Re: telia selling carrier ops to polhem infra

2020-10-07 Thread Måns Nilsson
Subject: Re: telia selling carrier ops to polhem infra Date: Tue, Oct 06, 2020 
at 03:28:57PM + Quoting James Breeden (ja...@arenalgroup.co):
> Still smells Swedish to me. Probably will end up with a different name, but 
> other than that I don't see much changing. Sounds more like a spinoff than 
> acquisition.

I is, Polhem is wholly owned by a few of the large public pension funds in 
Sweden. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
I want to dress you up as TALLULAH BANKHEAD and cover you with VASELINE
and WHEAT THINS ...


signature.asc
Description: PGP signature


Re: Request comment: list of IPs to block outbound

2019-10-23 Thread Måns Nilsson
Subject: Re: Request comment: list of IPs to block outbound Date: Tue, Oct 22, 
2019 at 11:11:27PM -0600 Quoting Grant Taylor via NANOG (nanog@nanog.org):
> On 10/22/19 10:54 PM, Måns Nilsson wrote:

> > It is just more RFC1918 space, a /10 unwisely spent on stalling IPv6
> > deployment.
> 
> My understanding is that RFC 6598 — Shared Address Space — is *EXPLICITLY*
> /not/ a part of RFC 1918 — Private Internet (Space).  And I do mean
> /explicitly/.

I understand the reasoning. I appreciate the need. I just do not agree
with the conclusion to waste a /10 on beating a dead horse. A /24 would
have been more appropriate way of moving the cost of ipv6 non-deployment
to those responsible. (put in RFC timescale, 6598 is 3000+ RFCen later
than the v6 specification. That is a few human-years. There are no
excuses for non-compliance except cheapness.)
 
Easing the operation of CGN at scale serves no purpose except stalling
necessary change. It is like installing an electric blanket to cure the
chill from bed-wetting.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
I'm a nuclear submarine under the polar ice cap and I need a Kleenex!


Re: Request comment: list of IPs to block outbound

2019-10-22 Thread Måns Nilsson
Subject: Re: Request comment: list of IPs to block outbound Date: Sun, Oct 13, 
2019 at 09:24:39AM -0700 Quoting William Herrin (b...@herrin.us):
> 
> > 100.64.0.0/10   Private network Shared address space[3] for
> > communications between a service
> > provider and its subscribers
> > when using a carrier-grade NAT.
> >
> 
> This space is set aside for your ISP to use. like RFC1918 but for ISPs. It
> is not specifically CGNAT. Unless you are an ISP using this space, you
> should not block destinations in this space.

I have a hard time finding text that prohibits me from running machines
on 100.64/10 addresses inside my network. It is just more RFC1918 space,
a /10 unwisely spent on stalling IPv6 deployment.

/Måns, guilty. 
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
It's OKAY -- I'm an INTELLECTUAL, too.


signature.asc
Description: PGP signature


Re: IPAM recommendations

2019-09-05 Thread Måns Nilsson
Subject: IPAM recommendations Date: Thu, Sep 05, 2019 at 05:35:19PM +0900 
Quoting Mehmet Akcin (meh...@akcin.net):
> Looking for IPAM recommendations, preferably open source, API is a plus
> (almost must, almost..). 40-50K IPs to be managed.

nipap

infoblox if you are an enterprise needing AD herding and got too much cash. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
I had pancake makeup for brunch!


signature.asc
Description: PGP signature


Re: OT: Tech bag

2019-08-15 Thread Måns Nilsson
Subject: Re: OT: Tech bag Date: Mon, Aug 05, 2019 at 01:07:23PM -0700 Quoting 
Aaron Russo (aru...@pixar.com):
> I have been really happy with my Tom Bihn Brain Bag (https://tombihn.com).
> I carry a 15in and 13in laptop along with a snake charmer accessory for all
> my cables. If you loosen the straps there’s plenty of room to also stuff a
> jacket AND a small to medium sized UPS parcel if need be.

The Brain Bag continues to serve me well, after some 10 years. Definitely
seconded. As EDC it holds all I need, and works for a short trip, too.
For serious install work, (bordering on truck roll) I end up carrying
a fiber measurement/maintenance box (a small Peli-style case) and my
leather tool case. Anything described with the phrase " distinctive
standard issue cases, produced for over half a century." immediately
creates desire.

https://www.canford.co.uk/Products/16-389_TOOLMARK-TOOL-CASE-No.6-Brown-with-handles

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
Do you guys know we just passed thru a BLACK HOLE in space?


signature.asc
Description: PGP signature


Re: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-14 Thread Måns Nilsson
Subject: Re: Protecting 1Gb Ethernet From Lightning Strikes Date: Wed, Aug 14, 
2019 at 02:01:01PM +0200 Quoting Bjørn Mork (bj...@mork.no):
> Måns Nilsson  writes:
> 
> > /Måns, has 6 pairs 9/125 between garage and house at home. 
> 
> Now you made me worry that my single OM4 pair to the garden shed might
> be insufficient ;-)

I have but one comment: "Friends don't let friends run multimode." 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
Yow!  I'm having a quadrophonic sensation of two winos alone in a steel mill!


signature.asc
Description: PGP signature


Re: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-14 Thread Måns Nilsson
Subject: Protecting 1Gb Ethernet From Lightning Strikes Date: Tue, Aug 13, 2019 
at 02:22:12PM -0400 Quoting Javier J (jav...@advancedmachines.us):
> I'm working with a client site that has been hit twice, very close by
> lightening.
> 
> I did lots of electrical work/upgrades/grounding but now I want to focus on
> protecting Ethernet connections between core switching/other devices that
> can't be migrated to fiber optic.

If lightning comes so close that it will break things inside the same
facility because they are connected by structured cabling, two things
typically have failed;

* The building as such is not adequately protected.

* There exist too large potential differences within the electrical
  system inside the building.

For #1, telecoms regulations on site grounding and protection give good,
albeit expensive advice. The most important part is that all cabling
enter the facility with its screens at common potential. The reason
is that most blown equipment comes from in-ground potential difference
between different cables. (I've poured shattered IC's out of a poor ADSL
router after such a strike. ) If that potential difference is cancelled
upon entry in the facility by bonding all grounds the risk is minimised.

For #2, it is mostly solved by fixing #1, but it is proper to fix it by
mesh-connecting grounds on all equipment together. If there is a 10mm^2
(around AWG7) bonding conductor parallel to the 0,14mm^2 (AWG25) drain
wire in the foil screen, which way will the current take?
Do note that star grounds are popular, but they're impossible to maintain
and typically don't work at high frequiencies, which will lessen their
efficiency against fast-rising transients. Mesh grounds are better at
conducting high frequencies and are easier to maintain.

Having several power utility feeds into same facility will of course
exacerbate the problem, which is one of the reasons it is illegal
in Sweden.

If you need to cross between two buildings, copper should be
rejected. Fiber is so much better. And pays for itself immediately upon
first strike survived.

/Måns, has 6 pairs 9/125 between garage and house at home. 
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
I feel partially hydrogenated!


signature.asc
Description: PGP signature


Re: Time and Timing Servers

2019-07-11 Thread Måns Nilsson
Subject: Re: Time and Timing Servers Date: Thu, Jul 11, 2019 at 09:11:13PM 
+0200 Quoting Karsten Elfenbein (karsten.elfenb...@gmail.com):
> I think you are referencing their chip scale atomic clocks. Which are very
> frequency stable. But still need phase alignment. (Mobile UPS anyone?)

This is not a new problem. 

http://www.leapsecond.com/hpj/v15n11/

Fascinating reading. 
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
YOW!!  Now I understand advanced MICROBIOLOGY and th' new TAX REFORM laws!!


signature.asc
Description: PGP signature


Re: Time and Timing Servers

2019-07-11 Thread Måns Nilsson
Subject: Re: Time and Timing Servers Date: Thu, Jul 11, 2019 at 10:23:41AM 
-0500 Quoting Mike Hammett (na...@ics-il.net):
> I'll look into Meinberg. 
 
Meinberg are nice people with good hardware. They can do 2048KHz from
GPS and other timing signals, for instance. Then again, some router
vendors do that in boxes you need anyway. As long as the controlling
clock is PTP.
 
> I recent thread mentioned high-sensitivity receivers often allow GPS to work 
> inside. Obviously "inside" has a lot of definitions. 

Indeed. Colo buildings rarely are on the forgiving side of "inside".
In Sweden, most older central offices are built to some degree of bomb
proofness (certainly not safe from direct hit) , with some 10mm of steel
in shutters for all windows, etc. GPS fares not well there. 
 
> I will need this facility for the TDM timing signals. It's a central office, 
> not a datacenter. 

Then you're concerned with frequency and phase to ITU-T G.812, I
suspect. Unless this is your "central central" office, in which case
you need G.811.

> I don't know that Internet-based NTP would be accurate enough for the timing 
> signals that I need. Maybe, maybe not. 

The current trend in today's large frequency/phase consumers, ie. mobile,
is to run PTP over backhaul.  Well behaved NTP _could_ make it, I suspect,
given a good enough clock in the facility, but PTP will definitely work,
assuming you have transmission and hardware capable of doing it. 

"Capable" here, means dark fibre or WDM is required together with
routers and switches that can act as boundaries in PTP sense. If you
rent MPLS or are using plain Internet infrastructure, it becomes a lot
more complicated.

There are frequency/phase transmission solutions (mostly broadcast
related) that easily can transfer your central central cæsium clock
frequency to another site using reasonable-quality IP transport, but
those are neither cheap nor fire-and-forget.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
I'm gliding over a NUCLEAR WASTE DUMP near ATLANTA, Georgia!!


signature.asc
Description: PGP signature


Re: SFP supplier in Europe?

2019-04-08 Thread Måns Nilsson
Subject: SFP supplier in Europe? Date: Thu, Apr 04, 2019 at 10:09:15PM +0200 
Quoting nanog-...@mail.com (nanog-...@mail.com):
> Hello NANOG,
> 
> Could somebody recommend an SFP supplier in Europe with a warehouse in the EU 
> and fast shipping? I need to pick up some 80km Bidi SFPs and I'd prefer to 
> use a supplier has and will keep stock locally.

With the caveats discussed in the thread taken into consideration,
I'd pitch in that both FS and FlexOptix have proven useful to me.
Flex got me a very specific coding (Siemens SDH gear compatible) in
no time, and FS are -- for stocked items -- hard to beat on price and
shipping time. Both being inside EU means zero hassle with customs
which is important. (Poor Brits, what have they done to themselves?)

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
Are we on STRIKE yet?


signature.asc
Description: PGP signature


Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-28 Thread Måns Nilsson
Subject: Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS 
Hijacking Date: Thu, Feb 28, 2019 at 08:47:19AM + Quoting Mike Meredith 
(mike.mered...@port.ac.uk):
> On 27 Feb 2019 13:07:09 -0500, "John Levine"  may have
> written:
> > The IETF one says that nobody used type 99, and some of the few
> > implementations we saw were broken, so we deprecated it.
> 
> And just after I'd finished adding in all the SPF records too, so I had to
> turn around and take all them out again immediately after.

You did not have to. I still have them in. (As well as TXT records that
almost look like them, but mostly are there to tickle parser bugs. ) 

I still get queries for SPF.  Obviously "TXT as RRtype for SPF data"
is a failure and needs to be re-deprecated. (No, I'm joking, but I wish I 
wasn't.) 

Type-squatting is bad for the Internet, and should be discouraged. And,
Carthago should be destroyed.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
Yow!  Now I get to think about all the BAD THINGS I did to a BOWLING
BALL when I was in JUNIOR HIGH SCHOOL!


signature.asc
Description: PGP signature


Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-28 Thread Måns Nilsson
Subject: Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS 
Hijacking Date: Wed, Feb 27, 2019 at 07:59:49PM -0800 Quoting Seth Mattinen 
(se...@rollernet.us):
> On 2/27/19 7:02 PM, b...@theworld.com wrote:
> > I have proposed many times to just move domain WHOIS data into a new
> > RRTYPE and let whoever owns the domain put in that whatever they want,
> > including (and perhaps most usefully for many) just a URL for further
> > detail.
> 
> 
> We kind of have that with RP records. But does anyone do it?

I do, as preserver of strange RRtypes people try to deprecate. 

dig @primary.se besserwisser.org AXFR | awk '\
/^;/ { 
next; 
}; 
/besserwisser.org/ { 
types[$4]++; 
}; 
END { 
for ( RRTYPE in types ) { 
count++; 
printf "%s\t%d\n", 
RRTYPE, 
types[RRTYPE]; 
}; 
printf "Total:\t%d rrtypes in zone\n", 
count; 
};'

NS  5
21
DNSKEY  3
SPF 1
A   28
NSEC62
AFSDB   3
RP  1
MX  2
CNAME   9
SOA 2
RRSIG   147
TXT 6
SSHFP   14
SRV 20
DS  4
Total:  16 rrtypes in zone

(Yes, there's a bug there, but the end figure is correct.) 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
TONY RANDALL!  Is YOUR life a PATIO of FUN??


signature.asc
Description: PGP signature


Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-27 Thread Måns Nilsson
Subject: Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS 
Hijacking Date: Wed, Feb 27, 2019 at 01:07:09PM -0500 Quoting John Levine 
(jo...@iecc.com):
> In article <20190227161327.ga27...@besserwisser.org> you write:
> >that is RFC 7208.[0]
> 
> >[0] This document tries to deprecate RRTYPE 99 for SPF. By stating that
> >only TXT records can be trusted. ...
> 
> This must be a very different RFC 7208 from the one that the IETF published.
> 
> The IETF one says that nobody used type 99, and some of the few 
> implementations
> we saw were broken, so we deprecated it.

We will never agree on that.  Because I think you were, and are,
wrong. Mostly out of eagerness and lack of patience.

I'm fairly certain you think I have no idea what I'm talking about. But,
to rehash, a little less subtle:

My point was that the general state of criminal ignorance about the
finer nuances of DNS is so wide spread that around 2038 we'll have an
abstraction layer entirely built out of mile-long CNAME chains, because
nobody remembers any other record type. CNAMEs we tried to forget too,
replacing them with something out of the olde annals of Compuserve, but
since the golden standard of resiliency and load balancing is a chain
of them pointing into a bookstore's spare servers, we really can't do
without them.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
Don't worry, nobody really LISTENS to lectures in MOSCOW, either! ...
FRENCH, HISTORY, ADVANCED CALCULUS, COMPUTER PROGRAMMING, BLACK
STUDIES, SOCIOBIOLOGY! ...  Are there any QUESTIONS??


signature.asc
Description: PGP signature


Re: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-27 Thread Måns Nilsson
Subject: RE: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Date: 
Wed, Feb 27, 2019 at 10:17:22AM -0500 Quoting Eric Tykwinski 
(eric-l...@truenet.com):
> > Nah, you know, that won't happen any time soon. Mozilla is busy doing 
> > other, more important things, like streaming all of the users' DNS queries 
> > to Cloudflare, etc. The plain old security doesn't count anymore.
> >
> > --
> > Töma
> 
> This was sort of discussed awhile ago:
> Adam Langley:
> https://www.imperialviolet.org/2015/01/17/notdane.html

Calling TXT or DANE non-standard is a remarkable statement. Smells of the
deeply flawed reasoning that brought us the festering pile of defaitism
that is RFC 7208.[0]

As I wrote a few messages upthread, the user can not expect the network
to be trustworthy, and still, we who run the network would very much
like their business. So, what we must constantly strive for is maximum
transparency, carrying as much of the Internet experienc, good or bad,
to the end user. Or, more terse: "Middleboxes are bad for you." 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
I demand IMPUNITY!

