Re: Outside plant - prewire customer demarc preference

2023-12-06 Thread Gary Buhrmaster
On Wed, Dec 6, 2023 at 3:45 AM Sean Donelan  wrote:

> U.S. NEC does not require any mechanical protection for fiber cables.  You
> can run "bare" fiber cables through most residential spaces (with a few
> exceptions for jacket material, i.e. direct burial cable not allowed
> inside habitable spaces).

I also recall the requirement for "plenum rated cable"
in some cases (but not typically in residential spaces
as the ceilings are not typically part of the expected air
circulation system, although, as with all else, your
residence will vary).


Re: Outside plant - prewire customer demarc preference

2023-11-30 Thread Gary Buhrmaster
On Fri, Dec 1, 2023 at 1:56 AM owen--- via NANOG  wrote:

> However, apparently ENT was a predecessor to that, I just hadn’t encountered 
> it until now. I don’t recall even seeing it in the aisles at local HDs. I’ll 
> have to look for it.

Apparently I spend more time roaming the aisles
of the big box home improvement supply stores
than you do (I am not proud of that, I just do(*)).
I have seen it, and all the associated connectors,
and alternatives, for years, although for various
reasons I prefer to use the local electrical supply
stores when possible to source items (yes, they
can be more expensive for some items, but they
can also supply items that only the pros know
even exist, so I prefer supporting stores that
have that deep competency and supply sourcing).


(*) I do not visit the local big box home
improvement stores more than once a month
or so, but whenever I do I also walk down the
aisles which include electrical items even if
I have zero reason to purchase any items
just to level-set my list of items they stock.


Re: Advantages and disadvantages of legacy assets

2023-11-22 Thread Gary Buhrmaster
On Wed, Nov 22, 2023 at 8:14 PM William Herrin  wrote:

> It still seems unwise, but not entirely insane.

I would expect that at some point in the future
that many/all of the major players will require
RIR validated routing information, and whether
that is due to regulation or best practices for
which the majors will not want to become liable
for ignoring (and "think of the children") is hard
to know.  In the end I suspect we are likely just
trying to discern when that date will be, not the
eventual end result ("not today" is not, really,
a valid target goal).


Re: Article: DoD, DoJ press FCC for industry-wide BGP security standard

2022-09-20 Thread Gary Buhrmaster
On Tue, Sep 20, 2022 at 5:40 PM Randy Bush  wrote:

> to remind, ROV is a safety mechanism, not a security mechanism.  it is
> proving, as intended, to mitigate mistakes.  which is very cool.  but it
> does not mitigate attacks of any sophistication.

Mitigating against mistakes has value, and in some cases
so does being able to strongly suggest that there was a
more sophisticated approach taken.


Re: questions about ARIN ipv6 allocation

2021-12-06 Thread Gary Buhrmaster
On Mon, Dec 6, 2021 at 5:59 PM Owen DeLong  wrote:

> The situation is such that the current economic incentives would be most 
> advantageous to me to preserve my LRSA and abandon my RSA, which would 
> involve simply turning off IPv6.

While the details are certainly yours to keep private,
from other statements made, or implied, it sounded
as if consolidating all your resources under a single
RSA was the most financially advantageous to you
*today* (as in saving you money *today*).  And all
that while allowing you to continue to be connected
to the entire Internet (which includes IPv6), which
I would presume you wish to be.

Of course, it does go without saying, that no one
can predict future fees, so whether one would
continue to save with a combined RSA, and for
how long, is unknowable.  You place your bets
and take your chances (in ten to twenty years
we will know if moving to a consolidated RSA
would have saved you money vs. separate
accounts).  That those that feel their admitted
foolishness in the past may influence their
future choices, is a given.


Re: questions about ARIN ipv6 allocation

2021-12-05 Thread Gary Buhrmaster
On Sun, Dec 5, 2021 at 2:23 PM Owen DeLong via NANOG  wrote:

> The double billing (had it been present at the time) would have prevented me 
> from signing the LRSA for my IPv4 resources.

There were some community participants that suggested
that having a formal relationship with the ARIN organization
by signing the LRSA was good for the resource holders,
and good for the overall commons.   There were other
members that suggested that signing the LRSA would be
potentially disadvantageous at some future time.

While I still believe that having a formal relationship is the
better approach, even if it costs a bit more(*), I do
understand that some people may feel vindicated about
not signing a LRSA, or have changed their opinion about
whether they should have signed, or suggested others do
so.  Perhaps there are lessons to be learned here.



(*) If the number resources no longer have value
exceeding their fees for an organization, I understand
there is a robust transfer market available :-)


Re: IPv6 and CDN's

2021-11-27 Thread Gary Buhrmaster
On Sat, Nov 27, 2021 at 5:05 PM Oliver O'Boyle  wrote:

> On Sat., Nov. 27, 2021, 10:46 Scott Morizot,  wrote:
>> Since we are deploying BYO IPv6 in AWS, I can assure you they do offer it 
>> now. That was a blocker for us.

> Wonderful! When did they start offering that?

I believe it was announced back in the first half
of 2020.

As I recall it was limited to certain regions at the
time of the original announcement (and being
AWS it probably still has some region and/or
resource specific availability limitations).


Re: DoD IP Space

2021-02-15 Thread Gary Buhrmaster
On Mon, Feb 15, 2021 at 9:36 PM Joe Loiacono  wrote:

> V8!  heh ... wow hadn't thought of that for a while ...

... Slaps forehead and says:  "Wow, I could've had a V8!"


Re: Waste will kill ipv6 too

2017-12-29 Thread Gary Buhrmaster
On Sat, Dec 30, 2017 at 2:31 AM, Michael Crapse  wrote:
> And if a medical breakthrough happens within the next 30 years? Nanobots
> that process insulin for the diabetic, or take care of cancer, or repair
> your cells so you don't age, or whatever, perhaps the inventor things ipv6
> is a good idea for such an endeavour. a nanobot is microns wide, and there
> will be billions per person, hopefully not all on the same broadcast
> domain. In fact, as you say, we should treat /64s as a /32 and a /64 for
> ptp. So each nanobot gets a /64. 10B nanobots per person times 20B people =
> oh, crap, we've exhausted the entirety of ipv6 an order of magnitude ago.
> Let alone the fact that actual usable ipv6 /64s is 2 orders of magnitude
> below that.

(the time has finally arrived)

Obligatory xkcd ref:  https://xkcd.com/865/


Re: phone fun, was GeoIP database issues and the real world consequences

2016-04-14 Thread Gary Buhrmaster
On Thu, Apr 14, 2016 at 3:32 PM, Leo Bicknell  wrote:
> So maybe 10% of all cell phones are primarily used in the "wrong" area?

Obligatory xkcd ref:  https://xkcd.com/1129/


Re: small automatic transfer switches

2016-01-27 Thread Gary Buhrmaster
On Wed, Jan 27, 2016 at 9:16 PM, William Herrin  wrote:
> On Wed, Jan 27, 2016 at 3:29 PM, Chuck Anderson  wrote:
>> Does anyone have any recommendations for a small, cheap, reliable ATS?
>
> The APC SU042 series sell for dirt on ebay.

Or the SU041 if you have some patience to wait
for a motivated seller and only need/want NEMA 5-15.

Although as all of these used devices are getting up
there in age, the reliability number is likely going
downwards (so, which two are the priority again?)


Re: Updated Ookla Speedtest Server Requirements

2015-11-09 Thread Gary Buhrmaster
On Mon, Nov 9, 2015 at 9:38 PM, Dave Taht  wrote:
> I dearly would like them to update the software to 

not require flash.  Last I knew ookla still required flash,
and one should just say no to flash.  Dslreports (and
other speed tests) work with modern browser technologies
without flash or java.


Re: ARIN just subdivided their last /17, /18, /19, /20, /21 and /22. Down to only /23s and /24s now. : ipv6

2015-06-29 Thread Gary Buhrmaster
On Mon, Jun 29, 2015 at 4:07 PM, Bob Evans b...@fiberinternetcenter.com wrote:
> It would not surprise me to find ARCnet (Datapoint's) still running in
> some corner somewhere.

Possibly next to the system running Banyan VINES.


Re: Residential VSAT experiences?

2015-06-26 Thread Gary Buhrmaster
On Fri, Jun 26, 2015 at 5:25 PM, William Herrin b...@herrin.us wrote:

> If you want to nitpick. ;)

Well, if you are going to nitpick, the earth is modeled more
closely (but still not precisely) as an oblate spheroid than a
true sphere.


Re: certification (was: eBay is looking for network heavies...)

2015-06-07 Thread Gary Buhrmaster
On Mon, Jun 8, 2015 at 4:31 AM, Tony Hain alh-i...@tndh.net wrote:
> Randy Bush wrote:
>
>> but you can't move packets on pieces of paper.
>
> Or can you?  RFC's 6214 2549 1149

But how many avian carriers would you need to move
the packets currently pushed around per second, and
how many Mercedes' would have their paint ruined from
that number of carriers, or would the number be large
enough to collapse into a star (obligatory what-if
xkcd reference:  http://what-if.xkcd.com/99/)


Re: Verizon Policy Statement on Net Neutrality

2015-02-28 Thread Gary Buhrmaster
On Sun, Mar 1, 2015 at 12:14 AM, Michael Thomas m...@mtcc.com wrote:

> If they wanted to shape DOCSIS to have better upstream,
> all they had to say is JUMP to cablelabs and the vendors
> and it would have happened.

Like DOCSIS 3.1?  If I recall correctly, theoretical
upstream up to 2.5 Gb/s.  Your implementation will
vary (and so will your roll-out dates).  I also seem
to recall a Broadcom press release about chips
and reference designs becoming available.


Re: Now that's an odd failure mode...

2015-01-30 Thread Gary Buhrmaster
On Fri, Jan 30, 2015 at 10:31 PM, Larry Sheldon larryshel...@cox.net wrote:
> HOW did they make it

Maybe the woodpecker had a little help...
Obligatory Friday xkcd ref: http://xkcd.com/614/


Re: Got a call at 4am - RAID Gurus Please Read

2014-12-10 Thread Gary Buhrmaster
On Thu, Dec 11, 2014 at 2:25 AM, Randy Bush ra...@psg.com wrote:
>> We are now using ZFS RAIDZ and the question I ask myself is, why
>> wasn't I using ZFS years ago?
>
> because it is not production on linux,

Well, it depends on what you mean by
production.  Certainly the ZFS on Linux
group has said in some forums that it is
production ready, although I would say
that their definition is not exactly the
same as what I mean by the term.

> which i have to use because
> freebsd does not have kvm/ganeti.

There is bhyve, and virt-manager can
support bhyve in later versions (but is
disabled by default as I recall).  Not
exactly the same, of course.

> want zfs very very badly.  snif.

Anyone who really cares about their data
wants ZFS.  Some just do not yet know
that they (should) want it.

There is always Illumos/OmniOS/SmartOS
to consider (depending on your particular
requirements) which can do ZFS and KVM.


Re: Shipping bulk hardware via freight

2014-11-06 Thread Gary Buhrmaster
On Thu, Nov 6, 2014 at 6:07 PM,  valdis.kletni...@vt.edu wrote:
> On Wed, 05 Nov 2014 23:11:23 -0500, William Herrin said:
>
>> Ah yes, I recall watching them decommission the old Control Data Cyber 990
>> back at Georgia Tech. The mover slipped trying to get it on the liftgate
>> and the whole cabinet dropped about a foot to the ground with a nice solid
>> thud.
>
> I know of a case where somebody managed to drop an IBM Shark storage
> array off a forklift.
>
> Amazingly enough, it still kinda sorta worked after that

And in the good ol' days (before the shark, actually) the IBM CE
assigned to your site would have worked day and night getting it
to work (and had fun doing it), replacing every part one by one if
needed while still wearing the white shirts.  But I date myself.


Re: Linux: concerns over systemd [OT]

2014-10-22 Thread Gary Buhrmaster
On Wed, Oct 22, 2014 at 9:17 PM, Jeffrey Ollie j...@ocjtech.us wrote:

> I think that Debian's plan to allow multiple init systems
> (irregardless of which one is default) is a bad plan.  The non-default
> ones won't get any love - at some point they'll just stop working (or
> indeed, work at all).

Indeed.  I believe that point was made during the
debian technical committee discussions by one
of the members of the TC (Russ, I think, although
it was such a long discussion it could have been
one of the other participants).


Re: IPv6 Default Allocation - What size allocation are you giving out

2014-10-08 Thread Gary Buhrmaster
On Thu, Oct 9, 2014 at 1:18 AM, Erik Sundberg esundb...@nitelusa.com wrote:
> I am planning out our IPv6 deployment right now and I am trying to figure out
> our default allocation for customer LAN blocks. So what is everyone giving
> for a default LAN allocation for IPv6 Customers.  I guess the idea of handing
> a customer /56 (256 /64s) or  a /48 (65,536 /64s) just makes me cringe at the
> waste.

A /48.

There is waste, and there is waste.  A /48 is not really
significant waste because IPv6 address space is so
large.  If one believes in the truly connected home or
enterprise, there will be a number of customer internal
device delegations.  Avoid having to renumber your
customers when they do those internal networks of
networks (yes, there are ways to do it transparently,
but not having to do it means you avoid the pain of
the transparent, which may not be transparent
at all).

As a residential customer, those that are handing me
smaller blocks seem to be planning to charge extra
for larger prefixes as a revenue stream (I presume
just like one got a single IPv4 address, but could pay
for more, now you get either a /64 or a /60, and get
to pay more for a /56 or /48).  I consider that short-sighted
from a customer-centric viewpoint, but I can
see the revenue stream viewpoint.  So, the only reason
not to provide a /48 is if you think it is in your business
plan to charge by the address (and hope your viable
competitors in your market space follow a similar
strategy, for I would always choose a provider that
offers me more for the same, or less, money;  I
can even hear your competitors' sales reps' spiel:
"Why build for obsolescence, we provide you all
the space you will ever need at the same price
and service level.")


Re: IPv6 Default Allocation - What size allocation are you giving out

2014-10-08 Thread Gary Buhrmaster
On Thu, Oct 9, 2014 at 4:45 AM, Faisal Imtiaz fai...@snappytelecom.net wrote:

> So, this is more of a 'opinion' / 'feel' (with all due respect) comment, and
> not something which has a (presently) compelling technical reasoning behind
> it ?

Think of something like HIPnet
  https://tools.ietf.org/html/draft-grundemann-homenet-hipnet-00
  http://www.cablelabs.com/the-future-of-home-networking-putting-the-hip-in-hipnet/
with multiple levels of home devices performing routing
(prefix delegation), with multiple networks off of each.
Even a /56 can easily end up being too little for multiple
levels in a residence.  If one believes in the IoT/IoE
hype, everything will have a IPv6 address, and many
of those devices might have multiple internal networks.
So, yes, I assert based on a feel that a /48 is the right
choice, because I am hoping to not make the same
mistakes as with IPv4, and underestimate the growth
of the network by the customers, resulting in all
sorts of convoluted workarounds for not having
enough addresses and options to do things right.
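The depth argument made in this post and in the earlier "/48" reply in this thread, worked through as an added example (not code from the thread or from any NANOG participant). It models a HIPnet-style home where every router keeps one child block for its own LAN and delegates the rest downstream, using the stdlib ipaddress module to carve real prefixes. The 4-bit (16-way) split per tier and "one LAN per router" are assumptions chosen for illustration; the /64 floor is the usual SLAAC constraint.

```python
"""Hierarchical prefix delegation depth for a /60, /56 and /48.

Added example, not from the thread.  Every router keeps one child prefix
for its own LAN and delegates the remaining children to routers below it,
nibble-aligned (4 bits, so 16 children per tier).  Nothing longer than a
/64 is ever handed to a LAN.  The 4-bit width and "one LAN per router"
are assumptions chosen for illustration.
"""
import ipaddress

BITS_PER_TIER = 4    # assumption: each router carves its block into 16 children
LAN_PREFIXLEN = 64   # a LAN is a /64 (SLAAC needs the 64-bit interface ID)


def delegation_depth(prefix: str, bits_per_tier: int = BITS_PER_TIER) -> int:
    """How many router tiers below the CPE can still receive a delegable block."""
    net = ipaddress.IPv6Network(prefix)
    return (LAN_PREFIXLEN - net.prefixlen) // bits_per_tier


def count_lans(prefix: str, tiers: int, bits_per_tier: int = BITS_PER_TIER) -> int:
    """Usable /64 LANs when every router slot in `tiers` levels is populated.

    Raises ValueError if the requested depth would push a tier past /64,
    which is the "too little for multiple levels" failure the post describes.
    """
    net = ipaddress.IPv6Network(prefix)
    if tiers == 0:
        return 1  # a leaf router uses one LAN and delegates nothing
    if net.prefixlen + bits_per_tier > LAN_PREFIXLEN:
        raise ValueError(
            f"{net} cannot delegate another tier: children would be longer than /64")
    children = list(net.subnets(prefixlen_diff=bits_per_tier))
    # children[0] is this router's own LAN block; the rest go downstream
    return 1 + sum(count_lans(str(child), tiers - 1, bits_per_tier)
                   for child in children[1:])


def report(prefixes=("2001:db8::/60", "2001:db8::/56", "2001:db8::/48")) -> dict:
    """Per-prefix summary: tiers reachable, and LANs when two tiers of routers
    (a CPE plus one layer of routers that themselves delegate) are populated."""
    out = {}
    for p in prefixes:
        try:
            two_tier = count_lans(p, 2)
        except ValueError:
            two_tier = None  # the second tier does not fit at all
        out[p] = {"depth": delegation_depth(p), "lans_with_two_tiers": two_tier}
    return out


if __name__ == "__main__":
    for prefix, row in report().items():
        print(f"{prefix:16} tiers={row['depth']}  "
              f"LANs with two tiers={row['lans_with_two_tiers']}")
```

Run as-is it prints that a /60 supports a single tier of routers below the CPE (the second tier cannot be given anything shorter than a /64), a /56 supports two, and a /48 four; changing BITS_PER_TIER shows how the picture shifts if routers delegate in smaller or larger chunks.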


Re: IPv6 Default Allocation - What size allocation are you giving out

2014-10-08 Thread Gary Buhrmaster
On Thu, Oct 9, 2014 at 5:16 AM, jamie rishaw j...@arpa.com wrote:
> (PS If I wake up in the morning and find out that someone has hacked my
> CatGenie litter boxes, I will hunt you down).

I am sure any hacking will result in taking a dump.


Re: IPv6 Default Allocation - What size allocation are you giving out

2014-10-08 Thread Gary Buhrmaster
On Thu, Oct 9, 2014 at 5:09 AM, jamie rishaw j...@arpa.com wrote:
> These arguments and debates make me sad. I suppose it's my own fault for
> assuming that everyone in this ML is a forward thinker.

Get used to disappointment.


Re: Owning a name

2014-07-30 Thread Gary Buhrmaster
On Thu, Jul 31, 2014 at 12:10 AM, Owen DeLong o...@delong.com wrote:

> Wonder how long it is before we recognize the need for an international
> technical court for such matters where the guy on the bench has to be not
> just a lawyer, but a nerd, too.

Can I nominate Judge William Alsup?


Re: Carrier Grade NAT

2014-07-29 Thread Gary Buhrmaster
On Wed, Jul 30, 2014 at 5:22 AM, Owen DeLong o...@delong.com wrote:

> On Jul 29, 2014, at 4:13 PM, Mark Andrews ma...@isc.org wrote:
>
>> Add to that over half your traffic will switch to IPv6 as long as
>> the customer has a IPv6 capable CPE.  That's a lot less logging you
>> need to do from day 1.
>
> That would be nice, but I’m not 100% convinced that it is true.

For the 99.99% of the users who believe that facebook and twitter
*are* the internet, at least facebook is IPv6 enabled.  50.00%(*)!

Yes, I think we can all stipulate that those participating
on this list are different, and have different expectations,
and different capabilities, than those other 99.99%.

Gary

(*) If we are going to make up statistics, four significant
digits looks better than one.


Re: Muni Fiber and Politics

2014-07-21 Thread Gary Buhrmaster
On Mon, Jul 21, 2014 at 8:34 PM, Owen DeLong o...@delong.com wrote:
> Whoever installs fiber first and gets any significant fraction of subscribers
> in any but the densest of population centers is a competition killer, _IF_
> you let them parlay that physical infrastructure into an anti-competitive
> environment for higher layer services.

I take it that on principle you would have petitioned against the
proposed Google Fiber roll-out in the San Jose area and would
have spoken out against it at the public hearing on June 17th
in favor of an alternative municipally funded project if you were not
otherwise engaged (the synopsis indicates no public comments
from the floor from that meeting)?  You may have missed an
opportunity to be the one to stop Google Fiber in San Jose in
preference to muni fiber, although there is never just one meeting
for such large scale projects.  I am sure you will have other
chances to offer your opinion, and encourage the council to
just say no.


Re: Muni Fiber and Politics

2014-07-21 Thread Gary Buhrmaster
On Mon, Jul 21, 2014 at 9:37 PM, Jay Ashworth j...@baylink.com wrote:

> No, but I wasn't asserting All government sucks. Ugh; you were.

All governments suck some of the time, and some
governments suck all of the time.  Your evaluation
as to the level of vacuum will depend on how often
your oxen pass the government goring centers
(part of the "you can not please all of the people
all of the time" theme).


Re: Muni Fiber and Politics

2014-07-21 Thread Gary Buhrmaster
On Mon, Jul 21, 2014 at 10:13 PM, Jay Ashworth j...@baylink.com wrote:

> Cause my mailer isn't RFC 2919 compliant.  Sorry.


Zimbra has had open "follow the damn RFCs"
tickets out there for a number of years.  Perhaps
it is past time to migrate away (fool me once,
shame on you, fool me twice, shame on me.
Fool me for three consecutive version upgrades)


Re: Net Neutrality...

2014-07-18 Thread Gary Buhrmaster
On Fri, Jul 18, 2014 at 6:49 PM, Paul S. cont...@winterei.se wrote:


> For all intents and purposes, it actually does work fine -- yeah.
>
> I've got a few friends who bought it, it seems to work fine.

This is way off topic, but 

This topic was covered back in the beginning of the year at:

  http://tiamat.tsotech.com/4k-is-for-programmers

and the followup at:

  http://tiamat.tsotech.com/4k-is-for-programmers-redux

The conclusion (in the case) was that for devs, the
goods outweigh the bads.  As always, your mileage
will vary, and some settling occurred during transport.

Note, too, that Dell, Asus, and Lenovo have newer 4K
models out there that address some of the issues
(I have explicitly tried to avoid finding the reviews because
I do not want to be forced, forced I say, to buy
a 4K monitor).


Re: Ars Technica on IPv4 exhaustion

2014-06-19 Thread Gary Buhrmaster
On Thu, Jun 19, 2014 at 10:47 PM, Owen DeLong o...@delong.com wrote:
> Ideally, it would be nice if the UNH/IOL and/or CEA could come up with a
> meaningful definition of IPv6 support and a logo to go with it that we could
> tell consumers to look for on the box. Ideally, this would be a set of
> standards that users of the logo agree to abide by rather than a fee-based
> testing regime that excludes smaller players.

You mean something like the IPv6 Ready logo at http://www.ipv6ready.org ?


Re: Credit to Digital Ocean for ipv6 offering

2014-06-18 Thread Gary Buhrmaster
On Wed, Jun 18, 2014 at 11:37 PM, Daniel Ankers md1...@md1clv.com wrote:
> On 18 June 2014 19:05, Owen DeLong o...@delong.com wrote:
>
>> OTOH, it's far better than those ridiculous providers that are screwing
>> over their customers with /56s or even worse, /60s.
>>
>> Sad, really.
>>
>> Owen
>
>
> Is giving a /56 to residential customers REALLY screwing them over?

Maybe, maybe not (it is, as much else, about perceptions) but /60
certainly seems to be screwing them over, and a /56 is the
minimum one should see (with the ability to request at least
up to a /48) IMHO.

HIPnet ( http://tools.ietf.org/html/draft-grundemann-homenet-hipnet )
suggests that a /56 is the minimum one should expect in order to
support multiple sub-delegations within the residence.  Some $CABLECOs$
appear to be delegating only a /60 to residential customers (even though
some of those same $CABLECOs$ have participated in the project;
I guess that just proves the left hand and the right hand do not talk).

Gary


Re: US patent 5473599

2014-05-07 Thread Gary Buhrmaster
On Wed, May 7, 2014 at 5:18 PM, Rob Seastrom r...@seastrom.com wrote:

> Eygene Ryabinkin rea+na...@grid.kiae.ru writes:
>
>> If you hadn't seen the cases when same VRIDs in the same network were
>> used for both VRRP and CARP doesn't mean that they aren't occurring in
>> the real world.  We use CARP and VRRP quite extensively and when we
>> first were hit by this issue, it was not that funny.
>
> +1
>
>> ...
>> but choosing OUI from the VRRP space (hijacking that space) was
>> clearly the poor design choice.  Fullstop.
>
> +\infty
>
> Either it was an intentional conflict that was meant to cause
> operational problems or it was not.
>
> If it was, then a previous characterization of CARP as a trojan is spot on.
>
> If it was not (and I'm willing to be charitable here), then the
> take-away from this is that the folks who made this decision are
> utterly clueless about standards, the reason for standards, and
> operations.  That would hardly be earth shattering news.

To be slightly less charitable, since I am having a hard time
coming up with a third option, I am forced to choose between
maliciousness and incompetence.  And I never thought the
OpenBSD team was incompetent.  Perhaps I was wrong?

But (presuming no adjustments) the patent is now expired,
and the OpenBSD team could now release CARPv2 (or
whatever they decide to call it) which would implement the
standard, should they wish to work and play well with the
standards bodies and community.

Gary


Re: Residential CPE suggestions

2014-05-05 Thread Gary Buhrmaster
On Mon, May 5, 2014 at 11:59 PM, Deepak Jain dee...@ai.net wrote:

> Any recommendation for a residential CPE that supports dual SFP uplinks (WAN)
> with either a routing protocol or a resilient Ethernet solution? Ideally, LAN
> port should be 100/1000 CAT5.  I've been looking at Mikrotik, Draytek and others.
> Looking for something in a lower three-digit price point. Otherwise I might have
> to do a pair of media converters on a copper switch/router that can do it
> (ugly!).
>
> Thanks in advance!

(No personal experience, but...)

Have you looked at the EdgeRouter Pro?  2 SFP links,
routing capability.  http://www.ubnt.com/edgemax


Re: Requirements for IPv6 Firewalls

2014-04-19 Thread Gary Buhrmaster
On Sat, Apr 19, 2014 at 2:29 PM, joel jaeggli joe...@bogus.com wrote:
> On 4/18/14, 7:04 PM, Jeff Kell wrote:
>> PCI requirement 1.3.8 pretty  much requires RFC1918
>> addressing of the computers in scope...
>
> It does not

You are correct.  In theory.  However, for those
organizations that have chosen to use a firewall
with NAT rather than apply one of the other alternatives,
the practice says that to implement IPv6, the
firewall they want needs to do NAT.

Again, telling someone that they are doing it
wrong (and that they should change) will not
be successful.  Especially if the network people
do not talk to the systems people, and do not
talk to the applications people, and do not talk
to the auditors...  Not that any organization
would be so stove-piped.  Perhaps there should
be an I-D BCP about not stove-piping organizations
too.

And, while PCI compliance was the straw-man,
I have seen other audit results that called out
a lack of using NAT too (even though they, also,
should not have done so; it was the policy that
they should have called out.  But that would
require real understanding rather than a checklist).

Gary



Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Gary Buhrmaster
On Fri, Apr 18, 2014 at 3:02 PM, William Herrin b...@herrin.us wrote:

> The main drivers behind the desire for NAT in IPv6 you've heard
> before, but I'll repeat them for the sake of clarity:

5. Some industries (PCI compliance) *require* NAT as part of
the audit-able requirements.  Yes, that should get changed.
But until it does, (at least some) enterprises are going to
be between a rock and a hard place.

As Bill says, the place to get this fixed is not to tell the
enterprises they are doing it wrong, but to change the
requirements that auditors measure against.  I would cheer
the effort to engage those bodies to get them to understand
that NAT is not the way (for it is not).  This does not mean
ignore the problem.  It does not mean to tell people they
are doing it wrong.  It means active engagement with such
organizations.  And it is hard, policy type, work.



Re: A little silly for IPv6

2014-03-26 Thread Gary Buhrmaster
On Wed, Mar 26, 2014 at 12:55 PM, rw...@ropeguru.com rw...@ropeguru.com wrote:
> I want to see HIS source of how many atoms are actually on the earth.
> Somehow, I do not think anyone knows that answer. So his comparison is a
> joke.

Obligatory xkcd ref:  https://xkcd.com/865/



Re: Level 3 blames Internet slowdowns on Technica

2014-03-24 Thread Gary Buhrmaster
On Tue, Mar 25, 2014 at 3:56 AM, Naslund, Steve snasl...@medline.com wrote:
> You are right but that is usually how it works with fiber because that last
> drop to the home is a pretty expensive piece that you don't usually want
> installed until it is needed.  The LECS usually don't even light a building
> unless there is a service that requires it.  I was trying to make the point
> that $700 - 800 per premise as quoted seems extremely low to me.

If one believes the estimates from the Google Fibre rollout in Kansas City
(and I suspect they are all wrong, but they probably have the magnitude right)
the cost was (about) $600/premise passed.  As you point out, the passed
part is important, and did not include that last 100 yards of install and
equipment.  But that last 100 yards (and equipment) does not need to be
spent until a subscriber signs on the dotted line.  So the order of magnitude
to pass a premise is roughly consistent between this known example of
a recent build-out, and Jay's numbers, with all the right stars in alignment
(I believe Google Fibre got agreements in advance regarding abbreviated and
expedited zoning and permitting, which would likely have substantially
decreased their costs (having seen how long/expensive that can take, I
can understand why they wanted those agreements in place up front)).

Now, whether a city would want to float a 30 year bond for city fibre, or
for a new ballpark, or a new pier (or do all three and increase taxes by
maybe 10%) and trust that "if you build it, they will come" is a different
question.



Re: L6-20P - L6-30R

2014-03-20 Thread Gary Buhrmaster
On Thu, Mar 20, 2014 at 4:00 PM, Rob Seastrom r...@seastrom.com wrote:

> Lamar Owen lo...@pari.edu writes:
>
>> Actually, there is no NEC 384.16 any more, at least in the 2011 code.
>
> Guilty.  I reflexively reached for my 2008 copy since that's the code
> of record here where I live.  Glad we're not on 2011, wish we were
> still on 2005; a lot of stupidity has crept in since then.  Tamper-resistant
> receptacles required in the unfinished basement shop?  *really*?

Think of the children!

I hear the 2017 edition of NFPA 70 (aka NEC) may require
one to turn off the power to the entire household in order to
plug in a coffee maker to minimize potential arc flash hazard
(just kidding).

Gary



Re: NetSol opts domain customers into $1800 Security program?

2014-01-22 Thread Gary Buhrmaster
On Wed, Jan 22, 2014 at 7:20 PM, Barry Shein b...@world.std.com wrote:

> P.S. Doing that, removing auto-renew, changes you to receiving urgent
> email from them once a week or so starting 90 days in advance about
> how your domain is ABOUT TO EXPIRE!

Sort of reminds me of the late night TV ads for ginsu knives:
So you don't forget, call before midnight tonight!

Gary



Re: turning on comcast v6

2014-01-03 Thread Gary Buhrmaster
On Fri, Jan 3, 2014 at 4:09 PM, Leo Bicknell bickn...@ufp.org wrote:

> Rogue RA's can take down statically IPv6'ed boxes.
>
> Rogue DHCP servers will never affect a statically configured IPv4 box.

I believe that that would depend on whether your configuration
of a static IPv6 address on your box also disabled accepting RA.
On Linux, I believe it is something like net.ipv6.conf.if.autoconf=0
and net.ipv6.conf.if.accept_ra=0 (could easily be typos there,
doing it from memory).  As with much else, your devops
scripts/processes may need to change for IPv6 vs IPv4
(which is why, especially for enterprises, it is not as easy as
just turning it on).
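A small audit of the two knobs this post names, as an added example (not code from the thread or from any NANOG participant): it walks a /proc/sys-style tree and flags interfaces that still honour router advertisements, then emits the sysctl.d lines that make a statically addressed interface ignore them. The tree root is a parameter so the check runs offline against a constructed copy; the interface names and values in SAMPLE are made up for that purpose, and on a real host one would pass "/proc/sys". The accept_ra meanings (0, 1, 2) are the Linux kernel's documented ones.

```python
"""Audit Linux IPv6 interfaces for rogue-RA exposure and emit the fix.

Added example, not from the thread.  It reads the two knobs the post names,
net.ipv6.conf.<if>.accept_ra and net.ipv6.conf.<if>.autoconf, from a
/proc/sys-style tree.  The tree root is a parameter so the check can run
against a constructed copy offline; on a real host pass "/proc/sys".
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Kernel meanings (ip-sysctl documentation): accept_ra 0 = never accept RAs,
# 1 = accept only while forwarding is off, 2 = accept even while forwarding;
# autoconf 1 = build SLAAC addresses from RA prefix options.
SKIP = {"all", "default", "lo"}   # pseudo-entries and loopback carry no RA risk


def read_knob(conf_dir: Path, name: str) -> Optional[int]:
    """Integer value of one sysctl file, or None if it is absent or unreadable."""
    try:
        return int((conf_dir / name).read_text().strip())
    except (OSError, ValueError):
        return None


def audit_ra(root: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for interfaces that still trust RAs."""
    findings: Dict[str, List[str]] = {}
    conf_root = Path(root) / "net" / "ipv6" / "conf"
    for conf_dir in sorted(conf_root.iterdir()):
        ifname = conf_dir.name
        if ifname in SKIP or not conf_dir.is_dir():
            continue
        accept_ra = read_knob(conf_dir, "accept_ra")
        autoconf = read_knob(conf_dir, "autoconf")
        forwarding = read_knob(conf_dir, "forwarding")
        problems: List[str] = []
        if accept_ra is None or autoconf is None:
            problems.append("cannot read accept_ra/autoconf")
        else:
            if accept_ra == 2:
                problems.append("accept_ra=2: RAs honoured even while forwarding")
            elif accept_ra == 1 and forwarding != 1:
                problems.append("accept_ra=1: RAs honoured (host is not forwarding)")
            if autoconf == 1 and accept_ra != 0:
                problems.append("autoconf=1: SLAAC addresses taken from any RA")
        if problems:
            findings[ifname] = problems
    return findings


def hardening_sysctls(ifname: str) -> str:
    """sysctl.d fragment that makes a statically addressed interface ignore RAs."""
    return (f"net.ipv6.conf.{ifname}.accept_ra = 0\n"
            f"net.ipv6.conf.{ifname}.autoconf = 0\n")


def build_fake_proc(spec: Dict[str, Dict[str, int]]) -> str:
    """Constructed /proc/sys lookalike for offline runs: {iface: {knob: value}}."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for ifname, knobs in spec.items():
        d = Path(root) / "net" / "ipv6" / "conf" / ifname
        d.mkdir(parents=True)
        for knob, value in knobs.items():
            (d / knob).write_text(f"{value}\n")
    return root


# Constructed sample: eth0 has a static address but kernel-default RA handling,
# eth1 is hardened, eth2 is a forwarding box that still honours RAs.
SAMPLE = {
    "lo":   {"accept_ra": 1, "autoconf": 1, "forwarding": 0},
    "eth0": {"accept_ra": 1, "autoconf": 1, "forwarding": 0},
    "eth1": {"accept_ra": 0, "autoconf": 0, "forwarding": 0},
    "eth2": {"accept_ra": 2, "autoconf": 0, "forwarding": 1},
}

if __name__ == "__main__":
    root = build_fake_proc(SAMPLE)
    for ifname, problems in audit_ra(root).items():
        print(ifname, "->", "; ".join(problems))
        print(hardening_sysctls(ifname), end="")
```

The check deliberately reads per-interface values rather than net.ipv6.conf.all, since the "all" and "default" entries do not reflect what an already-configured interface is doing; that is also why the same two lines belong in the provisioning scripts the post mentions, not just in a one-off sysctl call.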



Re: turning on comcast v6

2013-12-19 Thread Gary Buhrmaster
On Fri, Dec 20, 2013 at 5:42 AM, Christopher Morrow
morrowc.li...@gmail.com wrote:
> On Fri, Dec 20, 2013 at 12:30 AM, Owen DeLong o...@delong.com wrote:
>
>> I'd like to encourage people to use prefix-hint=::/48.
> ...
> I think if I ask (via wide-dhcpv6-server) for more than is going to be
> sent I don't get anything configured at all :(
>
> I'm pretty sure I get sent a /64 in the response packet, but I don't
> install that.. which leads to busted v6 configuration on my device.

I concur (with the request a /48, get a /64, not a /60).  At least
that is how I recall it used to work (I have not tried for some time
at this point, and while I know Comcast has changed things
in the interim, I am pretty sure I do not want to wait for Comcast
to time out a /64 if that is what I end up getting).  If someone
has better information, I am willing to consider a test.

Gary



Re: Caps (was Re: ATT UVERSE Native IPv6, a HOWTO)

2013-12-08 Thread Gary Buhrmaster
On Mon, Dec 9, 2013 at 6:02 AM, Jeff Kell jeff-k...@utc.edu wrote:
> ... With 3270 you have little choice other
> than full screen transactions.

It has been a long long time, but for the truly crazy, I
thought it was possible to write single characters at a
time (using a Set Buffer Address and then the character)
as long as you had set up the field attributes previously.
Lots of transactions, but one could appear to write out
individual characters as slowly as the KSR 33 it replaced.
Or perhaps my 3270 memory has finally faded away.

Gary



Re: ATT UVERSE Native IPv6, a HOWTO

2013-12-02 Thread Gary Buhrmaster
On Mon, Dec 2, 2013 at 11:47 PM, Owen DeLong o...@delong.com wrote:

> (Hint, NEST has already released an IPv4 smoke detector).

And they really should have enabled IPv6 on it :-(
But the processor should be able to handle it, if
they update the firmware. I hear Tado does IPv6.



Re: ATT UVERSE Native IPv6, a HOWTO

2013-11-29 Thread Gary Buhrmaster
On Thu, Nov 28, 2013 at 9:07 PM, Leo Vegoda leo.veg...@icann.org wrote:

 Is a /60 what is considered generous these days?

I do not think so.  I think that is more minimal than generous.

 I thought a /48 was
 considered normal and a /56 was considered a bit tight. What prefix
 lengths are residential access providers handing out by default these
 days?

A /60 appears (by reports from ATT and Comcast customers)
to be the current behavior for some residential access
providers.  I am sure one can find counter examples.

And while I can rationalize the thinking (I suspect few
home users currently use more than 16 internal networks),
with solutions that will eventually depend on further prefix
sub-delegation downstream (aka HIPNet), /60 feels a bit tight.
I would certainly feel more comfortable seeing the providers
start offering at least a /56, if not a /48, if requested by the
customer.

It is conceivable that the residential providers intend to offer
more than a /60 at additional costs (as they offer more than
one IPv4 address today), or to offer more than a /60 only to
those that request it (to minimize some perceived waste
of IPv6 numbers).  I would expect that Business customers
will almost certainly see different offerings (/48s?).  It is also
conceivable that the residential providers have not (yet)
thought it all through.

Gary



Re: OT: Below grade fiber interconnect points

2013-11-15 Thread Gary Buhrmaster
On Fri, Nov 15, 2013 at 9:25 PM, Jay Ashworth j...@baylink.com wrote:
...
 Yeah; cranes are a bitch.  :-)

No, it is arranging for a rigging crew and the
safety plan reviews for the lift (at least in any
major company/institution which wants to
stay on the happy side of OSHA; and has
counsel that suggests that the risks of not
following the process is likely a CEE).

Gary



Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic

2013-11-01 Thread Gary Buhrmaster
On Fri, Nov 1, 2013 at 4:43 AM, Anthony Junk anthonyrj...@gmail.com wrote:
...
 It seems as if both Yahoo and Google assumed that since they were private
 circuits that they didn't have to encrypt.

I actually cannot see them assuming that.  Google
and Yahoo engineers are smart, and tapping fibres
has been well known for, well, forever.  I can
see them making a business decision that the
costs would be excessive to mitigate against
tapping(*) that would be allowed under the laws
in any event.

Gary

(*) A mitigation was to run the fibre through your
own pressurized pipe which you monitored for loss
of pressure, so that even a hot tap on the pipe
itself would possibly be detected (and there are
countermeasures to countermeasures
to countermeasures of the various methods).
And even then, you had to have someone walk
the path from time to time to verify its integrity.
And I am pretty sure there is even an NSA/DOD
doc on the requirements/implementation to do
those mitigations.



Re: Urgent: rack mounting kit / rack shelf

2013-07-05 Thread Gary Buhrmaster
On Fri, Jul 5, 2013 at 8:16 PM, Mike Lyon mike.l...@gmail.com wrote:
 Frys on Kifer

Fry's is actually on Arques Ave in Sunnyvale.

Not sure about all the Fry's, but the Sunnyvale store has re-imagined
itself (no longer has rows upon rows of 8' shelves, they are now all
about 5' tall, so you get a more open store experience) and no longer
has quite the amount of rack stock on display it once had.  I presume
they have it in the back storeroom if one asks.

+1 for Weirdstuff for random new-to-you racks and accessories
(and I believe they have even more in their warehouse area, if you
ask).

Gary



Re: Security over SONET/SDH

2013-06-24 Thread Gary Buhrmaster
On Mon, Jun 24, 2013 at 9:37 PM, Jamie Bowden ja...@photon.com wrote:

 Actually, you CAN do that, but you have to apply for ITAR exceptions.  EXIM 
 is complex and you really want a good legal team who are familiar with it 
 hand holding you through it (and on extended retainer going forward...).

We used to joke that our export control officer was the designated felon
(in the case that the process/decision was wrong, that person was the
one going to go to prison (and note the US Govt takes ITAR controls very
very seriously; do not guess, do not even think about guessing; do not
even think that the words in the regs mean what you think they mean)).

Gary



Re: why haven't ethernet connectors changed?

2012-12-20 Thread Gary Buhrmaster
On Thu, Dec 20, 2012 at 10:20 AM, Michael Thomas m...@mtcc.com wrote:

 So why, oh why, nanog the omniscient do we still use rj45's?

Because 8P8C connectors are well understood (both
physically, and electrically)?  And inertia matters.

On some newer kit, Apple has removed the Ethernet port
and uses a Thunderbolt-to-Ethernet dongle.  Apple
seems to think Ethernet ports are too big.



Re: Whats so difficult about ISSU

2012-11-11 Thread Gary Buhrmaster
On Sun, Nov 11, 2012 at 1:45 AM, Saku Ytti s...@ytti.fi wrote:
 ... Or is GPL not really problematic
 issue, as you can hide your intellectual property in binary kernel modules?

GPLv2, which governs the Linux Kernel, does tolerate use of
binary kernel modules under some conditions (the classic
example is the nVidia driver blob which uses a GPL shim).
Regardless, most lawyers would advise a company to avoid
being a test case for some of the poorly defined terms used in
the license, including derivative work.  A recent paper
discussing the issue can be found at:

LOADED QUESTION: EXAMINING LOADABLE KERNEL
MODULES UNDER THE GENERAL PUBLIC LICENSE V2

http://digital.law.washington.edu/dspace-law/bitstream/handle/1773.1/1115/7WJLTA265.pdf?sequence=8

Gary



Re: Whats so difficult about ISSU

2012-11-11 Thread Gary Buhrmaster
On Sun, Nov 11, 2012 at 7:31 AM, Felipe Zanchet Grazziotin
fel...@starbyte.net wrote:
...
 If your silicon vendor supports BSD's, of course.
 From my (little) experience most vendors SDK will be available to
 Linux and vxWorks but not BSD.
 This limits companies that are building equipment based on third
 parties ASIC to use anything but Linux.

You are right, of course, since the silicon vendors'
customers decide what they want the device to support,
and that is (currently) Linux and VxWorks.  Some BSD
folk are trying to change that, by investing their time in
the patches/ports needed to support additional
embedded processor types/derivatives and make it a
viable platform.  There is even a Raspberry Pi port now
available for FreeBSD as I recall.  Ideally those efforts
will produce a viable ecosystem for BSD in this space.

Gary



Re: RPKI Pilot Participant Notice

2012-09-05 Thread Gary Buhrmaster
On Wed, Sep 5, 2012 at 7:24 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
 a closer (by me) reading of:
  In order to access the
 production RPKI TAL, you will first have to agree to ARIN's Relying
 Party Agreement before the TAL will be emailed to you. To request the
 TAL after the production release, follow this link:
 http://www.arin.net/public/rpki/tal/index.xhtml;

 though kinda leads me into the hole randy/richard fell into... 'to
 poke the TAL and figure out where things are, you have to sign an
 agreement'.

My interpretation was what Randy implied, and that ARIN
wants an agreement with everyone who gets a (presumably
unique to the agreement) TAL to protect ARIN.  That would
seem like a lot of overhead to maintain to me (since as I recall
a TAL may never, ever (ok, very rarely) change), but then
appropriate risk management has always been an interesting
thing to watch in the (potentially litigious) ARIN region.

Gary



Re: DNS caches that support partitioning ?

2012-08-19 Thread Gary Buhrmaster
Re: LRU badness

One approach is called adaptive replacement cache (ARC) which is
used by Oracle/Sun in ZFS, and was used in PostgreSQL for a time
(and slightly modified (as I recall) to be more like 2Q due to
concerns over the IBM patent on the algorithm).  Unfortunately,
we do not have any implementations of the OPT (aka clairvoyant)
algorithm, so something like 2Q might be an interesting approach
to experiment with.

Gary
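As an added illustration of the LRU versus 2Q point in the post above (example code written for this page, not from the thread or from any project it names): a plain LRU beside a simplified 2Q cache, both run over a constructed DNS query mix in which a small set of hot names is interleaved with one-shot names of the kind a random-subdomain flood or a scanner produces. The resolver stub `fake_resolve`, the name patterns, and the partition sizes (`kin_frac`, `kout_mult`) are assumptions chosen for the demonstration; the `am`/`a1in`/`a1out` names follow the 2Q paper's terminology.

```python
"""Scan-resistant caching: plain LRU beside a simplified 2Q cache.

Added illustration; not code from the thread.  The resolver is a stub
and the query mix (a small hot set interleaved with one-shot names) is
constructed here, so everything runs offline.
"""
from collections import OrderedDict


class LRUCache:
    """Plain LRU: every miss inserts at MRU, the LRU entry is evicted."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.data = OrderedDict()
        self.hits = 0
        self.misses = 0

    def get(self, key, loader):
        if key in self.data:
            self.data.move_to_end(key)
            self.hits += 1
            return self.data[key]
        self.misses += 1
        value = loader(key)
        self.data[key] = value
        if len(self.data) > self.capacity:
            self.data.popitem(last=False)  # drop the LRU entry
        return value


class TwoQCache:
    """Simplified 2Q (Johnson & Shasha, 1994) with fixed partitions.

    A1in:  FIFO of first-touch entries; one-shot names die here cheaply.
    A1out: ghost FIFO of keys only, recently evicted from A1in.
    Am:    LRU of entries touched again while still known to A1in/A1out;
           only these earn a long-lived slot.
    Partition sizes (kin_frac, kout_mult) are assumptions for this demo.
    """

    def __init__(self, capacity, kin_frac=0.25, kout_mult=2):
        self.kin = max(1, int(capacity * kin_frac))
        self.am_cap = capacity - self.kin
        self.kout = capacity * kout_mult  # keys only, so cheap to keep many
        self.a1in = OrderedDict()
        self.a1out = OrderedDict()
        self.am = OrderedDict()
        self.hits = 0
        self.misses = 0

    def get(self, key, loader):
        if key in self.am:
            self.am.move_to_end(key)
            self.hits += 1
            return self.am[key]
        if key in self.a1in:
            self.hits += 1  # no reordering: A1in is a FIFO
            return self.a1in[key]
        self.misses += 1
        value = loader(key)
        if key in self.a1out:
            # Second touch within the ghost window: promote to Am.
            del self.a1out[key]
            self.am[key] = value
            if len(self.am) > self.am_cap:
                self.am.popitem(last=False)
            return value
        self.a1in[key] = value
        if len(self.a1in) > self.kin:
            old, _ = self.a1in.popitem(last=False)
            self.a1out[old] = None  # remember the key, drop the value
            if len(self.a1out) > self.kout:
                self.a1out.popitem(last=False)
        return value


def fake_resolve(name):
    """Stub for the upstream lookup (constructed; no network)."""
    return "192.0.2.1"


def run_workload(cache, hot=20, scan_per_hot=5, rounds=10):
    """Hot names reused every round, each followed by one-shot scan names.

    Returns (hits, misses) for the cache after the whole mix.
    """
    scan_id = 0
    for _ in range(rounds):
        for h in range(hot):
            cache.get(f"hot{h}.example.", fake_resolve)
            for _ in range(scan_per_hot):
                cache.get(f"x{scan_id}.example.", fake_resolve)
                scan_id += 1
    return cache.hits, cache.misses


def compare(capacity=100):
    """Run the same constructed mix through both caches."""
    return {
        "lru": run_workload(LRUCache(capacity)),
        "2q": run_workload(TwoQCache(capacity)),
    }


if __name__ == "__main__":
    for name, (hits, misses) in compare().items():
        print(f"{name}: hits={hits} misses={misses}")
```

With this mix, the one-shot names push every hot name out of the plain LRU before it is reused, so the hot set never hits. 2Q parks first-touch names in the small A1in FIFO and promotes a name only if it is touched again while its key is still in the A1out ghost list, so after one warm-up round the hot set lives in Am and the scan traffic cannot evict it. Ghost entries hold keys only, which is why A1out can be larger than the cache itself.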



Re: US House to ITU: Hands off the Internet

2012-08-03 Thread Gary Buhrmaster
On Fri, Aug 3, 2012 at 6:06 PM, Patrick W. Gilmore patr...@ianai.net wrote:

 Unanimous?  I didn't think this congress could agree the earth is round 
 unanimously.

Perhaps because the earth is usually more properly described as an
oblate spheroid...

Gary



Re: EBAY and AMAZON

2012-06-12 Thread Gary Buhrmaster
On Tue, Jun 12, 2012 at 4:33 PM, Michael R. Wayne wa...@staff.msen.com wrote:
...
 It is important to understand that there is nothing inherent in the
 Windows experience which prohibits security. Rather, it is a
 deliberate design choice on the part of MS.

Windows.  A strange game.  The only winning move is not to play.
How about a nice game of FreeBSD?



Re: CVV numbers

2012-06-10 Thread Gary Buhrmaster
On Sun, Jun 10, 2012 at 8:02 AM, Owen DeLong o...@delong.com wrote:

 The skimmers can use CVV1 and bypass the CVV2 protection in most
 cases (though that requires them to gen up a fake or fraudulent card and
 do card present transactions which does add risk for them).

Not so much for them, but the sacrificial mules that go to the (physical)
stores (and the mules, at best, know the location to meet their handler,
who is not even the person/group responsible for the acquisition of the
numbers, but just another middle person).

 It costs almost nothing, so a few fraudulent transactions blocked is probably
 enough. That doesn't change the fact that I believe there have to be more
 effective methods that wouldn't cost much more.

One of the CC industry think tanks (the think tank part of First Data; to
be honest, I am not sure that part still exists) has proposed various
alternatives over the years (including a true non-traceable cash type of
CC alternative that was sort of appealing), but the priority of the banks
continues to be to ensure convenience (with minimal losses for the banks),
and almost all of the alternatives involved some sort of additional
inconvenience to the customer.  If you can come up with a good alternative,
there are many many millions to be made.  I am not smart enough to
be able to come up with a clearly better alternative (other than a
personal optimization to remember all the CC numbers, including the
CVV2, as you stated you do).

Gary



Re: WW: Colo Vending Machine

2012-02-22 Thread Gary Buhrmaster
On Wed, Feb 22, 2012 at 08:09, Joel jaeggli joe...@bogus.com wrote:
...
 If we just stop printing things the problem goes away.

I think Xerox promised me a paperless office
(starting in the 1980s?).  I am still waiting.



Re: Common operational misconceptions

2012-02-17 Thread Gary Buhrmaster
On Fri, Feb 17, 2012 at 06:52, -Hammer- bhmc...@gmail.com wrote:
 Let me simplify that. If you are over 35 you know how to troubleshoot.

 Yes, I'm going to get flamed. Yes, there are exceptions in both directions.

Necessity is the mother of invention.

Long before there was a Grainger (and Home Depot) in
every city, and you could get parts shipped overnight,
one had to make do, and making do meant being
able to figure things out to be able to git r done
with what you had on hand, or could figure out.

When working on my Grandfather's farm, I did not
look for work to do (actually, I looked for ways
not to do any work :-), but if the project required
pulling out the oxy-acetylene torch to cut and
weld something onto the tractor to get something
done, that is what you had to do, so you did it.
If the TV went on the blink (they all did then),
you opened up the back, looked for fried
components, and if one of the resistors was
smoking, you soldered in a replacement.  Or
you took the tubes down to the local drugstore
and tested them.  Even if you had no idea what
you were doing, you were willing (and expected)
to give it a shot, and try to fix it.  More often
than not you learned something along the way,
even if it took hours to figure it out (and had to
repair your repair a few times :-).  For those
without the capabilities, you took it to the shop,
where someone else did the troubleshooting
and repair.

Along the line, the costs of technicians to
do that type of work started to exceed the
cost of simply replacing the entire unit
(how many people remember when going
to the auto dealer that the cost of the parts
far exceeded the cost of the labor?  Now it
is the other way around).  Troubleshooting
became a lost art.  Swap 'til you drop
became the mantra.  It became the cost
effective way to do repairs.

There are advantages to the new way of
disposable devices, but almost no one
knows how they work anymore, and they
do not care to know.  The members of this
list are likely to be sufficiently self selected
to be in the minority of actually wanting to
know.

There is a (small) backlash of people who
are trying to get back into the world of
actually building things, and understanding
how they work (popularized by such things
as Make magazine, and Maker Faires).

Gary



Re: common time-management mistake: rack stack

2012-02-17 Thread Gary Buhrmaster
On Thu, Feb 16, 2012 at 23:29, Jeff Wheeler j...@inconcepts.biz wrote:
...
 Imagine if the CFO of a bank spent a big chunk of his time filling up ATMs.
 Flying a sharp router jockey around to far-flung POPs to install gear
 is just as foolish.

There is a theory of management that says a good manager
needs to know nothing about the staff or the jobs he is managing,
because his job is about returning profit to the shareholder,
and not about what the company does.  AFAIK, these
theories are made in the academic halls of the business
schools, which churn out MBAs, and, self-selected group
that they are, believe in (more) managers, and (more)
powerpoint business plans, and (more) theory.

I happen to come from a different background, and believe
that it has value to understand what the people who are
working for you actually do.  That does not mean the CEO
should spend all day delivering the mail (or flipping burgers),
but she had better have done it a few times, and it is a good
idea to do it from time to time to see what has changed.
It keeps the manager grounded with the reality.

(I have been told that the reason that the commanders
in the Army are reluctant to send their people to battle
is that they have experienced it, and know it is hell.
And the reason the people will go to hell for their
commander is that the commander has the moral
authority of having done it, experienced it, knows
that they are asking a lot, but it is for the common
good.  People will follow a leader who has been there,
done that, and not so much when it is just an academic
business plan on a powerpoint slide.)



Re: Common operational misconceptions

2012-02-17 Thread Gary Buhrmaster
On Fri, Feb 17, 2012 at 18:06, George Bonser gbon...@seven.com wrote:

 Fry's wanted $55 for a 1 meter LC-LC multi-mode patch cord yesterday at the 
 store on Arques in Sunnyvale.

Admittedly high, but in the same store, one set of rows to the
left (as you were looking at the fibres) they sell 12-24 rack
screws for something like $10/bag of 12.  Now *that* is
markup.



Re: Colo Vending Machine

2012-02-17 Thread Gary Buhrmaster
On Sat, Feb 18, 2012 at 01:02, George Herbert george.herb...@gmail.com wrote:

 Will IANA accept netblock transfers as an exchange medium for
 datacenter goodies vending machine payments? ...  ;-)

 Joking while busy discouraged.  s/IANA/ARIN/d'oh

I suspect ARIN would follow its policy to recognize
any transfer and update its records as long as the
needs assessment was successfully completed,
but any compensation between the seller and
buyer of the resource is not part of the ARIN process.

(This is a (bad?) joke reference to a currently
ongoing discussion on the ARIN PPML list).



Re: LX sfp minimum range

2012-01-26 Thread Gary Buhrmaster
On Thu, Jan 26, 2012 at 13:47, David Storandt dstora...@teljet.com wrote:
 You can put a 3dB or 5dB optical pad on the link if the receiver can't
 handle zero-distance optical power.

As I recall, the problem may not only be the power
(which can cause receiver saturation), but the issue that
fibre paths shorter than (around) 2-10m do not properly
condition the light(*), which can result in some issues
at the receiver.

Gary

(*) My memory says modal distribution issues.
While 'single mode' fibre only supports one
mode of transmission, it takes a short distance
for the fibre to really be single mode.  You can
use a mode filter to address the problem, or just
use fibres that are at least a few meters.



Re: AD and enforced password policies

2012-01-03 Thread Gary Buhrmaster
On Tue, Jan 3, 2012 at 05:09, Greg Ihnen os10ru...@gmail.com wrote:

 A side issue is the people who use the same password at fuzzykittens.com as 
 they do at bankofamerica.com. Of course fuzzykittens doesn't need high 
 security for their password management and storage. After all, what's worth 
 stealing at fuzzykittens? All those passwords.

Second obligatory xkcd reference (Password reuse):

http://xkcd.com/792/



Re: AD and enforced password policies

2012-01-02 Thread Gary Buhrmaster
On Mon, Jan 2, 2012 at 22:32, Jimmy Hess mysi...@gmail.com wrote:

 The sole root cause for easily guessable passwords  is  not  lack of
 technical restrictions. It's also:  lazy or limited memory humans who need
 passwords that they can remember.

 Firstname1234!    is very easy to guess, and meets complexity and usual
 length requirements.

Obligatory xkcd reference:  http://xkcd.com/936/

Gary



Re: IP addresses are now assets

2011-12-04 Thread Gary Buhrmaster
On Sat, Dec 3, 2011 at 18:18, David Barak thegame...@yahoo.com wrote:

 Should the HAC be expected to manage the transition to HumorV6?


I am not that familiar with Humorv6.  Has Hv6 had sufficient
operational input, or is it based on a philosophically pure
redesign of humor making it theoretically funny, but
in practice most of the humor falls flat?  Does it require a
redesign of the existing infrastructure (i.e. comedy clubs)
in order to get the joke?  And, of course, is the British
implementation of HumourV6 compatible with the American
implementation of HumorV6?

Gary


Re: IP addresses are now assets

2011-12-03 Thread Gary Buhrmaster
On Fri, Dec 2, 2011 at 20:01,  bmann...@vacation.karoshi.com wrote:
 
 Suggestion received and needing confirmation:

 That ARIN or a party it designates assign one or more sense(s) of humour to 
 the CEO.


I believe this suggestion suffers from being too non-specific,
and could lead to unintended consequences.  ARIN could,
for example, assign John a slapstick comedy sense of humor
and all the chairs at the next meeting would have a whoopee
cushion.  And do you really want John taking on the role
of a Don Rickles as an insult comedian?

And, of course, 87% of the population believes
that they already have an above average sense of humor
(and 62% of the population believes any statement with
a statistic in it).

I would recommend that this suggestion be revised
with community input into what type of humor can
achieve a community consensus.

Gary



Re: IP addresses are now assets

2011-12-02 Thread Gary Buhrmaster
On Fri, Dec 2, 2011 at 03:52, Robert E. Seastrom r...@seastrom.com wrote:

 In any litigation, Counsel always wins.  I often remind myself that
 there's still time to go to law school.  :-)

It may be too late.  The glory days of getting a JD
and then raking in the money are apparently over.
I remember reading recently (in the NYTimes?) that
newly minted lawyers are having a hard time finding
employment, as the customers of the law firms are
pushing back on the ever higher fees, and the firms
are responding by a combination of outsourcing some
research, and using non-lawyers for other work,
reducing the demand for (and hiring of) new lawyers.
Exceptions noted for the Harvard grads due to the OBN.



Re: Dynamic (changing) IPv6 prefix delegation

2011-11-21 Thread Gary Buhrmaster
On Mon, Nov 21, 2011 at 22:18, Nathan Eisenberg nat...@atlasnetworks.us wrote:
 Look at the number that are refusing to make generous prefix
 allocations
 to residential end users and limiting them to /56, /60, or even worse,
 /64.

 Owen,

 What does Joe Sixpack do at home with a /48 that he cannot do with a /56 or a 
 /60?

Flexibility.  With dhcpv6 prefix delegation, you are going to want devices
to be able to request (at least) /60s for further delegation (and better yet
/56s to allow them to delegate /60s with further delegation when needed).

While Joe may not have as complex of an environment as his neighbor
Sue, should we target the common Joe, or the advanced Sue?  As I
suspect Owen will say, there is no reason *not* to give out /48s
(ipv6 space is huge), and this is a good opportunity to enable the
residential user to not have to work around artificial limits in the future.

Gary



Re: Internet mauled by bears

2011-09-19 Thread Gary Buhrmaster
On Tue, Sep 20, 2011 at 01:49, Richard Barnes richard.bar...@gmail.com wrote:
 And if they turn up the voltage on the fence high enough, dinner could be
 cooked by the time the crew gets there!

Not quite.  The point of the electric fence is to discourage
moooving through it, but you do not want to kill (or
seriously injure) your livestock.  That, however, does not
always work as expected.  Cows are really dumb creatures.
And while an electric fence may discourage them, I have
seen the extra special ones just lounge against the electric
fence for a long time (I presume until the brain notices that
something does not feel right, so perhaps they should
consider, but only consider, being somewhere else).
On a good day the cow goes (or does not go) where you
want it.  On a bad day you repair the electric fence.

Gary



Re: East Coast Earthquake 8-23-2011

2011-08-24 Thread Gary Buhrmaster
On Wed, Aug 24, 2011 at 05:55, JC Dill jcdill.li...@gmail.com wrote:
 On 23/08/11 3:13 PM, William Herrin wrote:

 A. Our structures aren't built to seismic zone standards. Our
 construction workers aren't familiar with*how*  to build to seismic
 zone standards. We don't secure equipment inside our buildings to
 seismic zone standards.

 They should be.
 They should be.
 You should.

 Earthquakes can happen anywhere.  There's no excuse to fail to build/secure
 to earthquake standards.

I am not sure the original statement is completely
accurate.  At least for commercial construction,
there are (now) seismic standards.  It is true that
the right coast did not change the building codes
until (as I recall) the mid (to) late 1970s to account
for earthquakes.  I believe there are some differences
in those codes from the left coast standards, to reflect
the type and intensity of the quakes likely to occur
(and the liquefaction issues are presumably different
when the granite bedrock is practically under your feet).
However, there are a *lot* of older buildings that
predate the newer codes, and in general no monies
are allocated for seismic retrofits (except, as in
many jurisdictions, when you do major modifications
and you then have to upgrade the building to the
current codes).

As far as securing equipment, I do remember
some safety person coming around suggesting it
at one point as a possible improvement when I
worked in that region in the 90's, but, not surprisingly,
they were more worried about other safety
improvements (like snow and ice removal, and
repair of cracked sidewalks and stairs).  Priorities
for safety improvements will always be made.

Gary
(I am also not a geologist)



Re: What do you do when your Home ISP is down?

2011-08-18 Thread Gary Buhrmaster
On Thu, Aug 18, 2011 at 18:09, Eric Wieling ewiel...@nyigc.com wrote:
 Obligatory xkcd http://xkcd.com/806/

Obligatory dilbert: http://www.youtube.com/watch?v=gc2Ks3lQew8
(the first part regarding tech support)



Re: Microsoft's participation in World IPv6 day

2011-06-02 Thread Gary Buhrmaster
On Thu, Jun 2, 2011 at 21:42, Cameron Byrne cb.li...@gmail.com wrote:

 Pure speculation here, but these stats that you refer to are not a
 scientifically representative sample of the internet at large, this
 sample is a self selecting group of people who have chosen to run an
 ipv6 test.

Commonly called sample bias.  Good statistical analysis will
address (and adjust for) such bias, but that can be (very) hard
work.  As with all the CNN polls, there should be a disclaimer
on such sites that say this is not a scientific poll, but that
would ruin the fun.

Gary



Re: IPv6: numbering of point-to-point-links

2011-01-31 Thread Gary Buhrmaster
On Mon, Jan 31, 2011 at 09:13, Blake Hudson bl...@ispn.net wrote:

 I setup a p2p /127 link and found that BGP would not peer over the link;
 Changing to /126 resolved the problem. I never looked into it further
 because I had intended to use /126 from the start. My guess is that
 while BGP should be a unicast IP, Cisco's implementation uses an anycast
 in some cases, disregarding the configured unicast address.

 Just one practical example...

I suspect this is very platform/version specific, as I have run BGP
on a Cisco 6500 (SXImumble) to a Juniper MX and we had no
trouble with a /127 (although prepared to move to a /126 or whatever
if needed).  As always, your environment will vary.  I would open
a TAC case on the principle that it should work.



Re: anyone running GPS clocks in Southeastern Georgia?

2011-01-21 Thread Gary Buhrmaster
 NTP isn't going to be the only ripple.

Most of the brand name GPS NTP solutions have a clock
which is more than stable enough to survive without GPS
lock for 45 minutes(*).  Some of the more expensive units with
temperature controlled oscillators have hold times in the
many weeks.  My guess is that the NTP ripples will be
limited to those NTP servers just (or recently) booted
which have not yet achieved a stable clock state.

Gary

(*) This presumes that this test results in loss of signal
lock, and not intentionally injected false information.



Re: Want to move to all 208V for server racks

2010-12-04 Thread Gary Buhrmaster
On Fri, Dec 3, 2010 at 22:28, Owen DeLong o...@delong.com wrote:
  ... This is easily done with AC and would be quite complex
 and inefficient (especially with the technology available at the time this
 decision was made) with DC.

Correct.  Now, of course, with switched mode conversion
and power FET technology DC-to-DC converter efficiency
can be greater than 95% in optimized designs, but back
when Edison and Tesla were arguing the merits, DC
conversion was very inefficient compared to AC.



Re: Want to move to all 208V for server racks

2010-12-04 Thread Gary Buhrmaster
 48V (and some more when batteries are full) are slightly below the limit of
 non-harmful voltage.

I suspect you have never seen the pictures of a wrench
that exploded/splattered all over someone's body.
50V may not (usually, but your mileage will vary) be
able to produce enough current in a body to kill via
fibrillation, but as usually deployed it has enough
joules to kill in other ways.

50V is the number in the regs below which certain
controls are not required.  In some jurisdictions, it
also allows those that are not electricians to
perform work.

Anyone regularly working around that many joules,
no matter the voltage, has either been properly
trained in a safety regimen, or is extremely
lucky.

It is no different than people who work around
high pressure compressed air/steam.  There is
a lot of stored energy there, and you need to treat
it with respect (same with heavy weights
suspended above your head, or lots of other
examples).

Gary



Re: Want to move to all 208V for server racks

2010-12-03 Thread Gary Buhrmaster
On Thu, Dec 2, 2010 at 22:39, Seth Mattinen se...@rollernet.us wrote:
...
 Arc fault breakers are a very new code requirement which I believe is
 primarily targeted at sleeping areas. My place has them (built about 4
 years ago) on the bedroom outlet circuits. If I spin the socket switch
 on one of the table lamps too fast it'll trip.

The NFPA priority is to protect life (property/equipment
are there too, but lower in priority).

(Note that while NFPA 70 is not required, most
jurisdictions eventually turn it into their law/codes.
But exceptions exist, and your specific requirements
may vary, and not all jurisdictions adopt the new
rules immediately.  Some still (only) require
NFPA 70-2005, and not NFPA 70-2008.  There is
no known case where applying more recent
practices has resulted in liability, so some
contractors may build to 2008 when only 2005
is being enforced by the inspector).

Now that most outlets are grounded, and GFCIs are
in locations where people are likely to be the source
to ground (wet areas), one of the bigger remaining
issues for loss of life in the home due to electricity
was in the bedroom with arcing between the hot/neutral
when people were asleep (and could be overwhelmed
by the smoke before they could get out of the house).

Another addition to the code a few years ago was
what I call child proofing the outlets(*).  You will
see all new (but not existing old stock) outlets having
a (usually) mechanical cover for the slots which requires
a plug to be pushed in (only the pressure from both prongs
will open the cover) to protect against the inquisitive
fork or finger problem.

NFPA 70 does take into account industry recommendations
(for the conspiracy theorists), and the perceived return
on the costs (something that saves 1 life over 10 years
but costs billions is not likely to make it into code).

Gary

(*) Technically, I think these are called Tamper-Resistant
 Receptacles, and are required in all new work as
 of NFPA 70-2008.



Re: Want to move to all 208V for server racks

2010-12-03 Thread Gary Buhrmaster
On Fri, Dec 3, 2010 at 07:54, Chuck Anderson c...@wpi.edu wrote:

 On another note, how do you calculate N+1 power feeds in your racks?
 If you have 2 PDUs fed from two different branch circuits/UPSes/etc.
 do you just set your PDU load alarm thresholds at 50% of the max
 rating of each PDU and never load them beyond that point, so that if
 you lose one PDU/branch circuit/UPS and the dual-power servers
 transfer their load over to the other side, it doesn't get overloaded?

That would be around 40%, not 50% (80% of 50%).

Note that there are some caveats.  Some power supplies are
more or less efficient at different (low vs. high) utilizations, and
depending on the design, you are running (with 2 power
supplies) either each at (around) 50% of load, or 1 at 100%
and the other at 0%.  It is *possible* to be able to run near
60% on two UPS circuits if the power supplies are inefficient
at 50%.  But this requires a lot more design and evaluation
work than the (easy to calculate) 40% target.

Also note that *your* electrical engineer may de-rate the
circuit's capacity due to the fact that switching power
supplies generate numerous artifacts on the lines.  These
are all advanced (electrical) engineering topics.

Gary



Re: Want to move to all 208V for server racks

2010-12-03 Thread Gary Buhrmaster
On Fri, Dec 3, 2010 at 04:02, John van Oppen jvanop...@spectrumnet.us wrote:
...
 GFCI breakers are often required on large services, most large (new) 480v 
 services I have seen (1000A and larger) a have Ground fault breakers,

Actually, my recollection is that large new services include arc
suppression rather than ground fault (480V service may be floating
in any case, since it would depend on delta-wye distribution).
There have been strong efforts to protect the low voltage
electricians (in common power distribution speak, 12K+ voltage
is high voltage, less is considered low voltage; yes, this is a
different point of view).  Even with a 100Cal suit on, you really
want arc suppression at those high joule ratings to protect a life
(every master electrician has a story about arc flashes, and some
stories include the outline of the ex-individual on the opposite
wall).  It is now common when doing work on downstream devices
to reduce the arc limits so that one's life has increased protection.
A protective trip is better than the alternative.

> in fact I have seen some bad outages on entire datacenters where the main
> breakers had a lower ground-fault current setting (for tripping) than a
> branch circuit that had a phase-to-ground fault resulting in the main
> breakers tripping instead of the branch circuit.

*Proper* engineering is more than just putting in a breaker with a
high enough rating.  The days of nice resistive (think incandescent
light bulbs) or inductive (motor/transformer) loads are long gone.
Switching power supplies (or large pulse rectifiers) require a more
careful analysis.  I have seen too many upstream breakers being
set at the wrong trip values (the larger breakers have internal
adjustments), and trip first.

Gary



Re: Want to move to all 208V for server racks

2010-12-03 Thread Gary Buhrmaster
btw, one thing I do not recall seeing on this thread is that
208v avoids one of the common problems with 120v, which
is the third harmonic issue.

With the cheaper switching power supplies, one will often
see significant 3rd harmonics in the waveforms(*).  The 3rd
harmonic, across a 3 phase circuit, is additive on the
neutral.  In the worst case, your (common) neutral current
may exceed the line currents.  Proper engineering for
significant 120v distribution in new DC construction often
requires double sized neutrals to mitigate against this.
Using 208v mitigates this particular issue.

Gary

(*) There are also other harmonics, but for this
discussion, 3rd is what matters.



Re: Want to move to all 208V for server racks

2010-12-02 Thread Gary Buhrmaster
On Thu, Dec 2, 2010 at 22:07, Ricky Beam jfb...@gmail.com wrote:
...
> I think they are now a violation of the NEC.  And they were delisted by UL
> years ago.  They pose a hazard as they will not react fast enough to prevent
> a fatal shock. (and the only ones I've ever seen were outlawed as the
> breaker itself was a fire hazard.)

While I do not have a copy of NFPA 70-2011 (the latest, released
a few months ago), my reading of NFPA 70-2008 still allows GFCI
breakers (NFPA 70 is the official name for NEC).  Personally, I
prefer to specify and use GFCI outlets (and I tend to not daisy
chain) so that the fault is next to the use (and no collateral
outages occur).  Of course, specific breakers may not meet the
newest requirements.



Re: Want to move to all 208V for server racks

2010-12-02 Thread Gary Buhrmaster
On Thu, Dec 2, 2010 at 22:17, Antonio Querubin t...@lava.net wrote:
...
> You sure about that?  GFCI breakers as well as their close cousins AFCIs are
> still being sold and bought at hardware stores.

I am not sure I would call AFCIs a close cousin to the GFCI (except
that they are both more expensive than a non-xFCI breaker).  They
serve different purposes.  The (arc) faults that AFCIs are designed
to interrupt would commonly be passed through the GFCI without notice.
GFCIs are designed to protect people from shock, and AFCIs are
designed to protect against fire from the arc (which also tends to
protect people, but less directly).



Re: Did your BGP crash today?

2010-08-30 Thread Gary Buhrmaster
On Mon, Aug 30, 2010 at 15:55, Jack Bates jba...@brightok.net wrote:

...
> As good a place to break in on the thread as any, I guess. Randy and others
> believe more testing should have been done. I'm not completely sure they
> didn't test against XR. They very likely could have tested in a 1 on 1
> connection and everything looked fine.
>
> I don't know the full details, but at what point did the corruption appear,
> and was it visible? We know that it was corrupt on the output which caused
> peer resets, but was it necessarily visible in the router itself?
>
> Do we require a researcher to setup a chain of every vendor BGP speaker in
> every possible configuration and order to verify a bug doesn't cause things
> to break? In this case, one very likely would need an XR receiving and
> transmitting updates to detect the failure, so no less than 3 routers with
> the XR in the middle.
>
> What about individual configurations? Perhaps the update is received and
> altered by one vendor due to specific configurations, sent to the next
> vendor, accepted and altered (due to the first alteration, whereas it
> wouldn't be altered if the original update had been received) which causes
> the next vendor to reset. Then we add to this that it may pass silently
> through several middle vendor routers without problems and we realize the
> scope of such problems and why connecting to the Internet is so
> unpredictable.

I am not aware that anyone has provided the complete details at
this point which would include any test plans that may have been
performed.  From what I have been able to discern, it does seem
likely that a test plan that would have caught this almost had to
know of the specific issue in advance.  More testing would have
been better, but there is just too much variability out there to
assure you can do a complete test.

I am also not aware that the introduction of the attribute was
announced to the usual operational lists in advance just in
case (Ok, in this case, I mean NANOG).  This, in my mind,
is actually the bigger faux pas.  An Oh S*** moment has
happened to most of us.  It probably will happen again to
many of us.  But letting people know in advance of scheduled
changes is the important thing.

I would hope that in the future researchers will commit to
test plans to (at least) all the major vendor BGP speakers
(which, I admit, would likely not have caught this issue),
and that before introducing such new attributes into the
Internet, they would announce it to the usual operational
lists, again, just in case.  But my hopes are often dashed.

Gary



Re: DNSSEC and SSL

2010-08-21 Thread Gary Buhrmaster
On Sat, Aug 21, 2010 at 18:00, ML m...@kenweb.org wrote:
> Would a future with a ubiquitous DNSSEC deployment eliminate the market
> for commercial CAs?
>
> Would functioning DNSSEC + self signed certs be more secure/trustworthy
> than our current system of trusted CAs chosen by OS/browser developers?

See Dan Kaminsky's presentation at this year's BlackHat & Defcon
for a proposal, and the prototype glue that provides a proof of
concept.  http://www.recursion.com/talks.html (I seem to recall
the X.509/CA part starts about 3/4 of the way through the deck).

That said, Dan does not suggest that everything a CA does
is obsolete; there will still be a market for making sure that
BankOfAmerica.com really is the bank you want to do
business with (branding).