Re: ARIN email address (was cogent spamming directly from ARIN records?)

[Daniel Corbe]

On 10/3/2023 3:48 PM, Christopher Morrow wrote:

those are a bit of a false equivalence... but... ok.
I think: "Oh look, more spam, delete"
is basically how this sort of problem (email from randos trying to
sell me ED pills or 10Gs) should be treated.
I don't know that it's helpful to keep re-litigating that end state :(

I'm sure telling dave shaeffer: "Hey, your sales droids are being
rude" is going to end as well as sending him ED pill emails.


On the other hand, it's actually nice knowing Cogent are up to their 
same old tricks, so that when they try to end-around me to get a sale 
done, I have plenty of ammunition at my disposal to shoot them down.


Much like your ED pill E-Mail analogy above (and I think you might have 
been able to pick a less explicit example, but hey, edgy humor amirite?) 
it should be pretty trivial for you to nuke this thread so it doesn't 
keep appearing at the top of your inbox.


OpenPGP_signature.asc
Description: OpenPGP digital signature

Re: maximum ipv4 bgp prefix length of /24 ?

[Daniel Corbe]

On 9/29/2023 5:25 PM, Owen DeLong via NANOG wrote:
Several people ate the cake. I received numerous positive comments on it 
and some

of them are about the flavor of the cake.


The question is did anyone from Cogent eat it?  Did they have their cake 
and eat it too?





OpenPGP_0x8E96B69A30C1993B.asc
Description: OpenPGP public key


OpenPGP_signature.asc
Description: OpenPGP digital signature

SMTP-friendly VPS provider where I can also get a BGP feed

[Daniel Corbe]

Hey all,

I apologize if this isn't the right place to post this; however, I 
thought maybe the NANOG community would be able to point me in the right 
direction.


I'm looking for a place that I can host a mailer.  My primary use case 
is a Mailman-style technical discussion list; much like NANOG but 
software related instead of network related: READ: non-commercial in nature.


I'm currently a vultr customer, but they're refusing to unblock port 25 
on my account.  I've tried explaining my use case but no matter who I 
talk to over there they just keep pointing me to their spam policy.


Thanks!
-Daniel


OpenPGP_0x8E96B69A30C1993B.asc
Description: OpenPGP public key


OpenPGP_signature.asc
Description: OpenPGP digital signature

Spectrum/Charter business (cable) contact

[Daniel Corbe]

I’m having zero luck getting an issue with Charter/Spectrum escalated and I’m 
hoping to find a sympathetic ear that can contact me off-list.

Thanks,
Daniel



signature.asc
Description: Message signed with OpenPGP

Re: A crazy idea

[Daniel Corbe]

> On Jul 29, 2021, at 16:06, Joe Maimon  wrote:
> 
> 
> 
> t...@pelican.org wrote:
>> On Monday, 19 July, 2021 14:04, "Stephen Satchell"  said:
>> 
>>> The allocation of IPv6 space with prefixes shorter than /64 is indeed a
>>> consideration for bigger administrative domains like country
>>> governments, but on the other end, SOHO customers would be happy with
>>> /96, /104 or even /112 allocations if they could get them.  (Just how
>>> many light bulbs, fridges, toasters, doorbells, phones,  does SOHOs
>>> have?)  I would *not* like to see "us" make the same mistake with IPv6
>>> that was made with IPv4, handing out large blocks of space like so many
>>> pieces of M or Skittles candy.
>> Nay, nay, and thrice nay.  Don't think in terms of addresses for IPv6, think 
>> in terms of subnets.  I can't stress this enough, it's the big v4 to v6 
>> paradigm shift - don't think about "how many hosts on this net", think about 
>> "how many nets".
> 
> Think of how many large ISP's a /3 of ipv6 effectively holds, assuming that 
> /48 per customer is the norm, and /24 up to /12 assignments for those ISP's 
> is also.
> 
> In those terms IPv6 isnt that much bigger.

I haven’t seen evidence that any RIR has allocated an entire /12 to an ISP.  
Even a large one.  

Re: Anycast but for egress

[Daniel Corbe]

 
> On Jul 27, 2021, at 17:20, Vimal  wrote:
> 
> Hi all, great replies. :) Let me clarify my initial question, and then 
> respond one by one:
> 
> My intention is to run a web-crawling service on a public cloud. This service 
> is geographically distributed, and therefore will run in multiple regions 
> around the world inside AWS... this means there will be multiple AWS VPCs, 
> each with their own NAT gateway, and traffic destined to websites that we 
> crawl will appear to come from this NAT gateway's IP address.
> 
> The reason I want a predictable IP is to communicate this IP to website 
> owners so they can allow access from these IPs into their networks.  I chose 
> IP as an example; it can also be a subnet, but what I don't want to provide 
> is a list of 100 different IP addresses without any predictability.
> 
> I understand that this is not perfect, and would frankly not be my preferred 
> approach to solve the problem but we've had requests of this nature from 
> websites to create an allowlist of a limited number of predictable IPs so it 
> doesn't trip their IDSs/other systems they might have... so we're trying to 
> see how well it would work in practice.  For the moment, let's set aside the 
> issue as to whether AWS will even let me advertise the same IP on all my VPC 
> NAT gateways, and just look at whether it's technically feasible.  My gut 
> feeling is that this wouldn't work well in practice, but I wanted to ask the 
> experts here...
> 
> Also, pointers on what the best practices for solving this issue are most 
> welcome, so I can reference those who ask for IP addresses to this discussion 
> and follow recommendations here.
> 
> Onto the responses:
> 
> @o...@delong.com and @wo...@pch.net athomp...@merlin.mb.ca
> > Because there’s no good/reliable way to get the replies back to the correct 
> > initiating host. 
> 
> > When my clients make connections outbound to anycast addresses, the 
> > destination is more-or-less stable, and the replies come back to the 
> > client's unique IP, so anycast works in that direction.  The guarantees are 
> > not present in the reverse direction.
> 
> Yes, this makes sense as the destination can be anywhere around the world, 
> and that routing is asymmetric as others mentioned.  However, if the 
> destination service is "close" (in the routing metric sense) to the 
> initiating host, anycast return IP ought to work well, right?  I understand 
> this is a very important caveat and impractical to implement correctly in the 
> real world.
> 
> > We use our IGP (IS-IS) for our Anycast services. We find it to be very
> basic, and as such, very predictable.
> 
> This is interesting... I wonder whether Anycast will still have some failure 
> modes and break TCP connections if routing (configuration) were to change?  I 
> checked the PDF linked by Bill Woodcock... while the methodology is the same 
> from 20y ago, would the data still be the same (order of magnitude)? :)
> 
> https://www.pch.net/resources/Tutorials/anycast/Anycast-v10.pdf (p38)
> "Limited operational data shows underlying instability to be on
> the order of one flow per ten thousand per hour of duration."
> 
> @dan...@corbe.net, @m...@netfire.net, 
> > Unless you’re twisting knobs, egress traffic should already exit your 
> > network at the closest possible egress point to its origin.  Is your 
> > intention to carry the traffic for longer than that?
> No, but I hope my intention is more clear in this email.  It's to have a 
> predictable egress IP to simplify firewall rules.
> 
> thanks all!!
> 
> 
> On Tue, Jul 27, 2021 at 12:25 PM Adam Thompson  wrote:
> Without any sarcasm: to make it harder to block.
> If, say, Google, always crawled your site from 8.8.1.2 (random made-up 
> example) then you would see a not-insignificant number of hosts and networks 
> null-routing that IP.  I have no idea why someone would do so, but I've seen 
> it done many times.  Mostly by people who don't understand how un-special 
> they are on the internet.  Also it would trigger IDS/IPS systems all over the 
> place, having gobs and gobs of connections coming from a single IP.
> 
> That's setting aside the technical issues involved; routing is often 
> asymmetric, i.e. the return packet takes a different path than the inbound 
> packet.  So it would, as Owen implied, be nearly impossible to ensure the 
> reply packets got back to the correct TCP stack.  As an example, I'm 
> multi-homed and use path-prepending, so if a packet claiming to be from 
> 8.8.8.8 arrived on one of my commercial links, I would send the reply out the 
> cheapest link, which in my case is a flat-rate R network (that has a path 
> to Google), thus ensuring the reply does not get to the originating anycast 
> node.
> 
> When my clients make connections outbound to anycast addresses, the 
> destination is more-or-less stable, and the replies come back to the client's 
> unique IP, so anycast works in that direction.  The 

Re: Anycast but for egress

[Daniel Corbe]

> On Jul 27, 2021, at 12:54, Vimal  wrote:
> 
> (Unsure if this is the right forum to ask this question, but here goes:)
> 
> From what I understand, IP Anycast can be used to steer traffic into a server 
> that's close to the client.
> 
> I am curious if anyone here has/encountered a setup where they use anycast IP 
> on their gateways... to have a predictable egress IP for their traffic, 
> regardless of where they are located?
> 
> For example, a search engine crawler could in principle have the same IP 
> advertised all over the world, but it looks like they don't...  I wonder why?
> 
> -- 
> Vimal
> 

Unless you’re twisting knobs, egress traffic should already exit your network 
at the closest possible egress point to its origin.  Is your intention to carry 
the traffic for longer than that?

Re: Cogent emails

[Daniel Corbe]

My reply to Cogent sales reps is usually something along the lines of
"We have a corporate policy of only taking connections from providers
that can give us a full Internet connection."

They get defensive when I point out that they have large holes in
their IPv6 routing table, but it usually gets them to go away for a
while.

On Mon, Sep 14, 2020 at 2:23 PM Ryan Wilkins  wrote:
>
> All I did was express interest a few years ago and ever since then they’ve 
> called and emailed me pretty regularly.  Just got one yesterday.  I’m 
> probably on the fourth sales guy now since I first asked.
>
> Ryan Wilkins
>
> > On Sep 14, 2020, at 3:00 PM, Jesse DuPont  
> > wrote:
> >
> > We started getting emails the moment we got our own AS (earlier this year).
>

Re: Carriers

[Daniel Corbe]

On Tue, Jan 21, 2020 at 12:47 PM Rod Beck 
wrote:

> Does anyone know who are the providers in this building? US Signal is
> there. Anyone else?
>
> 222 West Washington Ave, Madison.
>

Surely the landlord would have a list of carriers providing service into
the property.

Re: Unsolicited LinkedIn requests

[Daniel Corbe]

at 5:40 PM, John Levine  wrote:

In article  you  
write:

Agreed, and I do get unsolicited Linkedin requests quite often.
Sometimes, this is clearly the result of someone scraping a list like
NANOG in an effort to drum up new business/contacts.  Those end up in the
bitbucket.


When you turn down a connection there should be "I don't know this
person" which demotes them somehow.  I gather that with enough of
those, you can't do invites any more.


This was the case back when LinkedIn were actively enforcing their TOS. 
LinkedIn was largely started as and designed to be a referral service.   As  
far as I can tell though, they’ve been letting strangers freely connect  
with one another for years now.


-Daniel

Re: Unsolicited LinkedIn requests

[Daniel Corbe]

If you don’t want people contacting you on Linkedin then why do you have a  
link to your profile on your website?


at 4:08 PM, Alfie Pates  wrote:


Hi folks,

I'm not going to name-and-shame, but I just got a LinkedIn connection  
request completely out of the blue from somebody with the comment  
"Greetings from another NANOG user!"


I didn't recognise the name, and a quick search of my email history  
suggests we haven't interacted before.


Please don't do this: It's not very polite.

~A

Re: WIndows Updates Fail Via IPv6

[Daniel Corbe]

at 4:29 AM, Mark Tinka  wrote:


Hi all.

Anyone ever figured out why Windows updates fail when the computer has an  
IPv6 connection?


Google has tickets and tickets of this to and outside of Microsoft since  
2013, with no real solution or answer as to what the problem actually is.  
In essence, many of the solutions out there point toward making sure the  
updates do not occur over IPv6, which, in effect, is the same as  
disabling it.


I have a family PC at home running Windows 10 Pro, and noticed updates  
would fail in recent months. It took me a moment to realize that this  
started happening only after I enabled IPv6 in the TCP/IP stack.  
Disabling it immediately solves the issue.


Quite odd that this is happening in 2018...

Mark.


I’ve had IPv6 enabled for a while and I don’t have the same issue.  We also  
peer directly with Microsoft.   Are you sure it’s an IPv6 issue and not a  
general reachability issue?