[0] This document tries to deprecate RRTYPE 99 for SPF. By stating that
only TXT records can be trusted. Apparently, it is possible to decide
on the fly which RRtypes are possible to query for, depending on the
argument.


signature.asc
Description: PGP signature


Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Måns Nilsson
Subject: Re: A Deep Dive on the Recent Widespread DNS Hijacking Date: Mon, Feb 
25, 2019 at 05:04:39PM +1100 Quoting Mark Andrews (ma...@isc.org):
 
> I would also note that a organisation can deploy RFC 5011 for their own
> zones and have their own equipment use DNSKEYs managed
> using RFC 5011 for their own zones.  This isolates the organisation’s
> equipment from the parent zone’s management practices.
>
> I would also note that you can configure validating resolvers to expect
> secure responses for parts of the namespace and to reject
> insecure responses even when they validate as insecure.
 
One thing that immediately struck me upon reading the Krebs post was
that people got owned by having to downgrade the end-to-end model of
the Internet into Proxy-land. A hotel wifi. Probably only challenged by
"Free Wifi" in other spaces in its ability to demolish the Internet as
thought out and envisioned.
 
We can conclude in two different directions here; 

* We need to work on making the Internet more transparent to applications,
  and thus increasing security.

* We're all doomed anyway. DNSSEC is useless. 

Pick whichever you like. Our children will judge us. 
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
My EARS are GONE!!


signature.asc
Description: PGP signature


Re: How are you configuring BFD timers?

2018-03-22 Thread Måns Nilsson


--On 22 mars 2018 23:45:16 +0200 Saku Ytti <s...@ytti.fi> wrote:

> On 22 March 2018 at 22:41, Måns Nilsson <mansa...@besserwisser.org>
> wrote:
> 
>> Subject: Re: How are you configuring BFD timers? Date: Wed, Mar 21, 2018
>> at 04:24:47PM + Quoting Job Snijders (j...@instituut.net):
>>> Silly question perhaps, but why would you do BFD on dark fiber?
>> 
>> Because Ethernet lacks the PRDI that real WAN protocols have.
> 
> Indeed, RFI on ethernet is rather modern addition, turning 20 this year.

(You just reminded me I've been doing some sort of WAN network ops for
about 20 years.)

That does indeed solve the problem for dark fibre, and those lucky WDM
systems that actually reflect input status to output. Not always true, I'm
afraid (just look at the Ethernet switch mid-span that Thomas Bellman wrote
about; a fitting metaphor for all "ethernet-over-other.." models..).
Ethernet still regards "no frames seen on the yellow coax" as an
opportunity to send traffic rather than an error, if we're talking old
things ;-).  BFD solves that, and it is worthwhile to have one setup
regardless of technology, if possible. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
CHUBBY CHECKER just had a CHICKEN SANDWICH in downtown DULUTH!


pgpL9ZcdjvFO7.pgp
Description: PGP signature


Re: How are you configuring BFD timers?

2018-03-22 Thread Måns Nilsson
Subject: Re: How are you configuring BFD timers? Date: Wed, Mar 21, 2018 at 
04:24:47PM + Quoting Job Snijders (j...@instituut.net):
> Silly question perhaps, but why would you do BFD on dark fiber?

Because Ethernet lacks the PRDI that real WAN protocols have. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
If I am elected no one will ever have to do their laundry again!

PS: Don't get me wrong. I'm all for Ethernet, it is cheap (or perhaps,
SDH/SONET line cards were artificially expensive) and it makes networks
faster more often, by virtue of interface cheapness. But one really
needs to tack about half the signalling from SDH onto Ethernet (here,
BFD) to get some predictability from it. Which is OK, it was made for
NFS and Telnet on a LAN. It does really well considering that.


signature.asc
Description: PGP signature


Re: listserv hosed? [Was: Fwd: nanog.org mailing list memberships reminder]

2018-02-02 Thread Måns Nilsson
Subject: Re: listserv hosed? [Was: Fwd: nanog.org mailing list memberships 
reminder] Date: Fri, Feb 02, 2018 at 04:04:54PM -0500 Quoting 
valdis.kletni...@vt.edu (valdis.kletni...@vt.edu):

> And you have reason to think that it *still* does things that way, 17 years 
> later?

I honestly do not know, but I'd suspect so. More of a hunch than anything else, 
though. 

It *was* very fast back then, though. Today, not so much of a competitive edge. 
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
Hold the MAYO & pass the COSMIC AWARENESS ...


signature.asc
Description: PGP signature


Re: listserv hosed? [Was: Fwd: nanog.org mailing list memberships reminder]

2018-02-02 Thread Måns Nilsson
Subject: Re: listserv hosed? [Was: Fwd: nanog.org mailing list memberships 
reminder] Date: Fri, Feb 02, 2018 at 06:30:20AM -0500 Quoting Rich Kulawiec 
(r...@gsp.org):
> 
> 1. It's not a listserv.  It's a mailing list.  ListServ is obsolete,
> expensive, closed-source garbage software used exclusively by people
> who don't know any better and like to waste their money.

Butbutbut! 

A VM/370 app that still does all internal processing in EBCDIC, even on
POSIX OSes[0], with almost-ascii config files, and that ran very well
on VMS? What is there not to love?

/Måns, former sysop at SEGATE.SUNET.SE
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
What's the MATTER Sid? ... Is your BEVERAGE unsatisfactory?

[0] Eric Thomas, mr LISTSERV himself, told me this when we were migrating
that large LISTSERV one dark night 17 years ago.


signature.asc
Description: PGP signature


Re: IPv6 migration steps for mid-scale isp

2017-09-20 Thread Måns Nilsson
Subject: Re: IPv6 migration steps for mid-scale isp Date: Wed, Sep 20, 2017 at 
12:04:45PM -0300 Quoting Owen DeLong (o...@delong.com):

> > iBGP is scalable, you can introduce router reflectors to avoid full mesh
> > peering between PE routers – and the sky if your limit!
> 
> I think in general most serious networks consider this a question of OSPF
> vs. ISIS for IGP and BGP is the only choice for EGP.
> 
> I find it interesting that you don’t even mention ISIS in your discussion.
> 
> I don’t know of any substantial networks running EIGRP these days. I’m not
> saying they don’t exist, but they are certainly rare exceptions.

The fact that we'll be running dual-stack for perhaps another decade and
that there are no 36-hour days available makes the choice very simple;
IS-IS is my preferred choice. One routing instance less. 

But, I'd rather limit the IS-IS scope to "links and loopbacks" -- there
is no need to have link-state flooding for a customer network that will
always be originated from one specific access router. iBGP is much more
appropriate for that. As long as I'll have one working path up to that
router I can rely on BGP to tell me where the network is.

The key is the time domain. If the topology is likely to be changing
slowly (customer moves premises or commissions new connection), use
BGP to signal it. If the topology is potentially unstable, i.e. subject
to backhoes and similar, use IS-IS.

Oh, by the way; I concur with Owen: EIGRP is not done. I've stumbled
on it once the last decade, and it was a PABX network engineer who
insisted.
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
Am I in GRADUATE SCHOOL yet?


signature.asc
Description: PGP signature


Re: Virtual or Remote Peering

2017-08-16 Thread Måns Nilsson
Subject: Re: Virtual or Remote Peering Date: Wed, Aug 16, 2017 at 08:02:47AM 
-0500 Quoting Mike Hammett (na...@ics-il.net):

>>> How well does this service work? I understand it usually involves 
>>> point-to-multipoint Switched Ethernet with VLANs and resold IX ports. 
>>> Sounds like a service for ISP that would like to peer, but have relatively 
>>> small volumes for peering purposes or lopsided volumes. 

>> Its like buying regular ip-transit, but worse. 
 
> That seems to be a rather lopsided opinion. 

You get connections to other operators over an unreliable path that you
have no control over, and the opportunities to keep traffic local are
limited. Adding to that, it is all your fault since your provider does
not do L3 and can claim a very passive rôle in the process. 

Like transit, but worse. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
YOW!!  The land of the rising SONY!!


signature.asc
Description: PGP signature


Re: Dyn DDoS this AM?

2016-10-21 Thread Måns Nilsson
Subject: Re: Dyn DDoS this AM? Date: Sat, Oct 22, 2016 at 01:37:09AM +0200 
Quoting Niels Bakker (ni...@bakker.net):
> * mansa...@besserwisser.org (Måns Nilsson) [Sat 22 Oct 2016, 01:27 CEST]:
> >Also, do not fall in the "short TTL for service agility" trap.
> 
> Several CDNs, Akamai among them, do use short TTLs for this exact reason.
> Server load is constantly monitored and taken into account when crafting DNS
> replies.

But the problem is that this trashes caching, and DNS does not work
without caches. At least not if you want it to survive when the going
gets tough. 

If we're going to solve this we need to innovate beyond the pathetic
CNAME chains that todays managed DNS services make us use, and get truly
distributed load-balancing decision-making (which only will work if you
give it sensible data; a single CNAME is not sensible data) all the way
out in the client application. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Well, I'm INVISIBLE AGAIN ... I might as well pay a visit to the LADIES
ROOM ...


signature.asc
Description: Digital signature


Re: Dyn DDoS this AM?

2016-10-21 Thread Måns Nilsson
Subject: Re: Dyn DDoS this AM? Date: Sat, Oct 22, 2016 at 01:19:24AM +0200 
Quoting Niels Bakker (niels=na...@bakker.net):

> The point of outsourcing DNS isn't just availability of static hostnames,
> it's the added services delivered, like returning different answers based on
> source of the question, even monitoring your infrastructure (or it reporting
> load into the DNS management system).
> 
> That is very hard to replicate with two DNS providers.

Surely, it must be better to use a singular service that is provably
easy to take out. The advantages are overwhelming.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Yow!  Are we wet yet?


signature.asc
Description: Digital signature


Re: Dyn DDoS this AM?

2016-10-21 Thread Måns Nilsson
Subject: Re: Dyn DDoS this AM? Date: Fri, Oct 21, 2016 at 03:21:20PM -0700 
Quoting David Birdsong (da...@imgix.com):
> On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush <ra...@psg.com> wrote:
> 
> > anyone who relies on a single dns provider is just asking for stuff such
> > as this.
> >
> > randy
> 
> I'd love to hear how others are handling the overhead of managing two dns
> providers. Every time we brainstorm on it, we see it as blackhole of eng
> effort WRT to keeping them in sync and and then waiting for TTLs to cut an
> entire delegation over.

The fault is giving up the primary for an API connection. Sure, it is
tempting. We do, however, need to push the "application-integrated"
DNS vendors harder. They need to give their customers more choice in
how the DNS is populated. 

They also very much need to let people with above-mentioned
"application-integrated" needs add third party DNS providers in the mix.
This diversity capability is what makes DNS resilient. Monocultures have
suboptimal survivability in the long run.

Adding DNS providers when you control the primary is completely
painless. With EDNS0 there's lots of room for insanely large NS RRSETs. 

Also, do not fall in the "short TTL for service agility" trap. 

Besides, what Randy wrote. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Hold the MAYO & pass the COSMIC AWARENESS ...


signature.asc
Description: Digital signature


Re: Cost-effectivenesss of highly-accurate clocks for NTP

2016-05-15 Thread Måns Nilsson
Subject: Re: Cost-effectivenesss of highly-accurate clocks for NTP Date: Sun, 
May 15, 2016 at 03:21:02PM + Quoting Mel Beckman (m...@beckman.org):
 
> The upshot is that there are many real-world situations where expensive clock 
> discipline is needed. But IT isn't, I don't think, one of them, with the 
> exception of private SONET networks (fast disappearing in the face of metro 
> Ethernet).

Pro audio is moving to Ethernet (they talk about it, Ethernet, as either
"RJ45" or "Internet"...) and sometimes even to IP in a fairly rapid
pace. If you think the IP implementations in IoT devices are naîve, wait
until you've seen what passes for broadcast quality network engineering.

Shoving digital audio samples in raw Ethernet frames is at least 20 years
old, but the last perhaps 5 years has seen some progress in actually
using IP to carry audio streams. (this is close-to-realtime audio,
not file transfers, btw.)

A lot of audio is sent using codecs like Opus, with SIP as
signalling. That works quite nicely. We've got a smartphone app to do
that, for instance. 

But, this is all mostly floating in terms of absolute sampling
frequency. Digital audio needs a clock to work. In the simple home stereo
case, this is taken care of by listening to the pace samples arrive at,
and using that. But as soon as you are mixing two sources, they need
to be in tune. Something needs to decide what to use as master. In the
smartphone case, we simply buffer some 20-100ms of audio and start playing
back, using our own clock. Then we hope the interview is over before
the buffer is overflowing or drained. Which mostly works.

Inside facilities, when we use the SIP-signalled streams, we usually can
rely on a separate clock distribution. In our specific case, we've bought
country-wide clock distribution that gives us the same sample clock in
all facilities. (Digital TV is mostly built as single frequency networks,
which requires syntonous (at least) transmitters. Thus, it today is
quite easy to find providers of frequency in the broadcast business.)

Now, the Audio Engineering Society has published AES67 which in essence
is multichannel, multicast RTP audio (L48 mediatype, ie. linear 48KHz
24-bit) synchronized by PTP, also multicast.

Now, bear in mind that I wrote _synchronized_, not _syntonized_. 

Up to now, the only thing that mattered to keep track of was
frequency. Since one of the big reasons for AES67 is distributing
sound to several different loudspeakers that can be heard by one
listener simultaneously, the prime example being a stereo pair of active
loudspeakers with one network jack on each, _phase_ matters, as well as
absolute time. (Mostly, telco synchronization mentions absolute time as
phase.) This application requires absolute time, since a mono sound
in our stereo example needs to play back _at the same time_ from both
speakers. Or it ceases to be a mono sound, instead becoming a sound
that is offset in the soundstage by delaying it. 
Most classical stereo recordings are mono in terms of level, but not in
terms of the time domain; since they derive all spatial info from time,
not gain. Like we humans do.

The usual test case is to buy a PTP-aware switch, a PTP Grand Master,
steered by   and build a small LAN, test that Vendor A and
Vendor B can send audio between themselves via this simple network and
call it a day.

That is a nice lab setup. Also very far from what needs to be built in 
order to solve the actual production cases. 

But, to try to return to "relevant for NANOG", there are actual products
requiring microsecond precision being sold. And used. And we've found
that those products don't have a very good holdover. On ranty days I
usually accuse them of having hotglued an Ethernet adapter onto the old
TDM-based audio devices and sent them out to customers with a prayer
and instructions to build an overengineered network to make certain that
PTP always is delivered with zero IPDV.

A lot of strange things are getting network connectors these days. Not
all of them are content with a http connection to some cloud provider.
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
The PILLSBURY DOUGHBOY is CRYING for an END to BURT REYNOLDS movies!!


signature.asc
Description: Digital signature


Re: Top-shelf resilience (Re: Why the US Government has so many data centers)

2016-03-25 Thread Måns Nilsson
Subject: Top-shelf resilience (Re: Why the US Government has so many data 
centers) Date: Tue, Mar 22, 2016 at 07:59:24PM + Quoting Jay R. Ashworth 
(j...@baylink.com):
> 
> This seems like a good time to mention my favorite example of such a thing.
> 
> In the Navy, originally, and it ended up in a few other places, there was
> invented the concept of a 'battleshort', or 'battleshunt', depending on whom 
> you're talking to.

