Re: Gaming Consoles and IPv4

2020-09-28 Thread Alan Buxey
not just how it handles IPv4 - these things don't even do proper WiFi
- meaning no happy joy for lots of students on campus where 802.1X
wifi is provisioned

alan


Re: IPv6 Pain Experiment

2019-10-03 Thread Alan Buxey
hi,

> Go ahead and read your v4 address over the phone and then do the same with 
> your v6 address.  Which is easier?  I do understand all about these addresses 
> both being binary underneath ( I've been doing this for over 30 years now).  
> However it is much easier to communicate using four decimal octets.

::1

so much quicker than 127.0.0.1  ;-)

> People generally do not like change and being forced to learn something new.

some people dont... but its called progress.  I'd have to worry about
someone whose only experience is of TCP/IP networking (and only IPv4
at that).  do they also get wobbly when
their data is now on a big broadcast collision domain network after
all those years of moving it to a switched system?

>That is just human nature.  You have to give them a reason to want to do it 
>(more money, better service, less long term cost, etc.).

the ability to communicate to the rest of the growing world where IPv4
addresses just arent there anymore?

>It is hard to make the case to eliminate v4 in use cases where it is working 
>perfectly fine (especially RFC1918 inside an enterprise).

2 things on this. just an internal network? yes, you could say 'why
bother'?   I *could* think about being in that campbut actually,
i'd stick the
security hat on and say, just like I did with wireless

'we dont have any wireless' - oh really? without being in the domain
and having kit that will detect it/trace its source etc how will you
know

int he IPv6 world...if you arent the one controlling it on your
network (and reporting on it) then you will have clients happily
talking to each other
on it, tunnelling it around the place (hello all those TEREDO tunnels)
and being the router for traffic. all the fun with ff02::1 on your
local segment  ;-)

alan


Re: IPv6 Pain Experiment

2019-10-03 Thread Alan Buxey
hi,

the old UK reverse name notation actually comes from some sensible
ideas - firstly from the big-endian processing methods - but also the
most important part of the address
comes first - ideal for global routing decisions early. who cares
about the actual hostname , get to the actual TLD ;-)

anyway, a little unfair as that decision was made before the Internet
domain standard was agreed/established.  hey, competing systems...one
of them usually wins. in this case the
other one did ;-)

as for IPv6, the topic of this thread. having done campus IPv6
deployments, working out addressing schemes, sorting out kit upgrades
(and broken by many 'oh, IPv6 is in a future
release' or 'its on our roadmap' vendor promises) a few things.  it
gives us native end to end on a network that is now too big to handle
that with IPv4 - NAT etc causing all kinds of new
things to be cooked up to ensure things dont break.  deploying it is
trivial-ish (these days) - you have so much choice...and eventually
decent routers doing SLAAC will finally be able to serve
other details such as DNS/time/etc via SLAAC - servers? give them
static addresses...simple ones that dont populate all the last half...

that gets me on to my small annoyance... /64 bit subnet masks for
local networks. really?  ALL of that address space and then throw such
a large range away on subnets commonly populated
with no more than a couple of hundred clients...maybe a few thousand
at worst. what a mistake.

I come from a background where we had IPv4/DECNET/AppleTalk/IPX all
around the place - to be honest, 2 fairly simply IP protocols being
handled/routed has never kept me up at night
and I enjoyed many times of cleaning things up and getting people to
realise what access their systems needed...a quick refresh of access
rules (on hosts and in network kit) and
monitoring ('you monitor that service on its IPV4...why not IPv6' was
said way too many times)

address format? at least you can put :c01d:c0ff:ee and dead:beef etc
in your addresses... as others have said, IPv4 is only a number in a
superficial sense (who HASNT been burnt
by an engineer putting a few 0's into IP address boxes on kit that
forces all fields to be populated?   we had A6 and  mess, things
took a while to iron out and just like
BSD dying, IPv6 deployment (and DNSSEC!) just really hasnt been
'completed' yet. but thats okay, because  I'm still curious why the US
techies didnt just bite the bullet and
got for IPv8  ;-)

alan


Re: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-14 Thread Alan Buxey
hi,

have seen and suffered from same.  nearby strikes can cause enough
surge to fry things.  best solution - air-gaps where possible between
devices (eg fibre to link switches),  surge protectors on ethernet
cables where needed (eg feeds from Access points) - and if the APs
have external antennae
then use lightning arrestors on the coax cables.

