Re: Someone's scraping NANOG for phishing purposes again

2017-02-10 Thread Alexander Harrowell
Interestingly, the phishes are both using NANOG members' names as forged
From: fields, they're also being sent to NANOG people specifically - each
one comes with half a dozen addresses of which usually one or two are
familiar to me as frequent contributors.

On Fri, Feb 10, 2017 at 5:42 PM, Josh Luthman <j...@imaginenetworksllc.com>
wrote:

> Thank you for the notice.
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Feb 10, 2017 12:42 PM, "Alexander Harrowell" <a.harrow...@gmail.com>
> wrote:
>
>> I'm getting suspicious e-mail pretending to come from leading NANOGers.
>> Not
>> the first time this has happened, but you may want to be warned.
>>
>> Yours,
>>
>> Alex Harrowell
>>
>
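The pattern described above (a known contributor's name in the From: display name, a sender domain that is not theirs, and a recipient list seeded with a couple of familiar addresses) is straightforward to check mechanically before anyone clicks. The following is an added example and not code from this thread; the contributor directory, the addresses and the sample message are constructed, and the header names it reads (From, To, Cc, Authentication-Results) are standard RFC 5322 / RFC 8601 headers.

```python
"""Flag list mail whose From: display name borrows a known contributor's
name but whose sending domain and authentication results do not match.

Added example, not code from the NANOG thread. The contributor directory,
addresses and the sample message are constructed for illustration.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed directory: normalised display name -> domains that person really posts from.
KNOWN_CONTRIBUTORS = {
    "alice example": {"example.net"},
    "bob operator": {"operator.example"},
}


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def auth_results(msg) -> dict:
    """Reduce Authentication-Results headers to {method: result}, e.g. {'spf': 'softfail'}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # "authserv-id; spf=softfail smtp.mailfrom=...; dkim=none; dmarc=fail header.from=..."
        for clause in hdr.split(";")[1:]:
            tokens = clause.split()
            if tokens and "=" in tokens[0]:
                method, _, result = tokens[0].partition("=")
                results[method.lower()] = result.lower()
    return results


def assess(raw: str) -> dict:
    """Return a verdict dict for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    known_domains_for_name = KNOWN_CONTRIBUTORS.get(_norm(name))
    all_known_domains = {d for ds in KNOWN_CONTRIBUTORS.values() for d in ds}

    recipients = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    familiar = [r for r in recipients if r.rpartition("@")[2].lower() in all_known_domains]

    auth = auth_results(msg)
    reasons = []
    if known_domains_for_name is not None and domain not in known_domains_for_name:
        reasons.append(f"display name {name!r} is a known contributor but the sender domain is {domain}")
    if auth.get("dmarc") == "fail":
        reasons.append("DMARC fail")
    if auth.get("spf") in ("fail", "softfail"):
        reasons.append(f"SPF {auth['spf']}")
    return {
        "from_name": name,
        "from_addr": addr,
        "recipients": len(recipients),
        "familiar_recipients": len(familiar),
        "auth": auth,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed sample: a known name on a freemail address, sent to a handful of
# people, one of whom is a familiar contributor.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=bulk.example.com; dkim=none; dmarc=fail header.from=freemail.example
From: Alice Example <alice.example@freemail.example>
To: bob@operator.example, carol@somewhere.example, dave@another.example
Subject: Invoice attached
Content-Type: text/plain

Please see attached.
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The display-name check is the part that catches this particular campaign; SPF/DMARC alone would not, since the forged mail is sent from a domain the attacker legitimately controls. The Authentication-Results header is only worth trusting when it was added by your own MX, so strip any copy that arrives from outside before relying on it.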


Someone's scraping NANOG for phishing purposes again

2017-02-10 Thread Alexander Harrowell
I'm getting suspicious e-mail pretending to come from leading NANOGers. Not
the first time this has happened, but you may want to be warned.

Yours,

Alex Harrowell


Re: Accepting a Virtualized Functions (VNFs) into Corporate IT

2016-11-29 Thread Alexander Harrowell
This is a really interesting thread; my telco clients are mad keen on
various solutions of this general form. As a rule they would love to
consolidate their various SME and enterprise CPEs down to a single x86 box
that gets configured with VNFs from a central VIM or container pool. But
they'd also love to sell you all your networking out of that box - and one
of the big questions I have is just how many companies would accept "LAN as
a Service". It may be even more difficult for SMEs as the cost of going
back on the deal is higher the less in-house capability you have.

On Tue, Nov 29, 2016 at 8:36 AM, Denis Fondras  wrote:

> > On 28/Nov/16 19:53, Kasper Adel wrote:
> >
> > Hi,
> >
> > Vendor X wants you to run their VNF (Router, Firewall or Whatever) and
> they
> > refuse to give you root access, or any means necessary to do
> 'maintenance'
> > kind of work, whether its applying security updates, or any other similar
> > type of task that is needed for you to integrate the Linux VM into your
> IT
> > eco-system.
> >
> > Would this be an acceptable offering in today's IT from different types of
> > Enterprises (Minus the Googles, Facebooks...etc) ?
> >
>
> As long as the vendor will be held liable for ANY (and I mean it) problem
> that
> could happen on my infrastructure.
>


Re: ATT Mobile Outage San Juan, PR 8+ hours, 1 Million out.

2016-05-06 Thread Alexander Harrowell
you mean there's an outages.org outage? [sorry]

On Wed, May 4, 2016 at 10:32 PM, Nathan Schrenk  wrote:

> It looks like www.outages.org stopped being updated with outage data in
> January 2013?
>
> Nathan
>
> On Wed, May 4, 2016 at 3:57 PM, Bill Woodcock  wrote:
>
> >
> > > On May 4, 2016, at 4:37 PM, Javier J 
> wrote:
> > >
> > > If there is a better mailing list please let me know.
> >
> > outa...@outages.org
> >
> > -Bill
> >
> >
> >
> >
> >
>


Re: Fiber to the home specialists/consultants?

2016-02-15 Thread Alexander Harrowell
Diffraction? (i.e. Benoit Felten's company)

http://www.diffractionanalysis.com/services/what-we-do

On Thu, Feb 11, 2016 at 2:28 PM, Fletcher Kittredge 
wrote:

> Since two asked: Tilson 
>
>
> On Wed, Feb 10, 2016 at 8:14 PM, Jeremy Austin  wrote:
>
> > Ditto.
> > On Wed, Feb 10, 2016 at 4:04 PM Daniel Rohan  wrote:
> >
> > > Can anyone point me at a firm that does or consults on FTTH from a
> > > technical *and* business perspective?
> > >
> > > Off-list responses would be appreciated.
> > >
> > > Thanks,
> > >
> > > Dan
> > >
> >
>
>
>
> --
> Fletcher Kittredge
> GWI
> 8 Pomerleau Street
> Biddeford, ME 04005-9457
> 207-602-1134
>


Re: Marriott wifi blocking

2014-10-06 Thread Alexander Harrowell
On Sat, Oct 4, 2014 at 4:32 AM, Jay Ashworth j...@baylink.com wrote:
 Hugo, I still don't think that you have quite made it to the distinction that 
 we are looking for here.

 In the case of the hotel, we are talking about an access point that connects 
 via 4G to a cellular carrier. An access point that attempts to create its own 
 network for the subscribers devices. A network disjoint from the network 
 provided by the hotel or its contractor.

To put it another way, if you plugged a USB cable into the 4G device
and the other end into a laptop, and a hotel manager appeared with a
big pair of scissors and cut through it, in an effort to make you buy
WLAN service from the hotel, nobody would think this either legal or
reasonable. Why should it be more acceptable because you used radio?
What about IrDA, if you're a technical masochist?


 This is a different case from the circumstance in a business office where 
 equipment is deployed to prevent someone from walking in with an access point 
 /which pretends to be part of the network which the office runs./

 In the latter case, the security hardware is justified in deassociating 
 people from the rogue access point, /because it is pretending to be part of a 
 network it is not authorized to be part of/.

 In the Marriott case, that is not the circumstance. The networks which the 
 deauth probes are being aimed at are networks which are advertising 
 themselves as being /separate from the network operated by the hotel/, and 
 this is the distinction that makes Marriott's behavior unacceptable.

 (In my opinion; I am NOT a lawyer. If following my advice breaks something, 
 you get to keep both pieces.)

 On October 3, 2014 11:04:08 PM EDT, Hugo Slabbert h...@slabnet.com wrote:
On Fri 2014-Oct-03 19:45:57 -0700, Michael Van Norman m...@ucla.edu
wrote:

On 10/3/14 7:25 PM, Hugo Slabbert h...@slabnet.com wrote:

On Fri 2014-Oct-03 17:21:08 -0700, Michael Van Norman m...@ucla.edu
wrote:

IANAL, but I believe they are.  State laws may also apply (e.g.
California
Code - Section 502).  In California, it is illegal to knowingly and
without permission disrupts or causes the disruption of computer
services
or denies or causes the denial of computer services to an authorized
user
of a computer, computer system, or computer network.  Blocking
access to
somebody's personal hot spot most likely qualifies.

My guess would be that the hotel or other organizations using the
blocking tech would probably just say the users/admin of the rogue
APs
are not authorized users as setting up said AP would probably be in
contravention of the AUP of the hotel/org network.

They can say anything they want, it does not make it legal.

There's no such thing as a rogue AP in this context.  I can run an
access point almost anywhere I want (there are limits established by
the
FCC in some areas) and it does not matter who owns the land
underneath.
They have no authority to decide whether or not my access point is
authorized.  They can certainly refuse to connect me to their wired
network; and they can disconnect me if they decide I am making
inappropriate use of their network -- but they have no legal authority
to
interfere with my wireless transmissions on my own network (be it my
personal hotspot, WiFi router, etc.).  FWIW, the same is true in
almost
all corporate environments as well.

Thanks; I think that's the distinction I was looking for here.  By
spoofing deauth, the org is actively/knowingly participating on *my
network* and causing harm to it without necessarily having proof that
*my network* is in any way attached to *their network*.  The assumption

in the hotel case is likely that the WLANs of the rogue APs they're
targeting are attached to their wired network and are attempts to
extend
that wireless network without authorization (and that's probably
generally a pretty safe assumption), but that doesn't forgive causing
harm to that WLAN.  There's no reason they can't cut off the wired port

of the AP if it is connected to the org's network as that's their
attachment point and their call, but spoofed deauth stuff does seem to
be out of bounds.

I'm not clear on whether it runs afoul of FCC regs as it's not RF
interference directly but rather an (ab)use of higher layer control
mechanisms operating on that spectrum, but it probably does run afoul
of
most thou shalt not harm other networks legislation like the
California example.


/Mike



--
Hugo

 --
 Sent from my Android phone with K-9 Mail. Please excuse my brevity.
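The distinction the thread draws (deauth aimed at a rogue AP pretending to be part of your own network versus deauth aimed at someone else's separate network) is something a wireless IDS can make visible, because every deauth/disassoc frame carries the BSSID it is directed at. The following is an added example, not code from the thread or any product: it parses the 802.11 management header from constructed frames, counts deauth/disassoc per transmitter in a sliding window, and labels each finding according to whether the BSSID is one the venue operates. The BSSID list, window and threshold are assumptions.

```python
"""Pick out deauthentication/disassociation floods from captured 802.11
management frames and note whether they target a BSSID the venue operates.

Added example, not code from the thread. The frames are constructed by
hand; the venue BSSID list, window and threshold are assumptions.
"""
import struct
from collections import defaultdict

FC_DEAUTH = 0xC0     # frame control byte 0: type 0 (management), subtype 12
FC_DISASSOC = 0xA0   # type 0, subtype 10
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt_frame(frame: bytes):
    """Return (kind, dst, src, bssid, seq, reason) for deauth/disassoc frames, else None.

    Layout without FCS: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2) Reason(2).
    """
    if len(frame) < 26:
        return None
    if frame[0] == FC_DEAUTH:
        kind = "deauth"
    elif frame[0] == FC_DISASSOC:
        kind = "disassoc"
    else:
        return None
    dst, src, bssid = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    seq = struct.unpack("<H", frame[22:24])[0] >> 4      # upper 12 bits are the sequence number
    reason = struct.unpack("<H", frame[24:26])[0]
    return kind, dst, src, bssid, seq, reason


def detect_floods(frames, our_bssids, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).

    Raises a 'flood' finding once per transmitter that sends more than
    `threshold` deauth/disassoc frames inside `window` seconds, and a
    'broadcast_*' finding for any deauth/disassoc addressed to ff:ff:ff:ff:ff:ff.
    Each finding is marked third_party when the BSSID is not one of ours.
    """
    ours = {b.lower() for b in our_bssids}
    recent = defaultdict(list)
    flagged = set()
    findings = []
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue
        kind, dst, src, bssid, _seq, _reason = parsed
        third_party = bssid not in ours
        if dst == BROADCAST:
            findings.append({"type": f"broadcast_{kind}", "src": src, "bssid": bssid,
                             "third_party": third_party, "ts": ts})
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(recent[src]) > threshold and src not in flagged:
            flagged.add(src)
            findings.append({"type": "flood", "src": src, "bssid": bssid,
                             "third_party": third_party, "count": len(recent[src]), "ts": ts})
    return findings


def build_frame(fc: int, dst: str, src: str, bssid: str, seq: int, reason: int) -> bytes:
    """Assemble a deauth/disassoc frame (constructed test data, no FCS)."""
    def mac(s):
        return bytes(int(x, 16) for x in s.split(":"))
    return (struct.pack("<BB", fc, 0) + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid)
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))


ROGUE = "02:11:22:33:44:55"          # constructed: transmitter of the flood
OUR_BSSIDS = {"de:ad:be:ef:00:01"}   # assumption: the one AP the venue itself runs
SAMPLE_CAPTURE = (
    [(i * 0.05, build_frame(FC_DEAUTH, "aa:bb:cc:00:00:01", ROGUE, ROGUE, i, 7)) for i in range(12)]
    + [(2.0, build_frame(FC_DEAUTH, BROADCAST, ROGUE, ROGUE, 20, 3))]
    + [(3.0, build_frame(FC_DISASSOC, "aa:bb:cc:00:00:02", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", 1, 8))]
)

if __name__ == "__main__":
    for finding in detect_floods(SAMPLE_CAPTURE, OUR_BSSIDS):
        print(finding)
```

In a real deployment the frames would come from a monitor-mode interface (radiotap header stripped first) rather than the constructed list. A sudden run of deauth frames whose BSSID is not in your own inventory is exactly the "hotel aiming at separate networks" case; the same run with your BSSID would be a containment action against an AP spoofing your SSID.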


Re: GMail contact - misroute / security issue

2014-09-30 Thread Alexander Harrowell
Related oddness: if you're British and a GMail user, you either got a
gmail.com username before the lawsuit, or you got a googlemail.com
between the lawsuit and the point when Google and the owner of the
gmail trademark settled, or then you got a gmail.com again.

Google chose to alias googlemail.com and gmail.com addresses so as to
minimise the mess, but this doesn't stop people who have
googlemail.com entering gmail.com (or vice versa) when they set up an
account on www.somewebsi.te, because they are conditioned to use
gmail.com/googlemail.com interchangeably, and then being baffled as to
why firstname.lastn...@googlemail.com (or vice versa)/password1234
doesn't work, because googlemail==gmail and anyway my address is
really firstname.lastn...@gmail.com (or googlemail) - look, I get
email on it, it must be the right one :-)



On Tue, Sep 30, 2014 at 12:17 AM, Jeff Woolsey j...@jlw.com wrote:
 On 09/29/14 10:06, Nicolai wrote:

 Most likely reason: gmail is so common that someone mistypes
 johnsm...@example.com as johnsm...@gmail.com, not paying attention to what
 they're doing. It happens.


 More likely, I think, is that newbies think that email addresses already
 exist for everyone on the planet at firstl...@gmail.com, and they just give
 that when asked (maybe they think it's throwaway and never actually expect
 to get any email there).  I'm in the same boat.   It doesn't bother me all
 that much because gmail is not my primary mail service.  I use it to store
 big stuff that's clogging the mail service I do pay for.  In fact, it can be
 entertaining, as I get usernames and passwords for sites that this guy
 signed up for.  He's also a poker player and has recently tried to enroll at
 an art college.  The latter I could reply to and explain that their
 prospective student is an idiot and should not be accepted, but that's what
 will happen anyway if I don't say anything.

 --
 Jeff Woolsey {woolsey,jlw}@{jlw,jxh}.com first.last@{gmail,jlw}.com
 Spum bad keming.
 Nature abhors a straight antenna, a clean lens, and unused storage capacity.
 Delete! Delete! OK! -Dr. Bronner on disk space management
 Card sorting, Joel. -me, re Solitaire



Re: Richard Bennett, NANOG posting, and Integrity

2014-08-05 Thread Alexander Harrowell
On Mon, Jul 28, 2014 at 4:52 AM, Matt Palmer mpal...@hezmatt.org wrote:
 On Mon, Jul 28, 2014 at 08:16:36AM +0530, Suresh Ramasubramanian wrote:
  On 28-Jul-2014 8:06 am, Matt Palmer mpal...@hezmatt.org wrote:
  On Sun, Jul 27, 2014 at 05:28:08PM -0700, Richard Bennett wrote:
   It's more plausible that NAACP and LULAC have correctly deduced that
   net neutrality is a de facto subsidy program that transfers money
   from the pockets of the poor and disadvantaged into the pockets of
   super-heavy Internet users and some of the richest and most
   profitable companies in America, the content resellers, on-line
   retailers, and advertising networks.
 
  I've got to say, this is the first time I've heard Verizon and Comcast
  described as poor and disadvantaged.
 
   Recall what happened to entry-level broadband plans in Chile when
   that nation's net neutrality law was just applied: the ISPs who
   provided free broadband starter plans that allowed access to
   Facebook and Wikipedia were required to charge the poor:
 
  [...]
 
   Internet Freedom? Not so much.
 
  I totally agree.  You can't have Internet Freedom when some of the
  richest and most profitable companies in America, the content resellers,
  on-line retailers, and advertising networks, are paying to have eyeballs
  locked into their services.  Far better that users be given an
  opportunity to browse the Internet free of restriction, by providing
  reasonable cost services through robust and healthy competition.
 
  Or is that perhaps not what you meant?

 I think he meant the actual poor people that broadband subsidies and free
 walled garden internet to access only fb and Wikipedia are supposed to
 benefit, but I could be wrong

 I've got a whopping great big privilege that's possibly obscuring my view,
 but I fail to see how only providing access to Facebook and Wikipedia is (a)
 actual *Internet* access, or (b) actually beneficial, in the long run, to
 anyone other than Facebook and Wikipedia.  I suppose it could benefit the
 (no doubt incumbent) telco which is providing the service, since it makes it
 much more difficult for competition to flourish.  I can't see any lasting
 benefit to the end user (or should I say product?).

FYI it's Bharti-Airtel, not an incumbent, but a multinational GSM operator.


 - Matt



Re: What Net Neutrality should and should not cover

2014-05-05 Thread Alexander Harrowell
On Sun, May 4, 2014 at 8:25 PM, William Herrin b...@herrin.us wrote:
 On Sun, May 4, 2014 at 2:57 PM, Charles N Wyble char...@thefnf.org wrote:
 On 4/27/2014 3:30 PM, John Levine wrote:
 In a non-stupid world, the cable companies would do video on demand
 through some combination of content caches at the head end or, for
 popular stuff, encrypted midnight downloads to your DVR, and the
 cablecos would split the revenue with content backends like Netflix.


 So why hasn't someone like he or cogent done this?

 Because 30 years later the big content owners still hate VCRs.
 Streaming doesn't bother them so much but they avail themselves of
 every opportunity to say no to the end-user recorded content.

 This is hardly a surprise... A century later they still hate the first
 sale doctrine too and avail themselves of every opportunity to
 undermine it.

This UKNOF presentation gives another reason - the distribution of
demand for content is such that content bundling, i.e. pro-active
push of content to users' machines based on predicted demand, doesn't
provide much benefit compared to historical cache, i.e. caching in
the usual sense.

https://indico.uknof.org.uk/materialDisplay.py?contribId=20materialId=slidesconfId=30


 Regards,
 Bill Herrin


 --
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004


Re: How to fix authentication (was LinkedIn)

2012-06-21 Thread Alexander Harrowell
On Thursday 21 Jun 2012 04:16:22 Aaron C. de Bruyn wrote:
 On Wed, Jun 20, 2012 at 4:26 PM, Jay Ashworth j...@baylink.com wrote:
  - Original Message -
  From: Leo Bicknell bickn...@ufp.org
   Yes, but you're securing the account to the *client PC* there, not to
   the human being; making that Portable Enough for people who use and
   borrow multiple machines is nontrivial.
 
 Or a wizard in your browser/OS/whatever could prompt you to put in a
 'special' USB key and write the identity data there, making it
 portable.  Or like my ssh keys, I have one on my home computer, one on
 my work computer, one on my USB drive, etc...  If I lose my USB key, I
 can revoke the SSH key and still have access from my home computer.
 
 And I'm sure someone would come up with the 'solution' where they
 store the keys for you, but only you have the passphrase...ala
 lastpass.
 
 -A


As far as apps go, loads of them use OAuth and have a browser step in 
their setup.


So this adds precisely one step to the smartphone sync/activation 
process - downloading the key pair from your PC (or if you don't have a 
PC, generating one).


that covers vendor A and most vendor G devices. what about the feature 
phones? - not an issue, no apps to speak of, noOp(). what about 
[person we want to be superior to who is always female for some 
reason]? - well, they all seem to have iPhones now, so *somebody's* 
obviously handholding them through the activation procedure.


obviously vendor A would be tempted to sync this to iCloud...but 
anyway, I repeat the call for a W3C password manager API. SSH would be 
better, but a lot of the intents, actions etc are the same.


signature.asc
Description: This is a digitally signed message part.


Re: Dear Linkedin,

2012-06-11 Thread Alexander Harrowell
The Cambridge University Computer Lab has had a crack at this question 
in their Technical Report 817 on Web authentication: 
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html


Their conclusion is to use the Mozilla password manager (or close 
analogue, but they like it because it's open source, free, and 
available). Anyway, it's well worth reading.


A question: password managers are obviously a great idea, and password 
manager + synchronisation takes care of multiple devices. However, if 
the passwords themselves are poor, this doesn't help.


As well as a browser vault, we need a Passwords API to let a Web site 
request the creation of a password. You will need:


a MakePassword() action that creates a random, cryptographically strong 
password for the specified domain and specified username, with the 
specified TTL, and registers it in the vault.


a same-domain constraint


an SSL only constraint


a RequestLogin() action, leading to either automatic login or a user 
dialog as desired


a RevokePassword() action, that flushes the existing password and forces 
the creation of a new one. this can be explicitly invoked, for example 
after a security incident, or else activated when a TTL runs out.


a user interface action that permits the user to invoke Revoke on all or 
a subset of the passwords. 


This addresses: making up passwords, not sharing passwords, remembering 
passwords, revoking compromised passwords. 


No, it won't help if the evil maid sprays liquid nitrogen into your 
laptop in suspend mode to render analysis of RAM easier yadda yadda, but 
nothing will*, and if you face that kind of threat, you're operating in 
a different league and passwords are the least of your worries. Because 
you're not using them...are you? 


Also, if the enemy can defeat SSL they can still phish you, but that's 
going to be a very hard one to eliminate entirely, whatever happens. 
(and how many security incidents are like that compared to ones 
involving password compromises?)


Why didn't W3C do this 10 years ago? Kind of amazing, given how common a 
pattern username/password is, that there is no mention of the word here: 
http://www.w3.org/TR/


*you can of course encrypt the disk that contains the password vault, 
but in general, someone with physical access will win.

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them
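The API sketched above (MakePassword, RequestLogin, RevokePassword, a bulk revoke, plus the same-domain and SSL-only constraints and a TTL) is small enough to write down. Below is an added example, not code from the post or from any browser's vault: the class and method names are this example's own, the 90-day default TTL is an assumption, and the clock is injectable so that expiry can be exercised without waiting.

```python
"""A password vault with the API the post sketches: MakePassword,
RequestLogin, RevokePassword, a bulk revoke, a same-domain constraint, a
TLS-only constraint and a per-credential TTL.

Added example, not code from the post or from any browser; the class and
method names are this example's own, and the 90-day default TTL is an assumption.
"""
import secrets
import string
import time
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + string.punctuation
DEFAULT_TTL = 90 * 86400   # assumption


class ConstraintError(Exception):
    """Raised when a request violates the TLS-only or same-domain constraint."""


class Vault:
    def __init__(self, now=time.time):
        self._now = now                  # injectable clock so TTL expiry can be tested
        self._entries = {}               # (host, username) -> {password, created, ttl}

    @staticmethod
    def _host(page_url: str) -> str:
        """TLS-only constraint: only an https page may create or receive a password."""
        parts = urlsplit(page_url)
        if parts.scheme != "https" or not parts.hostname:
            raise ConstraintError(f"TLS-only constraint: refusing {page_url}")
        return parts.hostname.lower()

    def make_password(self, page_url: str, username: str, ttl_seconds: int = DEFAULT_TTL, length: int = 32) -> str:
        """MakePassword: random, CSPRNG-generated, bound to the requesting host, with a TTL."""
        host = self._host(page_url)
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._entries[(host, username)] = {"password": password, "created": self._now(), "ttl": ttl_seconds}
        return password

    def request_login(self, page_url: str, username: str) -> dict:
        """RequestLogin: same-domain constraint, the secret goes only to the host it was made for.
        An expired password is rotated rather than released."""
        host = self._host(page_url)
        entry = self._entries.get((host, username))
        if entry is None:
            raise ConstraintError(f"same-domain constraint: no credential for {username!r} at {host}")
        if self._now() - entry["created"] > entry["ttl"]:
            return {"status": "expired", "password": self.revoke_password(page_url, username)}
        return {"status": "ok", "password": entry["password"]}

    def revoke_password(self, page_url: str, username: str) -> str:
        """RevokePassword: flush the old secret and register a fresh one with the same TTL."""
        host = self._host(page_url)
        old = self._entries.pop((host, username), None)
        ttl = old["ttl"] if old else DEFAULT_TTL
        return self.make_password(page_url, username, ttl)

    def revoke_all(self, hosts=None) -> dict:
        """User-driven revoke of every stored password, or only those for the given hosts."""
        keys = [k for k in self._entries if hosts is None or k[0] in hosts]
        return {k: self.revoke_password(f"https://{k[0]}/", k[1]) for k in keys}


if __name__ == "__main__":
    v = Vault()
    pw = v.make_password("https://example.com/signup", "alice", ttl_seconds=3600)
    print(v.request_login("https://example.com/login", "alice")["status"])
    try:
        v.request_login("http://example.com/login", "alice")
    except ConstraintError as e:
        print(e)
```

Two points the toy makes concrete: a rotated password is only useful if the site is told about it, so in practice RevokePassword has to drive a change-password flow rather than just overwrite the local copy; and binding the secret to the hostname at creation time is what removes the phishing case where the user is asked to type it into a look-alike domain.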




Re: Muni Fiber (was: Re: last mile, regulatory incentives, etc)

2012-03-27 Thread Alexander Harrowell
On Tue, Mar 27, 2012 at 1:45 AM, William Herrin b...@herrin.us wrote:

 On Mon, Mar 26, 2012 at 8:04 PM, Jacob Broussard
 shadowedstrangerli...@gmail.com wrote:
  Who knows what technology will be like in 5-10 years?  That's the whole
  point of what he was trying to say.  Maybe wireless carriers will use
  visible wavelength lasers to receivers on top of customers' houses for all
  we know.  10 years is a LONG time for tech, and anything can happen.


Regarding lasers. I agree that modulating a laser beam to carry information
is a great idea. Perhaps, though, we could direct the beam down some sort
of optical pipe or waveguide to spare ourselves the refractive losses and
keep the pigeons and rain and whatnot out of the Fresnel zone. We might
call it an optical wire or optical fibre or something. no, it'll never
catch on...

Hi Jacob,

 The scientists doing the basic research now know. It's referred to as
 the technology pipeline. When someone says, that's in the pipeline
 they mean that the basic science has been discovered to make something
 possible and now engineers are in the process of figuring out how to
 make it _viable_. The pipeline tends to be 5 to 10 years long, so
 basic science researchers are making the discoveries *now* which will
 be reflected in deployed technologies 10 years from now.



I recall an Agilent Technologies presentation from a couple of years back
that demonstrated that historically, the great majority of incremental
capacity on cellular networks was accounted for by cell subdivision. Better
air interfaces help, more spectrum helps, but as the maximum system
throughput is roughly defined by (spectral efficiency * spectrum)* number
of cells (assuming an even traffic distribution and no intercell
interference or re-use overhead, for the sake of a finger exercise),
nothing beats more cells.


As a result, the Wireless Pony will only save you if you can find a 10GigE
Backhaul Pony to service the extra cells. After a certain degree of
density, you'd need almost as much fibre (and more to the point, trench
mileage) to service a couple of small cells per street as you would to
*pass the houses in the street with fibre*.


One of the great things FTTH gets you is a really awesome backhaul network
for us cell heads. One of the reasons we were able to roll out 3G in the
first place was that DSL got deployed and you could provision on two or a
dozen DSL lines for a cell site.


You can't have wireless without backhaul (barring implausible discoveries
in fundamental mesh network theory). Most wireless capacity comes from cell
subdivision. Subdivision demands more backhaul.


 There is *nothing* promising in the pipeline for wireless tech that
 has any real chance of leading to a wide scale replacement for fiber
 optic cable. *Nothing.* Which means that in 10 years, wireless will be
 better, faster and cheaper but it won't have made significant inroads
 replacing fiber to the home and business.

 20 years is a long time. 10 years, not so much. Even for the long
 times, we can find the future by examining the past. The duration of
 use of the predecessor technology (twisted pair) was about 50 years
 ubiquitously deployed to homes. From that we can make an educated
 guess about the current one (fiber). Fiber to the home started about
 10 years ago leaving about 40 more before something better might
 replace it.

 Regards,
 Bill Herrin



 --
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004




L3 consequences of WLAN offload in cellular networks (was - endless DHCPv6 thread)

2011-12-30 Thread Alexander Harrowell
In the DHCP v6 thread, there was some discussion of 
mobility and its IP layer consequences. As various people 
pointed out, cellular networks basically handle this in the 
RAN (Radio Access Network) and therefore at layer 2, 
transparently (well, as much as things ever are) for IP 
purposes. It therefore shouldn't be a problem. 

However, as one contributor pointed out, more and more 
cellular operators are migrating traffic onto WLAN for 
various reasons, notably:

1) Spectrum - it's unlicensed, i.e. free
2) Capex - the equipment is cheaper
3) Capacity - it's a cheap way of providing high speed
4) Signalling load - it gets rid of the signalling traffic 
associated with detaching and attaching devices from the 
core network. This is especially important in view of some 
smartphones' behaviour.

Of course much of the signalling is associated with the 
Mobility Management features, and getting rid of it by 
punting everything to WLAN implies that you lose the 
benefits of this.

That suggests that if you're going to do this on a big 
scale you need to implement Mobile IP or else keep 
backhauling traffic from the WLAN access points to the 
cellular core network (GAN/Iu interface), which has obvious 
effects on the economics of the whole idea.

Alternatively, you can work on the assumption that the WLAN 
is solely for nomadic use rather than true mobility, but a 
lot of devices will prefer the WLAN whenever possible.

Thoughts/experiences?



-- 
The only thing worse than e-mail disclaimers...is people 
who send e-mail to lists complaining about them




Re: Dynamic (changing) IPv6 prefix delegation

2011-11-22 Thread Alexander Harrowell
On Monday 21 Nov 2011 20:27:55 Owen DeLong wrote:
 I suspect that mDNS/Rendezvous will become much more widespread in
 the IPv6 household and will become the primary service discovery
 mechanism. It actually works quite well and is relatively resilient to 
 either frequent renumbering or the ill-advised use of ULA.

A while ago there was some discussion of wouldn't 
mDNS/Rendezvous/Bonjour that doesn't suck be nice? on the list. I for 
one agree with Owen that it's important for a whole lot of things and 
will get more so in trying to deliver the promises of IPv6. (If you want 
network everywhere you probably need zero-configuration everywhere, 
and the network that's everywhere is IP.)

I also think it's an underestimated contribution to the success of Apple 
in the iDevice era, much as network people tend to hate it.

So perhaps we could identify what it is about mDNS service discovery 
that we hate and what could be improved.

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them




Re: Nxdomain redirect revenue

2011-09-26 Thread Alexander Harrowell
On Sunday 25 Sep 2011 23:37:20 Nick Hilliard wrote:
 On 25/09/2011 12:39, Alexander Harrowell wrote:
  I think a special mention should go to hardware vendors who adopt this 
  dreadful practice in network equipment. I recently encountered an 
  enterprise-grade WLAN router from vendor D that has the horrible habit 
 
 It is not libellous to associate a vendor's real name with calmly stated
 matters of objective fact concerning their products.
 
 I'd be interested to know the particular model that you're referring to
 here - like you, to put it on a list of kit that I will never buy.
 
 Re: enterprise-grade - did you mean this as a compliment or an insult?
 
 Nick
 

It's D-Link, if you hadn't guessed, and it's the DIR series.

Regarding enterprise, these devices are not service provider kit but 
they're not under-the-TV-set either, and our use-case is basically 
typical of a branch-office set up. In which the DIR works really well, 
if it didn't do demented things with DNS.

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them




Re: Nxdomain redirect revenue

2011-09-25 Thread Alexander Harrowell
On Sunday 25 Sep 2011 04:09:22 Jimmy Hess wrote:
 On Sat, Sep 24, 2011 at 8:33 PM, Cameron Byrne cb.li...@gmail.com wrote:
  Just an fyi for anyone who has a marketing person dreaming up a big nxdomain
  redirect business cases, the stats are actually very very poor... it does
  not make much money at all.
  It is very important to ask the redirect partners about yields... meaning,
  you may find that less than 5% of nxdomain redirects can be actually served
 
 Not to take any position on there being a business case  for
 NXDOMAIN redirect,
 or not butthe percentage of NXdomain redirects that actually
 serve ads  isn't too important.
 It's absolute numbers that matter,  even if it's  just 1% of
 NXDOMAINS by percent.
 
 The rest of the 99% are referred to as noise  and aren't relevant
 for justifying or failing
 to justify.
 
 The important number is   at what frequency the _average_  user will
 encounter the redirect
 while they are surfing.If a sufficient proportion of their users
 see the ads at a sufficient rate,
 then they will probably justify whatever cost they have for the ad serving.
 
 When they are doing this crappy stuff like  redirecting google.com DNS
  to intercept
 search requests;  I have little doubt that they are able to inject
 sufficient volume of ads to
 make some sort of  business case  behind thehijacking evilness.
 
 
 Regards,
 
 --
 -JH

I think a special mention should go to hardware vendors who adopt this 
dreadful practice in network equipment. I recently encountered an 
enterprise-grade WLAN router from vendor D that has the horrible habit 
of intercepting some % of queries to its local DNS cache resolver and 
forwarding to an affiliate Yahoo! search page, lousy with ads, under 
vendor D's control.


This includes things like www.google.co.uk. I don't manage this device 
and therefore have opened a ticket with those who do to get them to turn 
the damn thing off, while in the meantime adding *.[vendor D]search.com 
127.0.0.1 to my /etc/hosts.


I must admit to being tempted to fault it with something heavy in 
order to force its replacement:-)


But if anyone from vendor-D is on the list: congratulations, you've 
managed to invent a network device that is by definition untrustworthy, 
and I will never buy anything from your company.



-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them
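The behaviour described above (a resolver on the path answering for names that do not exist, or for names it has no business answering for, with an ad page's address) is easy to test for from the client side: ask for a label nobody could have registered and see whether you get NXDOMAIN or an A record. Below is an added example, not code from the thread or from any vendor's firmware. It builds the query and parses the answer in raw wire format so it can be pointed at any resolver; the two responses it checks against are constructed by hand, and the `probe()` function that actually talks to a resolver is not exercised offline.

```python
"""Detect a resolver that rewrites NXDOMAIN by asking it for a random,
certainly nonexistent label and inspecting the raw DNS answer.

Added example, not code from the thread; the response bytes are
constructed by hand and the resolver address passed to probe() is an assumption.
"""
import secrets
import socket
import struct


def build_query(name: str, qid: int = 0x1234) -> bytes:
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)           # QTYPE A, QCLASS IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_response(msg: bytes) -> dict:
    """Pull RCODE and any A records out of a DNS response."""
    qid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE/QCLASS
    a_records = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x0F, "answers": a_records}


def classify(resp: dict) -> str:
    """For a query that cannot legitimately resolve: NXDOMAIN is honest, an A record is a rewrite."""
    if resp["rcode"] == 3:
        return "honest_nxdomain"
    if resp["rcode"] == 0 and resp["answers"]:
        return "nxdomain_rewritten"
    return "inconclusive"


def random_probe_name(zone: str = "example.com") -> str:
    return f"{secrets.token_hex(8)}.{zone}"     # a label nobody has registered


def build_response(query: bytes, rcode: int, addrs=()) -> bytes:
    """Construct a response to `query` for offline tests: echo the question, optionally attach A records."""
    qid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)   # QR, RD, RA
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 30, 4) + socket.inet_aton(a) for a in addrs)
    return header + question + rrs


def probe(resolver: str, zone: str = "example.com", timeout: float = 2.0) -> str:
    """Live check against one resolver over UDP/53 (not run offline)."""
    q = build_query(random_probe_name(zone))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(512)
    return classify(parse_response(data))


if __name__ == "__main__":
    q = build_query(random_probe_name())
    print(classify(parse_response(build_response(q, 3))))
    print(classify(parse_response(build_response(q, 0, ["203.0.113.7"]))))
```

Run `probe("192.0.2.1")` (address is a placeholder) against the router's own resolver and against a resolver you trust; if only the first returns `nxdomain_rewritten`, the rewriting is being done on the box. Note that this probe only catches NXDOMAIN substitution; the google.co.uk case described above, where an existing name is answered with the wrong address, needs the answer compared against one obtained over a path you trust.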




Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-18 Thread Alexander Harrowell
On Saturday 17 Sep 2011 22:37:46 Randy Bush wrote:
 one to post overly aggressive defensive messages on nanog

I am not convinced that Mr. Bush is best placed to comment on this 
particular issue.

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them




Re: CGN and CDN (was Re: what about the users re: NAT444 or ?)

2011-09-09 Thread Alexander Harrowell
On Friday 09 Sep 2011 16:25:35 valdis.kletni...@vt.edu wrote:
 On Fri, 09 Sep 2011 11:09:38 EDT, Jean-francois.tremblay...@videotron.com said:
 
  A very interesting point. In order to save precious CGN resources, 
  it would not be surprising to see some ISPs asking CDNs to provide 
  a private/non-routed behind-CGN leg for local CDN nodes. 
  

The actual problem here is that everyone assumes it'll be donkey's years 
before every last web server in the world is on IPv6.

If you're a CDN, though, you can solve this problem for your own network 
right now by deploying IPv6! Akamai says that you need 650 AS to cover 
90% of Internet traffic. I propose that effort getting content networks 
to go dual stack is better used than effort used to work around NAT444.

Further, if making your hosting network IPv6 is hard, the answer is 
surely to give the job to a CDN operator with v6 clue. I actually rather 
think CDNs are an important way of getting content onto the IPv6 
Internet.

In my view CDNing (and its sister, application acceleration) is so 
important to delivering the heavy video and complex web apps that 
dominate the modern Internet that this should be a killer. 

Still, breaking the BBC, Hulu, Level(3), Akamai, Limelight, and Google's 
video services will probably reduce your transit and backhaul bills 
significantly. Can't say it'll help with customer retention.


  For this to work, the CGN users would probably have a different 
  set of DNS servers (arguably also with a private/non-routed
  leg) or some other way to differentiate these CGN clients. Lots 
  of fun in the future debugging that.
 
 Especially once you have 10 or 15 CDNs doing this, all of which have different
 rules of engagement. Akamai requires us to do X, Hulu wants Y, Foobar wants Y
 and specifically NOT-X... ;)
 
 And then Cogent will get into another peering spat and :)
 
 
 

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them


signature.asc
Description: This is a digitally signed message part.


Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-07 Thread Alexander Harrowell
On Wednesday 07 Sep 2011 17:17:10 Network IP Dog wrote:
> FYI!!!
>
> http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html
>
> Google and Mozilla have also updated their browsers to block all DigiNotar
> certificates, while Apple has been silent on the issue, an emblematic zombie
> response!
>
> Cheers.


It would be really nice if the folk at Twitter would fix their image 
servers (i.e. si*.twimg.com) to use a non-evil CA (i.e. not Comodo or 
DigiNotar or Bubba Gump's Bait, Firearms & Crypto Verification). Not 
that user pics are a great loss, but if you use 
Tweetdeck/Seesmic/whatever, the constant SSL cert warnings from dozens-
to-hundreds of user pics are noisy.


This is trivial whining on my part but it is operational.

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them




Re: Do Not Complicate Routing Security with Voodoo Economics

2011-09-06 Thread Alexander Harrowell
On Monday 05 Sep 2011 15:53:38 Owen DeLong wrote:
> This is true in terms of whether you care or not, but, if one just
> looks at whether it changes the content of the FIB or not, changing
> which arbitrary tie breaker you use likely changes the contents of the
> FIB in at least some cases.
>
> The key point is that if you are to secure a previously unsecured
> database such as the routing table, you will inherently be changing the
> contents of said database, or, your security isn't actually
> accomplishing anything.

This is true and should probably be considered a universal law. If the 
introduction of security precautions to a system does not change the 
system, the security precautions are ineffective. 

This is based on the principle that people and systems are imperfect, so 
it is extremely unlikely that there are no bad actors or wildlife in the 
pre-security state, and further that false-positive results are 
inevitable. It has the corollary that introducing security precautions 
is invariably costly, and therefore that you must consider the security 
gain relative to the inevitable costs before deciding to do so.

This is of course an intellectually difficult problem. With regard to 
BGP, the security gain is not so much determined by how bad the problem 
is now, as by how bad it could potentially be if someone took it into 
their heads to tear up the rules and declare war. The answer is very, 
very bad indeed which is why we're having this discussion.

It also reminds me of J.K. Galbraith's notion of the bezzle - at any 
time, there is an inventory of undiscovered embezzlement in the economy. 
Before it is discovered, both the fraudster and his or her victim 
believe themselves to possess the money that has been stolen - there is 
a net increase in psychic wealth, in JKG's words. In times of 
prosperity, the bezzle grows, and in times of recession, it shrinks.

There is a bezzle of indeterminate size in the routing table, but we 
won't find out how big it is until we audit it (i.e. deploy SBGP). Some 
of it will just be randomness - misconfigurations and errors - but some 
of it will be enemy action.


-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them


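One way to make the "audit" in the last paragraph concrete, as an added example rather than anything from the thread or its participants: the check below classifies announced (prefix, origin AS) pairs against a list of authorisations in the style of RPKI route-origin validation (RFC 6811), which is a different mechanism from the S-BGP the post names but surfaces the same thing, namely the routes nobody can vouch for. The ROAs, prefixes and AS numbers are constructed sample data from the documentation ranges, not real routing-table entries.

```python
import ipaddress
from collections import Counter

# Constructed sample ROAs: (prefix, max_length, authorised origin AS).
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 26, 64497),
    ("2001:db8::/32", 48, 64496),
]

# Constructed sample announcements: (prefix, origin AS).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),       # valid: exact match on prefix and origin
    ("198.51.100.0/25", 64497),    # valid: more specific, but within maxlen
    ("198.51.100.0/27", 64497),    # invalid: longer than the ROA's maxlen
    ("192.0.2.0/24", 64511),       # invalid: covered prefix, wrong origin
    ("2001:db8:1::/48", 64496),    # valid: inside the IPv6 ROA
    ("203.0.113.0/24", 64498),     # not found: nothing vouches for it either way
]


def covering_roas(prefix, roas):
    """ROAs whose prefix covers the announced prefix (the RFC 6811 'covering' set)."""
    net = ipaddress.ip_network(prefix, strict=False)
    out = []
    for roa_prefix, maxlen, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        # subnet_of() only compares networks of the same address family.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append((roa_net, maxlen, asn))
    return out


def validate_route(prefix, origin_as, roas):
    """Return 'valid', 'invalid' or 'not_found' for one (prefix, origin AS) pair."""
    net = ipaddress.ip_network(prefix, strict=False)
    covers = covering_roas(prefix, roas)
    if not covers:
        return "not_found"
    # One matching ROA (right origin, prefix no longer than maxlen) is enough.
    for _roa_net, maxlen, asn in covers:
        if asn == origin_as and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def audit(routes, roas):
    """Classify every announcement; the 'invalid' and 'not_found' buckets are the bezzle."""
    return {(p, a): validate_route(p, a, roas) for p, a in routes}


def summarise(routes, roas):
    """Counts per validation state, e.g. Counter({'valid': 3, 'invalid': 2, 'not_found': 1})."""
    return Counter(audit(routes, roas).values())


if __name__ == "__main__":
    for (p, a), state in audit(SAMPLE_ROUTES, SAMPLE_ROAS).items():
        print(f"{p:<22} AS{a:<6} {state}")
    print(summarise(SAMPLE_ROUTES, SAMPLE_ROAS))
```

Running it against a real table means feeding `audit()` the (prefix, origin) pairs from a RIB dump and the ROAs from a validator cache; the "not_found" bucket is usually far larger than the "invalid" one, which is exactly the point about not knowing the size of the bezzle until you look.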


Re: DDoS - CoD?

2011-09-06 Thread Alexander Harrowell
On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:
> Could be legitimate CoD servers responding to a spoofed query?

My first thought looking at the packet dump. Interesting that some poor 
sap's hotmail address is embedded in it.

> How much
> traffic are you talking about out of curiosity?
>
> Regards
> Greg
>
>
> On Tue, Sep 6, 2011 at 6:03 PM, BH li...@blackhat.bz wrote:
>
>> On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
>>> I've seen DDoS traffic on UDP/80 as far back as 2002
>> Hi Roland,
>>
>> I should be a bit more clear sorry, I too have frequently seen attacks
>> on 80/udp but mainly as a source (eg. compromised hosting accounts)
>> rather than the destination. I didn't in the past do a packet capture,
>> but I looked at a couple of scripts and the data was usually random or
>> just AA etc. The thing that perplexed me is why it appears to be
>> Call of Duty data more than anything...
>>
>> Thanks

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them


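An added defender-side example for the "legitimate servers answering a spoofed query" hypothesis above, not code from the thread or its participants: over a handful of constructed flow records, the function flags destinations that receive UDP from many distinct hosts on a known service port without ever having sent those hosts a request, which is the shape reflected traffic has whatever game or service sits behind it. The service port 28960 is an assumption standing in for whichever port the packet dumps in the thread showed; the addresses are from the documentation ranges.

```python
from collections import defaultdict

# Constructed sample flow records:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    # Five unrelated hosts, all answering from the same service port, all
    # aimed at one destination on UDP/80 that never asked them anything.
    ("203.0.113.10", 28960, "198.51.100.7", 80, "udp", 400, 240000),
    ("203.0.113.11", 28960, "198.51.100.7", 80, "udp", 380, 228000),
    ("203.0.113.12", 28960, "198.51.100.7", 80, "udp", 410, 246000),
    ("203.0.113.13", 28960, "198.51.100.7", 80, "udp", 395, 237000),
    ("203.0.113.14", 28960, "198.51.100.7", 80, "udp", 402, 241200),
    # A genuine client: this host sent a query first, so the reply is solicited.
    ("198.51.100.9", 51000, "203.0.113.10", 28960, "udp", 1, 60),
    ("203.0.113.10", 28960, "198.51.100.9", 51000, "udp", 1, 600),
    # Ordinary TCP web traffic to port 80 is not a reflection signal.
    ("192.0.2.50", 44321, "198.51.100.7", 80, "tcp", 20, 12000),
]

# Assumed game-server query port; adjust to whatever the captures actually show.
SERVICE_PORTS = {28960}


def detect_reflection(flows, service_ports, min_sources=3):
    """
    Flag (dst_ip, dst_port) pairs that receive UDP from at least `min_sources`
    distinct hosts replying from a known service port, where the destination
    never sent those hosts a request. Returns
    {(dst_ip, dst_port): {"sources": <distinct senders>, "bytes": <total>}}.
    """
    # Record every (sender, receiver, receiver_port) seen; a real query to a
    # game server leaves a trace here before the reply shows up.
    sent = set()
    for src, _sport, dst, dport, _proto, _pkts, _nbytes in flows:
        sent.add((src, dst, dport))

    suspects = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "udp" or sport not in service_ports:
            continue
        # Solicited if the destination ever talked to this sender on its service port.
        if (dst, src, sport) in sent:
            continue
        entry = suspects[(dst, dport)]
        entry["sources"].add(src)
        entry["bytes"] += nbytes

    return {
        key: {"sources": len(v["sources"]), "bytes": v["bytes"]}
        for key, v in suspects.items()
        if len(v["sources"]) >= min_sources
    }


if __name__ == "__main__":
    for (ip, port), info in detect_reflection(SAMPLE_FLOWS, SERVICE_PORTS).items():
        print(f"{ip}:{port} unsolicited replies from {info['sources']} hosts, "
              f"{info['bytes']} bytes")
```

The "did the destination ever send to this source" test is what separates a reflection victim from a busy game client; with real flow data the `sent` set should be built from a window that starts before the inbound burst, otherwise every reply looks unsolicited.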


RE: NANOGers home data centers - What's in your closet?

2011-08-13 Thread Alexander Harrowell
Eric Krichbaum e...@telic.us wrote:

> I have a 12 pack of single mode run between wiring closets upstairs and
> downstairs.  Only one server running feeding media to my xbmc's everywhere
> but quite a bit on gig.  Nothing overly noisy unless you have your head in
> the closets.
>
> Eric


Anyone got experience with XBMC and similar linux media centre tools running on 
tablet or netbook class hardware? I like the idea of using a couple of el 
cheapo Android tablets with decent external speakers as music/video/TV/phone 
terminals, getting content from a NAS box and perhaps phone from a * server.

Roku etc. are far, far too expensive for what they do.

Alternatively, Eric, what are your XBMCs running on? 

> -Original Message-
> From: Steven Bellovin [mailto:s...@cs.columbia.edu]
> Sent: Friday, August 12, 2011 9:59 PM
> To: Joe Greco
> Cc: nanog@nanog.org; Jeff Johnstone
> Subject: Re: NANOGers home data centers - What's in your closet?
>
>
> On Aug 12, 2011, at 10:17 39PM, Joe Greco wrote:
>
>> What nobody wired their abode with fiber ?
>>
>> Am i the only one here
>>
>> I ran a bunch of fiber from the telco rack to the server rack to
>> reduce the risk of damage to expensive servers ...  it's likely to be
>> meaningless but it is just a little extra precaution.  The server rack
>> is at least a little bit isolated from everything else.
>>
> That's overkill.  I have very little in the house except what's needed to
> support ordinary client machines for everyone in the house.  That means GigE
> to several locations, some of which have small GigE switches of their own.
> For example, my wife's computer is colocated with a network-connected color
> printer/scanner/fax.  The basement location has a WiFi access point, the
> home backup server (though lately, I've started using a colo machine for
> that), etc.  For me -- two generations of laptops (one as backup for the
> other), and a Mac Mini as backup desktop.  Then there's another access
> point, a BW laser printer, etc.  But anything noisy?  Nope.
>
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb


-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.



Communications networks will be closed down

2011-08-11 Thread Alexander Harrowell
http://blogs.ft.com/westminster/2011/08/uk-riots-david-cameron-
announces-his-prescription/

I feel this is operational or at least potentially so.

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them




Re: IPv6 end user addressing

2011-08-10 Thread Alexander Harrowell
On Monday 08 Aug 2011 22:00:52 Owen DeLong wrote:
>
> On Aug 8, 2011, at 7:12 AM, Mohacsi Janos wrote:
>
>> On Mon, 8 Aug 2011, valdis.kletni...@vt.edu wrote:
>>
>>> On Mon, 08 Aug 2011 10:15:17 +0200, Mohacsi Janos said:
>>>
>>>> - Home users - they usually don't know what a subnet is. Setting up
>>>> different subnets in their SOHO router can be difficult. Usually the
>>>> simple 1 subnet for every device is enough for them. Separating some
>>>> devices into a separate subnet is usually enough for the most
>>>> sophisticated home users. If not then he can opt for business service
>>>
>>> You don't want to make the assumption that just because Joe Sixpack doesn't
>>> know what a subnet is, that Joe Sixpack's CPE doesn't know either.
>>>
>>> And remember that if it's 3 hops from one end of Joe Sixpack's internal net to
>>> the other, you're gonna burn a few bits to support hierarchical routing so you
>>> don't need a routing protocol. So if Joe's exterior-facing CPU gets handed a
>>> /56 by the provider, and it hands each device it sees a /60 in case it's a
>>> device that routes too, it can only support 14 devices.  And if one of the
>>
>> more exactly 16 routing devices. You don't have to count the all 0
>> and all 1 as reserved; maybe each device can see /57 or /58 or
>> /59 depending on the capabilities of your devices
>>
>> I think daisy chaining of CPE routers is a bad idea - as probably done
>> in several IPv4 home networks. Why would you build several hierarchies
>> into your network if it is unnecessary?
>>
>
> I can see things like wanting to have an entertainment systems network that is fronted
> by a router with additional networks for each entertainment system fronted by their
> own router, segmentation of various appliance networks with possibly an appliance
> front-end router, etc.
>
> There are lots of possibilities we haven't thought of here yet. Limiting end-users
> to /56 or worse will only stifle the innovation that will help us identify the possibilities.
> For this, if no other reason, (and I cite the limitations under which we have begun
> to frame our assumptions about how the internet works as a result of NAT as an
> example), I think we should avoid preserving this cultural conditioning in IPv6.
>
>
> Owen


Thinking about the CPE thread, isn't this a case for bridging as a 
feature in end-user devices? If Joe's media-centre box etc would bridge 
its downstream ports to the upstream port, the devices on them could 
just get an address, whether by DHCPv6 from the CPE router's delegation 
or by SLAAC, and then register in local DNS or more likely do multicast-
DNS so they could find each other. 


And then it really doesn't matter; everything gets its address, nothing 
is NATted, every address is mapped to a meaningful hostname.


Perhaps you'd need more aggregation and routing in the glorious one-IP-
per-nanite-and-Facebook-fridges future, but that's for another day once 
we've got fusion and a rational system of government out of the way:-) 
Joe's network as described isn't big enough or clever enough to need 
multiple routers. It's just a small LAN and it's only Joe's weirdness in 
using a $500 Roku as a $5 hank of cat5e and a $20 4-port switch that 
prevents it from being so.


Not all problems should be solved by routing - but a list full of 
router people is inherently likely to try to solve all its problems 
with more routers and routing.
-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them


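As an added illustration of the bit-budget argument quoted in the message above (Valdis's point that every hop of hierarchical delegation burns bits, and Mohacsi's correction that a /56 split into /60s gives sixteen sub-delegations when all-zeros and all-ones are not reserved), and not code from the thread: the helpers below enumerate the sub-delegations inside a prefix, compute the fan-out per hop and the number of /64 LANs left at the leaf, and refuse a chain that runs past /64. The prefix 2001:db8:0:100::/56 is a constructed sample delegation from the documentation range.

```python
import ipaddress


def sub_delegations(prefix, sub_len):
    """All prefixes of length sub_len inside prefix, e.g. the sixteen /60s in a /56."""
    net = ipaddress.ip_network(prefix)
    if sub_len <= net.prefixlen or sub_len > 64:
        raise ValueError("sub-delegation must be longer than the parent and no longer than /64")
    return list(net.subnets(new_prefix=sub_len))


def fanout(parent_len, child_len):
    """How many child_len prefixes fit in one parent_len prefix: 2**(child_len - parent_len)."""
    return 2 ** (child_len - parent_len)


def hierarchy_budget(delegated_len, bits_per_hop, hops):
    """
    Fan-out per level and /64 LANs per leaf when each of `hops` routers down a
    chain hands every downstream device a prefix `bits_per_hop` bits longer than
    its own. Raises ValueError when the leaf prefix would be longer than /64,
    which is where SLAAC stops working.
    """
    leaf_len = delegated_len + bits_per_hop * hops
    if leaf_len > 64:
        raise ValueError(
            f"{hops} hops of {bits_per_hop} bits run past /64 (leaf would be /{leaf_len})"
        )
    return 2 ** bits_per_hop, 2 ** (64 - leaf_len)


def example_split():
    """Split the constructed /56 the way the quoted CPE would: /60 per device, /64 per LAN."""
    cpe = "2001:db8:0:100::/56"              # constructed sample ISP delegation
    per_device = sub_delegations(cpe, 60)     # 16 x /60, one per downstream box
    first_device_lans = sub_delegations(str(per_device[0]), 64)  # 16 x /64 inside it
    return len(per_device), len(first_device_lans), str(per_device[1])


if __name__ == "__main__":
    devices, lans, second = example_split()
    print(f"/56 -> {devices} x /60 (second one is {second}), each -> {lans} x /64")
    for hops in (1, 2, 3):
        try:
            fan, leaf_lans = hierarchy_budget(56, 4, hops)
            print(f"/56, 4 bits/hop, {hops} hop(s): fan-out {fan}, {leaf_lans} LAN(s) per leaf")
        except ValueError as err:
            print(f"/56, 4 bits/hop, {hops} hop(s): {err}")
    print("/48 with 3 hops of 4 bits:", hierarchy_budget(48, 4, 3))
```

The output makes the trade-off visible: from a /56 a second hop of 4-bit delegation already leaves a single /64 at the leaf, and a third hop is impossible, whereas a /48 absorbs three hops and still leaves sixteen LANs at the bottom.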


Re: IPv6 end user addressing

2011-08-10 Thread Alexander Harrowell
On Wednesday 10 Aug 2011 14:57:54 Jeroen Massar wrote:
> PS: the more power to your kids if they can sniff the network for your
> 'adult content', decode it, and then actually watch it

Indeed; I'd be more interested in making sure that, say, you can 
efficiently multicast the live footy to two different screens in the 
house, and things work automatically so they get used. 

I think we're operating on radically different Bayesian priors here and 
I wonder if a European/American issue is involved.

(PS, can you buy a switch that will do production grade IPv6, i.e. with 
things like RA guard, and not do IGMP-snooping?)


-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them




Re: Ready For A Good Laugh

2011-06-10 Thread Alexander Harrowell
On Friday 10 Jun 2011 05:31:44 Michael Painter wrote:
> Jimi Thompson wrote:
>> Now I'm going to go off on you people - What kind of crack are you people
>> smoking?
>
> The same stuff they're smoking over at PayPal.
> Some genius decided to send out E-mails which said:
> "Hello name removed,
>
> It looks like you may be using an outdated browser with known security
> issues.
>
> Help keep your computer and your PayPal account protected by updating your
> browser today."
>
> and included a link (different from what was represented).
> Even managed to fool the folks at sp...@paypal.com
> 11 pages of "wtf?" at:
> https://www.paypal-community.com/t5/Fraud-phishing-and-spoof/New-scam/td-p/273626


PayPal has been doing this for as long as I've been a member. They are terrible 
ones for sending out e-mails to teach you to type passwords into the spam.
-- 
The only thing worse than e-mail disclaimers...is people who send e-mail to 
lists complaining about them




Re: IPv6 SEO implications?

2011-03-30 Thread Alexander Harrowell
On Tuesday 29 Mar 2011 17:54:27 Wil Schultz wrote:
> On Mar 29, 2011, at 3:51 AM, Franck Martin wrote:
>
>
> And here's a breakdown of which user agents are seen on which ip, as you can
> see the user-agent doesn't exactly match IP range.
>
> Googlebot-Image/1.0
>
> Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html);
>
> DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)
>
> SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)

Interesting that there are Googlebot mobile devices! Perhaps user-experience 
testing of some kind? Googlers? Or IPv6 testing of the devices themselves? 
Although those user strings are indicative of not very recent, non-Android 
phones.

Would be interesting to see the percentages of traffic by each user agent.
-- 
The only thing worse than e-mail disclaimers...is people who send e-mail to 
lists complaining about them




Re: DWDM Metro Access Design

2011-03-22 Thread Alexander Harrowell
What's the constraint that rules out using SONET or something similar, which is 
designed to give you a robust ring topology? I think it's probably quite 
important to know whether that's really, absolutely out of the question, or 
whether it's a possibility to relax that in favour of a less painful higher 
layer solution.

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail to 
lists complaining about them




Re: IPv6? Why, you are the first one to ask for it!

2011-03-02 Thread Alexander Harrowell
On Wednesday 02 March 2011 03:03:22 JC Dill wrote:
>
> I *love* using Bozo filters.  Anytime you can trick companies into
> revealing their true colors, you are a step ahead in the game.
>
> jc

AKA the Brown MM gambit.

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail to 
lists complaining about them




Re: Leasing of space via non-connectivity providers

2011-02-11 Thread Alexander Harrowell
There are major GSM-land wireless operators who provide service to devices like 
Novatel's line of pocket-size WLAN hotspots. 

You can just buy one and stick a SIM in it, but some of the ops offer them as 
part of a business user package. I hope that means they get a proper IP or more 
handed out from the SGSN, as otherwise this would be a true orgy of NAT.

(Top posting on mobile)

Jack Bates jba...@brightok.net wrote:

> On 2/10/2011 9:11 PM, Jared Mauch wrote:
>> I was explaining to my wife today how it felt like the nanog list
>> went to 3x the typical mail volume recently with all the IPv6 stuff
>> this month.  Why the pro-IPv6 crowd was happy, the anti-IPv6 crowd is
>> groaning (including those that truly despise the whole thing, etc..)
>
> I was having fun discussing with my wife how ARIN stuff ended up on
> NANOG, NANOG stuff ended up on PPML, and I've been listening and
> participating in debates concerning IPv6 and CGN (apparently BEHAVE WG
> adopted CGN over LSN) on 4 different mailing lists.
>
> To be honest, though. I'm pro-IPv6, but I'm not happy. Anyone who is
> happy doesn't care about those innocent people who are ignorant of what
> is going on and why.
>
>> I honestly think that the LSN situations won't be as bad as some of
>> us think.  The big carriers have already been doing some flavor of this
>> with their cellular/data networks.  Doing this on some of the consumer
>> networks will likely not be that much pain.  Obviously the pain will
>> vary per subscriber/home.
>
> <snip lots of good stuff I agree with>
>> IPv4 is dead in my opinion.  Not dead as in useless, but to the
>> point where I don't think there is value in spending a lot of time
>> worrying about the v4 side of the world when so much needs to be fixed
>> in IPv6 land.
> Service requirements in cellular networks are considerably different
> than wireline. Apparently, most cell customers don't hook a CPE router
> into their cell network and play their game consoles over it, along with
> many other situations. This actually means that most often, they are
> running a single stage NAT44 LSN (which still breaks stuff, but most of
> the things it would break aren't normally transiting the cellular
> networks).
>
> <snip more good stuff I agree with>
>
> I agree. However, because the largest networks and corporations decided
> (and some still do) to wait until the last moment to deal with IPv6, we
> will have to deal with IPv4 in much worse conditions. I know that there
> are large cellular networks which use DoD bogons behind huge LSN
> implementations. I know that some networks apparently aren't happy with
> using DoD bogons and would like to waste even more space. The best
> solution for such a case (and to solve all arguments on the matter) is
> to secure assurances on the bogons so that they can be safely used.
>
>
> Jack

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.



Re: IPv6 mistakes, was: Re: Looking for an IPv6 naysayer...

2011-02-11 Thread Alexander Harrowell
On Friday 11 February 2011 15:00:57 Scott Helms wrote:
> While Facebook working over IPv6 will be a big deal you won't get all of
> their traffic since a significant fraction of that traffic is from
> mobile devices which are going to take much longer than PCs to get to
> using IPv6 in large numbers.  Also, Netflix is even more problematic
> since the bulk of their traffic, and the fastest growing segment as
> well, is coming from Xboxes, Tivos, other gaming consoles, and TVs with
> enough embedded brains to talk directly.  Those devices will also
> seriously lag behind PCs in IPv6 support

Recommendation: if you're doing some sort of under-the-TV device, if it does 
6to4 or some other kind of IPv6 tunnelling (like Apple Airports), colocate your 
relay/vpn host/tunnel exit points with content CDN servers rather than sending 
everything via your head office location.

If you're snooping on the traffic, you can always configure the nodes to do 
that:-{0
-- 
The only thing worse than e-mail disclaimers...is people who send e-mail to 
lists complaining about them




Re: Connectivity status for Egypt

2011-01-28 Thread Alexander Harrowell
On Friday 28 January 2011 20:36:30 George Bonser wrote:
>> -Original Message-
>> From: Jake Khuon [mailto:kh...@neebu.net]
>> Sent: Friday, January 28, 2011 12:07 PM
>> To: Patrick W. Gilmore
>> Cc: NANOG list
>> Subject: Re: Connectivity status for Egypt
>>
>> On Fri, 2011-01-28 at 11:27 -0500, Patrick W. Gilmore wrote:
>>> I think it does not matter.  Censorship is censorship.  (So much for
>>> routing around it.)
>
> I think it would be pretty hard to actually cut off communications when the
> telephone system is still working.  You can move a lot of email by dialup
> UUCP if you wanted to.
>
> I am guessing that satellite internet still works and landline dialup to a
> modem outside the country still works.  And there's always static routes
> :)


International dial-out is a good point, especially these days when international 
voice isn't wildly expensive any more. Does anyone have a source for dialup 
pools like that?


Personally, I suspect that it's probably more important to cut off internal 
comms. Especially as the TV and media people are pretty good at bringing their 
own satellite connectivity. Which is more worrying, someone updating their 
wordpress.com blog, or the same person texting everyone they know to show up 
outside State TV at 1700 hours and bring a bag of bricks? A lot of the 
fbk/twt/whatever activity, and all the really politically important fraction of 
it, is just that - but going through either externally located servers or 
externally-owned ones.


I wonder if anyone's working on a mesh or p-t-p radio app that runs on a 
smartphone?


-- 
The only thing worse than e-mail disclaimers...is people who send e-mail to 
lists complaining about them




Re: Connectivity status for Egypt

2011-01-28 Thread Alexander Harrowell
On Friday 28 January 2011 21:22:55 Christopher Morrow wrote:
> On Fri, Jan 28, 2011 at 4:18 PM, Christopher Morrow
> morrowc.li...@gmail.com wrote:
>> On Fri, Jan 28, 2011 at 3:51 PM, Alastair Johnson a...@sneep.net wrote:
>>> For instance, our corporate WAN links into Cairo are still up (UUNET
>>> PIP).
>>
>> <cough> that's the MCI PIP </cough>...
>
> probably the .EG parts of that PIP are provided on a partner network
> still ... I don't think they have build of their own gear into the
> country, and there's a high likelihood that if state-security sees
> 'forbidden' traffic on those links they'll request traffic shutdown on
> that network as well.
>
> If you operate a network in the affected country I'm sure you'll have
> to comply with LEA demands...
>
> -chris

It's ironic that in 1991, the Soviet coup leaders had the international voice 
gateway shut down but left the Internet link up (who cares about some weird 
thing eggheads chat over?), but now, dictators in trouble pull all the BGP 
announcements but leave the PSTN up. Who cares about some old thing your mother 
uses?


Not impressed by US journalists asking why the WH press secretary can't order 
Vodafone to turn their GSM net back on, though. 1) it's not them who would have 
to say no to the nice man from Central State Security with his electric shock 
baton, 2) VF.eg is half-owned by the Egyptian government...

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail to 
lists complaining about them




Re:

2010-12-13 Thread Alexander Harrowell
On Monday 13 December 2010 17:02:59 Atticus wrote:
> Cc

I presume this is some sort of spam-test?

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail to 
lists complaining about them




Re: On the control of the Internet.

2010-06-13 Thread Alexander Harrowell
I'll bet that is a political statement, against list rules. Larry is currently 
making up a really high percentage of list traffic and this is beginning to 
annoy.
L
Larry Sheldon larryshel...@cox.net wrote:

> On 6/13/2010 15:54, Joe Greco wrote:
>
>> If we want to be pedantic, Sony this year announced that it is shutting
>> down its production of floppy disks by next year.  Of course, the choice
>> of floppy disk is irrelevant, and I'm guessing you know it.  If your
>> devices are more comfortable with CD-ROM or USB MicroSD readers, then by
>> all means.
>
> I certainly hoped that that was the case, but not very long ago I read a
> current Emergency Recovery Plan that depended on 9-track 1600BPI round
> reel tapes in a shop that had not had a drive like that for ten years.
>
>
>> Long before NANOG, there was actually a time that some of us hauled
>> around things like USENET on magnetic media, because it was simply the
>> highest bandwidth yet cheapest method to haul large amounts of data
>> around the city, back when a Telebit Trailblazer was still vaguely able
>> to cope with a USENET feed - and for a little while thereafter.
>
> Wide Band Truck was a major component of plans long ago.
>
> And I wish I had a nickel for every round-reel tape in Anvil case I
> escorted through airports.
>
>> If your network has been so thoroughly taken over that you cannot hope
>> to get a file from a computer that does have a floppy over to your DNS
>> server, you have Much Bigger Problems to begin with...
>
> And that is the issue I was trying to raise.
>
>> Our monitoring systems are definitely able to detect when connectivity
>> goes away.  What happens if and when that happens is generally left up
>> to a human to decide.  The sorts of brokenness that one might potentially
>> discover if the government were to corrupt connectivity is much more
>> complex than simple on/off; I feel comfortable saying that the best plan
>> is to have diversity of resources and some in-depth knowledge, since that
>> also serves normal engineering needs well.
>
> I'll bet you think The Stimulus created jobs.
>
> --
> Somebody should have said:
> A democracy is two wolves and a lamb voting on what to have for dinner.
>
> Freedom under a constitutional republic is a well armed lamb contesting
> the vote.
>
> Requiescas in pace o email
> Ex turpi causa non oritur actio
> Eppure si rinfresca
>
> ICBM Targeting Information:  http://tinyurl.com/4sqczs
> http://tinyurl.com/7tp8ml


-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.



Re: Nato warns of strike against cyber attackers

2010-06-10 Thread Alexander Harrowell
This would appear to be political in nature and therefore not operational, 
right?

Larry Sheldon larryshel...@cox.net wrote:

> On 6/9/2010 08:21, Joe Greco wrote:
>
>> Your car emits lots of greenhouse gases.  Just because it's /less/ doesn't
>> change the fact that the Prius has an ICE.  We have a Prius and a HiHy too.
>
> Did Godwin say anything about rand discussions degenerating to
> mythologies like gorebull warming?
>
> --
> Somebody should have said:
> A democracy is two wolves and a lamb voting on what to have for dinner.
>
> Freedom under a constitutional republic is a well armed lamb contesting
> the vote.
>
> Requiescas in pace o email
> Ex turpi causa non oritur actio
> Eppure si rinfresca
>
> ICBM Targeting Information:  http://tinyurl.com/4sqczs
> http://tinyurl.com/7tp8ml


-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.



Re: Nato warns of strike against cyber attackers

2010-06-09 Thread Alexander Harrowell
No, but we can and do require cars to have functional brakes and minimum tread 
depths, and to be tested periodically.

Obviously this is acceptable because the failure modes for cars are worse, but 
the proposed solution is less intrusive being after the fact.

Excuse top-posting, on mobile.

Joe Greco jgr...@ns.sol.net wrote:

>> So? If said end customer is operating a network-connected system without
>> sufficient knowledge to properly maintain it and prevent it from doing mischief
>> to the rest of the network, why should the rest of us subsidize her negligence?
>> I don't see where making her pay is a bad thing.
>
> I see that you don't understand that.
>
>> The internet may be a vast ocean where bad guys keep dumping garbage,
>> but, if software vendors stopped building highly exploitable code and ISPs
>> started disconnecting abusing systems rapidly, it would have a major effect
>> on the constantly changing currents. If abuse departments were fully funded
>> by cleanup fees charged to negligent users who failed to secure their systems
>> properly, it would both incentivize users to do proper security _AND_ provide
>> for more responsive abuse departments as issues are reduced and their
>> budget scales linearly with the amount of abuse being conducted.
>
> The reality is that things change.  Forty-three years ago, you could still
> buy a car that didn't have seat belts.  Thirty years ago, most people still
> didn't wear seat belts.  Twenty years ago, air bags began appearing in
> large volume in passenger vehicles.  Throughout this period, cars have been
> de-stiffened with crumple zones, etc., in order to make them safer for
> passengers in the event of a crash.  Mandatory child seat laws have been
> enacted at various times throughout.  A little more than ten years ago, air
> bags were mandatory.  Ten years ago, LATCH clips for child safety seats
> became mandatory.  We now have side impact air bags, etc.
>
> Generally speaking, we do not penalize car owners for owning an older car,
> and we've maybe only made them retrofit seat belts (but not air bags,
> crumple zones, etc) into them, despite the fact that some of those big old
> boats can be quite deadly to other drivers in today's more easily-damaged
> cars.  We've increased auto safety by mandating better cars, and by
> penalizing users who fail to make use of the safety features.
>
> There is only so much proper security you can expect the average PC user
> to do.  The average PC user expects to be able to check e-mail, view the
> web, edit some documents, and listen to some songs.  The average car driver
> expects to be able to drive around and do things.  You can try to mandate
> that the average car driver must change their own oil, just as you can try
> to mandate that the average computer must do what you've naively referred
> to as proper security, but the reality is that grandma doesn't want to
> get under her car, doesn't have the knowledge or tools, and would rather
> spend $30 at SpeedyLube.  If we can not make security a similarly easy
> target for the end-user, rather than telling them to take it in to
> NerdForce and spend some random amount between $50 and twice the cost of
> a new computer, then we - as the people who have designed and provided
> technology - have failed, and we are trying to pass off responsibility
> for our collective failure onto the end user.
>
> I'm all fine with noting that certain products are particularly awful.
> However, we have to be aware that users are simply not going to be required
> to go get a CompSci degree specializing in risk management and virus
> cleansing prior to being allowed to buy a computer.  This implies that our
> operating systems need to be more secure, way more secure, our applications
> need to be less permissive, probably way less permissive, probably even
> sandboxed by default, our networks need to be more resilient to threats,
> ranging from simple things such as BCP38 and automatic detection of certain
> obvious violations, to more comprehensive things such as mandatory virus
> scanning by e-mail providers, etc., ...  there's a lot that could be done,
> that most on the technology side of things have been unwilling to commit
> to.
>
> We can make their Internet cars safer for them - but we largely haven't.
> Now we can all look forward to misguided government efforts to mandate
> some of this stuff.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.


-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.



Re: Starting up a WiMAX ISP

2010-04-28 Thread Alexander Harrowell
On Wednesday 28 April 2010 03:13:24 John R. Levine wrote:
>> Of course what they offer over those long long rural runs and what they can
>> actually provide are two different things.  DSL performance decreases with
>> distance rather dramatically..
>
> That's what I thought, but my friend out on the sheep farm in the next
> county says he gets 3Mb just like I do in the village three blocks from
> the CO.  (Yes, he knows what he's talking about.)  They must spend a lot
> on repeaters and concentrators.
>
> R's,
> John

There is a great deal of relevant experience here: 
http://www.wirelesscowboys.com/
-- 
The only thing worse than e-mail disclaimers...is people who send e-mail to 
lists complaining about them


signature.asc
Description: This is a digitally signed message part.


Re: T1 aggregation and data center gateways

2010-03-10 Thread Alexander Harrowell
On Wednesday 10 March 2010 14:09:18 Tim Franklin wrote:
  Isn't that just CYA?  Thank the lawyers and corporate compliance
 offices and professional whiners.
 
 The obvious answer is that if your corporate email policy makes you look
  like an idiot, post to mailing lists from a personal email address that
  doesn't make you look like an idiot.
 
 This also spares the list from out-of-office messages from Exchange
  servers too stupid to refrain from sending such messages to mailing lists.
 

I think I'll leave this to my new sig.


-- 
The only thing worse than e-mail disclaimers...is people who send e-mail to 
lists complaining about them




Re: dark fiber and sfp distance limitations

2010-01-01 Thread Alexander Harrowell
On Friday 01 January 2010 23:19:30 Richard A Steenbergen wrote:
 On Fri, Jan 01, 2010 at 02:52:33PM -0800, Mike wrote:
  I am looking at the possibility of leasing a ~70 mile run of fiber. I
  don't have access to any mid point section for regeneration purposes,
  and so I am wondering what the chances that a 120km rated SFP would be
  able to light the path and provide stable connectivity. There are a lot
  of unknowns including # of splices, condition of the cable, or the
  actual dispersion index or other properties (until we actually get
  closer to leasing it). Its spare telco fibers in the same cable binder
  they are using interoffice transport, but there are regen huts along the
  way so it works for them but may not for us, and 'finding out' is
  potentially expensive. How would someone experienced go about
  determining the feasibility of this concept and what options might
  there be? Replies online or off would be appreciated.

 That shouldn't be too difficult, especially at only 1G (though personally
 I can't imagine why you would bother leasing dark fiber for that :P).
 There are several ways you could do it, including 120km+ rated SFPs
 (iirc there have been 200km SFPs out for a while too), an external
 optical amplifier (ideally you'd want to amp in the middle, but with a
 single channel you should be fine w/pre-amp), and a digital FEC wrapper
 to extend the receive sensitivity. Remember that the distance spec on
 optics is mostly a rough guideline, so depending on the fiber conditions
 and number of splices/panels along the way you could potentially expect
 to get the entire distance out of a standard 100km optic.

There was an excellent thread on this list last year about using unusual 
high power lasers for long range optical networking.

http://www.merit.edu/mail.archives/nanog/2008-10/msg00226.html




Re: ip-precedence for management traffic

2009-12-30 Thread Alexander Harrowell
On Tuesday 29 December 2009 22:22:05 Randy Bush wrote:
  None of us knows precisely what we're going to absolutely require, or
  merely want/prefer, tomorrow or the next day, much less a year or two
  from now. Unless, of course, we choose to optimize (constrain)
  functionality so tightly around what we want/need today that the
  prospect of getting anything different is effectively eliminated.

 this is the telco solution to the nasty disruptive technologies spawned
 by the internet

 randy

It surely is. Also, when was the last time you had a customer ring up and ask 
for a product like the Internet but with bits missing? Nobody wants it, and 
the evidence of this is that nobody asks for it, and further that nobody's 
started an ISP that provides it, although people have been talking about it 
for years.

The support for the Internet but not quite is usually from either:
1) Telcos who secretly wish the Internet would go away
2) Security/morals bureaucrats (who secretly wish it would go away)
3) Engineers noodling on the idea, who don't have a business model for it

Note that this list doesn't include users or customers or anyone willing 
to offer money for it.

Also, I don't think it's at all clear that Internet-minus service would be 
cheaper to provide. Basically, if you have an IP network you can provide all 
the applications over it by default. Therefore, if you want to get rid of 
some, you've got to make an effort, which implies cost. There is no such thing 
as a Web DSL modem or a Web router.

In terms of traffic, as over 50% of the total is WWW these days, and a sizable 
chunk of the rest is Web-video streaming, once you've chucked in the e-mail, 
it's far from clear that you'd save significant amounts of bandwidth. 
Obviously, if you were intending to offer proper Internet service as an 
extra-cost option, you wouldn't have two lots of access lines, backhaul, 
transit - you'd filter more ports for some subset of your addressing scheme, or 
put the less-than-Internet customers on a different layer 2 vlan. So you'd 
still need the extra bandwidth for the other customers.

Where is the saving? Fewer support calls due to...what exactly? aren't the 
biggest malware vectors now web-based drive by download, sql injection and the 
like? Of course, there'll be a fair few wanting to know why slingbox, skype, 
IM protocol of choice, work vpns etc don't work.

The exercise is pointless.




Re: FTTH Active vs Passive

2009-12-02 Thread Alexander Harrowell
Another issue - how far does the technology support open access/infrastructure 
sharing/wholesaling? Not only are networks that get public funding likely to 
be expected to provide these, but there is evidence that they are important 
financially. 

Benoit Felten's presentation at eComm Europe suggested that the takerate and 
the presence of wholesale were the biggest sensitivities bearing on the pay off 
period for a FTTH deployment.




Re: ISP/VPN's to China?

2009-10-22 Thread Alexander Harrowell
On Thursday 22 October 2009 12:38:11 Chris Edwards wrote:
 On Thu, 22 Oct 2009, Alex Balashov wrote:
 | Understood.  I guess the angle I was going more for was:  Is this
 | actually practical to do in a country with almost as many Internet users
 | as the US has people?
 |
 | I had always assumed that broad policies and ACLs work in China, but most
 | forms of DPI and traffic pattern analysis aren't practical simply for
 | computational feasibility reasons.  Not unless the system were highly
 | distributed.

 Perhaps they only need make an example of a few, and thus introduce an
 element of fear for everyone else.

I had always assumed that the Gt. Firewall, and especially the fake RST 
element of it, existed precisely to let the geeks and weirdos stand out of the 
naive traffic so they could be subjected to special treatment. 

Similarly, this is the approach the Iranians seem to have taken after their 
disputed election - although there isn't a telco monopoly, there's a wholesale 
transit monopoly, and they just had the transit provider rate-limit everyone. 
My understanding of this was that normal users would give up and do 
something else, and only people who really wanted to reach the outside world 
or each other  - i.e. potential subversives - would keep trying. Therefore, 
not only would the volume of traffic to DPI, proxy etc be lower, but the 
concentration of suspect traffic in it would be higher.

From this point of view, I suppose there's some value in using an IPSec or SSL 
VPN, because that's what corporate traveller applications tend to use and 
they'll therefore never cut it off. I mean, are you suggesting that the 
assistant party secretary of Wuhan won't be able to log into CommunistSpace 
(like Facebook with Chinese characteristics) while he's on the road? 
Unthinkable!




Re: Dutch ISPs to collaborate and take responsibility

2009-10-07 Thread Alexander Harrowell
On Wednesday 07 October 2009 00:27:55 Joe Greco wrote:

 Assuming that the existence of an infected PC in the mix translates to
 some sort of inability to make a 911 call correctly is, however, simply
 irresponsible, and at some point, is probably asking for trouble.

 ... JG

Also, someone mentioned that the FCC doesn't in fact mandate that PSTN 
terminals should be able to make emergency calls even if formally disconnected 
and asked about cellular.

The opposite is true about GSM and its descendants; whether or not you're a 
valid roamer for the network you're talking to, have a prepaid balance, have 
paid your bill, you must be able to make emergency calls. Similarly, even if 
no SIM card is present, the device should register with the network as 
limited service - i.e. emergency only.





Re: operations contact @ facebook?

2009-10-05 Thread Alexander Harrowell
This is a classic case of one of the problems of the increasingly numerous and 
powerful Web dev platforms - as you let other people either control your app 
through an API, or even write code that executes on the server-side, you're 
increasing the cycles available to an attacker. It's similar to the dns 
reflector attack.




Re: FCCs RFC for the Definition of Broadband

2009-08-27 Thread Alexander Harrowell
On Wednesday 26 August 2009 23:16:17 Robert Enger - NANOG wrote:
 As tedious as the downstream can be, engineering the upstream path of a
 cable plant is worse. A lot of older systems were never designed for
 upstream service.  Even if the amps are retrofitted, the plant is just not
 tight enough. Desirably, fiber should be pushed deeper; the quantity of
 cascaded amps reduced, coax fittings and splitters replaced and so on.

 On 8/26/2009 10:25 AM, Richard Bennett wrote:
  The trouble with broadband in rural America is the twisted pair loop
  lengths that average around 20,000 feet. To use VDSL, the loop length
  needs to be down around 3000, so they're stuck with ADSL unless the ILEC
  wants to install a lot of repeaters. And VDSL is the enabler of triple
  play over twisted pair.
 

An interesting question: as the population gets sparser, the average trench 
mileage per subscriber increases. At some point this renders fibre deployment 
uneconomic. Now, this point can change:

1) as we deploy fibre we'll get more efficient at it - I think VZ's cost per 
sub has come down quite a lot since they started the FIOS rollout.
2) the flip side of the cost to serve a subscriber is of course revenue, and if 
you can find other services to sell'em you can go further. may also be scope 
for tiered pricing
3) public sector investment

Going the other way, as the population gets denser, it becomes harder to 
provide an acceptable broadband wireless service because of spectrum 
limitations. You either need more and more cells (=more and more sites and 
more and more backhaul), or more and more spectrum.

Where's the crossover point? There are clearly places where some fibre 
investment (like L(3)'s proposed deployment of many more POPs) would make it 
possible to get good service out using radio from the end of the fibre, 
precisely because they are sparse. There are clearly places where fibre to the 
home will eventually arrive.

Is there a broadband gap between the two groups, however, where it's not dense 
enough to ever deploy fibre and too dense to deploy good wireless? Or can we 
rely on FTTH for one lot and RTTR (Radio to the Ranch) for the other?




Re: FCCs RFC for the Definition of Broadband

2009-08-27 Thread Alexander Harrowell
On Thursday 27 August 2009 15:04:59 Leo Bicknell wrote:
 In a message written on Thu, Aug 27, 2009 at 09:58:22AM +0100, Alexander Harrowell wrote:
  An interesting question: as the population gets sparser, the average
  trench mileage per subscriber increases. At some point this renders fibre
  deployment uneconomic. Now, this point can change:

 This statement makes no sense to me.

 The cost to dig a trench is cheaper in rural areas than it is in
 urban areas.  A lot cheaper.  Rather than closing a road, cutting
 a trench, avoiding 900 other obstacles, repaving, etc they can often
 trench or go aerial down the side of a road for miles with no
 obstacles and nothing but grass to put back.

 So while mileage per subscriber increases, cost per mile dramatically
 increases.  The only advantage in an urban environment is that one
 trench may serve 200 families in a building, where as a rural trench
 may serve 20 families.

 But more puzzling to me is the idea that fiber becomes uneconomic.
 This may have once been true, but right now you can buy 10km or
 even 40km lasers quite cheaply.  Compare with copper which for even
 modest speeds requires a repeater every 2-4km.


True. But there is - there has to be - a limit, when the 70% or so civil works 
cost eats everything else. The limit may be more or less restrictive, but 
limit there is.




Re: dnscurve and DNS hardening, was Re: Dan Kaminsky

2009-08-06 Thread Alexander Harrowell
There are really two security problems here, which implies that two different 
methods might be necessary:

1) Authenticate the nameserver to the client (and so on up the chain to the 
root) in order to defeat the Kaminsky attack, man in the middle, IP-layer 
interference. (Are you who you say you are?)

2) Validate the information in the nameserver. (OK, so you're the nameserver; 
but who says www.google.com is 1.2.3.4?)

1) is the transport layer problem; 2) is the dnssec/zone signing problem.




Re: cisco.com

2009-08-04 Thread Alexander Harrowell
Up via Sprintlink in London...





Re: EU elections - piratenpartei.net censored

2009-06-07 Thread Alexander Harrowell
On Sunday 07 June 2009 23:16:12 Peter Dambier wrote:
 Hello,

 right during the election the website

 piratenpartei.net

 of the german pirates party gets censored by the hoster.

 alfahosting.info

 Good advertising, isn't it?

 Interestingly enough their website is down too.
 Afraid of emails I guess.

Perhaps the election night on which they finally won a seat might - MIGHT - 
have posed a few load issues?




Re: Looking for ATT / Verizon / Sprint WWAN service impressions - on or off-list replies welcome

2009-04-16 Thread Alexander Harrowell
On Thursday 16 April 2009 03:08:52 Eddie wrote:
  Also interested in similar information on impressions of similar EMEA
  WWAN service providers, particularly Vodaphone and T-Mobile, if anyone
  has experiences with these.


I regularly use 3UK (Hutchison)'s data service. £10 gets you 15GB of xfer a 
month, but you need to either sign a contract or else pay £50 for the 
hardware, which as with most UMTS operators is a Huawei E220 USB dongle.

That particular device currently supports radio air interfaces from GSM up to 
HSPA 7.2Mbit/s. There is support for the E220 in current Linux kernels. 
However, 3UK (and most of the other operators) ship it with a Windows client 
program installed on the USB device that autoruns when you connect it to a 
computer. This provides a pretty interface to it. Unfortunately, it also 
means that unless you activate the device at once, under Linux it gets 
detected as a USB mass storage device not a tty. You can get around this if 
you connect it before booting; I think there is a modprobe or similar 
operation that has to happen, so there is almost certainly a command-line 
workaround.

If it is working correctly you should be able to see three new ttys in 
/dev/USB. You can then use whatever program you like to dial up, or just run 
wvdial. In my experience 3UK works reasonably well; they advertise maximum 
speeds of 3.6Mbit/s downlink, but I've seen higher in practice. The uplink 
seems to max out at 600-700Kbit/s, which is considerably better than my DSL 
line. IPs are dynamic, and things like Skype pass through without trouble. I 
have successfully SSHd into a linux box both from a PC over the modem and 
using PuTTY from a Nokia E71.

Warnings: 3UK's DNS could be better, when I am using their service from a PC I 
usually set up OpenDNS. On the move, you may encounter problems with the 
step-down between UMTS and GPRS; 3 gets its backup GPRS national roaming from 
Orange and you can easily lose a connection between the two.

T-Mobile UK was the first UK operator to provide open slather Internet service; 
they offer a higher level of unlimited for a price, which includes not 
blocking VoIP and a static IP. Otherwise expect similar to 3, as they are 
beginning to share their radio access networks.

Vodafone probably has more coverage than anyone else, but their Internet 
service may not be to your taste. When they started doing pure 'net, they had 
a restriction on Web pages over 200KB and pushed everything else through a 
Novarra box to compress it, which broke a lot of things; I once got a header 
in my blog server logs that mentioned an XMS, a Novarra, a squid proxy and 
something from 724 Networks.




Verizon EVDO issues

2009-04-09 Thread Alexander Harrowell
On Thursday 09 April 2009 15:31:10 Daniel Senie wrote:
 On Apr 9, 2009, at 7:15 AM, Robert E. Seastrom wrote:
 
  Interesting.  When I got my Sprint EVDO card (u727) a year and a half
  ago, they were pretty nasty about gunning down (bidirectional spoofed
  RST coming out of the middle of the network somewhere) any TCP
  sessions that were idle for ten minutes or more.

 We observe this same kind of behavior with firewalls in the path
 watching for dead sessions they can clean up. Appears they send RSTs
 to both end points when they decide a session has gone away, as
 that'll let end hosts figure it out sooner. Same workaround of turning
 on keep=alives once a minute solves this too. The behavior in the case
 of firewalls makes sense, as state tables have to be cleaned up
 eventually.

The UMTS world has a lower-layer protocol called HARQ in the radio air 
interface which functions a little like TCP; the idea is to detect dropped 
packets on the radio link and retransmit them before the TCP interval times 
out, thus providing faster recovery. I wouldn't be surprised if there is a 
similar mechanism to police the use of spectrum; and a lot of mobile operators 
see Internet as an application. Somewhere around I have the incredibly long 
referral string Vodafone sent my blog server not long after they started real 
Internet service; a Squid, a Novarra, a 724 Solutions machine of some sort, 
and I think something else too.
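The spoofed RSTs described in this thread (a middlebox "gunning down" idle sessions by forging resets to both ends) and the fake-RST element of the Chinese filtering discussed earlier in the archive share one detectable trait: a host sends every segment of a flow with the same initial TTL, so a reset injected from somewhere in the middle usually arrives with a TTL that does not match the peer's real segments. The following is an added example, not code from any poster; the segment records are constructed, as seen by a capture on host A's side, and the `Segment` type and `find_suspect_resets` function are my own.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as seen at the monitoring point (constructed record)."""
    src: str      # source IP address
    dst: str      # destination IP address
    sport: int    # source port
    dport: int    # destination port
    ttl: int      # IP TTL on arrival at the monitoring point
    flags: str    # TCP flag letters, e.g. "S", "SA", "PA", "R", "RA"


FlowKey = Tuple[str, int, str, int]


def flow_key(seg: Segment) -> FlowKey:
    """Direction-specific key: segments sent by seg.src to seg.dst."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_suspect_resets(segments: List[Segment], tolerance: int = 0) -> List[Tuple[Segment, int]]:
    """Return (rst_segment, baseline_ttl) for every RST whose TTL differs from
    the TTL learned from non-RST traffic in the same direction of the flow.

    An injected RST from a device closer to the monitoring point than the
    real peer arrives with a higher TTL (fewer routers decremented it); one
    from further away arrives lower.  `tolerance` absorbs small route-change
    noise; with 0 any difference is reported.  RSTs for flows with no learned
    baseline are ignored rather than guessed at."""
    baseline = {}
    suspects = []
    for seg in segments:
        key = flow_key(seg)
        if "R" in seg.flags:
            base = baseline.get(key)
            if base is not None and abs(seg.ttl - base) > tolerance:
                suspects.append((seg, base))
            continue
        # The first non-RST segment in each direction fixes that direction's TTL.
        baseline.setdefault(key, seg.ttl)
    return suspects


# Constructed capture: A is the local host (its own segments leave with TTL 64),
# B is a remote server whose segments arrive with TTL 52.
A, B = "10.0.0.5", "203.0.113.10"
SAMPLE_SEGMENTS = [
    Segment(A, B, 40000, 443, 64, "S"),
    Segment(B, A, 443, 40000, 52, "SA"),
    Segment(A, B, 40000, 443, 64, "A"),
    Segment(A, B, 40000, 443, 64, "PA"),
    Segment(B, A, 443, 40000, 52, "PA"),
    # Minutes of idle time later: a reset that claims to be from B but arrives
    # with TTL 58, i.e. it was generated six hops closer than B.  The twin RST
    # the middlebox sends toward B would only be visible in a capture at B.
    Segment(B, A, 443, 40000, 58, "R"),
    # A genuine reset from B later on keeps B's usual TTL and is not flagged.
    Segment(B, A, 443, 40000, 52, "RA"),
    # A reset on a flow we never saw established: no baseline, so ignored.
    Segment("198.51.100.7", A, 22, 50123, 47, "R"),
]


if __name__ == "__main__":
    for rst, base in find_suspect_resets(SAMPLE_SEGMENTS):
        print(f"suspect RST {rst.src}:{rst.sport} -> {rst.dst}:{rst.dport} "
              f"ttl={rst.ttl}, peer baseline ttl={base}")
```

Legitimate route changes also shift TTLs, so treat a hit as a reason to look at the flow rather than proof of injection, and raise `tolerance` on links known to flap.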




Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Alexander Harrowell
On Thursday 09 April 2009 16:48:32 Lee, Steven (NSG Malaysia) wrote:
 Hi all, in most of the existing 2G/2.5G mobile PS-core (Packet Switch)
 networks have Gi segment (interface between GGSN & IP Router/firewall). Due
 to the IP address constraint, operator usually do NAT on the Gi firewall to
 NAT the private IP to public IP in the past. Looking at the traffic pattern
 and user access behaviour, does it make sense to have firewall between the
 GGSN & Public Internet if the public IP addresses are sufficient to cater
 for mobile subscribers? Especially with 3G/UMTS/HSPA or even LTE in the
 future.

 Please share your thought and thanks in advance :)

 Regards,
 Steven Lee
I would think that, however you are providing IP addresses, any ingress point 
to a GSM core network ought to be carefully policed on security grounds. 
Especially if you have IMS or SIP-based services or intend to deploy them.




Re: Verizon EVDO Issues

2009-04-08 Thread Alexander Harrowell
On Tuesday 07 April 2009 22:10:24 Charles Wyble wrote:
 Been troubleshooting a very strange problem for a couple of weeks now.

 I have a few hundred systems deployed throughout the United States
 utilizing EVDO connectivity with Verizon as a carrier. They are stationary.

 Over the past few weeks clusters of them in SF and Lewisville TX and a
 few other areas have been failing intermittently. They are offline for
 several days, then online for a few days then go offline again. They are
 running Linux and PPPD.


Do they maintain a continuous data link in normal operation (like, say, 
connectivity for a LAN, or backhaul for a camera or some such), or do they 
request the data link when they need to send [whatever] (like a discrete SCADA 
system)? My (user only) experience is that cellular data service doesn't 
handle long sessions well. 





Re: Netflix, Blockbuster, and streaming content ... what impact?

2009-03-26 Thread Alexander Harrowell
Regarding OnLive, the short answer would appear to be that it's like
streaming video, but more latency-critical.


Re: Seeking Connectivity in IRAQ

2009-03-19 Thread Alexander Harrowell
NewSkies' NSS703 is apparently intended to cover Turkey and Iraq especially
well; www.talia.net and probably many others resell the service, or you can
buy it directly (http://www.newskies.com/ipsyssolutions.htm).

Perhaps you could say what kind of connectivity you need? As various people
have pointed out, there are several GSM/UMTS operators, but this isn't a
solution for a whole network there.

On Thu, Mar 19, 2009 at 4:18 AM, Lamar Owen lo...@pari.edu wrote:

 On Wednesday 18 March 2009 22:27:25 Tim McKee wrote:
  www.sdnglobal.com does enterprise grade satellite service.
 
  Tim mckee

 As a side job, I'm a consultant for a radio station in NC with a mobile SDN
 system; works great, very reliable, tolerable latency; a must, since this
 station, due to the terrain in the Appalachians, cannot easily use standard
 RPU's for many live remotes, and thus is using SDN satellite IP to carry audio
 and video streams from the site of the remote.

 Setup at the time this system was installed as a certified installer only
 thing; but the guy that did ours did it good.  SDN has a good reputation from
 what I can find, too.

 Shades of SunBelt, Tim!




Re: Yahoo and their mail filters..

2009-02-26 Thread Alexander Harrowell
On Thu, Feb 26, 2009 at 5:28 PM, John R. Levine jo...@iecc.com wrote:

 This also pre-dates organized crime becoming heavily involved, and
 pre-dates the obsession with browser exploits.  Back then a lot of spam was
 sent by semi-legitimate marketers from the US.  These days all the bad guys
 are out to get you to click on a single link.


 Right.  Back in the 90s spammers were trying to build their lists, and used
 fake opt outs to do so.  These days through a combination of web scraping
 and dictionary attacks, they have more addresses than they know what to do
 with.

 My advice to people these days is to unsub if a message is from someone
 you've corresponded with before, or if it looks like someone who is legit
 but clueless.  Then hit the spam button.


Of course, the browsploit issue means that clicking on ANY links in dubious
e-mail is highly unwise.


Re: 97.128.0.0/9 allocation to verizon wireless

2009-02-08 Thread Alexander Harrowell
Leo Bicknell:

Lastly, you've assumed that only a smart phone (not that the term
 is well defined) needs an IP address.  I believe this is wrong.
 There are plenty of simpler phones (e.g. not a PDA, touch screen,
 read your e-mail thing) that can use cellular data to web browse,
 or to fetch things like ring tones.  They use an IP on the network.


Alternatively, Verizon is planning to build an all-IP NGN architecture in
the near future, or is at least providing for the possibility of building
one. Mobilkom Austria, for example, has done a deal with Fring to put their
SIP VoIP client on handsets and serve their voice traffic over IP. In that
case, you'd need IP addresses for all the people who use VOICE.

You can do ringtones and the like through USSD...but there's no escape from
voice.


Hushmail postmaster

2009-01-13 Thread Alexander Harrowell
If you're on the list, can you contact me? You're being used to send out
spam through your tagline.hushmail.com service, which redirects to arbitrary
URLs either by design or because it's been compromised. Google shows it's
cropping up in list archives all over the place. (
http://www.google.co.uk/search?q=tagline.hushmail.com&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
)

PGP-encrypted spam: I would think this is a serious issue for a
privacy/security-focused operation.

I've filled in the web form a couple of days ago, but no joy and no ticket
number.

Alexander Harrowell


Re:

2009-01-12 Thread Alexander Harrowell
 Stop


Making sense?


Re: Telecom Collapse?

2008-12-04 Thread Alexander Harrowell
Solar is civil defence - that goes for Node Bs as well as citizens.

In the UK, I have absolutely no confidence in the reliability of our major
cable op, because everywhere I go I find their street cabinets broken into,
presumably by scum looking for copper (how long will they take to respond to
the precipitous drop in metal prices?), which this being DOCSIS it doesn't
contain. The BT ones, which are full of copper, seem to be more robust.


Re: Telecom Collapse?

2008-12-04 Thread Alexander Harrowell
On Thu, Dec 4, 2008 at 7:18 PM, Michael Thomas [EMAIL PROTECTED] wrote:

   We haven't really had a major catastrophe where we've been totally
  dependent on IP yet, AFAIK. Maybe all of the qos, call gapping and
  the rest of the stuff the TDM networks do to deal with disasters
  will be left in the dustbin of Moore's Law, but maybe they won't. One
  thing is certain: we'll definitely find out one day, and it's not
  likely to be from a position of having taken the precautions,
  congratulating ourselves IMO.


 The only disaster I experienced which affected telecoms was the July, 2005
terrorist attack on London. Although the infrastructure wasn't affected,
there were significant load challenges for the GSM nets especially. It was
widely assumed by the unclued that either one or two GSM operators failed
under peak load; by the clued that the Access Overload Control process,
analogous to the PSTN's Government Telephone Preference Scheme, had been
initiated to deal with the peak load.

In fact, it turned out much later that AOC had indeed been declared, but
unnecessarily, and against the decision of the lead agency dealing with the
emergency. The Metropolitan Police didn't request it, but the (smaller) City
of London force did, although the network in question was coping - the
entire outage was caused by mismanaging the TDM call-gapping and QoS
features.

Both the Internet, and our corporate VoIP system including its peering with
the wider PSTN, worked throughout.


Re: Prefix Hijack Tool Comparison

2008-11-13 Thread Alexander Harrowell
It may be the North American NOG, but it's been said before that it functions 
as a GNOG, G for Global. I don't think Brazil is insignificant. I respect 
Todd's work greatly, but I think he's wrong on this point.

- original message -
Subject:Re: Prefix Hijack Tool Comparison
From:   Scott Weeks [EMAIL PROTECTED]
Date:   13/11/2008 7:42 pm



--- [EMAIL PROTECTED] wrote:
From: Todd Underwood [EMAIL PROTECTED]

interesting, but it's not operationally significant.  i would not
consider the fact that PHAS and Watchmy didn't alert any particular
criticism of them.  

but perhaps there was something else to which you were referring.
--



I think he was just referring to and answering my question.  I hope to see how 
these tools work in 'small' incidents as well as large-scale incidents.  
Knowing the tool's capabilities increases one's ability to assess the damage 
while troubleshooting.

scott





Re: Prefix Hijack Tool Comparison

2008-11-13 Thread Alexander Harrowell
OK. This seems to be a flaw in RIPE RIS, a pity because BGPlay is great.

- original message -
Subject:Re: Prefix Hijack Tool Comparison
From:   Todd Underwood [EMAIL PROTECTED]
Date:   13/11/2008 8:05 pm

alexander, all,

On Thu, Nov 13, 2008 at 07:56:26PM +, Alexander Harrowell wrote:
 It may be the North American NOG, but it's been said before that it
 functions as a GNOG, G for Global. I don't think Brazil is
 insignificant. I respect Todd's work greatly, but I think he's wrong
 on this point. 

you misread me.

i did not say that brazil was insignificant. it's not.  it has some of
the fastest growing internet in latin america.  

i said that *this* hijacking took place in an insignificant corner of
the internet.  i mean this AS-map wise rather than geographically.
this hijacking didn't even spread beyond one or two ASes, one of whom
just happened to be a RIPE RIS peer.  

real hijackings leak into dozens or hundreds or thousands of ASNs.
they spread far and wide.  that's why people carry them out, when they
do.  this one was stopped in its tracks in a very small portion of one
corner of the AS graph.  

as such, i don't count it as a hijacking or leak of any great
significance and wouldn't want to alert anyone about it.  that's why i
recommend that prefix hijacking detection systems do thresholding of
peers to prevent a single, rogue, unrepresentative peer from reporting
a hijacking when none is really happening.  others may have a
different approach, but without thresholding prefix alert systems can
be noisy and more trouble than they are worth.

sorry if it appears that i was denigrating .br .  i was not.

t.

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation
[EMAIL PROTECTED]   http://www.renesys.com/blog
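The peer thresholding Todd recommends above, as an added example rather than the code of PHAS, WatchMy, RIPE RIS or Renesys: an unexpected origin AS for a prefix only becomes an alert when at least `min_peers` distinct collector peers report it, so a single rogue or unrepresentative peer (the Brazilian case in this thread) lands in a low-confidence log instead of paging anyone. The `Route` type, the function names and the routing snapshot below are my own constructions, using documentation prefixes and private AS numbers.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Route:
    """One prefix announcement as observed by a route-collector peer (constructed)."""
    peer: str                  # identifier of the collector peer that saw it
    prefix: str
    as_path: Tuple[int, ...]   # AS_PATH; the origin AS is the last element

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def origin_view(routes: List[Route]) -> Dict[str, Dict[int, Set[str]]]:
    """{prefix: {origin_as: set of peers}} -- who saw which origin for what."""
    view: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for r in routes:
        view[r.prefix][r.origin].add(r.peer)
    return view


def classify_origin_events(
    routes: List[Route],
    expected_origins: Dict[str, Set[int]],
    min_peers: int = 3,
) -> Tuple[Dict[str, Dict[int, List[str]]], Dict[str, Dict[int, List[str]]]]:
    """Split unexpected-origin observations into (alerts, low_confidence).

    An unexpected origin seen by at least `min_peers` distinct peers is an
    alert; one seen by fewer peers is recorded for later review but does not
    alert, which is the thresholding that keeps one odd peer from crying wolf.
    Prefixes absent from `expected_origins` are treated as having no legitimate
    origin, so every origin seen for them is unexpected."""
    alerts: Dict[str, Dict[int, List[str]]] = {}
    low_confidence: Dict[str, Dict[int, List[str]]] = {}
    for prefix, by_origin in origin_view(routes).items():
        legit = expected_origins.get(prefix, set())
        for origin, peers in by_origin.items():
            if origin in legit:
                continue
            bucket = alerts if len(peers) >= min_peers else low_confidence
            bucket.setdefault(prefix, {})[origin] = sorted(peers)
    return alerts, low_confidence


# Constructed registry of who is allowed to originate each prefix.
EXPECTED_ORIGINS = {"192.0.2.0/24": {64500}, "198.51.100.0/24": {64501}}

# Constructed snapshot from seven collector peers.
SAMPLE_ROUTES = [
    # 192.0.2.0/24: six peers see the legitimate origin ...
    *(Route(f"peer{i}", "192.0.2.0/24", (65000 + i, 64510, 64500)) for i in range(6)),
    # ... and exactly one peer sees a different origin: a leak confined to a
    # tiny corner of the AS graph, which should not page anyone.
    Route("peer6", "192.0.2.0/24", (65006, 64666)),
    # 198.51.100.0/24: four peers see an origin that is not the registered one
    # while three still see the real path; this one has spread and warrants an alert.
    *(Route(f"peer{i}", "198.51.100.0/24", (65000 + i, 64777)) for i in range(4)),
    *(Route(f"peer{i}", "198.51.100.0/24", (65000 + i, 64520, 64501)) for i in range(4, 7)),
]


if __name__ == "__main__":
    alerts, low = classify_origin_events(SAMPLE_ROUTES, EXPECTED_ORIGINS)
    for prefix, by_origin in alerts.items():
        for origin, peers in by_origin.items():
            print(f"ALERT {prefix} originated by AS{origin}, seen by {len(peers)} peers")
    for prefix, by_origin in low.items():
        for origin, peers in by_origin.items():
            print(f"low-confidence {prefix} from AS{origin}, only {peers}")
```

Choose `min_peers` relative to how many peers normally carry the prefix; a threshold of three is meaningless for a prefix only two peers ever see, and a share-of-peers threshold is the usual refinement.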




Re: Internet partitioning event regulations (was: RE: Sending vs r equesting. Was: Re: Sprint / Cogent)

2008-11-05 Thread Alexander Harrowell
Have we yet had a peering war that was genuinely international, i.e. the 
partition was between net X in country Y and net Z in country W? Rather than 
between X's Y and Z's Y divisions, which wd both be in Y jurisdiction?

- original message -
Subject:Re: Internet partitioning event regulations (was: RE: Sending 
vs requesting. Was: Re: Sprint / Cogent)
From:   Scott Weeks [EMAIL PROTECTED]
Date:   05/11/2008 10:47 pm



--- [EMAIL PROTECTED] wrote:

That having been said, jurisdiction is a red herring. Every
transit-free provider does at least some of its business in the United
States. Economic reality compels them to continue to do so for the
foreseeable future. That's all the hook the Feds need.
-


Are you saying that if any part of a network touches US soil it can be 
regulated by the US govt over the entirety of the network?  For my part, this 
is not an attempt to change the subject or divert the argument (red herring).  
It is a valid question with operational impact.

scott







Re: Internet Traffic Begins to Bypass the U.S.

2008-09-15 Thread Alexander Harrowell
On Mon, Sep 15, 2008 at 7:13 AM, Jim Mercer [EMAIL PROTECTED] wrote:

 oddly enough, the ISP's in the region have not caught on to the potential
 windfall of providing cost effective hosting locally, so therefore, the bulk
 of the hosting for companies in the region is primarily done in the US, then
 in EU, then, maybe locally.

 if you drive down Sheikh Zayed Road in Dubai, and check where the hosting is
 for 90% of the URL's on the billboards (even those with .ae domains), you will
 find that they follow the above pattern.

 a primary example is that of du.ae, one of the only two incumbent/dual-opoly
 providers for the UAE, hosts its own website and customer portal in Canada,
 even though it has a perfectly fine data center (if not more than one) in
 Dubai.


The political implications are interesting; the UAE has been more than keen
to attract fibreoptic infrastructure, but setting up an IX would encourage
local networks to interconnect without going via either Etisalat or Du,
which has consequences both for their quasi-official monopoly and for the
government's mass Internet filtering policy.

There are (as you know Bob) already office developments that are allowed to
have their own access to $World, and presumably there are networks in them;
if they were allowed to interconnect with each other and with other
networks, who knows? anarchy, cats and dogs making love in the streets, etc.

Interestingly, other emerging markets did it the opposite way round. Kenya,
frex, established an IX long before it had even the hope of submarine cable
access. Now, with the new East African projects, there is talk of an
Indian-style call centre/backoffice boom.


Re: ICANN opens up Pandora's Box of new TLDs

2008-06-27 Thread Alexander Harrowell
Well, at least the new TLDs will promote DNS-based cruft filtration. You can
already safely ignore anything with a .name, .biz, .info, .tv suffix, to
name just the worst. If only there was a way to get the cruft to move over
into the new ones...

On Fri, Jun 27, 2008 at 1:05 PM, John Levine [EMAIL PROTECTED] wrote:

  Some people are going to get very rich over this.
 
 How do you know this? Judging by the past experience of TLDs
 there will not be a rush of customers but there will be a rush
 of people trying to make a buck.

 You might enjoy my blog entries about the .TRAVEL domain:

 http://weblog.johnlevine.com/ICANN/travelcroak.html

 http://weblog.johnlevine.com/ICANN/travelnotdead.html

 http://weblog.johnlevine.com/ICANN/traveldrain.html

 http://weblog.johnlevine.com/ICANN/travelstillnotdead.html





Re: [NANOG] [Nanog] P2P traffic optimization Was: Lies, Damned Lies, and Statistics [Was: Re: AT&T VP: Internet to hit capacity by 2010]

2008-04-24 Thread Alexander Harrowell
On Thu, Apr 24, 2008 at 2:38 PM, Mike Gonnason [EMAIL PROTECTED] wrote:


 This idea is what I am concerned about. Until the whole copyright mess
 gets sorted out, wouldn't these iTracker supernodes be a goldmine of
 logs for copyright lawyers? They would have a great deal of
 information about what exactly is being transferred, by whom and for
 how long.


A good point about the approach of announcing a list of prefixes and
preference metrics, rather than doing lookups for each peer individually, is
that the supernode's logs will only tell you who used a p2p client at all;
nothing about what they did with it.

If you have to lookup each peer, the log would be enough to start building a
social graph of the p2p network, which would be a good start towards knowing
who to send the nastygram to. Reading the following description of the P4P
group's current approach, this looks like it's what they're doing:

The approach that P4P takes is to have an intermediate server (which we
call an iTracker) that processes the network maps and provides abstracted
guidance (lists of IP prefixes and percentages) to the p2p networks that
allows them to figure out which peers are near each other.
___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog


Re: [Nanog] Lies, Damned Lies, and Statistics [Was: Re: AT&T VP: Internet to hit capacity by 2010]

2008-04-23 Thread Alexander Harrowell
On Wed, Apr 23, 2008 at 3:47 PM, Christopher Morrow 
[EMAIL PROTECTED] wrote:


 It strikes me that often just doing a reverse lookup on the peer
 address would be 'good enough' to keep things more 'local' in a
 network sense. Something like:

 1) prefer peers with PTR's like mine (perhaps get address from a
 public-ish server - myipaddress.com/ipchicken.com/dshield.org)
 2) prefer peers within my /24-/16 ?

 This does depend on what you define as 'local' as well, 'stay off my
 transit links' or 'stay off my last-mile' or 'stay off that godawful
 expensive VZ link from CHI to NYC in my backhaul network...


Well, here's your problem: depending on the architecture, the IP addressing
structure doesn't necessarily map to the network's cost structure. This is
why I prefer the P4P/DillTorrent announcement model.

Alex


Re: [Nanog] Lies, Damned Lies, and Statistics [Was: Re: AT&T VP: Internet to hit capacity by 2010]

2008-04-22 Thread Alexander Harrowell
NCAP - Network Capability (or Cost) Announcement Protocol.

On Tue, Apr 22, 2008 at 2:24 PM, Matthew Moyle-Croft [EMAIL PROTECTED]
wrote:

 (I know, replying to your own email is sad ...)
  You could probably do this with a variant of DNS.  Use an Anycast
  address common to everyone to solve the discovery problem.   Client
  sends a DNS request for a TXT record for, as an example,
  148.165.32.217.p2ptopology.org.  The topology box looks at the IP
  address that the request came from and does some magic based on the
  requested information and returns a ranking score based on that (maybe
  0-255 worse to best) that the client can then use to rank where it
  downloads from. (might have to run DNS on another port so that normal
  resolvers don't capture this).
 
  The great thing is that you can use it for other things.
 
 Since this could be dynamic (I'm guessing BGP and other things like SNMP
 feeding the topology box) you could then use it to balance traffic flows
 through your network to avoid congestion on certain links - that's a win
 for everyone.   You could get webbrowsers to look at it when you've got
 multiple A records to chose which one is best for things like Flash
 video etc.

 MMC

 --
 Matthew Moyle-Croft - Internode/Agile - Networks
 Level 5, 150 Grenfell Street, Adelaide, SA 5000 Australia
 Email: [EMAIL PROTECTED]  Web: http://www.on.net
 Direct: +61-8-8228-2909 Mobile: +61-419-900-366
 Reception: +61-8-8228-2999  Fax: +61-8-8235-6909

   The difficulty lies, not in the new ideas,
  but in escaping from the old ones - John Maynard Keynes


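The two guidance models discussed in this thread (the P4P/iTracker approach of publishing a list of IP prefixes with preference percentages, versus a per-peer lookup service such as the DNS TXT ranking sketched above) can be compared side by side in code. The following is an added example, not code from the thread, from the P4P working group or from any tracker implementation; the class and function names, the preference scale (0-100, higher is better) and every prefix, peer address and percentage are constructed sample data, chosen from documentation ranges. It ranks the same candidate peers both ways and then shows what each model's server log yields: the announce model records only that a client fetched the map, while the lookup model records every (client, peer) pair, which is exactly the material needed to build a social graph of the swarm.

```python
"""Peer ranking from prefix/preference guidance: announce vs per-peer lookup.

Added example; not part of the original thread. All data is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed iTracker-style guidance: prefix -> preference, 0-100, higher is
# better. The /25 inside the /24 exercises longest-prefix matching.
GUIDANCE = {
    "192.0.2.0/24": 90,       # assumed: same POP as the client
    "192.0.2.128/25": 95,     # assumed: same access node
    "198.51.100.0/24": 60,    # assumed: same ISP, different region
    "203.0.113.0/24": 10,     # assumed: reachable only via paid transit
}

# Constructed candidate peers; 100.64.0.5 is deliberately outside the map.
PEERS = ["203.0.113.7", "192.0.2.44", "198.51.100.9", "192.0.2.200", "100.64.0.5"]


def build_prefix_map(guidance):
    """Parse the textual guidance once into (network, weight) pairs."""
    return [(ipaddress.ip_network(p), w) for p, w in guidance.items()]


def score_peer(prefix_map, peer_ip, default=0):
    """Longest-prefix match of peer_ip against the guidance.

    Peers outside every prefix (including peers of the other IP version)
    get `default`, so unknown peers sort last rather than raising.
    """
    addr = ipaddress.ip_address(peer_ip)
    best = None
    for net, weight in prefix_map:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, weight)
    return best[1] if best else default


class AnnounceTracker:
    """P4P-style: hands out the whole map; the log only says who fetched it."""

    def __init__(self, guidance):
        self._map = build_prefix_map(guidance)
        self.log = []

    def fetch(self, client_ip):
        self.log.append(("fetch", client_ip))
        return list(self._map)


class LookupTracker:
    """DNS-TXT style: scores one peer per query; the log records every pair."""

    def __init__(self, guidance):
        self._map = build_prefix_map(guidance)
        self.log = []

    def score(self, client_ip, peer_ip):
        self.log.append(("query", client_ip, peer_ip))
        return score_peer(self._map, peer_ip)


def rank_peers_locally(client_ip, peers, tracker):
    """Announce model: one fetch, then ranking happens entirely on the client."""
    prefix_map = tracker.fetch(client_ip)
    return sorted(peers, key=lambda p: score_peer(prefix_map, p), reverse=True)


def rank_peers_via_lookup(client_ip, peers, tracker):
    """Lookup model: one round trip to the tracker per candidate peer."""
    return sorted(peers, key=lambda p: tracker.score(client_ip, p), reverse=True)


def social_graph(log):
    """What a subpoena of a tracker log yields: client -> peers it asked about."""
    graph = defaultdict(set)
    for entry in log:
        if entry[0] == "query":
            _, client, peer = entry
            graph[client].add(peer)
    return {client: sorted(peers) for client, peers in graph.items()}


def demo(client_ip="192.0.2.10", peers=PEERS):
    """Rank the same peers both ways and report what each tracker logged."""
    announce = AnnounceTracker(GUIDANCE)
    lookup = LookupTracker(GUIDANCE)
    by_announce = rank_peers_locally(client_ip, peers, announce)
    by_lookup = rank_peers_via_lookup(client_ip, peers, lookup)
    return {
        "ranking": by_announce,
        "same_ranking": by_announce == by_lookup,
        "announce_graph": social_graph(announce.log),   # nothing to build
        "lookup_graph": social_graph(lookup.log),       # full edge list
        "announce_log_entries": len(announce.log),
        "lookup_log_entries": len(lookup.log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both rankers produce the identical order, so the announce model gives up nothing in locality; the difference is entirely in what the guidance server learns. Note that the lookup tracker logs one query per candidate peer, so its log grows with the size of the swarm each client sees, whereas the announce log is one line per client however many peers it evaluates.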


Re: Dubai impound ships suspected in cable damage

2008-04-13 Thread Alexander Harrowell
Lots - for values of lots including practically all - of ships use the AIS
(Automatic Identification System), which broadcasts various details on
radio. For an example application, try www.aisliverpool.org.uk

On Fri, Apr 11, 2008 at 6:44 AM, [EMAIL PROTECTED] wrote:

 On Tue, 08 Apr 2008 22:16:57 PDT, Joel Jaeggli said:

  spot can generally deliver an image within 1 day in 60kmx60km blocks
  assuming no contention for the slot. 20m resolution is more than
  adequate to pick up ships underway at sea. ikonos can deliver 11x11km
  swaths.

 And ikonos can do a lot better than 20m resolution.  We had ikonos target
 the campus for a special event a few months ago:

 http://glovis.geog.vt.edu/hokiesthanktheworld/

 The full extent of the satellite image is approximately 100-square kilometers,
 stretching from Brush Mountain (upper left) across Blacksburg (center) to
 Ellett Valley (lower right). The Virginia Tech Drillfield is located near the
 center of this November 17, 2007 scene from the GeoEye IKONOS satellite. This
 true color rendering by Peter Sforza combines red, green, and blue wavelengths
 (3.7-meter pixels) into a RGB color image, and sharpened using the panchromatic
 band (0.92-meter pixels). Note the sun's angle of elevation was 32 degrees and
 the azimuth was 164.1 degrees (north being zero).

 1-meter pixels sounds about right - if you look at the right place on the
 full-scale image, you can find (and tell the difference between) my dark green
 Camry, and the immediately adjacent dark grey Nissan my neighbor drives, and
 still see 3 feet worth of parking lot pavement in between them too...

 Not bad for 423 miles up and moving at 4.7 miles per second





Re: cooling door

2008-03-30 Thread Alexander Harrowell
On Sun, Mar 30, 2008 at 8:16 PM, Buhrmaster, Gary [EMAIL PROTECTED]
wrote:



  10-20 MW (or more) of nuclear power/gensets.

 While I would be much amused to see the response
 in the area when Paul requested approval to site a
 nuclear reactor on the Peninsula, I do not think
 even Paul is quite up to that challenge


Not so long up-thread, people were opposing water cooling on the grounds it
was too dangerous...what if something leaked? Now we're talking sticking a
nuclear reactor in your data centre.


Re: SMTP addresses in

2008-01-04 Thread Alexander Harrowell
On Jan 4, 2008 5:52 PM, Andrew Sullivan [EMAIL PROTECTED] wrote:


 I completely agree.  If it weren't for that philosophy, we wouldn't
 have an email problem at all.

 A


Because we wouldn't have e-mail? Consider the pain of getting worldwide
interoperability for a notmail system that insisted on strict
validation...


Is anyone aware of recent by-protocol traffic data in the public domain?

2007-12-04 Thread Alexander Harrowell
Excellent public studies of Internet traffic by protocol exist from NSFNet
times up to 2002 or 2003; we thank Odlyzko, Claffy et al for their work.

However, has anyone else noticed a serious lack of data after the end of the
studies summarised in "Longitudinal study of Internet traffic 1998-2003",
Fomenkov, Keys, Moore & Claffy, 2003? (This has been discussed in the past,
I think.) All that seems to be available is vendor handwaving of the sort
Andy Odlyzko takes so much trouble to debunk; and that without any source
data.

Curiously, no-one seems to be funding this stuff in Europe, either.

Alexander Harrowell


Re: Creating a crystal clear and pure Internet

2007-11-27 Thread Alexander Harrowell

On Nov 27, 2007 3:28 PM, John Musbach [EMAIL PROTECTED] wrote:

 On Nov 27, 2007 6:38 AM, Sean Donelan [EMAIL PROTECTED] wrote:
  France anti-piracy initiative
 
  http://www.culture.gouv.fr/culture/actualites/index-olivennes231107.htm
 

 I don't understand, how in the world do they plan to differentiate
 normal legal traffic from illegal pirating???

Especially as they also want to ban DRM; it's like they gave half the
report to Cory Doctorow to write and half to the MPAA.


Re: Comcast blocking p2p uploads

2007-10-23 Thread Alexander Harrowell

Good idea, but there's a trust issue. If I were Comcast I might
configure the box to lie about our backhaul network in order to spork
the p2pers.

On 10/22/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

  I can't think of an obvious way for a p2p client to detect this.

 Work through middleboxes installed in the ISP's network and configured
 by the ISP.

 --Michael Dillon



Re: Can P2P applications learn to play fair on networks?

2007-10-22 Thread Alexander Harrowell

MSO's typically understand this as eyeball heavy content
retrieval, not content generation

I was under the impression Comcast advertised Internet access, which
is read/write. Clearly I was mistaken...

Really, the heart of the matter is that in doing this they are not
being honest with their customers, the wider public, or other
networks. If they want to do this they should say so. Arguably, they
shouldn't do it anyway; I'd be delighted to pay some more for the
assurance that my ISP will, uh, provide Internet service if that turns
out to be necessary.

Perhaps it's time to recognise that we've reached a pricing floor.


Re: shameful-cabling gallery of infamy - does anybody know where

2007-09-10 Thread Alexander Harrowell
On Mon Sep 10 1:14, Jay Hennigan sent:


 
 Vinny Abello wrote:
 
  One of the stranger things a field tech of ours encountered wasn't
  necessarily bad wiring (although it's not great), but the fact that the
  demarc was located next to the toilet in the bathroom. Naturally, the
  constant humidity caused bad corrosion problems and other issues with
  their telco services. :) So as a general rule of thumb, avoid putting
  your telco and/or network gear next to the crapper or the services the
  equipment is meant to provide might also stink.
 
  http://users.tellurian.com/vabello/bathroom-demarc.jpg
 
 On the plus side, they didn't have to go far for a ground.


Our Internet service is in the toilet again!

Yes, that's where we installed it..


Re: FBI tells the public to call their ISP for help

2007-06-17 Thread Alexander Harrowell

On 6/17/07, Frank Bulk [EMAIL PROTECTED] wrote:



In the 2+ years I have been working for an ISP I'm not aware of one customer
that has gone over to one of our competitors because we identified and cut
them off for an abuse issue.  Most of them have been very grateful that we
identified a problem and are earnest in resolving it.



I'm pretty sceptical of the notion that it's easier to change ISP than
download a Windows update.  If that's true for your network, perhaps you
should tell us something about your provisioning/billing/CRM arrangements!