I've built one, sort of. In an outdoor broadcasting vehicle. See, in
order to get a working grounding scheme, the PDU in the bus gets to serve
as power source for a lot of things that might find themselves outside,
in climate. 200VDC feeds in triaxial cables to cameras, for instance.
(this was before cameras were connected with singlemode fiber, but
after the era of the multicore "shower handle" connectors) All this
was of course built for some exposure to the elements but not for
drenching. During setup, it was decided to protect people with a GFCI
breaker on the main three-phase bus in the bus[0][1], but once setup,
people were not really supposed to gefingerpoken the thingamaboobs, so
in the interest of reliability a bypass was created for the GFCI breaker.
This had to be built in-house, since no electrical contractor even wanted
to contemplate it. So we did.

/Måns, ex-builder of analog broadcast facilities. 
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
First, I'm going to give you all the ANSWERS to today's test ...  So
just plug in your SONY WALKMANS and relax!!

[0] Pun not intended but carefully kept once discovered. 

[1] This is (continental) Europe, where we are not afraid of 405VAC
three-phase mains. Tesla was European. Edison was born to American 
parents. 


signature.asc
Description: Digital signature


Re: junkmailers take the day off....?

2016-03-20 Thread Måns Nilsson
Subject: Re: junkmailers take the day off? Date: Sun, Mar 20, 2016 at 
01:50:31AM + Quoting Mel Beckman (m...@beckman.org):
> I'm seeing the same thing. Weird. 
> 
> -mel via cell
> 
> > On Mar 19, 2016, at 6:29 PM, Mike <mike-na...@tiedyenetworks.com> wrote:
> > 
> > Hi,
> > 
> >This is not a complaint, but today seems to be a major disturbance in 
> > the force...my junkmail load seems to be WAAA down today, like they all 
> > are out at the beach or something... some major botnet get shutdown or 
> > something???

A large portion of the Swedish newspaper web sites were hit with a fairly
large attack yesterday evening MET, around 1830UTC. Perhaps the keyword is
"retasked". Fwiw, I also saw a decline in my spamcount. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
VICARIOUSLY experience some reason to LIVE!!


signature.asc
Description: Digital signature


Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it

2016-01-28 Thread Måns Nilsson
Subject: Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane 
Electric - and how to solve it Date: Wed, Jan 27, 2016 at 05:36:13PM -0800 
Quoting Owen DeLong (o...@delong.com):
> 
> > On Jan 27, 2016, at 14:43 , Måns Nilsson <mansa...@besserwisser.org> wrote:
> > 
> > Subject: Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane 
> > Electric - and how to solve it Date: Fri, Jan 22, 2016 at 12:28:01PM + 
> > Quoting Brandon Butterworth (bran...@rd.bbc.co.uk):
> > 
> >> tier 1 seems consistent with Cogents refusal.
> > 
> > one does not become a tier 1 by refusing to peer. an actual tier 1 will
> > of course most of the time refuse  settlement-free interconnection with
> > smaller actors to protect their revenue stream, but the traffic volumes
> > and short settlement-free paths to large parts of the Internet are what
> > make them a tier-1.
> 
> I disagree with this last part.
 
So do I, actually. I was just reporting what Tier-1 operators might feel be 
good for business.  Not that I believe that they're right. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
On SECOND thought, maybe I'll heat up some BAKED BEANS and watch REGIS
PHILBIN ...  It's GREAT to be ALIVE!!


signature.asc
Description: Digital signature


Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it

2016-01-27 Thread Måns Nilsson
Subject: Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane 
Electric - and how to solve it Date: Fri, Jan 22, 2016 at 12:28:01PM + 
Quoting Brandon Butterworth (bran...@rd.bbc.co.uk):
 
> tier 1 seems consistent with Cogents refusal.

one does not become a tier 1 by refusing to peer. an actual tier 1 will
of course most of the time refuse  settlement-free interconnection with
smaller actors to protect their revenue stream, but the traffic volumes
and short settlement-free paths to large parts of the Internet are what
make them a tier-1.

do you hear me, medium-sized swedish  isp full of clued people but with
a serious case of peering reality distorsion?

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Can you MAIL a BEAN CAKE?


signature.asc
Description: Digital signature


Re: IGP choice

2015-10-24 Thread Måns Nilsson
Subject: IGP choice Date: Thu, Oct 22, 2015 at 06:57:01PM +0200 Quoting 
marcel.durega...@yahoo.fr (marcel.durega...@yahoo.fr):
> Hi everyone,
> 
> Anybody from Yahoo to share experience on IGP choice ?
> IS-IS vs OSPF, why did you switch from one to the other, for what reason ?
> Same question could apply to other ISP, I'd like to heard some international
> ISP/carriers design choice, please.

We use IS-IS in our network mostly because I was around when a bunch
of NREN switched to IS-IS some 15 years ago, and it stuck. It is, as
has been noted, mostly a matter of preference, but there is one or two
technical arguments for IS-IS that tip the scales for me;

- One IGP for both v6 and v4. Mostly interesting if you are running a
lot of traffic outside VRFen. But nevertheless a good  thing to keep v6
and v4 in sync.

- No leakage. Not many external peers speak IS-IS on their peering
interfaces, so chances are that even if I do, nothing will fall over.
This of course also applies to access interfaces, where my hosts won't 
even have an OSI stack and thus won't try to process the frames. 

The argument for OSPF mostly is that there are several FOSS OSPF dæmons
for Posixly machines, making it a good choice for things like anycast
name servers or similar. We do run it for precisely this setup. 

Do read the presentation Vijay Gill made and that people keep pointing to. 
It is a very good account of how to purge OSPF in favour of IS-IS. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'm also pre-POURED pre-MEDITATED and pre-RAPHAELITE!!


signature.asc
Description: Digital signature


Re: How to wish you hadn't forced ipv6 adoption (was "How to force rapid ipv6 adoption")

2015-10-06 Thread Måns Nilsson
Subject: How to wish you hadn't forced ipv6 adoption (was "How to force rapid 
ipv6 adoption") Date: Thu, Oct 01, 2015 at 11:06:34PM -0400 Quoting Rob McEwen 
(r...@invaluement.com):
> 
> I welcome IPv6 adoption in the near future in all but one area: the sending
> IPs of valid mail servers. Those need to stay IPv4 for as long as reasonably
> possible.
> 

Using the link-level address to distinguish between good and bad email
content was always daunting at best. Thanks for pointing out that this
flawed behaviour must cease.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Why is it that when you DIE, you can't take your HOME ENTERTAINMENT
CENTER with you??


signature.asc
Description: Digital signature


Re: REMINDER: LEAP SECOND

2015-06-19 Thread Måns Nilsson
Subject: REMINDER: LEAP SECOND Date: Fri, Jun 19, 2015 at 01:06:22PM -0400 
Quoting Jay Ashworth (j...@baylink.com):
 The IERS will be adding a second to time again on my birthday; 

This time around there are a number of Vendor C devices that will fail
in spectacular ways if not upgraded with a pretty new release -- Nexus
and ASR1K being the two most interesting among those I've reviewed. 

http://www.cisco.com/web/about/doing_business/leap-second.html#~ProductInformation

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'd like some JUNK FOOD ... and then I want to be ALONE --


signature.asc
Description: Digital signature


Re: Enterprise network as an ISP with a single huge customer

2015-06-13 Thread Måns Nilsson
Subject: Enterprise network as an ISP with a single huge customer Date: Fri, 
Jun 12, 2015 at 08:08:29PM +0300 Quoting Stepan Kucherenko (t...@megagroup.ru):
 Hello,
 
 I'm sure lots of you work for big enterprises, and some of you work
 for biggest of them.
 
 How many of you architect your network as an ISP, with that
 enterprise as the biggest customer ? Office networks in l3vpn,
 VPLS/EVPN on top of your own network for DCI, etc ? Or is it usually
 just a single IGP domain with no unnecessary bells and whistles ?

We do at $dayjob (public service radio station network). We try to stay
away from the TE side of MPLS, but the other knobs are in pretty much use.

A lot of our newer uses for the network are realtime audio in
hi-fi quality. Latency is our enemy, and so we don't do TCP, we skip
retransmits, buffers to be able to wait for a late packet are so short
it rarely matters, etc. That means a lot of prioritisation being done. It
is easier in our isp-type network.
 
As a very distributed company (in meatspace, but at the same time very
unified in infrastructure) we sure need the flexibility. Doing
this on usual VLAN/routing would not fly very well. A lot of the devices
we run aren't really fit for living with other networked devices,
especially those devices fondled by Users. We usually just push them in
another VRF.
 
 Do you think one approach is better than the other ? If so, why ?

I'd love to have a single flat routing domain. But I do not think it
works with the kind of legacy stuff (some of it brand new...) we run.

 I understand that it usually comes down to specific circumstances
 and most likely scale but I'd still love to hear about your
 experience.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Concentrate on th'cute, li'l CARTOON GUYS!  Remember the SERIAL
NUMBERS!!  Follow the WHIPPLE AVE. EXIT!!  Have a FREE PEPSI!!  Turn
LEFT at th'HOLIDAY INN!!  JOIN the CREDIT WORLD!!  MAKE me an OFFER!!!


signature.asc
Description: Digital signature


Re: most accurate geo-IP source to build country-based access lists

2015-06-08 Thread Måns Nilsson
Subject: most accurate geo-IP source to build country-based access lists Date: 
Mon, Jun 08, 2015 at 05:11:15PM +0300 Quoting Martin T (m4rtn...@gmail.com):
 
 
 Are there any other possibilities to geolocate IPv4 addresses with
 higher accuracy?

There are three levels of untruth: (in increasing order of falseness)

1. No, mom, I did not eat the pie.

2. There are no Russian soldiers in Crimea

3. IP Geolocation

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
GOOD-NIGHT, everybody ... Now I have to go administer FIRST-AID to my
pet LEISURE SUIT!!


signature.asc
Description: Digital signature


Re: AWS Elastic IP architecture

2015-06-04 Thread Måns Nilsson
Subject: Re: AWS Elastic IP architecture Date: Thu, Jun 04, 2015 at 01:16:03PM 
-0400 Quoting Christopher Morrow (morrowc.li...@gmail.com):
 On Thu, Jun 4, 2015 at 5:11 AM, Owen DeLong o...@delong.com wrote:
  I’d argue that SSH is several thousand, not a few hundred. In any case, I 
  suppose you can make the argument that only a few people are trying to 
  access their home network resources remotely other than via some sort of 
  proxy/rendezvous service. However, I would argue that such services exist 
  solely to provide a workaround for the deficiencies in the network 
  introduced by NAT. Get rid of the stupid NAT and you no longer need such 
  services.
 
 This is an interesting argument/point, but if you remove the rendevous
 service then how do you find the thing in your house? now the user has
 to manage DNS, or the service in question has to manage a dns entry
 for the customer, right?

Or something.
 
 you'll be moving the (some of the) pain from 'nat' to 'dns' (or more
 generally naming and identification). I think though that in a better
 world, a service related to the thing you want to prod from outside
 would manage this stuff for you.

Possibly. 

 It's important (I think) to not simplify the discussion as: Oh, with
 ipv6 magic happens! because there are still problems and design
 things to overcome even with unhindered end-to-end connectivity.

You have successfully demonstrated that users will need some locating
service. More so with the cure-all IPv6; because remembering hex is hard
for People(tm).

You have, however, not shown that all the possible ways of building a
locating service that become available once the end-points are uniquely
reachable (and thus, as long as we're OK with finding just the right host,
identifyable) present an equal level of suckage.

I believe that while the work indeed can be daunting for a sufficiently
pessimal selection of users, the situation so improves (if we look at
simplicity of protocol design and resulting fragility) when the end-points
can ignore any middleboxes that the net result, measured as inconvenicence
imposed on a standard End User, will improve.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Why is everything made of Lycra Spandex?


signature.asc
Description: Digital signature


Re: BGP in the Washngton Post

2015-06-01 Thread Måns Nilsson
Subject: BGP in the Washngton Post Date: Mon, Jun 01, 2015 at 09:24:33AM -0400 
Quoting William Herrin (b...@herrin.us):
 Interesting story about BGP and security in the Washington Post today:
 
 http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/

sort of dissappointed they did not quote randy using only lower case. looks 
weird. once past that, good comment. 
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Isn't this my STOP?!


signature.asc
Description: Digital signature


Re: Verizon Policy Statement on Net Neutrality

2015-03-01 Thread Måns Nilsson
Subject: Re: Verizon Policy Statement on Net Neutrality Date: Fri, Feb 27, 2015 
at 05:25:41PM -0600 Quoting Jack Bates (jba...@paradoxnetworks.net):
 On 2/27/2015 5:09 PM, Måns Nilsson wrote:
 What people want, at least once thay have tasted it, is optical
 last mile. And not that PON shit. The real stuff or bust.
 
 Yeah. Then they complain when a tornado wipes out their power and
 they can't make a phone call.

Given the state of the partially deregulated phone system and people
tending to depend on DECT phones, that is a non-dividing issue, in a
lot of cases. Me, I keep a landline with a rotary phone.
 
 It's hard to get DSL in some places in the country. Fiber? ha!

The current state of the affairs in rural / semi-rural USA is not the
standard we should strive for. Focusing too hard on the limitations
appearing as inherent to the casual observer will choke developement.
We can look at that techno-echonomical situation and use it as a starting
point, but nothing else.

(were I more of an entreprenour I'd look at no DSL available as a
 golden opportunity to get lots of fibre customers. Not replacing
 copper but augmenting it also solves the distress problem. That or a
 12V battery to power the Ethernet converter and the ATA Box.)

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Well, I'm a classic ANAL RETENTIVE!!  And I'm looking for a way to
VICARIOUSLY experience some reason to LIVE!!


signature.asc
Description: Digital signature


Re: Verizon Policy Statement on Net Neutrality

2015-02-27 Thread Måns Nilsson
Subject: Re: Verizon Policy Statement on Net Neutrality Date: Fri, Feb 27, 2015 
at 01:49:04PM -0600 Quoting Jack Bates (jba...@paradoxnetworks.net):

snip 

  Ideally, I suspect that most people would prefer a more
 variable approach, allowing for the complete frequency spectrum for
 upload and download and any combination in between.
 
What people want, at least once thay have tasted it, is optical last
mile. And not that PON shit. The real stuff or bust.

 Let's be honest, it would be nice to utilize wasted download
 frequency to send something quicker. 

Any access technology with less than 1Gbit symmetrical bandwidth is
20th century. Doing greenfield with that is plainly stupid. There 
is business to be made from smaller upgrades to copper that is in place,
but as soon as you dig (or set new poles in the ground), fiber is the
only real alternative.
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I like your SNOOPY POSTER!!


signature.asc
Description: Digital signature


Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment

2015-02-23 Thread Måns Nilsson
Subject: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment 
Date: Mon, Feb 23, 2015 at 10:02:44AM -0500 Quoting Eric Germann 
(ekgerm...@cctec.com):
 Currently engaged on a project where they’re building out a VPC 
 infrastructure for hosted applications.

snip

 Thoughts and thanks in advance.

using the wasted /10 for this is pretty much equal to using RFC1918 space. 