-Daniel

Re: Amazon network engineering contact? re: DDoS traffic

[Daniel Corbe]

at 8:40 PM, Tom Beecher  wrote:

Nobody should ever be forced to peer to get someone to address abusive  
traffic originating from networks under their control.





Especially considering the fact that Amazon is just a bit selective about  
their peers.  Though, the size of our border probably had a lot to do with  
the fact that we didn’t get a response the first time when we requested  
peering for our 10s of megabits of traffic, we none the less didn’t get a  
response the first time we tried.   Not even a “go away until you have some  
traffic of significance.”


In the end, we had to implore a back channel to get a peering session set up.

Re: Brocade SLX Internet Edge

[Daniel Corbe]

I’m just going to echo what a few others have been saying.  Brocade (now  
Extreme) have come a long way since the Foundry days; and the SLX isn’t  
based on the old Netiron code.   The platform is a completely different  
animal.


I’ve been a happy Brocade customer for a while now.

Re: It's been 20 years today (Oct 16, UTC). Hard to believe.

[Daniel Corbe]

at 1:11 PM, Scott Weeks  wrote:



Wow, was it a table of folks new to network engineering?
If so, then schooling; if not, then clue bat...  :-)

scott


The one thing I remember about Postel, other than the fact that he had his  
fingers in a lot of DNS pies, is be liberal about what you accept, be  
conservative about what you send.  It’s a notion that creates undo burden  
on the implementor, because it places the expectation on the that you need  
to account for every conceivable ambiguous corner case and that’s not  
always the best approach when implementing a standard; and it mostly arises  
from the lack of adherence to the second part of that statement.

Re: Whats going on at Cogent

[Daniel Corbe]

at 11:34 AM, DaKnOb  wrote:

I guess people really don’t like Cogent judging by the fact that one  
unrelated email caused all this to happen again.. :-)


Cogent have more pain points on average but they’re still the best option  
for getting to other Cogent customers.  It’s not really hard to design  
around their shortcomings.   I’d rather have 30 small links and be  
well-connected than two large ones and be SOL because someone refuses to  
peer.


I can’t speak to their MPLS service, because cogent’s the last company I’d  
ever trust with my backbone.

Re: Hulu / ESPN: Commercial IP Address

[Daniel Corbe]

I had a customer with a similar issue.   I statically assigned them a  
different IP and it didn’t resolve it.   The problem turned out to be tied  
to their Hulu account.


The customer is going to need to keep pressing the issue with Hulu’s  
technical support group.   Make sure they’re not using a VPN to connect to  
the Internet and have them keep calling Hulu back until they get someone  
clueful on the phone.


In my customer’s case, they eventually had to “re-home” them to resolve  
it.  I have no idea what that entails.


-Daniel

at 12:35 PM, Jason Canady  wrote:


Hello,

I have a customer that is using Hulu Live to stream ESPN, however it  
isn't showing up in their Channel list.  They reached out to Hulu and  
it's because their IP address is 'commercial'.  We have many customers  
using Hulu without problems, but it seems specific to ESPN.  Anyone else  
have this issue?  Do you reach out to ESPN or Hulu?


If anyone has any information, please share it.  Appreciate your help in  
advance!


Best Regards,

Jason Canady
Unlimited Net, LLC
Responsive, Reliable, Secure

Re: new(ish) ipv6 transition tech status on CPE

[Daniel Corbe]

Tom Ammon  writes:

> Are there any CPE vendors providing MAP-T features yet? I'm working on 
> rolling v6 to residential subscribers and am trying to
> understand what the landscape looks like on the CPE side, for MAP-T 
> specifically.
>
> What about 464XLAT on a CPE - is that a thing? I know that 464XLAT has been 
> running for a while on some mobile provider networks,
> but are there any vendors out there with a decent/mature CLAT implementation 
> in a CPE product that is ready to buy right now?
>

Good luck.   I've been barking up the MAP-T tree with cable modem
vendors for a couple of years already.   Since I have literally 0 buying
power in comparison to the likes of Comcast and Cox, I've gotten nowhere.

-Daniel

Re: Massive Price Increase for X-conns at Telehouse Chelsea, NYC

[Daniel Corbe]

at 4:26 PM, Phil Lavin  wrote:

$350/mo seems to be standard. Our DCs are at $250.Seems more like  
they held onto out of date pricing for a long time then realized it.


For what it's worth, Telehouse London is around 30 USD/month for an  
x-connect within the same building. Our US datacentre (not Telehouse) on  
the other hand is around 200 USD/month. It's always felt  
disproportionally expensive but maybe those kind of prices are expected  
for the North America region.


Yeah $30 is definitely not the norm on this side of the pond.   Even if you  
buy in bulk.

Re: Massive Price Increase for X-conns at Telehouse Chelsea, NYC

[Daniel Corbe]

at 10:57 AM, Fredy Kuenzler  wrote:


Is anyone else affected by a massive price increase for x-conns by
Telehouse Chelsea?

When we moved in a few years ago they were asking 150$, it changed to
200$ and now we are asked to pay 260$. That's 73% more. I don't think
inflation is that high in the United states.

I get the impression that they feel comfortable enough to abuse their
position. When we complained they simply said 'you may consider to
cancel the contract'.

Of course they don't provide any better service, in fact, the service
quality is commonly indirectly proportional to the price at most 'big
names'. #rant

I suggest to anyone considering to buy colocation space in NYC (or
elsewhere) not to choose Telehouse, unlike a few years ago.

--
Fredy Kuenzler
Init7 (Switzerland) Ltd.


$300 MRC for a once-off cross connect isn’t unreasonable.   There’s costs  
and labor involved in running that cable through a riser.  Especially if  
you want it in innerduct.


I’m not sure what Telehouse’s policies are because I’m not a customer, but  
some companies (TelX comes to mind) you can order them in bulk at a  
significant discount.   Even with the extra labor involved in splicing it  
to a panel, running a 12 or 24 count cable into a cabinet is a much easier  
pill to swallow than having a guy up on a ladder or under a floor every  
time you want to turn up a customer.


Then there’s always off-market options too.   You don’t need to be in New  
York to have decent connectivity to the New York metro region.   There’s a  
few places in Jersey that offer free cross connects in their meet-me rooms  
because they’re so desperate to have carriers move into their  
facilities.I don’t think many of them have connectivity to major  
peering fabrics, though.

Re: Multicast traffic % in enterprise network ?

[Daniel Corbe]

On 8/8/2018 18:22:04, "Scott Weeks"  wrote:



--- j...@depaul.edu wrote:
From: John Kristoff 

:: In my experience, real world IP multicast experience
:: and expertise is almost non-existent.



Major snippage, but these're my experiences, too.
However, not in the .edu world.

scott





I've been working with IP now for close to 15 years and my first 
exposure to multicast wasn't until I recently began working on a cable 
TV product for an ISP that runs a residential access network.


So I can believe that, for sure.

Re: Feedback - SBC Vendors.

[Daniel Corbe]

at 7:56 PM, Ryan Finnesey  wrote:

I am going to have to install a series of SBCs for a  voice offering  
connected to Microsoft Teams.  We are going to pass the SIP traffic off  
to a larger number of SIP providers.  I would like  to get some feedback  
from the group on SBC vendors.  I have two options for vendors Ribbon or  
AudioCodes.  I am leaning towards a software based SBC over an appliance.


Would be helpful to get the other members feedback on Ribbon or  
AudioCodes deployments within their networks.


Cheers
Ryan


I have a few things to add to this because I’ve been through the ringer  
when it comes to SBCs.


1) I didn’t know AudioCodes still made SBCs.   But at one point in time,  
they absorbed NetRake and promised NetRake’s customers that they’d continue  
looking after the product.   A couple of years after that deal was done,  
they discontinued support with only a few months warning.   So given their  
track record, maybe it’s something to avoid.


2) No opinion on Ribbon.   I’ve never worked with their stuff.   If you’re  
looking for suitable market alternatives for feature and pricing  
comparison, check out Genband and Sansay.


3) Avoid Oracle’s SBCs like the plague.   They used to be Acme Packet, the  
industry gold standard.   But under Oracle, they’ve crushed themselves  
under the weight of their own apathy.   I’ve had nothing but support  
nightmares.  I still to this day have a pair of broken 3830s that they  
refuse to take a look at.


4) The notion that software based solutions are better than hardware ones  
is a good notion.   On modern hardware, a dual-core VM can process a few  
thousand simultaneous calls at very healthy and respectable tear-down and  
set-up rates.  And hardware is always going to be more expensive than  
software.


-Daniel

Re: optical circulator as a bidirectional one fiber solution

[Daniel Corbe]

On 8/7/2018 15:46:03, "Baldur Norddahl"  
wrote:



Hello

There is a lack of bidirectional one fiber (BIDI) options for 40G and 
100G optics. Usually BIDI is implemented using two CWDM wavelengths, 
one for tx and one for rx. However there is also a lack of CWDM and 
DWDM options for 40G and 100G.


Would it be possible to use an optical circulator like this one 
(customized to 1310 nm)?


https://www.fs.com/de/en/products/33364.html

Combined with a traditional two fiber 1310 nm 10 km 40G QSFP module 
like this: https://www.fs.com/de/en/products/24422.html


The link distance would be 5 km.

The optical circulator separates tx and rx by the direction the light 
travels in. It would work even though both directions use the same 
wavelength. There will likely be some reflection but hopefully 
attenuated enough that it is regarded as background noise.


Has anyone done this? Any reason it would not work?

Regards,

Baldur



The main issue you're going to run into (especially trying to plug 
anything into a DWDM shelf) is 40G and 100G transceivers usually emit 4 
lanes of traffic instead of a single lane like 10 and 1G optics do.


I'd imagine that's why there are so few solutions that don't involve 
things like OTN.

Re: Best practices on logical separation of abuse@ vs dmca@ role inboxes

[Daniel Corbe]

at 8:56 PM, John Levine  wrote:


In article  you write:

I'm very sorry to read that, as an ISP, you have to comply with a
para-judicial process that puts you in charge of censorship.


Dealing with DMCA notices is a matter of statute law in the US, and it
is a really, really bad idea to ignore them unread.  It doesn't matter
what anyone here thinks about it.

R's,
John

PS: Here's why:

https://www.techdirt.com/articles/20180802/17420540355/sensing-blood-water-all-major-labels-sue-cox-ignoring-their-dmca-notices.shtml


This.

Plus I’m largely indifferent to it.   On one hand, I’m a firm believer in a  
free and open Internet.   But on the other hand, it’s so easy to hide your  
online activity that I have a hard time feeling sorry for anyone who gets  
caught up in the drag net.  Anyone who gets a notice from us is completely  
and utterly apathetic about online privacy and it’s astonishing to be just  
how lazy people really are.


I only have a few hundred users, so definitely not a representative sample  
size, but in all my time here we’ve only had a single repeat offender.

Re: Best practices on logical separation of abuse@ vs dmca@ role inboxes

[Daniel Corbe]

On 8/5/2018 18:46:36, "Rich Kulawiec"  wrote:


On Sun, Aug 05, 2018 at 07:43:36PM +0000, Daniel Corbe wrote:

This is a solvable problem.  If they're sending unsolicited bulk email
(aka "spam"), then they are, by definition, spammers.  Block them and
move on.  If/when they decide to send proper DMCA notices and send them
to the proper address, perhaps you can then allow them to petition for
the privilege of access to your mail system.




It doesn't work like that though.   I can't just bitbucket DMCA takedown 
requests because I also provide people with cable TV service.  That 
means I have content contracts and these contracts are all very specific 
about what I need to do to process DMCA takedown requests.   I'm sure 
that they receive reports regularly from the companies they contract to 
do DMCA enforcment.Or maybe they don't and I have no idea what I'm 
talking about.   But I'm still not going to put my content contracts at 
risk because I think my users would be even more pissed off if their 
cable TV packages were suddenly unavailable to them.

Re: unwise filtering policy on abuse mailboxes

[Daniel Corbe]

Maybe he’s hoping there’s an off chance that someone from psychz.net is  
subscribed and listening.   After all they run a network and this is an  
operational mailing list.


at 10:54 PM, Mel Beckman  wrote:


Why are you telling us here on Nanog?
 -mel

Re: Comcast

[Daniel Corbe]

at 1:57 PM, Steve Saner  wrote:


On 06/29/2018 12:53 PM, Daniel Corbe wrote:

Can someone from Comcast contact me off list?
Your customers can’t reach my network right now.