why main wireless vendors still don't do SFP/SFP+-based APs I don't
know... (would mean only the AP cooks and the edge switch isnt the
victim

alan


Re: Cisco wifi signal fluctuations

2019-07-18 Thread Alan Buxey
hi,

do you have any of the WLC settings on such as dynamic power
assignment (which allows the controller to work out neighbour cell
coverage
and reduce the signal to stop much overlap).  which 5GHz channels are
being used - if you're using those in DFS space then RADAR detection
means that DAC will kick in and the APs will be changing channel
(which of course, means they'll be doing some clear channel assessment
before
coming back.   is the SSID still doing WPA?  If so, any MAC check
failures from a dodgy client will cause the AP to enact counter
measures etc etc
really, I'd suggest turning on much logging for this area/building ,
slap it all into a simple ELK setup (just spin one up from available
docker compose
files if needed) - and then browse the resulting dataset with Kibana
etc to see whats going on.

or go and do a proper wireless survey and fix it from base level up  :)

alan

On Thu, 18 Jul 2019 at 19:46, Vikash Sorout via NANOG  wrote:
>
> On Cisco wifi, we started seeing signal fluctuations since 1-2 months. The 
> only change that was done to change windows user preference from 2.4 GHz 
> Radio to 5 GHz radio through a windows group policy change. But this was done 
> in response to the problem reported by certain users.We have lately 
> discovered that some of the neighboring APs opt for same frequency band at 
> 5.0 GHz and also at 2.4 GHz. Reboot of these APs have not helped to choose 
> different frequency band by these APs.Channel assignment is set to be auto 
> and we cannot change it to static though we are aware of definitive AP 
> positions at all floors in campus. The reason being that the controller 
> serves APAC and we do not know the definite / relative positions of different 
> APs.The wireless survey conducted before (when there was no complaint on 
> wifi) did show presence of co-channel interferences in certain areas, but SNR 
> was seen to be very good in all areas of all the floors.
>
> For skype, we have call drop or call noisy complain from users across the 
> three floors irrespective of if they are connected to wifi or LAN.
>
> We are using Cisco WLC 5520 controller.
>
>
>
> Regards,
> Vikash Sorout
> Hand-phone : +91-9013866229
> Email: vikash_sor...@yahoo.com


Re: QoS for Office365

2019-07-10 Thread Alan Buxey
hi,

use Direct Access PAC file for clients to get the right endpoints.
Apply QoS to that traffic - and use that same PAC file to feed the IP
ranges into your QoS
rules on the firewall/router ?

alan

On Mon, 8 Jul 2019 at 17:15, Joe Yabuki  wrote:
>
> Hi all,
>
> How do you deal with QoS for Office365, since the IPs are subject to changes ?
>
> How can we mark the trafic while keeping the security (I fear the marking 
> based on TCP/UDP Ports since they are not without an additional risk coming 
> from worms/virus using those ports for example, and doing that directly on 
> the PCs doesn't seem to be the best solution) ?
>
> Many thanks,
> Joe


Re: Packetstream - how does this not violate just about every provider's ToS?

2019-04-26 Thread Alan Buxey
hi,

> Just ran into packetstream.io:


Had a quick look but doesn't seem to mention Blockchain at all -
therefore it can't be that good! ;-)

alan


Re: Multicast traffic % in enterprise network ?