IPv6 was invented to do this right. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
It's NO USE ... I've gone to CLUB MED!!


signature.asc
Description: Digital signature


Re: v6 deagg

2015-02-21 Thread Måns Nilsson
Subject: Re: v6 deagg Date: Sat, Feb 21, 2015 at 01:48:48PM +0100 Quoting 
Sander Steffann (san...@steffann.nl):

  However, apparently there is no such process or intention available
  from the RIR in question (RIPE), short of explicitly asking for that
  specific prefix.
 
 So you asked to grow the /48 to a /47? Was it accepted? Or did you want the 
 RIR to automatically grow your first assignment when you request a second one 
 without you having to ask?

So far have just discussed it with my LIR, but will reinit this. 
 
  Of course this does not help every case, but supporting aggregation
  where possible certainly ought to be in-scope for most policy-making
  bodies in this area.
 
 Then please take this to the appropriate policy-making body: 
 address-policy...@ripe.net :-)

Considering this as well. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
... this must be what it's like to be a COLLEGE GRADUATE!!


signature.asc
Description: Digital signature


Re: v6 deagg

2015-02-21 Thread Måns Nilsson
Subject: Re: v6 deagg Date: Fri, Feb 20, 2015 at 10:42:03AM +0100 Quoting 
Mikael Abrahamsson (swm...@swm.pp.se):
 
 From a technical point of view, I have little interest in my router
 handling the fact that an office at the other side of the planet
 shut down their router, and learning this via DFZ.

I'm working at one of those organisations who have a /48 and am announcing
it into DFZ. We have a situation where I might have another site with
separate connectivity to the DFZ (but there is internal networking)
which would entitle me to another /48 according to RIR rules. 

I did ask my LIR whether there is any thought given to the possibility of
getting the next higher prefix, thus creating a /47. They did understand
the why perfectly well, of course.

However, apparently there is no such process or intention available
from the RIR in question (RIPE), short of explicitly asking for that
specific prefix.

Of course this does not help every case, but supporting aggregation
where possible certainly ought to be in-scope for most policy-making
bodies in this area.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'm wearing PAMPERS!!


signature.asc
Description: Digital signature


Re: draft-ietf-mpls-ldp-ipv6-16

2015-02-19 Thread Måns Nilsson
Subject: draft-ietf-mpls-ldp-ipv6-16 Date: Thu, Feb 19, 2015 at 11:06:40AM 
-0500 Quoting Tim Durack (tdur...@gmail.com):
 I notice draft-ietf-mpls-ldp-ipv6-16 was posted February 11, 2015.
 
 What is the chance of getting working code this decade? I would quite like
 to play with this new fangled IPv6 widget...
 
 (Okay, I'd like to stop using IPv4 for infrastructure. LDP is the last
 piece for me.)

One of the vendors has promised v6 ldp this year (as in 2015). Given
the interesting bugs that surfaced when we tried a couple years ago,
well, I'm at least breathing shallowly.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'm having a BIG BANG THEORY!!


signature.asc
Description: Digital signature


Re: How our young colleagues are being educated....

2014-12-26 Thread Måns Nilsson
Subject: Re: How our young colleagues are being educated Date: Fri, Dec 26, 
2014 at 02:56:40AM -0500 Quoting William Herrin (b...@herrin.us):
 
 In the real world you often assign a /32 to a loopback address on each
 router and make all of the serial interfaces borrow that address (ip
 unnumbered in Cisco parlance) which wastes no addresses.

Why would you want to waste 79228162514264337593543950336 addresses on a 
loopback? 

More seriously, why does this discussion only briefly mention IPv6? Every
client comes with it (aggressvely) enabled -- it is there despite the
fat / happy parts of the networking community sitting on their legacy
space and laughing at Asia.

I've had, as mentioned earlier, a cisco graduate as intern and then
colleague for a year now. He's a fast learner, and that was needed. No
v6. Not much MPLS. No ISIS. Barely eBGP. No iBGP, especially not in
conjunction with a link-state IGP. Lots of RIP, Flame Delay and EIGRP. 

There are two problems; 

* The academic community is either outdated or married to a
  vendor-specific course -- and that marriage is not very 
  academic, IMNSHO. Academia must be vendor agnostic.

* The vendor courses are too enterprisey, and an outdated 
  enterprise at that. There is no course in running a 
  sensible chunk of the Internet. 

And this in a world where the largest innovation the last 5 years is
abstraction (as in virtualisation and to some extent SDN). Not in 
protocols. Should be reasonably easy to keep up.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
So this is what it feels like to be potato salad


signature.asc
Description: Digital signature


Re: How our young colleagues are being educated....

2014-12-25 Thread Måns Nilsson
Subject: Re: How our young colleagues are being educated Date: Wed, Dec 24, 
2014 at 11:40:48AM -0500 Quoting Scott Morris (s...@emanon.com):
 
 Now, as a side, one problem that I often have with various academic-based
 courses is that the people who teach them often don¹t have enough
 real-world experience (or not current anyway) in order to pass along any
 benefit in that matter.  There are many things that need to be addressed
 at this level within the higher-education arena, and I¹m sure it¹s not
 just related to networking subjects!

When I did teaching, it was as an employee hired to do network ops
first and academic stuff a definite second. I'm still not qualified
to even apply to the courses I taught, but I did get nice evaluations;
simply because what we taught was very connected to the NREN we ran. Thus
we could pick examples from Actual Reality and make the binary - hex
conversions relevant. 

I'm thinking that network operations and design today is a field much
like workshop toolroom knowledge was back before CAD/CAM; there is a
solid and long scientific backing to what is done, in materials science,
maths, etc; the machines used are products from elevated precision
and experience centres, but still, you can't get them to do anything
useful without a well balanced theoretical background coupled to solid
hands-on experience. The rookie and the engineer from the construction
dept. will both need training to be useful and non-lethal in that
environment, even if the engineer can design a successful lathe. 

The rôle of network courses in academia, then, is a lot like looking out
for the programmer with the soldering iron. People who know how things
ought to work in theory are quite likely to be dangerous in practice. (and
don't get me started on studio sound engineers in live sound...)

It might be though, that I've simply been watching Keith Fenner on
Youtube too many late nights. (That is a recommendation, btw.)
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Uh-oh!!  I forgot to submit to COMPULSORY URINALYSIS!


signature.asc
Description: Digital signature


Re: How our young colleagues are being educated....

2014-12-22 Thread Måns Nilsson
Subject: How our young colleagues are being educated Date: Mon, Dec 22, 
2014 at 04:13:42AM -0500 Quoting Javier J (jav...@advancedmachines.us):
 Dear NANOG Members,
 
 It has come to my attention, that higher learning institutions in North
 America are doing our young future colleagues a disservice.

Yes. Although, as long as they don't teach people that _every_ router
does NAT, we'll be fine.
 
 Are colleges teaching what an RFC is? Are colleges teaching what IPv6 is?

At the university I taught, yes.  But that is in Europe, on the Royal
Institute of Technology in Stockholm, Sweden, for 3rd year in a MsC
programme in EE, Physics or CS. I am seeing similar cluelessness at
smaller proto-universities in Sweden, where they have bought a branded
course. Lots of Flame Delay. And EIGRP. Branded course. Our trainee that
came out of that did prove to be highly trainable, though.
 
 What about unicast and multicast? I confirmed with one student half way
 through their studies that they were not properly taught how DNS works, and
 had no clue what the term “root servers” meant.

Multicast, check. 
DNS, check. 

 Am I crazy? Am I ranting? Doesn't this need to be addressed? …..and if not
 by us, then by whom? How can we fix this?

People who enter academentia in networking, especially to teach at
rural colleges, tend to freeze in time and stick to whatever fad was
in when they were young. Especially ATM is popular, since it has,
for all its uselessness, a nice theoretical undercarriage and stands
on the shoulders of decades of telco style Warum einfach wenns auch
kompliziert geht? (you will have to translate that yourself, it's German
and describes engineering well)

In Sweden, universities (where tuition is 0 for all citizens and can be
made 0 for all citizens of the EU) the universities have a third task
besides undergraduate production and research, and that is to interact
with greater society. The key to good education that fulfils the needs
of society is to ensure the interaction is two-way. Each course, get a 
industry lecturer in for at least one lecture. This, if chosen well, will
make it impossible to teach Flame Delay in 2014. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
We have DIFFERENT amounts of HAIR --


signature.asc
Description: Digital signature


Re: Phasing out of telco TDM Backbones (was: Phasing out of copper)

2014-11-30 Thread Måns Nilsson
Subject: Phasing out of telco TDM Backbones (was: Phasing out of copper) Date: 
Sun, Nov 30, 2014 at 12:09:40AM -0500 Quoting Jay Ashworth (j...@baylink.com):
 - Original Message -
  From: Måns Nilsson mansa...@besserwisser.org
 
  Maintaining copper plant is expensive. It will be retired as soon as
  buy-in on FTTH is high enough. Telia Sonera is doing it in Sweden,
  so the trend is global. (OTOH, in Sweden, young people moving out from
  their parents, if they can find somewhere to rent, usually only get a
  fixed connection for Internet access. Telephony is all mobile.)
 
 Absolutely: maintaining analog copper last-mile is expensive.
 
 But let us not conflate being ok with telcos replacing analog copper last-mile
 with being ok with telcos replacing PCM with VoIP, especially in trunking
 applications, and *especially* using non-dedicated backbones, as these are the
 directions the RBOCs appear to be going in, and those are much less acceptable
 ideas than the former.

Sadly enough, those man-centuries need to be reread in the light of the
fact that today, you can not buy most of those connections anymore. Voice
circuits are almost entirely trunked on IP; and the telcos fight to
decommission the carrier formats.

From 2014-12-31, you can't keep your 128kbit ISDN anymore in Sweden. This
is a big issue for me, since I work with radio broadcasting. There,
128kbit ISDN is a very common way to do remote broadcasting from
sports or similar events. We've been frantically buying and building
a new network to replace these circuits, and have built a quite nice
system on top of IP. The old ISDN codec phones (essentially small pro
mixer + A/D converter + MPEG codec + ISDN terminal) are being replaced
by similar-looking specialised SIP phones sporting much higher sound
quality. If the network permits (and, on those sites where we expect
to do live music, it does permit so) we can do 48KHz 24bit uncompressed
stereo  -- which is around 2,6 Mbit without protection by FEC.

Since the voice circuit is mostly being replaced by the Skype/FaceTime
call, this is not only a special observation; it is, I believe, a general
case. 

Our challenge thus lies not in preserving circuit-switching,
but instead in building an open, standards-based voice infrastructure
on top of IP. Viewed in that light, Skype and FaceTime are failures. I'm
not certain their owners see it that way.

/Måns, who *really* would like to have STM-64 frames instead of TenGig
   Ethernet for his long lines. Switched Ethernet is herded chaos. 
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
ANN JILLIAN'S HAIR makes LONI ANDERSON'S HAIR look like RICARDO
MONTALBAN'S HAIR!


signature.asc
Description: Digital signature


Re: Phasing out of copper

2014-11-29 Thread Måns Nilsson
Subject: Phasing out of copper Date: Fri, Nov 28, 2014 at 10:46:03AM -0500 
Quoting Jean-Francois Mezei (jfmezei_na...@vaxination.ca):
 Currently in the midst of a CRTC policy hearing in Canada on future of
 competition in ISPs.
 
 Incumbents claim they have no plans to retire their copper plant after
 deploying FTTP/FTTH.  (strategically to convince regulator that keeping
 ISPs on copper is fine and no need to let them access FTTP).

Maintaining copper plant is expensive. It will be retired as soon as
buy-in on FTTH is high enough. Telia Sonera is doing it in Sweden,
so the trend is global. (OTOH, in Sweden, young people moving out from
their parents, if they can find somewhere to rent, usually only get a
fixed connection for Internet access. Telephony is all mobile.)

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Four thousand different MAGNATES, MOGULS  NABOBS are romping in my
gothic solarium!!


signature.asc
Description: Digital signature


Re: Linux: concerns over systemd adoption and Debian's decision to switch

2014-10-22 Thread Måns Nilsson
Subject: Re: Linux: concerns over systemd adoption and Debian's decision to 
switch Date: Tue, Oct 21, 2014 at 01:44:17PM -0700 Quoting Eric 
Brunner-Williams (brun...@nic-naa.net):
 systemd is insanity.
 
 see also smit.

(assumption, we're talking about AIX smit here) 

smit is transparent, comprehensible and automatable, not to mention
bypass-able. My wife, who is running an impressive AIX farm at her place
of work, tells me that (and I've done it myself) F4 is the key to escape.

systemd is hellspawn crap compared to this. I'm really concerned
because I run complicated process control software on Linux and this
software is shipped by Vendors who believe in if there is a support
contract for the OS, all is well fairy tales. This leaves you having
to buy DeadRat licenses, unless you can convince them that Centos is
functionally equivalent.

Time to ask for BSD ports, I think. Linux will be unusable very soon. 
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
WHOA!!  Ken and Barbie are having TOO MUCH FUN!!  It must be the
NEGATIVE IONS!!


signature.asc
Description: Digital signature


Re: IPv6 Default Allocation - What size allocation for Loopback Address

2014-10-11 Thread Måns Nilsson
Subject: Re: IPv6 Default Allocation - What size allocation for Loopback 
Address Date: Sat, Oct 11, 2014 at 05:41:43AM + Quoting Faisal Imtiaz 
(fai...@snappytelecom.net):
 A follow up question on this topic..
 
 For Router Loopback Address  what is wisdom in allocating a /64 vs /128 ?
 (the BCOP document suggests this, but does not offer any explanation or 
 merits of one over the other).

I use a /128 -- these addresses are going to be used de-aggregated in
the IGP only; outside they are part of your aggregated allocation. Then
again; I'm using /127 on links. Just because it is a tad easier to do
dual-stack on the scripts that build the config. And, I get to have all
my links in 2001:0db8:f00:feed:dada::/80 :-)

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'm thinking about DIGITAL READ-OUT systems and computer-generated
IMAGE FORMATIONS ...


signature.asc
Description: Digital signature


Re: Scotland ccTLD?

2014-09-16 Thread Måns Nilsson
Subject: Re: Scotland ccTLD? Date: Tue, Sep 16, 2014 at 10:09:27AM -0700 
Quoting Doug Barton (do...@dougbarton.us):
 
 A better question is why is SU still in the root?

Since the rebels in eastern Ukraine have been reported to call their
intimidation police НКВД[0] I suppose the rest of the apparat that
was Soviet Union will return shortly.  Better keep SU in the root just
in case.

On a more on-topic note, there are several domains still in use under SU. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
The entire CHINESE WOMEN'S VOLLEYBALL TEAM all share ONE personality --
and have since BIRTH!!

[0] https://en.wikipedia.org/wiki/Donetsk_People's_Republic#Sectarian_attacks


signature.asc
Description: Digital signature


Re: So Philip Smith / Geoff Huston's CIDR report becomes worth a good hard look today

2014-08-14 Thread Måns Nilsson
Subject: Re: So Philip Smith / Geoff Huston's CIDR report becomes worth a good 
hard look today Date: Wed, Aug 13, 2014 at 11:27:46AM -0700 Quoting Merike Kaeo 
(mer...@doubleshotsecurity.com):
 
  B: they *did* know about the issue, but convincing management to spend
  the cash to buy hardware that doesn't suck was hard, because
  everything is working fine at the moment -- some folk needed things
  to fail spectacularity to be able to justify shelling out the $$$ (
  yes, they could recard the TCAM, but they are using this as an excuse
  to get some real gear)…
 
 Oh yeah, I'd bet this is also the case.  Just like in 'security' related 
 issues….