Seems to be a known issue:

https://tech.slashdot.org/story/18/06/29/1730238/comcast-and-xfinity-facing-a-nationwide-outage-users-say

Steve



Thank you all!   Sorry for the noise.

-Daniel

Comcast

[Daniel Corbe]

Can someone from Comcast contact me off list?

Your customers can’t reach my network right now.

Re: Tunable QSFP Optics

[Daniel Corbe]

QSFPs generally output 4 lanes of traffic.  Either 4 channels at 10G or 4  
channels at 25G.   So unless you find an optic that can do single-channel  
OTN at 100G, you’re probably going to have a hard time plugging them into a  
DWDM shelf.


at 12:27 PM, Lewis,Mitchell T.  wrote:

Does anyone know if any Single Mode QSFPs exist on the market that use  
wavelengths other than 1310nm (either self tunable or factory tuned)? I  
am looking to put more than one 40gb link on a fiber pair similar to  
using DWDM OADMs for 1g & 10g but can't seem to find any qsfp optics that  
don't use 1310nm.


Thanks.


Regards,

Mitchell T. Lewis

[ mailto:mle...@techcompute.net | mle...@techcompute.net ]


[ http://linkedin.com/in/mlewiscc ] |203-816-0371

PGP Fingerprint: 79F2A12BAC77827581C734212AFA805732A1394E [  
https://pgp.mit.edu/pks/lookup?op=get=0x2AFA805732A1394E | Public  
PGP Key ]

Re: What are people using for IPAM these days?

[Daniel Corbe]

+1 for Netbox.

at 4:56 PM, Justin Seabrook-Rocha  wrote:

Netbox (https://github.com/digitalocean/netbox  
) is our choice. Can be  
completely API driven, has a lot of DCIM type functionality as well.


Justin Seabrook-Rocha
--
Xenith || xen...@xenith.org || http://xenith.org/




On Jun 10, 2018, at 13:48, Mike Lyon  wrote:

Title says it all... Currently using IPPlan, but it is kinda antiquated..

Thanks,
Mike

--
Mike Lyon
mike.l...@gmail.com
http://www.linkedin.com/in/mlyon

Re: Need /24 (arin) asap

[Daniel Corbe]

at 12:11 PM, Mike Hammett  wrote:

Unfortunately, for an eyeball network, you don't have a good way of  
knowing that ahead of time without actually using it.





Very true.   We got lucky with our transfer block.   A /21 from Dupont’s  
address space that was never even announced before.   But as always, YMMV.

Re: ICANN GDPR lawsuit

[Daniel Corbe]

at 2:40 PM, Baldur Norddahl  wrote:


man. 4. jun. 2018 17.31 skrev McBride, Mack :


GDPR doesn't play well with directory listing services.
BUT since providing contact information is exactly what a directory
listing service does,
It is safe to assume that this is 'essential' under GDPR.


No it is very clear that publishing private information about individuals
is in fact not necessary to assign netblocks and domains to companies.

It is a little less clear when the ressource is assigned to an individual.
But considering there already exist privacy options for domains, the same
solutions could be implemented for other ressource types.



It occurs to me that operators might want to opt-in to have their data  
published through PeeringDB.  From a purely pragmatic standpoint, I won’t  
peer with anyone I can’t reach out to and if you don’t have a 24/7 NOC  
chances are good that you’re going to get depeered the first time there’s a  
technical issue and I can’t reach you for help.


An academic exercise, for sure.   But one that would render this line of  
thinking rather moot.

Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

[Daniel Corbe]

On 5/15/2018 05:59, Brian Kantor wrote:
> 
> I imagine some fool told them this improves security, and they were
> stupid enough to believe it.
>   - Brian
> 

It's a bit simpler than that.   Too many people are dazzled by polished
presentations.   It's a sad fact of life that there are way too many
people walking around that are distracted by shiny things.

Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours.

[Daniel Corbe]

Is MyEtherWallet really doing 500k/hr in business though?

> On Apr 24, 2018, at 2:35 PM, Fredrik Korsbäck  wrote:
> 
> Aloha.
> 
> Surprised this hasnt "made the news" over at this list yet.
> 
> https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f
> 
> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/2teeVLJ44RM/Yqk5GHSpCQAJ
> 
> https://twitter.com/barton_paul/status/988788348272734217
> 
> TLDR; So it seems that AS10297 (some small hostingprovider in the US) 
> suddenly started to announce de-aggregated AWS
> IP-space, containing quite alot of Route53 infrastructure, put up resolvers 
> on their own on the hijacked IP-space and
> pointed *ATLEAST* www.myetherwallet.com to a ip-address that seems to be some 
> kind of transparent proxy out of russia
> with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)
> 
> I did digging in my own logs and played it through BGP-play - seems like it 
> was in fact only Hurricane Electric (6939)
> that actually propagated this prefix to the Internet. Which makes sense since 
> we have seen them being part of the
> problem in almost all recent hijacks.
> 
> Can we do some collaborative digging in other tools you have handy (i guess 
> thousand eyes probes etc could be of help
> here) to track how big the propagation was?
> 
> Being abit involved in the Ethereum world it could be noted that the login to 
> MyEtherWallet.com is abit special since
> you actually login with you wallet-seed and not user/pass to the site... 
> giving the possibility to make really swift
> transfers without having actual access to the real site (for good and 
> bad).
> 
> -- 
> hugge @ 2603
> 

Firewall as a Service.

[Daniel Corbe]

Are there any vendors that have hardware firewalls and maintain their own 
Openstack nova/neutron driver set?

I’m looking for something that I can offer to my VPS customers as a 
self-managed service.   At the moment, I’m using the default firewall driver. 
Which is nothing but a wrapper for iptables; and while seamless, I can’t 
imagine it’s going to scale very well.   

I’m looking for something that has 10 gig client connectivity and either 100G 
or 40G uplinks.

-Daniel

Re: Comcast / Level3 Peering Issues?

[Daniel Corbe]

> On Mar 22, 2018, at 5:48 PM, David Deutsch  wrote:
> 
> Hey guys,
> 
> VoIP provider here with primary connectivity through Level3 in LAX.
> 
> For the past week+ we have seen dropped RTP packets between our Level3
> connection and Comcast fiber customers located in Denver and Detroit
> 
> Initially we worked under the assumption that something was occuring at the
> customer locations (such as localized packet loss), however we now suspect
> dropped packets between L3 and Comcast. Forcing traffic over to other
> carriers through community strings resulted in no packet loss.
> 
> The issue appears to be in the evening and I was hoping either someone from
> L3 network ops or a list member in the know might have some useful
> information.
> 
> Thanks,
> David
> 

I’m no expert in the way Comcast run their network, so the following advice 
needs to be taken with a giant grain of salt.

Historically, Comcast have a tendency to run their peering hot.  

It sounds like you’re trying to reach a Comcast wholesale customer.  In which 
case, steering your traffic around the Level3<->Comcast Interconnect by 
filtering Comcast’s prefixes from your Level3 connection and manipulating your 
community strings is the right move. 

If you’re trying to reach Comcast broadband customers, steering the traffic 
away from their Level3 interconnect is still probably the correct thing to do 
but with the caveat that broadband cable access is and always has been a 
best-effort service.

-Daniel

Re: Amazon Contact

[Daniel Corbe]

> On Sep 8, 2016, at 1:54 PM, Shon Elliott  wrote:
> 
> Hi everyone,
> 
> Sorry for having to ask this, but I haven't been able to chase down anyone 
> from Amazon. Can someone from Amazon who might be watching the list who deals 
> with the Amazon Instant Video, FireTV, Music, and other streaming media 
> sections please contact me off-list regarding a serious issue? I would 
> appreciate it very much.
> 
> 
> Kind Regards,
> Shon Elliott, KK6TOO
> selli...@getunwired.com
> 
> 
> 


I also need to chase down someone from Amazon.  None of my customers seem to be 
able to access websites hosted on AWS.  Including www.netflix.com and 
www.amazon.com proper.

-Daniel

Re: IPv6 is better than ipv4

[Daniel Corbe]

> On Jun 2, 2016, at 12:13 PM, Ca By  wrote:
> 
> On Thursday, June 2, 2016, Josh Luthman  wrote:
> 
>> Just a thought - ipv4 includes older more rural connections such as 1M DSL
>> out in the sticks.  That weighs the average connection time down.  v6 being
>> capable on modern 4G wireless and fiber connections makes the average
>> faster.
>> 
>> 
>> 
> Akamai, linkedin, and facebook are not lightweights when it comes to data
> analysis.   Meaning, they know about selection basis. I'll also mention
> that google has v6 as well.
> 
> FTFA,  Akamai states they isolated dual-stack iphones on vzw and ran
> parallel RUM v4 and v6 tests.  I believe FB did the same thing and
> presented the data at nanog 64
> 
> CB
> 

Just an ancillary thought.

Maybe we should let people believe that IPv6 is faster than IPv4 even if 
objectively that isn’t true.  Perhaps that will help speed along the adoption 
process.

NYC & Philly Metro rack stack and config

[Daniel Corbe]

If anyone in the NYC and Philly metro areas want to make a few extra bucks, 
contact me off list.

I need someone to drop an initial config on some brocade routers and run some 
cabling.  

Best,
Daniel

Re: ARIN down?

[Daniel Corbe]

> On Mar 26, 2016, at 12:43 AM, Mel Beckman  wrote:
> 
> I haven’t been able to connect to http://arin.net for several hours, but was 
> able to open a ticket this morning. I’ve tried from several different 
> networks, all roads seem to lead to the same place, with packets dropping at 
> the NTT interface 129.250.196.154. e.g.:
> 
> ...
> 
> I recall ARIN had a DDoS attack a week or so ago. Does anybody know if this 
> is a recurrence?
> 
> -mel

An announcement went out on arin-announce yesterday (but you might not be able 
to follow the link if you can’t reach list.arin.net):

http://lists.arin.net/pipermail/arin-announce/2016-March/001963.html

tl;dr: Massive DDoS.  Usual affair.  Welcome to the Internet.

Re: Remote hands mailing lists?

[Daniel Corbe]

You may also want to try some places where content providers and content 
creators gather like webhostingtalk because there’s often small operators and 
individuals there trying to get their names known who may appreciate picking up 
extra work. 

> On Feb 20, 2016, at 9:31 PM, Christopher Morrow  
> wrote:
> 
> I think (though I don't see much traffic on it):
> 
>  newh...@snausages.com
> 
> works like this.
> 
> On Fri, Feb 19, 2016 at 5:30 AM, nanog  wrote:
>> Sorry if this off-topic.
>> 
>> Are there any mailing lists/forums/websites that independent techs can post
>> availability for remote hands work?
>> 
>> I just got let go from my company and am looking for anyone who needs remote
>> hands work in Phoenix.
>> Server/wiring/fiber/dwdm/design/button-pushing/consulting/etc.
>> 
>> Thanks- and apologies again if this isn't on-topic.
>> 
>> b
> 

-48DC electrical supply

[Daniel Corbe]

Where do you guys get your supplies (wire, connectors, tools) for -48VDC stuff?

as24748

[Daniel Corbe]

Can anyone venture a guess as to what this might be about?

http://irrexplorer.nlnog.net/search/AS24748:AS-THINX

Why would my ASN be part of a foreign AS-SET?  Is this something I need to 
worry about?  My gut reaction is to reach out to ripe.

Re: Cable Operator List

[Daniel Corbe]

Hey Colton, 

We’re using small 16 channel CMTS systems for residential MDUs and colocating 
them directly on premise inside of wiring closets and then connecting them by 
metro ethernet.  We’ve had great successes so far with this model.

There’s lots of CMTS vendors.

There’s tons of used Motorola BSR 64Ks on the market, but be aware of the lack 
of useful IPv6 features (like prefix delegation) in older software releases.  
If you buy a box and want to run 7.x or 8.x, you’ll need to relicense your 
downstream and upstream channels at some additional arbitrary fixed cost.  

I’m personally fond of these things:

http://picodigital.com/product-details.php?ID=miniCMTS200a

You can only bond 16 channels together max though because that’s all the box 
supports and you can’t bond across boxes; however, these things are less than 4 
grand if you buy them in bulk so they’re really fucking easy to just spam 
everywhere.