2018-08-10 Thread Alan Buxey
when i was last on a proper working multicast-enabled UK university
network, could pick up the BBC streams (TV and radio) using VLC  :)

alan


Re: Proving Gig Speed

2018-07-17 Thread Alan Buxey
hi,

another prediction would be that your internet connection (and most devices
in house) connected by 5G - maybe with some local
WiFi - 802.11ax - if theres still spectrum left after the LTE groups have
taken it all for aforementioned 5G purposes...

legacy devices, still around for another decade or more can have some
2.4GHz connectivity - that ISM band is troublesome to repurpose
thanks to all the medical and video senders etc. big old wild west there...


alan


Re: Application or Software to detect or Block unmanaged swicthes

2018-06-08 Thread Alan Buxey
as already said - this can be covered with adequate processes and
management (even so far as, not doing your job right? time
for HR...). however, there are many ways to ensure that random ports arent
doing anything other than what they should be doing - most of these
are L2 security features - port-security, BPDUGAURD, default vlan pruning,
along with other protections such as DHCP snooping etc.

however, if its the network team doing this - then they could just turn
those things off anyway - so you need to also ensure all
managed switch configs have their configs audited and checked - grabbed by
SNMP and checked/audited against known template etc etc.
if a switch cannot be audited then disconnect its uplink. but then your
end users/customers no longer have connections - which is why its
really down to management processes.  WHY are they doing this? there could
be other reasons why due process isnt being followed
other than eg incompetence, malice,  laziness etc

alan


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Alan Buxey
real ones send such formulae as LaTeX attachments - where their recipients
can have a simple plugin to view/display it inline (then save to
edit/modify etc).
HTML is horrible for formula...but at least I guess a little better than MS
Word.

alan


Re: Catalyst 4500 listening on TCP 6154 on all interfaces

2018-05-09 Thread Alan Buxey
hi,

thank-you Dario for your input and response from Cisco PSIRT - very
useful and welcome.

alan


Re: Remote power cycle recommendations

2018-04-28 Thread Alan Buxey
+1 for the APC kit  :)

alan


Re: China Showdown Huawei vs ZTE

2018-04-26 Thread Alan Buxey
https://www.theregister.co.uk/2018/04/26/hyperoptics_zte_routers/

yet another ZTE issue . :(

alan


Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-02 Thread Alan Buxey
thats probably a key part of the experiment - to find locations and
systems where 1.1.1.1 is trashed.

it should be routable and its about time that vendors stopped messing
around in that space - hopefully this is
one of the sticks that prods people to start to behave - at which
point 1.0.0.0/8 will regain value too and can be used by APNIC
for other requirements.


as for those berating addresses used for experiments - there are MANY
networking experiments going on out there , the Internet itself
derives from one big ongoing experiment...and some would even say it
IS still an experiment.

alan

On 2 April 2018 at 17:04, John R. Levine  wrote:
>> This looks like a willy-waving exercise by Cloudflare coming up with the
>> lowest
>> quad-digit IP. They must have known that this would cause routing issues,
>> and
>> now suddenly it's our responsibility to make significant changes to live
>> infrastructures just so they can continue to look clever with the IP
>> address.
>
>
> Perhaps we can ask APNIC what the experiment is.  They surely know that
> 1.1.1.1 is messed up so I doubt that Matt expects every coffee shop in the
> world to bend to his will.
>
> Regards,
> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly


Re: Yet another Quadruple DNS?

2018-03-29 Thread Alan Buxey
exactly.

intercept/inject? why. an ISP can just run its own standard DNS
servers on 8.8.8.8 and 8.8.4.4 and point
their customers to those - they own their routing space, they can just
route to those locallyso anyone thinking they
can avoid their ISP by choosing some other addresses are mistaken
the only way to avoid is through encrypted lookups
to a known/trusted/and signed endpoint etc


Re: Wi-Fi Analyzer

2017-12-29 Thread Alan Buxey
Scout Aircheck G2 is quite nifty - but a lot of tools out there are
only just a little bit above what you can do with a decent Android
phone (one with 802.11a/b/g/n/ac chipset) and
WiFiAnalyzer !  :)

alan


Re: Alternatives to ISE?

2017-12-03 Thread Alan Buxey
if you're already slurping the commercial koolaid (support contracts,
someone to blame etc etc) - then Aruba Clearpass?

(otherwise local homebrew with FreeRADIUS core or PacketFence as
FOSSOTS ;-) )

alan


Re: OSPF Monitoring Tool

2017-12-02 Thread Alan Buxey
Commercial, or free?  For commercial route explorer should do the job, for
free, run eg quagga or such with relevant actions on logs.

alan


Re: Moving fibre trunks: interruptions?