This is why test crash was introduced. 

http://markmail.org/message/tu46ecy272o3stvp

/Måns, just rebooted. (with a new carving already configured) 
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Thousands of days of civilians ... have produced a ... feeling for the
aesthetic modules --


signature.asc
Description: Digital signature


Re: So Philip Smith / Geoff Huston's CIDR report becomes worth a good hard look today

2014-08-13 Thread Måns Nilsson
Subject: So Philip Smith / Geoff Huston's CIDR report becomes worth a good hard 
look today Date: Tue, Aug 12, 2014 at 09:40:55PM +0530 Quoting Suresh 
Ramasubramanian (ops.li...@gmail.com):
 512K routes, here we come.  Lots of TCAM based routers suddenly become
 really expensive doorstops.

We had a planned outage yesterday 2300 UTC to perform the operation Hank
mentions. Alas, around 0850UTC the table went critical and we had to
do an emergency reboot. Well, the good part is that all 10G line cards
survived, and we're back in operation. The new routers are bought or
in the investment plan for this year. Just need to wait until it's time
for our vendors fiscal year end race...

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Am I accompanied by a PARENT or GUARDIAN?


signature.asc
Description: Digital signature


Re: Muni Fiber and Politics

2014-08-03 Thread Måns Nilsson
Subject: Re: Muni Fiber and Politics Date: Sun, Aug 03, 2014 at 05:11:09AM 
+0200 Quoting Mark Tinka (mark.ti...@seacom.mu):
 On Sunday, August 03, 2014 01:31:17 AM Måns Nilsson wrote:
 
  Oh, yes, there is. Multicast? IPv6? Both CAN be done, but
  probably won't.
 
 I'm talking about the opportunities large bandwidth 
 presents, non-technical issues aside.
 
 Certainly, IPv6 and Multicast have a place on a 1Gbps link 
 into the customer's home.
 
 Unless I misunderstand what you're trying to say...

My point is that involving active electronics on a link lease may limit
the ways that link can be used and that there is a very high probability
-- guesstimated from current unbundling infrastructure landscape --
that there will be severe constraints in services possible to provide
if you as provider aren't lighting the path yourself.

The constraints multiply with every OSI layer that is included in the
unbundling offer, of course.

A typical Swedish example is the solution with a communications
operator -- a separate entity that owns and operates a layer
2 environment over which several different providers can sell IP
connectivity. In most, if not all, cases in Sweden, the provisioning
and management systems installed simply do not have any idea of an IPv6
address. Shortsighted? Yes, but driven by bad decisions and market needs
NOW. (FSVO NOW that is embarrasingly recent...)  A PITA to upgrade? Yes,
of course, and the incentives aren't there, because the communications
operator is a monopoly, so if you want to sell connections, you have to
use them.

The limits imposed on unbundled infrastructure are at the core 100%
business-related; and as long as they are present, there must be regulated
access to passive infrastructure, perhaps even including things like
ducting/manholes/etc.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'm shaving!!  I'M SHAVING!!


signature.asc
Description: Digital signature


Re: Muni Fiber and Politics

2014-08-02 Thread Måns Nilsson
Subject: Re: Muni Fiber and Politics Date: Fri, Aug 01, 2014 at 07:40:50AM 
+0200 Quoting Mark Tinka (mark.ti...@seacom.mu):
 On Thursday, July 31, 2014 02:01:28 PM Måns Nilsson wrote:
 
  It is better, both for the customer and the provider.
 
 If the provider is able to deliver 1Gbps to every home 
 (either on copper or fibre) with little to no uplink 
 oversubscription (think 44x customer-facing Gig-E ports + 4x 
 10Gbps uplink ports), essentially, there is no limit to what 
 services a provider and its partners can offer to its 
 customers.

Oh, yes, there is. Multicast? IPv6? Both CAN be done, but probably
won't. Dark fibre to CO is the only way to be sure. As long as that is
possible, perhaps mandated by regulation, there's no major issue with
providing a packaged service.

In the end, though, if we get the quality of Internet access up to
sensible levels (today minimum of a /56 and 100Mbit symmetric and no
stupid peering wars ;-) there are few reasons not to bundle L1-L3. 

However, given the nature of monopolies and their tendency to underperform
and overcharge, that is an optimisation dream...

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Hello.  Just walk along and try NOT to think about your INTESTINES
being almost FORTY YARDS LONG!!


signature.asc
Description: Digital signature


Re: Muni Fiber and Politics

2014-07-31 Thread Måns Nilsson
Subject: Re: Muni Fiber and Politics Date: Wed, Jul 30, 2014 at 06:56:40PM 
-0500 Quoting Leo Bicknell (bickn...@ufp.org):
 
 On Jul 30, 2014, at 1:47 AM, Mark Tinka mark.ti...@seacom.mu wrote:
 
  Symmetrical would be tough to do unless you're doing Active-
  E.
 
 I'm an outlier in my thinking, but I believe the best world would be
 where the muni offered L1 fiber, and leased access to it on a 
 non-discrimatory basis.  That would necessitate an Active-E solution
 since L1 would not have things like GPON splitters in it, but it 
 enables things like buying a dark fiber pair from your home to
 your business, and lighting it with your own optics.  That to me is
 a huge win.
 
 It also means future upgrades are unencumbered.  Want to run 10GE?
 100GE?  50x100GE WDM?  Please do.  You leased a dark fiber.  If the
 muni has gear (even just splitters) in the path they will gatekeeper
 upgrades.
 
 It may be a smidge more expensive up front, but in the long run I
 think it will be cheaper, more reliable, and most importantly hugely
 more flexible.

GPON is basically unheard of in Sweden. All fiber access is either
copper to a switch in the basement/similar in multi-tenant houses or
direct pairs to CO. Some middle solutions exist where there's a rugged
switch in a pole or roadside cabinet, but they are exceptions. I think
the Amsterdam buildout is similar.

It is better, both for the customer and the provider. The only loser
is a potential third party acting as comms provider on L1, possibly L2.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
DON'T go!!  I'm not HOWARD COSELL!!  I know POLISH JOKES ... WAIT!!
Don't go!!  I AM Howard Cosell! ... And I DON'T know Polish jokes!!


signature.asc
Description: Digital signature


Re: Shared Transition Space VS. BGP Next Hop [was: Re: Best practices IPv4/IPv6 BGP (dual stack)]

2014-05-03 Thread Måns Nilsson
Subject: Shared Transition Space VS. BGP Next Hop [was: Re: Best practices 
IPv4/IPv6 BGP (dual stack)] Date: Fri, May 02, 2014 at 03:58:42PM -0600 Quoting 
Chris Grundemann (cgrundem...@gmail.com):

 Would you expound a bit on what you mean here? I don't quite follow but I
 am very interested to understand the issue.

The fact that you need v4 space to build a MPLS backbone is a very good
reason to not waste a /10 on CGN crap. 

Ideally, we would have a solution where an entire MPLS infrastructure
could be built without v4 space, demoting v4 to a legacy application
inside a VRF, but the MPLS standards wg seems content with status quo.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I wish I was a sex-starved manicurist found dead in the Bronx!!


signature.asc
Description: Digital signature


Re: Best practices IPv4/IPv6 BGP (dual stack)

2014-05-02 Thread Måns Nilsson
Subject: Best practices IPv4/IPv6 BGP (dual stack) Date: Fri, May 02, 2014 at 
07:44:33PM + Quoting Deepak Jain (dee...@ai.net):
 
 Between peering routers on a dual-stacked network, is it considered best 
 practices to have two BGP sessions (one for v4 and one for v6) between them? 
 Or is it better to put v4 in the v6 session or v6 in the v4 session?

Like others, yes, two sessions, v6 over v6 and v4 over v4. only the native AF 
is active. 
 
 According to docs, obviously all of these are supported and if both sides are 
 dual stacked, even the next-hops don't need to be overwritten.

It works, but might produce interesting side effects. I've had to resort
to it when peering between different IOS versions; but that might have
been the result of fat-fingering as well.

 Is there any community-approach to best practices here? Any FIB weirdness 
 (e.g. IPv4 routes suddenly start sucking up IPv6 TCAM space, etc)  that 
 results with one solution over the other?

If having MPLS bgp peers over v6 carrying vpnv4 routes all sorts of
strange things can happen. There is no standard for it; so one should
not expect it to work. But the failure modes are interesting; I've had
the next-hop for a v6-carried vpnv4 peering be the first 32 bits of the
v6 next-hop, interpreted as a v4 address.. It only works if there is a
v4 route to that made-up address.

This is a field where v4 next-hops are essential to make things
work. rantIn that context, allocating 100.64.0.0/10 to CGN was
especially un-clever... /rant

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Xerox your lunch and file it under sex offenders!


signature.asc
Description: Digital signature


Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-31 Thread Måns Nilsson
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Mon, Mar 
31, 2014 at 12:17:19AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net):
 On Mar 30, 2014, at 16:40 , Måns Nilsson mansa...@besserwisser.org wrote:
  Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, 
  Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore 
  (patr...@ianai.net):
  On Mar 29, 2014, at 3:15, Måns Nilsson mansa...@besserwisser.org wrote:
  Quoting John R. Levine (jo...@iecc.com):
  Ergo, ad hominem. Please quit doing that.
  As a side note I happen to run my own mail server without spam filters
  -- it works for me. I might not be the norm, but then again, is there
  really a norm? (A norm that transcends SMTP RFC reach, that is --
  
  I know a lot of people who run a lot of mail systems, and let's just
  say you're so far out in the long tail we need a telescope to see
  you.
  
  I will not debate with people who resort to humiliation techniques
  when questioned.
  
  I will not argue whether you were humiliated as that is something only you 
  can decide.
  
  The puny attempt at master suppression technique[0]  was identified
  as such and countermeasures were launched. No damage done.
 
 I was serious. Your reaction .. well, I shouldn't say anything more lest you 
 call me puny again. (What were you saying about humiliation techniques? Glad 
 to see you would never be hypocritical.)
 
My apologies. I was not refering to your statement -- if that was not
clear I should most certainly have written more clearly.
 
  However, John was still factually correct. No big deal, lots of people are 
  humiliated by facts. Although I admit I didn't find the quote above 
  terribly humiliating myself. 
  
  You have a point. Further, I do not debate the truth in the statement. My
  personal email system IS small -- I did even state that -- but that does
  not mean I do not run larger systems for others, nor does it mean that
  the general public should dismiss my ideas and only listen to people
  who brag about their acquaintances.  There are other much more compelling
  reasons not to do as I say. 
 
 You misunderstand. Or perhaps I did?
 
 I read John's statement to be in reference to your stance, i.e. running 
 without spam filters. Not that your server is small.

I read you handle no big amount of e-mail and I know people who do and
therefore you should STFU and not bother us with your silly ideas about
following standards in Johns message, and while that might seen like
one of many interpretations of what was written, it is an interpretation
I hope to be not so far out on the insulted fringe so as to be silly.
 
 John can clarify if he likes. But either way, running without spam filters is 
 beyond unusual these days.

Indeed. 
 
 My personal server is run with very few filters, all of which REJECT or 
 accept and send to a box I read. I have no spam folder. So while I am not 
 as far down the tail as you are, I am definitely out of the mainstream. The 
 only reason I mention that is so you don't go researching for another reason 
 to identify my comments as anything except exactly what they say.

Oh, I'm not hoping to pick a fight. Bad move to pick fights with people
that function as mediators.
 
  Also, realize that John has already done more to stop spam in his career 
  then you and your thousand closest friends ever will. (E.g. Look up 
  abuse.net.) Again not humiliation, just a fact.
  
  Feel free to plonk me as well. I won't be humiliated. :-)
  
  I won't. There is a clear divide between politely pointing out facts
  and abusing facts to tell people that their opinion does not matter.
  
  And, for the record, I do not support spamming in any form. But the
  mitigation techniques MUST NOT impose undue constraints on the legitimate
  use of e-mail, even when it is not vetted by passing it through big
  insecure monitored US webmail providers.
 
 I like your use of MUST.
 
 However, I think you'll find your definition of undue and most of the rest 
 of the Internet's is vastly different.

I'm fully aware of that. The clear separation between network and
application that is at the core of IP is easily compromised by the
best intentions.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I selected E5 ... but I didn't hear Sam the Sham and the Pharoahs!


signature.asc
Description: Digital signature


Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-30 Thread Måns Nilsson
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 
29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patr...@ianai.net):
 Composed on a virtual keyboard, please forgive typos. 
 
  On Mar 29, 2014, at 3:15, Måns Nilsson mansa...@besserwisser.org wrote:
  Quoting John R. Levine (jo...@iecc.com):
  Ergo, ad hominem. Please quit doing that.
  As a side note I happen to run my own mail server without spam filters
  -- it works for me. I might not be the norm, but then again, is there
  really a norm? (A norm that transcends SMTP RFC reach, that is --
  
  I know a lot of people who run a lot of mail systems, and let's just
  say you're so far out in the long tail we need a telescope to see
  you.
  
  I will not debate with people who resort to humiliation techniques
  when questioned.
 
 I will not argue whether you were humiliated as that is something only you 
 can decide.

The puny attempt at master suppression technique[0]  was identified
as such and countermeasures were launched. No damage done.
 
 However, John was still factually correct. No big deal, lots of people are 
 humiliated by facts. Although I admit I didn't find the quote above terribly 
 humiliating myself. 

You have a point. Further, I do not debate the truth in the statement. My
personal email system IS small -- I did even state that -- but that does
not mean I do not run larger systems for others, nor does it mean that
the general public should dismiss my ideas and only listen to people
who brag about their acquaintances.  There are other much more compelling
reasons not to do as I say. 

 Also, realize that John has already done more to stop spam in his career then 
 you and your thousand closest friends ever will. (E.g. Look up abuse.net.) 
 Again not humiliation, just a fact.
 
 Feel free to plonk me as well. I won't be humiliated. :-)

I won't. There is a clear divide between politely pointing out facts
and abusing facts to tell people that their opinion does not matter.

And, for the record, I do not support spamming in any form. But the
mitigation techniques MUST NOT impose undue constraints on the legitimate
use of e-mail, even when it is not vetted by passing it through big
insecure monitored US webmail providers.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Vote for ME -- I'm well-tapered, half-cocked, ill-conceived and TAX-DEFERRED!

[0] http://en.wikipedia.org/wiki/Master_suppression_techniques


signature.asc
Description: Digital signature


Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-29 Thread Måns Nilsson
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Thu, Mar 
27, 2014 at 10:32:42AM -0400 Quoting John R. Levine (jo...@iecc.com):
 Ergo, ad hominem. Please quit doing that.
 As a side note I happen to run my own mail server without spam filters
 -- it works for me. I might not be the norm, but then again, is there
 really a norm? (A norm that transcends SMTP RFC reach, that is --
 
 I know a lot of people who run a lot of mail systems, and let's just
 say you're so far out in the long tail we need a telescope to see
 you.

I will not debate with people who resort to humiliation techniques
when questioned.

PLONK

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I feel like a wet parking meter on Darvon!


signature.asc
Description: Digital signature


Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-27 Thread Måns Nilsson
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Wed, Mar 
26, 2014 at 03:35:48PM -0400 Quoting John R. Levine (jo...@iecc.com):
 It must be nice to live in world where there is so little spam and
 other mail abuse that you don't have to do any of the anti-abuse
 things that real providers in the real world have to do.
 
