Re: No route to weather.gov
On 6/11/2014 11:13 PM, Hugo Slabbert wrote:
> No luck from here. weather.gov resolves as 204.227.127.201 for me, and I have no routes for that IP.

Likewise here, and we have various views.

UTC-Border#show ip route 204.227.127.201
% Network not in table

BGP path falls back to default route...

UTC-Border#show ip bgp 204.227.127.201
BGP routing table entry for 0.0.0.0/0, version 671407710
Paths: (4 available, best #4, table Default-IP-Routing-Table)
  Multipath: eBGP

Jeff
Re: Getting pretty close to default IPv4 route maximum for 6500/7600 routers.
On 5/6/2014 11:39 AM, Drew Weaver wrote:
> Hi all, I am wondering if maybe we should make some kind of concerted effort to remind folks about the IPv4 routing table inching closer and closer to the 512K route mark. We are at about 94/95% right now of 512K. For most of us, the 512K route mark is arbitrary but for a lot of folks who may still be running 6500/7600 or other routers which are by default configured to crash and burn after 512K routes; it may be a valuable public service.

Yes, a Sup720/PFC3CXL defaults to 512K IPv4 routes, and reconfiguring the FIB requires a reload. So I've been quietly expecting a somewhat serious meltdown when we hit 512K :)

Jeff
Re: We hit half-million: The Cidr Report
On 4/29/2014 2:06 PM, Owen DeLong wrote:
> If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or even 3) IPv6 prefixes… As a bonus, we could get rid of NAT, too. ;-)
> /me ducks (but you know I had to say it)

Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc / etc had been eliminated by process of "can't get there from here"... we expose millions more endpoints...

/me ducks too (but you know *I* had to say it)
Re: We hit half-million: The Cidr Report
On 4/29/2014 11:37 PM, TheIpv6guy . wrote:
> On Tue, Apr 29, 2014 at 7:54 PM, Jeff Kell <jeff-k...@utc.edu> wrote:
>> On 4/29/2014 2:06 PM, Owen DeLong wrote:
>>> If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or even 3) IPv6 prefixes… As a bonus, we could get rid of NAT, too. ;-)
>>> /me ducks (but you know I had to say it)
>> Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc / etc had been eliminated by process of "can't get there from here"... we expose millions more endpoints...
>> /me ducks too (but you know *I* had to say it)
> No ducking here. You forgot Nimda.
> Do you have an example from the last 10 years of this class ?

Oh? Anything hitting portmapper (tcp/135), or CIFS (tcp/445), or RDP (tcp/3389 -- CVE-2012-0002 ring any bells?). The vulnerabilities never stop. We just stop paying attention because most of us have blocked 135-139 and 445 and 3389 at the border long ago.

Now granted that 80/443 (server-side) are more dangerous these days :) But that doesn't eliminate the original risks. These are ports that were originally open by default... and if you don't have a perimeter policy, you're wrong (policy, compliance, regulation, etc). Not to mention that PCI compliance requires you are RFC1918 (non-routed) at your endpoints, but I digress...

Jeff
Re: Requirements for IPv6 Firewalls
On 4/18/2014 9:53 PM, Dobbins, Roland wrote:
> On Apr 19, 2014, at 1:20 AM, William Herrin <b...@herrin.us> wrote:
>> There isn't much a firewall can do to break it.
> As someone who sees firewalls break the Internet all the time for those whose packets have the misfortune to traverse one, I must respectfully disagree.

If end-to-end connectivity is your idea of the Internet, then a firewall's primary purpose is to break the Internet. It's how we provide access control. If a firewall blocks legitimate, authorized access then perhaps it adds to breakage (PMTU, ICMP, other blocking) but otherwise it works.

As to address the other argument in this thread on NAT / private addressing, PCI requirement 1.3.8 pretty much requires RFC1918 addressing of the computers in scope... has anyone hinted at PCI for IPv6?

Jeff
Re: Requirements for IPv6 Firewalls
On 4/18/2014 10:10 PM, Dobbins, Roland wrote:
> On Apr 19, 2014, at 9:04 AM, Jeff Kell <jeff-k...@utc.edu> wrote:
>> It's how we provide access control.
> Firewalls 'access control'. Firewalls are one (generally, very poor and grossly misused) way of providing access control. They're often wedged in where stateless ACLs in hardware-based routers and/or layer-3 switches would do a much better job, such as in front of servers:

I call BS... what do you expect closes the gap, host firewalls? Most 3rd party crap has no firewalls and gets no specific rules for local LANs or authorized users. Firewalls are front-line defense, for the crap that is too generic / misconfigured to protect itself. And there are tons of these.

Anyone ever pentested you? It's an enlightening experience.

Jeff
Re: Heartbleed Bug Found in Cisco Routers, Juniper Gear
On 4/12/2014 8:55 PM, Harry Hoffman wrote:
> Didn't Cisco already release a bunch of updates related to Anyconnect and heartbleed?

There were AnyConnect for iOS (little i, not big I) issues with heartbleed, but everything else has been mostly phone and UCS related. IOS XE is affected if you have enabled https:// administrative interface. Otherwise no (at least not yet, they're still checking).

There were, however, four separate security issues released this week that affected SSL VPN, AnyConnect, and ASAs (I had to patch our ASAs even though we do not do SSL VPN or AnyConnect, there is a DoS attack possible via SIP).
Re: Yahoo DMARC breakage
On 4/9/2014 5:24 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 09 Apr 2014 17:15:59 -0400, William Herrin said:
>> Meh. This just means list software will have to rewrite the From header to "From: John Levine <nanog@nanog.org>" and rely on the Reply-To header for anybody who wants to send a message back to the originator. Maybe this is a good thing - we can stop getting all the "sorry I'm out of the office" emails when posting to a list.
> The sort of programmer that writes out-of-mind software that doesn't employ the long well-known heuristics for detecting mailing lists (starting with checking Return-Path: for owner- and similar) will also likely disregard the Reply-To: header. This Is Not A Good Thing.

The most sane out-of-mind response should only be sent *if* the out-of-mind person is named explicitly as a recipient in the RFC822 header. Anything "To: somelist@somehost" does not qualify :)

Jeff
Re: Yahoo DMARC breakage
On 4/9/2014 6:11 PM, bmann...@vacation.karoshi.com wrote:
> On Wed, Apr 09, 2014 at 05:49:27PM -0400, Jeff Kell wrote:
>> The most sane out-of-mind response should only be sent *if* the out-of-mind person is named explicitly as a recipient in the RFC822 header. Anything "To: somelist@somehost" does not qualify :)
>> Jeff
> and just how is an algorithm supposed to detect that jeff-k...@utc.edu is a single human and not a list?

Because *I* set the out-of-office notification for my email address[es]. If I'm not in the recipient list, do not respond. This is a per user knob we are talking about here, so it knows darn well what address[es] are me.

Jeff
Re: Yahoo DMARC breakage
On 4/9/2014 7:22 PM, Larry Sheldon wrote:
> On 4/9/2014 5:11 PM, bmann...@vacation.karoshi.com wrote:
>> On Wed, Apr 09, 2014 at 05:49:27PM -0400, Jeff Kell wrote:
>>> The most sane out-of-mind response should only be sent *if* the out-of-mind person is named explicitly as a recipient in the RFC822 header. Anything "To: somelist@somehost" does not qualify :)
>>> Jeff
>> and just how is an algorithm supposed to detect that jeff-k...@utc.edu is a single human and not a list?
> It is really too bad that there is no place to put a precedence that the software could key on--with values like "bulk" or "junk" or "list".

Headers of your message include:

Precedence: list
List-Id: North American Network Operators Group <nanog.nanog.org>
List-Unsubscribe: <http://mailman.nanog.org/mailman/options/nanog>, <mailto:nanog-requ...@nanog.org?subject=unsubscribe>
List-Archive: <http://mailman.nanog.org/pipermail/nanog/>
List-Post: <mailto:nanog@nanog.org>
List-Help: <mailto:nanog-requ...@nanog.org?subject=help>
List-Subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:nanog-requ...@nanog.org?subject=subscribe>
Errors-To: nanog-bounces+jeff-kell=utc@nanog.org
Return-Path: <nanog-bounces+jeff-kell=utc@nanog.org>

Proper mail clients can provide list links based on the List- headers, but few if any actually do.

So take your pick, but my point remains, it still retains:

Date: Wed, 9 Apr 2014 18:22:51 -0500
From: Larry Sheldon <larryshel...@cox.net>
Organization: Maybe tomorrow
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
To: nanog@nanog.org
Subject: Re: Yahoo DMARC breakage

And I'm nowhere mentioned. I only appear in the envelope "RCPT TO:" RFC821 header, nowhere in the RFC822 header. It's not rocket science if you have headers available (which even Outlook can see, although you have to jump through a few hoops to see them).

Jeff
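The decision rule argued across the three posts above (send an out-of-office reply only when the recipient is explicitly named in the RFC822 To:/Cc:, and never to list or bulk mail as flagged by Precedence, List-* headers or owner-/-bounces envelope senders), written out as an added Python example; this is not code from the thread or from any mail client, and the addresses and sample messages in it are constructed.

```python
"""Out-of-office autoreply gate built from the rules argued in the thread above.

Added example, not from the list posts or any mail product. Checks, in order:
  1. never answer list/bulk mail (Precedence, List-* headers, owner-*/-bounces/-request
     envelope senders, and Auto-Submitted per RFC 3834 so two robots never loop);
  2. otherwise answer only when one of *my* addresses is explicitly named in To:/Cc:.
All example.edu/.org/.net addresses below are constructed placeholders."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr
from typing import Iterable, Optional, Tuple

LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help",
                "List-Subscribe", "List-Archive")
BULK_PRECEDENCE = {"bulk", "junk", "list"}


def list_sender_reason(msg: Message) -> Optional[str]:
    """The classic owner-*/-bounces heuristic, applied to Return-Path and Errors-To."""
    for header in ("Return-Path", "Errors-To"):
        _, addr = parseaddr(msg.get(header) or "")
        local = addr.split("@", 1)[0].lower()
        local = local.split("+", 1)[0]  # drop VERP tag: nanog-bounces+me=site -> nanog-bounces
        if local.startswith("owner-") or local.endswith(("-bounces", "-request")):
            return f"{header} looks like a list sender ({addr})"
    return None


def bulk_reason(msg: Message) -> Optional[str]:
    """Why this message must never get an autoreply, or None if it is ordinary mail."""
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in BULK_PRECEDENCE:
        return f"Precedence: {prec}"
    for header in LIST_HEADERS:
        if msg.get(header) is not None:
            return f"{header} present"
    reason = list_sender_reason(msg)
    if reason:
        return reason
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return f"Auto-Submitted: {auto}"
    return None


def named_recipients(msg: Message) -> set:
    """Addresses named in the RFC822 To:/Cc: header; the envelope RCPT TO is invisible here."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def should_autoreply(raw_message: str, my_addresses: Iterable[str]) -> Tuple[bool, str]:
    """Return (send_autoreply, reason) for one inbound message."""
    msg = message_from_string(raw_message)
    reason = bulk_reason(msg)
    if reason:
        return False, reason
    hit = {a.lower() for a in my_addresses} & named_recipients(msg)
    if not hit:
        return False, "my address is not named in To:/Cc:"
    return True, f"explicitly addressed as {sorted(hit)[0]}"


# Constructed samples; LIST_MAIL mirrors the header set the thread walks through.
LIST_MAIL = """\
Return-Path: <nanog-bounces+me=example.edu@nanog.org>
Precedence: list
List-Id: North American Network Operators Group <nanog.nanog.org>
List-Post: <mailto:nanog@nanog.org>
From: Some Poster <poster@example.net>
To: nanog@nanog.org
Subject: Re: Yahoo DMARC breakage
"""
OWNER_MAIL = """\
Return-Path: <owner-widgets@example.net>
From: Another Poster <poster2@example.net>
To: widgets@example.net
Subject: older-style list with no List-* headers
"""
DIRECT_MAIL = """\
Return-Path: <colleague@example.org>
From: Colleague <colleague@example.org>
To: Me <me@example.edu>
Cc: other@example.edu
Subject: lunch?
"""
BCC_MAIL = """\
Return-Path: <colleague@example.org>
From: Colleague <colleague@example.org>
To: friend@example.org
Subject: I was only in the envelope RCPT TO
"""
```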
Re: Anternet
On 4/5/2014 2:32 AM, Andrew D Kirch wrote:
> So, if there's more than 4 billion ants... what are they going to do?

Who knows, but they'll definitely need IPv6 :)

Jeff
Re: BGPMON Alert Questions
So we're somewhat safe until the fast food burger grills and fries cookers advance to level-3 routing? Or Daiquiri blenders get their own ASNs?

Bad enough that professional folks can goof to this extent, but scarier still that the "Internet of Everything" seems to progress without bounds...

Jeff

On 4/2/2014 11:43 PM, Randy Bush wrote:
>> We've detected 415,652 prefixes being hijacked by Indosat today.
>> Those who do not understand AS7007 are doomed to repeat it?
> i very much doubt this is a 7007, where bgp was redistributed into rip, which sliced it into a jillion /24s, and then redistributed from rip back into bgp.
> of course the lack of filtering or origin validation is an endemic disease.
> randy
Re: A little silly for IPv6
On 3/26/2014 12:28 AM, Larry Sheldon wrote:
> According to the Ace of Spades HQ blog: "IPv6 would allow every atom on the surface of the earth to have its own IP address, with enough spare to do Earth 100+ times."

Not with a /64 minimum allocation per customer :)

Jeff
Re: IPv6 isn't SMTP
On 3/26/2014 12:33 AM, Larry Sheldon wrote:
> On 3/25/2014 11:18 PM, John Levine wrote:
>>> 3. Arguing about IPv6 in the context of requirements upon SMTP connections is playing that uncomfortable game with ones own combat boots.
>> And not particularly productive. If you can figure out how to do effective spam filtering without looking at the IP addresses from which mail arrives, you will be in a position to make a whole lot of money.
> Is spam fighting really about SMTP? Or is it about abuse of the transport layer by (among other things) the SMTP?

Well, with current spam, the transport layer is irrelevant, given the proper phished credentials :(

Jeff
Re: Level 3 blames Internet slowdowns on ISPs' refusal to upgrade networks | Ars Technica
On 3/20/2014 7:32 PM, Jimmy Hess wrote:
> Then there is this whole matter of end-to-end connectivity. Just because your WAN device links up at 8 Megabits, does not mean you have been guaranteed 8 Mbits end-to-end.

Have run into this one more times than I care to count. We're running very marginally loaded links all around, and have set up a speedtest site locally to prove the issue is not local. Our upstream Commodity provider also has a speedtest peer, and we can also point people there. You can point people to them to prove it's not between us and the next hop.

Of course some folks just don't get it :) You chase down the squeaky wheel complainers, and find them running IE with a dozen toolbars, a few P2P clients, adware out the wazoo, and other things I can barely bring myself to think about, let alone admit in a public forum :)

And doing it over wireless, while they're microwaving their dinner, and ignoring their wireless printer they never bothered to disable since they plugged it in wired. While playing XBox with their wireless controllers, listening to Pandora over their BlueTooth headset, while their roommate is watching Netflix (wirelessly) on their smart TV, with the wireless subwoofer and back speakers.

Yeah, end-to-end guarantee? It's difficult enough to prove you have the first hop covered. Plug the damned thing in the wall, download Malwarebytes / Spybot / something, and deal with the real problem here, dude :) "Your internet sucks!"

Or as a recent Tweet from a student mentioned, "Fix the Mother Effing wireless in the dorms." (The dorm with the 802.11n / gig ports on the APs / etherchannels back to the data center, nonetheless).

Jeff
Re: Permitting spoofed traffic [Was: Re: ddos attack blog]
On 2/14/2014 9:07 PM, Paul Ferguson wrote:
> Indeed -- I'm not in the business of bit-shipping these days, so I can't endorse or advocate any particular method of blocking spoofed IP packets in your gear.

If you're dead-end, a basic ACL that permits ONLY your prefixes on egress, and blocks your prefixes on ingress, is perhaps the safest bet. Strict uRPF has its complications, and loose uRPF is almost too forgiving. If you're providing transit, it gets much more complicated much more quickly, but the same principles apply (they just get to be a less-than-100% solution) :)

> I can, however, say with confidence that it is still a good idea. Great idea, even. :-)

Oh yeah :)

Jeff
Re: Twinax trivia check (was Re: Is there such a thing as a 10GBase-T SFP+ transceiver)
On 2/2/2014 4:03 PM, Bryan Tong wrote:
> These cables are most commonly known as Direct Attach Copper SFP+

The big issue appears to be that these are not always consistently functional crossing vendor lines (sometimes product lines within the same vendor). There does not appear to be any standardization in place. Not sure how much of this is picky vendor software looking for branded marks in their transceivers (e.g., Cisco "service unsupported-transceiver") versus true incompatibilities.

We have had issues in test cases crossing vendor lines (Cisco / Brocade / Dell / HP) with a twinax link that just simply won't work. If anyone has a clear explanation or better understanding, I'm all ears. Personal experience comes from only a few testbed cases.

Jeff
Re: Will a single /27 get fully routed these days?
(snip) I doubt that anything /24 will ever be eligible as a portable provider independent block. If within a provider, you can slice and dice as you wish. Jeff
Re: turning on comcast v6
On 12/30/2013 8:16 PM, Leo Bicknell wrote:
> There's a reason why there's huge efforts to put RA guard in switches, and do cryptographic RA's. These are two admissions that the status quo does not work for many folks, but for some reason these two solutions get pushed over a simple DHCP router assignment option.

The more disturbing feature for those that have been there, done that, debugged the meltdown, and tried to avoid repeating the issue is the growing proliferation of automatic discovery/configuration... whether RA / SLAAC / mDNS / Bonjour / uPnP / (the list goes on...). There are too many opportunities for spoofing / MITM / self-propagating issues. Yes, DHCP is prone to similar issues, but better to focus on one service and one authoritative source to try to lock down than to try to protect the plethora of growing options to introduce issues from arbitrary sources.

But as the market focus appears to continue to try to address the home / SOHO environment of naive users, the self-configuration nastiness continues to propagate. It may fit at home / SOHO, but not in the Enterprise, and certainly not in a university environment where you can't be as restrictive on a universal basis as you might like to be :(

Jeff
Re: NSA able to compromise Cisco, Juniper, Huawei switches
On 12/30/2013 11:06 PM, [AP] NANOG wrote:
> As I was going through reading all these replies, the one thing that continued to poke at me was the requirement of the signed binaries and microcode. The same goes for many of the Cisco binaries, without direct assistance, which is unclear at this point through the cloud of smoke so to speak, it would be difficult to load this code post implementation or manufacturing.

Signed binaries?? Surely you jest...

Try download *anything* from Cisco TAC these days with a new browser and latest Java and see how many exceptions you have to make to get an allegedly legitimate copy of anything. If you don't like it, open a TAC case, and count the number of exceptions you have to make to get to THAT point as well. And of course they'll want you to upload a show tech first thing, and see how many MORE exceptions you have to make to get that to work. Geez, just open ASDM today I have to honor Java exceptions.

We're all getting far too conditioned for the "click OK to proceed" overload, and the sources aren't helping.

Jeff
Re: Caps (was Re: ATT UVERSE Native IPv6, a HOWTO)
On 12/9/2013 12:48 AM, Jay Ashworth wrote:
> A 3270 that took 5 seconds of delay and then *snapped* the entire screen up at once was perceived as faster than a 9600 tty that painted the same entire screen in about a second and a half or so. Don't remember who it was either, but likely Bell Labs.

This is a screen/block mode I/O issue versus a character-mode one. And the screen/block I/O won't start until the whole screen data is there, so there is an initial delay. The character-mode variant will paint portions of the screen as the data arrives. Similar anomalies exist on input... the screen/block mode is buffered locally and proceeds normally; while the character mode version has to transit the WAN link, whatever it may be.

I won't argue that one is better than the other, depending on your link speed (transmitting a whole screen will incur longer delays than transmitting individual fields, though admittedly it happens less often). But the user perception goes a long way...

I have seen advantages to both, having done serial terminal applications from back to the 1970s, and won't argue one way or the other. You choose your poison. With 3270 you have little choice other than full screen transactions. For other ASCII terminal interfaces, you could optimize the individual fields (while paying the full screen price).

There are user perceived throughput values, transaction perceived throughput values, and application perceived throughput values. And very rarely did the three equal out for every application :(

Jeff
Re: OT: Below grade fiber interconnect points
You can stick a splice in a manhole. You don't want a patch panel or cross-connect in that sort of environment, keep that housed inside, somewhere.

Jeff

On 11/13/2013 7:53 PM, Thomas wrote:
> Usually it would be spliced outside at the manhole where the fiber meets to go in the building. Depends on the way you want to connect them etc.
> Thomas L Graves
> Sent from my IPhone
> On Nov 13, 2013, at 2:05 PM, Justin M. Streiner <strei...@cluebyfour.org> wrote:
>> On Wed, 13 Nov 2013, Roy hockett wrote:
>>> Has anyone ever used a below grade vault for housing fiber cross connects? We have to move a fiber interconnect facility due to the current building being demolished. If you have I would be interested in talking to you. If there are more appropriate lists, I would appreciate any suggestions.
>> When you say "below grade vault", do you mean something that's only accessible through a manhole? I haven't done this specifically, however if the vault does not have a controlled environment, you could be dealing with massive headaches related to dust/dirt contamination, moisture penetration, etc. I work in a large-campus .edu environment, so I'm some of the headaches you're probably trying to avoid.
>> Also, be aware that access to the vault could be an issue. There are OSHA regs related to what sort of training and safety equipment someone who will be working in an underground vault must have.
>> I'm assuming that the fiber will be cross-connected to a new location prior to the building being demolished. Not knowing your outside plant or circumstances, would it be feasible to fusion-splice a new tail onto the fiber that was going to the building that's being demolished, or (ideally) pulling a new piece of fiber to the new building, so you don't have to deal with potentially dodgy splices?
>> jms
Re: CPE dns hijacking malware
On 11/12/2013 1:12 AM, Dobbins, Roland wrote:
> On Nov 12, 2013, at 12:56 PM, Mike <mike-na...@tiedyenetworks.com> wrote:
>> It appears that some of my subscribers DSL modems (which are acting as nat routers) have had their dns settings hijacked and presumably for serving ads or some such nonsense.
> How do you think this was accomplished? Via some kind of Web exploit customized for those devices and targeting your user population via email or social media, which tricked users into clicking on something that accessed the Web admin interface via default admin credentials or somesuch; or via some direct attack on the CPE devices themselves; or via some other method?

Basically two cases...

(1) XSS attack on the router using default (or dictionary) credentials to set the DNS server on the router, or

(2) DHCP hijacking daemon installed on the client, supplying the hijacker's DNS servers on a DHCP renewal.

Have seen both, the latter being more common, and the latter will expand across the entire home subnet in time (based on your lease interval).

Jeff
Re: Policy-based routing is evil? Discuss.
As others have pointed out, PBR ...

* Is a fragile configuration. You're typically forcing next-hop without a [direct] failover option,
* Often incurs a penalty (hardware cycles, conflicting feature sets, or outright punting to software),
* Doesn't naturally load-balance (you pick the source ranges you route where)

However, there are few alternatives in some cases...

* If you are using some provider-owned IP space you often must route to that provider,
* There may be policies restricting what traffic (sources) can transit a given provider

There are few alternatives for the latter cases, unless you split the border across VRFs and assign routing policy on the VRF, which is a global decision across the VRF, and avoids PBR. We're doing a little of both, so I clearly don't take sides :)

Jeff
Re: Suggestion on Fiber tester
On 9/26/2013 6:53 AM, Justin M. Streiner wrote:
> What flavor of multimode fiber are you dealing with? The answer and the distance you can run becomes substantially more important at 10G. Hopefully you're at least dealing with OM3. OM1/OM2 imposes distance limitations and you'll likely need mode-conditioning jumpers to work at 10G.

Excellent point. We have some over-a-decade old 62.5u MM that is useless for 10G (practically useless at 1G). It was fine at the time for 10Mb 10FL, but is now deprecated into oblivion. New runs are SM between buildings, and 50u OM3/OM4 inside.

Another surprise that can vary by vendor... but retail Cisco LRM is cheaper than their SR, and is made for MM fiber (granted, OM3/OM4 ideally).

Jeff
Re: iOS 7 update traffic
On 9/23/2013 9:36 PM, Joe Greco wrote:
> So then all the networks that have done $things to BitTorrent to demote it to second-rate traffic will suddenly have a bunch of very angry Apple fans whose downloads are mysteriously having issues.

Just ask the Blizzard fans (World of Warcraft) about this phenomenon...

Jeff
Re: iOS 7 update traffic
On 9/19/2013 5:29 PM, Warren Bailey wrote:
> So you understand things aren't always metro e.. That's what I was trying to say. I still have a coupler.. ;)
> -------- Original message --------
> From: Fred Reimer <frei...@freimer.org>
>> Actually, I started out with a 300 baud acoustic modem. You know, the kind where you take the handset and jam it into two cups? But I digress…

Bah! That was a take-home convenience. How about the old ASR TeleType with the 110-baud link to get a hardcopy listing?

Jeff
Re: [Paper] B4: Experience with a Globally-Deployed Software Defined
On 8/17/2013 7:14 PM, Arturo Servin wrote:
> Hacker will love SDN ...

Yes. Traditional SDN is big, flat layer-2 network with global mac-address resolution, and a big fat Java applet managing the adjacency tables. What could *possibly* go wrong?

Jeff
Re: CNN broadcasting online free? Hogging my bandwidth...
On 8/14/2013 9:24 PM, Zachary McGibbon wrote:
> It seems this started around 8am this morning and it was a macromedia tcp flash stream on port 1935.

Wait until they throw some OctoShape P2P streaming video at you...

Jeff
Re: Brighthouse issues
On 7/30/2013 10:55 PM, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Jared Geiger" <ja...@compuwizz.net>
>> We are seeing that all our customers in the Brighthouse Orlando, FL market that would make outbound connections on TCP port 3306 suddenly can't connect to us now. This happened suddenly mid day today.
> Speculation: are these residential class cablemodem customers? Carriers are prone to block uncommon ports on such modems at random.

Yeah, 3306 is MySQL. Overly-paranoid firewall somewhere? DDoS mitigation collateral damage?

Jeff
Re: One of our own in the Guardian.
On 7/13/2013 10:15 PM, Jima wrote:
> On 2013-07-13 14:44, Bill Woodcock wrote:
>> http://www.guardian.co.uk/world/2013/jul/09/xmission-isp-customers-privacy-nsa
> I can happily state that XMission is my home ISP, with UTOPIA (city-involved fiber optic provider) as the local loop. (Really, who has 100/100 at home?)

A whole lot of folks in Chattanooga...

https://epbfi.com/enroll/packages/#/fi-speed-internet-100

100Mb symmetric is $69/mo, 250Mb is $139, 1Gbit is $299

Largely Alcatel/Lucent GPON. Business rates considerably higher :) They are one of our providers and we aren't metered. I don't know how they're handling domestic rates / quotas.

Jeff
Re: One of our own in the Guardian.
On 7/14/2013 3:37 PM, Warren Bailey wrote:
> I would imagine this cheap rural fiber showed up after the RUS stimulus? A former employer (GCI, in Anchorage Alaska) received quite a bit of money in the form of a grant/loan for a rural fiber network (I think they may have received the largest of all grants). Would be interesting to know how much of this was as a result of dot gov funding.

It's decidedly not yet rural but starting to expand beyond simple urban. It is our Electric provider utility, and much of the build out was tied to Smart Grid power meter integration. I'm not familiar with the politics, but there were some battles over funding and justification. They are competing with (at least) Comcast/XFinity, ATT/Uverse, and Charter in the local market.

Their initial buildout pre-dated stimulus funding. We were involved in an earlier effort for Metro Ethernet but that didn't work out so well. The more recent GPON is the ongoing success story.

Jeff
Re: One of our own in the Guardian.
On 7/14/2013 9:08 PM, Jima wrote:
> XMission does offer 1000/1000, as well; I seem to recall the price is something like $300/mo. For us, the problem was more finding remote sites that can push data rates anywhere near one's own limit (as it's enough of a problem at 100mbit), making the price bump not quite worth it.

Very true. We have two gigs, but a commercial speedtest comes up seriously short (typically 100+ Mbps) while a locally hosted speedtest will show 800-900+. Not sure how much is their upstream versus simple physics... you'd have to be the only test subject to a gig-connected server to do much better.

We have had some contrived examples over I2 that pushed 500Mbps symmetric, but they ran that demo over our I2 pipe because their commodity link couldn't deliver the necessary rate/latency.

Jeff
Re: Egress filters dropping traffic
On 6/30/2013 12:34 PM, Glen Kent wrote:
> Under what scenarios do providers install egress ACLs which could say for eg.
> 1. Allow all IP traffic out on an interface foo if its coming from source IP x.x.x.x/y
> 2. Drop all other IP traffic out on this interface.

If you're an end node, it's BCP to block ingress from your own IP space, and block egress NOT from your IP space. If you're doing transit, it gets more complicated.

Jeff
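The end-node filter described in this reply and in the "Permitting spoofed traffic" reply earlier on the page (deny ingress sourced from your own space, permit egress only from your own space) as an added Python example that is not code from either post or from any vendor; it evaluates constructed flows against constructed documentation prefixes and renders the equivalent Cisco-style named extended ACL text, with the IPv6 prefix handled by the evaluator only.

```python
"""Stub-network (dead-end) anti-spoofing filter, per the two posts above.

Added example, not from the posts or any vendor. Ingress from the provider: deny
anything claiming to be sourced from our own space. Egress toward the provider:
permit only our own space. Prefixes/flows below are constructed (RFC 5737/3849)."""
import ipaddress
from typing import Iterable, List, Tuple


def our_networks(prefixes: Iterable[str]) -> list:
    """Parse the assigned prefixes once; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def edge_verdict(direction: str, src: str, prefixes: Iterable[str]) -> str:
    """direction 'in' = arriving from the provider, 'out' = leaving toward it.
    Returns 'permit' or 'deny'. v4 and v6 are handled alike; ipaddress answers
    False (not an error) when the address and prefix families differ."""
    addr = ipaddress.ip_address(src)
    ours = any(addr in net for net in our_networks(prefixes))
    if direction == "in":
        # Nobody outside can legitimately source packets from our own space.
        return "deny" if ours else "permit"
    if direction == "out":
        # Only our own space may leave; anything else is a spoof or an RFC1918 leak.
        return "permit" if ours else "deny"
    raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")


def render_acls(prefixes: Iterable[str], name_in: str = "EDGE-IN",
                name_out: str = "EDGE-OUT") -> str:
    """Cisco-style named extended ACLs equivalent to edge_verdict for the IPv4
    prefixes (wildcard mask = inverted netmask, exposed by ipaddress as .hostmask)."""
    v4 = [n for n in our_networks(prefixes) if n.version == 4]
    lines = [f"ip access-list extended {name_in}"]
    lines += [f" deny   ip {n.network_address} {n.hostmask} any" for n in v4]
    lines.append(" permit ip any any")
    lines.append(f"ip access-list extended {name_out}")
    lines += [f" permit ip {n.network_address} {n.hostmask} any" for n in v4]
    lines.append(" deny   ip any any")
    return "\n".join(lines)


def audit(flows: Iterable[Tuple[str, str]],
          prefixes: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run (direction, src) flows through the filter; returns (direction, src, verdict)."""
    return [(d, s, edge_verdict(d, s, prefixes)) for d, s in flows]


# Constructed: our assigned space and a handful of observed source addresses.
OUR_PREFIXES = ["203.0.113.0/24", "2001:db8:100::/48"]
SAMPLE_FLOWS = [
    ("in", "203.0.113.7"),         # spoof: our own address arriving from outside
    ("in", "198.51.100.9"),        # ordinary inbound traffic
    ("out", "203.0.113.7"),        # our host talking out
    ("out", "192.168.1.5"),        # RFC1918 leak / spoof must not escape
    ("out", "2001:db8:100::1"),    # our v6 space
    ("out", "2001:db8:200::1"),    # someone else's v6 space
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS, OUR_PREFIXES):
        print(*row)
    print(render_acls(OUR_PREFIXES))
```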
Re: Service provider T1/PPP question
On 6/28/2013 10:56 PM, Leo Bicknell wrote:
> If you're willing to do without modern features, you should be able to pick up a ton of gear that does all this for dirt cheap. A 7513 with channelized DS-3 cards is still quite spiffy for terminating static routed T1's for instance, and people may even pay you take them at this point. :) The CPE will be more interesting, there are several vendors that still make CPE with T1 interfaces, but that's much more rare.

As someone else already mentioned, back in the 720x-VXR / 3640 days of T1 terminations, we scaled up to 5 T1s before going to [fractional] DS3, and the old cef per-packet load balancing was wonderful provided you were talking to another Cisco endpoint (which for us, at the time, was Qwest, and yes it was).

We were so sold on it that we even tried that on campus, but soon learned that Catalysts had no idea what cef per-packet meant :( So enter EIGRP / utilization load sharing...

Jeff
Re: net neutrality and peering wars continue
On 6/20/2013 10:26 PM, Jared Mauch wrote:
> Many things aren't as obvious as you state above. Take for example routing table growth. There's going to be a big boom in selling routers (or turning off full routes) when folks devices melt at 512k routes in the coming years.

Indeed. We're running PFC3CXL's and had already reallocated FIB TCAM to 768K IPv4s in anticipation. We also had maximum-prefix 50 with a warning at 90%, and today it triggered (or at least first time I noticed it)... we ran 450K prefixes from 3 providers about 1:30 EDT today and got the warnings.

The end is near :) If you haven't made provisions, please do so now :)

Jeff
Re: 10gig coast to coast
On 6/17/2013 10:32 PM, George Herbert wrote:
> Also, what are reliability and redundancy requirements. 10 gigs of bare naked fiber is one thing, but if you need extra paths redundancy, figure that out now and specify. Is this latency, bandwidth, both? Mission critical, business critical, less priority? 24x7x365, or subset of that, or intermittent only?

And are you looking for dark fiber or can you deal with a lambda? Can you supply tuned optics for the passive mux carriers? Dark coast-to-coast is going to cost you a few appendages. You may land a lambda for a reasonable price depending on the endpoints, you'll need an established carrier with DWDM gear on both ends.

Jeff
Re: Blocking TCP flows?
Better still, http://dilbert.com/strips/comic/1996-09-07/

Jeff

On 6/13/2013 6:41 PM, Christopher Morrow wrote:
> On Thu, Jun 13, 2013 at 6:37 PM, Phil Fagan <philfa...@gmail.com> wrote:
>> fast Perl
> haha :) that's cute.
Re: Prism continued
On 6/12/2013 7:59 PM, Mike Hale wrote:
> It would make sense. It's a friggin' sick syslog analyzer. Expensive as hell, but awesome.

Compare it to most any other SIEM (ArcSight?) and it's a bargain. But still, yeah.

Jeff
Re: PRISM: NSA/FBI Internet data mining project
On 6/6/2013 9:22 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 06 Jun 2013 21:12:35 -0400, Robert Mathews (OSIA) said:
>> On 6/6/2013 7:35 PM, Jay Ashworth wrote:
>>> [ . ] Happily, none of the companies listed are transport networks:
>> Could you be certain that TWC, Comcast, Qwest/CenturyLink could not be involved?
> Pay attention. None of the ones *listed* are transport networks. Doesn't mean they're not involved but unlisted (as of yet).

Umm... CALEA. They've *already* had access for quite some time.

Jeff
Re: Headscratcher of the week
OK, here's a wild guess from left-field. Well, at least from left-field where I made at least one game-saving catch :)

We had a similar case some years back, but it was a ramp-up in overall traffic we were looking at. If you're looking at latency, it could be related to traffic (do you have traffic graphs?).

One particular user that was accustomed to Windows and trying to get started with Linux was playing games with our NAT firewall. Rather than file a request with us for a static NAT and firewall openings for their new Linux server, they discovered that as long as they generated some internet traffic periodically, they could defeat the NAT translation timeout, and essentially keep a static outside IP.

Problem was, they crontabbed a ping of an outside server to run once a minute. Just a "ping x.x.x.x". Windows as we know defaults to only ping 4 times then quit. Linux does not :)

So you might look for some recurring scheduled event on the customer's end that might be cumulative rather than simply recurring.

Jeff

On 5/31/2013 6:25 PM, Mike wrote:
> Gang,
> In the interest of sharing 'the weird stuff' which makes the job of being an operator ... uh, fun? is that the right word?..., I would like to present the following two smokeping latency/packetloss plots, which are by far the weirdest I have ever seen.
> These plots are from our smokeping host out to a customer location. The customer is connected via DSL and they run PPPoE over it to connect with our access concentrator. There are about 5 physical infrastructure hops between the host and customer; The switch, the BRAS, the Switch again, and then directly to the DSLAM and then customer on the end.
> The 10 day plot: http://picpaste.com/10_Day_graph-YV3IdvRV.png
> The 30 hour plot: http://picpaste.com/30_hour_graph-DrwzfhYJ.png
> How can you possibly have consistent increase in latency like that? I'd love to hear theories (or offers of beer, your choice!).
> Happy Friday all!
> Mike-
Re: Entry level WDM gear? follow-up
On 5/10/2013 9:56 AM, Jerimiah Cole wrote:
> On 05/08/2013 09:21 PM, Jeff Kell wrote:
>> Ciena/Cyan/etc are way over our non-existent budget... what is the going recommendation to throw say 4-8 lambdas over a dark pair without breaking the bank? :)
>
> I've used http://www.omnitron-systems.com/ media converters and found them reliable. They've got the filters to do an 8 channel system.

Thanks for this and other responses. Cumulatively I have some more information, but also more questions :)

We have an existing fiber pair to location A where it is cross-connected to location B and terminated. It's currently a ~35km link running 10G-ER optics (1550nm). We're getting a little less than -7dBm receive over the link now with standard 10G-ER optics.

We need to connect to another provider at location A (also 10G), so thinking of xWDM from campus to location A. Would like to hand off one lambda on to location B to maintain that circuit, and the new/additional ones would terminate at location A.

CWDM is obviously cheaper and supports the 1550nm current band (but do we need to replace existing optics with tuned ones to keep things honest?). Cisco lists no CWDM 10G optics at all in any form factor, only DWDM, and they're really proud of them based on the list price.

The tuned optics have no SR/LR/ER/ZR attributes... so what are their real distance characteristics? In particular, can we cross-connect one of the outputs to the existing location B and have the dBm budget to get there?

This is becoming quite the adventure :)

Jeff
Entry level WDM gear?
Apologies if this is a dumb newbie question, but this is one area of networking where I remain a virgin :)

We have a local loop fiber to a regional fiber hut that has served us well for several years. It's carrying a 1550nm ER 10G circuit at the moment, but we're looking at another one, possibly two (or more) in the near future. Getting another dark pair is complicated so we're exploring options to [C|D]WDM multiple lambdas over the existing fiber.

Ciena/Cyan/etc are way over our non-existent budget... what is the going recommendation to throw say 4-8 lambdas over a dark pair without breaking the bank? :)

Jeff
Re: Data Center Installations
On 5/1/2013 7:57 PM, Mark Gauvin wrote: Zip ties have no reason to be in a dc grr They have their place, but decidedly not in data center racks where **nothing** is permanent/fixed very long :) Jeff
Fiber plant APC vs UPC... once again...
We are looking into doing cableTV/HFC distribution on campus, and fiber runs for HFC typically run APC connectors to avoid reflectance on the analog HFC signal where it is significant. We're looking at converting some existing data UPC to APC for existing runs, and on the new ones either do a parallel split (UPC and APC) or just stay uniform (research seems to indicate APC is the winner).

In asking some other groups (EDU LAN managers) I've heard both extremes... stick with all APC (and jumper APC-to-UPC on gear to data terminations), and I've heard the exact opposite (UPC is fine, just jumper UPC to APC at the terminations). The last time I asked here, the consensus seemed to be APC was ok, or else do parallel splits.

My best understanding is that going APC across the board, and just using jumpers (APC to UPC) at the data ends should be fine, and I'm leaning in that direction. Are there any significant issues there? Do APC terminations confuse a data OTDR since you're now missing the expected reflections? Other issues?

Before the RFQs go out on the fiber expansion, I'd like to have a clear goal in mind here :) Any reason NOT to go APC for the installed fiber plant and just adjust the terminating jumpers based on the endpoint targets?

Thanks (again),
Jeff
Re: RFC 1149
On 4/1/2013 10:15 PM, Eric Adler wrote: Make sure you don't miss the QoS implementation of RFC 2549 (and make sure that you're ready to implement RFC 6214). You'll be highly satisfied with the results (presuming you and your packets end up in one of the higher quality classes). I'd also suggest a RFC 2322 compliant DHCP server for devices inside the hurricane zone, but modified by implementing zip ties such that the C47s aren't released under heavy (wind or water) loads. Actually, given recent events, I'd emphasize and advocate RFC3514 (http://www.ietf.org/rfc/rfc3514.txt) which I think is LONG overdue for adoption. The implementation would forego most of the currently debated topics as related to network abuse or misuse :) Jeff
Re: Tier 2 ingress filtering
On 3/28/2013 7:49 PM, Saku Ytti wrote:
> On (2013-03-28 23:45 +), Rajiv Asati (rajiva) wrote:
>> In fact, what makes it easier is that uRPF can be part of the template that can be universally applied to every edge port.
>
> There is an incredible amount of L3 interfaces in the last mile, old ghetto stuff, latest gen Cisco, which does not do uRPF.

Very true. Some of it you can even configure as such, it just doesn't do anything...

Jeff
Re: 10 Mbit/s problem in your network
On 2/26/2013 10:57 PM, Owen DeLong wrote: In fact, many of the hotels that have solved this intelligently have simply placed DSLAMs in the phone room and run DSL to each room with a relatively inexpensive (especially when you buy 500 of them at a time) DSL modem in each room. Some also have wifi, some have wifi in the room from the DSL modem, but in most cases, these have been among the best functioning solutions in some of the larger properties. While other more brain-dead properties are streaming their TV content over wireless (have seen this more than once)... Jeff
Re: Hotel internet connectivity
On 2/26/2013 11:35 PM, Jay Ashworth wrote: I don't spend a lot of time in a lot of hotels, but every hardwire I have seen with my own personal eyeballs was indeed DSL. Cheers, -- jra Hrmm... Ramada Inn, Okaloosa Island resort outside Fort Walton Beach (kinda your neighborhood Jay) two years ago had Cisco LRE boxes in the room for wired connectivity (no wireless when I was there). And lots of actual ethernet elsewhere. Jeff
Re: The 100 Gbit/s problem in your network
On 2/11/2013 11:05 PM, Tim Durack wrote:
> Multicast is dead. Feel free to disagree. :-)
>
> Tim:

Multicast is a vendor selling point, as you essentially need a coherent end-to-end solution to get it to work PROPERLY. Of course if it does not work PROPERLY, it will still largely work, albeit inefficiently, in most cases other than routed multicast.

So personally I'd love to see the multicast environment die as well :) It's so... well... decades old stuff.

For cable / IPTV it may fly and scale, but there is a decided move to the on-demand model. And even with live broadcast, there's the growing DVR selling point of pause and resume which is buffering and unicast, just localized to the set top box.

It is also the opposite of on demand as multicast only works on a synchronized timeline. Few if any people will demand a specific item on demand at the same time, or even within a reasonable time window for a buffered/staged multicast ("...this channel should be available shortly..."). You could multicast to cache boxes, but that is prone to cache hit randomization, and only useful to pre-populate an incident.

Multicast still works for live broadcast. And can be convoluted to work in odd/mixed topologies (e.g., Octoshape... hideous thing). But working multicast requires tweaking (PIM, IGMP snooping, CGMP/etc vendor-specific L2 pruning) that makes it ugly. We had enough headaches just trying to route multicast computer imaging traffic (Ghost, SCOM, etc) that I couldn't imagine trying to extend that out into userland without some serious forklift upgrades to ensure it would work at the hardware level.

Locally, knock y'erself out with fingers crossed, you'll only nuke your broadcast domain, but routing it?

Jeff
Re: Fwd: Rollup: Small City Municipal Broadband
This has been a fascinating discussion :)

While we don't quite qualify as a small city, we do have quite a dispersion of coverage across our residence halls and general campus. There is an ongoing RFP process to build out our own CATV distribution (or more generally, to avoid the resident CATV provider charge monopoly). Initial competitors included incumbent cable (largely RF coax), new providers (also RF coax), and content-only providers (either assuming we do distribution over our fiber, or add another distribution component), to IPTV solutions (using existing network).

IPTV requires a very co-operative multicast distribution, which we currently do not have (not exclusive vendor gear end-to-end); it needs to be designed that way from the beginning as opposed to bolted onto the end.

RF CATV (or HFC distribution) requires some unique fiber plant... notably APC terminations as opposed to the UPCs we have for data. And you have to consider a one-way content provider network, versus two-way feedback (and the associated set-top box complications we're trying to avoid).

And throw in the phone for the other triple play component, and you're generally talking PoE[+].

Even in a captive audience, the possibilities are challenging :)

Jeff
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On 1/17/2013 6:50 PM, Owen DeLong wrote: Vonage will, in most cases fail through CGN as will Skype, Xbox-360, and many of the other IM clients. Not sure about Vonage, but Skype, Xbox, and just about everything else imaginable (other than hosting a server) works just fine over NAT with default-deny inbound here, and we have several thousand students in the dorms that bang the heck out of those services. Most applications have adapted to the SOHO NATing router that is prevalent today on broadband internet. And if it didn't work, believe me, I'd hear about it :) Jeff
Dreamhost hijacking my prefix...
Not sure how widespread their leakage may be, but Dreamhost just hijacked one of my prefixes...

Possible Prefix Hijack (Code: 10)
Your prefix: 150.182.192.0/18:
Update time: 2013-01-11 14:14 (UTC)
Detected by #peers: 11
Detected prefix: 150.182.208.0/20
Announced by: AS26347 (DREAMHOST-AS - New Dream Network, LLC)
Upstream AS: AS42861 (PRIME-LINE-AS JSC Prime-Line)
ASpath: 8331 42861 42861 42861 26347

Anyone have a contact there? ASinfo gives net...@dreamhost.com where I have submitted a report, but so far no joy...

Jeff
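A small triage check for an alert of this shape, written here as an added example (it is not code from the post or from any monitoring service): it parses the alert quoted above, classifies the detected /20 as a more-specific announcement from an unauthorized origin, and pulls out the AS adjacent to the origin once path prepends are collapsed. The authorized-origin set (AS64496, from the RFC 5398 documentation range) is a placeholder assumption; a real deployment would load it from the prefix owner's own records.

```python
"""Triage a 'Possible Prefix Hijack' alert of the kind quoted in the post.

Added example, not part of the original post. The alert text below is the
one from the post (re-split onto lines); the authorized-origin set is a
constructed placeholder using the RFC 5398 documentation ASN range.
"""
import ipaddress
import re

# Alert text as quoted in the post (the alert format wraps the owned prefix
# in a trailing colon, which parse_alert strips).
ALERT = """Possible Prefix Hijack (Code: 10)
Your prefix: 150.182.192.0/18:
Update time: 2013-01-11 14:14 (UTC)
Detected by #peers: 11
Detected prefix: 150.182.208.0/20
Announced by: AS26347 (DREAMHOST-AS - New Dream Network, LLC)
Upstream AS: AS42861 (PRIME-LINE-AS JSC Prime-Line)
ASpath: 8331 42861 42861 42861 26347
"""

# Constructed placeholder: ASNs the prefix owner allows to originate the /18.
AUTHORIZED_ORIGINS = {64496}


def _asn(field):
    """Extract the numeric ASN from a field such as 'AS26347 (DREAMHOST-AS ...)'."""
    return int(re.match(r"AS(\d+)", field).group(1))


def parse_alert(text):
    """Split 'Key: value' lines and return the fields we act on, typed."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only; times keep theirs
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "our_prefix": ipaddress.ip_network(fields["Your prefix"].rstrip(":")),
        "detected": ipaddress.ip_network(fields["Detected prefix"]),
        "origin": _asn(fields["Announced by"]),
        "upstream": _asn(fields["Upstream AS"]),
        "as_path": [int(asn) for asn in fields["ASpath"].split()],
        "peers": int(fields["Detected by #peers"]),
    }


def collapse_prepends(as_path):
    """Drop consecutive repeats so prepending does not distort adjacency."""
    collapsed = []
    for asn in as_path:
        if not collapsed or collapsed[-1] != asn:
            collapsed.append(asn)
    return collapsed


def origin_neighbor(as_path):
    """The AS that handed the route on from the origin, or None for a lone origin."""
    path = collapse_prepends(as_path)
    return path[-2] if len(path) >= 2 else None


def classify(alert_text, authorized_origins):
    """Return (verdict, reason) for one alert.

    A more-specific from a foreign origin is the dangerous case: longest-match
    forwarding prefers the /20 over the owner's /18 wherever the /20 is heard.
    """
    a = parse_alert(alert_text)
    det, ours, origin = a["detected"], a["our_prefix"], a["origin"]
    if a["as_path"][-1] != origin:
        return "inconsistent", "announcing AS is not the last hop of the AS path"
    if not (det.subnet_of(ours) or ours.subnet_of(det)):
        return "unrelated", f"{det} does not overlap {ours}"
    if origin in authorized_origins:
        return "legitimate", f"AS{origin} is authorized to originate {ours}"
    neighbor = origin_neighbor(a["as_path"])
    if det.prefixlen > ours.prefixlen:
        return ("more-specific-hijack",
                f"AS{origin} originates {det}, a more specific of {ours}, "
                f"seen by {a['peers']} peers via AS{neighbor}")
    if det.prefixlen == ours.prefixlen:
        return "origin-hijack", f"AS{origin} originates our exact prefix {ours}"
    return "covering-announcement", f"AS{origin} announces {det}, which covers {ours}"


if __name__ == "__main__":
    verdict, reason = classify(ALERT, AUTHORIZED_ORIGINS)
    print(f"{verdict}: {reason}")
```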
Re: Dreamhost hijacking my prefix...
Robtex would beg to differ... you show peered with AS42861, perhaps someone (else) is looping their advertisements?

_R_egistered _O_ther side _B_GP visible
Peer
OB AS174 COGENT /PSI
B AS4323 TWTC Autonomous system for tw telecom .
B AS4826 VOCUS-BACKBONE-AS Vocus Connect International Backbone Vocus Communications Level 2, Vocus House 189 Miller Street North Sydney NSW 2060
B AS5580 ATRATO-IP / Atrato IP Networks
B AS6461 MFNX MFN - Metromedia Fiber Network
B AS6939 HURRICANE Electric
B AS7575 AARNET-AS-AP Australia's Research and Education Network (AARNet3)
B AS7922 COMCAST-IBONE Comcast Cable Communications, Inc. 1800 Bishops Gate Blvd Mt Laurel, NJ 08054 US
B AS8359 MTS Dummy description for
B AS10912 INTERNAP-BLK Internap Network Services
B AS10913 INTERNAP-BLK Internap Network Services
B AS12989 HWNG Eweka Internet Services B.V.
B AS36351 SOFTLAYER Technologies Inc.
B AS42861 PRIME-LINE-AS Dummy description for

On 1/11/2013 10:42 AM, Kenneth McRae wrote:
> Jeff,
>
> We are not announcing the prefix in question nor do we peer with AS42861.
>
> --
> Best Regards,
> Kenneth McRae
> *Director, Network Operations*
> kenneth.mc...@dreamhost.com
> Ph: 818-447-2589
> www.dreamhost.com
>
> On Fri, Jan 11, 2013 at 7:23 AM, Jeff Kell jeff-k...@utc.edu wrote:
>> Not sure how widespread their leakage may be, but Dreamhost just hijacked one of my prefixes...
>>
>> Possible Prefix Hijack (Code: 10)
>> Your prefix: 150.182.192.0/18:
>> Update time: 2013-01-11 14:14 (UTC)
>> Detected by #peers: 11
>> Detected prefix: 150.182.208.0/20
>> Announced by: AS26347 (DREAMHOST-AS - New Dream Network, LLC)
>> Upstream AS: AS42861 (PRIME-LINE-AS JSC Prime-Line)
>> ASpath: 8331 42861 42861 42861 26347
>>
>> Anyone have a contact there? ASinfo gives net...@dreamhost.com where I have submitted a report, but so far no joy...
>>
>> Jeff
>
> --
> Best Regards,
> Kenneth McRae
> *Sr. Network Engineer*
> kenneth.mc...@dreamhost.com
> Ph: 323-375-3814
> www.dreamhost.com
Re: [SHAME] Spam Rats
On 1/9/2013 11:41 PM, Mark Andrews wrote:
>> $GENERATE, as someone else pointed out, solves that problem for you? (Does it scale for IPv6? I can't recall - but surely this could be scripted too.)
>
> No. A /64 has 18,446,744,073,709,551,616 addresses. Even if you had machines that supported zettabytes of data the zone would never load in human lifetimes.

Can you wildcard it? (Still an IPv6 implementation virgin, just curious :) )

Jeff
Re: Gmail and SSL
On 1/2/2013 10:31 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said:
>> Google is setting a higher bar here, which may be sufficient to deter a lot of bots and script kiddies for the next few years, but it's not enough against nation-state or serious professional level attacks.
>
> To be fair though - if I was sitting on information of sufficient value that I was a legitimate target for nation-state TLAs and similarly well funded criminal organizations, I'd have to think long and hard whether I wanted to vector my e-mails through Google. It isn't even the certificate management issue - it's because if I was in fact the target of such attention, my threat model had better well include adversary attempts to use legal and extralegal means to get at my data from within Google's infrastructure. Operation Aurora.

Well, the bar started at something as trivial as FireSheep. And I'm sure many more silly (in retrospect) exploits remain to be discovered in any cloud-based infrastructure (the bigger the cloud, the bigger the target, the greater the potential damages/losses). And a lot of infrastructure remains vulnerable to something as trivial as FireSheep.

Jeff
Re: Netflix transit preference?
On 12/27/2012 1:26 PM, Patrick W. Gilmore wrote: On Dec 27, 2012, at 13:19 , randal k na...@data102.com wrote: (We move ~1.4gbps to Netflix, and are thus not a candidate for peering. And they have no POP close.) Why don't you ask Netflix? And why not ask them for kit to put on-net? https://signup.netflix.com/openconnect The last time we asked, their criteria was ~2.0gbps, so he doesn't have enough qualifying traffic. Has anyone looked at a Qwilt? http://www.qwilt.com/ Jeff
Re: OpenFlow, please don't start a flame war...
On 12/14/2012 11:11 PM, eric-l...@truenet.com wrote:
> It's been about 2 years in since I've heard about the concept, and honestly I'm about ready to jump into test environments at my house. My questions are pretty basic: what distro would you recommend for a controller, and should I start by virtualizing in VMWare or HyperV or jump into some cheap Linksys WRT routers? The more I hear about the tech from colleges, Google, BigSwitch, etc is leaning me to really start learning, so any help would be appreciated.

Yeah, it's the neatest thing since sliced bread, but requires layer-2 connectivity across the board. When you exhaust your mac address tables, we'll welcome you back to the real world.

Jeff
Fiber terminations -- UPC vs APC
Looking for some guidance/references on the use of UPC versus APC terminations on fiber cabling.

Traditionally we have done all of our fiber plant targeting data usage with UPC connectors. We are also looking at proposals for fiber distribution plant for video, and the possibility of using some of the existing fiber plant for that purpose; as well as any new fiber plant that gets installed for video potentially as data.

The video folks are set, determined, and insistent that they need APC terminations. All data references I have found preach UPC. Cisco's SFP reference page even states (in bold):

*Note:* Only connections with patch cords with PC or UPC connectors are supported. Patch cords with APC connectors are not supported. All cables and cable assemblies used must be compliant with the standards specified in the standards section.

So are we doomed to having physically separated fiber plants with suitable connectors / jumpers dedicated to video? Anyone been down this snaky looking path?

Jeff
Re: Eaton 9130 UPS feedback
On 11/13/2012 6:42 PM, Tom Morris wrote:
> Sorry to say, I've used them and had them eat themselves. They just die mysteriously and let out lots of smoke when they do. When they do, however, they leave behind a perfectly good set of batteries. I'd recommend looking elsewhere... Does Eaton/PowerWare still make the FerrUPS series? Those were *solid*.

Interesting. So far the feedback sounds overwhelmingly negative.

Heard some good points on Emerson (I'm assuming Liebert?). We've had much better luck overall with them, although a couple of incidents where they don't care to come back online after they were drained.

We largely use the UPS to survive power glitches without dropping the network for switch reboot times, we're not after long runs. As such, the occasional extended outages drain the UPSes and there are always the percentage of them that do not come back online and require manual intervention.

We were formerly a big TrippLite user, but they seem to be incredibly fault-intolerant with regard to the scenario above (coming back online after draining), and to a lesser degree, going offline after a power glitch.

Never used an Eaton that I'm aware of however. Would be interested in other recommendations for remote / IDF / MDF environment UPS systems to just keep the stack up over power glitches.

Jeff
Re: Operation Ghost Click
On 4/26/2012 5:44 PM, Andrew Latham wrote:
> Yes it's a major problem for the users unknowingly infected. To them it will look like their Internet connection is down. Expect ISPs to field lots of support calls.

And what about the millions of users unknowingly infected with something else ?? These people need help; at least the Ghost Click victims will have a clue after July 9, unless we opt to extend our head-in-the-sand period.

(We have enough trouble isolating/remediating issues among our relatively small user base, I'd hate to be facing a major ISP size support/remediation effort...)

Does anyone have a plan?

Jeff
Re: Whitelist of update servers
An IP-based whitelist is pretty much doomed from the start. Many vendors use content delivery networks and that is too large and volatile to chase.

We have had some success in captive portal environments with DNS manipulation, allowing only certain domains to resolve, and redirecting everything else to the portal. The list is still non-trivial, but manageable. So don't manage it at the router level, you will have better luck at the DNS layer.

Jeff

On 3/12/2012 8:51 PM, Randy Bush wrote:
> i tend to two defenses
>
> o if it is not an urgent update, i wait to hear from peers that it is safe.
>
> o i generally do not accept pop-up updates. if one looks tasty, when possible i navigate directly to the site (yes, i know about dns spoofing) and download.
Re: which one a Technical Support or Help Desk
On 3/3/2012 10:34 AM, valdis.kletni...@vt.edu wrote:
> On Sat, 03 Mar 2012 07:04:52 PST, JoeSox said:
>> Go with 'Technical Support' unless you want to take all sorts of calls with end users wanting help on operational training issues. THIS DOES HAPPEN!
>
> Which is OK, if that's your business model. I know a few small ISPs that are making a comfortable living selling repackaged DSL plus handholding.

Especially if a human answers promptly without a horrible accent...

Jeff
Re: which one a Technical Support or Help Desk
On 3/3/2012 10:57 AM, Faisal Imtiaz wrote:
>> Especially if a human answers promptly without a horrible accent...
>>
>> Jeff
>
> Like a heavy Southern Drawl ?

Oh yeah, y'all :) The major point was a human answering, at least my home ISP (Charter) has this unbearable voice response... in annoyingly perfect English, although there is a Spanish option when it first starts :)

If you have humans answering, you can call them anything you like, you're ahead of the curve. If not, it is going to be called all sorts of things, and "Technical Support" or "Helpdesk" is not among the options that come to mind...

Jeff
Re: which one a Technical Support or Help Desk
On 3/3/2012 11:48 AM, Faisal Imtiaz wrote:
> Touche! Being in South Florida, (heavy Latin Spanish accents) and having customers in Alabama, Tennessee (Heavy Southern accents) etc, we have had to Tune our ears as well as our Accents, including carefully choosing our words...

Yes, it goes both ways :) It would be very interesting to get some statistics/reports out of Apple's Siri project as to the hardest cases.

My cousin recently got an iPhone with Siri. She has a much worse drawl than mine :) She told it to "Call Jeff", and Siri says "I see no J F in your contacts". (Imagine a very heavily drawled "Jeff" more like "Jaaay-Yufff", decidedly two syllables there...)

She's had mixed results with Siri :) It may be beneficial speech therapy for her, but hard to change decades of Southern :)

Jeff
Re: Switch designed for mirroring tap ports
How about splitting up a heavy stream (10G) into components (1G) to run through an inline device and reassemble the pieces back to an aggregate afterward? TippingPoint makes a core controller box for this but it's pretty hideously expensive. Could do it with two 6500s but that's pretty hideously expensive as well :) Jeff
Re: facebook.com DNS not found 20120218 2125 UTC
On 2/18/2012 4:32 PM, Everett Batey wrote: facebook.com DNS not found 20120218 2125 UTC Is there any outage information for DNS for facebook.com / www.facebook.com ? Oops! Google Chrome could not find www.facebook.com I have had two reports of can't get to facebook from campus today, not exactly from 3rd-tier helpdesk techs mind you, but a reasonably reputable source. Traceroute stops at 127.0.0.1 (yeah, I know). Works fine from campus for me, and they say the machine does nslookup a Facebook CDN provider IP (69.171.234.96). They can go anywhere else, no problem. Verified they have our DHCP server and internal recursive DNS servers so it's not an issue at that level. I'm ONLY bringing this up as my spidey-sense is wondering if there is some facebook-captive malware or browser plugin floating about? Ring any bells? If nothing else comes in I'm going to write it off as a Sunday evening hallucination and check it again tomorrow :) Jeff
Re: WW: Colo Vending Machine
On 2/18/2012 11:41 PM, Chris Adams wrote: Dumb terminals are sometimes very smart. Well, yeah, unless you're ever in one of those spots where you need to xmodem an IOS image... (Makes you appreciate those newfangled ones that can mount USB drives ...) Jeff
Re: Common operational misconceptions
On 2/17/2012 12:00 PM, Gary Buhrmaster wrote: If the TV went on the blink (they all did then), you opened up the back, looked for fried components, and if one of the resistors was smoking, you soldered in a replacement. Or you took the tubes down to the local drugstore and tested them. Wow... would be handy if Radio Shack stocked router modules and blades, and chassis to test your suspect ones? :) (Yes, remember the tube testers as well...) Jeff
Re: WW: Colo Vending Machine
Direct phone number of a 2nd level TAC that speaks English and doesn't read from a transcript :)

Lots of good mentions, I might add two...

(1) Snap-on multitool plier (or linesman equivalent), combination plier/diags/various screwdrivers, etc.
(2) Universal power brick

On the last one above, I arrived at GFIRST last year, opened up laptop to check for WiFi, and Ooops! no power brick. After debating Dell and FedEx and other disgusting options, there was a BestBuy vending machine at the Gaylord that included... you guessed it...

So in addition to the parts/supplies you may need onsite, there's always the issue of what you forgot to stuff in the jump bag before you hit the road...

Jeff
Re: WW: Colo Vending Machine
On 2/17/2012 6:32 PM, Aled Morris wrote: Though wax string is nicer. http://www.repsole.com/ProductGroup.asp?PGID=254 Or in less static environments, velcro ties, e.g., http://www.cabletiesandmore.com/velcro.php Jeff
Re: Common operational misconceptions
On 2/16/2012 8:17 AM, Ray Soucy wrote:
> I've found starting off with some history on Ethernet (Maine loves Bob Metcalfe) becomes a very solid base for understanding how Ethernet today is very different; starting with hubs, bridges, collisions, and those problems, then introducing modern switching, VLANs, broadcast domains etc.

It's a bit dated (1998) but I always thought Rich Seifert covered the basics very well...

http://www.amazon.com/Gigabit-Ethernet-Technology-Applications-High-Speed/dp/0201185539

Jeff
Re: Common operational misconceptions
Or a security vendor, or a security publication... the whole top ten delivered as ten individual clicks with pay-per-view banner ads on each page and a bazillion tracker cookies arrgh.

Jeff

On 2/16/2012 5:26 AM, Chris Campbell wrote:
> This isn't so much a list of misconceptions that recent students have as a list of misconceptions that security management have…
>
> On 15 Feb 2012, at 22:52, Rich Kulawiec wrote:
>> ICMP is evil.
>> Firewalls can be configured default-permit.
>> Firewalls can be configured unidirectionally.
>> Firewalls will solve our security issues.
>> Antivirus will solve our security issues.
>> IDS/IPS will solve our security issues.
>> Audits and checklists will solve our security issues.
>> Our network will never emit abuse or attacks.
>> Our users can be trained.
>> We must do something; this is something; let's do this.
>> We can add security later.
>> We're not a target.
>> We don't need to read our logs.
>> What logs?
>>
>> (with apologies to Marcus Ranum, from whom I've shamelessly cribbed several of these)
>>
>> ---rsk
Re: Common operational misconceptions
(1) Block all ICMP (obviously some are required for normal operations: unreachables, pMTU too large/DF set, etc).
(2) Block certain ports (blindly, w/o at least established) taking out legitimate ephemeral port usage.
(3) Local uRPF is unnecessary (or source spoofing mitigation in general).
(4) Automagical things are necessary (Microsoft proprietary, UPnP, Apple Bonjour, mDNS, etc).
(5) WAN routing to multiple providers will automagically load-balance automagically.
or for that matter...
(6) IGP routing across multiple paths will automagically load-balance automagically.
Or for that matter...
(7) Port-channel (link aggregation) will load-balance automagically.
(8) Connectivity/throughput issues are always local or first-hop. ("We have a gig connection, why am I not getting a gig throughput?")

I'm sure there are more, but those were at the top of my head :)

Jeff
Re: Dear RIPE: Please don't encourage phishing
Heck, even Klingon made it to the private UTF-8 registry, http://en.wikipedia.org/wiki/Klingon_writing_systems :) Jeff
Re: Dear RIPE: Please don't encourage phishing
There used to be the old programming benchmark of how large a program (in lines, as well as compiled bytes) it took to say "Hello, world". The 21st century benchmark might now well be the size of a "Hello, world" e-mail. Or a web page with a similar statement.

Jeff

On 2/10/2012 6:46 PM, Rich Kulawiec wrote:
> On Fri, Feb 10, 2012 at 09:37:01AM -0800, Leo Bicknell wrote:
>> Remind me again why we live in this sad world Randy (correctly) described?
>
> Because banks and many other institutions have prioritized all-singing, all-dancing, bloated, horribly-badly-marked-up HTML email with stationery and logos and pictures and web bugs far, FAR ahead of security, privacy, accessibility, portability and other -ilities that I'm too lazy to enumerate just now.
>
> Besides: it's not like it's *their* accounts that will get hosed or *their* money that will get lost. Things like that only happen to the little people.
>
> See also this related note: http://www.mail-archive.com/infowarrior%40attrition.org/msg08436.html
>
> ---rsk
Re: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?
On 12/29/2011 8:12 PM, Mark Andrews wrote:
> Well I'd like to be able to plug in the cable router and the DSL router at home and have it all just work.

Well, that's not too far removed from the plugged-in laptop with the wireless still active. Toss-up which one wins default route. What would you like it to do? BGP feeds from both (likely not happening)? Defaults from both? Or you just want active/passive failover?

The real-world case for host routing (IMHO) is a server with a public interface, an administrative interface, and possibly a third path for data backups (maybe four if it's VMware/VMotion too). Unless the non-public interfaces are flat subnets, you need some statics (today). It can be a challenge to get SysAdmins in a co-operative mindset to route that correctly (and repetitively if you have a server farm). I would be walking the fence on the virtues of automatic route discovery in that case versus the security of static routes/configurations.

But home use from a host perspective?

Jeff
Re: Range using single-mode SFPs across multi-mode fiber
On 12/14/2011 3:37 PM, Keegan Holley wrote:
> Single mode just has a smaller core size for the smaller beam emitted by laser vs. LED. It works, although I've never done it outside of a lab (MM is cheaper). As for the distance, in theory that should come down to the optics and your transmit power. Hopefully this is just a cable connecting the router to a long line. I've never heard of a 10K MM fiber run since SX optics can't shoot that far.

You should be able to get through the 500m or so that MM optics are rated for, but YMMV (errors, light levels, bounces, etc etc)

Cisco gives specs for SFP LX over MM (they aren't that great at gig, and really suck at 10G; if you have 50u OM3/OM4 you can do much better at 10G). See the SFP/fiber/distance table at http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html

We have run LX-over-MM (62.5) on short building runs as a band-aid until SM is available, and are trying to do all new building MM with 50u OM3/OM4. We do have some dependence on 62.5u MM - used by our aging Simplex alarm system - which does point-to-point looped token ring *cough* on the alarm side. I'm trying to get them to confirm 50u will work point-to-point, but at some non-alarm points there would be a necessary 50-to-62.5 exchange taking place and I'm not certain how to accomplish that (50-62.5 would likely have tolerable loss, but not 62.5-50).

(I would suspect similar results cross-vendor but YMMV)

Jeff
Re: Ok; let's have the Does DNAT contribute to Security argument one more time...
On 11/14/2011 4:21 PM, Rubens Kuhl wrote: For the common good it doesn't matter if the NAT is good guys are right or the NAT is useless guys are right, as they both fail to decrease the numbers of their opposing parts. We must get IPv6 done for both of them. Hehehe... depending on your ISPs / transit providers / border technology level, putting critical infrastructure on IPv6[only] might be the safest most unreachable network of all :) Jeff
Re: Arguing against using public IP space
On 11/13/2011 4:27 PM, Phil Regnauld wrote:
> That's not exactly correct. NAT doesn't imply firewalling/filtering. To illustrate this to customers, I've mounted attacks/scans on hosts behind NAT devices, from the interconnect network immediately outside: if you can point a route with the ext ip of the NAT device as the next hop, it usually just forwards the packets...
>
> Phil

It depends on your NAT model. If you take a default Cisco PIX or ASA device...

(a) There is an option to permit non-NAT traffic through the firewall. If not selected (nat-control) then there must be a covering NAT rule for any inside host to communicate with the outside interface, let alone outside-to-inside.

(b) By default all inbound traffic is default-deny, only return traffic for inside-initiated connections is allowed. Yes, it's stateful (which is another argument altogether for placing a stateful device in the chain) but by all means, it does not allow outside traffic into the inside, regardless of the addressing scheme on the inside.

Beyond that, using 1918 space decreases the possibility that a new, unexpected path to the inside network will result in exposure. If you are using public space on the inside, and some path develops that bypasses the firewall, the routing information is already in place, you only need to affect the last hop. You can then get end-to-end routing of inside hosts to an outside party. Using 1918 space, with even nominal BCP adherence of the intermediate transit providers, you can't leak routing naturally. (Yes, it's certainly possible, but it raises the bar).

If the added protection were trivial, I would think the PCI requirement 1.3.8 requiring it would have been rejected long ago.

Jeff
Re: BGP conf
On 11/2/2011 9:58 PM, Jeff Wheeler wrote: I guess ten years of watching RIRs and users de-bogon new /8s didn't teach you why those Cymru examples are more dangerous than they are good. If you follow all the CYMRU examples and subscribe to the BGP bogon feed, that isn't an issue... Jeff
Re: Random five character string added to URLs?
On 11/1/2011 7:05 PM, Stefan Fouant wrote: Is there anything perhaps protecting or intercepting the data on its way to the server, perhaps an Arbor device or some type of load balancer? This type of behavior is quite common when protecting web assets to eliminate zombies and such, but it's usually something you would see back to the clients, not to the server. I have seen this in SEO-poisoning type of webpage defacement. They anchor a JavaScript in the main website frame and it generates optimization links using a numeric suffix or ?argument so that they appear as separate links. If the crawler is recognized (e.g., googlebot) then the SEO page is returned. Jeff
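A defender-side check for the cloaking described in the reply above, added here as an example and not code from the original post: it takes (or fetches) the page as a browser sees it and as a crawler sees it, and reports links that exist only in the crawler view, grouped into the numeric-suffix families the injected script generates. The sample HTML is constructed; `fetch_and_compare` and its User-Agent strings are this example's own choices.

```python
import re
import urllib.request
from html.parser import HTMLParser

class _LinkCollector(HTMLParser):
    """Collect every <a href> target in a document."""
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(href.strip())

def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links

# Trailing "-123", "/123", "_123" or "?key=123" (plus an optional file suffix):
# the shape of the auto-generated link variants the injected script emits.
_VARIANT_RE = re.compile(r"(?:[-_/]\d+|\?\w+=\d+)(?:\.\w+)?$")

def cloaked_links(visitor_html, crawler_html):
    """Links the crawler view contains but the visitor view does not,
    grouped by stem so /x-1.html ... /x-9.html show up as one family."""
    only_crawler = extract_links(crawler_html) - extract_links(visitor_html)
    families = {}
    for href in sorted(only_crawler):
        families.setdefault(_VARIANT_RE.sub("", href), []).append(href)
    return families

def fetch_and_compare(url, crawler_ua="Googlebot/2.1 (+http://www.google.com/bot.html)"):
    """Fetch url twice, once as a browser and once as a crawler, and diff the link sets."""
    views = []
    for ua in ("Mozilla/5.0 (X11; Linux x86_64)", crawler_ua):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=10) as resp:
            views.append(resp.read().decode("utf-8", "replace"))
    return cloaked_links(*views)

# Constructed sample: the same page as served to a browser and to a crawler.
VISITOR_VIEW = '<html><body><a href="/about">About</a> <a href="/contact">Contact</a></body></html>'
CRAWLER_VIEW = VISITOR_VIEW.replace("</body>", (
    '<div style="display:none"><a href="/deals-1.html">x</a><a href="/deals-2.html">x</a>'
    '<a href="/deals-3.html">x</a><a href="/shop?item=101">x</a>'
    '<a href="/shop?item=102">x</a></div></body>'))
```

Run against a live site, a non-empty result from `fetch_and_compare` is the cue to pull the page source and look for the injected script.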
Re: Outgoing SMTP Servers
On 10/26/2011 10:57 PM, Scott Howard wrote: On Tue, Oct 25, 2011 at 2:51 AM, Aftab Siddiqui aftab.siddi...@gmail.com wrote: Blocking port/25 is a common practice (!= best practice) for home users/consumers because it makes life a bit simpler in educating the end user. And it's not just 25. I'm on Charter, and they're blocking 135-139, 445, and 1434 too. Give Netalyzr a shot from your ISP. Jeff
Re: NANOGers home data centers - What's in your closet?
On 8/12/2011 8:29 PM, valdis.kletni...@vt.edu wrote: So what's in NANOGers home networks/compute centers? :) Surprisingly minimalistic - a Linksys cablemodem and a Belkin Play wireless router, both from Best Buy, a Dell Latitude laptop from work, and a PS/3. (I used to have more gear, but it came down to floor space for compute gear I didn't use versus guitar gear I *do* use.. ;) I'm on a similar page with Valdis: cable modem and a couple of wireless routers (11n with USB drive for media, b/g downstairs for the kids' Xbox). The serious toys are at the office :) And no guitar gear, but keyboards and home theater gear have priority. Used to run a Nepenthes honeypot but have retired it as very little malware is network-driven these days and the returns were minimal. Also have a small museum in the back room, with an IBM 2311 disk drive carcass (glass door intact), a 360/65 front panel, and an HP9000 D-class (still boots when I can afford the power/noise/nostalgia). Jeff
Re: US internet providers hijacking users' search queries
On 8/5/2011 8:53 PM, Brielle wrote: Until they start MitM'ing the SSL traffic, fake certs and all. Didn't a certain repressive regime already do this tactic with Facebook or some other major site? Marketscore did (via installing root certs in the victims' machines), and as far as I know, still does. Jeff
Re: unqualified domains, was ICANN to allow commercial gTLDs
On 6/19/2011 9:24 PM, Paul Vixie wrote: i think we have to just discourage lookups of single-token names, universally. Not to mention the folks of the Redmond persuasion with their additionally ambiguous \\hostname single names. (In the absence of a configured search domain, Windows won't even try DNS for a single name through its own resolver libraries; although nslookup will.) Jeff
Re: IPv6 and DNS
On 6/12/2011 11:44 AM, Matthew Palmer wrote: I don't believe we were talking about DHCPv6, we were talking about SLAAC. And I *still* think it's a better idea for the client to be registering itself in DNS; the host knows what domain(s) it should be part of, and hence which names refer to itself and should be updated with its new address. Register with what/which DNS? If no DHCPv6, no DNS information has been acquired, so you're doing the magical anycast/multicast. Not a fan of self-registration; in IPv4 we have DHCP register the DDNS update; after all, it just handed out an address for a zone/domain that *it* knows for certain. The host knows what domains it should be part of?? Perhaps a server or a fixed desktop, but otherwise (unless you're a big fan of ActiveDirectory anywhere) the domain is relative to the environment you just inherited. Letting any host register itself in my domain from any address/location is scary as heck :) Jeff
Re: Yup; the Internet is screwed up.
On 6/10/2011 7:43 PM, Jeroen van Aart wrote: I wonder, what's wrong with dialup through ISDN? You get speed that is about the same as low end broadband I'd say. And I think it'd be available at these locations where DSL is not. Well, it was available. I had one ~15 years ago, and a Cisco 801 to boot. There was a big build-out in some areas, the small-town local Bell (not yet Borg'ed into the conglomerate) went all digital (well, digital at the time) on their new nnx CO. Still recall the Northern Telecom network interface boxes on the sides of houses. Closer to the city, it was order and wait as you had to be crossed over or patched to the nearest ISDN CO. They weren't wholesale digital. Most of that has converted over to DSL. But ISDN is still available (we have some video conferencing gear that uses bonded ISDN). Jeff
Re: OT: Question/Netflix issues?
Now getting "We're sorry, the Netflix website and the ability to instantly watch movies are both temporarily unavailable." out of Charter. Campus getting same, routed via 1239 209 2906. Jeff
Re: unsubscribing, was Switching Email
On 3/12/2011 10:02 AM, John Levine wrote: Anyone have a list of MUAs that actually support RFC 2369 with subscription management widgets in the GUI? Surely someone has written one but I can't seem to find any documentation to that effect. Alpine, which has what must be the cruddiest GUI on the planet, does. Too bad people prefer glitz to function. And glitzy MUAs and MTAs tend to be the least RFC compliant of all. Thunderbird (older versions) had a plugin (Display Mailing List Headers) that would do it, but the plugin is not compatible with the current version[s] of Thunderbird. Any MUA that has a toggle or view to display all headers may indirectly do it if they create clickable links for http: and mailto: directives, e.g., from this list:

List-Id: North American Network Operators Group <nanog.nanog.org>
List-Unsubscribe: <https://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:nanog-requ...@nanog.org?subject=unsubscribe>
List-Archive: <http://mailman.nanog.org/pipermail/nanog>
List-Post: <mailto:nanog@nanog.org>
List-Help: <mailto:nanog-requ...@nanog.org?subject=help>
List-Subscribe: <https://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:nanog-requ...@nanog.org?subject=subscribe>

Jeff
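The parsing an MUA needs behind such an RFC 2369 widget, added here as an example and not part of the original post: it pulls the <URL> items out of each List-* field, tolerates folded headers and parenthesised comments, and keeps only http/https/mailto targets so nothing else becomes a clickable action. The sample message is constructed; its mailto addresses are placeholders, not the list's own.

```python
import email
import re
from urllib.parse import urlsplit

# The six header fields defined by RFC 2369.
LIST_HEADERS = ("List-Help", "List-Unsubscribe", "List-Subscribe",
                "List-Post", "List-Owner", "List-Archive")
# Only schemes a subscription widget should ever turn into a clickable action.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
_ANGLE_URL_RE = re.compile(r"<([^<>]*)>")

def parse_list_header(value):
    """Return the URLs of one RFC 2369 field value, in the order given.
    The value is a comma-separated list of <URL> items; anything outside the
    angle brackets (RFC 2369 permits parenthesised comments) is ignored, and
    URLs with an unexpected scheme are dropped rather than handed to the user."""
    urls = []
    for raw in _ANGLE_URL_RE.findall(value):
        url = "".join(raw.split())          # undo header-folding whitespace
        if urlsplit(url).scheme.lower() in ALLOWED_SCHEMES:
            urls.append(url)
    return urls

def list_actions(raw_message):
    """Map each RFC 2369 header present in the message to its usable URLs."""
    msg = email.message_from_string(raw_message)
    return {name: parse_list_header(msg[name]) for name in LIST_HEADERS if msg[name]}

# Constructed sample message; the mailto addresses are placeholders.
SAMPLE = """\
List-Id: North American Network Operators Group <nanog.nanog.org>
List-Unsubscribe: <https://mailman.nanog.org/mailman/listinfo/nanog>,
 <mailto:list-request@example.org?subject=unsubscribe>
List-Post: <mailto:list@example.org>
List-Help: (Help) <mailto:list-request@example.org?subject=help>
List-Archive: <ftp://archive.example.org/list>
Subject: test

body
"""
```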
Re: Switching Email
On 3/11/2011 8:24 PM, Scott Weeks wrote: --- b...@herrin.us wrote: From: William Herrin b...@herrin.us No, it isn't. Contrary to mailing list best practices, NANOG unsubscribe information is stubbornly stashed in the email headers -- That's a feature. Not a bug. :-) Actually, it's RFC 2369 :) Jeff
Re: Mac OS X 10.7, still no DHCPv6
On 2/28/2011 8:44 AM, Dobbins, Roland wrote: On Feb 28, 2011, at 8:40 PM, Jim Gettys wrote: Again, having a permanently known identifier being broadcast all the time is potentially a serious security/safety issue. We already have this with MAC addresses, unless folks bother to periodically change them, do we not? Not globally, no. Jeff
Re: Mac OS X 10.7, still no DHCPv6
On 2/27/2011 11:53 PM, Franck Martin wrote: No, when I first played with an IPv6-only network, I found out that RD was silly: it gives an IP address but no DNS, and you have to rely on IPv4 to do that. Silly, so my understanding is then people saw the mistake, and added some DNS resolution... Because the only option was to get DHCPv6 to get the DNS, but then why create RD in the first place? Well, for the malware authors, it really is an awful lot of trouble to go broadcasting gratuitous ARPs claiming to be the default gateway, and then blasting those spoofed gratuitous ARPs at the gateway claiming to be the clients, and having to do all that packet-forwarding foo just to get to be the man-in-the-middle... when you can just generate an RA and you don't even have to set the evil bit!! And why bother with all those silly DNS-changer malware pointing the resolvers off to Inhoster-land so you can provide your own interesting answers for interesting names you'd like to phish, when you can just sit there and listen on the DNS anycast address and answer the ones you want!! And why bother parsing out the Facebook friends or AOL buddies or MSN contacts list to spew out those phishing URLs to everybody we know, when we can just sit back and let Bonjour/Rendezvous/iChat do all the work for us? Plug and Play malware is the future :-) Jeff
Re: Sunday Funnies: Using a smart phone as a diagnostic tool
On 2/27/2011 9:00 PM, Jay Ashworth wrote: Do you have a smartphone? Blackberry? iPhone? Android? Do you use it as a technical tool in your work, either for accessing devices or testing connectivity -- or something else? I have a Droid2 with the WiFi Analyzer freebie app by Kevin Yuan. Compared to dragging around a real analyzer, it's helpful in the field. Certainly haven't gone to any great lengths to find more, or purposefully use my phone as a test device, but at least that one is handy (was discovered by our WiFi guy) and the price is right. Jeff
Re: PSTN address expansion
On 2/11/2011 11:28 PM, Jack Bates wrote: My apologies for the error, it will actually be a 32 digit system, and we're switching to base-16, so all phones will have to be replaced with phones supporting 0-9A-F. Well, they already do, you just need a military phone or a linesman's handset to get the last 4 to actually dial :-) (Who needs the freakin' * and # anyway) Jeff
Re: quietly....
On 2/3/2011 2:11 PM, Jay Ashworth wrote: Was TCP/IP this bad back in 1983, folks? Yeah. Only real hosts on the network, and you had to be a real root user to bind a listening port < 1024 :-) Now a 5-year-old with a freakin' phone can do it. Jeff
Re: quietly....
On 2/2/2011 2:42 PM, valdis.kletni...@vt.edu wrote: The only other charitable conclusion I can draw is "Somebody hasn't spent time chasing down people with misconfigured laptops on the wireless who are squawking RA's for 2002:". There's a *big* operational difference between "all authorized and properly configured routers know who they are" and "all nodes that think they're routers (deluded though they may be) know who they are". Amen to that, and add "all mischievous nodes that would /*love*/ to be your router / DNS / default gateway / etc". Jeff
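Detection logic for both cases raised in these threads, the rogue RA / rogue RDNSS resolver from the Mac OS X 10.7 reply above and the misconfigured laptop squawking RAs for 2002: prefixes here, added as an example and not code from either post: it parses a raw IPv6 Router Advertisement and alerts on any router source, on-link prefix or RDNSS resolver that is not on the operator's allowlists. `sample_ra` only builds an in-memory test packet for the parser; the allowlists and sample addresses are assumptions.

```python
import struct
import ipaddress

ICMPV6_RA = 134                     # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO, OPT_RDNSS = 3, 25  # ND option types (RFC 4861, RFC 6106)

def parse_ra(packet):
    """Parse a raw IPv6 packet; return None unless it is an ICMPv6 RA."""
    if len(packet) < 56 or packet[0] >> 4 != 6 or packet[6] != 58:
        return None
    icmp = packet[40:40 + struct.unpack("!H", packet[4:6])[0]]
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA:
        return None
    ra = {"src": ipaddress.IPv6Address(packet[8:24]), "prefixes": [], "rdnss": [],
          "router_lifetime": struct.unpack("!H", icmp[6:8])[0]}
    pos = 16                        # options follow the 16-byte fixed RA header
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8
        if olen == 0 or pos + olen > len(icmp):
            break                   # malformed option: stop, never loop forever
        body = icmp[pos + 2:pos + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:   # prefixlen at 0, prefix at 14..29
            ra["prefixes"].append(ipaddress.IPv6Network(
                (int.from_bytes(body[14:30], "big"), body[0]), strict=False))
        elif otype == OPT_RDNSS:    # reserved(2) + lifetime(4), then 16-byte addresses
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append(ipaddress.IPv6Address(body[i:i + 16]))
        pos += olen
    return ra

def ra_alerts(packet, trusted_routers, trusted_prefixes, trusted_resolvers):
    """Alert strings for any router, prefix or resolver the RA offers that is not allowlisted."""
    ra = parse_ra(packet)
    if ra is None:
        return []
    alerts = []
    if ra["router_lifetime"] > 0 and ra["src"] not in trusted_routers:
        alerts.append(f"default router offered by untrusted {ra['src']}")
    for p in ra["prefixes"]:
        if not any(p.subnet_of(t) for t in trusted_prefixes):
            alerts.append(f"unexpected prefix {p} from {ra['src']}")
    for r in ra["rdnss"]:
        if r not in trusted_resolvers:
            alerts.append(f"unexpected resolver {r} from {ra['src']}")
    return alerts

def sample_ra(src, prefix, resolver):
    """Constructed in-memory test packet, not a capture (checksum left zero; not verified)."""
    net = ipaddress.IPv6Network(prefix)
    opts = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    opts += net.network_address.packed
    opts += struct.pack("!BBHI", OPT_RDNSS, 3, 0, 3600) + ipaddress.IPv6Address(resolver).packed
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0) + opts
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp
```

Feed `ra_alerts` the IPv6 payload of captured frames (for example from a raw socket or a pcap reader) and the allowlists from your router inventory; a 2002: prefix from an unknown link-local source produces two alerts at once.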
Re: Found: Who is responsible for no more IP addresses
On 1/27/2011 2:43 PM, david raistrick wrote: here's the original quote (which a friend had pasted to me): Web developers have tried to compensate for this problem by creating IPv6 -- a system that recognizes six-digit IP addresses rather than four-digit ones. And as replied privately to someone else earlier, that was quoted from the Fox News IPv6 website, http://ww.foxnews.com :-) Jeff
Re: Is NAT can provide some kind of protection?
On 1/12/2011 2:57 PM, Owen DeLong wrote: Try this at home, with/without NAT: 1. Buy a new PC with Windows installed 2. Install all security patches needed since the OS was installed Without NAT, your unpatched PC will get infected in less than 1 minute. Wrong. Repeat the experiment with stateful firewall with default inbound deny and no NAT. Yep... Same results as NAT.

Now let that laptop (or another one on the home subnet) show up with Bridging or Internet Connection Sharing enabled with wired/wireless connections and see what you get. Still maybe OK if it's the host firewall, and it's turned on, and it's not domain-joined with the local subnet allowed, etc., but that was post-SP2 and assumes some malware [or the user] hasn't turned it off.

NAT+RFC1918 = no accidental leakage/bridging (yes, they could spoof RFC1918 destinations, assuming they get routed all the way to the endpoint... but that's a bigger if than a public address). Perfect stateful firewall with perfect default inbound deny and no other variables thrown in the mix, and yes, but it's breakable in contrast to the NAT+RFC1918 case. There is something to be said for unreachable (i.e., not in your forwarding table) -- else the VPN / VRF / MPLS / etc folks wouldn't have a leg to stand on :-)

With that said, this isn't a one-size-fits-all, everybody's-perfect solution. We've covered the gamut from home CPE to server farms here, with the original question being about a DMZ case. They are however legitimate security layers applied to certain cloves of this particular bulb of garlic (a more appropriate model than the homogeneous onion) :-) Jeff
Re: Is Cisco equipment de facto for you?
On 1/10/2011 3:20 PM, Greg Whynott wrote: HP probably was the most helpful vendor I've dealt with in relation to solving/providing inter-vendor interoperability solutions. They have PDF booklets on many things we would run into during work. For example, setting up STP between Cisco and HP gear ( http://cdn.procurve.com/training/Manuals/ProCurve-and-Cisco-STP-Interoperability.pdf ). Well, technically, the HP reference tells you how to convert your Cisco default PVST over to MST to match the HP preference. The handful of HP switches versus the stacks and stacks of production Cisco requiring conversion to suit them was intimidating to say the least :-) Foundry/Brocade on the other hand do PVST (so they say; I haven't given it a thorough lab test). Jeff