2017-09-14 Thread Alan Buxey
i'm sure theres plenty of aerial in europe. usually carried on e.g.
the top messenger cable on pylons   - given i've attended talks about
the issues of fixing such fibre after storms in Scotland :)

On 1 September 2017 at 20:52, Rod Beck  wrote:
> I don't think there is virtually any aerial in Europe. So given the cost 
> difference why is virtually all fiber buried on this side of the Atlantic?
>
>
> 
> From: NANOG  on behalf of Jared Mauch 
> 
> Sent: Friday, September 1, 2017 9:37 PM
> To: Michael Loftis
> Cc: Nanog@nanog.org
> Subject: Re: Moving fibre trunks: interruptions?
>
>
>
>> On Sep 1, 2017, at 3:32 PM, Michael Loftis  wrote:
>>
>> If it is in the railroad RoW they may be restricted to daylight working
>> only. Check with your provider or OSP crew.
>>
>
>
> Yup.  Railroad work is complex just because you have to coordinate with the 
> railroad owner and they have to be onsite for all work.  The cost of going 
> underground vs aerial is also astronomical in many cases.
>
> - Jared


RE: SNMP syslocation field for GPS coordinates, and use with automation tools

2016-12-09 Thread Alan Buxey
Yes. But don’t just put in coordinates... Put in other details and use a 
standard separator 


alan


Re: Spitballing IoT Security

2016-10-29 Thread Alan Buxey
Hi,

Hi,

>Put it another way: you bring home a NEST and the first thing you the
>expert might do is read the net to figure out which ports to open.  Are
>you really going to not open those ports?

Put onto its own isolated vlan with only internet access.  Unfortunately no 
basic routers that are for the home come with such a setup by default.  That's 
the first big win. 

alan


Re: Spitballing IoT Security

2016-10-27 Thread Alan Buxey
Hi,


>At which point the 3GS was almost 5 years old (having originally been
>released in June 2009) and had been already superseded by the iPhone 4,
>4S, 5 and 5S/5C.

But the release of and presence of those phones does not make the older phone 
suddenly stop working.  As noted,  the phone might be obsolete to those people 
hungering for the latest tech but as a phone and web client etc it still works 
fine. and will continue doing so whilst the battery is okay. ... and then,  
with no updates it can be the next attack vector 

Which is the point.  These things stay out there...like those winXP boxes.  
There are 2 choices

1) manufacturers are responsible for the devices.  No longer caring for them?  
Recall them.  Compensate the users. 

2) stronger obsolescence.  eg kill switch/firmware tombstoning/network 
connectivity function ending timebomb

as a user of lots of legacy tech i find either option bad :/

alan


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Alan Buxey
hi,

>From: NANOG  on behalf of Mike Hammett 
>
>Sent: 27 September 2016 16:30
>Cc: nanog@nanog.org
>Subject: Re: Krebs on Security booted off Akamai network after DDoS attack 
>proves pricey
>
>You must not support end users.


haha...i read that wrong. I read it as a command, rather than an observation! 
;-)


alan


Re: Don't press the big red buttom on the wall!

2016-08-29 Thread Alan Buxey
>“Unfortunately because it was human >error we weren’t prepared for it,” 
>Holmes said.

"But it's elementary!" Watson retorted 

:)

alan


Re: Cisco 2 factor authentication

2016-06-26 Thread Alan Buxey
As per other statements of such seen elsewhere online, do you have examples or 
code which will allow the recovery of passwords in a radius exchange? Yes,  the 
shared secret mechanism is widely stated as 'weak' but actively attacked?  

alan


Re: mrtg alternative

2016-03-23 Thread Alan Buxey
+1 for Statseeker. Ease of use etc (price depends on eg site size etc). Can do 
lots on just one mid server unlike some other bloaty solutions out there.  But 
we also still use MRTG for some local bespoke measurements 

PS you can get a free Eval of statseeker. Obnote, don't work for them just a 
fairly happy customer

alan


Re: Equipment Supporting 2.5gbps and 5gbps

2016-01-28 Thread Alan Buxey
Um.  You don't have an option for old copper plants. This stuff gives you 
2.5gig or 5gig on cat5/cat5e (depending on distance). 

