that customers are always preferred over peers
comes from about '96
In a typical DS-Lite deployment you won't be using NAT444. One of the
key advantages of DS-Lite (and A+P, I believe) is that there's only one
level of NAT between the end user and the public internet.
yep. and in ds-lite that nat is in the core, so you talk to comcast's
lawyers when you need
I'm going to have to deploy NAT444 with dual-stack real soon now.
you may want to review the presentations from last week's apnic meeting
in busan. real measurements. sufficiently scary that people who were
heavily pushing nat444 for the last two years suddenly started to say
it was not me who
Can we really push an IPv6 agenda for CDN's when IPv6 routing at high
backend levels is still not complete? I certainly don't have the
'clout' to push that, but full routing between Cogent and HE needs to be
fixed.
if you are worried about full v4 or v6 or v8-juice routing between
cogent
When you need to pile up this amount of trickery to make something
work, it's probably high time for letting the thing die :-)
You could say the same thing about NAT44 from the very start!
many of us did
randy
But Gregory is right, you cannot really trust anybody completely. Even
the larger and more respectable commercial organisations will be
unable to resist insert intel organisation here when they ask for
dodgy certs so they can intercept something..
No, as soon as you have somebody who is not
with dane, i trust whoever runs dns for citibank to identify the cert
for citibank. this seems much more reasonable than other approaches,
though i admit to not having dived deeply into them all.
If the root DNS keys were compromised in an all DNS rooted world...
unhappiness would ensue in
as eliot pointed out, to defeat dane as currently written, you would
have to compromise dnssec at the same time as you compromised the CA at
the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to
CA trust.
Yes, I saw that. It also drives up complexity too and makes you wonder
http://www.overpromisesunderdelivers.net/
amazingly professional. not.
but lead contestant for pathetic jealousy post of the year
I hate to beat/stab a dead horsey, but I found this by happenstance:
https://www.arin.net/resources/whoisrws/whois_diff.html
which describes some of the differences between RWS output and
traditional output.
For the scripty-minded folks out there:
$ wget -O - -q
Someone laying that restful whois to rest or at least maintaining
the old whois in parallel would be great.
Lots and lots of scripts to go spammer hunting using regexps to find
all the netblocks assigned to a spammer had to be rewritten :(
when you have a monopoly, you do not have the
If you have a particular suggestion for changing whois, please
feel free to submit it.
simple. don't.
if you want to do something new, don't call it whois.
randy
One approach would be the use of an option flag on the query to obtain
the new hierarchical output No flag = no output change. Would that
suffice?
how to do something new is best discussed by folk who want or need
something new, the folk with skin in the game. so, though i have an
opinion
Saying NANOG = ARIN is like saying Middle East = Terrorist. That kind
of generalization is never useful. ARIN is one of many non-Government
organizations that make decisions regarding the Internet.
As for your reference to Obama-style I'm not sure if you're trying
to pay homage to, or
As an ISP, ARIN will not give you any space if you are new. You have
to already have an equivalent amount of space from another provider.
does arin *really* still have that amazing barrier to market entry?
arin claims to be a shining example of industry self-governance. to me,
this barrier to
As an ISP, ARIN will not give you any space if you are new. You have to
already have an equivalent amount of space from another provider. I
think it is really stupid, and encourages wasting IP space, but that is
what the current policy is.
If you go to ARIN, day one, and ask for address
People have been bleating about routing tables sizes for years and
everything has been fine. You could argue that the bleating has helped
keep the size down of course, perhaps it has.
guy walks into a psychiatrist's office waving a newspaper. shrink
asks why are you waving that newspaper?
As an ISP, ARIN will not give you any space if you are new. You
have to already have an equivalent amount of space from another
provider.
does arin *really* still have that amazing barrier to market
entry?