Blonder Tongue makes a pizza-box style CMTS too:

http://www.blondertongue.com/shop-by-department/catv/ip-over-coax/docsis/euro-docsis/

As does Harmonics:

http://harmonicinc.com/product/cable-edge/nsg-exo

All three are based on the same chipset, so the real differentiation is price 
and firmware features.  

Then there’s Cisco.

The UBR is a popular platform.  And pretty soon there’s going to be a glut of 
UBR10Ks on the Market because Comcast is busy ripping their UBRs out of 
production because they’re upgrading their cable plant to the CBR platform.

Then the Arris C4, if you have deep pockets, is a modern version of the BSR:

http://www.arris.com/products/c4-cmts/


> On Feb 2, 2016, at 9:00 AM, Colton Conor <colton.co...@gmail.com> wrote:
> 
> Well, maybe NANOG's not a bad place for this post then! I would like to know 
> more about the data-only side of CMTS systems, and who the main vendors are. 
> 
> We have MDU properties where there is either old inside CAT3 phone wire, or 
> coaxial cable. We have looked and are very familiar with the multiple 
> technologies that work over phone lines namely VDSL2 and G.FAST. However, 
> using the coaxial cable seems to be a much better solution than using the 
> phone wires.
> 
> So I am looking for compacts, low cost CMTS systems. Based on the specs, I am 
> looking for something at least DOCSIS 3.0 capable, with at least 16X4 output. 
> Something with the ability to upgrade to software upgrade to DOCSIS 3.1 would 
> be nice, but I doubt that would be a low cost solution.
> 
> Whats out there for small operators that don't want a large chassis based 
> system to feed an entire town with. 
> 
> So far I have found the 
> http://picodigital.com/product-details.php?ID=miniCMTS200a which seems to 
> retail for under $5000. 
> 
> 
> On Tue, Feb 2, 2016 at 7:48 AM, Daniel Corbe <dco...@hammerfiber.com> wrote:
> 
> > On Feb 2, 2016, at 8:42 AM, Colton Conor <colton.co...@gmail.com> wrote:
> >
> > Are there any mailing lists out there dedicated for cable/MSO type
> > operators?
> >
> 
> I'm curious about this too.
> 
> I’m not a cable operator (in that I haven’t successfully registered for a 
> cable franchise yet) but I do operate a docsis network and I’ve successfully 
> negotiated the treacherous waters of obtaining and providing content to my 
> users.
> 
> I’m still a bit green behind the ears but I could probably offer some measure 
> of assistance if you have a specific question.
> 
> -Daniel
> 
> 

Re: Cable Operator List

[Daniel Corbe]

In-line below.

-Daniel

> On Feb 2, 2016, at 10:47 AM, Colton Conor <colton.co...@gmail.com> wrote:
> 
> Daniel,
> 
> Thanks for the wealth of information. What kind of speeds are you offering? 
> How many customers are you putting on one of these boxes? What modems are you 
> using?

We’re using Arris modems because we have the least amount of signal-related 
issues with them.  We’ve had to drop to 64qam because portions of our network 
runs over the air and we run into SNR issues at 256qam on the downstream.  This 
is important because it basically halves our available bandwidth.  I quoted 
some figures below based strictly on channel width but the reality of our 
situation is we see about half those numbers.

We don’t cap our users.  Every modem on the network can bond all 16 channels if 
it’s capable and it wants to.  We’ve got one plan.  Which means they can burst 
as high as they want within reason.  Every month we’re in contact with the top 
talkers in each sector and we ask them to curb their bandwidth usage.  

With this model we get about 50 to 75 users to every 16 channel CMTS we deploy. 
 In a 200 unit apartment building, we’d deploy 4 to 6 boxes.   On a 2000 user 
airbox station, we’d deploy about 20 of them.  

There’s also one more consideration.  Our TV service is IPTV.  Since we’re not 
pumping DVB-C or DVB-S signal down the cable, we’ve got nearly a full Ghz of 
spectrum with which to use for DOCSIS channels.  This gives us a lot of 
flexibility to just add additional CMTS when we begin to run into capacity 
issues.

> 
> I would honestly perfer something that was hardened for outdoor use. Think 
> garden style apartments. What is the best for something like that? 

I’m sure someone somewhere makes an environmentally hardened CMTS but I’m not 
currently aware of any at the moment.  Most of my equipment sits in wiring 
closets. 

> Any reasons not to use EURO DOCSIS in the USA? Looks like it offers more 
> speeds by using fatter channels. We don't plan on offering TV, but even if we 
> did couldn't we just start the channels at a higher range, and still use EURO 
> DOCSIS? 

EuroDOCSIS would be a better option if you’re looking to maximize bits per 
hertz and have enough spectrum to play with.  You get 8Mhz channels for 6Mhz 
channels which means at 16 channels you’ll get 800Mbit/sec to a modem instead 
of 640Mbit.

> 
> On Tue, Feb 2, 2016 at 8:17 AM, Daniel Corbe <dco...@hammerfiber.com> wrote:
> Hey Colton,
> 
> We’re using small 16 channel CMTS systems for residential MDUs and colocating 
> them directly on premise inside of wiring closets and then connecting them by 
> metro ethernet.  We’ve had great successes so far with this model.
> 
> There’s lots of CMTS vendors.
> 
> There’s tons of used Motorola BSR 64Ks on the market, but be aware of the 
> lack of useful IPv6 features (like prefix delegation) in older software 
> releases.  If you buy a box and want to run 7.x or 8.x, you’ll need to 
> relicense your downstream and upstream channels at some additional arbitrary 
> fixed cost.
> 
> I’m personally fond of these things:
> 
> http://picodigital.com/product-details.php?ID=miniCMTS200a
> 
> You can only bond 16 channels together max though because that’s all the box 
> supports and you can’t bond across boxes; however, these things are less than 
> 4 grand if you buy them in bulk so they’re really fucking easy to just spam 
> everywhere.
> 
> Blonder Tongue makes a pizza-box style CMTS too:
> 
> http://www.blondertongue.com/shop-by-department/catv/ip-over-coax/docsis/euro-docsis/
> 
> As does Harmonics:
> 
> http://harmonicinc.com/product/cable-edge/nsg-exo
> 
> All three are based on the same chipset, so the real differentiation is price 
> and firmware features.
> 
> Then there’s Cisco.
> 
> The UBR is a popular platform.  And pretty soon there’s going to be a glut of 
> UBR10Ks on the Market because Comcast is busy ripping their UBRs out of 
> production because they’re upgrading their cable plant to the CBR platform.
> 
> Then the Arris C4, if you have deep pockets, is a modern version of the BSR:
> 
> http://www.arris.com/products/c4-cmts/
> 
> 
> > On Feb 2, 2016, at 9:00 AM, Colton Conor <colton.co...@gmail.com> wrote:
> >
> > Well, maybe NANOG's not a bad place for this post then! I would like to 
> > know more about the data-only side of CMTS systems, and who the main 
> > vendors are.
> >
> > We have MDU properties where there is either old inside CAT3 phone wire, or 
> > coaxial cable. We have looked and are very familiar with the multiple 
> > technologies that work over phone lines namely VDSL2 and G.FAST. However, 
> > using the coaxial cable seems to be a much better solution than using the 
> > ph

Re: Cable Operator List

[Daniel Corbe]

> On Feb 2, 2016, at 8:42 AM, Colton Conor  wrote:
> 
> Are there any mailing lists out there dedicated for cable/MSO type
> operators?
> 

I'm curious about this too.

I’m not a cable operator (in that I haven’t successfully registered for a cable 
franchise yet) but I do operate a docsis network and I’ve successfully 
negotiated the treacherous waters of obtaining and providing content to my 
users.  

I’m still a bit green behind the ears but I could probably offer some measure 
of assistance if you have a specific question.

-Daniel

Re: Peering Exchange

[Daniel Corbe]

> On Jan 26, 2016, at 3:09 PM, Colton Conor  wrote:
> 
> Is there a way to browse a route server at certain exchanges, and see who
> is and is not on the route server?
> 

Publicly?  No.

Best way is to peer with one and see what routes it’s giving you.  

Some exchanges (like Equinix) do publish information about who is on their 
route servers, but they only make that information available to other customers.

-Daniel

Re: Peering Exchange

[Daniel Corbe]

> On Jan 26, 2016, at 3:22 PM, Daniel Corbe <dco...@hammerfiber.com> wrote:
> 
> 
>> On Jan 26, 2016, at 3:09 PM, Colton Conor <colton.co...@gmail.com> wrote:
>> 
>> Is there a way to browse a route server at certain exchanges, and see who
>> is and is not on the route server?
>> 
> 
> Publicly?  No.
> 
> Best way is to peer with one and see what routes it’s giving you.  
> 
> Some exchanges (like Equinix) do publish information about who is on their 
> route servers, but they only make that information available to other 
> customers.
> 
> -Daniel
> 
> 

You could also peruse the information people individually publish in PeeringDB. 
 It won’t give you a comprehensive list but it will give you a sense of who is 
where.

http://www.peeringdb.com

Re: RADb Outage?

[Daniel Corbe]

How come?  What situations would you run into that are so urgent about updating 
prefix lists that the task can’t be put off for a few hours? 

> On Jan 23, 2016, at 1:50 PM, Max Tulyev  wrote:
> 
> People do prefix filtering based on *DB may think twice...
> 
> On 23.01.16 07:42, Larry J. Blunk wrote:
>> 
>>   Service for the RADb whois protocol has now been restored.  We were 
>> experiencing
>> extensive DDOS activity directed at the whois service host(s).
>> 
>> Regards,
>>   Larry Blunk
>>   Merit
>> 
>> 
> 

Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it

[Daniel Corbe]

> On Jan 21, 2016, at 1:07 PM, Matthew D. Hardeman  
> wrote:
> 
> Since Cogent is clearly the bad actor here (the burden being Cogent's to 
> prove otherwise because HE is publicly on record as saying that they’d love 
> to peer with Cogent), I’m giving serious consideration to dropping Cogent 
> come renewal time and utilizing NTT or Zayo instead.
> 
> While that would not immediately solve the problem that if the NTT or Zayo 
> link went down, single-homed Cogent customers would loose access to me via 
> IPv6, I’m actually ok with that.  It at least lets ensures that when there is 
> a problem, the problem affects only single-home Cogent clients.  Thus, the 
> problem is borne exclusively by the people who pay the bad actor who is 
> causing this problem.  That tends to get uncomfortable for the payee (i.e. 
> Cogent).
> 
> 

Take two transit providers that aren’t in the group of (HE, Cogent).  Cogent is 
probably banking on this being the response; figuring that they have the 
financial resources to outlast HE if they’re both shedding customers.  

If you really wanted to stick it to Cogent, take 3 transit providers: HE and 
two of any other providers besides Cogent.  

Cogent clearly aren’t going to cave to their own customers asking them to peer 
with HE.  Otherwise it would have happened by now.  

Cogent sucks for lots of reasons and this one isn’t even in the top 5 IMHO.

Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it

[Daniel Corbe]

> On Jan 21, 2016, at 1:47 PM, Robert Glover <robe...@garlic.com> wrote:
> 
> On 1/21/2016 10:40 AM, Daniel Corbe wrote:
>>> On Jan 21, 2016, at 1:07 PM, Matthew D. Hardeman <mharde...@ipifony.com> 
>>> wrote:
>>> 
>>> Since Cogent is clearly the bad actor here (the burden being Cogent's to 
>>> prove otherwise because HE is publicly on record as saying that they’d love 
>>> to peer with Cogent), I’m giving serious consideration to dropping Cogent 
>>> come renewal time and utilizing NTT or Zayo instead.
>>> 
>>> While that would not immediately solve the problem that if the NTT or Zayo 
>>> link went down, single-homed Cogent customers would loose access to me via 
>>> IPv6, I’m actually ok with that.  It at least lets ensures that when there 
>>> is a problem, the problem affects only single-home Cogent clients.  Thus, 
>>> the problem is borne exclusively by the people who pay the bad actor who is 
>>> causing this problem.  That tends to get uncomfortable for the payee (i.e. 
>>> Cogent).
>>> 
>>> 
>> Take two transit providers that aren’t in the group of (HE, Cogent).  Cogent 
>> is probably banking on this being the response; figuring that they have the 
>> financial resources to outlast HE if they’re both shedding customers.
>> 
>> If you really wanted to stick it to Cogent, take 3 transit providers: HE and 
>> two of any other providers besides Cogent.
>> 
>> Cogent clearly aren’t going to cave to their own customers asking them to 
>> peer with HE.  Otherwise it would have happened by now.
>> 
>> Cogent sucks for lots of reasons and this one isn’t even in the top 5 IMHO.
>> 
>> 
> Let's hear the top 5.   Peering disputes are up there, but what else?
> 
> We've had them as one of our providers going on 8 years, and we can only 
> complain about the occasional peering disputes.
> 
> -Robert
> 

I don’t really have 5 reasons to hate cogent but I’ve got 3 big ones.  If 
you’ve had static transit with Cogent for 8 years at one or just a handful of 
locations, none of these will apply.  But..