 What is a real provider? And what in the email specifications tells us
 that the email needs and solutions of any one individual, as long as they
 are following protocol (which I'm quite convinced Mark is) are unreal?
 
 A real provider is one that provides mail for real users, as opposed
 to someone who plays RFC language lawyer games.  I only have a few
 dozen users, but I can assure you I use a whole lot of different
 filtering approaches including DNSBLs to keep my users' mailboxes
 usable.

Ergo, ad hominem. Please quit doing that. 
As a side note I happen to run my own mail server without spam filters
-- it works for me. I might not be the norm, but then again, is there
really a norm? (A norm that transcends SMTP RFC reach, that is -- the
necessity to stick to protocol is not under debate)
 
 I must say it's pretty amusing that someone who works for the
 organization that published the original DNSBL seems to be ranting
 against them.

The ability to change ones mind when circumstances change is usually
seen as advantageous. Why not here?

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
This is a NO-FRILLS flight -- hold th' CANADIAN BACON!!


signature.asc
Description: Digital signature


Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-26 Thread Måns Nilsson
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Tue, Mar 
25, 2014 at 10:45:00PM -0400 Quoting John R. Levine (jo...@iecc.com):
 None of this is REQUIRED.  It is forced on people by a cartel of
 email providers.
 
 It must be nice to live in world where there is so little spam and
 other mail abuse that you don't have to do any of the anti-abuse
 things that real providers in the real world have to do.

What is a real provider? And what in the email specifications tells us
that the email needs and solutions of any one individual, as long as they
are following protocol (which I'm quite convinced Mark is) are unreal?

There are scalability issues that single out the mega-class providers
as something special. But those are no reason to go around debating the
realness of other email handling organisations.

Also, the accept/reject policies of email recipients are subject to
individual evaluation and implementation at each MX host. Attempts at
describing the state of email as other than that are false and should
be discarded[0].

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Content:  80% POLYESTER, 20% DACRONi ... The waitress's UNIFORM sheds
TARTAR SAUCE like an 8 by 10 GLOSSY ...

[0] I'm sorry for the wording here, I just had to recall a paraphrased 
instruction from when Sweden had a psyops defence organisation. 
Varje meddelande om att motståndet skall uppges är falskt.


signature.asc
Description: Digital signature


Re: SIP on FTTH systems

2014-02-05 Thread Måns Nilsson
Subject: SIP on FTTH systems Date: Wed, Feb 05, 2014 at 11:52:51PM -0500 
Quoting Jean-Francois Mezei (jfmezei_na...@vaxination.ca):
 Quick question:
 
 I am thinking in a possible wholesale FTTH environment operated by a
 telco where the end user is connected to ISP-X via PPPoE.
 
 ONTs have built-in ATAs that can provide POTS service to a house and do
 SIP/VoIP over the fibre with QoS system to ensure VoIP traffic gets through.
 
 In a scenario where the data PPPoE connection is done by an external
 router, what are the options to operate the VoIP service so that
 
 - VoIP still uses the special lane on the GPON with QoS
 
 - VoIP gets IP from ISP-X and traffic flow via ISP-X so that telco is
 not involved in routing such traffic or allocating an IP address ?

Or, one could make sure everything has a globally unique IP address and is
using reasonably secured communications. The downside is that one
then can't defend the existence  of those empire-building middleboxes. It
is not the telco way, so is of course unthinkable. Like anything beyond
WAP was on cell phones a decade ago.

Warum soll man es einfach machen, 
wenn man es so schön komplizieren kann?

(Why make things simple when you can 
 build them so beautifully complicated?)

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
We are now enjoying total mutual interaction in an imaginary hot tub ...


signature.asc
Description: Digital signature


Re: Pad 1310nm cross-connects?

2013-10-20 Thread Måns Nilsson
Subject: Re: Pad 1310nm cross-connects? Date: Sun, Oct 20, 2013 at 07:21:42AM 
+0200 Quoting Måns Nilsson (mansa...@besserwisser.org):
 Subject: Pad 1310nm cross-connects? Date: Sat, Oct 19, 2013 at 07:33:19PM 
 -0700 Quoting Chris Costa (ccosta92...@gmail.com):
  What are the opinions/views on attenuating short, 1310nm LR cross-connects.
   Assume  20m cable length and utilizing the same vendor optics on each
  side of the link.  Considering the LR transmit spec doesn't exceed the
  receiver's high threshold value do you pad the receiver closer to the
  median RX range to avoid potential receiver burnout over time, or just
  leave it un-padded?
 
   LR usually needs padding in that scenario, IMHO. This also 

My apologies. I was thinking not of 10km / 20km class optics but the
80-100km stuff. There, padding is quite necessary in short-range setups.
For 10/20km stuff, I, too, have run lots of 2m patch cords directly
between linecards without harm.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
One FISHWICH coming up!!

Courtesy conversions: (km-miles, km- miles, metres/100 - feet) 

10/1.6
6.2500
80/1.6
50.
200/(2.54*12)
6.56167979002624671916




signature.asc
Description: Digital signature


Re: Pad 1310nm cross-connects?

2013-10-19 Thread Måns Nilsson
Subject: Pad 1310nm cross-connects? Date: Sat, Oct 19, 2013 at 07:33:19PM -0700 
Quoting Chris Costa (ccosta92...@gmail.com):
 What are the opinions/views on attenuating short, 1310nm LR cross-connects.
  Assume  20m cable length and utilizing the same vendor optics on each
 side of the link.  Considering the LR transmit spec doesn't exceed the
 receiver's high threshold value do you pad the receiver closer to the
 median RX range to avoid potential receiver burnout over time, or just
 leave it un-padded?

LR usually needs padding in that scenario, IMHO. This also 
applies to MMR interconnects or other premises / campus situations. 5
or 10dB depending on patching quality -- sometimes up to 15. The value
is best determined by measuring the signal. Then compare the measurement
with the line card / SFP datasheet and determine the amount of padding
necessary. As you write, the damage from overload is gradual, so simply 
trusting it works is quite bad for longevity reasons. 
Not all line cards and / or optical modules report the input signal 
level, so a good meter sometimes is necessary.
Get a good level meter, and a reasonably good light source for 
testing and calibration purposes. I'm happy with our purchase of
SMLP4-4[0] from AFL Noyes.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Pardon me, but do you know what it means to be TRULY ONE with your BOOTH!

[0] 
http://www.aflglobal.com/Products/Test-and-Inspection/Loss-Test-sets/SMLP4-4_Single-mode_Multimode_Loss_Test_Kits.aspx


signature.asc
Description: Digital signature


Re: minimum IPv6 announcement size

2013-09-24 Thread Måns Nilsson
Subject: Re: minimum IPv6 announcement size Date: Tue, Sep 24, 2013 at 
08:00:44AM -1000 Quoting Randy Bush (ra...@psg.com):
  I am running a network that is operating on multiple sites and
  currently rolling out our IPv6 on the perimeter level.  Having to
  get our /48 allocation from our RIR
 
 excuse, but which rir handed out a /48 under which policy?

Any of them?

% Information related to '2001:67c:d8::/48'

inet6num:   2001:67c:d8::/48
netname:SR-V6
descr:  Sveriges Radio AB
country:SE
org:ORG-SR18-RIPE
admin-c:MN1334-RIPE
admin-c:LEW3-RIPE
tech-c: MN1334-RIPE
tech-c: LEW3-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower:  RIPE-NCC-END-MNT
mnt-by: SR-MNT
mnt-routes: SR-MNT
mnt-domains:SR-MNT
source: RIPE # Filtered



-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Now, let's SEND OUT for QUICHE!!


signature.asc
Description: Digital signature


Re: minimum IPv6 announcement size

2013-09-24 Thread Måns Nilsson
Subject: Re: minimum IPv6 announcement size Date: Wed, Sep 25, 2013 at 
11:10:52AM +0800 Quoting Nathanael C. Cariaga (nccari...@stluke.com.ph):
 Hi,
 
 I raised actually this concern during our IP resource application.
 
 On a personal note, I think /48 IPv6 allocation is more than enough
 for our organization to use for at least the next 5-10 years
 assuming that this can be farmed out to our multiple sites. What
 makes this complicated for us is that we are operating on a multiple
 sites (geographically) with each site is doing multi-homing and
 having a /48 in each site would be very big waste of IP resources.

If you've got island networks w/o links between you SHOULD request a /48 per 
site. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Pardon me, but do you know what it means to be TRULY ONE with your BOOTH!


signature.asc
Description: Digital signature


Re: Leap Second

2013-07-02 Thread Måns Nilsson
Subject: Leap Second Date: Tue, Jul 02, 2013 at 10:23:58AM -0400 Quoting Todd S 
(t...@borked.ca):
 We found we got leap seconds added on some systems over the weekend.  There
 were no leap seconds planned (
 http://www.usno.navy.mil/USNO/earth-orientation/leap-second-announcement),
 however some of our systems got one.
 
 We run our own s2/s3/s4 system, with only the s2s going to the Internet.
  We have about 20 servers defined there, but looking through the logs, I
 can't figure out which one(s) may have been advertising the leap second.  I
 went through all our systems on Friday and Saturday to check for the leap
 bit, but had nothing, so it must have come out on Sunday.
 
 Anyone else run in to this, or have any further intel about servers that
 advertised the leap second?

We did get an advisory from Infoblox about a bug in NTP servers based
on open source NTP that would do just that. For Infoblox NIOS there
was a hotfix, and Symmetricom also has a patch out.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I think my career is ruined!


signature.asc
Description: Digital signature


Re: SixXS Contact

2013-06-28 Thread Måns Nilsson
Subject: Re: SixXS Contact Date: Thu, Jun 27, 2013 at 09:43:19PM +0200 Quoting 
Måns Nilsson (mansa...@besserwisser.org):

 Personally, even though I'm on the same IRC channel as one of the admins
 and could have all support I want, I went with HE. Zero trouble. Excellent
 service. I'm peering with them at work, as does my colo provider, så
 have great connectivity.
 
 And, in v6, renumbering is easy (RIGHT? ;) so swapping providers is
 no pain.
 
 Now, Owen, where's my T-shirt?  ;-) 

Apparently I'm not on the same IRC channel as an admin anymore: 

Just let me state that the day after I quit working with SIXXS I got myself a 
HE tunnel

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
The FALAFEL SANDWICH lands on my HEAD and I become a VEGETARIAN ...


signature.asc
Description: Digital signature


Re: SixXS Contact

2013-06-27 Thread Måns Nilsson
Subject: Re: SixXS Contact Date: Thu, Jun 27, 2013 at 10:47:51AM -0400 Quoting 
Anthony Williams (alby.willi...@verizon.com):
 
 
 
  Can I piggy back on that inquiry and request a reset of my ISK points
 after committing a faux pas with respect to going negative from down v6
 tunnels and deleting. Now to create a new tunnel I need positive ISK
 points and I'm stilling at -10 with no way to boost my numbers. :(
 
  Reset Points: AWJ11-SIXXS   Oh Pretty please w/sugar on top.  :)

Personally, even though I'm on the same IRC channel as one of the admins
and could have all support I want, I went with HE. Zero trouble. Excellent
service. I'm peering with them at work, as does my colo provider, så
have great connectivity.

And, in v6, renumbering is easy (RIGHT? ;) so swapping providers is
no pain.

Now, Owen, where's my T-shirt?  ;-) 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
If Robert Di Niro assassinates Walter Slezak, will Jodie Foster marry Bonzo??


signature.asc
Description: Digital signature


Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Måns Nilsson
Subject: Re: Are undersea cables tapped before they get to ISP's? [was Re: 
Security over SONET/SDH] Date: Tue, Jun 25, 2013 at 10:38:30AM -0400 Quoting 
Christopher Morrow (morrowc.li...@gmail.com):

  It's potentially a lot simpler than that:
 
  http://en.wikipedia.org/wiki/Operation_Ivy_Bells
 
 this involved, I think, just intuiting signals from the nearfield
 effects of the cable, no? 'drop a large sensor ontop-of/next-to the
 cable, win!'

IVY BELLS (USN is / was an ALL-CAPS org, right?) was a copper era
project, and it did use EMI tapping (TEMPEST) to get to the traffic
without tampering with the cable.

Having gotten that cleared, I'd argue that if you're on speaking terms
with the cable operator, it is much easier to use a full-spectrum
monitor port on the WDM system.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Your CHEEKS sit like twin NECTARINES above a MOUTH that knows no BOUNDS --


signature.asc
Description: Digital signature


Re: PDU recommendations

2013-06-24 Thread Måns Nilsson
Subject: Re: PDU recommendations Date: Sun, Jun 23, 2013 at 09:32:00PM -0400 
Quoting shawn wilson (ag4ve...@gmail.com):
 So, that's not a very good endorsement :)
 
 Idk why you'd use a fuse in a PDU.

MCB units age.  Especially with vibration.  A 10A MCB becomes a 9A MCB after 
some miles. 

Fuses don't. 

MCB units are good at protecting people since they trip quickly and 
aggressively. 

Fuses tend to linger before blowing, and thus are comparatively bad at 
protecting
people (longer shock) but better at protecting infrastructure (surge
and switch-on-transient resistance).

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
There's a little picture of ED MCMAHON doing BAD THINGS to JOAN RIVERS
in a $200,000 MALIBU BEACH HOUSE!!


signature.asc
Description: Digital signature


Re: Prism continued

2013-06-15 Thread Måns Nilsson
Subject: Re: Prism continued Date: Wed, Jun 12, 2013 at 05:13:45PM -0700 
Quoting Scott Weeks (sur...@mauigateway.com):

 or cat /var/log/router.log | egrep -v 'term1|term2|term3' | less

Surely you mean 

egrep -v 'term1|term2|term3' /var/log/router.log | less

(http://partmaps.org/era/unix/award.html)
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
While you're chewing, think of STEVEN SPIELBERG'S bank account ...  his
will have the same effect as two STARCH BLOCKERS!


signature.asc
Description: Digital signature


Re: PRISM: NSA/FBI Internet data mining project

2013-06-07 Thread Måns Nilsson
Subject: Re: PRISM: NSA/FBI Internet data mining project Date: Fri, Jun 07, 
2013 at 12:25:35AM -0500 Quoting jamie rishaw (j...@arpa.com):
 tinfoilhat
 Just wait until we find out dark and lit private fiber is getting vampired.
 /tinfoilhat

I'm not even assuming it, I'm convinced. In Sweden, we have a law,
that makes what NSA/FBI did illegal while at the same time legalising,
after some scrutiny, the practice of tapping traffic that passes Sweden
and is not both originated by and destined to Swedes. . We're pretty
good at selling transit abroad. Eastward. Go figure.  Combine that with
our NSA buddy, the FRA (http://www.fra.se) actively attempting to hire
WDM experience and there is enough circumstantial data that I'm convinced
it's being done.

Also, what agencies like NSA, GCHQ and FRA have done for ages is listening
to a broad spectrum of RF data with their aerials. Moving it into fiber
is just keeping pace with the technology.

Another historical fact is that the FRA has its roots in a extremely
successful wiretapping operation in WW2, where the German teleprinter
traffic between Norway (occupied) and Germany was passed on leased lines
through western Sweden. Cross-border wiretap.