If you can do 10g you really shouldn't be carrying about this stuff.  In the 
optical world just jump to using 10Gig (where you can)

alan


Re: Binge On! - get your umbrellas out, stuff's hitting the fan.

2016-01-10 Thread Alan Buxey
For the sake of security of all internet connected hosts - especially in this 
new era of even more IOT junk , security updates,  firmware and new OS updates 
should be granted libre data rates so that users who keep their devices updated 
are not penalised. 

as for carriers pipes...will, if multicast was seriously taken up then eg OS 
updates could be streamed out on regular updates 

alan


Re: Binge On! - get your umbrellas out, stuff's hitting the fan.

2016-01-09 Thread Alan Buxey
You're assuming that people are only using phones with their SIM - those that 
use a mifi dongle and thus view content on a tablet or laptop will notice

We could rate limit traffic from YouTube to 1.5mbps and let the adaptive 
streaming knock the steam to 480p bit our users with 100mbit connections might 
wonder why they cannot view 720p or 1080p - and why spicy they view such 
content - its like putting back the web and online video services 5 years.  
Where does it stop?  320x240 ?

Bulk data and background update processes are things that could possibly by 
throttled - after all,  that's pretty much what QoS does.  Most of my phone 
data is google play software updates and on woes phone ios and itunes store 
updates - it doesn't matter if the update ticks along in the background. Audio 
and video need to be good.

alan


Re: announcement of freerouter

2015-12-26 Thread Alan Buxey
>RouterOS is an existing product by MikroTik

Yes but this was an announcement about freerouter. If RouterOS has an 
announcement to make they can send their own email ;)

alan


Re: MACsec to edge hosts

2015-12-23 Thread Alan Buxey
The host has to support it... I've only seen the cisco anyconnect client add 
such support to the host 

alan


RE: Nat

2015-12-21 Thread Alan Buxey
I'm surprised that noone of the home wifi router folk haven't cornered the 
market on that one in terms of client separation.  Most people don't need the 
devices to talk to each other so by default all ports on different VLANs .. 
192.168.0-8.x etc

Internet of things security out of the box. Web interface to change port 
membership for those that DO need inter device access

Or maybe there are such defaults out there from some suppliers i'm not familiar 
with? :)

alan


Re: Advance notice - H-root address change on December 1, 2015

2015-11-16 Thread Alan Buxey
No.  CentOS follows RedHat.  They backport fixes to older versions rather than 
put the new version out.  It appears that have aversion to new feature and just 
want to put the fixes onto the older versions.  So that 9.9.4 probably has 60% 
of the changes that the diff of 9.9.4 has to 9.9.8 . This action confuses most. 

alan


Re: EyeBall View

2015-10-26 Thread Alan Buxey
Indeed.  They just need more places across the world hosting Anchors  :)

alan


Re: EyeBall View

2015-10-26 Thread Alan Buxey
What,  like RIPE NCC ? :)

alan


Re: The spam is real

2015-10-26 Thread Alan Buxey
There's also probably a large number of people gnashing their teeth that all of 
these compromised sites have been so readily identified by a very basic spam 
scam. A massive waste of opportunity for real black hats

alan


Re: Why is NANOG not being blacklisted like any other provider that sent 500 spam messages in 3 days?

2015-10-26 Thread Alan Buxey
I was looking out for the sub-Reddit thread ;)

alan


RE: Static IPs

2015-10-19 Thread Alan Buxey
Aye. It was an amusing anecdote/joke about their poor wording/pitch. I didn't 
see it as some sales thingguess others are having a stressful day or got 
out of bed the wrong side today :/

alan


Re: RIPE atlas probes

2015-10-06 Thread Alan Buxey
'should have largely the same vantage point ...'

That's *exactly* one of the functions of these probes. It's very interesting 
what they can find out.  Never assume (you know the rest of that...)

alan


Re: Inexpensive probes for automated bandwidth testing purposes

2015-10-04 Thread Alan Buxey
One of the small microPC solutions. Depending on what you want to test (eg 
bandwidth) you may find platforms like raspberrypi too limited. Intel NUC or 
LIVA platforms? 

https://www.perfsonar.net/deploy/hardware-selection/low-cost-hardware/

alan


Re: Recent trouble with QUIC?