1) They charge per IPv4 BGP session per month
2) They constantly screw up our orders.  
3) It then takes days for them to fix their own screw ups in their order 
system. 
 

Re: Is it normal for your provider to withhold BGP peering info until the night of the cut?

[Daniel Corbe]

> We have 4 full-peering providers between two data centers. Our accounting 
> people did some shopping and found that there was a competitor who came in 
> substantially lower this year and leadership decided to swap our most 
> expensive circuit to the new carrier. 
> (I don't know what etiquette is, so I won't name the carrier... but it's a 
> well-known name) Anyways, we were preparing for the circuit cutover and asked 
> for the BGP peering info up front like we normally do. This carrier said that 
> they don't provide this until the night of the cut. Now, we've done this 5 or 
> 6 times over the years with all of our other carriers and this is the first 
> one to ever do this. We even escalated to our account manager and they still 
> won't provide it.
> I know it's not a huge deal, but life is so much easier when you can prestage 
> your cut and rollback commands. In fact, our internal Change Management 
> process mandates peer review all proposed config changes and now we have to 
> explain why some lines say TBD!
> Is this a common SOP nowadays? Anyone care to explain why they wouldn't just 
> provide it ahead of time?
> Thanks in advance.
> CWB 
> 

My question to the OP would be why didn’t you schedule the turndown of the old 
circuit to overlap with the turnup of the new circuit?  That way you could 
perform your cut independently of turn-up testing with your new provider.  Why 
is it that you MUST perform both activities on the same night?  You can always 
turn up a circuit, make sure it works and then turn it back down on your end 
until you’re actually ready to use it.  

Re: Programmable SFP+ Transcievers

[Daniel Corbe]

> On Jan 18, 2016, at 2:02 PM, Colton Conor  wrote:
> 
> What options are out there for re-programmable SFP and SFP+ transceivers?
> So far I have found both
> https://www.flexoptix.net/en/flexbox-v3-transceiver-programmer.html and
> http://solid-optics.com/tools/multi-fiber-tool/so-multi-fiber-tool-id1768.html
> Is there anything else out there? Any opinions on these two companies?
> 
> 
> I believe they both require you to use their SFPs in order to program them,
> but I could be wrong.
> 

Menara also makes a tunable XFP+ which supports FEC and OTN framing.

http://menaranet.com/

-Daniel

Re: Programmable SFP+ Transcievers

[Daniel Corbe]

Eric,

If you’ve got something to relevant to add to the discussion, feel free to 
reply to the list yourself.  I’m not endorsing Menara’s pluggables any more 
than I’m endorsing yours.  I’m just simply stating that I’m aware that Menara 
exists as a company.  I took a quick look at your site and Luma’s products do 
indeed bear some relevance to this topic.  

Best,
Daniel

> On Jan 18, 2016, at 2:27 PM, Eric Litvin <e...@lumaoptics.net> wrote:
> 
> Hi Daniel-  we have a programmable tool called Cloudcode.  I'd appreciate you 
> updating the board about it.  Also,  it's free! 
> 
> Eric Litvin 
> Luma
> 
> Sent from my iPhone
> 
> On Jan 18, 2016, at 11:08 AM, Daniel Corbe <dco...@hammerfiber.com> wrote:
> 
>>> On Jan 18, 2016, at 2:02 PM, Colton Conor <colton.co...@gmail.com> wrote:
>>> 
>>> What options are out there for re-programmable SFP and SFP+ transceivers?
>>> So far I have found both
>>> https://www.flexoptix.net/en/flexbox-v3-transceiver-programmer.html and
>>> http://solid-optics.com/tools/multi-fiber-tool/so-multi-fiber-tool-id1768.html
>>> Is there anything else out there? Any opinions on these two companies?
>>> 
>>> 
>>> I believe they both require you to use their SFPs in order to program them,
>>> but I could be wrong.
>> 
>> Menara also makes a tunable XFP+ which supports FEC and OTN framing.
>> 
>> http://menaranet.com/
>> 
>> -Daniel
>> 
>> 
> 

CPE that supports 464XLAT

[Daniel Corbe]

Anyone out there aware of any DOCSIS 3.0 cable modems that have a working CLAT 
implementation?

Re: Survey on Middlebox modeling and troubleshooting

[Daniel Corbe]

> On Jan 6, 2016, at 7:51 PM, Zhang, Ying  wrote:
> 
> Dear All,
> 
> We are researchers in HP Labs and Duke university. We are currently working 
> on a project related to Middlebox modeling and troubleshooting.
> We are currently conducting a survey and gathering feedback from operators.
> Can you help us by providing some answers? Please feel free to email us if 
> you have any additional suggestions.
> https://www.surveymonkey.com/r/5SFP6G8
> 
> Thanks!
> -Ying
> 

Why do you keep posting the same thing to the list over and over again?

Do you really think the subscriber count changes that much from week to week?

Re: de-peering for security sake

[Daniel Corbe]

> On Dec 25, 2015, at 7:14 AM, Nick Hilliard <n...@foobar.org> wrote:
> 
> Daniel Corbe wrote:
>> Let’s just cut off the entirety of the third world instead of having
>> a tangible mitigation plan in place.
> 
> You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel?
> 
>> https://en.wikipedia.org/wiki/Third_World
> 
> What an enormously silly idea.
> 
> Seasons greetings to all,
> 
> Nick
> 

It was a stupid idea even before you corrected me.

Re: de-peering for security sake

[Daniel Corbe]

> On Dec 25, 2015, at 9:18 AM, Mike Hammett <na...@ics-il.net> wrote:
> 
> To the thread, not necessarily Daniel, if blocking countries\continents is a 
> bad thing (not saying I disagree), how do you deal with the flood of trash? 
> Just take it on the chin? 

If you as an end user want to be the cyber-equivalent of a xenophobe because 
OMG BAD INTERNETS then be my guest.  On the other hand, I’m a network operator 
so I don’t have the luxury of dictating to my users what they can and cannot 
reach.  

> 
> The degree of splash damage by blocking this way will vary based upon what 
> kind of network you are. Residential eyeballs? You could probably block most 
> of a lot of things and people wouldn't notice or care, as long as it wasn't 
> Google, Facebook, Netflix, etc. 

As a residential ISP with many first and second generation American immigrants 
in my service footprint I can assure you this notion is patently false.  People 
will definitely notice and care if they can’t communicate with their relatives 
and consume content in their home countries.  

> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
> 
> 
> 
> Midwest Internet Exchange 
> http://www.midwest-ix.com 
> 
> 
> - Original Message -
> 
> From: "Daniel Corbe" <dco...@hammerfiber.com> 
> To: "Nick Hilliard" <n...@foobar.org> 
> Cc: "NANOG" <nanog@nanog.org> 
> Sent: Friday, December 25, 2015 8:11:55 AM 
> Subject: Re: de-peering for security sake 
> 
> 
>> On Dec 25, 2015, at 7:14 AM, Nick Hilliard <n...@foobar.org> wrote: 
>> 
>> Daniel Corbe wrote: 
>>> Let’s just cut off the entirety of the third world instead of having 
>>> a tangible mitigation plan in place. 
>> 
>> You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel? 
>> 
>>> https://en.wikipedia.org/wiki/Third_World 
>> 
>> What an enormously silly idea. 
>> 
>> Seasons greetings to all, 
>> 
>> Nick 
>> 
> 
> It was a stupid idea even before you corrected me. 
> 
> 

Re: de-peering for security sake

[Daniel Corbe]

You know, without actually looking I’m willing to lay money down that the 
people beating the blocklist drum are the same people who scream the loudest 
about net neutrality when they can’t actually get to the content they want. 

> On Dec 25, 2015, at 11:25 AM, Daniel Corbe <dco...@hammerfiber.com> wrote:
> 
> 
>> On Dec 25, 2015, at 9:18 AM, Mike Hammett <na...@ics-il.net> wrote:
>> 
>> To the thread, not necessarily Daniel, if blocking countries\continents is a 
>> bad thing (not saying I disagree), how do you deal with the flood of trash? 
>> Just take it on the chin? 
> 
> If you as an end user want to be the cyber-equivalent of a xenophobe because 
> OMG BAD INTERNETS then be my guest.  On the other hand, I’m a network 
> operator so I don’t have the luxury of dictating to my users what they can 
> and cannot reach.  
> 
>> 
>> The degree of splash damage by blocking this way will vary based upon what 
>> kind of network you are. Residential eyeballs? You could probably block most 
>> of a lot of things and people wouldn't notice or care, as long as it wasn't 
>> Google, Facebook, Netflix, etc. 
> 
> As a residential ISP with many first and second generation American 
> immigrants in my service footprint I can assure you this notion is patently 
> false.  People will definitely notice and care if they can’t communicate with 
> their relatives and consume content in their home countries.  
> 
>> 
>> 
>> 
>> 
>> - 
>> Mike Hammett 
>> Intelligent Computing Solutions 
>> http://www.ics-il.com 
>> 
>> 
>> 
>> Midwest Internet Exchange 
>> http://www.midwest-ix.com 
>> 
>> 
>> - Original Message -
>> 
>> From: "Daniel Corbe" <dco...@hammerfiber.com> 
>> To: "Nick Hilliard" <n...@foobar.org> 
>> Cc: "NANOG" <nanog@nanog.org> 
>> Sent: Friday, December 25, 2015 8:11:55 AM 
>> Subject: Re: de-peering for security sake 
>> 
>> 
>>> On Dec 25, 2015, at 7:14 AM, Nick Hilliard <n...@foobar.org> wrote: 
>>> 
>>> Daniel Corbe wrote: 
>>>> Let’s just cut off the entirety of the third world instead of having 
>>>> a tangible mitigation plan in place. 
>>> 
>>> You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel? 
>>> 
>>>> https://en.wikipedia.org/wiki/Third_World 
>>> 
>>> What an enormously silly idea. 
>>> 
>>> Seasons greetings to all, 
>>> 
>>> Nick 
>>> 
>> 
>> It was a stupid idea even before you corrected me. 
>> 
>> 
> 

Re: de-peering for security sake

[Daniel Corbe]

Let’s just cut off the entirety of the third world instead of having a tangible 
mitigation plan in place.

> On Dec 24, 2015, at 6:44 PM, Colin Johnston  wrote:
> 
> see
> http://map.norsecorp.com
> 
> We really need to ask if China and Russia for that matter will not take abuse 
> reports seriously why allow them to network to the internet ?
> 
> Colin
> 

Atlantic City

[Daniel Corbe]

Can someone quote me a price off-list for 300Mbit (preferably on a GigE) in 
Atlantic City somewhere?

Re: Nat

[Daniel Corbe]

> On Dec 20, 2015, at 1:22 PM, Matthew Petach <mpet...@netflight.com> wrote:
> 
> On Sun, Dec 20, 2015 at 9:55 AM, Daniel Corbe <dco...@hammerfiber.com> wrote:
>>> On Dec 20, 2015, at 11:57 AM, Mike Hammett <na...@ics-il.net> wrote:
>>> 
>>> There is little that can be done about much of this now, but at least we 
>>> can label some of these past decisions as ridiculous and hopefully a lesson 
>>> for next time.
>> 
>> There isn’t going to be a next time.
> 
> *points and snickers quietly*
> 
> You're either an incredible optimist,
> or you're angling to be the next oft-
> misquoted "640KB should be enough
> for anyone" voice.
> 
> We got a good quarter of a century
> out of IPv4.  I think we *might* hit
> the century mark with IPv6...maybe.
> But before we hit that, I suspect we'll
> have found enough shortcomings
> and gaps that we'll need to start
> developing a new addressing format
> to go with the newer networking
> protocols we'll be designing to
> fix those shortcomings.
> 
> Until the sun goes poof, there's *always*
> going to be a next time.  We're never going
> to get it _completely_ right.  You just have
> to consider a longer time horizon than our
> own careers.
> 
> Matt
> 

I’m only going to say one more thing on this subject because this is 
essentially a side bar that has very little to do with the subject matter of 
the OP.  