In conclusion; I'm convinced.
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'm having an emotional outburst!!


signature.asc
Description: Digital signature


Re: Dear NANOG Gods

2013-05-22 Thread Måns Nilsson
Subject: Re: Dear NANOG Gods Date: Tue, May 21, 2013 at 02:56:22PM -0400 
Quoting Joe Abley (jab...@hopcount.ca):
 
 The last time we had to ship a number of (Dell, actually) boxes from ICANN in 
 LA we bought some flight cases that we could rack the servers into. Our 
 thought was to go for reusable, rather than one-off (and we had doubts about 
 the state of the boxes upon arrival if they weren't securely packed; a flight 
 case with 19 rails inside seemed like a good bet).

If survivability is important, I like CP Cases: 

http://www.cpcases.com/prodrange.asp?prodrangeid=15typeid=3

More expensive than SKB, but they bounce when dropped. And preserve the
stuff inside.

One probably should opt for removing PSU and drives if shipping is
expected to be very rough.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
What a COINCIDENCE!  I'm an authorized SNOOTS OF THE STARS dealer!!


signature.asc
Description: Digital signature


Re: ISIS and OSPF together

2013-05-12 Thread Måns Nilsson
Subject: ISIS and OSPF together Date: Sun, May 12, 2013 at 02:11:37PM +0530 
Quoting Glen Kent (glen.k...@gmail.com):
 Hi,
 
 I would like to understand the scenarios wherein the service
 provider/network admin might run both ISIS and OSPF together inside their
 network. Is this something that really happens out there?

Indeed; one of the more sane situations might be to have say anycast
name servers or full-service resolvers in the network and having them
talk OSPF to the first hop router. ISIS daemons on PC operating systems
are scarce, working ones hardly exist.

It is clear, though, that the path forward is ISIS; most people I've
spoken to roll it out (in greenfield/forklift situations) or migrate to it.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I always have fun because I'm out of my mind!!!


signature.asc
Description: Digital signature


Re: RFC 1149

2013-04-04 Thread Måns Nilsson
Subject: Re: RFC 1149 Date: Wed, Apr 03, 2013 at 02:59:47PM -0400 Quoting Jay 
Ashworth (j...@baylink.com):
 George Herbert george.herb...@gmail.com wrote:
 
 In europe?  He probably was thinking of a Volvo 245...
 
 I don't /think/ Andy was over there that far back.

that far back? The 245 still rolls, and probably will, for another 30 years. 

/Måns, drove 245 in youth. 
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
The SAME WAVE keeps coming in and COLLAPSING like a rayon MUU-MUU ...


signature.asc
Description: Digital signature


Re: Open Resolver Problems

2013-04-02 Thread Måns Nilsson
Subject: Re: Open Resolver Problems Date: Tue, Apr 02, 2013 at 05:25:53AM +0200 
Quoting Mikael Abrahamsson (swm...@swm.pp.se):
 On Tue, 2 Apr 2013, Måns Nilsson wrote:
 
 What percentage of the SOHO NAT boxes actually are full-service
 resolvers? I was under the impression that most were mere
 forwarders; just pushing queries on toward the DHCP'd full service
 resolvers of the ISP.
 
 What does that help? They can still be amplifiers, it's just that
 now the ISP resolver will see the resolving load as well.

But, yes, of course. Nobody would be so stupid so ast o accept queries
on the WAN side and answer them? Would they? /innocent

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
My vaseline is RUNNING...


signature.asc
Description: Digital signature


Re: Open Resolver Problems

2013-04-01 Thread Måns Nilsson
Subject: Re: Open Resolver Problems Date: Mon, Apr 01, 2013 at 10:21:42PM +0200 
Quoting Niels Bakker (niels=na...@bakker.net):
 * patr...@ianai.net (Patrick W. Gilmore) [Mon 01 Apr 2013, 18:18 CEST]:
 Of course, since users shouldn't be using off-net name servers
 anyway, this isn't really a problem! :)
 
 You're joking, right?  Should they also use only the telco-approved
 search engine, via the telco-hosted portal?

Far too many (perhaps not Patrick) in this thread are not joking. Laughter
gets stuck in my throat, as we say in Sweden. Having proper Internet
access is more and more a privilege for the Internet gentry that are
clued and able to pay for a box in a colo or similar.

The unwashed masses are left with broadband We can't call it Internet
because there are a few raving graybeards that claim they invented it
and intended it to be two-way instead of stuffing .flv down peoples
facebook-viewing devices while also supplanting cable TV with demand 
streaming.

/rant

What percentage of the SOHO NAT boxes actually are full-service
resolvers? I was under the impression that most were mere forwarders; just
pushing queries on toward the DHCP'd full service resolvers of the ISP.


-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Everywhere I look I see NEGATIVITY and ASPHALT ...


signature.asc
Description: Digital signature


Re: Open Resolver Problems

2013-03-25 Thread Måns Nilsson
Subject: Re: Open Resolver Problems Date: Mon, Mar 25, 2013 at 12:45:40PM -0400 
Quoting Joe Abley (jab...@hopcount.ca):
 
 DNS servers (recursive and authoritative-only) are the low-hanging fruit du 
 jour. I agree that there are many other effective amplifiers, and that even 
 maximum DNS hygiene will not make the wider problem go away.
 
 A quick note on your final comment, though: whilst adaptive response rate 
 limiting (so-called RRL) is fast developing into an effective mitigation for 
 reflection attacks against authority-only servers, there is far less 
 experience with traffic patterns or the effects of rate-limiting (using RRL 
 or anything else) on recursive servers.
 
 The best advice for operation of recursive servers remains restrict access 
 to legitimate clients, not apply rate-limiting.

Twice agree.  I try to have ::1 as resolver on my server machines that
are in a position to be used, and only accept queries on ::1. Takes care
of access control nicely.

For auth servers, those serving DNSSEC records are especially attractive
as amplifiers. At the moment, I'd have a hard time defending unrestricted
query rates on auth servers if they serve DNSSEC.

I've successfully applied the Redbarn patches to my BIND, and I expect
the NSD rate-control to be of similar quality, or better.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
BELA LUGOSI is my co-pilot ...


signature.asc
Description: Digital signature


Re: Visio-fu

2013-02-26 Thread Måns Nilsson
Subject: Visio-fu Date: Mon, Feb 25, 2013 at 08:20:34PM + Quoting Warren 
Bailey (wbai...@satelliteintelligencegroup.com):
 All,
 
 I have been searching our beloved internet endlessly for months on 
 information regarding Visio technique. Does anyone have a good resource(s) 
 for advanced visio drawings, or more to the point a good place for high 
 quality connectors? There is some great quality work out there, this is 
 something I found just a little while ago 
 http://www.parallels.com/r/upload/figure2-1.gif
 
 This may not be a visio drawing (do not have any background on it), but I 
 would really dig some resources that you guys out there may or may not use. 
 The cables in that drawing look fantastic to me, so I would really appreciate 
 any guidance you all have in helping me improve my output.

I'd just quit beating the rotting carcass of Visio into producing anything
not appalling and go with OmniGraffle instead.

http://www.omnigroup.com/products/omnigraffle/

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
DON'T go!!  I'm not HOWARD COSELL!!  I know POLISH JOKES ... WAIT!!
Don't go!!  I AM Howard Cosell! ... And I DON'T know Polish jokes!!


signature.asc
Description: Digital signature


Re: 10 Mbit/s problem in your network

2013-02-10 Thread Måns Nilsson
Subject: Re: 10 Mbit/s problem in your network Date: Sun, Feb 10, 2013 at 
05:07:49PM +0100 Quoting JP Velders (j...@veldersjes.net):
 
  Not to be pedantic, but The Last Mile Cache will actually help you to
  solve this problem, with a local cache server at the hotel.
 
 And as a business traveller I want to have the ISP or Hotel cache (aka 
 be able to read and for others to be found!) my possibly very 
 sensitive corporate documents exactly _why_ ? 

A VPN or SSH session (which is what most hotel guests traveling for
work will do) won't cache at all well, so this is a very bad idea. Might
improve some things, but not the really important ones.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Thousands of days of civilians ... have produced a ... feeling for the
aesthetic modules --


signature.asc
Description: Digital signature


Re: IPV6 in enterprise best practices/white papaers

2013-01-29 Thread Måns Nilsson
Subject: Re: IPV6 in enterprise best practices/white papaers Date: Mon, Jan 28, 
2013 at 08:45:39PM +0400 Quoting Mukom Akong T. (mukom.ta...@gmail.com):
 On Mon, Jan 28, 2013 at 7:27 PM, Eugeniu Patrascu eu...@imacandi.netwrote:
 
  I thought about running pure IPv6 inside and do 6to4, but it's too
  much of a headache,

 Does an L2 switch really care about IPv6? (except for stuff like DHCPv6
 snooping, etc?)

For management it does care.  NO ipv4 is NO ipv4. As in not even
management addresses.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Will the third world war keep Bosom Buddies off the air?


signature.asc
Description: Digital signature


Re: IPV6 in enterprise best practices/white papaers

2013-01-27 Thread Måns Nilsson
Subject: Re: IPV6 in enterprise best practices/white papaers Date: Sun, Jan 27, 
2013 at 10:01:04AM -0800 Quoting joel jaeggli (joe...@bogus.com):

 Tunning dekstop operating systems is not the scalable side of
 enterprise network deployment.
 
No problem if it is a deployment. If it is the usual chaos, yeah, then
there is a problem.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'm encased in the lining of a pure pork sausage!!


signature.asc
Description: Digital signature


Re: IPV6 in enterprise best practices/white papaers

2013-01-27 Thread Måns Nilsson
Subject: Re: IPV6 in enterprise best practices/white papaers Date: Sun, Jan 27, 
2013 at 12:31:37PM -0500 Quoting William Herrin (b...@herrin.us):
 
 Right. On a each local machine you can often override the default
 behavior. That default dynamically kicks in for all machines as soon
 as there's an IPv6 router on the LAN. Configurable? Sort of. Realistic
 solution to the cited problem? Not in your wildest dreams.

Well, I'm doing a careful, slow rollout of v6 in an enterprise. Things
like this can be herded so as to be way below the threshold of noticeable
for 99% of the users. The only quirk we've found is a LAN that first
got v6 and then lost it (long story of IOS upgrades enforcing sanity and
breaking hackish deployments). Clients on other segments were a bit upset.
 
 That's right, blame the applications for the defective API. After all,
 any skilled application programmer can work around the problem, given
 sufficiently long experience with IPv6.

IMNSHO, the API is not as defective as you might think. The idea was to
replace v4. If we cling to v4, what is going to happen? (Well, ask just
about any ISP except HE and a few others, they can tell how it feels to
cling to v4 and go LALALALALALALACANTHEARYOU when customers ask for v6)
The happy eyeballs fix is of course convenient, but only necessary when
the network is so broken for v6 that you should not have turned RA on..

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
How do you explain Wayne Newton's POWER over millions?  It's th' MOUSTACHE
...  Have you ever noticed th' way it radiates SINCERITY, HONESTY  WARMTH?
It's a MOUSTACHE you want to take HOME and introduce to NANCY SINATRA!


signature.asc
Description: Digital signature


Re: [SHAME] Spam Rats

2013-01-09 Thread Måns Nilsson
Subject: Re: [SHAME] Spam Rats Date: Thu, Jan 10, 2013 at 03:50:37PM +1100 
Quoting Mark Andrews (ma...@isc.org):
 
 In message 50ee471c.7010...@utc.edu, Jeff Kell writes:

  Can you wildcard it? 
 
 No point.  address - name - address doesn't work with wildcards.

OTOH, if the requirement is must have PTR and/or organisation fwd
domain name should show up in PTR RDATA then wildcards have a place. And
yes, BIND loads and answers, as expected.

*.4.4.3.0.5.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR a.node.on.vlan344.namn.se.

...will work just fine, for instance. I did it for a 200+ segment LAN
party, couple years ago. And as is usual with wildcards, if you do need
to insert a real record, it will take over just as expected.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
The FALAFEL SANDWICH lands on my HEAD and I become a VEGETARIAN ...


signature.asc
Description: Digital signature


Re: Any enterprise operators very happy with their MPLS providers?

2012-12-06 Thread Måns Nilsson
Subject: Any enterprise operators very happy with their MPLS providers? Date: 
Wed, Dec 05, 2012 at 02:14:25PM + Quoting McCall, Gabriel 
(gabriel.mcc...@thyssenkrupp.com):
 I'm getting ready to prepare an RFP for our next generation WAN, and would 
 like feedback from anyone else who has 100+ MPLS nodes on their quality of 
 account service and technical performance.
 
 My current landscape includes ATT, Sprint, and Verizon. I'm almost 
 completely happy with Sprint- they're about in the A- range. ATT is muddling 
 along at about a C, and Verizon is a solid F. I've heard very good things 
 from some CenturyLink customers and will definitely include them in the 
 bidder list- is anyone else doing a very good job for you?

We did a survey around 2008-9 in Sweden and concluded that the risk
of large hysteresis IPDV and Q-in-Q outweighed the attractiveness
(mainly price) of running on top of somebody elses MPLS. A major
contributing factor was, and is, also that we ourselves are running
MPLS for our logical separation needs, and that we predicted and got a
lot of real-time critical RTP streams on the internal WAN. We bought
Gigabit Ethernet compatible channels over mainly dark fiber or WDM
and included text in the call for tender about not even trying to offer
MPLS-based L2.. This was done under EU Public call for tender legislation,
which was a challenge. We are quite happy, and slashed our old inflated
price for relatively small SDH links by a lot.

If, OTOH, you are not a very distributed radio company trying to do
RTP in 48kHz 24-bit linear stereo over internal WAN, using multicast,
you might be fine with a MPLS offering...

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I have a VISION!  It's a RANCID double-FISHWICH on an ENRICHED BUN!!


signature.asc
Description: Digital signature


Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....

2012-11-29 Thread Måns Nilsson
Subject: Re: Programmers can't get IPv6 thus that is why they do not have IPv6 
in their applications Date: Thu, Nov 29, 2012 at 09:55:19AM -0500 Quoting 
William Herrin (b...@herrin.us):
 On Thu, Nov 29, 2012 at 9:01 AM, Ray Soucy r...@maine.edu wrote:
  You should store IPv6 as a pair of 64-bit integers.  While PHP lacks
  the function set to do this on its own, it's not very difficult to do.
 
 Hi Ray,
 
 I have to disagree. In your SQL database you should store addresses as
 a fixed length character string containing a zero-padded hexadecimal
 representation of the IPv4 or IPv6 address with A through F forced to
 the consistent case of your choice. Expand :: and optionally strip the
 colons entirely. If you want to store a block of addresses, store it
 as two character strings: start and end of the range.

No, you are both worng. The answer is simple and practical: 

Use a database that has a modern IP adress database type. Like
Postgres. Its IP-adress data types understand and parse both adress
strings and network strings (and, of course -- a network with the proper
netmask set might be interpreted like a host.)

The 32-bit integer trick might, just might make do for IPv4, but a proper
data type is so much simpler to use.

non-technical ranting part
Also, stepping away from MySQL or Oracle makes Larry less powerful. 
/non-technical ranting part

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I am covered with pure vegetable oil and I am writing a best seller!


signature.asc
Description: Digital signature


Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....

2012-11-28 Thread Måns Nilsson
Subject: Re: Programmers can't get IPv6 thus that is why they do not have IPv6 
in their applications Date: Wed, Nov 28, 2012 at 06:45:54PM +0100 Quoting 
Mikael Abrahamsson (swm...@swm.pp.se):
 
 I believe they ask for the apps to work on the Internet. Part of
 that requirement is soon to be a requirement for IPv6 support.

