Re: What do you think about this airline vs 5G brouhaha?

2022-01-18 Thread Michael Loftis
On Tue, Jan 18, 2022 at 17:49 Jay Hennigan  wrote:

> On 1/18/22 15:51, Brandon Martin wrote:
>
> > Further, it seems that good engineering practice was not used in the
> > design of these vulnerable systems and that they are subject to
> > interference from broad-spectrum "jammers" (i.e. signals that, in terms
> > of modulation and timing, don't necessarily correspond to what they're
> > expecting to receive) transmitting well outside their allocated band (by
> > separation comparable to the entire band in which they operate) let
> > alone outside the expected, tuned frequency of signal reception.  All of
> > these are typically very high on the list of consideration when
> > designing an RF receiver and seem to have been either ignored entirely
> > or at least discounted in the design of these instruments from what I'm
> > hearing.
>
> This simply doesn't make sense. Radar receivers are usually direct
> conversion driven from the same frequency source as the transmitter,
> meaning that they are going to have rather good selectivity with regard
> to frequency.
>
> Furthermore, a radio altimeter used for approach and landing is going to
> have a very short time window. I'm by no means familiar with the
> internal workings of these devices, their specifications, or their
> effective range, but if the altitude to be measured is 5000 feet or less
> the device will send a pulse and then open a receive window of no more
> than about 11 microseconds to look for its return. If you're only
> concerned about being 1000 feet or less above terrain, the window is
> about 2 microseconds. The pulses are presumably sent relatively
> frequently, probably several times a second, and the results averaged.
> In addition, the radar antenna beamwidth is going to be relatively small
> and pointed more or less straight down.


GPWS, and all rescue/medevac/etc helicopter operations also use the RA, and
this is NOT just in the landing/approach of a runway. Think about landing a
helicopter at night on the freeway or a nearby field. TAWS uses GPS to
locate in space and I don’t know where its altitude source is - probably
the baro altimeter until the RA starts getting a return (or thinks it is)


>
> Intentional broadband jamming isn't going to be very effective against
> an airplane as the jammer would need to be directly beneath a fast
> moving target and get the timing exactly right with microsecond accuracy.
>
> Accidental interference from a source at least 220MHz out of band with a
> beam pointed at the horizon is even more far-fetched unless, as you say,
> the radar unit's receiver is complete garbage in which case how did it
> get a TSO in the first place? Avionics equipment that is critical to a
> precision approach isn't, or at least shouldn't be, crap.


They’ve never been required to have immunity. Last spec update was AFAIK
1980s. It’s definitely a stack of problems…part of which is the FCC
auctioning the spectrum, which puts them in conflict as both the enforcement
and beneficiary. Billions of dollars being the CTIA on one hand. On the
other RTCA, AOPA, and some other small $ fish they stand nothing to gain
from.

Remember that the RA is sub 1W looking for reflected emissions. It’s very
possible for the ground equipment of a cell base station to have spurious
harmonics…where they land requires more RF engineering chops than I’ve got,
and would obviously be very system dependent. So yes, in my understanding,
due to the RF voodoo of how they transmit and receive, and the field of
view, those factors mitigate interference for certain…but why did the FCC
auction that chunk? Why not say ok, you’ve got two years to develop a
standard, update that 1980s requirement, and 5 or 10 to implement? Instead
we’re just barely four years on and going to be seeing potentially
interesting deployments. Interference that only can happen and only
matters in critical flight phases….





>
> --
> Jay Hennigan - j...@west.net
> Network Engineering - CCIE #7880
> 503 897-8550 - WB6RDV
>
-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler


Re: What do you think about this airline vs 5G brouhaha?

2022-01-18 Thread Michael Loftis
New to the public eye but not orgs like AOPA who’ve been fighting since
2020, but they're not multi-billion-dollar lobby groups. US is more affected
because we have more general aviation, and an older fleet overall.

And it’s not cheap to replace these radio altimeters (but that’s kind of
like everything aviation)

On Tue, Jan 18, 2022 at 13:32 Michael Thomas  wrote:

>
> I really don't know anything about it. It seems really late to be having
> this fight now, right?
>
> Mike
>
> --



Re: A crazy idea

2021-07-20 Thread Michael Loftis
On Tue, Jul 20, 2021 at 7:48 AM Michael Loftis  wrote:
>
> (Reply in-line)

My apologies to everyone using an HTML mail client.  Don't try in-line
replies with Google's iOS app.  *sigh*  Really, it's not a blank
reply...

The gist of my reply was: don't complain about DNS services when
you're not paying for DNS services.  register.com, godaddy, those are
registrars.  Go look for a managed DNS/authoritative DNS service
provider and almost any of them will happily accept a reverse DNS zone
delegation.  And for IPv4 less-than-boundary (well... I guess you could
use it for v6, but v6 should NEVER be on a less than boundary) see
RFC2317.

Again.  Apologies.  Honestly, it was my mail client that did it! :)


Re: A crazy idea

2021-07-20 Thread Michael Loftis
(Reply in-line)

On Mon, Jul 19, 2021 at 06:11 Stephen Satchell  wrote:

> First, I know this isn't the right place to propose this; need a pointer
> to where to propose an outlandish idea.
>
> PROBLEM:  IPv6 support is still in its birthing pangs.  I see a problem
> that limits deployment of IPv6 fully:  reverse PTR records in the
> ".in6.arpa." zones.
>
> (Now that I think about it, this may very well be a network operator
> issue.  Who maintains the ".in.arpa." zones delegated by IANA now?)
>
> I've been going 'round and 'round with AT&T about "static" IPv6
> addresses.  In particular, I can't get a PTR record in the ip6.arpa.
> zone to save my life.  Now, the problem is not really ripe yet, because
> the big reason for PTR records is for mail servers -- best practice
> calls for AAAA/PTR agreement, just like for IPv4 the best practice is
> for A/PTR agreement.
>
> The existing DNS providers can support delegation domains, so that I
> don't have to have DNS servers of my own if I don't want to.  It could
> be that one would need to "buy" the delegation domain, but that's a
> front-office consideration.  Personally, I use register.com for my
> domain DNS zones.  I believe strongly that other registrars that offer
> customer zone editing, plus DNS service providers, can support reverse
> delegation zones with a minimum of hassle, and without charging an arm
> and a leg for the service.


They’re not a DNS service provider. That is a registrar. Providing
authoritative DNS is incidental to their business and not their focus. Go
look for managed DNS or authoritative DNS services. There’s still the
problem of getting the delegation, which is largely unsupported for
consumer IP services. And honestly…I don’t really expect consumer (dynamic)
IP services to provide reverse delegation.  Business (definitely needs to)
and static IP services (really should) should provide either delegation of
the reverse zone or PTRs for non-boundary IPv4 space per RFC2317.


> From the customers' viewpoint, a GUI would make the maintenance
> relatively painless.
>
> (Keying the information below took a long time.  Any rational DNS admin
> and DNS service provider would have automation in place to take out the
> painful work.)




>
>  > 96-103.194.65.99.in-addr.arpa. NS my-DNS-server-1
>  > 96-103.194.65.99.in-addr.arpa. NS my-DNS-server-2
>  > $GENERATE 96-102 $ IN CNAME $.96-103.194.65.99.in-addr.arpa.
>
> In my BIND9 zone file, it would look something like this:
>
> > $ORIGIN 96-103.194.65.99.in-addr.arpa.
> > @ SOA ...
> > @ NS my-dns-server-1.
> > @ NS my-dns-server-2.
> > 96 IN PTR server1.example.com.
> > 97 IN PTR server2.example.com.
>

See RFC2317.

>
> The advantage to this system to the number providers is they would have
> one administrative record per customer, instead of having to deal with
> each PTR record individually.  The advantage to customers is they don't
> have to beg and snivel to get PTR records, just beg and snivel once to
> get the delegation.  The advantage to DNS server providers is they have
> something else to sell.
>
> Want to encourage IPv6 adoption?  This would help.




> --

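
As an added illustration of the RFC 2317 scheme referred to above (example code written for this page, not code from the thread or from any DNS provider), the script below builds both halves of a classless in-addr.arpa delegation for the same /29 that appears in the quoted zone snippet (99.65.194.96-103), then walks the CNAME chain the way a resolver would, and finally checks A/PTR agreement. The nameserver names (ns1/ns2.dns-provider.example), the PTR targets and the forward map are constructed for the example; only the Python standard library is needed.

```python
import ipaddress


def rfc2317_records(cidr, child_ns, ptr_map):
    """Build the parent-side and child-side records for an RFC 2317
    classless in-addr.arpa delegation of an IPv4 block longer than /24.

    Returns (parent_records, child_records) as lists of zone-file lines.
    Parent records use fully qualified owner names; the child zone uses
    $ORIGIN with relative labels, as the thread's BIND example does.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 delegation is for IPv4 blocks smaller than a /24")
    o1, o2, o3, _ = str(net.network_address).split(".")
    parent_zone = f"{o3}.{o2}.{o1}.in-addr.arpa."
    first, last = int(net[0]) & 0xFF, int(net[-1]) & 0xFF
    # RFC 2317 suggests "first/prefixlen" as the label; the "first-last" form
    # used in the thread is also common and keeps the slash out of the name.
    child_zone = f"{first}-{last}.{parent_zone}"

    # Parent zone (held by the address holder, i.e. the ISP): delegate the
    # sub-zone, then alias every address's PTR name into it.  BIND's
    # $GENERATE directive can collapse the CNAME loop into one line.
    parent_records = [f"{child_zone} IN NS {ns}" for ns in child_ns]
    for host in net:
        octet = int(host) & 0xFF
        parent_records.append(f"{octet}.{parent_zone} IN CNAME {octet}.{child_zone}")

    # Child zone (held by the customer or their managed DNS provider): the real
    # PTRs.  A real zone also needs an SOA; omitted to keep the loader small.
    child_records = [f"$ORIGIN {child_zone}"]
    child_records += [f"@ IN NS {ns}" for ns in child_ns]
    for host in net:
        target = ptr_map.get(str(host))
        if target:
            child_records.append(f"{int(host) & 0xFF} IN PTR {target}")
    return parent_records, child_records


def _load(lines, origin=None):
    """Minimal zone-line loader: {(owner, type): [rdata, ...]}."""
    table = {}
    for line in lines:
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        owner, rtype, rdata = parts[0], parts[2], " ".join(parts[3:])
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        table.setdefault((owner, rtype), []).append(rdata)
    return table


def resolve_ptr(ip, parent_records, child_records):
    """Follow the chain a resolver follows: the PTR query lands on a CNAME in
    the parent zone, which points into the delegated child zone holding the PTR."""
    parent, child = _load(parent_records), _load(child_records)
    qname = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    cname = parent.get((qname, "CNAME"))
    if not cname:
        return None
    ptr = child.get((cname[0], "PTR"))
    return ptr[0] if ptr else None


def forward_reverse_mismatches(ptr_map, forward_map):
    """Addresses whose PTR target has no A record pointing back at them,
    i.e. the A/PTR agreement that mail servers are expected to have."""
    return sorted(ip for ip, name in ptr_map.items() if forward_map.get(name) != ip)


# Constructed sample data for the example (not a real delegation).
CHILD_NS = ["ns1.dns-provider.example.", "ns2.dns-provider.example."]
PTRS = {"99.65.194.96": "server1.example.com.", "99.65.194.97": "server2.example.com."}
FORWARD = {"server1.example.com.": "99.65.194.96",
           "server2.example.com.": "99.65.194.98"}   # deliberately disagrees with its PTR

if __name__ == "__main__":
    parent, child = rfc2317_records("99.65.194.96/29", CHILD_NS, PTRS)
    print("\n".join(parent), "\n")
    print("\n".join(child), "\n")
    print("99.65.194.97 ->", resolve_ptr("99.65.194.97", parent, child))
    print("A/PTR mismatches:", forward_reverse_mismatches(PTRS, FORWARD))
```

The ISP only ever touches the parent half (two NS records plus eight CNAMEs, one administrative unit per customer); the customer or their DNS provider edits PTRs in the child zone without going back to the ISP, which is the point made in the quoted proposal.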


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-23 Thread Michael Loftis
On Mon, Mar 23, 2020 at 19:25 Owen DeLong  wrote:

>
> I confess I haven’t investigated the implementation details, but is it
> possible for one to issue ubikeys
> to an employee in a secure way with those features disabled?
>

Yes. And changing that setup either requires a separate admin pin or wiping
the associated private key data to reconfigure. It depends on which
application/mode. FIDO I believe is most inflexible here as it can only be
short touch to activate.

I don’t use the HID keyboard mode OTP keying app/feature so I’m not
terribly familiar with that. It might be that it can be configured limited
such that N in X seconds or a replug is required (to circumvent the timer)
but I really do not know. If people are really curious I can grab a spare
key and check.  I use the CCID/smart card type modes. I do know that the
touch OTP key feature requires wiping the associated private key data, or
having it available to reprogram and change options. They’re a shared
secret mode so the yubikey authentication server has those private keys.

>
> It’s the allowing the employee to make a poor choice not necessarily
> desired by the employer thing
> that seems to me is the issue in this case.
>
>
>
> I agree that this abuse of the UBI Key is more an issue of implementation
> than the inherent nature of the
> UBIKEY, but the UBIKEY does allow this kind of abuse in ways that other
> tokens don’t facilitate.
>
>
> That's like saying that cars are worse than bicycles, because cars
> allow you drive into things are a more dangerous speed. I mean, yes,
> but ….
>
>
> Cars are more dangerous than bicycles, but everything is a matter of
> balancing tradeoffs.
>
> In this case, I’m not sure the ubikey offers anything over the Secur-ID to
> balance that increased
> hazard.
>
> Owen
>
>
> --



Re: crypto frobs

2020-03-23 Thread Michael Loftis
On Mon, Mar 23, 2020 at 20:08 Michael Loftis  wrote:

>
>
> On Mon, Mar 23, 2020 at 18:50 William Herrin  wrote:
>
>> On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari  wrote:
>> > Well, yes and no. With a Yubiikey the attacker  has to be local to
>> > physically touch the button[0] - with just an SSH key, anyone who gets
>> > access to the machine can take my key and use it. This puts it in the
>> > "something you have" (not something you are) camp.
>>
>> Hi Warren,
>>
>> They're both "something you have" factors. The yubi key proves
>> possession better than the ssh key just like a long password proves
>> what-you-know better than a 4-digit PIN. But the ssh key and the yubi
>> key are still part of the same authentication factor.
>>
>>
>> > Not really -- if an attacker steals my laptop, they don't have the
>> > yubikey (unless I store it in the USB port).
>>
>> You make a habit of removing your yubi key from the laptop when nature
>> calls? No you don't.
>>
>>
>> > If they *do* steal both,
>> > they can bruteforce the SSH passphrase, but after 5 tries of guessing
>> > the Yubikey PIN it self-destructs.
>>
>> What yubikey are you talking about? I have a password protecting my
>> ssh key but the yubikeys I've used (including the FIPS version) spit
>> out a string of characters when you touch them. No pin.
>>
>
> The yubikey does many things depending on how it’s configured. None of
> mine use the touch to spit out OTP mode, that is the factory mode though
> yes. Other modes can be password protected (it uses the PIN nomenclature
> which is confusing, it definitely accepts ASCII and may even take binary
> data as a PIN depending on mode of operation) — it can present as industry
> standard smart card (I have one with a pin/password for code signing in
> Visual Studio f/ex...along with a backup kept locked elsewhere)
>


Replying to myself to clarify a bit... the PKI/SSL private keys are on the
Yubikey, password protected, signing is accomplished by VS passing the bits
to be signed to the smart card application on the yubikey, which requires a
password to enable/unlock. On the yubikey, depending on configuration, this
is typically a just-once operation. So each signing op requires a password
entry. But it could be configured differently. By only keeping the private
keys on the yubikey it’s something you have (the yubikey) and something you
know (the password)... the yubikey (barring software bugs obviously) will
not expose the private key, it only does the signing op.

That same yubikey has a separate app and trust store in OpenPGP mode, which
does signing for ssh pubkey auth, with a different private key. Same key
also does FIDO, another application with another key store.

The same key doing all that could also have a “long touch” to spit out an
OTP.



>> Regards,
>> Bill Herrin
>>
>>
>> --
>> William Herrin
>> b...@herrin.us
>> https://bill.herrin.us/
>>
> --



Re: crypto frobs

2020-03-23 Thread Michael Loftis
On Mon, Mar 23, 2020 at 18:50 William Herrin  wrote:

> On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari  wrote:
> > Well, yes and no. With a Yubiikey the attacker  has to be local to
> > physically touch the button[0] - with just an SSH key, anyone who gets
> > access to the machine can take my key and use it. This puts it in the
> > "something you have" (not something you are) camp.
>
> Hi Warren,
>
> They're both "something you have" factors. The yubi key proves
> possession better than the ssh key just like a long password proves
> what-you-know better than a 4-digit PIN. But the ssh key and the yubi
> key are still part of the same authentication factor.
>
>
> > Not really -- if an attacker steals my laptop, they don't have the
> > yubikey (unless I store it in the USB port).
>
> You make a habit of removing your yubi key from the laptop when nature
> calls? No you don't.
>
>
> > If they *do* steal both,
> > they can bruteforce the SSH passphrase, but after 5 tries of guessing
> > the Yubikey PIN it self-destructs.
>
> What yubikey are you talking about? I have a password protecting my
> ssh key but the yubikeys I've used (including the FIPS version) spit
> out a string of characters when you touch them. No pin.
>

The yubikey does many things depending on how it’s configured. None of mine
use the touch to spit out OTP mode, that is the factory mode though yes.
Other modes can be password protected (it uses the PIN nomenclature which
is confusing, it definitely accepts ASCII and may even take binary data as
a PIN depending on mode of operation) — it can present as industry standard
smart card (I have one with a pin/password for code signing in Visual
Studio f/ex...along with a backup kept locked elsewhere)

>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
>


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-23 Thread Michael Loftis
On Mon, Mar 23, 2020 at 4:53 PM Sabri Berisha  wrote:
>
> Hi,
>
> In my experience, yubikeys are not very secure. I know of someone in my team 
> who would generate a few hundred tokens during a meeting and save the output 
> in a text file. Then they'd have a small python script which was triggered by 
> a hotkey on my macbook to push "keyboard" input. They did this because the 
> org they were working for would make you use yubikey auth for pretty much 
> everything, including updating a simple internal Jira ticket.
>
> Thanks,

This is an artifact of a poor implementation, not of a yubikey or any
other security.  Yubikeys support MANY methods of authentication.  I
have a number of them, a couple of them are set up for TOTP (using
yubico authenticator), FIDO (native), and use the GPG functionality
for ssh public key auth via agent.  Pre-generating or replaying will
not work with any of those methods.

So saying "Yubikeys are not very secure" is very incorrect.  The
specific deployment decisions weren't great in your specific case.
Any OTP system based on incrementing counters could be abused in this
manner if the OTP keys can be generated rapidly and saved.  TOTP is
the common method for solving this with 2FA.  Yubikeys also support a
number of challenge/response type authentications (which is
effectively what my GPG setup does, and what FIDO sort of does).


Re: power to the internet

2019-12-25 Thread Michael Loftis
On Wed, Dec 25, 2019 at 19:00 Constantine A. Murenin 
wrote:

> On Wed, 25 Dec 2019 at 19:32, Michael Thomas  wrote:
>
>> On the dark side, this is probably coming to a lot more states and
>> countries due to climate change. Australia. Sigh.
>>
>
> Do you have a source for this?  It would seem that these power issues are
> rather unique to California not because of some "climate change" bogeyman,
> but rather because of a failed public policy at the state level.
>
> It would also seem that these issues of rolling blackouts aren't even new
> to California, either, as, apparently, it's already been the norm during
> 2000/2001:
>


Having lived through the blackouts, that was entirely different. 90% Enron
manipulating the markets. There was plenty of capacity both in transmission
and generation, but Enron manipulated prices and apparent supply to make
money and screwed the whole state over. There was just about 2x the
generating capacity, no real shortage.

This time it’s PG&E all alone, but still fallout from back then. Too much
liability and they’ve not maintained the infrastructure and so they decided
that to reduce the liability costs it’s cheaper to blackout. Same story
again, different colors. PG&E making a mint while people get screwed (PG&E
was mostly at the getting screwed end in 2000-2001)

>
> * https://en.wikipedia.org/wiki/California_electricity_crisis
>
> C.
>


Re: improving signal to noise ratio from centralized network syslogs

2018-01-25 Thread Michael Loftis
On Thu, Jan 25, 2018 at 8:11 PM Joe Maimon  wrote:

> Hey All,
>
> Centralized logging is a good thing. However, what happens is that every
> repetitive, annoying but not (usually) important thing fills up the log
> with reams of what you are not looking for.
>
> Networks are a noisy place and silencing every logged condition is
> impractical and sometimes undesirable.
>
> What I am interested in is an automated zoom-in zoom-out tool to mask
> the repetition of "normal" events and allow the unusual to stand out.
>
> Add to that an ability to identify gaps in the background noise. (The
> dog that didnt bark)
>
> What I am not interested in are solutions based upon preconfigured
> filters and definitions and built in analysis for supported
> (prepopulated definitions) platforms, this is all about pattern
> mining/masking and should be self discoverable. Ideally a command tool
> to generate static versions of the analysis coupled with a web platform
> (with zoom +- buttons)  for realtime.
>
> I made a crude run of it with SLCT, using its generated patterns to grep
> -v, and that in and of itself was useful, but needs a bit of work. Also,
> its not quite real time.
>
> Any ideas would be greatly appreciated.


Not cheap, but Splunk comes to mind.

>
>
> Joe
>
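
As an added example of the pattern mining/masking approach Joe describes (written for this page; it is not SLCT, not Splunk, and not code from anyone in the thread), the script below masks the variable fields of each message into a template, counts templates per time bucket, and reports the rare templates plus the background templates that went quiet in the newest bucket (the dog that didn't bark). The log lines, hostnames and addresses are constructed for the example; the bucket width is the zoom control.

```python
import re
from collections import Counter, defaultdict

# Mask rules, applied in order: addresses before bare numbers, so that
# 10.0.0.5 becomes <IP> rather than <N>.<N>.<N>.<N>.
MASKS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
    (re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I), "<MAC>"),
    (re.compile(r"\b0x[0-9a-f]+\b", re.I), "<HEX>"),
    (re.compile(r"\b\d+\b"), "<N>"),
]
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")   # "ISO-timestamp host message"


def template(message: str) -> str:
    """Collapse the variable fields so repeats of one event share a key."""
    for rx, token in MASKS:
        message = rx.sub(token, message)
    return message


def analyze(lines, bucket_chars=16, background_fraction=0.75):
    """Count (host, template) per time bucket and classify.

    bucket_chars slices the ISO timestamp: 16 = per minute, 13 = per hour
    (the zoom control).  A template present in at least background_fraction
    of the buckets is 'background'; anything else is 'unusual'; background
    templates missing from the newest bucket are 'gaps'.
    """
    buckets = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, msg = m.groups()
        buckets[ts[:bucket_chars]][(host, template(msg))] += 1
    keys = sorted(buckets)
    if not keys:
        return {"buckets": [], "background": [], "unusual": [], "gaps": []}
    presence = Counter(k for b in buckets.values() for k in b)   # buckets per key
    background = {k for k, n in presence.items() if n / len(keys) >= background_fraction}
    newest = buckets[keys[-1]]
    return {
        "buckets": keys,
        "background": sorted(background),
        "unusual": sorted(k for k in presence if k not in background),
        "gaps": sorted(k for k in background if k not in newest),
    }


# Constructed sample: four minutes of two devices' syslog (not real output).
SAMPLE = """\
2018-01-25T20:10:01 rtr1 ntpd[812]: synchronized to 192.0.2.10, stratum 2
2018-01-25T20:10:15 sw1 lldpd[455]: neighbor 00:11:22:33:44:55 refreshed on port 17
2018-01-25T20:11:01 rtr1 ntpd[812]: synchronized to 192.0.2.10, stratum 2
2018-01-25T20:11:15 sw1 lldpd[455]: neighbor 00:11:22:33:44:55 refreshed on port 17
2018-01-25T20:12:01 rtr1 ntpd[812]: synchronized to 192.0.2.11, stratum 3
2018-01-25T20:12:09 rtr1 sshd[1931]: Failed password for admin from 198.51.100.77 port 40122 ssh2
2018-01-25T20:12:15 sw1 lldpd[455]: neighbor 00:11:22:33:44:56 refreshed on port 18
2018-01-25T20:13:15 sw1 lldpd[455]: neighbor 00:11:22:33:44:55 refreshed on port 17
2018-01-25T20:13:40 sw1 kernel: link down on port 17 (errors: 0x1f)
"""

if __name__ == "__main__":
    report = analyze(SAMPLE.splitlines())
    for section in ("unusual", "gaps", "background"):
        print(f"{section}:")
        for host, tmpl in report[section]:
            print(f"  {host}  {tmpl}")
```

On the sample the failed SSH login and the link-down message surface as unusual, and the NTP sync that had been arriving every minute is reported as a gap because it stopped in the last bucket. Nothing is platform specific: the only knowledge baked in is the mask list, which is the part to extend when a new kind of variable field (session IDs, interface names) keeps splitting one event into many templates.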


Re: Google DNS intermittent ServFail for Disney subdomain

2017-10-20 Thread Michael Loftis
None of the NS records/delegations are in agreement.  com delegations
don't agree with authoritative in disney.com, and disney.com's
delegations don't agree with studio.disney.com's NSen.

On Fri, Oct 20, 2017 at 7:35 AM, Christopher Morrow
 wrote:
> On Fri, Oct 20, 2017 at 1:10 AM, David Sotnick 
> wrote:
>
>> Well well, it looks like a Direct Connect circuit to Google was leaking the
>> route to this DMZ 153.7.233.0/24 back to Google via BGP.
>>
>> Return traffic from Google (for only some fraction of DNS queries) was
>> passing back across this leaked route, and being dropped on this Direct
>> Connect peering point at Disney.
>>
>> Gotta love it when a problem is solved, by the OP, within an hour of
>> resorting to mailing the NANOG community.
>>
>>
>
> This shows some issues as well, I think?
> http://dnsviz.net/d/studio.disney.com/servers/
>
> $  dig NS disney.com
>
> ;; ANSWER SECTION:
> disney.com. 4676 IN NS huey11.disney.com.
> disney.com. 4676 IN NS huey.disney.com.
> disney.com. 4676 IN NS Orns02.dig.com.
> disney.com. 4676 IN NS Orns01.dig.com.
> disney.com. 4676 IN NS Sens02.dig.com.
> disney.com. 4676 IN NS Sens01.dig.com.
>
> $ dig NS studio.disney.com @huey11.disney.com.
> ;; AUTHORITY SECTION:
> studio.disney.com. 600 IN NS wallyb.pixar.com.
> studio.disney.com. 600 IN NS andre.pixar.com.
> studio.disney.com. 600 IN NS cliff.studio.disney.com.
> studio.disney.com. 600 IN NS norm.studio.disney.com.
>
> $ for d in $(dig +short NS disney.com); do dig +short SOA disney.com @$d;
> done
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
> huey.disney.com. root.huey.disney.com. 2017102000 3600 900 360 3600
>
> $ for d in $(dig +short NS studio.disney.com); do dig +short SOA
> studio.disney.com @$d; done
> cliff.studio.disney.com. admin.studio.disney.com. 2017101904 10800 3600
> 604800 86400
> cliff.studio.disney.com. admin.studio.disney.com. 2017101904 10800 3600
> 604800 86400
> cliff.studio.disney.com. admin.studio.disney.com. 2017101904 10800 3600
> 604800 86400
> cliff.studio.disney.com. admin.studio.disney.com. 2017101904 10800 3600
> 604800 86400
> cliff.studio.disney.com. admin.studio.disney.com. 2017101904 10800 3600
> 604800 86400
>
> it looks like the second-level and third-level don't agree with each other
> on whom should be the NS for the third-level?
>
> that shouldn't be fatal, but is something to cleanup.
>
>
> Thanks all, nothing to see here!
>>
>> -David
>>
>> On Thu, Oct 19, 2017 at 8:41 PM, David Sotnick 
>> wrote:
>>
>> > Hi Nanog,
>> >
>> > I am principal network engineer for sister-studio to Disney Studios. They
>> > have been struggling with DNS issues since Thursday 12th October.
>> >
>> > By all accounts it appears as though *some* of the Google DNS resolvers
>> > cannot reach the authoritative nameservers for "studio.disney.com".
>> >
>> > This is causing ~20-30% of all DNS requests against Google Public DNS
>> > 8.8.8.8 / 8.8.4.4 to fail for requests in this subdomain.
>> >
>> > The name servers reside in 153.7.233.0/24.
>> >
>> > Might someone be able to *connect me* with someone at Google to assist my
>> > poor colleagues who are banging their heads against a brick wall here.
>> >
>> > Thank you,
>> > David
>> >
>>



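
The mismatch called out above is mechanical to check, and an added example of doing so follows (example code for this page, not anything run by Google, Disney or the thread participants). It parses the kind of dig output quoted in the thread, compares the NS set the parent publishes for a zone with the NS set the zone's own servers publish, flags in-bailiwick servers that need glue, and groups the SOA serials each server returns so a stale copy stands out. The input is constructed with example.com/example names of the same shape as the thread's output, not Disney's real records; for real use, feed it `dig NS zone @parent-server` and `dig NS zone @child-server` output.

```python
import re

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|SOA)\s+(.+?)\s*$", re.I)


def parse_dig(text):
    """Pull (owner, type, rdata) out of dig ANSWER/AUTHORITY lines.  Names are
    lowercased because DNS compares them case-insensitively (Orns02.dig.com
    and orns02.dig.com in the thread are the same server)."""
    rrs = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            rrs.append((m.group(1).lower(), m.group(2).upper(), m.group(3).lower()))
    return rrs


def ns_set(rrs, zone):
    return {rdata for owner, rtype, rdata in rrs if rtype == "NS" and owner == zone}


def delegation_report(zone, parent_view, child_view):
    """Compare the delegation the parent hands out with the NS RRset the zone's
    own servers publish.  A server listed only in the parent still receives a
    share of resolver queries; if it is not authoritative, that share fails,
    which is what intermittent SERVFAIL from a large resolver looks like."""
    parent_ns = ns_set(parse_dig(parent_view), zone)
    child_ns = ns_set(parse_dig(child_view), zone)
    return {
        "consistent": parent_ns == child_ns,
        "only_in_parent": sorted(parent_ns - child_ns),
        "only_in_child": sorted(child_ns - parent_ns),
        # Servers named inside the zone itself need A/AAAA glue in the parent.
        "need_glue": sorted(n for n in parent_ns if n.endswith("." + zone)),
    }


def soa_serial_report(per_server_soa):
    """per_server_soa: {server: 'dig +short SOA' output}.  Returns
    {serial: [servers]} so a server still serving an old copy stands out."""
    by_serial = {}
    for server, soa in per_server_soa.items():
        serial = int(soa.split()[2])
        by_serial.setdefault(serial, []).append(server)
    return {s: sorted(v) for s, v in sorted(by_serial.items())}


# Constructed sample in the shape of the thread's dig output (example names).
ZONE = "studio.example.com."
PARENT_VIEW = """\
;; AUTHORITY SECTION:
studio.example.com. 600 IN NS Wallyb.partner.example.
studio.example.com. 600 IN NS andre.partner.example.
studio.example.com. 600 IN NS cliff.studio.example.com.
studio.example.com. 600 IN NS norm.studio.example.com.
"""
CHILD_VIEW = """\
;; ANSWER SECTION:
studio.example.com. 86400 IN NS cliff.studio.example.com.
studio.example.com. 86400 IN NS norm.studio.example.com.
studio.example.com. 86400 IN NS andre.partner.example.
"""
SOAS = {
    "cliff.studio.example.com.": "cliff.studio.example.com. admin.studio.example.com. 2017101904 10800 3600 604800 86400",
    "norm.studio.example.com.": "cliff.studio.example.com. admin.studio.example.com. 2017101904 10800 3600 604800 86400",
    "andre.partner.example.": "cliff.studio.example.com. admin.studio.example.com. 2017101800 10800 3600 604800 86400",
}

if __name__ == "__main__":
    print(delegation_report(ZONE, PARENT_VIEW, CHILD_VIEW))
    print(soa_serial_report(SOAS))
```

Run the same comparison one level up (com's delegation of the second-level zone against that zone's own NS RRset) to cover the first of the two disagreements noted above; the function does not care which level it is given.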


Re: Moving fibre trunks: interruptions?

2017-09-01 Thread Michael Loftis
If it is in the railroad RoW they may be restricted to daylight working
only. Check with your provider or OSP crew.




Re: BCM5341x

2016-12-24 Thread Michael Loftis
The chip really doesn't even function as an Ethernet switch by itself...all
of the behavior is software driven. It's the ... actualization of "software
defined networking" -- It provides a lot of low level constructs inside the
hardware to support your application, but it's really a software defined
switch.

It has many programmable offload functions the idea being you do not handle
packets on the onboard CPU.

ContentAware is their term for L4-L7, I believe; I don't think it's much more
than simple pattern matching in the hardware and can be used to apply as
ACL or drive QoS decisions.

The chip can do things like handle limited v4/v6 lookups and routing (but
it's not going to do ARP response... nor LACP...)

It has a huge number of integrated hardware counters, lots are built in but
you can count basically anything the hardware can match (which is basically
anything you can describe in a stateless manner).

So s-flow... probably in hardware it can be programmed to do most or all of
it as it's largely copying a buffer into a header but I don't have the data
sheets so couldn't say for sure.

MCLAG/MLAG, sure, that's software directed and behaves exactly like LACP
or static lag down at the hardware. Really the hardware doesn't much care
as that all exists above it in the control plane.

I'm not clear at all what depth of v4/v6 classification they support - but
that's usually the basics of QoS and calling it out specifically is
marketing wankery I think.

How big the tables can get I don't know. Nearly two decades ago they had 2k
in the L3 space with 8K in L2 on 24x100+2x1G ... so I can't imagine it's
less than that for table sizes :)  probably like 8k/4K entries range as the
RAMs and TCAMs haven't scaled up in speed very well.

On Sat, Dec 24, 2016 at 15:52 Mike Hammett  wrote:

> I've asked Broadcom directly, but being as though I don't have an intent
> to buy tens of thousands of chips (or any at all), I don't expect I'll hear
> back. I was hoping someone here would have some insight.
>
>
>
> Do any of you know what functionality is available on those chips? That's
> the chip that powers the Ubiquiti 10G switches and I figured I would limit
> my most aggressive feature requests to things they can actually deliver
> with the platform as is.
>
>
>
> Other than things you just assume a managed switch has like 802.1p and
> 802.1q, it mentions an advanced ContentAware™ Engine (which means?),
> IEEE1588 (sync over Ethernet), 802.1ag (OAM stuff), "Enhanced DoS attack
> statistics gathering" (which means?), "IPv4/IPv6 L3 packet classification"
> (which means?), etc.
>
>
>
> I'm sure there's an array of things to ask about, but MLAG and S-Flow are
> at the top of my list at the moment.
>
>
>
>
> https://www.broadcom.com/products/ethernet-connectivity/switch-fabric/bcm5341x/
>
>
>
>
>
>
>
>
>
> -
>
> Mike Hammett
>
> Intelligent Computing Solutions
>
>
>
> Midwest Internet Exchange
>
>
>
> The Brothers WISP
>
>
>
>


Re: 10G switch drops traffic for a split second

2016-11-29 Thread Michael Loftis
Yeah you also have to look for not so obvious things like MAC Pause
frames sent/received...QoS counters, all sorts of VERY platform
specific stuff.  Right royal pain, especially since some do not expose
these statistics at all.

On Tue, Nov 29, 2016 at 3:10 PM, Peter Beckman  wrote:
>
> On Tue, 29 Nov 2016, TJ Trout wrote:
>
>> I plan on disabling FC on everything tonight, I've done that before but I
>> want to be sure.
>>
>> Anything that can be done about the 2 x 1G peers trunking to the 10G
>> router
>> transition that can be fixed? should I be rate limiting the vlan for the
>> peers at 1G so the 10G router isn't trying to send more than 1G?
>
>
>  This thread reminded me of a blog post that struck me as useful 5 years
>  ago, and again today. Measuring throughput, when dealing with buffers and
>  troubleshooting errors and packet loss, must be done at a sub-one-second
>  sampling rate.
>
>  http://blog.serverfault.com/2011/06/27/per-second-measurements-dont-cut-it/
>
> Beckman
> ---
> Peter Beckman  Internet Guy
> beck...@angryox.com http://www.angryox.com/
> ---





Re: 10G switch drops traffic for a split second

2016-11-29 Thread Michael Loftis
Yes it is absolutely possible to overrun the buffers.  Any kind of
backpressure (FC) from hosts, or 10G->1G transitions can easily cause
it.  Even if in a 10s window you're not over 1G, if the 10G sender
attempts to send too many frames back to back (like, say, sendfile()
API type calls) BOOM, dropping frames in the switch.

On Tue, Nov 29, 2016 at 1:28 PM, TJ Trout  wrote:
> Luke;
>
> All l2, no l3. only 4 vlans. 2 peers trunked to a router which trunks back
> to 2 devices (microwave backhauls).
>
> Chuck;
>
> All ports are 10g except the 2 peers are 1g and trunk back to a 10g port
> for the router wan
>
> No TCN's
>
> Brian;
>
> I have tried a IBM G8124 and a Ubiquiti ES-16-XG both show same exact drops
> across all ports, makes me think it's a config issue. MTU, FC, something.
>
> Andrew;
>
> I have tried with FC disabled, but I will try that one more time.
>
> Mikael;
>
> Is it possible to over run the buffers of a 320gbps backplane switch with
> only 1.5gbps traffic? I think the switch is rated for 140m PPS and I'm only
> pushing 100k PPS
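
An added example of the overrun just described, written for this page (it is not vendor code and is not tied to the IBM or Ubiquiti switches mentioned): a fluid model of one egress port with a fixed buffer, fed a burst of frames that arrive back to back at 10G line rate while the egress runs at 1G. Frame count, buffer sizes and line rates are assumptions chosen to be realistic. What it shows is that the same 1.5 MB of traffic either drops or passes depending only on its spacing in time, and that a counter sampled over the window reports about 1.2 Mbit/s either way.

```python
from dataclasses import dataclass


@dataclass
class EgressStats:
    delivered: int
    dropped: int
    peak_queue_bytes: int
    offered_bps_over_window: float   # what a counter sampled over the window reports


def simulate_egress(arrivals, frame_bytes, egress_bps, buffer_bytes, window_seconds):
    """Fluid model of one egress port: frames arrive at the given times (in
    seconds, sorted), the port drains at egress_bps, and any frame that would
    push the queue past buffer_bytes is tail-dropped.  Pause frames and QoS
    queues are ignored; this is the simplest case that already drops."""
    queue = 0.0
    last_t = arrivals[0] if arrivals else 0.0
    delivered = dropped = 0
    peak = 0.0
    for t in arrivals:
        queue = max(0.0, queue - (t - last_t) * egress_bps / 8)   # drained meanwhile
        last_t = t
        if queue + frame_bytes > buffer_bytes:
            dropped += 1
        else:
            queue += frame_bytes
            delivered += 1
            peak = max(peak, queue)
    offered = len(arrivals) * frame_bytes * 8 / window_seconds
    return EgressStats(delivered, dropped, int(peak), offered)


def burst_arrivals(n_frames, frame_bytes, ingress_bps, start=0.0):
    """n_frames back to back at ingress line rate: what a sendfile()-style
    transmit from a fast host looks like on the wire."""
    gap = frame_bytes * 8 / ingress_bps
    return [start + i * gap for i in range(n_frames)]


def spread_arrivals(n_frames, window_seconds, start=0.0):
    """The same frames spaced evenly over the window."""
    return [start + i * window_seconds / n_frames for i in range(n_frames)]


if __name__ == "__main__":
    FRAME, INGRESS, EGRESS, WINDOW = 1500, 10e9, 1e9, 10
    burst = burst_arrivals(1000, FRAME, INGRESS)
    for label, buf in (("256 KiB buffer", 256 * 1024), ("2 MiB buffer", 2 * 1024 * 1024)):
        s = simulate_egress(burst, FRAME, EGRESS, buf, WINDOW)
        print(f"burst, {label}: delivered={s.delivered} dropped={s.dropped} "
              f"peak_queue={s.peak_queue_bytes}B "
              f"offered={s.offered_bps_over_window / 1e6:.1f} Mbit/s")
    s = simulate_egress(spread_arrivals(1000, WINDOW), FRAME, EGRESS, 256 * 1024, WINDOW)
    print(f"spread over {WINDOW}s: delivered={s.delivered} dropped={s.dropped}")
```

At 10G a 1500-byte frame lands every 1.2 µs while the 1G egress drains only 150 bytes in that time, so the queue grows by roughly 1350 bytes per frame; a 256 KiB buffer is full after about 190 frames and the rest of the burst is mostly dropped, while the same burst fits in a 2 MiB buffer and the same frames spread over ten seconds never queue at all. The interesting quantity is the peak queue depth, which only sub-second sampling (or the switch's own drop counters, where it exposes them) can reveal.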


Re: [c-nsp] SFP DOM SNMP Polling?

2016-11-22 Thread Michael Loftis
On Tue, Nov 22, 2016 at 6:32 AM, Tim Durack  wrote:
> I have a vendor that does not support SFP DOM SNMP polling. They state this
> is due to EEPROM read life cycle. Constant reads will damage the SFP.

Complete and total garbage.  Reading from EEPROM and Flash both DO NOT
WEAR.  It is the erase+write cycle that wears them.  Further, typical
EEPROM life cycle is ~1M erase/write cycles.  If you wrote it every
minute you could conceivably wear it out in a couple years...but that's
flat out not how it works.  The EEPROM, if any, is not going to be
used for statistics data...maybe fail counts of some kind, lifetime
(hours) maybe...that sort of thing.


>
> We SNMP poll SFP DOM from Cisco equipment without issue.
>
> Not heard this one before. Trying to see if there is some validity to the
> statement. Thoughts?
>
> Tim:>
> ___
> cisco-nsp mailing list  cisco-...@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/





Re: Standard terminology for a dark fiber path?

2016-02-25 Thread Michael Loftis
IDK what elsewhere uses but strand or (less common) span is the common
term I've seen specifically for a passive piece of glass between two
points.

On Wed, Feb 24, 2016 at 12:55 PM, Fletcher Kittredge  wrote:
> What is the standard terminology for strands of dark fiber spliced together
> to form a continuous path between points A and Z?
>
> I have seen:
>
>- *fiber circuit* [but also seen used to denote a connection at the
>network layer over a physical fiber connection. This definition of circuit
>would include the dark fiber path, the transmitters and receivers and logic
>making up the data and network layers.]
>- *fiber loop *[ Does a loop define an electrical circuit with two
>physically separate positive and negative strands? In that case, is this a
>Bellhead remnant? ]
>
> I am particularly interested in last mile systems, but I don't see any
> reason that the term wouldn't be the same in the middle mile.
>
> thanks,
> Fletcher
>
> --
> Fletcher Kittredge
> GWI
> 8 Pomerleau Street
> Biddeford, ME 04005-9457
> 207-602-1134





Fw: new message

2015-10-25 Thread Michael Loftis
Hey!

 

New message, please read <http://startyourdaywithgenius.com/manner.php?lomvd>

 

Michael Loftis



Re: Bandwidth estimation question

2015-10-03 Thread Michael Loftis
On Friday, October 2, 2015, Dylan Ambauen  wrote:

> ...
> Enjoy a worldwide caching reverse proxy with limitless resources, priced
> per page view. Maybe someone can recommend a IPv6 capable CDN service.
>
>
Cloudflare. Also does IPv6 on the client facing side while doing IPv4 to
you.






Re: Level3 NOC Contact

2015-06-26 Thread Michael Loftis
AFAIK there's no longer any way to get their attention unless you're a
customer AND have signed up for their online portal system at
https://my.level3.com/ - and I wouldn't expect anything stellar
then either. You'll likely have to do your own troubleshooting through them
as my recent experiences have shown little to no clue or assistance from
them. They were happy to do as asked but weren't able, or willing, or
whatever to do anything on their own. Make certain you get the problem
category right too or you'll be stuck in the wrong team without any of them
telling you that.



On Friday, June 26, 2015, Nathanael C. Cariaga 
nathanael.cari...@adec-innovations.com wrote:

> Hi,
>
> Any Level3 NOC contacts on the list?  Our link in Irvine has been on and
> off for a few minutes already.  Would appreciate replies offline..
>
>
> Thanks!
>
> -nathan





Re: Google's Safe Browsing Alerts for Network Administrators

2015-01-08 Thread Michael Loftis
My problem with Google's Safe Browsing alerts is that from the admin
side they rarely are useful/useable.  They make a big loud noisy
complaint without ANYTHING to substantiate what the issue is to
correct it.  You're left searching your own site trying to figure out
what in the heck it's complaining about.

On Thu, Jan 8, 2015 at 3:54 PM, Frank Bulk frnk...@iname.com wrote:
> I want to make this forum aware of Google's Safe Browsing Alerts for
> Network Administrators (https://www.google.com/safebrowsing/alerts/).  I've
> had a link to their diagnostic page for several years
> (https://www.google.com/safebrowsing/diagnostic?site=AS:hl=it-it, where
>  is your ASN), but I didn't know that Google actually had a way to alert
> ASN owners of new incidents.  I checked NANOG's archive and haven't ever
> seen it mentioned, so I thought there might be more like me that weren't
> aware.
>
> And while I'm on the subject, I want to make people aware of a somewhat
> related service by ShadowServer
> (https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwor
> k).
>
> Frank






Re: Keeping Track of Data Usage in GB Per Port

2014-10-15 Thread Michael Loftis
IPDR under DOCSIS and generally RADIUS or TACACS(+) for DSL. Unclear
personally about fiber/FiOS deployments (never been near enough to know)

Flow (sflow, nflow, ipfix, etc) generally doesn't scale and is woefully
inaccurate.

On Wednesday, October 15, 2014, Colton Conor colton.co...@gmail.com wrote:

> I see in past news articles that cable companies are inaccurately
> calculating customers' data usage for their online GB of usage per month. My
> question is how do you properly determine how much traffic in bytes a port
> passes per month? Is it different if we are talking about an ethernet port
> on a cisco switch vs a DSL port on a DSLAM for example? I would think these
> access switches would have some sort of stat you can count similar to a
> utility meter reader on a house. See what it was at last month, see what it
> is at this month, subtract last month's from this month's, and the difference
> is the total amount used for that month.
>
> Why are the cable companies having such a hard time? Is it hard to
> calculate data usage per port? Is it done with SNMP or some other method?
>
> What is the best way to monitor a 48 port switch for example, and know how
> much traffic they used?
>
>
> https://gigaom.com/2013/02/07/more-bad-news-about-broadband-caps-many-meters-are-inaccurate/



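Added example, not from the thread: the "utility meter" approach from the question, reading an interface octet counter at intervals and subtracting, together with the two things that make such a meter wrong, counter wrap and counter reset on reboot. The readings below are constructed, not real device data.

```python
# Per-port byte accounting from periodic reads of an interface octet counter
# (an ifInOctets/ifHCInOctets style value). Sample readings are constructed.

COUNTER32 = 32
COUNTER64 = 64


def counter_delta(prev, curr, width_bits=COUNTER64):
    """Octets moved between two readings of a monotonically increasing SNMP
    counter, assuming at most one wrap happened in between."""
    if curr >= prev:
        return curr - prev
    return (1 << width_bits) - prev + curr


def seconds_to_wrap(width_bits, link_bits_per_second):
    """Worst-case time for the counter to wrap on a saturated link. Poll more
    often than this, or a wrap becomes indistinguishable from a small delta
    and the meter silently under-counts (about 34 s for a 32-bit counter on
    a 1 Gbit/s port)."""
    return (1 << width_bits) / (link_bits_per_second / 8)


def usage_from_samples(samples, width_bits=COUNTER64):
    """samples: [(sysuptime_seconds, octets), ...] in poll order.
    An uptime decrease means the device restarted and the counter went back
    to zero, so only the octets counted since the restart are known; whatever
    passed between the last poll and the restart is lost. Returns
    (total_octets, resets_seen) so the caller knows how trustworthy the total is."""
    total, resets = 0, 0
    for (up0, c0), (up1, c1) in zip(samples, samples[1:]):
        if up1 < up0:
            resets += 1
            total += c1
        else:
            total += counter_delta(c0, c1, width_bits)
    return total, resets
```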


Re: GApps admin = rogered

2014-10-09 Thread Michael Loftis
This is 4-5 minutes after the OP emailed

On Thursday, October 9, 2014, Mitch Patterson via Outages 
outa...@outages.org wrote:

> Shows an issue to me
>
> Time    Description
> 10/9/14 7:11 PM
> We're investigating reports of an issue with Admin console. We will
> provide more information shortly.
> Users are seeing the Admin console refresh continuously on loading.
>
> On Thu, Oct 9, 2014 at 7:07 PM, Blair Trosper via Outages
> outa...@outages.org wrote:
>
> > Just a heads up to our friends at Google Apps.
> >
> > Despite the status page saying all is peachy:
> > http://www.google.com/appsstatus#hl=env=status
> >
> > ...the administration page for any Google Apps for domains is totally
> > rogered.  It's either an endless redirect loop or a deluge of errors.
> >
> > I'd call for premium support, but I can't even see that.
> >
> > Again, a friendly heads up and nudge that perhaps the status page should
> > at least be updated to reflect the fact that it's non-operational.
> >
> > ___
> > Outages mailing list
> > outa...@outages.org
> > https://puck.nether.net/mailman/listinfo/outages






Re: Link Layer Filtering not supported on popular equipment?

2014-03-27 Thread Michael Loftis
On Wed, Mar 26, 2014 at 9:08 AM, hasser css hasserva...@gmail.com wrote:
> Is there any common equipment that doesn't support this kind of filtering?
> I have no access to the switches where I work (I am just a CS agent at a
> smaller service provider), but my boss tells me that they do not support
> doing this... however, I do not believe this at all. I think that all the
> switches are all from Dell. Issues are happening as some customers
> accidentally have rogue DHCP servers running from their routers being
> connected improperly, and his only solution to this issue is to disable the
> switch port instead of simply preemptively filtering out this.
>
> Any insight? Regards.

The supported options vary within the PowerConnect product line.  So
it depends entirely on WHAT exact switch.  Some do support DHCP
snooping like that, some don't.  Even with it on it can create its
own problems; on the 6248 f/ex this causes the DHCP replies from
trusted ports to always get copied to the CPU so it can inspect them
and create its VLAN+MAC+IP bindings databases.  All untrusted port
DHCP traffic gets punted to CPU.  The gist is that this can open up a
potential DoS attack on the switch, or, even without that, the DHCP
traffic might be too high for the switch to manage.

Similar issues with ACLs.  There are some options in Cisco (not
certain if any of Dell's products have this) that basically keep ports
from talking to each other, but allow them to talk to the upstream port
(usually a router that can then enforce deeper ACLs and such).

All of these additional protection/security methods can have their
drawbacks for any particular environment, assuming the hardware even
supports them.




Re: Dell Power Volt 124T software

2014-03-13 Thread Michael Loftis
Basically anything. It works as a standard SCSI tape changer device using
mtx, mt, and your favorite archiving software, tar, Amanda, bacula, arkeia,
many others.

On Thursday, March 13, 2014, Maxime Godonou Dossou godomu...@gmail.com
wrote:

> Hello all
> I just want to know if someone here is using Dell Power Volt 124T as tape
> backup.
> I just got it but I would like to use Linux redhat 6.3 server as OS on my
> backup server.
> Can you tell me if you know any open source software I can use to drive it.
>
> Sent from IPad





Re: As path for Junos

2014-03-07 Thread Michael Loftis
http://www.juniper.net/techpubs/en_US/junos13.3/topics/usage-guidelines/policy-configuring-as-path-regular-expressions-to-use-as-routing-policy-match-conditions.html

There's no backref support in the regex subset that juniper has chosen
to implement, see
http://juniper.cluepon.net/index.php/ER_Detect_AS-PATH_prepends

- and I don't think Juniper has gone anywhere with that engineering request.

On Fri, Mar 7, 2014 at 3:31 AM, Marco Paesani ma...@paesani.it wrote:
> Hi Everyone,
> I need help to transform this Cisco IOS command:
>
> ip as-path access-list 50 permit _([0-9]+)_\1_\1_
>
> in Juniper JUNOS policy-options.
> Best regards,
> Marco
> M. +39 348 6019349



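Added example, my code rather than anything from the thread or from either vendor: what the IOS access-list in Marco's question actually matches, reproduced in Python, next to the off-box and spelled-out alternatives you are pushed to when a policy regex dialect has no backreferences.

```python
import re
from itertools import groupby

# The IOS access-list from the thread, _([0-9]+)_\1_\1_, permits a path in
# which some ASN occurs three times in a row (a 3x prepend). IOS's "_" stands
# for a separator or a path boundary; lookarounds play that part here so an
# ASN is only ever matched whole (174 must not match inside 1174).
IOS_TRIPLE_PREPEND = re.compile(r"(?<!\d)(\d+)(?: \1){2}(?!\d)")


def matches_ios_acl_50(as_path: str) -> bool:
    """True if 'ip as-path access-list 50' above would permit this path string."""
    return IOS_TRIPLE_PREPEND.search(as_path) is not None


def find_prepends(as_path: str, min_repeats: int = 2):
    """Backreference-free version, as you would run it off-box over a RIB dump:
    every run of a repeated ASN as (asn, run_length) for runs of at least
    min_repeats. Tokens are compared as strings so AS sets such as
    '{65001,65002}' pass through untouched."""
    runs = []
    for asn, grp in groupby(as_path.split()):
        n = len(list(grp))
        if n >= min_repeats:
            runs.append((asn, n))
    return runs


def explicit_prepend_pattern(asn: str, repeats: int) -> str:
    """The on-box workaround when the policy dialect has no backreferences:
    spell the ASN out, one pattern per ASN you care about (your own, your
    customers'). Returned here as a Python regex with the same boundary
    handling as IOS_TRIPLE_PREPEND; translating it into a particular router's
    policy syntax is left to the reader."""
    if not asn.isdigit() or repeats < 1:
        raise ValueError("asn must be numeric and repeats >= 1")
    return rf"(?<!\d){asn}(?: {asn}){{{repeats - 1}}}(?!\d)"


def explicit_pattern_matches(asn: str, repeats: int, as_path: str) -> bool:
    """Apply explicit_prepend_pattern() to one AS path string."""
    return re.search(explicit_prepend_pattern(asn, repeats), as_path) is not None
```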



Re: Peering issue - Possible Juniper to Cisco issue

2014-02-28 Thread Michael Loftis
On Fri, Feb 28, 2014 at 8:58 AM, Philip Lavine source_ro...@yahoo.com wrote:
> To all,
>
> I (ASR1001) had an experience recently where the Telco (Juniper) told me that
> I was sending them 1000+ routes when I attempted to re-establish a BGP
> session; subsequently they would not allow this and they refused the session.
>
> I had no sync on and a prefix list so I was advertising only one route. Even
> though I hard reset the session on my end the Telco for some reason kept
> seeing me send the routes. I finally called them and had them reset their end
> and the session came up right away.
>
> What the ...

If you leaked once and they have a teardown setup on the Juniper end
w/o a timeout, it won't let the neighbor reconnect until the session
is cleared.  I've seen in IOS 15.x just a few days ago where it had
stuck advertising routes that it shouldn't be, though that was between
two Sup720 based pieces of gear, so probably unrelated (just a data
point that it can/does happen in IOS in general where it's advertising
routes that it insists it isn't)



> thx
>
> Philip







Re: Leap Second

2013-07-02 Thread Michael Loftis
On Tue, Jul 2, 2013 at 7:23 AM, Todd S t...@borked.ca wrote:

> We found we got leap seconds added on some systems over the weekend.  There
> were no leap seconds planned (
> http://www.usno.navy.mil/USNO/earth-orientation/leap-second-announcement),
> however some of our systems got one.
>
> We run our own s2/s3/s4 system, with only the s2s going to the Internet.
> We have about 20 servers defined there, but looking through the logs, I
> can't figure out which one(s) may have been advertising the leap second.  I
> went through all our systems on Friday and Saturday to check for the leap
> bit, but had nothing, so it must have come out on Sunday.
>
> Anyone else run in to this, or have any further intel about servers that
> advertised the leap second?


Had a leap happen here on the 30th.  My stratum 1 source is a CDMA
timekeeper, I'll ping the operator of it and see if he knows anything or if
it logged anything.  It's probably not isolated at all since all my S2
machines have some diversity in alternate time sources but still took the
leap second.



> Cheers,
>
> Todd.






Re: Leap Second

2013-07-02 Thread Michael Loftis
On Tue, Jul 2, 2013 at 7:35 AM, Michael Loftis mlof...@wgops.com wrote:



> Had a leap happen here on the 30th.  My stratum 1 source is a CDMA
> timekeeper, I'll ping the operator of it and see if he knows anything or if
> it logged anything.  It's probably not isolated at all since all my S2
> machines have some diversity in alternate time sources but still took the
> leap second.


OK he's checked, nothing unusual in logs...data on the box matches NOAA
site (16 leaps, 16 future) - and pool.ntp.org/scores thinks that it's all
OK/well within norms.




Re: PDU recommendations

2013-06-23 Thread Michael Loftis
Personally have gotten sick of dealing with basically every other
vendors PDU out there but APC.  APC PDUs may not have every whiz-bang
feature but they work.  SNMP or SSH pretty solid.  You still probably
want them on a closed management network but problems even in the wild
'net with port 22 open in my experience have been rare.  Management
software upgrades are generally live, load left on/undisturbed.  I
still schedule them for downtime but (knock on wood) nothing in the
last 6-7 years has caused an outage.



Re: PDU recommendations

2013-06-23 Thread Michael Loftis
No, I only use APC anymore for PDUs.  It's the others I've dealt with
I don't like.  There's quite a few I've never used but after the
painfully expensive experiences I've had with Tripp-Lite, Bay tech,
MGE (though I think they're part of Schneider or APC now), Liebert
(which at the time looked suspiciously the same as the Tripp-Lite's
but with a bigger price tag), and a couple others I'm certainly
forgetting.

I'd heard there were some bad batches that were DOA from APC, but
haven't personally experienced any myself.  I've had a couple
management cards in Symmetra LXes fail, and that same Symmetra chassis
had a power/inverter/charger module fail around the same time.

On Sun, Jun 23, 2013 at 9:13 AM, Nick Khamis sym...@gmail.com wrote:
> Hello Michael, does that mean you do not employ PDUs in your network?
> I.e., found a UPS with sufficient number of outlets in the back. With
> that in mind, could you make a recommendation for such a UPS-direct
> for a VM environment.
>
> Kind Regards,
>
> Nick.






Re: OC3/STM-1 Line Card

2013-06-09 Thread Michael Loftis
Most modern gear can go all the way to individual DS0's in a single
card without a MUX of any kind.  OC3/STM-1 is only like 155mbit.

On Sun, Jun 9, 2013 at 10:13 AM, Phil Fagan philfa...@gmail.com wrote:
> Don't you need to drop DS0's out of that STM for signaling?
>
>
> On Sat, Jun 8, 2013 at 9:58 AM, Nick Khamis sym...@gmail.com wrote:
>
> > Hello Everyone,
> >
> > Anyone know of a way of bypassing the 90K audiocodes mediant 3000
> > equipped for STM-1 interface using line cards and a linux box :).
> >
> > What we are looking to do is replace our traditional ISDN DS3 equipped
> > for voice using an STM-1/OC3 backbone and our own put together linux
> > box. Again, this will be used for voice signaling...
> >
> > Kind Regards,
> >
> > Nick.
>
>
>
>
> --
> Phil Fagan
> Denver, CO
> 970-480-7618






Re: Data Center Installations

2013-05-01 Thread Michael Loftis
On Wed, May 1, 2013 at 4:33 PM, Mike Lyon mike.l...@gmail.com wrote:
> For bulk velcro, I found Uline to be fairly cheap.

I have to ask, is this an April fools joke?  ULine isn't cheap for
anything.  Monoprice, $13, around $25 delivered depending on where
you're at and how you ship it, for 5x black hook and loop 5yd per
roll... vs. ULine $28 (1x black hook and loop 75') and probably about
same SH.  No easy way to get them to quote SH but last time I
ordered from them (they're about the only place to get some stuff)
ULine is over 2x as much.  Oh and Monoprice has it in quite a few
colors if you don't care for black.  If you're going for pre-made
cable wrap type stuff it's a bit more, but still half or less than
ULine.

ULine is definitely a supplier of last resort, but they've got a lot
of different stuff.



Comcast NOC - issues to/from AS13331 (Seattle)

2013-04-22 Thread Michael Loftis
Comcast doesn't appear to have any usable NOC contacts via whois, and
this issue is apparently very widespread.  Comcast obviously has
multiple saturated paths out in this area, so if you're seeing issues
getting to your customers on Comcast...well, it's probably Comcast.
Sort of an ongoing/me too on last months thread about same...


Outbound traffic to Comcast via basically any of our (AS13331)
upstreams except Spectrum (AS11404) is experiencing very high packet
loss once inside Comcast's network, we suspect a router or link very
near to us in Seattle is failing.  I've marked out the destination
customer IPs but they're available to Comcast engineers if they get in
touch with me directly or as n...@metapeer.com -- TIA  -- and again,
sorry to the list.

Below are three failing/high loss traces, and then same three traces
from our other DC which is routing out via spectrum.  The loss is
present on Cogent and L3 outgoing paths at the least, maybe others.
As of now I've routed around the problem point for via the good path.

fission:~# mtr -s 900 --report --report-cycles 30 1.2.3.4
fission.myfreecams.comSnt: 30Loss%  Last   Avg  Best  Wrst StDev
ve75-gw1-xmr.metapeer.com 0.0%   0.4   1.4   0.3  11.8   2.9
te0-7-0-15.ccr21.sea02.atlas.cogentco.com 0.0%   0.9   0.6   0.5   0.9   0.1
te-0-5-0-3-pe03.seattle.wa.ibone.comcast.net  6.7%  43.7  42.3  38.8  43.7   1.4
be-13-cr01.seattle.wa.ibone.comcast.net   3.3%  47.7  44.6  41.3  47.7   1.8
pos-0-7-0-0-cr01.denver.co.ibone.comcast.net  3.3%  69.4  68.7  65.0  71.3   1.5
he-5-15-0-0-cr01.350ecermak.il.ibone.comcast  6.7%  92.6  97.3  91.4 102.0   3.8
he-3-15-0-0-ar01.woburn.ma.boston.comcast.ne 10.0% 120.3 119.8 116.3 122.0   1.8
pos-0-1-0-0-ar01.needham.ma.boston.comcast.n  0.0% 122.0 120.5 117.1 123.9   1.8
po-80-ur01.deering.nh.boston.comcast.net  0.0% 121.4 121.3 118.3 133.8   2.8
po-21-ur01.concord.nh.boston.comcast.net  6.7% 119.6 130.1 119.3 272.8  31.8
te-1-0-0-ten01.concord.nh.boston.comcast.net  6.7% 118.7 120.0 117.6 121.4   1.3
???  100.0   0.0   0.0   0.0   0.0   0.0
You have new mail in /var/spool/mail/root
fission:~# mtr -s 900 --report --report-cycles 30 5.6.7.8
fission.myfreecams.comSnt: 30Loss%  Last   Avg  Best  Wrst StDev
ve75-gw1-xmr.metapeer.com 0.0%   0.3   0.6   0.3   5.2   0.9
te0-7-0-15.ccr21.sea02.atlas.cogentco.com 0.0%   0.8   0.6   0.5   0.8   0.1
te-0-5-0-3-pe03.seattle.wa.ibone.comcast.net  0.0%  41.4  42.6  38.5  43.8   1.3
be-13-cr01.seattle.wa.ibone.comcast.net   0.0%  45.6  44.1  40.4  46.7   1.8
pos-0-8-0-0-cr01.denver.co.ibone.comcast.net  6.7%  71.2  69.0  65.0  72.1   1.9
he-5-12-0-0-cr01.350ecermak.il.ibone.comcast  3.3%  98.1  96.3  86.4 101.2   3.9
he-0-15-0-0-ar01.pontiac.mi.michigan.comcast 10.0%  93.5  97.3  93.5 100.6   2.3
xe-11-0-0-0-sur01.rochestrhlls.mi.michigan.c  0.0%  97.2  99.1  92.9 141.8  10.4
te-17-10-cdn05.rochestrhlls.mi.michigan.comc  3.3% 118.9 113.2 104.6 118.9   3.5
???  100.0   0.0   0.0   0.0   0.0   0.0
fission:~# mtr -s 900 --report --report-cycles 30 a.b.c.d
fission.myfreecams.comSnt: 30Loss%  Last   Avg  Best  Wrst StDev
ve75-gw1-xmr.metapeer.com 0.0%   0.3   2.1   0.3  47.1   8.6
te0-7-0-15.ccr21.sea02.atlas.cogentco.com 0.0%   0.7   0.6   0.5   0.8   0.1
te-0-5-0-3-pe03.seattle.wa.ibone.comcast.net  6.7%  40.6  42.4  39.7  45.2   1.3
be-15-cr01.seattle.wa.ibone.comcast.net   0.0%  47.3  48.2  41.3  54.8   4.3
68.86.92.34   3.3%  43.7  45.5  39.5 101.7  11.6
be-18-ur06.bellevue.wa.seattle.comcast.net0.0%  43.8  43.0  40.2  44.3   1.4
te-3-0-0-ten15.bellevue.wa.seattle.comcast.n  6.7%  42.7  44.1  42.1  45.7   1.1
???  100.0   0.0   0.0   0.0   0.0   0.0








mloftis@phobos:~$ mtr -s 900 --report --report-wide --report-cycles 30 1.2.3.4
HOST: phobos                                           Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 207.229.74.1                                      0.0%    30    0.4   5.1   0.3 132.4  24.1
  2. agg1-sea-t7-8.bb.spectrumnet.us                   0.0%    30    1.5  14.0   1.5 206.4  39.8
  3. 23.30.206.33                                      0.0%    30    1.8   2.0   1.7   3.5   0.3
  4. be-17-cr01.seattle.wa.ibone.comcast.net           0.0%    30   12.6   5.3   2.1  12.6   2.7
  5. pos-0-4-0-0-cr01.denver.co.ibone.comcast.net      0.0%    30   28.5  29.2  27.2  31.4   1.3
  6. he-5-12-0-0-cr01.350ecermak.il.ibone.comcast.net  0.0%    30   49.9  52.2  49.9  56.7   2.8
  7. he-3-5-0-0-ar01.woburn.ma.boston.comcast.net      0.0%    30   78.5  79.5  78.3  81.0   1.0
  8. pos-1-12-0-0-ar01.needham.ma.boston.comcast.net   0.0%    30   80.2  80.1  78.2  81.7   1.1
  9. po-80-ur01.deering.nh.boston.comcast.net          0.0%    30   80.0  80.1  79.9  80.4   0.1
 10. 
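
Added example, not part of the post: a parser for `mtr --report` pastes like the ones above (the first failing trace is reused as its sample input) that applies the usual reading rule when locating where loss starts, so a router that merely rate-limits its own ICMP replies is not mistaken for the failing hop.

```python
import re

# First failing trace from the post above, reused as sample input. The report
# header and the stray "You have new mail" shell line are part of the paste
# and are skipped by the parser.
SAMPLE_REPORT = """\
fission.myfreecams.comSnt: 30Loss%  Last   Avg  Best  Wrst StDev
ve75-gw1-xmr.metapeer.com 0.0%   0.4   1.4   0.3  11.8   2.9
te0-7-0-15.ccr21.sea02.atlas.cogentco.com 0.0%   0.9   0.6   0.5   0.9   0.1
te-0-5-0-3-pe03.seattle.wa.ibone.comcast.net  6.7%  43.7  42.3  38.8  43.7   1.4
be-13-cr01.seattle.wa.ibone.comcast.net   3.3%  47.7  44.6  41.3  47.7   1.8
pos-0-7-0-0-cr01.denver.co.ibone.comcast.net  3.3%  69.4  68.7  65.0  71.3   1.5
he-5-15-0-0-cr01.350ecermak.il.ibone.comcast  6.7%  92.6  97.3  91.4 102.0   3.8
he-3-15-0-0-ar01.woburn.ma.boston.comcast.ne 10.0% 120.3 119.8 116.3 122.0   1.8
pos-0-1-0-0-ar01.needham.ma.boston.comcast.n  0.0% 122.0 120.5 117.1 123.9   1.8
po-80-ur01.deering.nh.boston.comcast.net  0.0% 121.4 121.3 118.3 133.8   2.8
po-21-ur01.concord.nh.boston.comcast.net  6.7% 119.6 130.1 119.3 272.8  31.8
te-1-0-0-ten01.concord.nh.boston.comcast.net  6.7% 118.7 120.0 117.6 121.4   1.3
???  100.0   0.0   0.0   0.0   0.0   0.0
You have new mail in /var/spool/mail/root
"""

# One hop line: host, loss (the '%' is sometimes lost in pasted output), then
# the five timing columns. Anything else (header, shell noise) is not a hop.
HOP_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<loss>\d+\.\d+)%?"
    r"\s+(?P<last>\d+\.\d+)\s+(?P<avg>\d+\.\d+)\s+(?P<best>\d+\.\d+)"
    r"\s+(?P<wrst>\d+\.\d+)\s+(?P<stdev>\d+\.\d+)\s*$"
)


def parse_mtr_report(text):
    """Return the hops of an `mtr --report` paste as dicts, in path order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if m:
            hops.append({k: (v if k == "host" else float(v))
                         for k, v in m.groupdict().items()})
    return hops


def real_loss_hops(hops, min_loss=1.0):
    """Hops whose loss is corroborated by a later hop, or that are the last
    responding hop (so their loss is what the far end sees). A hop showing
    loss while every later hop is clean is only rate-limiting its own ICMP
    replies, not dropping transit traffic. Trailing '???' hops that never
    answer (a firewalled or redacted destination) do not count as corroboration."""
    end = len(hops)
    while end and hops[end - 1]["host"] == "???":
        end -= 1
    usable = hops[:end]
    flagged = []
    for i, hop in enumerate(usable):
        if hop["loss"] < min_loss:
            continue
        later = usable[i + 1:]
        if not later or any(h["loss"] >= min_loss for h in later):
            flagged.append(hop)
    return flagged


def loss_entry_point(text, min_loss=1.0):
    """Host of the first hop with corroborated loss, or None if the path is clean."""
    flagged = real_loss_hops(parse_mtr_report(text), min_loss)
    return flagged[0]["host"] if flagged else None
```

On the sample this points at the first Comcast hop in Seattle, which is where the post places the problem.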

Re: Circuit Bandwidth Simulator applet etc

2013-02-25 Thread Michael Loftis
Try http://www.nsnam.org/ (AKA NS2/NS3) which is GPL/OSS or Tetcos
NetSim - http://tetcos.com/

I've never used NetSim FYI, just heard of it.  And NS only rarely.

On Mon, Feb 25, 2013 at 9:22 AM, JoeSox joe...@gmail.com wrote:
> I would like an applet or program I can feed nodes and a network
> topology, then just set hypothetical transmit speeds at child nodes
> then have the applet or program display the Parent node bandwidth.  Is
> there any Visio applets or macros out there I wonder?
>
> Sorry another tool question but I don't want to start coding something
> up if I don't have to.
> I use NetDot but I don't think it has any circuit bandwidth tools like
> that.  I have used GNS3 in the past but that is way more complex for
> this need I have.
> --
> Thanks, Joe







Re: Suggestions for managed DNS provider?

2013-02-14 Thread Michael Loftis
On Thu, Feb 14, 2013 at 11:58 AM, David Hubbard
dhubb...@dino.hostasaurus.com wrote:
> Hi all, anyone have suggestions for very stable/reliable managed DNS?
> Neustar/UltraDNS is an obvious option to look at, just curious about
> alternatives.  Cost effective would be nice, but stable under attack is
> better.

It's not 100% clear what you mean here, resolvers or authoritative
DNS, but, in either case, my suggestions are the same, OpenDNS has
been reliable for me as a resolver service, and DynDNS (now just Dyn)
has been great for authoritative and secondary nameservers for me.
For authoritative nameservers I haven't looked for anything to deal
with huge numbers of domains, just a few dozen.





Re: Super slow HP ILO 2 web interface

2013-01-23 Thread Michael Loftis
I've had issues with HP, Dell, and Super micro in any higher amounts of
broadcast traffic, especially ARP requests. The iDRAC 5 and 6 behave very
badly in high broadcast environments, failing to respond to http and local
ipmi (ipmitool via the smbus or whatever) interface.  That's probably where
I would start personally...anything over a couple hundred hosts in the same
broadcast domain, especially if those are windows or osx hosts that love to
jibber about CIFS and mDNS.



Sent from my Motorola Xoom
On Jan 23, 2013 6:25 PM, Erik Levinson erik.levin...@uberflip.com wrote:

> Hi everyone,
>
> This is probably an OT question for this list, but I thought someone here
> may have encountered this.
>
> I've been having a really annoying super slow web interface access to ILO
> 2 on our DL360 G5s and G6s, since day one, on all of them. SSH to ILO is
> perfectly fine. IPMI is fine. VSP is fine. Everything to do with ILO is
> fine except the damn web interface, which is slow to load pages
> intermittently. It kind of works in bursts for a few seconds when it works,
> so I try to do things quickly. It's hard to characterize exactly what's
> happening beyond my vague description, but I've looked at the dev tools in
> Chrome, tried FF, etc. with no luck.
>
> One thing I haven't tried in a while is a packet capture of an ILO port to
> see if it's doing something weird, like trying to do rDNS on the client's
> IP or on itself, etc.
>
> If it helps, our config doesn't use DHCP and otherwise all the boxes are
> reset to defaults, then have their IP/SM/GW configured and local users
> configured...nothing fancy. We do use our own SSL certs, but the problem
> happens without them as well, so I've already ruled that out.
>
>
> Does anyone have any ideas on what obvious thing I could have missed?
>
>
> Thanks
>
> Erik






Re: why haven't ethernet connectors changed?

2012-12-20 Thread Michael Loftis
It's not all about density.  You *Must* have positive retention and
alignment.  None of the USB nor firewire standards provide for positive
retention.  eSATA does sort of in some variants but the connectors for USB
are especially delicate and easy to break off and destroy.  There's the
size of the Cat5/5e/6 cable to be considered too.

Then you must consider that the standard must allow for local termination,
the RJ45 (And its relatives) are pretty good at this.  Fast, reliable,
repeatable termination with a single simple tool that requires only a
little bit of mechanical input from the user of the tool.


On Thu, Dec 20, 2012 at 10:20 AM, Michael Thomas m...@mtcc.com wrote:

> I was looking at a Raspberry Pi board and was struck with how large the
> ethernet connector is in comparison to the board as a whole. It strikes me:
> ethernet connectors haven't changed that I'm aware in pretty much 25 years.
> Every other cable has changed several times in that time frame. I imagine
> that if anybody cared, ethernet cables could be many times smaller. Looking
> at wiring closets, etc, it seems like it might be a big win for density too.
>
> So why, oh why, nanog the omniscient do we still use rj45's?
>
> Mike






Re: Google/Youtube problems

2012-11-19 Thread Michael Loftis
On Mon, Nov 19, 2012 at 6:30 AM, Leo Bicknell bickn...@ufp.org wrote:

> In a message written on Mon, Nov 19, 2012 at 03:59:22PM +0200, Saku Ytti
> wrote:
> > What I'm trying to say, I can't see youtube generating anywhere nearly
> > enough revenue who shift 10% (or more) of Internet. And to explain this
> > conundrum to myself, I've speculated accounting magic (which I'd frown
> > upon) and leveraging market position to get free capacity (which is ok,
> > I'd do the same, had I the leverage)
>
> I suspect you're thinking about revenue in terms of say, the
> advertisements they run with the videos.  I believe you're right, that
> would never pay the bills.
>
> Consider a different model.  Google checks out your gmail account, and
> discovers you really like Red Bull and from your YouTube profile knows
> you watch a lot of Ke$ha videos.  It also discovers there are a lot more
> folks with the same profile.  They can now sell that data to a marketing
> firm, that there is a strong link between energy drinks and Ke$ha
> videos.


Actually GOOG doesn't allow this as policy.  Different BUs are rather quite
restricted on how they can obtain other BUs data.  In general if you can't
do it as XYZ corp, you can't do it from inside of GOOG either -- there's a
sort of privacy/policy watchdog group inside of the puzzle palace with at
least a few people who are *very* concerned with privacy and data
protection.  I know this just because I've met a handful of them over the
years.  The ones in the group charged with making sure your data isn't
opened up to everyone and their brother, even inside of google, to this
sort of thing are pretty fanatical too.  Ads can't use any data in any
other way than anyone else could from GMail.  Same goes with search.  They
can (and clearly do) share technology, software, infrastructure, and
methodologies, but, the actual data is a pretty touchy subject between BUs
due to their own policy.  Even if they disband the group, everyone I've
ever met with any responsibility towards user data shared the attitude that
doing something many of us would consider icky would be something they'd
block against internally.   (such as just opening up the gmail to any
advertiser that came along, aggregating data between BUs to sell individual
preferences, etc)

Will this be the case forever?  Dunno.  The ethos/culture is what keeps all
this in check right now and culture is known to change.  All that said,
they're quite profitable now, and so I don't know that there's a pressure
from profit motive to improve that revenue stream by doing dirty pool.
 Especially if the world governments decide they're playing dirty pool and
go looking.




> GOOG-411 - building a corpus of voice data for Android's voice
> recognition.
>
> ReCaptcha - improving visual recognition for their book scanning
> process.
>
> Most of the free services are simply the cheapest way to get the data
> needed for some other service that can make much more money.  It may
> seem weird to write off all the costs of YouTube as data acquisition
> costs, but there's far more money to be made selling marketing data than
> ads against streaming videos...



Re: time-b.netgear.com/time-c.netgear.com dns queries

2012-09-07 Thread Michael Loftis
On Fri, Sep 7, 2012 at 7:36 PM,  valdis.kletni...@vt.edu wrote:

> Interestingly enough, the *hostname* is still in use (by another machine under
> my desk) - and it gets near zero hits.  So it's all hardcoded IP addrs not
> hostnames.

And for NTP implementations that use DNS they also often only check
DNS on startup too...and lots of people do not maintain their
servers...well, except netgear, which just hammers the bugger out of
everything (See OP)






Re: raging bulls

2012-08-08 Thread Michael Loftis
On Wed, Aug 8, 2012 at 8:08 AM, Brett Frankenberger rbf+na...@panix.com wrote:

> Even if you execute the trades based on a GPS timestamp (I'm ignoring
> all the logistics of preventing cheating here), it doesn't matter,
> because the computer that got the information first will make the
> trading decision first.
>
>  -- Brett


Such a system would be pretty complicated because it would also have
to prevent intentional 'backdating' of trades as well.  Then you've
got the market data itself (as just mentioned) -- getting the
information first is a big part of the latency problem for the quants.






Re: airFiber

2012-03-31 Thread Michael Loftis
On Sat, Mar 31, 2012 at 7:14 AM, ML m...@kenweb.org wrote:
> Often such a feature is an option within the radio configuration. Where
> wired side link follows wireless link.  To me that never seemed like a good
> idea because I need to get into the radio during a wireless link-down
> situation.  Maybe if there was an OOB ethernet port it could work but I
> haven't seen them on any radio I've touched.


These have an 100MB OOB management port, a 1GigE port, and a RJ45 for
a speaker/tone device for aiding alignment.




Re: events

2011-09-30 Thread Michael Loftis
On Fri, Sep 30, 2011 at 11:21 AM, Brandon Kim
brandon@brandontek.com wrote:

> Is it really that expensive, and WORTH the expense?

IMO, from price quotes I've gotten in the past, it's astronomically
expensive.  As for worth it...depends.  If you're dealing with events
for say payment processing systems, it might be.  But as a general use
tool, it's way outside of being worth it.  You license based on the
incoming bytes of logging data.  But you still have to buy the
hardware to process it.  They also expect you to pay for that license
time and time again.



Re: Home computer rooms

2011-08-13 Thread Michael Loftis
I've got a Danby portable type dual hose unit which works very well
for my office.  The single hose units are really no good for getting a
room cool as they continually pull in outside air.  It's pretty quiet,
a lot quieter than the cheaper no-name unit it replaced.  12000BTU -
it does really need its own 15A/120V circuit because of the size.

On Sat, Aug 13, 2011 at 4:52 PM, Chris Adams cmad...@hiwaay.net wrote:
 Once upon a time, Charles N Wyble char...@knownelement.com said:
 Related to my thread about home data centers, what are folks using to
 store compute gear in?

 Mine sits in two racks in my second bedroom. Cooled by ambient AC.

 I have an old pdp-8 rack (I didn't get the actual computer, just the
 rack, but it does still have the DEC faceplate), and the room is cooled
 by the regular central A/C.  I've considered dedicated A/C for this room
 (just a small spare bedroom really), but I haven't found anything that
 is economical and quiet.

 --
 Chris Adams cmad...@hiwaay.net
 Systems and Network Administrator - HiWAAY Internet Services
 I don't speak for anybody but myself - that's enough trouble.








Re: Experience with Open Source load balancers?

2011-05-17 Thread Michael Loftis
On Mon, May 16, 2011 at 5:15 PM, Welch, Bryan bryan.we...@arrisi.com wrote:
 Greetings all.

 I've been tasked with comparing the use of open source load balancing 
 software against commercially available off the shelf hardware such as F5, 
 which is what we currently use.  We use the load balancers for traditional 
 load balancing, full proxy for http/ssl traffic, ssl termination and 
 certificate management, ssl and http header manipulation, nat, high 
 availability of the physical hardware and stateful failover of the tcp 
 sessions.  These units will be placed at the customer prem supporting our 
 applications and services and we'll need to support them accordingly.

 Now my knee jerk reaction to this is that it's a really bad idea.  It is 
 the heart and soul of our data center network after all.  However, once I 
 started to think about it I realized that I hadn't had any real experience 
 with this solution beyond tinkering with it at home and reading about it in 
 years past.

 Can anyone offer any operational insight and real world experiences with 
 these solutions?

Honestly I think to get *all* those features you're much better off
with commercial solutions like the ones you're already using from F5,
or something from Cisco, Coyote Point, Brocade, or others.  You can
absolutely put together a solution based on any number of open source
products, but you won't get the single integrated front end for
management and configuration that any of the commercial options will
provide, you may be missing features, and ultimately, you're on the
hook for making it work.  In particular the stateful failover has been
problematic in open source solutions in my experience.  They've come a
VERY long way, but it is a hard problem to tackle.

I've worked with open source and commercial solutions, and while the
open source systems were almost always far more flexible, and cheaper
up front, they certainly required more work to get going.  Once setup
and running though both types of solutions had pretty equal amounts of
maintenance, with the commercial solutions requiring somewhat less
time/babysitting for upgrades and to enable or use new features or
functionality.



Re: gmail issues ?

2011-03-15 Thread Michael Loftis
On Tue, Mar 15, 2011 at 3:13 PM, Mike Tancsa m...@sentex.net wrote:
 Anyone seeing gmail issues ? I checked at
 http://www.google.com/appsstatus#hl=en

I've been having massively delayed incoming mail since about Sunday
(2011/03/13)  some email taking days to come in, some still hasn't
(Amazon Order status updates for example from Monday still haven't
shown up yet)



Re: Old Annex question

2011-02-12 Thread Michael Loftis
Never used those but on some gear from that era it had to be repeated 3x
like the Hayes +++ attention sequence.
On Feb 12, 2011 9:02 PM, Brian Feeny bfe...@mac.com wrote:

 Sad but true, I still have a few of these in operation as terminal
servers. In reading the documentation I could find it wasn't clear to me how
to solve my issue. I use these to manage Cisco routers.

 How can I connect to a server, and then drop back to the CLI, so I can
then connect to another server, and keep switching back and forth? I thought
I could just set the attn_string to say ^A and then I could just hit that
and it would work, but it doesn't seem to. I basically want to emulate the
same functionality you can get when you do ^^x on a Cisco terminal server
(2509/2511/etc).

 here is how its configured right now:

 %rotary
 host1: 1@172.16.1.10
 host2: 2@172.16.1.10
 host3: 3@172.16.1.10
 %gateway
 annex 172.16.1.10
 net default gateway 172.16.1.1 metric 1 hardwired
 end

 So I connect to my annex by telnetting to 172.16.1.10, then I type say
host1, but I want to drop back to the CLI, any ideas how to escape to CLI
once connected?

 I figured that since many of you are from my same era and these were
popular with ISP's of the day, someone here may know..

 Brian




Re: SmartNet Alternatives

2011-02-11 Thread Michael Loftis
Cisco is making noises that they'll eventually be restricting software
access to ONLY those devices which have an active SmartNet contract
associated to your CCO account.  I don't know where this currently
stands, and it sure will be a huge pain in my rear if/when it happens.

On Fri, Feb 11, 2011 at 1:41 PM, John Macleod jmacl...@alentus.com wrote:
 Just interested in other peoples experience to companies offering 
 alternatives to SmartNet?

 Pros/Cons/Tradeoffs?

 We currently have a mix of SmartNet and internal parts supply.

 John


 __
 John Macleod
 Alentus UK Limited
 Seymour House
 South Street
 Bromley
 BR1 1RH
  +44 (0)208 315 5800
  +44 (0)208 315 5801 fax
 alentus.co.uk  |  alentus.com






Re: IPv6 filtering

2011-01-26 Thread Michael Loftis
On Tue, Jan 25, 2011 at 10:49 PM, Mark D. Nagel mna...@willingminds.com wrote:

 This can bite you in unexpected ways, too.  For example, on a Cisco ASA,
 if you add a system-level 'icmpv6 permit' line and if this does not
 include ND, then you break ND responses to the ASA.  This is much unlike
 ARP, which is unaffected by 'icmp permit' statements for IPv4.  And, the
 default with no such lines is to permit all ICMP/ICMPv6 to the ASA. This
 seems so obvious in retrospect, but at the time was a bit of a
 head-scratcher.


ARP is a separate protocol supporting IPv4 ... For IPv6 ND is done
using ICMPv6 messages.  A bit confusing transitioning from IPv4/ARP
for sure.

 Mark



Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Michael Loftis
On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy r...@maine.edu wrote:

 Many cite concerns of potential DoS attacks by doing sweeps of IPv6
 networks.  I don't think this will be a common or wide-spread problem.
  The general feeling is that there is simply too much address space
 for it to be done in any reasonable amount of time, and there is
 almost nothing to be gained from it.

The problem I see is the opening of a new, simple, DoS/DDoS scenario.
By repetitively sweeping a target's /64 you can cause EVERYTHING in
that /64 to stop working by overflowing the ND/ND cache, depending on
the specific ND cache implementation and how big it is/etc.  Routers
can also act as amplifiers too, DDoSing every host within a multicast
ND directed solicitation group (and THAT is even assuming a correctly
functioning switch that's limiting the multicast travel)

Add to it the assumption that every router gets certain things right
(like everything correctly decrementing TTLs as assumed in RFC 4861
11.2 in order for hosts to detect off-link RA/ND messages and guard
themselves against those), in these ways it's certainly at least
somewhat worse than ARP.

If you're able to bring down, or severely limit, a site by sending a
couple thousand PPS towards the /64 it's on, or by varying the upper
parts of the /64 to flood all the hosts with multicast traffic while
simultaneously flooding the router's LRU ND cache, well, that's a cheap
and easy attack and it WILL be used, and that can be done with the
protocols working as designed, at least from my reading.  Granted I
don't have an IPv6 lab to test any of this.  But I'd be willing to bet
this exact scenario is readily and easily possible, it already is with
ARP tables (and it DOES happen, it's just harder to make happen with
ARP and IPv4 since the space is so small, esp when compared to a /64)
IPv6 ND LRU Caches/tables aren't going to be anywhere near big enough
to handle a single /64's worth of hosts.  And if they're any
significant amt smaller then it'd be trivial to cause a DoS by
sweeping the address space.  It would depend on the ND table
limits/sizes, and any implementation specific timers/etc and garbage
collection, and some other details I don't have, but, I bet it'd be
a really small flow in the scheme of things to completely stomp out a
/64... someone I'm sure knows more about the implementations, and I'm
betting this has been brought up before about IPv6/ND...

So I pretty strongly disagree about your statement.  Repetitively
sweeping an IPv6 network to DoS/DDoS the ND protocol thereby flooding
the ND cache/LRUs could be extremely effective and if not paid
serious attention will cause serious issues.
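A toy model of the cache-exhaustion scenario discussed in this post, added here as an illustration and not code from the thread: a plain LRU neighbour table is compared with one that caps unresolved entries and evicts them first (the kind of mitigation later collected in RFC 6583). The table size, host count, sweep size and garbage-collection timer are constructed, and `NdCache`, `simulate` and `run` are names of this example only.

```python
"""Toy model of a router's IPv6 Neighbor Discovery (ND) cache during a sweep
of one /64. Added example, not code from the original post; table size, host
count, sweep size, timer and mitigation are constructed for illustration."""
from collections import OrderedDict
import ipaddress

REACHABLE, INCOMPLETE = "REACHABLE", "INCOMPLETE"


class NdCache:
    """LRU neighbour table of at most max_entries. max_incomplete=None is a
    plain LRU (unresolved entries can push out resolved neighbours); a number
    caps INCOMPLETE entries and evicts them before any REACHABLE one."""

    def __init__(self, max_entries, max_incomplete=None):
        self.max_entries = max_entries
        self.max_incomplete = max_incomplete
        self.entries = OrderedDict()   # address -> state, oldest first
        self.solicitations = 0         # multicast NS the router had to send

    def _incomplete_count(self):
        return sum(1 for s in self.entries.values() if s == INCOMPLETE)

    def _make_room(self):
        """Evict one entry: an INCOMPLETE one first when mitigated, else the
        oldest entry regardless of state."""
        if self.max_incomplete is not None:
            for addr, state in self.entries.items():
                if state == INCOMPLETE:
                    del self.entries[addr]
                    return
        self.entries.popitem(last=False)

    def forward_to(self, addr):
        """The router receives a packet destined to on-link address addr."""
        if addr in self.entries:
            self.entries.move_to_end(addr)      # mark as recently used
            return self.entries[addr]
        # Unknown neighbour: resolving it costs a multicast NS on the LAN.
        if (self.max_incomplete is not None
                and self._incomplete_count() >= self.max_incomplete):
            return "DROPPED"                    # resolution budget exhausted
        if len(self.entries) >= self.max_entries:
            self._make_room()
        self.entries[addr] = INCOMPLETE
        self.solicitations += 1
        return INCOMPLETE

    def learn(self, addr):
        """A Neighbor Advertisement for addr arrived: entry is REACHABLE."""
        self.entries[addr] = REACHABLE
        self.entries.move_to_end(addr)

    def expire_incomplete(self):
        """Garbage collection: solicitations nobody answered time out."""
        for addr in [a for a, s in self.entries.items() if s == INCOMPLETE]:
            del self.entries[addr]


def simulate(cache, legit_hosts, sweep_addrs, gc_every):
    """Populate the table with real hosts, then replay the sweep; INCOMPLETE
    entries time out every gc_every packets. Real hosts stay silent during the
    sweep (worst case for an LRU). Returns (real hosts still REACHABLE, NS sent)."""
    for host in legit_hosts:
        cache.forward_to(host)
        cache.learn(host)
    cache.solicitations = 0            # count only what the sweep triggers
    for i, addr in enumerate(sweep_addrs, 1):
        cache.forward_to(addr)
        if i % gc_every == 0:
            cache.expire_incomplete()
    survivors = sum(1 for h in legit_hosts if cache.entries.get(h) == REACHABLE)
    return survivors, cache.solicitations


# Constructed scenario: 50 real hosts on a documentation /64, a 5000-address
# sweep of the same /64, and a 1024-entry neighbour table.
NET = ipaddress.IPv6Network("2001:db8:1::/64")
LEGIT = [str(NET[i]) for i in range(1, 51)]
SWEEP = [str(NET[0x10000 + i]) for i in range(5000)]


def run(max_incomplete, gc_every):
    """Return (surviving real hosts, NS sent) for one cache policy and timer."""
    cache = NdCache(max_entries=1024, max_incomplete=max_incomplete)
    return simulate(cache, LEGIT, SWEEP, gc_every)
```

With these constructed numbers `run(None, 1000)` returns `(24, 5000)` and `run(None, 2000)` returns `(0, 5000)`: the plain LRU loses real neighbours and relays every swept address as a multicast solicitation, and a slower timeout makes it worse. `run(16, 1000)` returns `(50, 80)`: capping unresolved entries keeps every real host reachable and bounds the solicitations the sweep can provoke.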



Re: IPv6 - real vs theoretical problems

2011-01-11 Thread Michael Loftis
On Fri, Jan 7, 2011 at 3:44 PM, Owen DeLong o...@delong.com wrote:
snip
 There are multiple purposes to /48s to residential end users.

 DHCP-PD allows a lot of future innovations not yet available.

        Imagine a house where the border router receives a /48
        from the ISP and delegates /64s or /60s or whatever to
        other routers within the house.

        Each home entertainment cluster may be one group of
        networks with its own router.

        The appliance network(s) may have their own router(s).

        RFID tags on groceries may lead to a time when your
        home automation server can gather up data from your
        refrigerator, pantries, etc. and present the inventory
        on your mobile phone while you're at the grocery store.
        No more need to maintain a shopping list, just query
        the inventory from the store.

 These are just the things that could easily be done with the
 technology we already know about. Imagine what we might
 think of once we get more used to having prefix abundance.
snip

Having more address space won't help most of these uses, and as for
why, take a look at the proposed situation with for example home media
serving/sharing systems by TiVo, Apple, etc. They all require that the
units be within the same broadcast domain or that there be a
configured bridge of some sort if they even allow that topology.  They
(actually rightfully) assume that the network topology is flat, single
broadcast domain, and more and more use Multicast DNS (which I've seen
called a bunch of different things).  More to the point, your average
home user cannot technically fathom anything more complicated than
"plug it in" -- and many begin to fail to set something up properly
when it's extended to something as complicated as "plug it in, push a
button" or "plug it in, type some numbers into the device".

Your average home user has no reason at all for anything more than a
PtP to his/her gateway, and a single prefix routed to that gateway.
There are most certainly a few (which includes I'm sure 99% of the
NANOGers!) subscribers who can and will use more space than that, and
ISPs most definitely should make /48s readily and easily available for
those customers, but giving each and every customer a /48 (or really,
even a pair of /64s, one for the PtP, one delegated) is almost
certainly overkill.  The devices won't use the extra space unless
there's some automagic way of them communicating the desire to
each other, and appropriately configuring themselves, and it would have
to be very widely accepted.  But there's no technical gain.  A typical
household would probably have less than about 50, maybe 100 devices,
even if we start networking appliances like toasters, hair dryers and
every single radio, tv, and light switch.

Just my 2 cents worth.



Re: POE bump-in-the-wire conversion

2010-12-31 Thread Michael Loftis
On Fri, Dec 31, 2010 at 10:49 AM, Robert E. Seastrom r...@seastrom.com wrote:

 I was aware of this device (being a big Ubiquiti fan), but have yet to
 find anyone who has direct experience with using them on a 3524-PWR.

 Have you actually tried this (on a 3524-PWR, not a 3550 or anything
 later-but-pre-standard)?  The equipment will be quite happy with
 16v...

I've actually used them in other applications.  They're a standard
802.3af device, and they just step-down to 16V @ 0.8A (max) though
they seemed to get a bit warm at 0.8A but worked fine, haven't had one
die yet.  To the switch they are a 100% 802.3af device so may not work
with the 3524-PWR.  I've not tried any 802.3af devices with the
3524-PWR, I have gone the other way (802.3af injector/switch with
pre-standard devices that accepted 48V) -- You might be better off
upgrading to an 802.3af switch or using a separate 802.3af power
injector device/devices, Enterasys for example makes a 20 port
injector (last I checked) among others.  Most, almost all, 802.3af units
will also do a Cisco compatible 'pre standard' mode for the older 7900
series phones that aren't 802.3af.  Pre standard cisco POE is limited
to about 10W, as IIRC, it uses only one pair (pins 1,2) for DC power,
the device has a low pass filter to get rid of the DC component for
the ethernet receiver hardware.  802.3af doesn't define which
wires/pins to use but generally will use the unused pairs, 4,5 and 7,8
for DC+ and DC-, unless it's gig-e, then it uses 1,2 and 3,6 (again
this is just my experience with some Netgear and HP gear and doesn't
necessarily represent anything else).

The use of pins 1,2 for power is possibly also why you don't see
pre-standard to 802.3af because there's far less available power, AND,
you'd have to build a low pass filter and possibly regenerate the
Ethernet signal to make it work too.  Combine that with cheap 802.3af
injectors (either rack/multiport units, or single units) there's not a
lot of incentive for hardware manufacturers to build such devices
either.


 -r

 Philip Dorr tagn...@gmail.com writes:

 The Ubiquiti Instant 802.3af seems to do what you want (as long as the
 equipment can handle 16v)

 http://ubnt.com/8023af
 http://ubnt.com/downloads/instant8023af.pdf

 On Fri, Dec 31, 2010 at 9:00 AM, Robert E. Seastrom r...@seastrom.com 
 wrote:

 Perhaps someone from this august list can offer a clue here.

 Have:  Cisco 3524-PWR  (paleo-POE, pre-802.3af Cisco standard).

 It runs the 7960Gs great.

 Have:  Wireless AP stuff that wants 12v on the unused pairs for
 passive POE.  48v will let the magic smoke out.

 Might buy:  phone that does 802.3af

 Want to run these with the 3524-PWR.

 I can't imagine that nobody makes a bump-in-the-wire converter for
 this application, but haven't been able to find anything other than
 802.3af to the passive POE use case.

 Anyone got a pointer for me?

 Thanks,

 -r



Re: Want to move to all 208V for server racks

2010-12-04 Thread Michael Loftis
On Fri, Dec 3, 2010 at 10:33 PM, Jay Ashworth j...@baylink.com wrote:
 And in fact, much carrier class equipment can be had with -48V power, there
 are ATX and similar power supplies for PCs that are -48, and I *think* I've
 commercial small UPSs (3kVa) that give with -48 as well... using 48V
 battery strings, obviously.


Take a look at the Solar/Renewable energy systems, Xantrex (Schneider
actually) makes the XW series inverter/chargers which use 48V  battery
strings and can be paralleled up to a rated total of about
1...@120/240.  This is done by paralleling 3x 6kW inverter/chargers.
They've an integrated transfer switch, load shaving/sharing (IE if
you've got say 6kW of generator, but 12kW of Inverter, the system
capacity is up to 12kW, with battery assist).

And that's just one option, Magnasine makes parallel inverter/charger
and inverter systems up to around 12kW, also using 48VDC (or 24VDC)
strings.

Both of these are sinewave inverters.

There's also a telco oriented 48V inverter rack system that's escaping
my mind at the moment.  It can be setup with A/B 48V strings, and you
plug in inverter modules up to IIRC around 8kW.  Not parallel capable
between racks AFAIK.



Re: Want to move to all 208V for server racks

2010-12-04 Thread Michael Loftis
On Sat, Dec 4, 2010 at 12:45 PM, Jay Ashworth j...@baylink.com wrote:

 I phrased my comment poorly, which mislead you.  I was suggesting a UPS which
 took 208VAC on on the charge side, and charged 48VDC batteries with it,
 providing -48 to a rack full of equipment which took that.

 People actually call those 48VDC UPSs, though in fact they're just
 Little Teeny Battery Plants.  :-)

Ah, well, the XW (6048's) *do* have a 100A charger each (so up to 300A
@ ~48VDC) so they could be used for that too :D -- but that same
industry segment, solar/renewable, makes 48VDC charger only/rectifier
only systems as well.  So my answer still sort of stands :D



 Cheers,
 -- jra





Re: Low end, cool CPE.

2010-11-16 Thread Michael Loftis
On Fri, Nov 12, 2010 at 8:36 AM, Matthew Kaufman matt...@matthew.at wrote:
 On 11/11/2010 10:55 PM, Michael Loftis wrote:

 I have sort of recently gone from a little netscreen 5 to a mikrotik
 rb750g.
 Happily running for about 4 months. Way more of a power user or net admin
 than consumer oriented device. Fast though, loads faster than the
 netscreen

 I would recommend their products except for one thing: They have quite a few
 different models which experience a still-unfixed problem where the Ethernet
 port(s) simply go silent for 5-20 minutes and then come back all on their
 own (or with a reboot). Totally unacceptable, and their support forums are
 filled with others having the same problem *and* no confirmation of what the
 company is doing to fix it.

 And hard to debug, I'm sure, because the problem is one of those "happens
 every other day for 4 days, then not again for 3 weeks" kinds of bugs.

I've never actually had that problem, and wasn't even aware of it
until reading your message just now.  It might be that I use the thing
in a completely different manner (I've a bridge+vlan tagging setup).
Being as I work from home it gets used very thoroughly so if it had
had the issue I would've noticed.  I'm wondering if some units are
having thermal issues, seems to be a common thread/problem lately with
embedded devices.  Newer gen processors are starting to see thermal
and PSU loads (on account of lower voltages) that haven't been dealt
with much by these hardware makers.

Or I could just be lucky, or my office is cooler than others.  I've
heard a lot of people having thermal issues with the global tech
guruplug server plus wall wart units, and while the two I have do get
very hot, I haven't had any crashes.  But they are still way too hot
for me to ever recommend them for anything.  The RB750G though doesn't
ever seem to warm up or anything so it's very odd that there's issues.
 I'm running the 4.x stable releases though too, not 5.x, I'll have to
look into the forum posts on this.

Good to know about!



Re: Low end, cool CPE.

2010-11-11 Thread Michael Loftis
I have sort of recently gone from a little netscreen 5 to a mikrotik rb750g.
Happily running for about 4 months. Way more of a power user or net admin
than consumer oriented device. Fast though, loads faster than the netscreen
On Nov 11, 2010 6:41 PM, Leo Bicknell bickn...@ufp.org wrote:

 I've run into a number of low end CPE situations lately where I
 haven't found anything that does what I want, but I have to believe
 it is out there. I'm hoping NANOG can help.

 Basically think about a sophisticated home user, or a 1-5 person
 small office. Think DSL, Cable Modem, maybe Cell Card or ISDN as
 backups. Looking for an appliance, very much fire and forget. I
 probably won't get all the features that I want, but in no particular
 order:

 - Able to load balance over 2 links (probably via NAT).
 - IPv6 support, native or tunnel to tunnelbroker.net type thing.
 - Able to deal with backup connectivity, eg. Cell Cards which you
 only want to use if the primary is down.
 - User friendly features, e.g. UPNP, NAT-PMP, etc.
 - Good manageability. ssh to a cli would be a huge bonus, at least
 the ability to backup a config.
 - Able to handle decent throughput, probably 20Mbps/sec min, 50 would
 be nice.
 - Nice firewall features.
 - IDS features are cool.

 WiFi is not strictly required, but would be cool. Things like guest
 WiFi would be an added bonus.

 Something a NANOGer might want at home would be a good baseline.
 I realize the exact product may differ depending on DSL/Cable/Cell/ISDN,
 that's ok, let's get some various good solutions going here.

 What is the state of the art, and who has it?

 --
 Leo Bicknell - bickn...@ufp.org - CCIE 3440
 PGP keys at http://www.ufp.org/~bicknell/


Re: Current trends in capacity planning and oversubscription

2010-11-10 Thread Michael Loftis
On Tue, Nov 9, 2010 at 10:26 PM, Sean Donelan s...@donelan.com wrote:
 While the answer is always "it depends", I was wondering what the current
 rules of thumb university network engineers are using for capacity planning
 and oversubscription for resnets and admin networks?

 For K-12, SETDA (http://www.setda.org/web/guest/2020/broadband) is
 recommending:

 - An external Internet connection to the Internet Service Provider of at
 least 100 Mbps per 1,000 students/staff
 - Internal wide area network connections from the district to each school
 and between schools of at least 1 Gbps per 1,000 students/staff

 How does that compare with university and enterprise network rules of thumb?



As someone else has said I've never seen K-12 with remotely that high
of a ratio, or, really, any educational institution.  UofM here in
Missoula, MT doesn't have anywhere near those ratios for internet
services nor for the campus network.  I don't have any exact details
but I'm pretty certain there's no 10 Gig-E there.  I'm not even sure
if the building-to-building links are 1 Gig-E in all cases.

Actually...I'm not sure anywhere has that high of a ratio here in the
states, at least for wired connectivity.  The carriers here all keep
the prices nice and high to preserve their profit margins in the face
of losing their long distance and traditional POTS cash cows as people
move more to cell phones and other non POTS carriers.



Re: Current trends in capacity planning and oversubscription

2010-11-10 Thread Michael Loftis
On Wed, Nov 10, 2010 at 10:31 AM, Steve Meuse sme...@mara.org wrote:
 Michael Loftis expunged (mlof...@wgops.com):

 Actually...I'm not sure anywhere has that high of a ratio here in the
 states, at least for wired connectivity.

 I would say that's highly dependent on your geographical location. In Montana 
 I could see that as being true, but not in NYC, for example...

It might be more dependent upon the level of competition in the
bandwidth market.  Here in the mountain west (MT included) you either
pay the ILEC their exorbitant fees for your last mile, or, you pay to
trench.  Only a couple years ago Qwest was quoting $8k+/mo for a DS3,
and this was where their Cisco ONS 15454 was in the same room.  I
don't even want to know how much they'd charge you if you had to pay
any real line mileage.  Luckily in that particular building there
were/are other options, but almost any other place, you don't (that
building has a lot of antennae on top, a couple placed by myself)


 -Steve





Re: do you use SPF TXT RRs? (RFC4408)

2010-10-04 Thread Michael Loftis



--On Monday, October 04, 2010 9:54 AM -0700 John Adams j...@retina.net 
wrote:



Without proper SPF records your mail stands little chance of making it
through some of the larger providers, like gmail, if you are sending
in any high volume. You should be using SPF, DK, and DKIM signing.

I don't really understand how your security company related SPF to DoS
though. They're unrelated, with the exception of backscatter.


FUD most likely, that's the stock in trade for almost all security audit 
firms.




-j





Re: Inquiries to Acquire IPs

2010-07-02 Thread Michael Loftis

Makes one wonder what dead:beef::/32 and c0ff:ee00::/32 will go for? :)

--On Friday, July 02, 2010 9:48 PM +0100 Rob Evans 
internetplum...@gmail.com wrote:



I saw a few reports of those today and wrote a short note to forewarn
some other European RE networks, plus our customers.

http://webmedia.company.ja.net/edlabblogs/developmenteye/2010/07/03/wante
d-memorable-24-for-us5k/

Yup, I know the date on the blog is off by one. :)

Cheers,
Rob




Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-13 Thread Michael Loftis



--On Sunday, December 13, 2009 9:17 AM -0800 Joel Jaeggli 
joe...@bogus.com wrote:




UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.

You don't need UPnP if you're not doing NAT.


wishful thinking.

you're likely to still have a stateful firewall and in the consumer space
someone is likely to want to punch holes in it.


Amen indeed.  Consumers do not care if it's a good idea or not.  And 
honestly in a home network, well, it's not as frightening.  In a business of 
any kind (including home based) it is bad.  You should have a DMZ with 
carefully controlled open ports lists.  But that's preaching to the choir 
here.


IPv6 doesn't magically negate the need for UPnP, UPnP is not tied to NAT. 
It's a way for applications to ask the firewall to selectively open ports 
up to them.  Intelligent stateful firewalls can do that for limited 
applications, perhaps with some sort of policy control even.  Though 
Joe/Jill Gamer (which is what UPnP is for) won't know anything about any of 
that.  They define a gateway as functioning or not.


I really am honestly sick of people thinking IPv6 is a panacea.  It isn't. 
UPnP is rather a bit of a hack for sure, protocols should be better 
designed, but in this modern age of Peer To Peer you need a way for 
applications to ask the firewall to selectively open incoming ports.




Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-10 Thread Michael Loftis



--On Wednesday, December 02, 2009 6:23 PM -0800 Mehmet Akcin 
meh...@akcin.net wrote:



Would you consider Juniper SSG5 as a Consumer Grade router?

They do IPv6 and they are pretty good in general, and cheap as well.



Not as usable in the consumer space due to lack of UPnP (and Juniper is NOT 
interested in implementing it).  They also lack some other customer 
friendly features.


Price point is also probably 3x-5x what most are willing to pay for CPE.