2015-09-27 Thread Alan Buxey
Yes.  Next gen firewalls stop that kind of game  ;)

alan


Re: Ear protection

2015-09-26 Thread Alan Buxey
Great summary of the thread


No-one using remote control robots with video feed etc for working in these 
environments then?  Plans to?  ;)

alan


Re: Extraneous "legal" babble--and my reaction to it.

2015-09-09 Thread Alan Buxey
>It's just text at the bottom of your email.

1 often a very large amount of text - in this case the legalese was something 
like 10x longer than the comment! 
2 its pointless. Its not enforceable and doesn't mean anything.  

Shall i put a chapter of war and peace at the end of my emails?  You could just 
ignore it.   ;)

alan


RE: Windows 10 Release

2015-07-29 Thread Alan Buxey
'QoS problems are to be expected' . Uh?
Don't you put QoS into place just to ensure that the minimum bandwidth you need 
to ensure critical services (such that your voice traffic is not impeded for 
example) are NOT affected across your WAN links when there are big globs of 
data banging around?

Surely,  If anything,  this is the one case and time when the QoS deployment 
effort can be shown to have value (obviously the policies would already have 
been validated against saturated links as part of sign off)

alan


Re: Hotels/Airports with IPv6

2015-07-10 Thread Alan Buxey
2 mbit is still more than 32 bit  ;)

alan


Re: Hotels/Airports with IPv6

2015-07-09 Thread Alan Buxey

No. They should just ask, with the best geek intonation, whether this
place still is stuck with 32-bit Internet

I'm sure they'd gladly report that their Internet is 24 mbit and not just 32 
bit 
;)

alan


Re: Any Verizon datacenter techs about?

2015-06-26 Thread Alan Buxey
There was signing of NDAs

Which you obviously read and follow to the letter ;)

alan


Re: REMINDER: LEAP SECOND

2015-06-22 Thread Alan Buxey
I do feel sorry for you unix/linux users having a problem in year 2038 
fortunately I get another ~ 8 years... my Amiga
gets its first big problem in 2046 ;-)

http://web.archive.org/web/19981203142814/http://www.amiga.com/092098-y2k.html

alan

PS if i get to see the 2078 issue I'll be old enough to fuss about other things 
than a 2 digit date display..and I'm sure if I'm around until 7 February, 2114, 
06:28:16 I'll have more to worry about than an old Amiga finally reaching the 
end of its useful life...unless its actually driving my life support system! ;-)

Re: Android (lack of) support for DHCPv6

2015-06-09 Thread Alan Buxey
'We plan to use DHCPv6 rather than SLAAC for a variety of reasons'

Care to elaborate on the reasons?  Due to client support we have both.  In fact 
we had SLAAC for many years and just 2 years ago we added DHCPv6 ..that was to 
ensure fuller client support (since windows and OSX amongst others started to 
support it) but also because of the ongoing slowness of our kit supporting the 
growing list of SLAAC extensions to provide DNS/NTP etc values :/

dual-stack since 2001. HE 'sage' ;)

alan


Re: eBay is looking for network heavies...

2015-06-09 Thread Alan Buxey
'Don't learn by heart that which you can look up.'  apart from enough 
basics to get you up and connected so that you CAN look things up!  ;)

There's a whole debate about the education system and learning things by rote 
that can be looked up.  In many sectors you have reference tomes. ..some MUST 
be reviewed before doing any work. I think there are some key advantages to 
knowing things when in the field BEFORE you then see the rest of the day go by 
while troubleshooting.  You have to know eg the basics of OSPF to know what to 
look up when an adjacency doesn't come up. ..to be in 'the right ballpark' as 
they say :)

alan


Re: WiFi courses/vendors recommendation

2015-06-03 Thread Alan Buxey
+1 for CWNP courses.  The CWNA and CWDP cover RF quite well too you'll pick 
up most of what's needed. ..imho most of the vendor specific courses only 
benefit is to tell you how to manage their control plane.  Which button to 
click on the interface etc ;)

alan