Yes. If you want PI space, you have to start off with PA space,
utilize it, and then
One more reason we can all do ourselves a favor by moving to ipv6,
remove the number scarcity issue and associated baggage of begging for
numbers
silly hope. we created monopoly organizations. this kind of thing is
self-perpetuating.
randy
I have absolutely no doubt that there are sufficient folks
participating in NANOG to get nearly any policy desired
through the ARIN policy process. To the extent that folks
don't care to learn the current policies and participate in
the policy development process, they end up
Strange... You seem to overcome it well enough to join in the
discussion on PPML, but not to actually propose changes to policy.
i believe you are mistaken. i am not knowingly a subscriber to ppml,
and am not, to the best of my knowledge, participating in any
discussion(s) there.
a search of
One more reason we can all do ourselves a favor by moving to ipv6,
remove the number scarcity issue and associated baggage of begging for
numbers
silly hope. we created monopoly organizations. this kind of thing is
self-perpetuating.
Randy - If you wish to propose an alternative which
rick adams was right. this could be done very minimally with some
software and maybe six to ten folk to back it up.
gedanken experiment. instead of frelling up whois, printing comic
books, and playing weenie regulators, design and describe an rir with a
sign on the door which says internet
From: Randy Bush ra...@psg.com
Subject: Re: [arin-ppml] NAT444 rumors (was Re: Looking for an IPv6
naysayer...)
Date: February 21, 2011 9:00:50 PM EST
To: Dan Wing dw...@cisco.com
Cc: 'NANOG list' nanog@nanog.org, 'ARIN-PPML List' arin-p...@arin.net
http://tools.ietf.org/html
one to post overly aggressive defensive messages on nanog
I am not convinced that Mr. Bush is best placed to comment on this
particular issue.
you seem to have a problem differentiating defense from offense. i
recommend you not play chess. :)
randy
one to post overly aggressive defensive messages on nanog
I am not convinced that Mr. Bush is best placed to comment on this
particular issue.
you seem to have a problem differentiating defense from offense. i
recommend you not play chess. :)
Randy is perfectly right in expressing his
I'm told of others that have bought legacy IPv4 prefixes with no
intention of updating whois at this time - no desire to enter into a
relationship with ARIN and be subjected to existing policy, for
instance.
so your point is that your friends at depository.com will be attractive
to ip address
I can ping on point to point
I have BGP up and running
When I try to pass traffic over the link my clients are unable to pass
any meaningful traffic and browsing is impossible.
mtu? try various size pings.
filters?
randy
All transfer requests which meet the policies get approved and
updated in the registry. ARIN does turn down transfer requests
which don't meet policy, and this potential is often understood
and covered in proposed sale documents for IP address blocks.
would you be willing to describe what
1) One IP connection via a T-1. Second IP connection via GRE tunnel
carried on first.
2) One IP connection via a T-1 that doesn't have transit, only peering
with providers B and C. IP connections via two GRE tunnels to providers
B and C.
3) One IP connection via MPLS over T-1. Second
http://ibm-1401.info/
A few (dozen) years ago, I was treated to an interesting demonstration
where a coworker poured an oily fluid containing tiny metallic flakes
on a patch of tape. The bits on the tape could be clearly seen by
the naked eye, and could be decoded (ever so slowly!) using a
peval()
while we still lived on the farm, two valleys away was gordon, who ran a
dairy farm, milked, and delivered around coos and curry counties twice a
week. he told of deciding to go down to the big city, san francisco.
so he put good clothes on and packed a suitcase and headed south (a long
day
A nominating committee's essential function is to ensure that a
minimum number of qualified, vetted individuals are placed on the
slate of candidates for election.
it should ensure that folk who are not *technically* qualified, e.g. not
members, not human people, ... are not on the slate.
One scenario that i can think of when somebody might run the 2 protocols
ISIS and OSPF together for a brief period is when the admin is migrating
from one IGP to the other. This, i understand never happens in steady
state. The only time this can happen is if an AS gets merged into another
AS
Folks could, at least theoretically, use ISIS or OSPF multi instance/multi
topology extensions to support IPv4 and IPv6 topologies. This way they
would only need to run a single protocol and thereby requiring expertise in
handling only one protocol.
and, as is-is supports 4 and 6, why do you
we really should not be putting huawei kit into the backbone, there
might be backdoors where they can spy on our traffic
oh
well, so much for that
randy