It is so already. 

 IPv6 Support Required for All IP-Capable Nodes

Abstract

   Given the global lack of available IPv4 space, and limitations in
   IPv4 extension and transition technologies, this document advises
   that IPv6 support is no longer considered optional.  It also cautions
   that there are places in existing IETF documents where the term IP
   is used in a way that could be misunderstood by implementers as the
   term IP becomes a generic that can mean IPv4 + IPv6, IPv6-only, or
   IPv4-only, depending on context and application.

RFC 6540 / BCP 177
 
 I believe the person signing the checks never asked for IPv4 support.

Probably not. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
... this must be what it's like to be a COLLEGE GRADUATE!!


signature.asc
Description: Digital signature


Re: Big day for IPv6 - 1% native penetration

2012-11-26 Thread Måns Nilsson
Subject: Re: Big day for IPv6 - 1% native penetration Date: Mon, Nov 26, 2012 
at 11:18:13PM + Quoting Dobbins, Roland (rdobb...@arbor.net):
 
 How much of a priority do you think IPv6 capabilities are for corporate IT 
 departments, beyond a checklist item on RFPs in order to CYA?

I am -- in addition to running eBGP for my employer -- also the acting
network strategist and proper IP networking evangelist at my employer. We
have been buying v6 compatible gear and connections for four years
now. We are configuring IPv6 on all backbone links and are carefully
deploying v6 to workstation and server networks all over the enterprise.
 
 Where are the IPv6-only SQL Server deployments within enterprises, for 
 example?  In fact, where are the IPv6-enabled client access LANs within 
 enterprises?  Or even the *plans* for these types of deployments/capabilities?

There are no v6-only deployments of SQL Server. The admins request and
setup v4, the server requests and sets up v6, and the clients use whatever
is in the DNS. The server will register in DNS so v6 has a fair chanche
of getting chosen.
 
 Maybe they're hiding in plain sight.  But I don't think so.

We discovered that the HUB/TRANSPORT nodes in the Exchange collective
talked Link-local v6 to the MBOX nodes. Service discovery. Magic. The
Exchange admins had no idea, but that probably was because they are good,
obedient employees and use the mandated email client, which makes viewing
headers something of a challenge.

V6 will, given a few careful pushes, deploy itself. Slightly exaggerated,
but that's how it is.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I love ROCK 'N ROLL!  I memorized the all WORDS to WIPE-OUT in
1965!!


signature.asc
Description: Digital signature


Re: Big day for IPv6 - 1% native penetration

2012-11-25 Thread Måns Nilsson
Subject: Re: Big day for IPv6 - 1% native penetration Date: Sun, Nov 25, 2012 
at 04:29:15AM + Quoting Dobbins, Roland (rdobb...@arbor.net):
 
 On Nov 25, 2012, at 10:09 AM, joel jaeggli wrote:
 
  from goeff huston's data they have more v6 at home.
 
 And not purposely, either - because it's enabled by default on recent client 
 OSes.  My guess is that a non-trivial fraction of observed IPv6 traffic today 
 is unintentional.

This is excellent! It is not likely that any end-user traffic over IPv4
is intentionally sent over IPv4. It is sent to Facebook. (eh, faceb00c,
of course) Likewise, the -4 and -6 options for SSH are there for debugging
and fault mitigation, nothing else.

I'm quite satisfied that this now is the norm. It's the only way we'll be
able to restore e2e on the Internet and evolve beyond simple client-server
models like TN3270^H^H^H^Hthe web. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I didn't order any WOO-WOO ... Maybe a YUBBA ... But no WOO-WOO!


signature.asc
Description: Digital signature


Re: Is a /48 still the smallest thing you can route independently?

2012-10-13 Thread Måns Nilsson
Subject: Re: Is a /48 still the smallest thing you can route independently? 
Date: Sat, Oct 13, 2012 at 09:01:51AM -1000 Quoting Randy Bush (ra...@psg.com):
 
 /48 is the new /24

Except you can stuff pretty much into one. I'm numbering my entire
workplace from one. 1500 people and 26 offices. Our v4 is a constrained
/16, which is enough. But not more.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
FROZEN ENTREES may be flung by members of opposing SWANSON SECTS ...


signature.asc
Description: Digital signature


Re: Big Temporary Networks

2012-09-19 Thread Måns Nilsson
Subject: Re: Big Temporary Networks Date: Tue, Sep 18, 2012 at 01:03:00PM -0700 
Quoting Jo Rhett (jrh...@netconsonance.com):
 On Sep 13, 2012, at 7:29 AM, Jay Ashworth wrote:
  I'm talking to the people who will probably be, in 2015, running the first 
  Worldcon I can practically drive to, in Orlando, at -- I think -- the Disney
  World Resort.  I've told them how critical the issue is for this market; 
  they,
  predictably, replied We look forward to your patch.  :-}
 
 So I just want to point out that this is an utterly irrelevant topic. 
 Worldcon is full to the brim with really smart people who can build good 
 networks, but in every place large enough to host a Worldcon the owners of 
 the building make money selling Internet access and don't want competition. 
 The very best we've been able to do was create an Internet Lounge with good 
 connectivity, and even that isn't acceptable at most locations.
 
All the IETF and RIPE meetings I've been to have had excellent custom networks. 
How come? 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
How do you explain Wayne Newton's POWER over millions?  It's th' MOUSTACHE
...  Have you ever noticed th' way it radiates SINCERITY, HONESTY  WARMTH?
It's a MOUSTACHE you want to take HOME and introduce to NANCY SINATRA!


signature.asc
Description: Digital signature


Re: Big Temporary Networks

2012-09-16 Thread Måns Nilsson
Subject: Re: Big Temporary Networks Date: Sat, Sep 15, 2012 at 01:11:54PM -0500 
Quoting Jimmy Hess (mysi...@gmail.com):
 On 9/15/12, Masataka Ohta mo...@necom830.hpcl.titech.ac.jp wrote: 
 Mans Nilsson wrote:
 
   I am not suggesting that. I'm just trying to point out that there
  might be a bunch of assumptions that aren't as true anymore when a
  lot of client connections share both source and destination address,
  and perhaps also destination port. If this happens simultaneously when
  a large amount of other tcp connections are NATed through the same box,
  resource starvation will occur.
 
 Assumptions that are already broken in Enterprise networks where 100+
 users may share an IP

snip LONG description of fragile b0rkendeness applied to a perfectly
working network without NAT just so that NAT can be used to break it
even more

Warum einfach, wenn es auch kompliziert geht? 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
The FALAFEL SANDWICH lands on my HEAD and I become a VEGETARIAN ...


signature.asc
Description: Digital signature


Re: Big Temporary Networks

2012-09-16 Thread Måns Nilsson
Subject: Re: Big Temporary Networks Date: Sat, Sep 15, 2012 at 10:15:26PM -0400 
Quoting Eric Adler (eapt...@gmail.com):
 Are you working with locally originated video or video that originates as
 DVB-T?
 
 I'm looking at a similar project to replace NTSC distribution around the
 facility where I work (locally originated, DVB-S[2] receive, ATSC receive,
 and even NTSC receive) with an IP multicast system.
 
 I'd be interested in discussing options, caveats, and nuance further with
 all of those interested but I fear we're drifting off-topic for this list
 (and this thread).

The only real problem is rights. The tech is easy. Get a last years PC,
install as much tuners as you need, and install the right software.

First google hit, more or less: 

http://wiki.arts.usyd.edu.au/meta/index.php/Building_a_DVB_streaming_server

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Should I start with the time I SWITCHED personalities with a BEATNIK
hair stylist or my failure to refer five TEENAGERS to a good OCULIST?


signature.asc
Description: Digital signature


Re: Big Temporary Networks

2012-09-15 Thread Måns Nilsson
Subject: Re: Big Temporary Networks Date: Fri, Sep 14, 2012 at 09:40:02AM -0400 
Quoting Jay Ashworth (j...@baylink.com):
 - Original Message -
  From: Måns Nilsson mansa...@besserwisser.org
 
  12:20:33AM -0700 Quoting Octavio Alvarez (alvar...@alvarezp.ods.org):
  
   I'd have expected someone to have QoS mentioned already, mainly to put
   FTP and P2P traffic on the least important queues and don't hog up the
   net.
  
  As long as there is no multicast entering the wlan this is best solved
  by getting more bandwidth.
 
 Well, we'll be on the *sending* end of the Hugo's, but... ;-)
 
 It would still be nice to multicast them inside our network (and out to
 whomever wants to watch), but what the heck's the consumer-level client side
 of multicast video streaming look like these days?

IIRC a number of IETF meetings were badly maimed in the wireless
side until people remembered that the WLAN was no place for multicast
video. VLC does mcast really nice. We're testing it for replacing antenna
distribution systems and DVB-T receivers at work.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Mr and Mrs PED, can I borrow 26.7% of the RAYON TEXTILE production of
the INDONESIAN archipelago?


signature.asc
Description: Digital signature


Re: Big Temporary Networks

2012-09-14 Thread Måns Nilsson
Subject: Re: Big Temporary Networks Date: Thu, Sep 13, 2012 at 05:45:55PM -0400 
Quoting Jay Ashworth (j...@baylink.com):
 - Original Message -
  At all possible cost, avoid login or encryption for the wireless.
 
 Yes, and no.

snip 

Just keep in mind that every action you make the visitors have to perform
to get Internet connectivity is a support workload.
 
 (For example, I have no problems blocking outbound port 25 and redirecting
 recursive DNS -- though I do want a system that permits me to whitelist 
 MACs on request.  But I would do those on the guest and dealer nets, and
 not on the staff one.)

Remember that DNSSEC breaks quite easily if you redirect DNS and since
this is three years in the future, the uptake on DNSSEC may well have
hit the point where there is visual feedback on validation in client UI.
 
  While things have become much better, doing 802.1x on conference
  wireless probably is a bit daring. OTOH eduroam does it all over Europe.
 
 If I did try to do that, it would probably only be on the staff network; 
 it's a much more contrained environment.

It'll work much better there, and FWIW, will be a little yet perhaps
effective speedbump for intruders.
 
  And get v6.
 
 Yeah, I assumed that, though it will be interesting to see how much play 
 it actually gets; these are SF geeks, not networking geeks.

Again, even in North America, the uptake may well have accelerated
enough that it is To Be Expected. Besides, IME, SF geeks are computer savvy
more than others.
 
 Oh yeah.  I'm fond of leases as short as 30 minutes, though if I have
 a /16, I won't care as much.

A couple hours will get the user over a lunch break if not overnight,
which means that long TCP sessions survive on Proper Computers (that
don't tear down TCP on link loss. I'm looking at you, Microsoft!). This
is Really Nice. Open up computer from sleep and press enter in xterm
and ssh session is up. (my personal record is for telnet, an untouched
connection survived two taxi trips,  one night, some NATed wlan at the
hotel and when i got back to the right network I just plugged the cable in
and continued in the same session. But I cheated and had fixed addresses.)
  
 Very nice, Måns; thanks.

My pleasure. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
He is the MELBA-BEING ... the ANGEL CAKE ... XEROX him ... XEROX him --


signature.asc
Description: Digital signature


Re: Big Temporary Networks

2012-09-14 Thread Måns Nilsson
Subject: Re: Big Temporary Networks Date: Fri, Sep 14, 2012 at 12:20:33AM -0700 
Quoting Octavio Alvarez (alvar...@alvarezp.ods.org):
 
 I'd have expected someone to have QoS mentioned already, mainly to put
 FTP and P2P traffic on the least important queues and don't hog up the
 net.

As long as there is no multicast entering the wlan this is best solved
by getting more bandwidth.
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
... the HIGHWAY is made out of LIME JELLO and my HONDA is a barbequeued
OYSTER!  Yum!


signature.asc
Description: Digital signature


Re: Big Temporary Networks

2012-09-14 Thread Måns Nilsson
Subject: Re: Big Temporary Networks Date: Fri, Sep 14, 2012 at 09:22:01PM +0900 
Quoting Masataka Ohta (mo...@necom830.hpcl.titech.ac.jp):
 Måns Nilsson wrote:
 
 And get v6.
 
 Do not NAT. When all those people want to do social networking to the same
 furry BBS while also frequenting three social app sites simultaneously
 you are going to get Issues if you NAT. So don't.
 
 Don't?
 
 Considering that, ten years ago, some computers were still often
 shared by thousands of people distinguished by their port numbers
 and that, today, pseudo ISPs are using NAT, it is not only wrong
 but also impossible to identify a user only by his IP address
 without port numbers.

Ohta-san, 

I am not suggesting that. I'm just trying to point out that there
might be a bunch of assumptions that aren't as true anymore when a
lot of client connections share both source and destination address,
and perhaps also destination port. If this happens simultaneously when
a large amount of other tcp connections are NATed through the same box,
resource starvation will occur. If public address space is available,
it is better to use that. Also, no NAT means there will be no session
timers for things like long lived low bandwidth tcp sessions.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I think my career is ruined!


signature.asc
Description: Digital signature


Re: Big Temporary Networks

2012-09-13 Thread Måns Nilsson
Subject: RE: Big Temporary Networks Date: Thu, Sep 13, 2012 at 04:05:41PM + 
Quoting Dylan Bouterse (dy...@corp.power1.com):
 
 I'm not sure if this is obvious for this list or not, but with your WiFi 
 nodes, a good practice for that kind of density is more nodes, lower power. 
 Keep the client connection load per AP as low as possible to improve overall 
 performance. Jacking up the power in a small area like that will just step on 
 the adjacent APs and cause issues.

++; 

An enterprisey AP flock that perhaps even can talk to eachother about
power levels is a must.

At all possible cost, avoid login or encryption for the wireless. Captive
portals suck, especially if they try to be clever and keep an eye on the
link-state to each client. Tablets and smartphones turn their radios off
to conserve battery, and that means having to login all the time.

While things have become much better, doing 802.1x on conference wireless
probably is a bit daring. OTOH eduroam does it all over Europe. 

Get lots of IP addresses. A /16 probably still can be borrowed for this
kind of event. I know RIPE had rules and addresses for this kind of use
a couple years ago, at least.

And get v6. 

Do not NAT. When all those people want to do social networking to the same
furry BBS while also frequenting three social app sites simultaneously
you are going to get Issues if you NAT. So don't. (Keep in mind that the
5-tuple for each TCP connection more often will become a 3-tuple if the
demographic of the user base is skewed towards a focus group and NAT is
in use. )

Lots of IP adresses will also enable you to set sensible DHCP lease
times on the failover-connected (because they are, right?) DHCP
servers. Nothing is so detrimental to connectivity experience as lost
leases from either crashed DHCP servers or short lease times.  
Be very thorough and careful in setting DHCP up. It'll pay off. 

Have DNS resolvers locally. Unbound is good. As is BIND. 

It might be a good idea to have reverse DNS delegation set up,
perhaps via the BIND $GENERATE directive; just something like
wireless-node-47-11.world.con will do. 

Make sure that the whois contacts for the address block are proper. 

Try setting some monitoring up; it is good to be able to keep an eye on
client count per AP etc. This is also much easier if the wireless solution
is enterprisey.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
The entire CHINESE WOMEN'S VOLLEYBALL TEAM all share ONE personality --
and have since BIRTH!!


signature.asc
Description: Digital signature


  1   2   >