Re: What do you think about this airline vs 5G brouhaha?
On Tue, Jan 18, 2022 at 17:49 Jay Hennigan wrote:
> On 1/18/22 15:51, Brandon Martin wrote:
>
> > Further, it seems that good engineering practice was not used in the design of these vulnerable systems and that they are subject to interference from broad-spectrum "jammers" (i.e. signals that, in terms of modulation and timing, don't necessarily correspond to what they're expecting to receive) transmitting well outside their allocated band (by separation comparable to the entire band in which they operate) let alone outside the expected, tuned frequency of signal reception. All of these are typically very high on the list of consideration when designing an RF receiver and seem to have been either ignored entirely or at least discounted in the design of these instruments from what I'm hearing.
>
> This simply doesn't make sense. Radar receivers are usually direct conversion driven from the same frequency source as the transmitter, meaning that they are going to have rather good selectivity with regard to frequency.
>
> Furthermore, a radio altimeter used for approach and landing is going to have a very short time window. I'm by no means familiar with the internal workings of these devices, their specifications, or their effective range, but if the altitude to be measured is 5000 feet or less the device will send a pulse and then open a receive window of no more than about 11 microseconds to look for its return. If you're only concerned about being 1000 feet or less above terrain, the window is about 2 microseconds. The pulses are presumably sent relatively frequently, probably several times a second, and the results averaged. In addition, the radar antenna beamwidth is going to be relatively small and pointed more or less straight down.

GPWS, and all rescue/medevac/etc helicopter operations also use the RA, and this is NOT just in the landing/approach of a runway.

Think about landing a helicopter at night on the freeway or a nearby field. TAWS uses GPS to locate in space and I don't know where its altitude source is - probably the baro altimeter until the RA starts getting a return (or thinks it is).

> Intentional broadband jamming isn't going to be very effective against an airplane as the jammer would need to be directly beneath a fast moving target and get the timing exactly right with microsecond accuracy.
>
> Accidental interference from a source at least 220MHz out of band with a beam pointed at the horizon is even more far-fetched unless, as you say, the radar unit's receiver is complete garbage in which case how did it get a TSO in the first place? Avionics equipment that is critical to a precision approach isn't, or at least shouldn't be, crap.

They've never been required to have immunity. Last spec update was AFAIK 1980s. It's definitely a stack of problems…part of which is the FCC auctioning the spectrum; it puts them in conflict as both the enforcement and beneficiary. Billions of dollars being the CTIA on one hand. On the other RTCA, AOPA, and some other small $ fish they stand nothing to gain from. Remember that the RA is sub 1W looking for reflected emissions. It's very possible for the ground equipment for a cell base station to have spurious harmonics…where they land requires more RF engineering chops than I've got, and would obviously be very system dependent. So yes in my understanding due to the RF voodoo of how they transmit and receive, and the .. field of view .. those factors mitigate interference for certain…but why did the FCC auction that chunk? Why not say ok you've got two years to develop a standard, update that 1980s requirement, and 5 or 10 to implement? Instead we're just barely four years on and going to be seeing potentially interesting deployments. Interference that only can happen and only matters in critical flight phases….

> --
> Jay Hennigan - j...@west.net
> Network Engineering - CCIE #7880
> 503 897-8550 - WB6RDV

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler
Re: What do you think about this airline vs 5G brouhaha?
New to the public eye but not orgs like AOPA who've been fighting since 2020, but they're not multi-billion dollar lobby groups. US is more affected because we have more general aviation, and an older fleet overall. And it's not cheap to replace these radio altimeters (but that's kind of like everything aviation).

On Tue, Jan 18, 2022 at 13:32 Michael Thomas wrote:
> I really don't know anything about it. It seems really late to be having this fight now, right?
>
> Mike
Re: A crazy idea
On Tue, Jul 20, 2021 at 7:48 AM Michael Loftis wrote:
> (Reply in-line)

My apologies to everyone using an HTML mail client. Don't try in-line replies with Google's iOS app. *sigh* Really, it's not a blank reply...

The gist of my reply was: Don't complain about DNS services when you're not paying for DNS services. register.com, godaddy, those are registrars. Go look for a managed DNS/authoritative DNS service provider and almost any of them will happily accept a reverse DNS zone delegation. And for IPv4 less-than-boundary (well..I guess you could use it for v6, but v6 should NEVER be on a less than boundary) see RFC2317.

Again. Apologies. Honestly, it was my mail client that did it! :)
Re: A crazy idea
(Reply in-line)

On Mon, Jul 19, 2021 at 06:11 Stephen Satchell wrote:
> First, I know this isn't the right place to propose this; need a pointer to where to propose an outlandish idea.
>
> PROBLEM: IPv6 support is still in its birthing pangs. I see a problem that limits deployment of IPv6 fully: reverse PTR records in the ".in6.arpa." zones.
>
> (Now that I think about it, this may very well be a network operator issue. Who maintains the ".in.arpa." zones delegated by IANA now?)
>
> I've been going 'round and 'round with AT&T about "static" IPv6 addresses. In particular, I can't get a PTR record in the ip6.arpa. zone to save my life. Now, the problem is not really ripe yet, because the big reason for PTR records is for mail servers -- best practice calls for /PTR agreement, just like for IPv4 the best practice is for A/PTR agreement.
>
> The existing DNS providers can support delegation domains, so that I don't have to have DNS servers of my own if I don't want to. It could be that one would need to "buy" the delegation domain, but that's a front-office consideration. Personally, I use register.com for my domain DNS zones. I believe strongly that other registrars that offer customer zone editing, plus DNS service providers, can support reverse delegation zones with a minimum of hassle, and without charging an arm and a leg for the service.

They're not a DNS service provider. That is a registrar. Providing authoritative DNS is incidental to their business and not their focus. Go look for managed DNS or authoritative DNS services. There's still the problem of getting the delegation which is largely unsupported for consumer IP services. And honestly…I don't really expect consumer (dynamic) IP services to provide reverse delegation. Business (definitely needs to) and static IP services (really should) should provide either delegation of the reverse zone or PTRs for non boundary ipv4 space per RFC2317.

> From the customers' viewpoint, a GUI would make the maintenance relatively painless.
>
> (Keying the information below took a long time. Any rational DNS admin and DNS service provider would have automation in place to take out the painful work.)
>
> > 96-103.194.65.99.in-addr.arpa. NS my-DNS-server-1
> > 96-103.194.65.99.in-addr.arpa. NS my-DNS-server-2
> > $GENERATE 96-102 $ IN CNAME $.96-103.194.65.99.in-addr.arpa.
>
> In my BIND9 zone file, it would look something like this:
>
> > $ORIGIN 96-103.194.65.99.in-addr.arpa.
> > @ SOA ...
> > @ NS my-dns-server-1.
> > @ NS my-dns-server-2.
> > 96 IN PTR server1.example.com.
> > 97 IN PTR server2.example.com.

See RFC2317.

> The advantage to this system to the number providers is they would have one administrative record per customer, instead of having to deal with each PTR record individually. The advantage to customers is they don't have to beg and snivel to get PTR records, just beg and snivel once to get the delegation. The advantage to DNS server providers is they have something else to sell.
>
> Want to encourage IPv6 adoption? This would help.
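Both replies above end at "see RFC2317". The following is an added illustration (not code from the thread or from any of the posters) that generates the RFC 2317 records instead of keying them by hand: given a sub-/24 IPv4 block and the customer's nameservers, it emits what the /24 holder puts in its reverse zone (an NS set for the "first-last" sub-zone plus one CNAME per address) and a skeleton of the customer's own zone. Every name and address below is a constructed placeholder.

```python
"""RFC 2317 classless in-addr.arpa delegation, generated rather than hand-keyed.
Added illustration; names and addresses are constructed placeholders."""
import ipaddress
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network


def parent_zone(net: IPv4Net) -> str:
    """The /24 reverse zone that contains the block, e.g. 2.0.192.in-addr.arpa."""
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def subzone(net: IPv4Net) -> str:
    """RFC 2317 sub-zone name using the first-last convention seen in the thread."""
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 is for blocks between /25 and /31; a /24 or larger gets a normal delegation")
    first = int(str(net.network_address).split(".")[3])
    last = int(str(net.broadcast_address).split(".")[3])
    return f"{first}-{last}.{parent_zone(net)}"


def parent_records(net: IPv4Net, nameservers: List[str]) -> List[str]:
    """Records for the /24 holder's zone: delegate the sub-zone, then point every
    address in the block (network and broadcast included, as RFC 2317 does) at it."""
    sub = subzone(net)
    records = [f"{sub} IN NS {ns}" for ns in nameservers]
    for addr in net:  # IPv4Network iteration yields all addresses, not just hosts
        octet = int(str(addr).split(".")[3])
        records.append(f"{octet}.{parent_zone(net)} IN CNAME {octet}.{sub}")
    return records


def child_zone(net: IPv4Net, nameservers: List[str], ptrs: Dict[str, str]) -> List[str]:
    """Skeleton of the customer-side zone (BIND syntax) with one PTR per host.
    Refuses PTRs for addresses outside the delegated block, since the parent's
    CNAMEs never point there and the record would be unreachable."""
    sub = subzone(net)
    lines = [f"$ORIGIN {sub}",
             f"@ IN SOA {nameservers[0]} hostmaster.{sub} 1 3600 900 604800 3600"]
    lines += [f"@ IN NS {ns}" for ns in nameservers]
    for ip, name in sorted(ptrs.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is not inside {net}")
        lines.append(f"{ip.rsplit('.', 1)[1]} IN PTR {name}")
    return lines


if __name__ == "__main__":
    block = ipaddress.ip_network("192.0.2.96/29")  # constructed
    servers = ["ns1.example.", "ns2.example."]  # constructed
    print("\n".join(parent_records(block, servers)))
    print()
    print("\n".join(child_zone(block, servers, {"192.0.2.96": "server1.example.com.",
                                                 "192.0.2.97": "server2.example.com."})))
```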
Re: South Africa On Lockdown - Coronavirus - Update!
On Mon, Mar 23, 2020 at 19:25 Owen DeLong wrote:
> I confess I haven't investigated the implementation details, but is it possible for one to issue yubikeys to an employee in a secure way with those features disabled?

Yes. And changing that setup either requires a separate admin pin or wiping the associated private key data to reconfigure. It depends on which application/mode. FIDO I believe is most inflexible here as it can only be short touch to activate. I don't use the HID keyboard mode OTP keying app/feature so I'm not terribly familiar with that. It might be that it can be configured limited such that N in X seconds or a replug is required (to circumvent the timer) but I really do not know. If people are really curious I can grab a spare key and check. I use the CCID/smart card type modes. I do know that the touch OTP key feature requires wiping the associated private key data, or having it available to reprogram and change options. They're a shared secret mode so the yubikey authentication server has those private keys.

> It's the allowing the employee to make a poor choice not necessarily desired by the employer thing that seems to me is the issue in this case.
>
> > > I agree that this abuse of the yubikey is more an issue of implementation than the inherent nature of the yubikey, but the yubikey does allow this kind of abuse in ways that other tokens don't facilitate.
> >
> > That's like saying that cars are worse than bicycles, because cars allow you to drive into things at a more dangerous speed. I mean, yes, but ….
>
> Cars are more dangerous than bicycles, but everything is a matter of balancing tradeoffs.
>
> In this case, I'm not sure the yubikey offers anything over the Secur-ID to balance that increased hazard.
>
> Owen
Re: crypto frobs
On Mon, Mar 23, 2020 at 20:08 Michael Loftis wrote:
> On Mon, Mar 23, 2020 at 18:50 William Herrin wrote:
> > On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari wrote:
> > > Well, yes and no. With a Yubikey the attacker has to be local to physically touch the button[0] - with just an SSH key, anyone who gets access to the machine can take my key and use it. This puts it in the "something you have" (not something you are) camp.
> >
> > Hi Warren,
> >
> > They're both "something you have" factors. The yubi key proves possession better than the ssh key just like a long password proves what-you-know better than a 4-digit PIN. But the ssh key and the yubi key are still part of the same authentication factor.
> >
> > > Not really -- if an attacker steals my laptop, they don't have the yubikey (unless I store it in the USB port).
> >
> > You make a habit of removing your yubi key from the laptop when nature calls? No you don't.
> >
> > > If they *do* steal both, they can bruteforce the SSH passphrase, but after 5 tries of guessing the Yubikey PIN it self-destructs.
> >
> > What yubikey are you talking about? I have a password protecting my ssh key but the yubikeys I've used (including the FIPS version) spit out a string of characters when you touch them. No pin.
>
> The yubikey does many things depending on how it's configured. None of mine use the touch to spit out OTP mode, that is the factory mode though yes. Other modes can be password protected (it uses the PIN nomenclature which is confusing, it definitely accepts ASCII and may even take binary data as a PIN depending on mode of operation) -- it can present as industry standard smart card (I have one with a pin/password for code signing in Visual Studio f/ex...along with a backup kept locked elsewhere)

Replying to myself to clarify a bit...

The PKI/SSL private keys are on the Yubikey, password protected; signing is accomplished by VS passing the bits to be signed to the smart card application on the yubikey, which requires a password to enable/unlock. On the yubikey, depending on configuration, this is a just-once operation typically. So each signing op requires a password entry. But it could be configured differently. By only keeping the private keys on the yubikey it's something you have (the yubikey) and something you know (the password)... the yubikey (barring software bugs obviously) will not expose the private key, it only does the signing op. That same yubikey has a separate app and trust store in OpenGPG mode, which does signing for ssh pubkey auth, with a different private key. Same key also does FIDO, another application with another key store. The same key doing all that could also have a "long touch" to spit out an OTP.

> > Regards,
> > Bill Herrin
> >
> > --
> > William Herrin
> > b...@herrin.us
> > https://bill.herrin.us/
Re: crypto frobs
On Mon, Mar 23, 2020 at 18:50 William Herrin wrote:
> On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari wrote:
> > Well, yes and no. With a Yubikey the attacker has to be local to physically touch the button[0] - with just an SSH key, anyone who gets access to the machine can take my key and use it. This puts it in the "something you have" (not something you are) camp.
>
> Hi Warren,
>
> They're both "something you have" factors. The yubi key proves possession better than the ssh key just like a long password proves what-you-know better than a 4-digit PIN. But the ssh key and the yubi key are still part of the same authentication factor.
>
> > Not really -- if an attacker steals my laptop, they don't have the yubikey (unless I store it in the USB port).
>
> You make a habit of removing your yubi key from the laptop when nature calls? No you don't.
>
> > If they *do* steal both, they can bruteforce the SSH passphrase, but after 5 tries of guessing the Yubikey PIN it self-destructs.
>
> What yubikey are you talking about? I have a password protecting my ssh key but the yubikeys I've used (including the FIPS version) spit out a string of characters when you touch them. No pin.

The yubikey does many things depending on how it's configured. None of mine use the touch to spit out OTP mode, that is the factory mode though yes. Other modes can be password protected (it uses the PIN nomenclature which is confusing, it definitely accepts ASCII and may even take binary data as a PIN depending on mode of operation) -- it can present as industry standard smart card (I have one with a pin/password for code signing in Visual Studio f/ex...along with a backup kept locked elsewhere)

> Regards,
> Bill Herrin
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
Re: South Africa On Lockdown - Coronavirus - Update!
On Mon, Mar 23, 2020 at 4:53 PM Sabri Berisha wrote:
>
> Hi,
>
> In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they'd have a small python script which was triggered by a hotkey on my macbook to push "keyboard" input. They did this because the org they were working for would make you use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.
>
> Thanks,

This is an artifact of a poor implementation, not of a yubikey or any other security. Yubikeys support MANY methods of authentication. I have a number of them, a couple of them are setup for TOTP (using yubico authenticator), FIDO (native), and use the GPG functionality for ssh public key auth via agent. Pre-generating or replaying will not work with any of those methods. So saying "Yubikeys are not very secure" is very incorrect. The specific deployment decisions weren't great in your specific case.

Any OTP system based on incrementing counters could be abused in this manner if the OTP keys can be generated rapidly and saved. TOTP is the common method for solving this with 2FA. Yubikeys also support a number of challenge/response type authentications (which is effectively what my GPG setup does, and what FIDO sort of does)
Re: power to the internet
On Wed, Dec 25, 2019 at 19:00 Constantine A. Murenin wrote:
> On Wed, 25 Dec 2019 at 19:32, Michael Thomas wrote:
>
> > On the dark side, this is probably coming to a lot more states and countries due to climate change. Australia. Sigh.
>
> Do you have a source for this? It would seem that these power issues are rather unique to California not because of some "climate change" bogeyman, but rather because of a failed public policy at the state level.
>
> It would also seem that these issues of rolling blackouts aren't even new to California, either, as, apparently, it's already been the norm during 2000/2001:

Having lived through the blackouts that was entirely different. 90% Enron manipulating the markets. There was plenty of capacity both in transmission and generation, but Enron manipulated prices and apparent supply to make money and screwed the whole state over. There was just about 2x the generating capacity, no real shortage. This time it's PG&E all alone, but still fallout from back then. Too much liability and they've not maintained the infrastructure and so they decided that to reduce the liability costs it's cheaper to blackout. Same story again different colors. PG&E making a mint while people get screwed (PG&E was mostly at the getting screwed end in 2000-2001)

> * https://en.wikipedia.org/wiki/California_electricity_crisis
>
> C.
Re: improving signal to noise ratio from centralized network syslogs
On Thu, Jan 25, 2018 at 8:11 PM Joe Maimon wrote:
> Hey All,
>
> Centralized logging is a good thing. However, what happens is that every repetitive, annoying but not (usually) important thing fills up the log with reams of what you are not looking for.
>
> Networks are a noisy place and silencing every logged condition is impractical and sometimes undesirable.
>
> What I am interested in is an automated zoom-in zoom-out tool to mask the repetition of "normal" events and allow the unusual to stand out.
>
> Add to that an ability to identify gaps in the background noise. (The dog that didnt bark)
>
> What I am not interested in are solutions based upon preconfigured filters and definitions and built in analysis for supported (prepopulated definitions) platforms, this is all about pattern mining/masking and should be self discoverable. Ideally a command tool to generate static versions of the analysis coupled with a web platform (with zoom +- buttons) for realtime.
>
> I made a crude run of it with SLCT, using its generated patterns to grep -v, and that in and of itself was useful, but needs a bit of work. Also, its not quite real time.
>
> Any ideas would be greatly appreciated.

Not cheap, but Splunk comes to mind.

> Joe
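The SLCT-style approach the question describes (mine frequent patterns, mask them, and watch for the dog that didn't bark), as an added illustration that is not code from the thread or from SLCT itself: it clusters lines into templates by frequent (position, token) pairs, lists the lines that do not fit a frequent template, and flags periodic templates that skipped a period. The sample log is constructed, with a minute-of-hour stamp as the first field.

```python
"""SLCT-style log pattern mining: mask the frequent, surface the rare, flag the silent.
Added illustration; the sample log below is constructed."""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Template = Tuple[str, ...]

# Constructed: two routers logging an ntpd heartbeat every minute, one ssh failure,
# one interface flap, and rtr2's heartbeat missing at minute 03.
SAMPLE_LOG = """\
00 rtr1 ntpd: peer 10.0.0.250 reachable
00 rtr2 ntpd: peer 10.0.0.250 reachable
01 rtr1 ntpd: peer 10.0.0.250 reachable
01 rtr2 ntpd: peer 10.0.0.250 reachable
01 rtr1 sshd: failed password for root from 203.0.113.9
02 rtr1 ntpd: peer 10.0.0.250 reachable
02 rtr2 ntpd: peer 10.0.0.250 reachable
03 rtr1 ntpd: peer 10.0.0.250 reachable
04 rtr1 ntpd: peer 10.0.0.250 reachable
04 rtr2 ntpd: peer 10.0.0.250 reachable
04 rtr1 link: GigE0/1 down
04 rtr1 link: GigE0/1 up
05 rtr1 ntpd: peer 10.0.0.250 reachable
05 rtr2 ntpd: peer 10.0.0.250 reachable
"""


def split_line(line: str) -> Tuple[str, List[str]]:
    """First field is the timestamp (kept aside so it never becomes a pattern token)."""
    stamp, _, rest = line.partition(" ")
    return stamp, rest.split()


def mine_templates(lines: List[str], support: int) -> Tuple[List[Tuple[str, Template]], Set[Template]]:
    """SLCT in three steps: count (position, token) pairs; replace tokens below the
    support threshold with '*' to get each line's template; keep templates that
    occur at least `support` times as the 'normal' background."""
    parsed = [split_line(line) for line in lines]
    pair_counts = Counter((i, tok) for _, toks in parsed for i, tok in enumerate(toks))
    stamped: List[Tuple[str, Template]] = []
    for stamp, toks in parsed:
        tmpl = tuple(tok if pair_counts[(i, tok)] >= support else "*" for i, tok in enumerate(toks))
        stamped.append((stamp, tmpl))
    frequent = {t for t, n in Counter(t for _, t in stamped).items() if n >= support}
    return stamped, frequent


def unusual_lines(log: str, support: int = 3) -> List[str]:
    """The automated 'grep -v' of the frequent patterns: lines whose template is rare."""
    lines = [line for line in log.splitlines() if line.strip()]
    stamped, frequent = mine_templates(lines, support)
    return [line for line, (_, t) in zip(lines, stamped) if t not in frequent]


def missing_periods(log: str, support: int = 3) -> Dict[str, List[str]]:
    """For every frequent template present in at least half of the periods, report
    the periods in which it did not appear at all (the dog that didn't bark)."""
    lines = [line for line in log.splitlines() if line.strip()]
    stamped, frequent = mine_templates(lines, support)
    periods = sorted({stamp for stamp, _ in stamped})
    seen: Dict[Template, Set[str]] = defaultdict(set)
    for stamp, t in stamped:
        if t in frequent:
            seen[t].add(stamp)
    gaps: Dict[str, List[str]] = {}
    for t, stamps in seen.items():
        if 2 * len(stamps) >= len(periods):  # periodic enough that absence means something
            missing = [p for p in periods if p not in stamps]
            if missing:
                gaps[" ".join(t)] = missing
    return gaps


if __name__ == "__main__":
    print("unusual:", *unusual_lines(SAMPLE_LOG), sep="\n  ")
    print("gaps:", missing_periods(SAMPLE_LOG))
```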
Re: Google DNS intermittent ServFail for Disney subdomain
None of the NS records/delegations are in agreement. com delegations don't agree with authoritative in disney.com, and disney.com's delegations don't agree with studio.disney.com's NSen.

On Fri, Oct 20, 2017 at 7:35 AM, Christopher Morrow wrote:
> On Fri, Oct 20, 2017 at 1:10 AM, David Sotnick wrote:
>
> > Well well, it looks like a Direct Connect circuit to Google was leaking the route to this DMZ 153.7.233.0/24 back to Google via BGP.
> >
> > Return traffic from Google (for only some fraction of DNS queries) was passing back across this leaked route, and being dropped on this Direct Connect peering point at Disney.
> >
> > Gotta love it when a problem is solved, by the OP, within an hour of resorting to mailing the NANOG community.
>
> This shows some issues as well, I think?
> http://dnsviz.net/d/studio.disney.com/servers/
>
> $ dig NS disney.com
>
> ;; ANSWER SECTION:
> disney.com. 4676 IN NS huey11.disney.com.
> disney.com. 4676 IN NS huey.disney.com.
> disney.com. 4676 IN NS Orns02.dig.com.
> disney.com. 4676 IN NS Orns01.dig.com.
> disney.com. 4676 IN NS Sens02.dig.com.
> disney.com. 4676 IN NS Sens01.dig.com.
>
> $ dig NS studio.disney.com @huey11.disney.com.
> ;; AUTHORITY SECTION:
> studio.disney.com. 600 IN NS wallyb.pixar.com.
> studio.disney.com. 600 IN NS andre.pixar.com.
> studio.disney.com. 600 IN NS cliff.studio.disney.com.
> studio.disney.com. 600 IN NS norm.studio.disney.com.
>
> $ for d in $(dig +short NS disney.com); do dig +short SOA disney.com @$d; done
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
>
> $ for d in $(dig +short NS studio.disney.com); do dig +short SOA studio.disney.com @$d; done
> cliff.studio.disney.com. admin.studio.disney.com. 2017101904 10800 3600 604800 86400
> cliff.studio.disney.com. admin.studio.disney.com. 2017101904 10800 3600 604800 86400
> cliff.studio.disney.com. admin.studio.disney.com. 2017101904 10800 3600 604800 86400
> cliff.studio.disney.com. admin.studio.disney.com. 2017101904 10800 3600 604800 86400
> cliff.studio.disney.com. admin.studio.disney.com. 2017101904 10800 3600 604800 86400
>
> it looks like the second-level and third-level don't agree with each other on whom should be the NS for the third-level?
>
> that shouldn't be fatal, but is something to cleanup.
>
> > Thanks all, nothing to see here!
> >
> > -David
> >
> > On Thu, Oct 19, 2017 at 8:41 PM, David Sotnick wrote:
> >
> > > Hi Nanog,
> > >
> > > I am principal network engineer for sister-studio to Disney Studios. They have been struggling with DNS issues since Thursday 12th October.
> > >
> > > By all accounts it appears as though *some* of the Google DNS resolvers cannot reach the authoritative nameservers for "studio.disney.com".
> > >
> > > This is causing ~20-30% of all DNS requests against Google Public DNS 8.8.8.8 / 8.8.4.4 to fail for requests in this subdomain.
> > >
> > > The name servers reside in 153.7.233.0/24.
> > >
> > > Might someone be able to *connect me* with someone at Google to assist my poor colleagues who are banging their heads against a brick wall here.
> > >
> > > Thank you,
> > > David
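The two checks done by hand in the quoted output above (parent delegation NS set versus the child's own NS set, and SOA serial agreement across the child's servers), as an added illustration that is not code from the thread. It consumes strings in `dig +short` format so real output can be pasted in; the sample below is constructed with placeholder names, and it deliberately includes a mixed-case server name, since DNS names compare case-insensitively and a naive string comparison would report a false mismatch.

```python
"""Zone-cut consistency check: delegation vs apex NS RRset, and SOA serials.
Added illustration; sample data is constructed with placeholder names."""
from typing import Dict, Set


def canon(name: str) -> str:
    """DNS names are case-insensitive; normalise case and the trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def parse_ns_short(text: str) -> Set[str]:
    """Parse `dig +short NS <zone>` output (one server name per line)."""
    return {canon(line) for line in text.splitlines() if line.strip()}


def parse_soa_short(line: str) -> dict:
    """Parse one `dig +short SOA` line: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"not a +short SOA record: {line!r}")
    mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return {"mname": canon(mname), "rname": canon(rname), "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}


def compare_delegation(parent_ns: str, child_ns: str) -> dict:
    """The NS set the parent delegates to and the NS RRset at the child apex should
    be identical. A mismatch is not fatal for resolution, but different resolvers
    will follow different server sets, which is how intermittent failures arise."""
    p, c = parse_ns_short(parent_ns), parse_ns_short(child_ns)
    return {"consistent": p == c,
            "only_in_parent": sorted(p - c),
            "only_in_child": sorted(c - p)}


def check_soa_agreement(soa_by_server: Dict[str, str]) -> dict:
    """Every authoritative server should answer with the same SOA serial; a server
    behind the others usually means a stale secondary or broken zone transfer."""
    serials = {srv: parse_soa_short(line)["serial"] for srv, line in soa_by_server.items()}
    newest = max(serials.values())
    lagging = sorted(srv for srv, s in serials.items() if s != newest)
    return {"consistent": not lagging, "newest_serial": newest, "lagging": lagging}


# Constructed sample shaped like the thread's output: the parent still delegates to
# a retired server, the child added a new one, and the new one is behind on serial.
PARENT_NS = "ns1.parent.example.\nNS2.PARENT.EXAMPLE.\nold-ns.parent.example.\n"
CHILD_NS = "ns1.parent.example.\nns2.parent.example.\nns3.child.example.\n"
CHILD_SOA = {
    "ns1.parent.example.": "ns1.parent.example. admin.child.example. 2017101904 10800 3600 604800 86400",
    "ns2.parent.example.": "ns1.parent.example. admin.child.example. 2017101904 10800 3600 604800 86400",
    "ns3.child.example.": "ns1.parent.example. admin.child.example. 2017101890 10800 3600 604800 86400",
}


def run_sample() -> dict:
    return {"delegation": compare_delegation(PARENT_NS, CHILD_NS),
            "soa": check_soa_agreement(CHILD_SOA)}


if __name__ == "__main__":
    print(run_sample())
```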
Re: Moving fibre trunks: interruptions?
If it is in the railroad RoW they may be restricted to daylight working only. Check with your provider or OSP crew.
Re: BCM5341x
The chip really doesn't even function as an Ethernet switch by itself...all of the behavior is software driven. It's the ... actualization of "software defined networking" -- It provides a lot of low level constructs inside the hardware to support your application, but it's really a software defined switch. It has many programmable offload functions, the idea being you do not handle packets on the onboard CPU.

ContentAware is their term for L4-L7 I believe; I don't think it's much more than simple pattern matching in the hardware and can be used to apply as ACL or drive QoS decisions. The chip can do things like handle limited v4/v6 lookups and routing (but it's not going to do ARP response... nor LACP...)

It has a huge number of integrated hardware counters, lots are built in but you can count basically anything the hardware can match (which is basically anything you can describe in a stateless manner). So s-flow... probably in hardware it can be programmed to do most or all of it as it's largely copying a buffer into a header but I don't have the data sheets so couldn't say for sure.

MCLAG/MLAG, sure, that's software directed and behaves exactly like LACP or static lag down at the hardware. Really the hardware doesn't much care as that all exists above it in the control plane.

I'm not clear at all what depth of v4/v6 classification they support - but that's usually the basics of QoS and calling it out specifically is marketing wankery I think. How big the tables can get I don't know. Nearly two decades ago they had 2k in the L3 space with 8K in L2 on 24x100+2x1G ... so I can't imagine it's less than that for table sizes :) probably like 8k/4K entries range as the RAMs and TCAMs haven't scaled up in speed very well.

On Sat, Dec 24, 2016 at 15:52 Mike Hammett wrote:
> I've asked Broadcom directly, but being as though I don't have an intent to buy tens of thousands of chips (or any at all), I don't expect I'll hear back. I was hoping someone here would have some insight.
>
> Do any of you know what functionality is available on those chips? That's the chip that powers the Ubiquiti 10G switches and I figured I would limit my most aggressive feature requests to things they can actually deliver with the platform as is.
>
> Other than things you just assume a managed switch has like 802.1p and 802.1q, it mentions an advanced ContentAware™ Engine (which means?), IEEE1588 (sync over Ethernet), 802.1ag (OAM stuff), "Enhanced DoS attack statistics gathering" (which means?), "IPv4/IPv6 L3 packet classification" (which means?), etc.
>
> I'm sure there's an array of things to ask about, but MLAG and S-Flow are at the top of my list at the moment.
>
> https://www.broadcom.com/products/ethernet-connectivity/switch-fabric/bcm5341x/
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
Re: 10G switch drops traffic for a split second
Yeah you also have to look for not so obvious things like MAC Pause frames sent/received...QoS counters, all sorts of VERY platform specific stuff. Right royal pain, especially since some do not expose these statistics at all.

On Tue, Nov 29, 2016 at 3:10 PM, Peter Beckman wrote:
> On Tue, 29 Nov 2016, TJ Trout wrote:
>
> > I plan on disabling FC on everything tonight, I've done that before but I want to be sure.
> >
> > Anything that can be done about the 2 x 1G peers trunking to the 10G router transition that can be fixed? should I be rate limiting the vlan for the peers at 1G so the 10G router isn't trying to send more than 1G?
>
> This thread reminded me of a blog post that struck me as useful 5 years ago, and again today. Measuring throughput, when dealing with buffers and troubleshooting errors and packet loss, must be done at a sub-one-second sampling rate.
>
> http://blog.serverfault.com/2011/06/27/per-second-measurements-dont-cut-it/
>
> Beckman
> ---
> Peter Beckman Internet Guy
> beck...@angryox.com http://www.angryox.com/
> ---
Re: 10G switch drops traffic for a split second
Yes it is absolutely possible to overrun the buffers. Any kind of backpressure (FC) from hosts, or 10G->1G transitions can easily cause it. Even if in a 10s window you're not over 1G, if the 10G sender attempts to back to back too many frames in a row (like say sendfile() API type calls) BOOM, dropping frames in the switch.

On Tue, Nov 29, 2016 at 1:28 PM, TJ Trout wrote:
> Luke;
>
> All l2, no l3. only 4 vlans. 2 peers trunked to a router which trunks back to 2 devices (microwave backhauls).
>
> Chuck;
>
> All ports are 10g except the 2 peers are 1g and trunk back to a 10g port for the router wan
>
> No TCN's
>
> Brian;
>
> I have tried a IBM G8124 and a Ubiquiti ES-16-XG both show same exact drops across all ports, makes me think it's a config issue. MTU, FC, something.
>
> Andrew;
>
> I have tried with FC disabled, but I will try that one more time.
>
> Mikael;
>
> Is it possible to over run the buffers of a 320gbps backplane switch with only 1.5gbps traffic? I think the switch is rated for 140m PPS and I'm only pushing 100k PPS
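The 10G-to-1G overrun described in the reply above, as an added illustration (not code from the thread): a small discrete-event model of one tail-drop egress queue, fed a back-to-back burst at 10G and drained at 1G, next to the same bytes spread evenly over a second. Times are integer nanoseconds; frame size, buffer size and burst length are constructed and only meant to be in a plausible range for a shallow-buffer switch port.

```python
"""Why a port can drop frames while its per-second counter says 12 Mbit/s.
Added illustration; frame size, buffer size and burst length are constructed."""
from typing import List, Tuple

Frame = Tuple[int, int]  # (time the frame has fully arrived, in ns; size in bytes)


def back_to_back(count: int, size_bytes: int, ingress_bps: int, start_ns: int = 0) -> List[Frame]:
    """Frames with no inter-frame gap at ingress line rate, like a sendfile() burst at 10G."""
    gap_ns = size_bytes * 8 * 1_000_000_000 // ingress_bps
    return [(start_ns + (i + 1) * gap_ns, size_bytes) for i in range(count)]


def evenly_spaced(count: int, size_bytes: int, window_ns: int) -> List[Frame]:
    """The same byte count spread over the window: same 1 s average, no burst."""
    return [((i + 1) * (window_ns // count), size_bytes) for i in range(count)]


def simulate_egress(frames: List[Frame], egress_bps: int, buffer_bytes: int) -> dict:
    """Tail-drop FIFO: between arrivals the queue drains at the egress rate; an
    arriving frame is enqueued only if it fits in what is left of the buffer.
    Returns the drop count, the peak occupancy, and the total offered bits (what a
    once-per-second counter would average away)."""
    queued_bits = 0
    last_ns = 0
    dropped = 0
    peak_bits = 0
    offered_bits = 0
    drain_credit = 0  # sub-bit remainder carried between drains, keeps the maths exact
    for t_ns, size in frames:
        drain_credit += (t_ns - last_ns) * egress_bps
        drained = drain_credit // 1_000_000_000
        drain_credit -= drained * 1_000_000_000
        queued_bits = max(0, queued_bits - drained)
        last_ns = t_ns
        bits = size * 8
        offered_bits += bits
        if queued_bits + bits > buffer_bytes * 8:
            dropped += 1  # no room: the switch discards the frame
        else:
            queued_bits += bits
            peak_bits = max(peak_bits, queued_bits)
    return {"dropped": dropped, "peak_buffer_bytes": peak_bits // 8, "offered_bits": offered_bits}


def burst_vs_spread(count: int = 1000, size_bytes: int = 1500,
                    buffer_bytes: int = 100_000) -> dict:
    """Same 1.5 MB in one second, sent two ways into a 1G port with a 100 kB buffer."""
    ingress, egress, one_second = 10_000_000_000, 1_000_000_000, 1_000_000_000
    burst = simulate_egress(back_to_back(count, size_bytes, ingress), egress, buffer_bytes)
    spread = simulate_egress(evenly_spaced(count, size_bytes, one_second), egress, buffer_bytes)
    return {"burst": burst, "spread": spread,
            "one_second_average_mbps": burst["offered_bits"] / 1_000_000}


if __name__ == "__main__":
    print(burst_vs_spread())  # burst drops most frames; spread drops none; average ~12 Mbit/s
```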
Re: [c-nsp] SFP DOM SNMP Polling?
On Tue, Nov 22, 2016 at 6:32 AM, Tim Durack wrote:
> I have a vendor that does not support SFP DOM SNMP polling. They state this is due to EEPROM read life cycle. Constant reads will damage the SFP.

Complete and total garbage. Reading from EEPROM and Flash both DO NOT WEAR. It is the erase+write cycle that wears them. Further typical EEPROM life cycle is ~1M erase/write cycles. If you wrote it every minute you could conceivably wear it out in a couple years...but that's flat out not how it works. The EEPROM, if any, is not going to be used for statistics data...maybe fail counts of some kind, lifetime (hours) maybe...that sort of thing.

> We SNMP poll SFP DOM from Cisco equipment without issue.
>
> Not heard this one before. Trying to see if there is some validity to the statement. Thoughts?
>
> Tim:>
> ___
> cisco-nsp mailing list cisco-...@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: Standard terminology for a dark fiber path?
IDK what elsewhere uses but strand or (less common) span is the common term I've seen specifically for a passive piece of glass between two points.

On Wed, Feb 24, 2016 at 12:55 PM, Fletcher Kittredge wrote:
> What is the standard terminology for strands of dark fiber spliced together to form a continuous path between points A and Z?
>
> I have seen:
>
> - *fiber circuit* [but also seen used to denote a connection at the network layer over a physical fiber connection. This definition of circuit would include the dark fiber path, the transmitters and receivers and logic making up the data and network layers.]
> - *fiber loop* [ Does a loop define an electrical circuit with two physically separate positive and negative strands? In that case, is this a Bellhead remnant? ]
>
> I am particularly interested in last mile systems, but I don't see any reason that the term wouldn't be the same in the middle mile.
>
> thanks,
> Fletcher
>
> --
> Fletcher Kittredge
> GWI
> 8 Pomerleau Street
> Biddeford, ME 04005-9457
> 207-602-1134
Re: Bandwidth estimation question
On Friday, October 2, 2015, Dylan Ambauen wrote:
> ...
> Enjoy a worldwide caching reverse proxy with limitless resources, priced per page view. Maybe someone can recommend a IPv6 capable CDN service.

Cloudflare. Also does IPv6 on the client facing side while doing IPv4 to you.
Re: Level3 NOC Contact
AFAIK there's no longer any way to get their attention unless you're a customer AND have signed up for their online portal system at https://my.level3.com/ - and I wouldn't expect anything stellar then either. You'll likely have to do your own troubleshooting through them as my recent experiences have shown little to no clue or assistance from them. They were happy to do as asked but weren't able, or willing, or whatever to do anything on their own. Make certain you get the problem category right too or you'll be stuck in the wrong team without any of them telling you that.

On Friday, June 26, 2015, Nathanael C. Cariaga nathanael.cari...@adec-innovations.com wrote:
> Hi,
>
> Any Level3 NOC contacts on the list? Our link in Irvine has been on and off for a few minutes already. Would appreciate replies offline..
>
> Thanks!
> -nathan
Re: Google's Safe Browsing Alerts for Network Administrators
My problem with Google's Safe Browsing alerts is that from the admin side they rarely are useful/usable. They make a big loud noisy complaint without ANYTHING to substantiate what the issue is to correct it. You're left searching your own site trying to figure out what in the heck it's complaining about.

On Thu, Jan 8, 2015 at 3:54 PM, Frank Bulk frnk...@iname.com wrote:
> I want to make this forum aware of Google's Safe Browsing Alerts for Network Administrators (https://www.google.com/safebrowsing/alerts/). I've had a link to their diagnostic page for several years (https://www.google.com/safebrowsing/diagnostic?site=AS:hl=it-it, where is your ASN), but I didn't know that Google actually had a way to alert ASN owners of new incidents. I checked NANOG's archive and haven't ever seen it mentioned, so I thought there might be more like me that weren't aware.
>
> And while I'm on the subject, I want to make people aware of a somewhat related service by ShadowServer (https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork).
>
> Frank
Re: Keeping Track of Data Usage in GB Per Port
IPDR under DOCSIS and generally RADIUS or TACACS(+) for DSL. Unclear personally about fiber/FiOS deployments (never been near enough to know). Flow (sflow, nflow, ipfix, etc) generally doesn't scale and is woefully inaccurate.

On Wednesday, October 15, 2014, Colton Conor colton.co...@gmail.com wrote:
> I see in past news articles that cable companies are inaccurately calculating customers' data usage for their online GB of usage per month. My question is how do you properly determine how much traffic in bytes a port passes per month? Is it different if we are talking about an ethernet port on a cisco switch vs a DSL port on a DSLAM for example?
>
> I would think these access switches would have some sort of stat you can count similar to a utility meter reader on a house. See what it was at last month, see what it is at this month, subtract last month's from this month's, and the difference is the total amount used for that month.
>
> Why are the cable companies having such a hard time? Is it hard to calculate data usage per port? Is it done with SNMP or some other method? What is the best way to monitor a 48 port switch for example, and know how much traffic they used?
>
> https://gigaom.com/2013/02/07/more-bad-news-about-broadband-caps-many-meters-are-inaccurate/
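The "utility meter" method the question describes (read the octet counter, read it again later, subtract) is where the inaccuracy usually comes from, because interface counters wrap and reset. The following is an added example, not code from the list thread or any vendor: it does the subtraction while detecting counter wrap (ifInOctets is 32 bits, ifHCInOctets 64 bits) and device reboots, and refuses intervals in which a 32-bit counter could have wrapped more than once. All sample values are constructed.

```python
"""Per-port byte accounting from periodic SNMP interface counter samples.

Added example, not code from the list post: it implements the "utility
meter" approach the question describes (read the counter, read it again,
subtract) and handles the two things that make a naive subtraction wrong:
counter wrap (ifInOctets is 32 bits, ifHCInOctets 64 bits, both restart at
zero when full) and device reboot (counters reset). All sample values are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

COUNTER32_MOD = 2 ** 32
COUNTER64_MOD = 2 ** 64


@dataclass(frozen=True)
class Sample:
    timestamp: int   # poll time, seconds since epoch (constructed)
    value: int       # raw octet counter as returned by SNMP
    sys_uptime: int  # sysUpTime in seconds, used to detect reboots


def counter_delta(prev: Sample, cur: Sample, width: int = 64,
                  link_bps: Optional[int] = None) -> Optional[int]:
    """Octets moved between two samples, or None if the delta is untrustworthy.

    width is the counter width in bits (32 for ifInOctets, 64 for
    ifHCInOctets). link_bps, when given, is the interface speed and lets the
    function refuse intervals in which a narrow counter could have wrapped
    more than once, which no arithmetic can recover.
    """
    modulus = COUNTER64_MOD if width == 64 else COUNTER32_MOD
    if cur.sys_uptime < prev.sys_uptime:
        # sysUpTime went backwards: the device rebooted and the counter
        # restarted, so the traffic before the reboot is simply unknown
        return None
    if link_bps is not None:
        max_octets = (cur.timestamp - prev.timestamp) * link_bps // 8
        if max_octets >= modulus:
            # e.g. a 32-bit counter on a 1 Gbit/s port wraps every ~34 s, so a
            # 5-minute poll interval can hide several wraps: poll faster or
            # use the 64-bit counter instead
            return None
    if cur.value >= prev.value:
        return cur.value - prev.value
    # exactly one wrap happened in this interval
    return cur.value + modulus - prev.value


def period_usage(samples: Iterable[Sample], width: int = 64,
                 link_bps: Optional[int] = None) -> Dict[str, int]:
    """Sum the trustworthy deltas over a billing period.

    Returns the octet total plus the number of intervals that had to be
    discarded, so the caller can tell a clean month from a lossy one
    instead of silently under-billing.
    """
    total, discarded, prev = 0, 0, None
    for cur in samples:
        if prev is not None:
            d = counter_delta(prev, cur, width, link_bps)
            if d is None:
                discarded += 1
            else:
                total += d
        prev = cur
    return {"octets": total, "discarded_intervals": discarded}


if __name__ == "__main__":
    # Constructed 32-bit counter samples on a 100 Mbit/s port, polled every minute
    polls = [
        Sample(0, 4_000_000_000, 1000),
        Sample(60, 100_000_000, 1060),   # wrapped once in this interval
        Sample(120, 50, 10),             # sysUpTime reset: the device rebooted
    ]
    print(period_usage(polls, width=32, link_bps=100_000_000))
```

The discarded-interval count is the useful part for a billing system: a month with discarded intervals should be flagged for review rather than billed as if the gaps were zero traffic.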
Re: GApps admin = rogered
This is 4-5 minutes after the OP emailed

On Thursday, October 9, 2014, Mitch Patterson via Outages outa...@outages.org wrote:
> Shows an issue to me
>
> Time  Description
> 10/9/14 7:11 PM  We're investigating reports of an issue with Admin console. We will provide more information shortly. Users are seeing the Admin console refresh continuously on loading.
>
> On Thu, Oct 9, 2014 at 7:07 PM, Blair Trosper via Outages outa...@outages.org wrote:
>> Just a heads up to our friends at Google Apps. Despite the status page saying all is peachy:
>> http://www.google.com/appsstatus#hl=env=status
>> ...the administration page for any Google Apps for domains is totally rogered. It's either an endless redirect loop or a deluge of errors. I'd call for premium support, but I can't even see that.
>>
>> Again, a friendly heads up and nudge that perhaps the status page should at least be updated to reflect the fact that it's non-operational.
>>
>> ___
>> Outages mailing list
>> outa...@outages.org
>> https://puck.nether.net/mailman/listinfo/outages
Re: Link Layer Filtering not supported on popular equipment?
On Wed, Mar 26, 2014 at 9:08 AM, hasser css hasserva...@gmail.com wrote:
> Is there any common equipment that doesn't support this kind of filtering? I have no access to the switches where I work (I am just a CS agent at a smaller service provider), but my boss tells me that they do not support doing this... however, I do not believe this at all. I think that all the switches are all from Dell. Issues are happening as some customers accidentally have rogue DHCP servers running from their routers being connected improperly, and his only solution to this issue is to disable the switch port instead of simply preemptively filtering out this. Any insight? Regards.

The supported options vary within the PowerConnect product line. So it depends entirely on WHAT exact switch. Some do support DHCP snooping like that, some don't. Even with it on it can create its own problems, on the 6248 f/ex this causes the DHCP replies from trusted ports to always get copied to the CPU so it can inspect them and create its VLAN+MAC+IP bindings databases. All untrusted port DHCP traffic gets punted to CPU. The gist is that this can open up a potential DoS attack on the switch, or, even without that, the DHCP traffic might be too high for the switch to manage. Similar issues with ACLs.

There are some options in Cisco (not certain if any of Dell's products have this) that basically keep ports from talking to each other, but allow them to talk to the upstream port (usually a router that can then enforce deeper ACLs and such). All of these additional protection/security methods can have their drawbacks for any particular environment, assuming the hardware even supports them.
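To make the trade-off in the reply concrete, here is a toy DHCP snooping engine as an added example (not Dell, Cisco or list-post code): server-side messages arriving on untrusted customer ports are dropped, every client message from an untrusted port is counted against a per-port rate limit because the CPU has to inspect it, and ACKs seen on trusted ports populate the VLAN+MAC+IP binding table that an IP-source-guard style check consults. Port names, MACs, addresses and timings are constructed.

```python
"""Toy DHCP snooping engine, added to illustrate the behaviour described
above (server replies dropped on untrusted ports, client messages punted to
the CPU and therefore rate-limited, a VLAN+MAC+IP binding table built from
ACKs seen on trusted ports). It is not Dell, Cisco or list-post code; port
names, MACs and timings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpMsg:
    port: str
    vlan: int
    src_mac: str        # Ethernet source of the frame
    kind: str           # DISCOVER / OFFER / REQUEST / ACK / NAK / RELEASE ...
    chaddr: str = ""    # client hardware address in the DHCP payload
    yiaddr: str = ""    # address handed out (OFFER/ACK only)
    t: float = 0.0      # arrival time in seconds (constructed)


@dataclass
class SnoopingSwitch:
    trusted: Set[str]                       # uplink ports where servers may live
    rate_limit_pps: int = 15                # untrusted DHCP packets per port per second
    bindings: Dict[Tuple[int, str], Tuple[str, str]] = field(default_factory=dict)
    dropped: List[Tuple[str, str, str]] = field(default_factory=list)
    _pending: Dict[Tuple[int, str], str] = field(default_factory=dict)
    _window: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def _within_rate(self, port: str, t: float) -> bool:
        """Per-port, per-second counter: the CPU sees every untrusted packet."""
        sec = int(t)
        start, n = self._window.get(port, (sec, 0))
        if start != sec:
            start, n = sec, 0
        n += 1
        self._window[port] = (start, n)
        return n <= self.rate_limit_pps

    def process(self, m: DhcpMsg) -> str:
        """Return the decision taken for one DHCP message."""
        if m.port in self.trusted:
            if m.kind == "ACK" and m.chaddr and m.yiaddr:
                client_port = self._pending.get((m.vlan, m.chaddr))
                if client_port is not None:
                    # record where that client really lives, for source guard
                    self.bindings[(m.vlan, m.chaddr)] = (m.yiaddr, client_port)
                    return "forward+bind"
            return "forward"
        # everything below arrived on an untrusted (customer) port
        if m.kind in SERVER_MSGS:
            self.dropped.append(("rogue-server", m.port, m.src_mac))
            return "drop-rogue-server"
        if not self._within_rate(m.port, m.t):
            self.dropped.append(("rate-limit", m.port, m.src_mac))
            return "drop-rate-limit"
        if m.chaddr and m.chaddr != m.src_mac:
            # a client claiming someone else's hardware address
            self.dropped.append(("mac-mismatch", m.port, m.src_mac))
            return "drop-mac-mismatch"
        if m.kind in ("DISCOVER", "REQUEST"):
            self._pending[(m.vlan, m.src_mac)] = m.port
        return "forward"

    def source_ok(self, vlan: int, mac: str, ip: str, port: str) -> bool:
        """IP source guard check: is this (MAC, IP) bound to this port?"""
        return self.bindings.get((vlan, mac)) == (ip, port)


def demo() -> List[str]:
    """Replay a constructed sequence and return the decisions in order."""
    sw = SnoopingSwitch(trusted={"gi0/48"}, rate_limit_pps=3)
    c1 = "aa:bb:cc:00:00:01"
    srv = "00:00:5e:00:53:01"
    msgs = [
        DhcpMsg("gi0/1", 10, c1, "DISCOVER", chaddr=c1, t=0.0),
        DhcpMsg("gi0/7", 10, "de:ad:be:ef:00:07", "OFFER", chaddr=c1, yiaddr="10.0.0.200", t=0.1),
        DhcpMsg("gi0/48", 10, srv, "OFFER", chaddr=c1, yiaddr="10.0.0.5", t=0.2),
        DhcpMsg("gi0/1", 10, c1, "REQUEST", chaddr=c1, t=0.3),
        DhcpMsg("gi0/48", 10, srv, "ACK", chaddr=c1, yiaddr="10.0.0.5", t=0.4),
        DhcpMsg("gi0/2", 10, "aa:bb:cc:00:00:02", "DISCOVER", chaddr=c1, t=0.5),
    ]
    # a misbehaving customer router: five DISCOVERs in one second on one port
    msgs += [DhcpMsg("gi0/7", 10, "de:ad:be:ef:00:07", "DISCOVER",
                     chaddr="de:ad:be:ef:00:07", t=1.0 + i / 10) for i in range(5)]
    return [sw.process(m) for m in msgs]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The rate limiter is the part that matters for the DoS concern: without it, every untrusted DHCP packet reaches the CPU, and the switch's own control plane becomes the weakest link. The order of checks in process() also matters; the rogue-server check comes first so that a flood of bogus OFFERs is dropped without consuming the rate budget of legitimate clients on the same port.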
Re: Dell Power Volt 124T software
Basically anything. It works as a standard SCSI tape changer device using mtx, mt, and your favorite archiving software: tar, Amanda, bacula, arkeia, many others.

On Thursday, March 13, 2014, Maxime Godonou Dossou godomu...@gmail.com wrote:
> Hello all
>
> I just want to know someone here is using Dell PowerVault 124T as tape backup. I just get it but I would like to use Linux redhat 6.3 server as OS on my backup server. Can tell me if you know any open source software I can use to drive it.
>
> Sent from IPad
Re: As path for Junos
http://www.juniper.net/techpubs/en_US/junos13.3/topics/usage-guidelines/policy-configuring-as-path-regular-expressions-to-use-as-routing-policy-match-conditions.html

There's no backref support in the regex subset that Juniper has chosen to implement, see http://juniper.cluepon.net/index.php/ER_Detect_AS-PATH_prepends - and I don't think Juniper has gone anywhere with that engineering request.

On Fri, Mar 7, 2014 at 3:31 AM, Marco Paesani ma...@paesani.it wrote:
> Hi Everyone,
>
> I need a help to transform this Cisco IOS command:
>
> ip as-path access-list 50 permit _([0-9]+)_\1_\1_
>
> in Juniper JUNOS policy-options.
>
> Best regards,
> Marco
> M. +39 348 6019349
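The IOS entry quoted in the question matches any ASN that appears three times in a row, and it relies on the backreference `\1` that the reply says Junos' AS-path regex does not offer. As an added example (not Cisco or Juniper code), the block below renders the IOS expression as a Python regex with the same boundary semantics for `_`, and beside it shows the backreference-free way to get the same answer, a single pass over the tokenised path that counts consecutive repeats. The AS paths are constructed.

```python
"""Detecting an ASN prepended three times in an AS path.

Added example, not Cisco or Juniper code. It renders the quoted IOS entry
'ip as-path access-list 50 permit _([0-9]+)_\\1_\\1_' as a Python regex
(Python's engine has the backreference Junos' AS-path regex lacks) and
shows the equivalent check done on the tokenised path, which needs no
backreference at all. AS paths below are constructed.
"""
import re
from typing import Dict, List

# What IOS's '_' matches inside an AS path: start/end of string, space,
# comma, or an AS_SET / confederation delimiter.
_B = r"[\s,{}()]"
CISCO_TRIPLE = re.compile(
    r"(?:^|" + _B + r")([0-9]+)" + _B + r"\1" + _B + r"\1(?:$|" + _B + r")"
)


def cisco_matches(as_path: str) -> bool:
    """True when the IOS entry 'permit _([0-9]+)_\\1_\\1_' would match."""
    return CISCO_TRIPLE.search(as_path) is not None


def tokenize(as_path: str) -> List[str]:
    """Split an AS path into ASN strings, dropping set/confed delimiters."""
    return [t for t in re.split(r"[\s,{}()]+", as_path) if t]


def prepend_runs(as_path: str, min_run: int = 3) -> Dict[str, int]:
    """ASNs that occur min_run or more times consecutively, with the run length.

    This is the backreference-free way to get the same answer: walk the
    path once and count consecutive repeats. Unlike the regex it also tells
    you which ASN and how long the run was.
    """
    runs: Dict[str, int] = {}
    current, count = None, 0
    for asn in tokenize(as_path):
        count = count + 1 if asn == current else 1
        current = asn
        if count >= min_run:
            runs[asn] = max(runs.get(asn, 0), count)
    return runs


if __name__ == "__main__":
    for path in ("65001 65001 65001 3356", "65001 65001 3356", "1 11 11 11"):
        print(repr(path), cisco_matches(path), prepend_runs(path))
```

The boundary handling is the subtle part: because `_` must match a delimiter on both sides of each backreference, "1100 100 100" does not match even though the digits "100" appear three times, and "1 11 11 11" matches on the ASN 11, not 1. The token walk gets both cases right for the same reason, since it compares whole ASNs.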
Re: Peering issue - Possible Juniper to Cisco issue
On Fri, Feb 28, 2014 at 8:58 AM, Philip Lavine source_ro...@yahoo.com wrote:
> To all,
>
> I (ASR1001) had an experience recently where the Telco (Juniper) told me that I was sending them 1000+ routes when I attempted to re-establish a BGP session; subsequently they would not allow this and they refused the session. I had no sync on and a prefix list so I was advertising only one route. Even though I hard reset the session on my end the Telco for some reason kept seeing me send the routes. I finally called them and had them reset their end and the session came up right away.
>
> What the ...

If you leaked once and they have a teardown setup on the Juniper end w/o a timeout, it won't let the neighbor reconnect until the session is cleared. I've seen in IOS 15.x just a few days ago where it had stuck advertising routes that it shouldn't be, though that was between two Sup720 based pieces of gear, so probably unrelated (just a data point that it can/does happen in IOS in general where it's advertising routes that it insists it isn't)

> thx
> Philip
Re: Leap Second
On Tue, Jul 2, 2013 at 7:23 AM, Todd S t...@borked.ca wrote:
> We found we got leap seconds added on some systems over the weekend. There were no leap seconds planned (http://www.usno.navy.mil/USNO/earth-orientation/leap-second-announcement), however some of our systems got one.
>
> We run our own s2/s3/s4 system, with only the s2s going to the Internet. We have about 20 servers defined there, but looking through the logs, I can't figure out which one(s) may have been advertising the leap second. I went through all our systems on Friday and Saturday to check for the leap bit, but had nothing, so it must have come out on Sunday.
>
> Anyone else run in to this, or have any further intel about servers that advertised the leap second?

Had a leap happen here on the 30th. My stratum 1 source is a CDMA timekeeper, I'll ping the operator of it and see if he knows anything or if it logged anything. It's probably not isolated at all since all my S2 machines have some diversity in alternate time sources but still took the leap second.

> Cheers,
> Todd.
Re: Leap Second
On Tue, Jul 2, 2013 at 7:35 AM, Michael Loftis mlof...@wgops.com wrote:
> Had a leap happen here on the 30th. My stratum 1 source is a CDMA timekeeper, I'll ping the operator of it and see if he knows anything or if it logged anything. It's probably not isolated at all since all my S2 machines have some diversity in alternate time sources but still took the leap second.

OK he's checked, nothing unusual in logs...data on the box matches NOAA site (16 leaps, 16 future) - and pool.ntp.org/scores thinks that it's all OK/well within norms.
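The "leap bit" both posts are hunting for is the two-bit Leap Indicator at the top of every NTP packet. As an added example (not from the thread or any NTP implementation), the block below builds RFC 5905 style 48-byte server replies, decodes the LI/VN/Mode byte and the reference identifier, and reports which of a set of upstream servers is currently announcing a pending leap, which is the check an operator would run against each of the twenty configured sources. The replies are constructed, not captured.

```python
"""Reading the NTP leap indicator from server replies.

Added example (not from the thread): builds RFC 5905 style 48-byte NTP
headers, decodes the LI/VN/Mode byte, and reports which of a set of
servers is currently announcing a leap second, which is what the thread
is trying to track down. The replies are constructed, not captured.
"""
import struct
from typing import Dict

LI_NAMES = {0: "none", 1: "insert (61 s minute)", 2: "delete (59 s minute)",
            3: "alarm / unsynchronised"}


def build_reply(li: int, stratum: int = 2, refid: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Constructed server reply: version 4, mode 4 (server), timestamps zeroed."""
    first = (li << 6) | (4 << 3) | 4
    header = struct.pack("!BBbb", first, stratum, 6, -20)  # LI/VN/Mode, stratum, poll, precision
    header += struct.pack("!II", 0, 0)                      # root delay, root dispersion
    header += refid.ljust(4, b"\x00")[:4]                   # reference id, exactly 4 bytes
    header += b"\x00" * 32                                  # reference, origin, receive, transmit timestamps
    return header


def parse_header(pkt: bytes) -> Dict[str, object]:
    """Decode the fields a leap-second hunt needs from an NTP packet."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    first, stratum, poll, precision = struct.unpack("!BBbb", pkt[:4])
    refid = pkt[12:16]
    li = first >> 6
    return {
        "li": li,
        "leap": LI_NAMES[li],
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        # stratum 0/1 carry a 4-character source name (GPS, PPS, CDMA...),
        # higher strata the IPv4 address of their upstream server
        "refid": (refid.decode("ascii", "replace").rstrip("\x00") if stratum <= 1
                  else ".".join(str(b) for b in refid)),
    }


def servers_announcing_leap(replies: Dict[str, bytes]) -> Dict[str, int]:
    """Map server name -> LI for every reply that carries a pending leap (LI 1 or 2).

    LI 3 (alarm) is deliberately excluded: it means the server is not
    synchronised, not that it is announcing a leap.
    """
    out: Dict[str, int] = {}
    for name, pkt in replies.items():
        li = parse_header(pkt)["li"]
        if li in (1, 2):
            out[name] = li
    return out


if __name__ == "__main__":
    # Constructed replies: one clean stratum 2, one stratum 1 CDMA source
    # flagging an insert, one unsynchronised box
    sample = {
        "s2a.example.net": build_reply(0, stratum=2, refid=bytes([192, 0, 2, 10])),
        "cdma.example.net": build_reply(1, stratum=1, refid=b"CDMA"),
        "s2c.example.net": build_reply(3, stratum=2),
    }
    for name, pkt in sample.items():
        print(name, parse_header(pkt))
    print("announcing a leap:", servers_announcing_leap(sample))
```

Polling each configured source this way, and logging the result per server, is what lets you answer "which one advertised it" after the fact rather than inferring it from a kernel message on the clients.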
Re: PDU recommendations
Personally have gotten sick of dealing with basically every other vendor's PDU out there but APC. APC PDUs may not have every whiz-bang feature but they work. SNMP or SSH pretty solid. You still probably want them on a closed management network but problems even in the wild 'net with port 22 open in my experience have been rare. Management software upgrades are generally live, load left on/undisturbed. I still schedule them for downtime but (knock on wood) nothing in the last 6-7 years has caused an outage.
Re: PDU recommendations
No, I only use APC anymore for PDUs. It's the others I've dealt with I don't like. There's quite a few I've never used but after the painfully expensive experiences I've had with Tripp-Lite, BayTech, MGE (though I think they're part of Schneider or APC now), Liebert (which at the time looked suspiciously the same as the Tripp-Lites but with a bigger price tag), and a couple others I'm certainly forgetting. I'd heard there were some bad batches that were DOA from APC, but haven't personally experienced any myself. I've had a couple management cards in Symmetra LXes fail, and that same Symmetra chassis had a power/inverter/charger module fail around the same time.

On Sun, Jun 23, 2013 at 9:13 AM, Nick Khamis sym...@gmail.com wrote:
> Hello Michael, does that mean you do not employ PDUs in your network? I.e., found a UPS with sufficient number of outlets in the back. With that in mind, could you make a recommendation for such a UPS-direct for a VM environment.
>
> Kind Regards,
> Nick.
Re: OC3/STM-1 Line Card
Most modern gear can go all the way to individual DS0's in a single card without a MUX of any kind. OC3/STM-1 is only like 155mbit.

On Sun, Jun 9, 2013 at 10:13 AM, Phil Fagan philfa...@gmail.com wrote:
> Don't you need to drop DS0's out of that STM for signaling?
>
> On Sat, Jun 8, 2013 at 9:58 AM, Nick Khamis sym...@gmail.com wrote:
>> Hello Everyone,
>>
>> Anyone know of a way of bypassing the 90K audiocodes mediant 3000 equipped for STM-1 interface using line cards and a linux box :). What we are looking to do is replace our traditional ISDN DS3 equipped for voice using an STM-1/OC3 backbone and our own put together linux box. Again, this will be used for voice signaling...
>>
>> Kind Regards,
>> Nick.
>
> --
> Phil Fagan
> Denver, CO
> 970-480-7618
Re: Data Center Installations
On Wed, May 1, 2013 at 4:33 PM, Mike Lyon mike.l...@gmail.com wrote:
> For bulk velcro, I found Uline to be fairly cheap.

I have to ask, is this an April Fools' joke? ULine isn't cheap for anything. Monoprice, $13, around $25 delivered depending on where you're at and how you ship it, for 5x black hook and loop 5yd per roll... vs. ULine $28 (1x black hook and loop 75') and probably about same SH. No easy way to get them to quote SH but last time I ordered from them (they're about the only place to get some stuff) ULine is over 2x as much. Oh and Monoprice has it in quite a few colors if you don't care for black. If you're going for pre-made cable wrap type stuff it's a bit more, but still half or less than ULine. ULine is definitely a supplier of last resort, but they've got a lot of different stuff.
Comcast NOC - issues to/from AS13331 (Seattle)
Comcast doesn't appear to have any usable NOC contacts via whois, and this issue is apparently very widespread. Comcast obviously has multiple saturated paths out in this area, so if you're seeing issues getting to your customers on Comcast...well, it's probably Comcast. Sort of an ongoing/me too on last month's thread about same...

Outbound traffic to Comcast via basically any of our (AS13331) upstreams except Spectrum (AS11404) is experiencing very high packet loss once inside Comcast's network, we suspect a router or link very near to us in Seattle is failing. I've marked out the destination customer IPs but they're available to Comcast engineers if they get in touch with me directly or as n...@metapeer.com -- TIA -- and again, sorry to the list.

Below are three failing/high loss traces, and then the same three traces from our other DC which is routing out via Spectrum. The loss is present on Cogent and L3 outgoing paths at the least, maybe others. As of now I've routed around the problem point via the good path.

fission:~# mtr -s 900 --report --report-cycles 30 1.2.3.4
fission.myfreecams.com  Snt: 30                      Loss%   Last    Avg   Best   Wrst  StDev
ve75-gw1-xmr.metapeer.com                             0.0%    0.4    1.4    0.3   11.8    2.9
te0-7-0-15.ccr21.sea02.atlas.cogentco.com             0.0%    0.9    0.6    0.5    0.9    0.1
te-0-5-0-3-pe03.seattle.wa.ibone.comcast.net          6.7%   43.7   42.3   38.8   43.7    1.4
be-13-cr01.seattle.wa.ibone.comcast.net               3.3%   47.7   44.6   41.3   47.7    1.8
pos-0-7-0-0-cr01.denver.co.ibone.comcast.net          3.3%   69.4   68.7   65.0   71.3    1.5
he-5-15-0-0-cr01.350ecermak.il.ibone.comcast          6.7%   92.6   97.3   91.4  102.0    3.8
he-3-15-0-0-ar01.woburn.ma.boston.comcast.ne         10.0%  120.3  119.8  116.3  122.0    1.8
pos-0-1-0-0-ar01.needham.ma.boston.comcast.n          0.0%  122.0  120.5  117.1  123.9    1.8
po-80-ur01.deering.nh.boston.comcast.net              0.0%  121.4  121.3  118.3  133.8    2.8
po-21-ur01.concord.nh.boston.comcast.net              6.7%  119.6  130.1  119.3  272.8   31.8
te-1-0-0-ten01.concord.nh.boston.comcast.net          6.7%  118.7  120.0  117.6  121.4    1.3
???                                                 100.0%    0.0    0.0    0.0    0.0    0.0

fission:~# mtr -s 900 --report --report-cycles 30 5.6.7.8
fission.myfreecams.com  Snt: 30                      Loss%   Last    Avg   Best   Wrst  StDev
ve75-gw1-xmr.metapeer.com                             0.0%    0.3    0.6    0.3    5.2    0.9
te0-7-0-15.ccr21.sea02.atlas.cogentco.com             0.0%    0.8    0.6    0.5    0.8    0.1
te-0-5-0-3-pe03.seattle.wa.ibone.comcast.net          0.0%   41.4   42.6   38.5   43.8    1.3
be-13-cr01.seattle.wa.ibone.comcast.net               0.0%   45.6   44.1   40.4   46.7    1.8
pos-0-8-0-0-cr01.denver.co.ibone.comcast.net          6.7%   71.2   69.0   65.0   72.1    1.9
he-5-12-0-0-cr01.350ecermak.il.ibone.comcast          3.3%   98.1   96.3   86.4  101.2    3.9
he-0-15-0-0-ar01.pontiac.mi.michigan.comcast         10.0%   93.5   97.3   93.5  100.6    2.3
xe-11-0-0-0-sur01.rochestrhlls.mi.michigan.c          0.0%   97.2   99.1   92.9  141.8   10.4
te-17-10-cdn05.rochestrhlls.mi.michigan.comc          3.3%  118.9  113.2  104.6  118.9    3.5
???                                                 100.0%    0.0    0.0    0.0    0.0    0.0

fission:~# mtr -s 900 --report --report-cycles 30 a.b.c.d
fission.myfreecams.com  Snt: 30                      Loss%   Last    Avg   Best   Wrst  StDev
ve75-gw1-xmr.metapeer.com                             0.0%    0.3    2.1    0.3   47.1    8.6
te0-7-0-15.ccr21.sea02.atlas.cogentco.com             0.0%    0.7    0.6    0.5    0.8    0.1
te-0-5-0-3-pe03.seattle.wa.ibone.comcast.net          6.7%   40.6   42.4   39.7   45.2    1.3
be-15-cr01.seattle.wa.ibone.comcast.net               0.0%   47.3   48.2   41.3   54.8    4.3
68.86.92.34                                           3.3%   43.7   45.5   39.5  101.7   11.6
be-18-ur06.bellevue.wa.seattle.comcast.net            0.0%   43.8   43.0   40.2   44.3    1.4
te-3-0-0-ten15.bellevue.wa.seattle.comcast.n          6.7%   42.7   44.1   42.1   45.7    1.1
???                                                 100.0%    0.0    0.0    0.0    0.0    0.0

mloftis@phobos:~$ mtr -s 900 --report --report-wide --report-cycles 30 1.2.3.4
HOST: phobos                                          Loss%   Snt   Last    Avg   Best   Wrst  StDev
  1. 207.229.74.1                                      0.0%    30    0.4    5.1    0.3  132.4   24.1
  2. agg1-sea-t7-8.bb.spectrumnet.us                   0.0%    30    1.5   14.0    1.5  206.4   39.8
  3. 23.30.206.33                                      0.0%    30    1.8    2.0    1.7    3.5    0.3
  4. be-17-cr01.seattle.wa.ibone.comcast.net           0.0%    30   12.6    5.3    2.1   12.6    2.7
  5. pos-0-4-0-0-cr01.denver.co.ibone.comcast.net      0.0%    30   28.5   29.2   27.2   31.4    1.3
  6. he-5-12-0-0-cr01.350ecermak.il.ibone.comcast.net  0.0%    30   49.9   52.2   49.9   56.7    2.8
  7. he-3-5-0-0-ar01.woburn.ma.boston.comcast.net      0.0%    30   78.5   79.5   78.3   81.0    1.0
  8. pos-1-12-0-0-ar01.needham.ma.boston.comcast.net   0.0%    30   80.2   80.1   78.2   81.7    1.1
  9. po-80-ur01.deering.nh.boston.comcast.net          0.0%    30   80.0   80.1   79.9   80.4    0.1
 10.
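Reading traces like the ones above by eye is error-prone, and the usual mistake is to blame a hop that merely de-prioritises its own ICMP replies. As an added example (not from the list post or the mtr project), the block below parses both `mtr --report` layouts shown above, then looks for the first hop after which loss persists all the way down the path, ignoring both isolated lossy hops and the trailing `???` rows where the destination simply does not answer. The reports embedded in it are constructed to mimic the post's traces, with example.net hostnames.

```python
"""Parser and loss classifier for `mtr --report` output.

Added example (not from the list post or the mtr project): it reads both
the narrow report layout and the --report-wide layout, then separates a
hop that merely rate-limits its own ICMP replies (loss at that hop only)
from a hop after which loss persists all the way down the path, which is
the one worth reporting to the operator. The reports below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Hop:
    index: int
    host: str
    loss: float
    snt: Optional[int]   # only the wide layout carries the Snt column
    last: float
    avg: float
    best: float
    wrst: float
    stdev: float


def parse_report(text: str) -> List[Hop]:
    """Turn mtr report lines into Hop records; non-hop lines are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        tokens = line.split()
        loss_pos = next((i for i, t in enumerate(tokens)
                         if t.endswith("%") and re.fullmatch(r"[0-9.]+", t[:-1])), None)
        if loss_pos is None:
            continue  # header, shell prompt, blank line ("Loss%" is not numeric)
        name = tokens[:loss_pos]
        if name and re.fullmatch(r"\d+\.", name[0]):
            name = name[1:]  # --report-wide numbers its hops ("7.")
        nums = [float(t) for t in tokens[loss_pos + 1:]]
        snt = None
        if len(nums) == 6:   # wide layout: Snt precedes the latency columns
            snt, nums = int(nums[0]), nums[1:]
        if len(nums) != 5:
            continue
        last, avg, best, wrst, stdev = nums
        hops.append(Hop(len(hops) + 1, " ".join(name), float(tokens[loss_pos][:-1]),
                        snt, last, avg, best, wrst, stdev))
    return hops


def persistent_loss_start(hops: List[Hop], threshold: float = 2.0) -> Optional[int]:
    """Index of the first hop from which loss never goes away again, or None.

    Hops that answer nothing at all (100%, usually a firewall dropping
    probes) are ignored, as is a lossy hop followed by a clean one, since
    that pattern is ICMP de-prioritisation on the lossy router rather than
    forwarding-plane packet loss.
    """
    responsive = [h for h in hops if h.loss < 100.0]
    for i, hop in enumerate(responsive):
        if hop.loss >= threshold and all(h.loss >= threshold for h in responsive[i:]):
            return hop.index
    return None


# Constructed wide-layout report: hop 3 only rate-limits ICMP, real loss starts at hop 5
SAMPLE_WIDE = """\
HOST: probe.example.net           Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 192.0.2.1                     0.0%    30    0.4   1.4   0.3  11.8   2.9
  2. edge1.transit.example.net     0.0%    30    0.9   0.6   0.5   0.9   0.1
  3. pe03.isp.example.net         20.0%    30   43.7  42.3  38.8  43.7   1.4
  4. cr01.isp.example.net          0.0%    30   47.7  44.6  41.3  47.7   1.8
  5. ar01.isp.example.net         16.7%    30  120.3 119.8 116.3 122.0   1.8
  6. ur01.isp.example.net         13.3%    30  121.4 121.3 118.3 133.8   2.8
  7. ???                         100.0%    30    0.0   0.0   0.0   0.0   0.0
"""

# Constructed narrow-layout report (older mtr: no hop numbers, no Snt column)
SAMPLE_NARROW = """\
probe.example.net  Snt: 30  Loss%  Last  Avg  Best  Wrst  StDev
192.0.2.1  0.0%  0.4  1.4  0.3  11.8  2.9
pe03.isp.example.net  6.7%  43.7  42.3  38.8  43.7  1.4
???  100.0%  0.0  0.0  0.0  0.0  0.0
"""

if __name__ == "__main__":
    for text in (SAMPLE_WIDE, SAMPLE_NARROW):
        hops = parse_report(text)
        print(len(hops), "hops; loss persists from hop", persistent_loss_start(hops))
```

Applied to the post's own traces, this is the check that separates the single lossy denver/cermak hops (loss that does not carry forward) from the Seattle PE hop where loss appears and is still present at the last responsive hop.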
Re: Circuit Bandwidth Simulator applet etc
Try http://www.nsnam.org/ (AKA NS2/NS3) which is GPL/OSS or Tetcos NetSim - http://tetcos.com/ I've never used NetSim FYI, just heard of it. And NS only rarely.

On Mon, Feb 25, 2013 at 9:22 AM, JoeSox joe...@gmail.com wrote:
> I would like a applet or program I can feed it nodes and a network topology, then just set hypothetical transmit speeds at child nodes then have the applet or program display the Parent node bandwidth. Is there any Visio applets or macros out there I wonder? Sorry another tool question but I don't want to start coding something up if I don't have to. I use NetDot but I don't think it has any circuit bandwidth tools like that. I have used GNS3 in the past but that is way more complex for this need I have.
>
> --
> Thanks, Joe
Re: Suggestions for managed DNS provider?
On Thu, Feb 14, 2013 at 11:58 AM, David Hubbard dhubb...@dino.hostasaurus.com wrote:
> Hi all, anyone have suggestions for very stable/reliable managed DNS? Neustar/UltraDNS is an obvious option to look at, just curious about alternatives. Cost effective would be nice, but stable under attack is better.

It's not 100% clear what you mean here, resolvers or authoritative DNS, but, in either case, my suggestions are the same, OpenDNS has been reliable for me as a resolver service, and DynDNS (now just Dyn) has been great for authoritative and secondary nameservers for me. For authoritative nameservers I haven't looked for anything to deal with huge numbers of domains, just a few dozen.
Re: Super slow HP ILO 2 web interface
I've had issues with HP, Dell, and Supermicro in any higher amounts of broadcast traffic, especially ARP requests. The iDRAC 5 and 6 behave very badly in high broadcast environments, failing to respond to http and local ipmi (ipmitool via the smbus or whatever) interface. That's probably where I would start personally...anything over a couple hundred hosts in the same broadcast domain, especially if those are windows or osx hosts that love to jibber about CIFS and mDNS.

Sent from my Motorola Xoom

On Jan 23, 2013 6:25 PM, Erik Levinson erik.levin...@uberflip.com wrote:
> Hi everyone,
>
> This is probably an OT question for this list, but I thought someone here may have encountered this. I've been having a really annoying super slow web interface access to ILO 2 on our DL360 G5s and G6s, since day one, on all of them. SSH to ILO is perfectly fine. IPMI is fine. VSP is fine. Everything to do with ILO is fine except the damn web interface, which is slow to load pages intermittently. It kind of works in bursts for a few seconds when it works, so I try to do things quickly.
>
> It's hard to characterize exactly what's happening beyond my vague description, but I've looked at the dev tools in Chrome, tried FF, etc. with no luck. One thing I haven't tried in a while is a packet capture of an ILO port to see if it's doing something weird, like trying to do rDNS on the client's IP or on itself, etc.
>
> If it helps, our config doesn't use DHCP and otherwise all the boxes are reset to defaults, then have their IP/SM/GW configured and local users configured...nothing fancy. We do use our own SSL certs, but the problem happens without them as well, so I've already ruled that out.
>
> Does anyone have any ideas on what obvious thing I could have missed?
>
> Thanks
> Erik
Re: why haven't ethernet connectors changed?
It's not all about density. You *Must* have positive retention and alignment. None of the USB nor firewire standards provide for positive retention. eSATA does sort of in some variants but the connectors for USB are especially delicate and easy to break off and destroy. There's the size of the Cat5/5e/6 cable to be considered too. Then you must consider that the standard must allow for local termination, the RJ45 (and its relatives) are pretty good at this. Fast, reliable, repeatable termination with a single simple tool that requires only a little bit of mechanical input from the user of the tool.

On Thu, Dec 20, 2012 at 10:20 AM, Michael Thomas m...@mtcc.com wrote:
> I was looking at a Raspberry Pi board and was struck with how large the ethernet connector is in comparison to the board as a whole. It strikes me: ethernet connectors haven't changed that I'm aware in pretty much 25 years. Every other cable has changed several times in that time frame. I imagine that if anybody cared, ethernet cables could be many times smaller. Looking at wiring closets, etc, it seems like it might be a big win for density too. So why, oh why, nanog the omniscient do we still use rj45's?
>
> Mike
Re: Google/Youtube problems
On Mon, Nov 19, 2012 at 6:30 AM, Leo Bicknell bickn...@ufp.org wrote:
> In a message written on Mon, Nov 19, 2012 at 03:59:22PM +0200, Saku Ytti wrote:
>> What I'm trying to say, I can't see youtube generating anywhere nearly enough revenue who shift 10% (or more) of Internet. And to explain this conundrum to myself, I've speculated accounting magic (which I'd frown upon) and leveraging market position to get free capacity (which is ok, I'd do the same, had I the leverage)
>
> I suspect you're thinking about revenue in terms of say, the advertisements they run with the videos. I believe you're right, that would never pay the bills.
>
> Consider a different model. Google checks out your gmail account, and discovers you really like Red Bull and from your YouTube profile knows you watch a lot of Ke$ha videos. It also discovers there are a lot more folks with the same profile. They can now sell that data to a marketing firm, that there is a strong link between energy drinks and Ke$ha videos.

Actually GOOG doesn't allow this as policy. Different BUs are rather quite restricted on how they can obtain other BUs' data. In general if you can't do it as XYZ corp, you can't do it from inside of GOOG either -- there's a sort of privacy/policy watchdog group inside of the puzzle palace with at least a few people who are *very* concerned with privacy and data protection. I know this just because I've met a handful of them over the years. The ones in the group charged with making sure your data isn't opened up to everyone and their brother, even inside of google, to this sort of thing are pretty fanatical too. Ads can't use any data in any other way than anyone else could from GMail. Same goes with search. They can (and clearly do) share technology, software, infrastructure, and methodologies, but, the actual data is a pretty touchy subject between BUs due to their own policy.

Even if they disband the group, everyone I've ever met with any responsibility towards user data shared the attitude that doing something many of us would consider icky would be something they'd block against internally. (such as just opening up the gmail to any advertiser that came along, aggregating data between BUs to sell individual preferences, etc) Will this be the case forever? Dunno. The ethos/culture is what keeps all this in check right now and culture is known to change. All that said, they're quite profitable now, and so I don't know that there's a pressure from profit motive to improve that revenue stream by doing dirty pool. Especially if the world governments decide they're playing dirty pool and go looking.

> GOOG-411 - building a corpus of voice data for Android's voice recognition.
>
> ReCaptcha - improving visual recognition for their book scanning process.
>
> Most of the free services are simply the cheapest way to get the data needed for some other service that can make much more money. It may seem weird to write off all the costs of YouTube as data acquisition costs, but there's far more money to be made selling marketing data than ads against streaming videos...
Re: time-b.netgear.com/time-c.netgear.com dns queries
On Fri, Sep 7, 2012 at 7:36 PM, valdis.kletni...@vt.edu wrote:
> Interestingly enough, the *hostname* is still in use (by another machine under my desk) - and it gets near zero hits. So it's all hardcoded IP addrs not hostnames.

And for NTP implementations that use DNS they also often only check DNS on startup too...and lots of people do not maintain their servers...well, except netgear, which just hammers the bugger out of everything (See OP)
Re: raging bulls
On Wed, Aug 8, 2012 at 8:08 AM, Brett Frankenberger rbf+na...@panix.com wrote:
> Even if you execute the trades based on a GPS timestamp (I'm ignoring all the logistics of preventing cheating here), it doesn't matter, because the computer that got the information first will make the trading decision first.
>
> -- Brett

Such a system would be pretty complicated because it would also have to prevent intentional 'backdating' of trades as well. Then you've got the market data itself (as just mentioned) -- getting the information first is a big part of the latency problem for the quants.
Re: airFiber
On Sat, Mar 31, 2012 at 7:14 AM, ML m...@kenweb.org wrote:
> Often such a feature is an option within the radio configuration. Where wired side link follows wireless link. To me that never seemed like a good idea because I need to get into the radio during a wireless link-down situation. Maybe if there was an OOB ethernet port it could work but I haven't seen them on any radio I've touched.

These have a 100MB OOB management port, a 1GigE port, and a RJ45 for a speaker/tone device for aiding alignment.
Re: events
On Fri, Sep 30, 2011 at 11:21 AM, Brandon Kim brandon@brandontek.com wrote:
> Is it really that expensive, and WORTH the expense?

IMO, from price quotes I've gotten in the past, it's astronomically expensive. As for worth it...depends. If you're dealing with events for say payment processing systems, it might be. But as a general use tool, it's way outside of being worth it. You license based on the incoming bytes of logging data. But you still have to buy the hardware to process it. They also expect you to pay for that license time and time again.
Re: Home computer rooms
I've got a Danby portable type dual hose unit which works very well for my office. The single hose units are really no good for getting a room cool as they continually pull in outside air. It's pretty quiet, a lot quieter than the cheaper no-name unit it replaced. 12000BTU - it does really need its own 15A/120V circuit because of the size.

On Sat, Aug 13, 2011 at 4:52 PM, Chris Adams cmad...@hiwaay.net wrote:
> Once upon a time, Charles N Wyble char...@knownelement.com said:
>> Related to my thread about home data centers, what are folks using to store compute gear in? Mine sits in two racks in my second bedroom. Cooled by ambient AC.
>
> I have an old pdp-8 rack (I didn't get the actual computer, just the rack, but it does still have the DEC faceplate), and the room is cooled by the regular central A/C. I've considered dedicated A/C for this room (just a small spare bedroom really), but I haven't found anything that is economical and quiet.
>
> --
> Chris Adams cmad...@hiwaay.net
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
Re: Experience with Open Source load balancers?
On Mon, May 16, 2011 at 5:15 PM, Welch, Bryan bryan.we...@arrisi.com wrote:
> Greetings all. I've been tasked with comparing the use of open source load balancing software against commercially available off the shelf hardware such as F5, which is what we currently use. We use the load balancers for traditional load balancing, full proxy for http/ssl traffic, ssl termination and certificate management, ssl and http header manipulation, nat, high availability of the physical hardware and stateful failover of the tcp sessions. These units will be placed at the customer prem supporting our applications and services and we'll need to support them accordingly.
>
> Now my knee jerk reaction to this is that it's a really bad idea. It is the heart and soul of our data center network after all. However, once I started to think about it I realized that I hadn't had any real experience with this solution beyond tinkering with it at home and reading about it in years past.
>
> Can anyone offer any operational insight and real world experiences with these solutions?

Honestly I think to get *all* those features you're much better off with commercial solutions like the ones you're already using from F5, or something from Cisco, Coyote Point, Brocade, or others. You can absolutely put together a solution based on any number of open source products, but you won't get the single integrated front end for management and configuration that any of the commercial options will provide, you may be missing features, and ultimately, you're on the hook for making it work. In particular the stateful failover has been problematic in open source solutions in my experience. They've come a VERY long way, but it is a hard problem to tackle.

I've worked with open source and commercial solutions, and while the open source systems were almost always far more flexible, and cheaper up front, they certainly required more work to get going. Once setup and running though both types of solutions had pretty equal amounts of maintenance, with the commercial solutions requiring somewhat less time/babysitting for upgrades and to enable or use new features or functionality.
Re: gmail issues ?
On Tue, Mar 15, 2011 at 3:13 PM, Mike Tancsa m...@sentex.net wrote: Anyone seeing gmail issues? I checked at http://www.google.com/appsstatus#hl=en I've been having massively delayed incoming mail since about Sunday (2011/03/13), some email taking days to come in, some still haven't (Amazon Order status updates for example from Monday still haven't shown up yet)
Re: Old Annex question
Never used those but on some gear from that era it had to be repeated 3x like the Hayes +++ attention sequence. On Feb 12, 2011 9:02 PM, Brian Feeny bfe...@mac.com wrote: Sad but true, I still have a few of these in operation as terminal servers. In reading the documentation I could find it wasn't clear to me how to solve my issue. I use these to manage Cisco routers. How can I connect to a server, and then drop back to the CLI, so I can then connect to another server, and keep switching back and forth? I thought I could just set the attn_string to say ^A and then I could just hit that and it would work, but it doesn't seem to. I basically want to emulate the same functionality you can get when you do ^^x on a Cisco terminal server (2509/2511/etc). Here is how it's configured right now: %rotary host1: 1@172.16.1.10 host2: 2@172.16.1.10 host3: 3@172.16.1.10 %gateway annex 172.16.1.10 net default gateway 172.16.1.1 metric 1 hardwired end So I connect to my annex by telnetting to 172.16.1.10, then I type say host1, but I want to drop back to the CLI, any ideas how to escape to CLI once connected? I figured that since many of you are from my same era and these were popular with ISPs of the day, someone here may know. Brian
Re: SmartNet Alternatives
Cisco is making noises that they'll eventually be restricting software access to ONLY those devices which have an active SmartNet contract associated to your CCO account. I don't know where this currently stands, and it sure will be a huge pain in my rear if/when it happens. On Fri, Feb 11, 2011 at 1:41 PM, John Macleod jmacl...@alentus.com wrote: Just interested in other people's experience with companies offering alternatives to SmartNet? Pros/Cons/Tradeoffs? We currently have a mix of SmartNet and internal parts supply. John __ John Macleod Alentus UK Limited Seymour House South Street Bromley BR1 1RH +44 (0)208 315 5800 +44 (0)208 315 5801 fax alentus.co.uk | alentus.com
Re: IPv6 filtering
On Tue, Jan 25, 2011 at 10:49 PM, Mark D. Nagel mna...@willingminds.com wrote: This can bite you in unexpected ways, too. For example, on a Cisco ASA, if you add a system-level 'icmpv6 permit' line and if this does not include ND, then you break ND responses to the ASA. This is much unlike ARP, which is unaffected by 'icmp permit' statements for IPv4. And, the default with no such lines is to permit all ICMP/ICMPv6 to the ASA. This seems so obvious in retrospect, but at the time was a bit of a head-scratcher. ARP is a separate protocol supporting IPv4 ... For IPv6, ND is done using ICMPv6 messages. A bit confusing transitioning from IPv4/ARP for sure. Mark
Re: Using IPv6 with prefixes shorter than a /64 on a LAN
On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy r...@maine.edu wrote: Many cite concerns of potential DoS attacks by doing sweeps of IPv6 networks. I don't think this will be a common or wide-spread problem. The general feeling is that there is simply too much address space for it to be done in any reasonable amount of time, and there is almost nothing to be gained from it. The problem I see is the opening of a new, simple, DoS/DDoS scenario. By repetitively sweeping a target's /64 you can cause EVERYTHING in that /64 to stop working by overflowing the ND/ND cache, depending on the specific ND cache implementation and how big it is/etc. Routers can also act as amplifiers too, DDoSing every host within a multicast ND directed solicitation group (and THAT is even assuming a correctly functioning switch that's limiting the multicast travel). Add to it the assumption that every router gets certain things right (like everything correctly decrementing TTLs as assumed in RFC 4861 11.2 in order for hosts to detect off-link RA/ND messages and guard themselves against those); in these ways it's certainly at least somewhat worse than ARP. If you're able to bring down, or severely limit, a site by sending a couple thousand PPS towards the /64 it's on, or by varying the upper parts of the /64 to flood all the hosts with multicast traffic while simultaneously flooding the router's LRU ND cache, well, that's a cheap and easy attack and it WILL be used, and that can be done with the protocols working as designed, at least from my reading. Granted, I don't have an IPv6 lab to test any of this. But I'd be willing to bet this exact scenario is readily and easily possible; it already is with ARP tables (and it DOES happen, it's just harder to make happen with ARP and IPv4 since the space is so small, esp. when compared to a /64). IPv6 ND LRU caches/tables aren't going to be anywhere near big enough to handle a single /64's worth of hosts.
And if they're any significant amount smaller then it'd be trivial to cause a DoS by sweeping the address space. It would depend on the ND table limits/sizes, and any implementation-specific timers/etc and garbage collection, and some other details I don't have, but, I bet it'd be a really small flow in the scheme of things to completely stomp out a /64. Someone I'm sure knows more about the implementations, and I'm betting this has been brought up before about IPv6/ND... So I pretty strongly disagree about your statement. Repetitively sweeping an IPv6 network to DoS/DDoS the ND protocol, thereby flooding the ND cache/LRUs, could be extremely effective and if not paid serious attention will cause serious issues.
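The cache-exhaustion scenario above, modelled in Python as an added example (not code from the post or from any vendor's stack). It assumes a fixed-capacity neighbor cache evicted in LRU order, an INCOMPLETE entry created per unresolved on-link destination, and, as the mitigation, a cap on INCOMPLETE entries (one of the protections RFC 6583 discusses); the prefix and host addresses are constructed documentation values.

```python
"""In-memory model of a router's IPv6 neighbor cache under a /64 sweep.

Constructed simulation only: it sends no packets. It shows why a flood of
packets for unused addresses in a /64 evicts resolved neighbors from a
bounded LRU cache, and how bounding the number of unresolved (INCOMPLETE)
entries keeps resolved (REACHABLE) neighbors alive.
"""
from collections import OrderedDict
import ipaddress


class NeighborCache:
    """Bounded LRU neighbor cache; states are 'INCOMPLETE' and 'REACHABLE'."""

    def __init__(self, capacity, incomplete_cap=None):
        self.capacity = capacity
        self.incomplete_cap = incomplete_cap  # None = unprotected cache
        self.entries = OrderedDict()          # address -> state, LRU first
        self.dropped = 0                      # packets refused resolution

    def _incomplete_count(self):
        return sum(1 for s in self.entries.values() if s == "INCOMPLETE")

    def lookup_or_resolve(self, addr):
        """Forwarding-plane lookup for a packet destined to addr.

        A hit refreshes LRU order. A miss normally creates an INCOMPLETE
        entry (the router would now send a Neighbor Solicitation); once the
        INCOMPLETE cap is reached, further misses are dropped instead.
        """
        if addr in self.entries:
            self.entries.move_to_end(addr)
            return self.entries[addr]
        if (self.incomplete_cap is not None
                and self._incomplete_count() >= self.incomplete_cap):
            self.dropped += 1
            return None
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # evict LRU, whatever its state
        self.entries[addr] = "INCOMPLETE"
        return "INCOMPLETE"

    def neighbor_advertisement(self, addr, hop_limit=255):
        """Process a Neighbor Advertisement for addr.

        RFC 4861 (section 7.1.2, the on-link check the post refers to)
        requires Hop Limit 255; anything else is silently discarded.
        """
        if hop_limit != 255 or addr not in self.entries:
            return False
        self.entries[addr] = "REACHABLE"
        self.entries.move_to_end(addr)
        return True

    def reachable(self):
        return sorted(a for a, s in self.entries.items() if s == "REACHABLE")


def sweep(cache, prefix, count, offset=0x10000):
    """Packets arriving for `count` consecutive unused addresses in `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    for i in range(count):
        cache.lookup_or_resolve(str(net[offset + i]))


def run_scenario(capacity=256, incomplete_cap=None, sweep_size=1000):
    """Return (resolved neighbors left after the sweep, packets dropped)."""
    prefix = "2001:db8:0:1::/64"  # constructed documentation prefix
    hosts = ["2001:db8:0:1::a", "2001:db8:0:1::b", "2001:db8:0:1::c"]
    cache = NeighborCache(capacity, incomplete_cap)
    for h in hosts:               # three real hosts resolve normally first
        cache.lookup_or_resolve(h)
        cache.neighbor_advertisement(h)
    sweep(cache, prefix, sweep_size)
    return cache.reachable(), cache.dropped


if __name__ == "__main__":
    print("unprotected:", run_scenario())                    # ([], 0)
    print("capped:", run_scenario(incomplete_cap=32))        # hosts survive
```

With the unprotected cache the three resolved hosts are gone after the sweep; with the INCOMPLETE cap they stay reachable and the excess sweep packets are dropped instead of starting resolutions.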
Re: IPv6 - real vs theoretical problems
On Fri, Jan 7, 2011 at 3:44 PM, Owen DeLong o...@delong.com wrote: snip There are multiple purposes to /48s to residential end users. DHCP-PD allows a lot of future innovations not yet available. Imagine a house where the border router receives a /48 from the ISP and delegates /64s or /60s or whatever to other routers within the house. Each home entertainment cluster may be one group of networks with its own router. The appliance network(s) may have their own router(s). RFID tags on groceries may lead to a time when your home automation server can gather up data from your refrigerator, pantries, etc. and present the inventory on your mobile phone while you're at the grocery store. No more need to maintain a shopping list, just query the inventory from the store. These are just the things that could easily be done with the technology we already know about. Imagine what we might think of once we get more used to having prefix abundance. snip Having more address space won't help most of these uses, and as for why, take a look at the proposed situation with for example home media serving/sharing systems by TiVo, Apple, etc. They all require that the units be within the same broadcast domain or that there be a configured bridge of some sort if they even allow that topology. They (actually rightfully) assume that the network topology is flat, single broadcast domain, and more and more use Multicast DNS (which I've seen called a bunch of different things). More to the point, your average home user cannot technically fathom anything more complicated than plug it in -- and many begin to fail to set something up properly when it's extended to something as complicated as plug it in, push a button or plug it in, type some numbers into the device. Your average home user has no reason at all for anything more than a PtP to his/her gateway, and a single prefix routed to that gateway. There are most certainly a few (which includes I'm sure 99% of the NANOGers!) 
subscribers who can and will use more space than that, and ISPs most definitely should make /48s readily and easily available for those customers, but giving each and every customer a /48 (or really, even a pair of /64s, one for the PtP, one delegated) is almost certainly overkill. The devices won't use the extra space unless there's some automagic way of them communicating the desire to each other, and appropriately configuring themselves, and it would have to be very widely accepted. But there's no technical gain. A typical household would probably have less than about 50, maybe 100 devices, even if we start networking appliances like toasters, hair dryers and every single radio, tv, and light switch. Just my 2 cents worth.
Re: POE bump-in-the-wire conversion
On Fri, Dec 31, 2010 at 10:49 AM, Robert E. Seastrom r...@seastrom.com wrote: I was aware of this device (being a big Ubiquiti fan), but have yet to find anyone who has direct experience with using them on a 3524-PWR. Have you actually tried this (on a 3524-PWR, not a 3550 or anything later-but-pre-standard)? The equipment will be quite happy with 16v... I've actually used them in other applications. They're a standard 802.3af device, and they just step down to 16V @ 0.8A (max), though they seemed to get a bit warm at 0.8A but worked fine, haven't had one die yet. To the switch they are a 100% 802.3af device so may not work with the 3524-PWR. I've not tried any 802.3af devices with the 3524-PWR; I have gone the other way (802.3af injector/switch with pre-standard devices that accepted 48V) -- You might be better off upgrading to an 802.3af switch or using a separate 802.3af power injector device/devices; Enterasys for example makes a 20 port injector (last I checked) among others. Most (almost all) 802.3af units will also do a Cisco compatible 'pre standard' mode for the older 7900 series phones that aren't 802.3af. Pre-standard Cisco POE is limited to about 10W, as, IIRC, it uses only one pair (pins 1,2) for DC power; the device has a low pass filter to get rid of the DC component for the ethernet receiver hardware. 802.3af doesn't define which wires/pins to use but generally will use the unused pairs, 4,5 and 7,8 for DC+ and DC-, unless it's gig-e, then it uses 1,2 and 3,6 (again this is just my experience with some Netgear and HP gear and doesn't necessarily represent anything else). The use of pins 1,2 for power is possibly also why you don't see pre-standard to 802.3af because there's far less available power, AND, you'd have to build a low pass filter and possibly regenerate the Ethernet signal to make it work too. 
Combine that with cheap 802.3af injectors (either rack/multiport units, or single units) and there's not a lot of incentive for hardware manufacturers to build such devices either. -r Philip Dorr tagn...@gmail.com writes: The Ubiquiti Instant 802.3af seems to do what you want (as long as the equipment can handle 16v) http://ubnt.com/8023af http://ubnt.com/downloads/instant8023af.pdf On Fri, Dec 31, 2010 at 9:00 AM, Robert E. Seastrom r...@seastrom.com wrote: Perhaps someone from this august list can offer a clue here. Have: Cisco 3524-PWR (paleo-POE, pre-802.3af Cisco standard). It runs the 7960Gs great. Have: Wireless AP stuff that wants 12v on the unused pairs for passive POE. 48v will let the magic smoke out. Might buy: phone that does 802.3af Want to run these with the 3524-PWR. I can't imagine that nobody makes a bump-in-the-wire converter for this application, but haven't been able to find anything other than 802.3af to the passive POE use case. Anyone got a pointer for me? Thanks, -r
Re: Want to move to all 208V for server racks
On Fri, Dec 3, 2010 at 10:33 PM, Jay Ashworth j...@baylink.com wrote: And in fact, much carrier class equipment can be had with -48V power, there are ATX and similar power supplies for PCs that are -48, and I *think* I've seen commercial small UPSs (3kVa) that give with -48 as well... using 48V battery strings, obviously. Take a look at the Solar/Renewable energy systems; Xantrex (Schneider actually) makes the XW series inverter/chargers which use 48V battery strings and can be paralleled up to a rated total of about 1...@120/240. This is done by paralleling 3x 6kW inverter/chargers. They've an integrated transfer switch, load shaving/sharing (IE if you've got say 6kW of generator, but 12kW of Inverter, the system capacity is up to 12kW, with battery assist). And that's just one option; Magnasine makes parallel inverter/charger and inverter systems up to around 12kW, also using 48VDC (or 24VDC) strings. Both of these are sinewave inverters. There's also a telco oriented 48V inverter rack system that's escaping my mind at the moment. It can be set up with A/B 48V strings, and you plug in inverter modules up to IIRC around 8kW. Not parallel capable between racks AFAIK.
Re: Want to move to all 208V for server racks
On Sat, Dec 4, 2010 at 12:45 PM, Jay Ashworth j...@baylink.com wrote: I phrased my comment poorly, which mislead you. I was suggesting a UPS which took 208VAC on the charge side, and charged 48VDC batteries with it, providing -48 to a rack full of equipment which took that. People actually call those 48VDC UPSs, though in fact they're just Little Teeny Battery Plants. :-) Ah, well, the XW (6048's) *do* have a 100A charger each (so up to 300A @ ~48VDC) so they could be used for that too :D -- but that same industry segment, solar/renewable, makes 48VDC charger only/rectifier only systems as well. So my answer still sort of stands :D Cheers, -- jra
Re: Low end, cool CPE.
On Fri, Nov 12, 2010 at 8:36 AM, Matthew Kaufman matt...@matthew.at wrote: On 11/11/2010 10:55 PM, Michael Loftis wrote: I have sort of recently gone from a little netscreen 5 to a mikrotik rb750g. Happily running for about 4 months. Way more of a power user or net admin than consumer oriented device. Fast though, loads faster than the netscreen I would recommend their products except for one thing: They have quite a few different models which experience a still-unfixed problem where the Ethernet port(s) simply go silent for 5-20 minutes and then come back all on their own (or with a reboot). Totally unacceptable, and their support forums are filled with others having the same problem *and* no confirmation of what the company is doing to fix it. And hard to debug, I'm sure, because the problem is one of those happens every other day for 4 days, then not again for 3 weeks kinds of bugs. I've never actually had that problem, and wasn't even aware of it until reading your message just now. It might be that I use the thing in a completely different manner (I've a bridge+vlan tagging setup). Being as I work from home it gets used very thoroughly, so if it had had the issue I would've noticed. I'm wondering if some units are having thermal issues; seems to be a common thread/problem lately with embedded devices. Newer gen processors are starting to see thermal and PSU loads (on account of lower voltages) that haven't been dealt with much by these hardware makers. Or I could just be lucky, or my office is cooler than others. I've heard a lot of people having thermal issues with the Globalscale GuruPlug Server Plus wall-wart units, and while the two I have do get very hot, I haven't had any crashes. But they are still way too hot for me to ever recommend them for anything. The RB750G though doesn't ever seem to warm up or anything so it's very odd that there are issues. I'm running the 4.x stable releases though too, not 5.x, I'll have to look into the forum posts on this. 
Good to know about!
Re: Low end, cool CPE.
I have sort of recently gone from a little netscreen 5 to a mikrotik rb750g. Happily running for about 4 months. Way more of a power user or net admin than consumer oriented device. Fast though, loads faster than the netscreen On Nov 11, 2010 6:41 PM, Leo Bicknell bickn...@ufp.org wrote: I've run into a number of low end CPE situations lately where I haven't found anything that does what I want, but I have to believe it is out there. I'm hoping NANOG can help. Basically think about a sophisticated home user, or a 1-5 person small office. Think DSL, Cable Modem, maybe Cell Card or ISDN as backups. Looking for an appliance, very much fire and forget. I probably won't get all the features that I want, but in no particular order: - Able to load balance over 2 links (probably via NAT). - IPv6 support, native or tunnel to tunnelbroker.net type thing. - Able to deal with backup connectivity, e.g. Cell Cards which you only want to use if the primary is down. - User friendly features, e.g. UPNP, NAT-PMP, etc. - Good manageability. ssh to a cli would be a huge bonus, at least the ability to backup a config. - Able to handle decent throughput, probably 20Mbps/sec min, 50 would be nice. - Nice firewall features. - IDS features are cool. WiFi is not strictly required, but would be cool. Things like guest WiFi would be an added bonus. Something a NANOGer might want at home would be a good baseline. I realize the exact product may differ depending on DSL/Cable/Cell/ISDN, that's ok, let's get some various good solutions going here. What is the state of the art, and who has it? -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: Current trends in capacity planning and oversubscription
On Tue, Nov 9, 2010 at 10:26 PM, Sean Donelan s...@donelan.com wrote: While the answer is always it depends, I was wondering what the current rules of thumb university network engineers are using for capacity planning and oversubscription for resnets and admin networks? For K-12, SETDA (http://www.setda.org/web/guest/2020/broadband) is recommending: - An external Internet connection to the Internet Service Provider of at least 100 Mbps per 1,000 students/staff - Internal wide area network connections from the district to each school and between schools of at least 1 Gbps per 1,000 students/staff How does that compare with university and enterprise network rules of thumb? As someone else has said, I've never seen K-12 with remotely that high of a ratio, or, really, any educational institution. UofM here in Missoula, MT doesn't have anywhere near those ratios for internet services nor for the campus network. I don't have any exact details but I'm pretty certain there's no 10 Gig-E there. I'm not even sure if the building-to-building links are 1 Gig-E in all cases. Actually...I'm not sure anywhere has that high of a ratio here in the states, at least for wired connectivity. The carriers here all keep the prices nice and high to preserve their profit margins in the face of losing their long distance and traditional POTS cash cows as people move more to cell phones and other non-POTS carriers.
Re: Current trends in capacity planning and oversubscription
On Wed, Nov 10, 2010 at 10:31 AM, Steve Meuse sme...@mara.org wrote: Michael Loftis expunged (mlof...@wgops.com): Actually...I'm not sure anywhere has that high of a ratio here in the states, at least for wired connectivity. I would say that's highly dependent on your geographical location. In Montana I could see that as being true, but not in NYC, for example... It might be more dependent upon the level of competition in the bandwidth market. Here in the mountain west (MT included) you either pay the ILEC their exorbitant fees for your last mile, or, you pay to trench. Only a couple years ago Qwest was quoting $8k+/mo for a DS3, and this was where their Cisco ONS 15454 was in the same room. I don't even want to know how much they'd charge you if you had to pay any real line mileage. Luckily in that particular building there were/are other options, but almost any other place, you don't (that building has a lot of antennae on top, a couple placed by myself) -Steve
Re: do you use SPF TXT RRs? (RFC4408)
--On Monday, October 04, 2010 9:54 AM -0700 John Adams j...@retina.net wrote: Without proper SPF records your mail stands little chance of making it through some of the larger providers, like gmail, if you are sending in any high volume. You should be using SPF, DK, and DKIM signing. I don't really understand how your security company related SPF to DoS though. They're unrelated, with the exception of backscatter. FUD most likely, that's the stock in trade for almost all security audit firms. -j
Re: Inquiries to Acquire IPs
Makes one wonder what dead:beef::/32 and c0ff:ee00::/32 will go for? :) --On Friday, July 02, 2010 9:48 PM +0100 Rob Evans internetplum...@gmail.com wrote: I saw a few reports of those today and wrote a short note to forewarn some other European RE networks, plus our customers. http://webmedia.company.ja.net/edlabblogs/developmenteye/2010/07/03/wanted-memorable-24-for-us5k/ Yup, I know the date on the blog is off by one. :) Cheers, Rob
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
--On Sunday, December 13, 2009 9:17 AM -0800 Joel Jaeggli joe...@bogus.com wrote: UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT. Wishful thinking. You're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it. Amen indeed. Consumers do not care if it's a good idea or not. And honestly in a home network, well, it's not as frightening. In a business of any kind (including home based) it is bad. You should have a DMZ with carefully controlled open ports lists. But that's preaching to the choir here. IPv6 doesn't magically negate the need for UPnP; UPnP is not tied to NAT. It's a way for applications to ask the firewall to selectively open ports up to them. Intelligent stateful firewalls can do that for limited applications, perhaps with some sort of policy control even. Though Joe/Jill Gamer (which is what UPnP is for) won't know anything about any of that. They define a gateway as functioning or not. I really am honestly sick of people thinking IPv6 is a panacea. It isn't. UPnP is rather a bit of a hack for sure, protocols should be better designed, but in this modern age of Peer To Peer you need a way for applications to ask the firewall to selectively open incoming ports.
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
--On Wednesday, December 02, 2009 6:23 PM -0800 Mehmet Akcin meh...@akcin.net wrote: Would you consider Juniper SSG5 as a Consumer Grade router? They do IPv6 and they are pretty good in general, and cheap as well. Not as usable in the consumer space due to lack of UPnP (and Juniper is NOT interested in implementing it). They also lack some other customer friendly features. Price point is also probably 3x-5x what most are willing to pay for CPE.