If we hadn’t run out of address space we’d still be trying to fix IPv4.  The 
numbers don’t lie.  It’s not very likely that we’re going to be space 
constrained on the IPv6 Internet like we are on the IPv4 internet.  Nobody is 
going to want to repeat the pain of the last 17 years of trying to convince 
people to run IPv6.

Just about every technical challenge with the underlying protocol stack is 
fixable.  Except for one: what happens when we run out addresses.  For all of 
its flaws, IPv6 addresses this one particular issue quite well.

Re: Nat

[Daniel Corbe]

> On Dec 20, 2015, at 11:57 AM, Mike Hammett <na...@ics-il.net> wrote:
> 
> However, keeping back 64 bits for the host was a stupid move from the 
> beginning. We're reserving 64 bits for what's currently a 48 bit number. You 
> can use every single MAC address whereas IPS are lost to subnetting and other 
> such things. I could have seen maybe holding back 56 bits for the host if for 
> some reason we need to replace the current system of MAC addresses at some 
> point before IPv6 is replaced. 

EUI-64 isn’t the only thing out there that expects hosts to have 64-bit 
addresses.  That was only an example.  

> 
> There may be address space to support it, but is there nimble boundary space 
> for it? 

Yes.  Do the math.  If every end user got a /48 there’s still 281 *trillion* 
subnets to go around.   The limiting factor in IPv4 is that nobody expected to 
be able to connect 4 billion devices to the Internet when it was conceived.  I 
really doubt that we’ll see 281 trillion people walking around any time in the 
next 1000 generations of human civilization.  

IPv6 is here to stay.  

> 
> The idea that there's a possible need for more than 4 bits worth of subnets 
> in a home is simply ludicrous and we have people advocating 16 bits worth of 
> subnets. How does that compare to the entire IPv4 Internet? 

You’re still stuck on “LL ADDRESSES.”  

> 
> 
> There is little that can be done about much of this now, but at least we can 
> label some of these past decisions as ridiculous and hopefully a lesson for 
> next time. 

There isn’t going to be a next time.

> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
> 
> - Original Message -
> 
> From: "Daniel Corbe" <co...@corbe.net> 
> To: "Mike Hammett" <na...@ics-il.net> 
> Cc: "Mark Andrews" <ma...@isc.org>, "North American Network Operators' Group" 
> <nanog@nanog.org> 
> Sent: Saturday, December 19, 2015 10:55:03 AM 
> Subject: Re: Nat 
> 
> Hi. 
> 
>> On Dec 19, 2015, at 11:41 AM, Mike Hammett <na...@ics-il.net> wrote: 
>> 
>> "A single /64 has never been enough and it is time to grind that 
>> myth into the ground. ISP's that say a single /64 is enough are 
>> clueless." 
>> 
>> 
>> 
>> OOL 
>> 
>> 
>> A 100 gallon fuel tank is fine for most forms of transportation most people 
>> think of. For some reason we built IPv6 like a fighter jet requiring 
>> everyone have 10,000 gallon fuel tanks... for what purpose remains to be 
>> seen, if ever. 
>> 
>> 
> 
> You’re being deliberately flippant. 
> 
> There are technical reasons why a single /64 is not enough for an end user. A 
> lot of it has to do with the way auto configuration works. The lower 64 bits 
> of the IP address are essentially host entropy. EUI-64 (for example) is a 64 
> bit number derived from the mac address of the NIC. 
> 
> The requirement for the host portion of the address to be 64 bits long isn’t 
> likely to change. Which means a /64 is the smallest possible prefix that can 
> be assigned to an end user and it limits said end user to a single subnet. 
> 
> Handing out a /56 or a /48 allows the customer premise equipment to have 
> multiple networks behind it. It’s a good practice and there’s certainly 
> enough address space available to support it. 
> 
> 
> 

Re: Nat

[Daniel Corbe]

Hi,

> On Dec 19, 2015, at 11:41 AM, Mike Hammett  wrote:
> 
> "A single /64 has never been enough and it is time to grind that 
> myth into the ground. ISP's that say a single /64 is enough are 
> clueless." 
> 
> 
> 
> OOL 
> 
> 
> A 100 gallon fuel tank is fine for most forms of transportation most people 
> think of. For some reason we built IPv6 like a fighter jet requiring everyone 
> have 10,000 gallon fuel tanks... for what purpose remains to be seen, if 
> ever. 
> 
> 

You’re being deliberately flippant.

There are technical reasons why a single /64 is not enough for an end user.  A 
lot of it has to do with the way auto configuration works.  The lower 64 bits 
of the IP address are essentially host entropy.  EUI-64 (for example) is a 64 
bit number derived from the mac address of the NIC.

The requirement for the host portion of the address to be 64 bits long isn’t 
likely to change.   Which means a /64 is the smallest possible prefix that can 
be assigned to an end user and it limits said end user to a single subnet.

Handing out a /56 or a /48 allows the customer premise equipment to have 
multiple networks behind it.  It’s a good practice and there’s certainly enough 
address space available to support it.

Re: Comcast carrier sales

[Daniel Corbe]

> On Dec 16, 2015, at 8:37 PM, Mike  wrote:
> 
> Hi,
> 
>Im trying to establish connectivity with comcast and their normal sales 
> channel doesn't seem to be equipped to deal with a facilities based carrier 
> who wishes to establish some kind of meet-me arrangement on fiber. Does 
> anyone know or can a comcast carrer sales rep contact me? I want to give you 
> money
> 
> Mike-
> 

What’s your definition of a “normal” sales channel?  If you’re calling the 
Comcast business line you probably won’t get much help.

Have you tried pinging someone at Comcast wholesale yet?

http://www.comcastwholesale.com/

Re: John McAfee: Massive DDoS attack on the internet was from smartphone botnet on popular app

[Daniel Corbe]

> On Dec 12, 2015, at 1:18 AM, Jay Ashworth  wrote:
> 
> Is McAfee just talking to dry his teeth here? This isn't actually practical, 
> is it? Carriers would notice, right?

Whether carriers might notice (or even care, because hey we can bill for data!) 
is debatable.  But...

> 
> http://www.ibtimes.co.uk/john-mcafee-massive-ddos-attack-internet-was-smartphone-botnet-popular-app-1532993

"and the unsophisticated way the botnet could be implemented through a simple 
smartphone app, suggests hackers sympathetic to Islamic State (Isis) may be 
behind it."

"The majority of the domain servers are controlled by U.S. interests - three 
are controlled by the US government. Who has the largest axe to grind? Isis. 
Who has the most to gain? Isis. Isis certainly has the technical capability to 
write a popular app.”

He certainly is making some wild leaps of logic here.

This is the most substantive sentence in the article: "But I have no direct 
evidence.”

Re: Ransom DDoS attack - need help!

[Daniel Corbe]

> On Dec 3, 2015, at 10:26 AM, Nick Hilliard  wrote:
> 
> On 03/12/2015 08:15, halp us wrote:
>> a very well known group that has been in the news lately. Recently they've
>> threatened to carry out a major DDoS attack if they are not paid by a
>> deadline which is approaching. They've performed an attack of a smaller
>> magnitude to prove that they're serious.
> 
> bear in mind that if you pay a ransom like this:
> 
> 1. you're opening up a bank account for them to dip into whenever they feel
> they need more money.

Most of these types of service ransom deals are conducted via bitcoin.  So I 
don’t see how this could be the case unless you mean to say that appeasing your 
attackers is a bad idea because they might just be emboldened enough to try and 
extort you again whenever the piggy bank is beginning to run dry.

Third Party NOC services

[Daniel Corbe]

Can anyone recommend some good third parties for NOC services?

I don’t necessarily need something on the scope of companies like iNOC where 
they charge 20 bucks a device because I’ve got my own monitoring system.  What 
I need are bodies to watch my monitors and react to problems.  I also need a 
place to forward a toll free phone number for first level incident response.  

Re: route converge time

[Daniel Corbe]

Baldur Norddahl  writes:

> Hi
>
> I added a default static route 0.0.0.0 to provider A on router A and did
> the same to provider B on router B. This is supposed to be a trick that
> allows the network to move packets before everything is fully converged.
> Traffic might not leave the most optimal link, but it will be
> delivered.

The other thing here is the one of the main advantages of taking a full
routing table is so that you can be free of default routes.

>
> Anyone got any tricks or pointers to what can be done to optimize the
> downtime in case of a IP transit link failure? Or the related case of one
> my routers going down or the link between them going down (the traffic
> would go a non-direct way instead if the direct link is down).
>

With only two providers, route convergence is always going to be a
painful process.  Especially if you're still using old equipment on your
edge.

But you shouldn't be losing transit links often enough for it to be a
major problem for your users.  If you are, I'd start looking at other
options for transit.

You could also take smaller tables from a wider variety of providers.
Most folks in the wholesale transit business offer default routing and
customer specifics.  This won't give you best path selection in the
truest sense but if you're connected to enough upstream providers it can
get you pretty close.

And if you're a content consumer rather than a content provider, go and
peer with anyone that has an open peering policy.  Most important
content providers will peer with anyone that services customer and have
relatively flexible traffic minimums.  Off the top of my head that's
facebook, google, netflix, yahoo, microsoft and several others.

Re: New ISPs getting of the ground without IPv4?

[Daniel Corbe]

nanog-...@mail.com writes:

> Surprisingly enough demand for Internet services did not end when we
> ran out of IPv4. I'd like to hear from the guys and gals starting new
> ISPs how they are facing this brave new world.

I can help.  We're a cable company operating in Atlantic City who hope
to have 800 beta customers launched between November 30 and February 1.

>
> Is it NATs all the way down?

We've got two large NAT pools and a /24 set aside for customers who must
absolutely be globally routable for IPv4.  We're trying to qualify as
few customers for this need as possible.

>
> Is IPv6 the knight in shining armor?

We're going to try to deploy as many people as we can as native
IPv6-only customers but we also expect there to be a considerable amount
of protest to this idea.  In which case, we'd simply turn IPv4 on for
them and NAT them.

It's disgusting how much stuff out there still doesn't support IPv6.
We're all ready for that with NAT64 on the edge for sites like twitter
and 464XLAT for devices that support it.

But just off the top of my head, we know we're going to run into
problems with people's XBox 360s and anyone who uses PSN (that's all PS3
and PS4 users as of this writing), Skype, Android on wifi, etc.


>
> Are you getting enough IPs? If not, how are you coping? Buying/renting
> some, tunneling to somebody who has some, what?

We wish we had enough address space to give everyone a globally routable
IPv4 address; alas, we don't.

We're on ARIN's waiting list.  We're also trolling the transfer market
and keeping our eyes open for anyone who might like to put their company
up for sale for its resources and revenue.

>
> It's all good and well hearing about how you should dual stack and
> reading about how established players handle IPv6 and IPv4 exhaustion,
> but what do you do when dual stacking isn't an option and IPv6 only
> takes you so far?

We're just going to limp along as best we can until the rest of the
world wises up.  BTW, hardware NAT costs $$$.  So the barrier for entry
is pretty high right now.

Re: configuration sanity check

[Daniel Corbe]

"marcel.durega...@yahoo.fr"  writes:

> Hi Nanogers,
>
> Any recommendation about a software which check the live config of
> cisco/juniper devices against some templates ?
>
> The goal is to have a template about different function device, like:
> - CORE device must have this bloc and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block2
> - etc...
>
> And the software run once every day to check which device do not
> comply with those rules and generate an alert.
>
> Thank,
> - Marcel

You can also catch and minimize mistakes in real-time by:

1) Implementing and enforcing a proper change control system

2) Implementing tools like Rancid, which are designed to scrape router
configs and E-Mail changes in the format of a unified diff to everyone
in your engineering team.

3) Make liberal use of tools like RtConfig so routine changes aren't a
painful (read: manual) time-consuming process.

Re: new message

[Daniel Corbe]

Everyone else is getting them too.  You can easily snag them with an
appropriate procmail filter though:

:0:
* ^Subject:.*Fw: new message
Maildir/.Junk/

-Daniel

Matt Hoppes  writes:

> Am I the only one getting these messages repeatedly for the last day???
>
>> On Oct 24, 2015, at 21:35, Ricky Beam  wrote:
>> 
>> Hey!
>> 
>> 
>> 
>> New message, please read 
>> 
>> 
>> 
>> Ricky Beam
>> 

Re: Current IPv4 Options

[Daniel Corbe]

Chris Knipe  writes:

> On Thu, Oct 22, 2015 at 4:24 PM, Clay Curtis  wrote:
>
>> I work for a VAR and we are starting to have customers come to us to help
>> with internet redundancy projects and they are unable to get address space
>> from ARIN.  What are the viable options here?  I have read about secondary
>> markets, transfers, auction sites, leasing, etc.  Can NANOG point me in the
>> right direction as to the most effective way to get v4 space right now in
>> the US?  And before we get into the whole IPv6 discussion, yes, yes, we are
>> discussing this with customers as well.  That being said, they still need
>> the IPv4 space in the near-term.
>>
>
>
> Sitting in exactly the same position.  IPv6 is great and all, but running
> my business natively on IPv6 means nothing to me if my customers can't
> reach me.

AFAIK you can still receive as much as a /24 from ARIN if you qualify
under section 4.10.  If you've already got PA space from ARIN then you
need to start hiding things behind NAT pools and load balancers.

In order to receive an allocation or assignment under this policy:

1. the applicant may not have received resources under this policy in
the preceding six months;

2. previous allocations/assignments under this policy must continue to
meet the justification requirements of this policy;

3. previous allocations/assignments under this policy must meet the
utilization requirements of end user assignments;

4. the applicant must demonstrate that no other allocations or
assignments will meet this need;

5. on subsequent allocation under this policy, ARIN staff may require
applicants to renumber out of previously allocated / assigned space
under this policy in order to minimize non-contiguous allocations.

Re: IGP choice

[Daniel Corbe]

"marcel.durega...@yahoo.fr"  writes:

> Hi everyone,
>
> Anybody from Yahoo to share experience on IGP choice ?
> IS-IS vs OSPF, why did you switch from one to the other, for what reason ?
> Same question could apply to other ISP, I'd like to heard some
> international ISP/carriers design choice, please.
>
> Thank in advance,
> Best regards,
> -Marcel

I worked a project as recently as 2009 where we tried to connect two
6509s together over a tunnel interface and wanted to extend Area 0
across it and couldn't because it was a limitation of the version of IOS
we were running at the time.

That forced us to use isis.

It was a decision based on pragmatism rather than design choice; and we
were a small operator, too.  The choice of an interior routing protocol
really doesn't have much implication for small operators.

Re: Huawei and ZTE Routers

[Daniel Corbe]

Colton Conor colton.co...@gmail.com writes:

 The other thread about the Alcatel-Lucent routers has been pleasantly
 delightful. Our organization used to believe that Juniper, Cisco, and
 Brocade were the only true vendors for carrier grade routing, but now we
 are going to throw Alcatel-Lucent into the mix.

 ZTE and Huawei, the big chinese vendors, have also been mentioned to us. I
 know there are large national security issues with using these vendors in
 the US, but I know Level3 and other large American vendors use Huawei and
 ZTE in their networks.

 How do their products perform? How are they compared to Cisco and Juniper
 on the performance side of the house? Is their pricing really half or less
 of that of Cisco and Juniper? Is it worth using these vendors or not worth
 the hassle?

I don't know much about Huawei but be wary of ZTE's claims.  They love
their vendor lock-in.  They have a bad habit of giving away hardware for
next to nothing and then ratcheting up support costs.

Opex needs to be a consideration when selecting an equipment vendor as
well as capex.

Re: Need recommendations for high-feature, high-density L3 Switch

[Daniel Corbe]

Cliff Bowles cliff.bow...@apollo.edu writes:

 We have some aging infrastructure and need to start budgeting next-gen.


 * The network has several small routers as individual edges to peers, 
 WAN, SIP services.

 * It has a couple 6509s as Internet edge (full tables, 2 carriers, no 
 transit, simple policies)

 * It has some Nexus 7K as an aggregation layer for all the server pods

 * It has some 6509s as a backbone to interconnect the aggregation 
 layers and inter-site links.

 * We do run VRFs/MPLS across our backbone with L3, L2 and L1
 services. Nothing super fancy, but it's a requirement.

You could always roll the 6509s into 6800 series stuff if you're married
to Cisco for Campus style switches in your distribution network.  But I
really hate the Sup2T.  In my admittedly limited scope, they have a
pretty high failure rate.

If you want something simple that still supports MPLS and VPLS, you
can't really beat Brocade for port density.  I getting ready to rip out
6 sets of 6509s and replace them with 16 slot MLXe chasis.

And if I were in your shoes I'd be looking at either ASR9K or Juniper MX
series stuff to replace the 6509s that you have on your edge.

I can't speak much for the server-facing stuff on your network though.

-Daniel

Re: Cisco IOS stable/production safe versions?

[Daniel Corbe]

Nick Ellermann nellerm...@broadaspect.com writes:

 I have a Cisco IOS specific question for the group and also
 specifically related to the 6500 platform. We have always been very
 conservative with our IOS version that we run in production, we are
 still running a pretty old safe harbor build of 12.2.x on SUP 720
 3BXLs with BGP and OSFP routing. Any advice from fellow network
 operators that are running the 6500 platform in the core still for
 versions that are considered safe for production? We are stable, but I
 am really wanting access to features such as Netflow v9, etc.

 Thanks for any advice!


You're pretty spot on with your thinking here.  Don't upgrade unless
there's a known vulnerability, a bug fix or a feature that you need on a
particular device; and don't expose your management to the Internet.

tl;dr: don't fix what isn't broken.

Having said that; make use of the software download tools on your CCO
account.   Cisco has a list of recommended builds for your particular
platform and code train.

When in doubt you can always fall back to S-train stuff on a Sup720.
-S images were made for service providers and are generally very stable.

-Daniel

Re: Network ops lists.

[Daniel Corbe]

Ryan Finnesey r...@finnesey.com writes:

 At one point I stumbled across a site that listed all of the network
 ops lists for the corresponding regions but now I can't seem to find
 it would anyone happen to have a similar list?


Are you referring to a list regional NOGs?

Because there's other interesting content out there too, like
dns-operations and voice-ops, v6-operations, etc.

-Daniel

Re: 1U or SS7 to SIP services in Sovereign House London

[Daniel Corbe]

Just to save him some googling:
https://puck.nether.net/mailman/listinfo/voiceops

-Daniel

Carlos Alcantar car...@race.com writes:

 Voiceops list might be better suited for this request.


 Carlos Alcantar
 Race Communications / Race Team Member
 1325 Howard Ave. #604, Burlingame, CA. 94010
 Phone: +1 415 376 3314 / car...@race.com / http://www.race.com
 http://www.race.com/






 On 1/8/15, 8:13 AM, Daryl G. Jurbala da...@introspect.net wrote:

I know it¹s a long shot on this list, but if you know of anyone who can
provide these services or even just a good place like NANOG for that part
of the world please contact me off list.

Re: Transit, Exchange Point Agreements, and Acceptable Use?

[Daniel Corbe]

Paul Ferguson fergdawgs...@mykolab.com writes:

 I'll apologize up front if this offends anyone's sensitivities as to
 what is relevant for list conversation... but one sentence in this
 Channel4 News story (from what I understand, Channel4 is a very
 popular news source in the UK) struck me as perhaps in violation of
 some sort of peering and/or transit agreement. Cable and Wireless:

 ...even went as far as providing traffic from a rival foreign
 communications company, handing information sent by millions of
 internet users worldwide over to spies.

 The entire article is here:

 http://www.channel4.com/news/spy-cable-revealed-how-telecoms-firm-worked-with-gchq

 My question is this: Do willful actions such as these violate peering,
 transit, and/or exchange agreements in any way?

 Thanks,

 - ferg

Welcome to the modern age of communications.  The privacy nuts and
tinfoil hat types turned out to be correct.  Assume that you have no
privacy and encrypt everything you do.  Or just stop caring about
privacy all together.  Either way, not much has actually changed.

Re: Linux: concerns over systemd adoption and Debian's decision to switch

[Daniel Corbe]

Andrew Sullivan asulli...@dyn.com writes:

 On Wed, Oct 22, 2014 at 12:43:53PM -0400, C. Jon Larsen wrote:

 Incorrect assumption. systemd is a massive security hole waiting to happen
 and it does not follow the unix philosophy of done 1 thing and do it
 well/correct. 

 But I have no clue what one can do about it.  For many years, I liked
 to keep some Linux and some BSD systems around, because it seemed to
 me that the different styles tended to encourage diversity and that
 was a good thing.  But management of BSD systems -- particularly the
 nonsense of rebuilding things from source all the time -- started to
 look mighty onerous compared to apt-get update; apt-get upgrade.
 Others apparently agreed, and now there are enough things that work
 well on Linux but not as well (or not at all) on BSD that the
 diversity argument isn't as strong.  (Also, of course, certain kinds
 of things, like some kinds of database replication, don't work well
 across platforms, so there's another reason to converge on a single
 system.)  Debian was always the Linux platform that seemed most
 insistent on having more than one way to do it, but in recent years
 that philosophy has made it more work to use than the alternatives;
 and the alternatives have often gotten good enough that one doesn't
 care (Ubuntu is the obvious example here).

 So, now we have an encroaching monoculture, and no real option to do
 anything about it.  Maybe this is just the way the Internet is, now.

 A

Not to get even further off topic here but when was the last time you
maintained a BSD system?   FreeBSD (at least) adopted binary package
management as its preferred interface to ports through pkg-ng somewhere
in the 9-RELEASE cycle.  

As long as you don't need exotic compile-time options you should be good
to go.  Which is in contrast to the Linux package management paradigm
where you basically enable everything at compile time.  

If you do need to compile something by source though you still have that
option.  

This systemd debacle is an excellent reason to look into stuff that
isn't Linux.  The Linux camp all too often become victims of not
invented here and because we can is not a good enough reason to
replace something that has worked just fine for 30 or 40 some-odd years.

  

Re: IPv6 Default Allocation - What size allocation are you giving out

[Daniel Corbe]

Mark Andrews ma...@isc.org writes:

 In message 54366ab9.3040...@gmail.com, Paige Thompson writes:
 makes more sense to hand out /48s imho. theres only a mere 65k /48s per
 /32 (or something like that), though.

 A /32 is the minimum allocation to a ISP.  If you have more customers
 or will have more customers request a bigger block from the RIRs.

 Mark

Has anyone successfully gotten a RIR to assign anything bigger than a
/32?  I seem to recall in recent history someone tried to obtain a /31
through ARIN and got smacked down.  

Even if you're assigning a /56 to every end user, that's still on the
order of 16 million allocations.  I can't imagine anyone but the truly
behemoth access network operators being able to justify a larger
allocation with a straight face.

Equinix Sales

[Daniel Corbe]

Equinix Sales seem impossible to reach.  Should I just give up and go
through a sales agent or can someone from Equinix sales contact me
off-list?

upstream support for flowspec

[Daniel Corbe]

I was perusing RFC5575 after reading a presentation that ALU did
(presumably during some previous NANOG conference).  Reference:
https://www.nanog.org/sites/default/files/wed.general.trafficdiversion.serodio.10.pdf

This seems like it would be a godsend for small operators like myself who don't 
have
access to unlimited bandwidth and are put off by off-site scrubbing
services.  

As far as I can tell though the only platforms that offer support are
the 7750-SR and platforms made by Juniper.

Is there anything in the air about widening the adoption base?  Cisco?
Brocade?  

And once that happens, what are the chances of services providers
adopting this for their customers to make use of on as wide of a scale
as (for example) blackhole community strings.

I'd certainly *love* to have a way to mitigate an attack that doesn't
involve me sacrificing one service on my network to save the rest.

Best,
Daniel

Re: upstream support for flowspec

[Daniel Corbe]

Saku Ytti s...@ytti.fi writes:

 On (2014-09-18 13:53 -0400), Daniel Corbe wrote:

 Hi Daniel,

 This seems like it would be a godsend for small operators like
 myself who don't have
 access to unlimited bandwidth and are put off by off-site scrubbing
 services.  
 
 As far as I can tell though the only platforms that offer support are
 the 7750-SR and platforms made by Juniper.

 Cisco IOS-XR supports flowspec today as well.

 How much more would you pay per Mbps/month to have operator offer flowspec?
 IP transit is quite low margin product, supporting flowspec may have some
 adverse effects to business case:

 a) you're paying less, as you're not receiving the traffic

This ventures into the realm of an operator doing something responsible
to protect me vs routing me unwanted traffic and going lol, bill.

If you want to start playing that game, I'm happy to pay more per mbit
of traffic if you're happy to guarantee me that you won't route me
traffic that I'm expressly uninterested in.

 b) operator may get more traffic, as attack does not yield desired
 outcome

Not necessarily true.  If I can identify and push malicious traffic
towards your edge, then you can do the same towards your peers. 

If I can ask you to filter by source, can you turn around and do so by
source *AND* destination?  You know what I'm announcing, so it seems
like this ought to be possible.  Short of that, it would require us to
be in a trust relationship and I can see how that would be problematic.

If we circle back around to paying a premium for the service, then I'm
going to expect you to absorb the attack on my behalf.



 And when we look at the feature technically

 a) junos does not allow setting flowspec on in FW filters and then apply FW
 filter where you wish to do it, it's automatically turned on for all traffic
 transiting box. This may be undesirable.

 b) by default junos accepts all flowspec actions, such as diverting traffic to
 new IP or new VRF. This may cause undesirable security issues.

 c) added feature == added complexity == reduced availability

-Daniel

Re: upstream support for flowspec

[Daniel Corbe]

Also, if I'm buying full line rate commit from you then you're not
actually losing any money on the deal whether or not you route me the
traffic.

-Daniel

Daniel Corbe co...@corbe.net writes:

 Saku Ytti s...@ytti.fi writes:

 On (2014-09-18 13:53 -0400), Daniel Corbe wrote:

 Hi Daniel,

 This seems like it would be a godsend for small operators like
 myself who don't have
 access to unlimited bandwidth and are put off by off-site scrubbing
 services.  
 
 As far as I can tell though the only platforms that offer support are
 the 7750-SR and platforms made by Juniper.

 Cisco IOS-XR supports flowspec today as well.

 How much more would you pay per Mbps/month to have operator offer flowspec?
 IP transit is quite low margin product, supporting flowspec may have some
 adverse effects to business case:

 a) you're paying less, as you're not receiving the traffic

 This ventures into the realm of an operator doing something responsible
 to protect me vs routing me unwanted traffic and going lol, bill.

 If you want to start playing that game, I'm happy to pay more per mbit
 of traffic if you're happy to guarantee me that you won't route me
 traffic that I'm expressly uninterested in.

 b) operator may get more traffic, as attack does not yield desired
 outcome

 Not necessarily true.  If I can identify and push malicious traffic
 towards your edge, then you can do the same towards your peers. 

 If I can ask you to filter by source, can you turn around and do so by
 source *AND* destination?  You know what I'm announcing, so it seems
 like this ought to be possible.  Short of that, it would require us to
 be in a trust relationship and I can see how that would be problematic.

 If we circle back around to paying a premium for the service, then I'm
 going to expect you to absorb the attack on my behalf.



 And when we look at the feature technically

 a) junos does not allow setting flowspec on in FW filters and then apply FW
 filter where you wish to do it, it's automatically turned on for all traffic
 transiting box. This may be undesirable.

 b) by default junos accepts all flowspec actions, such as diverting traffic 
 to
 new IP or new VRF. This may cause undesirable security issues.

 c) added feature == added complexity == reduced availability

 -Daniel

Re: old-school wiring nightmares

[Daniel Corbe]

Christopher Morrow morrowc.li...@gmail.com writes:

 On Wed, Sep 3, 2014 at 1:27 PM, John Kinsella j...@thrashyour.com wrote:
 Wiring closet rats nests have frequently been a fun topic, so with that in
 mind, may I present telephone lines in Stockholm, circa late 1800s:
 http://www.thisiscolossal.com/2014/09/telefontornet-stockholm/

 Have fun wire-tracing *that*

And things worked like that for decades.


 imagine the probably almost constant outages in the winter months due
 to ice buildup on the lines...


This still happens.   Overhead fiber is a thing you know.

 Click through to the flickr albums - the Tekniska Museet has put some great
 stuff up!

Re: Gonodal GS4008

[Daniel Corbe]

Gnodal doesn't seem to have a website anymore.  They've apparently been
bought by Cray (as in the supercomputer company).  Can one even buy a gnodal 
switch anymore?

-Daniel

Faisal Imtiaz fai...@snappytelecom.net writes:

 Anyone who is or has any hands on experience with the Gonadal GS4008 switch, 

 Can you please share your experience, pros's  con's , on list of
 off-list will be fine.

 Many Thanks in advance.

 Regards.

 Faisal Imtiaz
 Snappy Internet  Telecom

Re: Urgent

[Daniel Corbe]

http://www.christianforums.com/t3057187/

-Original Message- 
From: ra...@psg.com 
Sent: Monday, August 18, 2014 1:00 PM 
To: nanog@nanog.org 
Subject: Urgent 


Contact for God, please reach out to me offlist.

Regards,
-AS666 NOC

Re: Cisco Switch Matrix

[Daniel Corbe]

I can't think of anything like this off the top of my head but here's
what I would do if I were in a pinch and trying to put configurations
together:

Find someone who sells (or resells) Cisco gear professionally.  They'll
help you identify equipment which is appropriate for your build.  

-Daniel

Shawn L sha...@up.net writes:

 Has anyone seen a good matrix of Cisco switches and their port-types, etc?
 I'm looking for something where I can say 'I need a switch with X 10-gig
 ports and Y 1-gig sfp ports, which models meet that criteria?'

 I know I can look through all of the data sheets at cisco's website, but
 there has to be a better way to see the specs of a large array of switches
 at a glance.

 thanks

Re: Carrier Grade NAT

[Daniel Corbe]

Colton Conor colton.co...@gmail.com writes:

 We are looking for recommendations for a carrier grade nat solution. Who is
 the leaders in this space? How do carrier grade NAT platforms integrate
 with DHCP and DNS solutions? How do you keep track of copyright violations
 in a CGNAT solution if multiple customers are sharing the same public IP
 address?

Right now I'm using A10 for NAT.  I can't say enough good things about
these dudes.

But as far as DMCA takedowns are concerned, we're in the habit of
casually ignoring them unless they come through our custodian of
records. 

That would be an excellent question for your SE.  And I'm kind of
curious myself now.

-Daniel

Re: Carrier Grade NAT

[Daniel Corbe]

Colton Conor colton.co...@gmail.com writes:

 I searched carrier grade NAT in google, and A10 came up a lot. I thought they
 just had good SEO going on, but it seems they have a good product as well!
 Does A10 offer DHCP, DNS, and IPAM solutions as well? You really need all 4 to
 handle carrier grade NAT on an access network right? 


They don't have an IPAM built in.  IPAMs are usually a back office
thing.  It's a deeply personal choice usually made by the very same
monkey in your organization responsible for managing IP allocations.

You can toss IP pool management (in your case, DHCP) at your A10s, but I
don't.

You can also do some interesting things with DNS on the boxes if you
have a software load that supports load balancing.  But you don't need
that for NAT.  Nor is it wise to put all your eggs into one magical
packet-routing basket.

-Daniel

Re: Richard Bennett, NANOG posting, and Integrity

[Daniel Corbe]

I don't have much to add to this discussion, but...

Richard Bennett rich...@bennett.com writes:

 I'm also not enthusiastic about relying on government programs
 to upgrade infrastructure to fiber of some random spec, because the
 entry of government into this market suppresses investments by
 independent fiber contractors and doesn't necessarily lead to optimal
 placement of new fiber routes. The First Net experience is proving
 that to be the case, I believe.

People will eventually come to rely on the Internet as a critical piece
of infrastructure.  And many already do.  Provisioning service and
routing packets needs to be separated from provisioning physical access
in any form.  If the governments need to step in to do the latter, I'm
happy for them to do so as long as it falls under some lattice of
framework similar to the public utilities commission.  So that the
localities responsible for maintaining the infrastructure are compelled
to act responsibly. 

Or if you *really* want to be in the business of owning infrastructure
on a commercial basis, your business should be wavelengths, not packets.

 
 In other words, the Internet that we have today isn't the best of all
 possible networks, it's just the devil we know.


-Daniel

Re: Verizon Public Policy on Netflix

[Daniel Corbe]

Ca By cb.li...@gmail.com writes:

 On Jul 22, 2014 7:04 AM, Jared Mauch ja...@puck.nether.net wrote:

 Verizon wireless has other transits apart from 701.


 That's interesting that they have a different capacity management strategy
 for the competitive wireless market than they have for their captive
 landline customers.

 Seems market forces are making wireless a functional network without the
 peering brinksmanship while market failings are allowing landline to take
 advantage of a captive install base


Or it could be that they're just functionally two different business
units.  From what my contacts at Verizon Wireless tell me, Verizon
Business move at a glacial pace, so they buy circuits from whomever they
can.  

Re: Cheap LSN/CGN/NAT444 Solution

[Daniel Corbe]

I use the Thunder for CGNAT but I've never tried to do NAT444 with it.  

The thing I like about A10 is their TAC is awesome.  If they say the box
supports something, then their TAC people will break their backs to try
and get it working for you.  

-Daniel

Skeeve Stevens skeeve+na...@eintellegonetworks.com writes:

 Hi all,

 I have had the A10 Thunder platform recommended off-list by a couple of
 people and by all reading it looks good, but anyone can do good marketing
 material.

 Anyone else here used the Thunder (looking at the 930 or 1030S, maybe even
 the vThunder) as a NAT444/LSN solution?


 ...Skeeve

 *Skeeve Stevens - *eintellego Networks Pty Ltd
 ske...@eintellegonetworks.com ; www.eintellegonetworks.com

 Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

 facebook.com/eintellegonetworks ;  http://twitter.com/networkceoau
 linkedin.com/in/skeeve

 experts360: https://expert360.com/profile/d54a9

 twitter.com/theispguy ; blog: www.theispguy.com


 The Experts Who The Experts Call
 Juniper - Cisco - Cloud - Consulting - IPv4 Brokering


 On Mon, Jun 30, 2014 at 3:59 PM, Skeeve Stevens 
 skeeve+na...@eintellegonetworks.com wrote:

 Hi all,

 I am sure this is something that a reasonable number of people would have
 done on this list.

 I am after a LSN/CGN/NAT444 solution to put about 1000 Residential profile
 NBN speeds (fastest 100/40) services behind.

 I am looking at a Cisco ASR1001/2, pfSense and am willing to consider
 other options, including open source Obviously the cheaper the better.

 This solution is for v4 only, and needs to consider the profile of the
 typical residential users.  Any pitfalls would be helpful to know - as in
 what will and and more importantly wont work - or any work-arounds which
 may work.

 This solution is not designed to be long lasting (maybe 6-9 months)... it
 is to get the solution going for up to 1000 users, and once it reaches that
 point then funds will be freed up to roll out a more robust, carrier-grade
 and long term solution (which will include v6). So no criticism on not
 doing v6 straight up please.

 Happy for feedback off-list of any solutions that people have found work
 well...

 Note, I am in Australia so any vendors which aren't easily accessible down
 here, won't be useful.


 ...Skeeve

 *Skeeve Stevens - *eintellego Networks Pty Ltd
 ske...@eintellegonetworks.com ; www.eintellegonetworks.com

 Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

 facebook.com/eintellegonetworks ;  http://twitter.com/networkceoau
 linkedin.com/in/skeeve

 experts360: https://expert360.com/profile/d54a9

 twitter.com/theispguy ; blog: www.theispguy.com


 The Experts Who The Experts Call
 Juniper - Cisco - Cloud - Consulting - IPv4 Brokering

Level3 IP contact

[Daniel Corbe]

If anyone from Level3 here that might be able to help me solve a transit issue 
out of east Africa, please contact me off-list.

Re: Megaupload.com seized

[Daniel Corbe]

Anon has already retaliated

http://rt.com/usa/news/anonymous-doj-universal-sopa-235/

On Thu, Jan 19, 2012 at 04:41:02PM -0600, Ryan Gelobter wrote:
 The megaupload.com domain was seized today, has anyone noticed significant
 drops in network traffic as a result?
 
 http://www.scribd.com/doc/78786408/Mega-Indictment
 http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/