Re: F-ckin Leap Seconds, how do they work?
On 7/3/2012 1:53 PM, Owen DeLong wrote: UTC (and the system clock) should not move backwards, but, rather they repeat second 59. UTC goes 58-59-00 most of the time, but during a leap second, it should go 58-59-59-00. It's not so much going backwards as dropping a chime.

If they do that, they're doing it wrong. UTC and the system clock should go 58-59-60-00. From the IERS bulletin announcing the leap second just past: http://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat

A positive leap second will be introduced at the end of June 2012. The sequence of dates of the UTC second markers will be:
2012 June 30, 23h 59m 59s
2012 June 30, 23h 59m 60s
2012 July 1, 0h 0m 0s
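An added illustration of the distinction drawn above (example code, not from the thread or from IERS): a second counter in which 23:59:60 is its own tick, beside the POSIX-style counter that collapses it onto 23:59:59 and so repeats a second. It assumes a constructed leap-second table holding only the 2012-06-30 entry quoted from the bulletin; the function names are chosen here.

```python
"""Added example, not from the NANOG thread: counting UTC seconds across the
2012-06-30 positive leap second.  posix_seconds() shows the 'repeat 59'
behaviour (23:59:60 collapses onto 23:59:59); utc_to_seconds() follows the
IERS bulletin (58, 59, 60, 00 are four distinct ticks).  The leap-second
table is constructed here and holds only the entry quoted in the thread; a
real implementation would load the full IERS list."""
import re
from datetime import datetime, timedelta, timezone

# Constructed table: UTC dates whose final minute contains a second 60.
POSITIVE_LEAP_DAYS = ("2012-06-30",)

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):(\d{2}):(\d{2})$")


def _parse(ts):
    """Split 'YYYY-MM-DD HH:MM:SS' into (midnight of that UTC day, hh, mm, ss)."""
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"bad timestamp: {ts!r}")
    day = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return day, int(m.group(2)), int(m.group(3)), int(m.group(4))


def _is_leap_slot(day, hh, mm, ss):
    """True only for 23:59:60 on a day listed in the leap table."""
    return (ss == 60 and hh == 23 and mm == 59
            and day.strftime("%Y-%m-%d") in POSITIVE_LEAP_DAYS)


def _clock(day, hh, mm, ss):
    """Wall-clock reading as a datetime; second 60 is clamped to 59 because
    datetime cannot represent it.  Any other SS > 59 is rejected."""
    if ss > 59 and not _is_leap_slot(day, hh, mm, ss):
        raise ValueError(f"second {ss} is not valid at that instant")
    return day + timedelta(hours=hh, minutes=mm, seconds=min(ss, 59))


def posix_seconds(ts):
    """The 'repeat 59' behaviour: POSIX time has no slot for second 60, so the
    leap second lands on the same count as 23:59:59."""
    day, hh, mm, ss = _parse(ts)
    return int(_clock(day, hh, mm, ss).timestamp())


def utc_to_seconds(ts):
    """Leap-second-aware count: every elapsed positive leap second adds one,
    and 23:59:60 itself gets its own value, so the sequence never repeats."""
    day, hh, mm, ss = _parse(ts)
    clock = _clock(day, hh, mm, ss)
    # A leap day's extra second has fully elapsed for every instant from the
    # following 00:00:00 onwards.
    elapsed = 0
    for d in POSITIVE_LEAP_DAYS:
        leap_midnight = (datetime.strptime(d, "%Y-%m-%d").replace(tzinfo=timezone.utc)
                         + timedelta(days=1))
        if clock >= leap_midnight:
            elapsed += 1
    return int(clock.timestamp()) + elapsed + (1 if _is_leap_slot(day, hh, mm, ss) else 0)


def tick_sequence(timestamps):
    """Return (posix_counts, utc_counts) side by side for a list of timestamps."""
    return ([posix_seconds(t) for t in timestamps],
            [utc_to_seconds(t) for t in timestamps])


if __name__ == "__main__":
    seq = ["2012-06-30 23:59:58", "2012-06-30 23:59:59",
           "2012-06-30 23:59:60", "2012-07-01 00:00:00"]
    posix, utc = tick_sequence(seq)
    print("POSIX (repeats 59):  ", posix)
    print("UTC   (58-59-60-00): ", utc)
```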
Re: FYI Netflix is down
On 07/02/2012 08:53 AM, Tony McCrory wrote: On 2 July 2012 19:20, Cameron Byrne cb.li...@gmail.com wrote: Make your chaos animal go after sites and regions instead of individual VMs. CB From a previous post mortem http://techblog.netflix.com/2011_04_01_archive.html Create More Failures Currently, Netflix uses a service called Chaos Monkey http://techblog.netflix.com/2010/12/5-lessons-weve-learned-using-aws.html to simulate service failure. Basically, Chaos Monkey is a service that kills other services. We run this service because we want engineering teams to be used to a constant level of failure in the cloud. Services should automatically recover without any manual intervention. We don't, however, simulate what happens when an entire AZ goes down and therefore we haven't engineered our systems to automatically deal with those sorts of failures. Internally we are having discussions about doing that and people are already starting to call this service Chaos Gorilla. It would seem the Gorilla hasn't quite matured. Tony From conversations with Adrian Cockcroft this weekend it wasn't the result of Chaos Gorilla or Chaos Monkey failing to prepare them adequately. All their automated stuff worked perfectly; the infrastructure tried to self-heal. The problem was that yet again Amazon's back-plane / control-plane was unable to cope with the requests. Netflix uses Amazon's ELB to balance the traffic and no back-plane meant they were unable to reconfigure it to route around the problem. Paul
Re: F-ckin Leap Seconds, how do they work?
On 6/30/2012 3:16 PM, Paul WALL wrote: Comments? Drive Slow Paul Not very well if you have a modern box (RHES/CentOS 6) and Java apps running on them. RHES/CentOS 5 merrily ignored it. Worse, just bouncing the Java stack didn't fix it, it required the box to be rebooted. A sizeable number of annoyed sysadmins tweeting about it this afternoon. Paul
Re: Whois data compromised?
On 06/26/2012 11:53 AM, Mark Andrews wrote: In message cadfgf67amjhr+bsdo4klpfzcyzjzw5bx0uscw_9sgrq7rz6...@mail.gmail.com , Eric Rosenberry writes: Not sure where this data got injected into the system (or who knows, perhaps it's a DNS injection attack or something), but this certainly is not right. :-( It's perfectly NORMAL. Just the owners of SWINGINGCOMMUNITY.COM, BEYONDWHOIS.COM, SHQIPHOST.COM, NASHHOST.NET and UNIMUNDI.COM playing games. Probably a stupid question, but what do they gain by doing such? Paul
Re: Patch Management - Windows RHEL/CentOS based on Date
On 06/13/2012 01:47 PM, Wade Peacock wrote: Hi All, Does anyone know of a patch management system that will allow us to control the roll out of patches, specifically for Windows but Linux would be nice too, that can use a date to limit whether a patch is rolled out. I.e. Patch to date set to 2012-06-10. So all patches released up to 2012-06-10 will be offered to requesting clients. Any patches released after 2012-06-10 will be hidden/not offered until the Patch to Date is moved forward. Wade Peacock Production IT | Vision Critical direct 604.629.9358 mobile 604.363.8137 http://www.visioncritical.com/ New York | London | Vancouver | Paris | Sydney | Chicago | San Francisco | Toronto | Montreal | Calgary There are a number of different solutions depending on your environment and how much you might be prepared to spend. A few that spring to mind: PatchLink, works with Windows and RedHat, not sure if they sorted out CentOS support. I've used PatchLink in the past for managing patch deployment to several hundreds of servers (split up into groups for a final bit of paranoia). ManageEngine have tools, but I believe that's Windows only. RedHat have Satellite that patches and a whole lot more, but that comes at a premium. There is also SpaceWalk from them: http://spacewalk.redhat.com/ that manages RedHat, CentOS and Scientific Linux patching. Paul
Re: Dear Linkedin,
On 06/08/2012 09:48 AM, Michael Thomas wrote: Linkedin has a blog post that ends with this sage advice: * Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months. I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember each one of them and dutifully update them every month or two? * Do not use the same password for multiple sites or accounts. So the implication is that I have 100's of passwords all unique and that I must change every one of them to be something new and unique every few months. And remember each of them. And not write them down. * Create a strong password for your account, one that includes letters, numbers, and other characters. And that each of those passwords needs to be really hard to guess that I change to every few months on 100's of web sites. I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible. What's most pathetic about this is that somebody actually believes that we all really deserve this finger wagging. Use a password safe. Simple. Most of them even include secure password generators. That way you only have one password to remember stored in a location you have control over (and is encrypted), and you get to adopt secure practices with websites. The only real inconvenience might be having to log into each of whatever sites it is you're concerned about and changing the password on them. Paul
Re: Dear Linkedin,
On 06/08/2012 10:02 AM, Scott Weeks wrote: --- lyn...@orthanc.ca wrote: From: Lyndon Nerenberg lyn...@orthanc.ca On 2012-06-08, at 12:48 PM, Michael Thomas wrote: I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible. :: https://agilebits.com/onepassword (1Password) is one solution to :: managing web site passwords. Only if you have an OS you have to pay for: apple or ms. scot Use lastpass, or maybe Password Gorilla (uses an encrypted local file but you could stick that on a dropbox space or SpiderOak space).
Re: Dear Linkedin,
On 06/08/2012 10:22 AM, Michael Thomas wrote: On 06/08/2012 12:56 PM, Paul Graydon wrote: Use a password safe. Simple. Most of them even include secure password generators. That way you only have one password to remember stored in a location you have control over (and is encrypted), and you get to adopt secure practices with websites. The only real inconvenience might be having to log into each of whatever sites it is you're concerned about and changing the password on them. Does your password safe know how to change the password on each website every several months? Mike Oh come on... now you're just being ridiculous, even bordering on childish. LinkedIn are offering solid advice, rooted in safe practices. If you don't want to do it that's your problem. Stop bitching just because security is hard.
Re: Password safes c.
In my case I rely on Password Safe (http://passwordsafe.sourceforge.net/), Password Gorilla (https://github.com/zdia/gorilla/wiki/) and Dropbox. PasswordSafe has android and windows clients. The windows client will work under wine on linux if you really want, but it's a bit of a pain. Password Gorilla is a TCL app that is cross-platform that reads PasswordSafe files. There are a number of iPhone clients for passwordsafe mentioned on the Password Gorilla page linked above. Dropbox keeps the safe sync'd between locations (including phone). In each of them adding, fetching or changing a password is simple and involves only a few clicks. I've got somewhere approaching 200+ passwords in mine. On 06/08/2012 11:00 AM, Tyler Haske wrote: KeePass, KeyPassDroid and Dropbox. I'm sure it will just get simpler as time goes on. My mom uses a key database just fine. On Jun 8, 2012 4:49 PM, Andrew Sullivan asulli...@dyn.com wrote: On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote: PS: when security is hard, people simply don't do it. I think this is exactly right. The idea that we are going to train everyone on earth to keep eleventy billion distinct passwords in their heads -- or in a password safe that is either (1) under someone else's control because it's a web service or (2) inaccessible half the time because it's on their laptop and they're using their phone now and OMG -- is preposterous. (This without mentioning that they also have to remember the username that goes with it, which is _also_ variable.)
Re: Password safes c.
On 06/08/2012 11:07 AM, Andrew Sullivan wrote: On Fri, Jun 08, 2012 at 05:00:14PM -0400, Tyler Haske wrote: KeePass, KeyPassDroid and Dropbox. Yes, of course, I'll just upload all my passwords to a place totally under the control of someone (well, actually, _two_ other ones) else, and then pray that there never turns out to be a nasty attack against the programs and algorithms I used. (I'm more concerned about the programs. Obviously, if SHA-2 or whatever breaks, we gots bigger problems than all my personal passwords.) I'm not trying to be dismissive. Those are excellent stopgap measures. They're not a solution. Best, A If you don't trust DropBox, try SpiderOak for an added layer of encryption.
Re: Configuration Systems
On 06/07/2012 11:49 AM, valdis.kletni...@vt.edu wrote: On Thu, 07 Jun 2012 11:51:51 -0700, Owen DeLong said: This is a hard problem to solve. Not the least of the difficulties is the fact that if you ask 50 engineers to define Cloud, you will get at least 100 definitions many of which are incompatible to the point of mutually exclusive. cloud == you rented in a colo, but have no clue where. Only if you're talking IaaS, and that's only a very vague and not necessarily accurate description of that too. When you start describing what cloud is you've also got to go into the realms of private clouds (using, for example, openstack), on your own infrastructure in your own datacenter. That's before you even start delving into PaaS, SaaS clouds etc. Cloud is a marketing term, not an engineering one. Paul
Re: Configuration Systems
On 06/07/2012 12:59 PM, valdis.kletni...@vt.edu wrote: On Thu, 07 Jun 2012 12:12:09 -1000, Paul Graydon said: what cloud is you've also got to go into the realms of private clouds (using, for example, openstack), on your own infrastructure in your own datacenter. Same definition. The user I've provisioned still has no idea where I provisioned him. That's before you even start delving into PaaS, SaaS clouds etc. Still the same definition. You have no idea where you're provisioned from. Your original definition: cloud == you rented a colo, but have no clue where. I know exactly where my colo is. I know exactly where my physical servers are. If I run a private cloud on those servers and provision stuff there, I'll still know exactly where my colo is and I'll still know where my cloud infrastructure is deployed (http://en.wikipedia.org/wiki/Cloud_computing#Private_cloud) Even that wiki page doesn't quite go far enough in defining cloud, at least compared to stuff people sell as cloud (as I said, cloud is a marketing term, not an engineering one. Its accuracy is negligible) Paul
Re: Current IPv6 state of US Mobile Phone Carriers
On 05/22/2012 01:21 PM, Cameron Byrne wrote: On May 22, 2012 4:00 PM, Paul Porter paul.por...@gree.co.jp wrote: Hi NANOG, I'm looking for some information on the four largest US mobile phone carriers and the current state of their IPv6 infrastructure. Specifically, we are trying to figure out: 1. How much of the carrier core and edge for ATT, Verizon, T-Mobile, and Sprint are on IPv6 now? Hi, T-Mobile USA has native IPv6 to all subscribers in all of its coverage area. But, less than 1% of subscribers use IPv6 because they do not have an IPv6 capable phone. The Nexus S and Galaxy Nexus work well. This device challenge will improve in time. Samsung is doing a good job of bringing IPv6 to Android devices. More info here That's interesting. I have a Galaxy Nexus on T-Mobile USA and it doesn't get an IPv6 address, only IPv4. Works fine with IPv6 over my wireless network at home. Doesn't seem to be anything obvious in the settings to enable or disable that. Paul
Re: Current IPv6 state of US Mobile Phone Carriers
On 05/22/2012 01:40 PM, Paul Graydon wrote: On 05/22/2012 01:21 PM, Cameron Byrne wrote: On May 22, 2012 4:00 PM, Paul Porter paul.por...@gree.co.jp wrote: Hi NANOG, I'm looking for some information on the four largest US mobile phone carriers and the current state of their IPv6 infrastructure. Specifically, we are trying to figure out: 1. How much of the carrier core and edge for ATT, Verizon, T-Mobile, and Sprint are on IPv6 now? Hi, T-Mobile USA has native IPv6 to all subscribers in all of its coverage area. But, less than 1% of subscribers use IPv6 because they do not have an IPv6 capable phone. The Nexus S and Galaxy Nexus work well. This device challenge will improve in time. Samsung is doing a good job of bringing IPv6 to Android devices. More info here That's interesting. I have a Galaxy Nexus on T-Mobile USA and it doesn't get an IPv6 address, only IPv4. Works fine with IPv6 over my wireless network at home. Doesn't seem to be anything obvious in the settings to enable or disable that. Paul Cameron contacted me off list and pointed out the steps. Works a treat; NAT64 is handling the IPv4 traffic without any obvious problems, along with IPv6. Smooth and simple. Shame it has to be switched on through some manual steps, but I guess that's understandable for now given it's technically in Beta stage. Paul
Re: Operation Ghost Click
On 04/26/2012 11:44 AM, Andrew Latham wrote: On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart jer...@mompl.net wrote: Excuse the horrible subject :-) Anyone have anything insightful to say about it? Is it just lots of fuss about nothing or is it an actual substantial problem? http://www.fbi.gov/news/stories/2011/november/malware_110911 Update on March 12, 2012: To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time. -- Earthquake Magnitude: 5.5 Date: Thursday, April 26, 2012 19:21:45 UTC Location: off the west coast of northern Sumatra Latitude: 2.6946; Longitude: 94.5307 Depth: 26.00 km Yes, it's a major problem for the users unknowingly infected. To them it will look like their Internet connection is down. Expect ISPs to field lots of support calls. Based on conversations on this list a month or so ago, ISPs were contacted with details of which of their IPs had compromised boxes behind them, but it seems the consensus is that ISPs were going to just wait for users to phone support when it broke rather than be proactive about it. Paul
Re: SORBS?!
They're still functional, still used by companies but I wouldn't make any observation on them running 'well'. A friend's office IP range got blocked and unblocked recently by them so they do seem to remove entries. Beyond that on NANOG you're pretty much into light blue touch paper and retire to a safe distance territory even mentioning them. There is a good chance you might get a reply from Sorbs here, they almost always seem to respond when things get raised on NANOG. Paul On 04/04/2012 09:53 AM, Chris Conn wrote: Hello, Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago. The last spam date is 03/05/2011 according to their lookup tools. We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back. Is SORBS still relevant and functional? Sincerely, Chris Conn B2B2C.ca
Re: last mile, regulatory incentives, etc
On 03/23/2012 02:18 PM, Michael Painter wrote: Randy Bush wrote: what a silly question. lining the telcos' pockets. american so called 'broadband' is a joke and a scam. randy Really. This is from the Governor's Hawaii Broadband Initiative speedtest website: The indication of above average or below average is based on a comparison of the actual test result to the current NTIA definition of broadband which is 768 kbps download and 200 kbps upload. Any test result above the NTIA definition is considered above average, and any result below is considered below average. To be fair to the initiative at least its goal is for universal access to 1Gbps by 2018, something they term 'ultra-high-speed' (not sure where that definition comes from): http://hawaii.gov/gov/broadband-policy-outline/ Paul
Re: how to report spam to Yahoo!
The Yahoo form hasn't worked for a while. When you do get to somewhere for reporting spam, a few hours or days later you'll get a response telling you to submit a report on the exact same form you used. If you do you end up with the same response. Repeat ad infinitum. Same goes for their grey-listing/rate limiting report message. I've given up trying to report anything e-mail related to Yahoo, mostly just apologise to end users and suggest they use another e-mail provider. Paul On 03/21/2012 03:27 AM, Chuck Anderson wrote: Yahoo!'s abuse contact from whois: OrgAbuseEmail: network-ab...@cc.yahoo-inc.com now sends an autoresponse that tells you to go to a web form to report spam: http://help.yahoo.com/l/us/yahoo/mail/yahoomail/spam.html but the link doesn't work--it just redirects to a generic Yahoo! help page at: http://help.yahoo.com/kb/index?page=productlocale=en_USy=PROD_MAIL_ML So how does a non-Yahoo! account holder report spam originating from Yahoo!'s network? - Forwarded message from Yahoo! Network network-ab...@cc.yahoo-inc.com - From: Yahoo! Network network-ab...@cc.yahoo-inc.com Date: Wed, 21 Mar 2012 05:59:35 -0700 Reply-To: Yahoo! Network network-ab...@cc.yahoo-inc.com Thank you for your email, but this address is no longer being used for abuse reporting or abuse related questions. To report spam, please use this form: http://help.yahoo.com/l/us/yahoo/mail/yahoomail/spam.html To report other types of abuse or for help with security or abuse related issues, please go to Yahoo! Abuse: http://abuse.yahoo.com For questions about using Yahoo! services, please visit Yahoo Help: http://help.yahoo.com Note: Please do not reply to this email as replies will not be answered. Thank you, - Yahoo! Customer Care Original Message Follows:
Re: Whitelist of update servers
On 03/12/2012 10:05 AM, Maverick wrote: Is there a whitelist that applications have to talk to in order to update themselves? Which applications? What updates?
Re: Whitelist of update servers
On 03/12/2012 10:53 AM, William Herrin wrote: On Mon, Mar 12, 2012 at 4:40 PM, Peter Kristolaitis alte...@alter3d.ca wrote: On 12-03-12 04:34 PM, Maverick wrote: Like list of sites that operating systems or applications installed on your machines go to update themselves. One way could be to go on each vendor's site and look at their update servers like microsoft.update.com but it would be good if there is a list of such servers for all OS and applications so that it could be used as a whitelist. I'm trying to determine if this is supposed to be an exercise in How To Annoy Your Sysadmins or How To Do Network Security The Really, Really Wrong Way or some combination of the two. Pete, There are scenarios in which it is completely reasonable to provide white listed Web access instead of general Internet access. Consider: PCs in a prison with access to legal library and off-site education web sites. It would be helpful if they could also access automatic updates so they don't get malware but God help the sysadmin if one of the prisoners figures out how to get to child porn. But there are ways of doing that, such as Windows Software Update Services, and a little bit of policy enforcement from a centralised place. That gives you a centralised, controlled place to push updates out from without risking the machines going off to the internet to get them themselves (and an opportunity to try limited roll-out just in case.) For that matter if it's necessary to be talking about blacklisting/whitelisting sites under such conditions as PCs in a prison you're really better off just paying for something like a Websense to take care of it. Paul
Re: Programmers with network engineering skills
On 03/12/2012 09:46 AM, Tei wrote: On 12 March 2012 09:59, Carlos Martinez-Cagnazzo carlosm3...@gmail.com wrote: Hey! On 3/8/12 8:24 PM, Lamar Owen wrote: On Monday, March 05, 2012 09:36:41 PM Jimmy Hess wrote: ... (16) The default gateway's IP address is always 192.168.0.1 (17) The user portion of E-mail addresses never contain special characters like - + $ ~ . ,, [, ] I've just had my 'xx AT cagnazzo.name' email address rejected by a web form saying that 'it is not a valid email address'. So I guess point (17) can be extended to say that 'no email address shall end in anything different from .com, .net or the local ccTLD' :=) Carlos Yea, I don't even know how programmers can get that wrong. The regex is not even hard or anything. (?:[a-z0-9!#$%'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%'*+/=?^_`{|}~-]+)*|(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*)@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\]) It's supposedly a lot harder than that.
Try this for strict RFC822 compliance (from http://www.ex-parrot.com/pdw/Mail-RFC822-Address.html):
Re: Evil Bit and Spread Spectrum IP Addressing - NANOG Source Address Shaping
... Great, that's another filter to add to my mailserver. Paul On 3/4/2012 6:22 AM, Guru NANOG wrote: Common Misconception: One additional bit of IPv4 Addressing will solve world hunger The Evil Bit (or spare unused bit) can be used to store (restore) one bit The Left-Most bit of the 32-bit Source Address Field can be SET to Zero no matter what the original value. The Evil bit can be set IFF the Left-Most bit is **changed**. Setting the Left-Most bit to zero **folds** this table in half. http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt Setting the Left-Most bit to ONE would move return traffic to the upper half of the Spectrum which has vast quantities of unused /8s Wide-spread consensus shows that TWO bits can work. Three bits folds the table to 1/8th. Governments want a 4-bit Return Prefix to their Super-Hubs for IPv6-like intercept. The U.S.FCC is expected to issue the regulations on how Spread Spectrum Source Address Shaping will work in their licensed CPE wireless devices. There are 160-bits in the deprecated header so there are many ways to go. One-Way Broadcast IP Addressing is now available. The Source Address Field is used for the second half of the 64-bit Destination Address. The DF (Did Flip) bit near the Evil Bit is used to note the two halves of the Destination Address have been *flipped*. NANOGers simply route 32 and then 32 after the flip based only on the Destination Field. There is no Source Address, only a channel (port). Keywords: WRT DNSMASQ Tomato WIFI Linux CPE
Re: Reliable Cloud host ?
On Mon, Feb 27, 2012 at 11:19:27AM -0800, George Herbert wrote: On Mon, Feb 27, 2012 at 7:28 AM, William Herrin b...@herrin.us wrote: On Sun, Feb 26, 2012 at 7:02 PM, Randy Carpenter rcar...@network1.net wrote: On Feb 26, 2012, at 4:56 PM, Randy Carpenter wrote: 1. Full redundancy with instant failover to other hypervisor hosts upon hardware failure (I thought this was a given!) This is actually a much harder problem to solve than it sounds, and gets progressively harder depending on what you mean by failover. At the very least, having two physical hosts capable of running your VM requires that your VM be stored on some kind of SAN (usually iSCSI based) storage system. Otherwise, two hosts have no way of accessing your VM's data if one were to die. This makes things an order of magnitude or higher more expensive. This does not have to be true at all. Even having a fully fault-tolerant SAN in addition to spare servers should not cost much more than having separate RAID arrays inside each of the servers, when you are talking about 1,000s of servers (which Rackspace certainly has). Randy, You're kidding, right? SAN storage costs the better part of an order of magnitude more than server storage, which itself is several times more expensive than workstation storage. That's before you duplicate the SAN and set up the replication process so that cabinet and room level failures don't take you out. This is clearly becoming a not-NANOG-ish thread, however... Failing to have central shared storage (iSCSI, NAS, SAN, whatever you prefer) fails the smell test on a local enterprise-grade virtualization cluster, much less a shared cloud service. Some people have done tricks with distributing the data using one of the research-ish shared filesystems, rather than separate shared storage. That can be made to work if the host OS model and its available shared filesystems work for you. Doesn't work for VMware vCenter / vMotion-ish stuff as far as I know.
There are plenty of people doing non-enterprise-grade virtualization. There's no mandate that you have the ability to migrate a virtual to another node in realtime or restart it immediately on another node if the first node dies suddenly. But anyone saying 'we have a cloud' and not providing that type of service is in marketing not engineering. From a systems architecture point of view, you can't do that. Cloud is utterly meaningless drivel. Your idea of cloud is different from mine, which is different from my co-workers', bosses', people in marketing etc. etc. It's a vague useless term that could mean everything from a bog standard mail server through to full on 'deploy your app' things like Heroku. It would be more accurate to focus on IaaS, PaaS, SaaS et al. For what little it's probably worth mentioning, Amazon provides a shared storage platform in the form of EBS, Elastic Block Storage, which you can choose to use as your root device on your server if you so wish (wouldn't advise you do, latency is unpredictable), or you can have it mounted wherever is relevant for your data (the most common route). That's their non-physical-server-dependent storage provision. If you pay extra it'll replicate, or even replicate between availability zones. You can also choose to have Amazon monitor and ensure sufficient numbers of your servers are running through autoscale. Paul
Re: Common operational misconceptions
On 2/17/2012 10:55 PM, Michael Painter wrote: Paul Graydon wrote: Give me someone who can already think and analyse over someone who 'knows' it all, any day. You can be qualified to the hilt but absolutely useless in the real world (I've watched CCNP and higher struggling to figure out why they can't ping a 10.0.0.0/24 address at a customer's remote site, not even realising it's a private range, let alone trying to trace the path of the ping.) Hard to believe, but you're obviously serious. What are their job titles? What were they hired to accomplish? Also hard for me to understand that someone could study for CCNx and not get exposed to Private space and 1918...what am I missing? Yes I'm serious, they were CCNP qualified, hired as a NOC engineer for an ISP Hosting company. For the company the NOC team was the top tier of customer support (3rd line+); they looked after routers, switches, firewalls, servers, leased lines, and so on. This individual was perfectly capable of regurgitating all the facts, figures and technical details you can imagine, probably pretty much the entire CCNP syllabus. What they didn't seem that capable of was actually applying that to anything. I'd bet good money that if I'd asked him at the time what the 1918 network ranges are he'd have been able to tell me. This is exactly what we're teaching kids to do these days (makes me feel so old that I've already been saying this for several years and I'm only 31): standardised tests aren't marked based on ability to apply knowledge, just the knowledge itself. Hence my view, give me someone who knows how to think over someone who is qualified to the hilt. These exam cram 'do a CCNP in a week' courses only serve to make it worse. Paul
Re: Common operational misconceptions
On 02/17/2012 04:29 AM, Leo Bicknell wrote: In a message written on Thu, Feb 16, 2012 at 08:50:11PM -1000, Paul Graydon wrote: At the same time, it's shocking how many network people I come across with no real grasp of even what OSI means by each layer, even if it's only in theory. Just having a grasp of that makes all the world of difference when it comes to troubleshooting. Start at layer 1 and work upwards (unless you're able to make appropriate intuitive leaps.) Is it physically connected? Are the link lights flashing? Can traffic route to it, etc. etc. I wouldn't call it a misconception, but I want to echo Paul's comment. I would venture over 90% of the engineers I work with have no idea how to troubleshoot properly. Thinking back to my own education, I don't recall anyone in high school or college attempting to teach troubleshooting skills. Most classes teach you how to build things, not deal with them when they are broken. The Cisco CCNA syllabus used to emphasise the layer 1-7 approach to troubleshooting. Not sure if they still do, or if trainers even bother to mention it (mine did back when I did it several years ago.) The basic skills are probably obvious to someone who might design course material if they sat down and thought about how to teach troubleshooting. However, there is one area that may not be obvious. There's also a group management problem. Many times troubleshooting is done with multiple folks on the phone (say, customer, ISP and vendor). Not only do you have to know how to troubleshoot, but how to get everyone on the same page so every possible cause isn't tested 3 times. Never trust what you can't prove yourself, that includes vendors and customers. Every now and then I forget this and find hours later that I've wasted a whole bunch of time because I trusted when someone said something that it actually was the case. It's really often better to test something a third time even if Vendor and Customer tell you something is a particular way.
I think all college level courses should include a break/fix exercise/module after learning how to build something, and much of that should be done in a group environment. Definitely. I've learnt more in my time from breaking things than I've ever learnt setting them up; however the education system is focused on breadth of knowledge, not depth. Students are expected to be able to regurgitate ridiculous amounts of facts and figures, so that they pass standardised tests, not understand how to actually use them. Paul
Re: Common operational misconceptions
Give me someone who can already think and analyse over someone who 'knows' it all, any day. You can be qualified to the hilt but absolutely useless in the real world (I've watched CCNP and higher struggling to figure out why they can't ping a 10.0.0.0/24 address at a customer's remote site, not even realising it's a private range, let alone trying to trace the path of the ping.) If you're capable of symptoms-synthesis-solution you're of much more use to me. You can pick up technical knowledge on the job, or around the job. It's extremely hard to mold someone's thinking patterns by the time they're adults. When we interview we try to spend more time trying to gauge problem solving capabilities than anything else, after first quickly establishing their technical level. Paul On 2/17/2012 8:43 AM, Kenneth M. Chipps Ph.D. wrote: Exactly right. They have so much information floating around in their heads many of them cannot fit it together. But once they get on the job, all of those little synapses rapidly connect, and then the light comes on. Higher education is just like drivers education. You did not learn to drive in drivers education. You learned how to drive by driving. Higher education gives you the foundation on which to learn. -Original Message- From: Paul Graydon [mailto:p...@paulgraydon.co.uk] Sent: Friday, February 17, 2012 12:33 PM To: nanog@nanog.org Subject: Re: Common operational misconceptions On 02/17/2012 04:29 AM, Leo Bicknell wrote: In a message written on Thu, Feb 16, 2012 at 08:50:11PM -1000, Paul Graydon wrote: At the same time, it's shocking how many network people I come across with no real grasp of even what OSI means by each layer, even if it's only in theory. Just having a grasp of that makes all the world of difference when it comes to troubleshooting. Start at layer 1 and work upwards (unless you're able to make appropriate intuitive leaps.) Is it physically connected? Are the link lights flashing? Can traffic route to it, etc. etc.
I wouldn't call it a misconception, but I want to echo Paul's comment. I would venture over 90% of the engineers I work with have no idea how to troubleshoot properly. Thinking back to my own education, I don't recall anyone in high school or college attempting to teach troubleshooting skills. Most classes teach you how to build things, not deal with them when they are broken. The Cisco CCNA syllabus used to emphasise the layer 1-7 approach to troubleshooting. Not sure if they still do, or if trainers even bother to mention it (mine did back when I did it several years ago.) The basic skills are probably obvious to someone who might design course material if they sat down and thought about how to teach troubleshooting. However, there is one area that may not be obvious. There's also a group management problem. Many times troubleshooting is done with multiple folks on the phone (say, customer, ISP and vendor). Not only do you have to know how to troubleshoot, but how to get everyone on the same page so every possible cause isn't tested 3 times. Never trust what you can't prove yourself, that includes vendors and customers. Every now and then I forget this and find hours later that I've wasted a whole bunch of time because I trusted when someone said something that it actually was the case. It's really often better to test something a third time even if Vendor and Customer tell you something is a particular way. I think all college level courses should include a break/fix exercise/module after learning how to build something, and much of that should be done in a group environment. Definitely. I've learnt more in my time from breaking things than I've ever learnt setting them up; however the education system is focused on breadth of knowledge, not depth. Students are expected to be able to regurgitate ridiculous amounts of facts and figures, so that they pass standardised tests, not understand how to actually use them. Paul
Re: Hi speed trading - hi speed monitoring
On 2/16/2012 3:03 AM, Hank Nussbacher wrote: Nanosecond Trading Could Make Markets Go Haywire http://www.wired.com/wiredscience/2012/02/high-speed-trading/ Below the 950-millisecond level, where computerized trading occurs so quickly that human traders can't even react, no fewer than 18,520 crashes and spikes occurred. Anyone who has managed a network knows that when you look at your MRTG/Cacti graphs at 5min, 10min, 15min intervals - all looks well. Start looking at 1sec intervals and you will see spikes that hit 100% of capacity - even on networks running at 25% average utilization. I guess trading and networking do have many unseen similarities. -Hank Anecdotally, I had an interview years ago for a small-ish futures trading company based in London. The interviewer had to pause the interview part way through whilst he investigated a 10ms latency spike that the traders were noticing on a short point-to-point fiber link to the London Stock Exchange. He commented that the traders were far better at 'feeling' when a connection was showing even a trace of lag compared to normal than anything he'd set up by way of monitoring (not sure how good his monitoring was, though.) Paul
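Hank's point about 5-minute graphs hiding 1-second saturation is easy to reproduce numerically. The following is an added example, not code from the thread: it builds a constructed per-second utilisation series (a flat 25% baseline with three one-second bursts to 100%, the 15-minute window and the spike positions are assumptions), then averages it the way a counter polled every N seconds is averaged, and shows what the worst bucket looks like at each polling interval and whether a 90% alarm would ever fire.

```python
"""Added example: why 5-minute polling averages hide one-second spikes.

Not from the thread; the traffic series below is constructed, not measured.
"""
from statistics import mean

# Constructed: three 1 s bursts to 100% somewhere inside a 15-minute window.
SPIKE_SECONDS = (120, 431, 760)


def constructed_utilisation(seconds=900, baseline_pct=25):
    """Per-second link utilisation in percent: flat baseline plus 1 s bursts."""
    series = [float(baseline_pct)] * seconds
    for t in SPIKE_SECONDS:
        series[t] = 100.0
    return series


def aggregate(samples, window):
    """Average each run of `window` consecutive samples.

    This is what a byte counter polled every `window` seconds and divided by
    elapsed time reports: MRTG/Cacti at 5 min is window=300.
    """
    return [mean(samples[i:i + window]) for i in range(0, len(samples), window)]


def worst_bucket(samples, window):
    """Highest utilisation a grapher polling every `window` seconds ever shows."""
    return max(aggregate(samples, window))


def over_threshold(samples, window, threshold_pct=90.0):
    """Would a utilisation alarm at `threshold_pct` fire at this polling interval?"""
    return worst_bucket(samples, window) >= threshold_pct


def seconds_saturated(samples, threshold_pct=90.0):
    """How many individual seconds actually hit the threshold (what users feel)."""
    return sum(1 for s in samples if s >= threshold_pct)


if __name__ == "__main__":
    series = constructed_utilisation()
    for w in (300, 60, 10, 1):
        print(f"{w:4d}s polling: peak shown {worst_bucket(series, w):6.2f}%  "
              f"alarm at 90%: {over_threshold(series, w)}")
    print("seconds actually saturated:", seconds_saturated(series))
```

With the constructed series, 300-second buckets never rise above 25.25%, 60-second buckets above 26.25%, and 10-second buckets above 32.5%, so a threshold alarm at any of those intervals stays silent while three seconds of the window were fully saturated. The design point for monitoring is that averaging is a low-pass filter: if microbursts matter, record per-interval maxima (or finer samples) alongside the averages rather than only the mean.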
Re: Common operational misconceptions
On 2/16/2012 8:30 PM, Carsten Bormann wrote: On Feb 16, 2012, at 18:08, Jack Bates wrote: It at first started with trying to explain that vlan based switching is not Layer-3. :( Ah, one of the greatest misconceptions still around in 2012: -- OSI Layer numbers mean something. or -- Somewhere in the sky, there is an exact definition of what is layer 2, layer 3, layer 4, layer 5 (!), layer 7 or -- my definition is righter than yours At the same time, it's shocking how many network people I come across with no real grasp of even what OSI means by each layer, even if it's only in theory. Just having a grasp of that makes all the world of difference when it comes to troubleshooting. Start at layer 1 and work upwards (unless you're able to make appropriate intuitive leaps.) Is it physically connected? Are the link lights flashing? Can traffic route to it, etc. etc. Paul
Re: Megaupload.com seized
On 01/20/2012 09:11 AM, Ricky Beam wrote: On Thu, 19 Jan 2012 22:34:33 -0500, Michael Painter tvhaw...@shaka.com wrote: I quickly read through the indictment, but the gov't claims that when given a takedown notice, MU would only remove the *link* and not the file itself. That's actually a standard practice. It allows the uploader to file a counterclaim and have the content restored. One cannot restore what has already been deleted. However, never going back and cleaning up the undisputed content is a whole other mess of dead monkeys. From what I understand about MegaUpload's approach, they created a hash of every file that they stored. If they'd already got a copy of the file that was to be uploaded they'd just put an appropriate link in a user's space, saving them storage space, and bandwidth for both parties. Fairly straightforward. Whenever they received a DMCA take-down they would remove the link, not the underlying file, so even though they knew that a file was illegally hosted, they never actually removed it. That comes up for some argument about the ways the company should be practically enforcing a DMCA take-down notice, whether each take-down should apply to just an individual user's link to a file or whether the file itself should be removed. That could be different from circumstance to circumstance. Paul
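The mechanism Paul describes (hash every upload, store each distinct file once, give users links into that store) is plain content-addressed deduplication, and the takedown question is really about which object a notice removes. The following added example, written for this thread and not MegaUpload's code, implements such a store with two takedown scopes side by side: removing one user's link (the bytes stay hosted for everyone else who linked them) and removing the content itself (every link to it goes too), plus the garbage-collection pass that Ricky's "never going back and cleaning up" remark implies. Class and method names and the sample files are constructed.

```python
"""Added example: content-addressed storage with per-user links and two
takedown scopes (one link vs the underlying file). Constructed illustration,
not any hosting provider's code."""
import hashlib


class DedupStore:
    """Each distinct file is stored once under its SHA-256 digest; users hold
    links (their filename -> digest). Uploading bytes already present only
    adds a link, which is the storage and bandwidth saving the post mentions."""

    def __init__(self):
        self.blobs = {}   # digest -> bytes, one copy per distinct content
        self.links = {}   # user -> {name: digest}

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    def upload(self, user, name, data):
        """Return the digest; the bytes are stored only if no copy exists yet."""
        d = self.digest(data)
        self.blobs.setdefault(d, data)
        self.links.setdefault(user, {})[name] = d
        return d

    def download(self, user, name):
        d = self.links.get(user, {}).get(name)
        return None if d is None else self.blobs.get(d)

    def is_hosted(self, d):
        return d in self.blobs

    def reference_count(self, d):
        """How many user links currently point at this content."""
        return sum(1 for names in self.links.values()
                   for x in names.values() if x == d)

    def takedown_link(self, user, name):
        """Narrow scope: drop one user's link. The bytes stay hosted and every
        other link to them keeps working; returns the digest it pointed at."""
        return self.links.get(user, {}).pop(name, None)

    def takedown_content(self, d):
        """Wide scope: drop the bytes and every link to them.
        Returns the number of links removed."""
        removed = 0
        for names in self.links.values():
            for name in [n for n, x in names.items() if x == d]:
                del names[name]
                removed += 1
        self.blobs.pop(d, None)
        return removed

    def gc_unreferenced(self):
        """Delete blobs that no link points at any more; returns their digests.
        Without a pass like this, orphaned content stays on disk indefinitely."""
        referenced = {x for names in self.links.values() for x in names.values()}
        orphans = [d for d in self.blobs if d not in referenced]
        for d in orphans:
            del self.blobs[d]
        return orphans


def demo():
    """Walk through both takedown scopes on constructed sample data."""
    store = DedupStore()
    payload = b"constructed sample file contents"   # constructed, not real media
    d = store.upload("alice", "movie.bin", payload)
    store.upload("bob", "copy.bin", payload)        # same bytes: second link only
    after_link = store.takedown_link("alice", "movie.bin")
    still_hosted_after_link = store.is_hosted(d)
    links_removed = store.takedown_content(d)
    return {
        "distinct_blobs": 1 if after_link == d else None,
        "still_hosted_after_link_takedown": still_hosted_after_link,
        "links_removed_by_content_takedown": links_removed,
        "hosted_after_content_takedown": store.is_hosted(d),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two scopes are the policy choice the post raises: link-level removal preserves the ability to restore on counter-notice, content-level removal actually stops the bytes being served, and a store that only ever does the former needs a reference-count sweep or it accumulates orphaned data.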
Re: Megaupload.com seized
On 01/19/2012 12:41 PM, Ryan Gelobter wrote: The megaupload.com domain was seized today, has anyone noticed significant drops in network traffic as a result? http://www.scribd.com/doc/78786408/Mega-Indictment http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/ Ars Technica are implying it was quite a source of bandwidth usage within companies. I'm curious, are there any interesting charts from the ISP side? http://arstechnica.com/business/news/2012/01/before-shutdown-megaupload-ate-up-more-corporate-bandwidth-than-dropbox.ars
Re: Linux Centralized Administration
On 01/12/2012 03:51 PM, chaim.rie...@gmail.com wrote: On 1/12/2012 4:43 PM, Jimmy Hess wrote: On Thu, Jan 12, 2012 at 3:02 PM, Paul Stewartp...@paulstewart.org wrote: Today, we manually do YUM updates to all the CentOS servers . just an example but a good one. I have heard there are some open source solutions similar to that of Red Hat Network? Something to think about before attempting to centrally manage, your systems actually have to be centrally manageable -- that doesn't happen automatically and requires extra work. this is why i never update. i would rather build a new image and deploy it to the thousands of servers than worry about updates. be it an openssh security notice, or new ntp configuration, for me it is easier to rebuild servers than update config files. .. you never update? How frequently do you rebuild your entire server stack, weekly? Paul
Re: Linux Centralized Administration
On 01/12/2012 03:51 PM, chaim.rie...@gmail.com wrote: On 1/12/2012 4:43 PM, Jimmy Hess wrote: On Thu, Jan 12, 2012 at 3:02 PM, Paul Stewartp...@paulstewart.org wrote: Today, we manually do YUM updates to all the CentOS servers . just an example but a good one. I have heard there are some open source solutions similar to that of Red Hat Network? Something to think about before attempting to centrally manage, your systems actually have to be centrally manageable -- that doesn't happen automatically and requires extra work. this is why i never update. i would rather build a new image and deploy it to the thousands of servers than worry about updates. be it an openssh security notice, or new ntp configuration, for me it is easier to rebuild servers than update config files. For that matter, imaging is a bad way to go about handling this, you'd be better served by setting up something like Puppet or Chef and have them handle configuration management for you centrally, along with necessary software packages. Paul
Re: Internet Edge and Defense in Depth
On 12/06/2011 11:16 AM, Holmes,David A wrote: Some firewall vendors are proposing to collapse all Internet edge functions into a single device (border router, firewall, IPS, caching engine, proxy, etc.). A general Internet edge design principle has been the defense in depth concept. Is anyone collapsing all Internet edge functions into one device? Regards, David Yikes... single point of failure. I really dislike the notion that all the security comes down to a single potentially compromisable point. Our security functions like IPS run separately from centralised logging, etc. etc. so that if someone does happen to break in to a particular point there are still further things they need to try to compromise before they can have their wicked way, or whatever it is they want to do. Sure the economies of a centralised box and the convenience are probably tempting, and it's better than nothing, but I can't picture it actually being an improvement over split out functions. Paul
Re: IP addresses are now assets
On 12/1/2011 7:20 PM, John Curran wrote: Wayne - Your subject line (IP addresses are now assets) could mislead folks, so I'd advise waiting to review the actual sale order once approved by the court before making summary conclusions. ARIN holds that IP address space is not property but is managed as a public resource. Address holders may have certain rights (such as the right to be the registrant of the address block, the right to transfer the registration, etc.) but these rights intersect with additional rights to the same address blocks which are held by the community (such as the right of visibility to the public portion of registrations). The registry policies (set by the community via open and transparent processes) govern the intersection and application of these rights. For this reason, ARIN works with parties transferring their rights in IP address space to make sure that the documents reflect that sales of rights are subject to the transfer policies in the region, including in this particular case. A party may transfer their rights to IP addresses, and such rights may have value to an estate, but this does not make the IP addresses property per se. Thanks! /John Why'd you have to spoil the fun? You're supposed to wait a few days, let the pointless righteous fury build up and then step in and try to do the firefighting thing. It must have been all but a month since the last time this flared up, it's surely about time it flared up again? Wouldn't want anyone to miss out on the fun ;) Paul
Re: Welcome to the Marketing mailing list
On 11/17/2011 10:47 AM, Jay Ashworth wrote: My, but there are a lot of people, in my best friend's favorite phrase, spring loaded to the pissed-off position. I didn't think NANOGers were quite so prone to recreational indignation... Cheers, -- jra NANOG where no day is complete without a bit of righteous indignation. Paul
Re: Comcast IPv6 Update
On 11/09/2011 06:32 AM, Brzozowski, John wrote: Update from http://www.comcast6.net IPv6 Pilot Market Deployment Begins Wednesday, November 9, 2011 Comcast has started our first pilot market deployment of IPv6 in limited areas of California and Colorado. This first phase supports directly connected CPE, where a single computer is directly connected to a cable device. A subsequent phase will support home gateway devices. To learn more, check out FAQs on the pilot market deployment http://www.comcast6.net/pilotfaq.php and the announcement http://blog.comcast.com/2011/11/ipv6-deployment.html and technical details http://blog.comcast.com/2011/11/ipv6-deployment-technology.html on our blog. John Good to hear, thanks John. Hopefully Comcast's marketing/sales team can run productively with this. It might start to encourage some of the other major and minor ISPs to jump on board. Paul
Re: Colocation providers and ACL requests
On 10/25/2011 08:43 AM, Christopher Pilkington wrote: Is it common in the industry for a colocation provider, when requested to put an egress ACL facing us such as: deny udp any a.b.c.d/24 eq 80 …to refuse and tell us we must subscribe to their managed DDOS product? -cjp For colo? No, filtering is the customer's concern, unless failure to do so is causing a problem for the colo network. Such services are almost always paid for add-ons to a colo package. The colocation business is usually fairly low on the profit margin with most companies trying to get away with the bare minimum possible over and above the basics.
Re: Did Internap lose all clue?
On 10/20/2011 10:48 AM, bas wrote: Recently I was contacted by an Internap sales person. The third line of the email read: As you know well, BGP makes all routing decisions simply based on HOP COUNT I blinked my eyes a couple of times.. Yes it really said hop count. Then I replied to the guy that if he tries to sell a technical product to technical people he should get his info straight. But he replied BGP actually makes decisions based on hop count. He even sent a URL from the internap website that states this http://www.internap.com/it-iq/route-optimization-miro/ On that page there is also this gem: BGP relies on the premise that hops are responsible for packet loss and congestion, and therefore a route with fewer hops is inherently better. I can imagine blatant misinformation like this from a shady startup trying to trick some sales with smoke and mirrors, but from Internap? -- Bas Reply with a link to Wikipedia? http://en.wikipedia.org/wiki/BGP Possibly better still, Cisco's docwiki about it, assuming he might consider Cisco a bit more of an authoritative source: http://docwiki.cisco.com/wiki/Border_Gateway_Protocol#BGP_Attributes Paul
Re: Telus mail server admin
On 10/6/2011 8:02 PM, John Levine wrote: DISCLAIMER:... Wow. I was thinking about answering the question, but now I don't dare. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly PS: I spent ten years as an elected official with no disclaimer in my e-mail, and lived! That's nice for you, but some of us are stuck with a corporate policy that requires us to use such disclaimers, or face disciplinary actions. The legality and practicality might be questionable but short of quitting and finding other employment over something utterly trivial, what can you do if protests fall on deaf ears? Paul
Re: Telus mail server admin
On 10/7/2011 5:30 AM, Joel Jaeggli wrote: On 10/7/11 08:26, Paul Graydon wrote: On 10/6/2011 8:02 PM, John Levine wrote: DISCLAIMER:... Wow. I was thinking about answering the question, but now I don't dare. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly PS: I spent ten years as an elected official with no disclaimer in my e-mail, and lived! That's nice for you, but some of us are stuck with a corporate policy that requires us to use such disclaimers, or face disciplinary actions. The legality and practicality might be questionable but short of quitting and finding other employment over something utterly trivial, what can you do if protests fall on deaf ears? Subscribe from your personal account. Which I do. But note the original complaint was not about using ridiculously long disclaimers on a mailing list, it was about the ridiculously long disclaimer, full stop. Paul
Re: Steve Jobs has died
On 10/6/2011 4:02 PM, Wayne E Bouchard wrote: On Wed, Oct 05, 2011 at 08:15:02PM -0400, Alex Rubenstein wrote: Not entirely on-list-topic, but still relevant. http://news.cnet.com/8301-13579_3-20116336-37/apple-co-founder-chairman-steve-jobs-dies/?tag=cnetRiver In some circles, he's being compared to Thomas Edison. Apply your own opinion there whether you feel that's accurate or not. I'll just state this: Both men were passionate about what they did. They each changed the world and left it better than they found it. It's probably not a bad analogy, like Ford and many other champions of industry he didn't invent groundbreaking technology (Edison's only invention was the phonograph IIRC, all else was improvements on existing technology). They took what was already in existence and did something amazing with it: made it accessible, be it through price, ease of use or whatever. Paul
Re: New Natural Disaster! 8/27/2011 Hurricane Irene
On 8/28/2011 6:01 AM, andrew.wallace wrote: It looks like the DHS, FEMA got this emergency wrong... by the time it got to NYC it was the equivalent of a normal day in Scotland. I live in Scotland... Andrew I'm sure the rest of the East Coast will be particularly appreciative of that sentiment whilst they deal with billions of dollars of damage from the wake of Irene.
Re: New Natural Disaster! 8/27/2011 Hurricane Irene
Sure, but it's not appropriately filtered to avoid contaminants, spikes and dips in the flow. Paul On 8/27/2011 6:16 AM, Kenton A. Hoover wrote: The hurricane provides its own redundant water. Text and URLs mangled by the iPhone Kenton A. Hoover +1.415.830.5843 ken...@nemersonhoover.org On Aug 26, 2011, at 19:56, Paulp...@paulgraydon.co.uk wrote: I'm assuming he also has fully redundant water sources, fertilisers etc, along with a contract for replenishment and resupply. Can't be too safe. Scott Morriss...@emanon.com wrote: Did you have backup tomatoes? On 8/26/11 10:05 PM, Chris wrote: Irene is already past me. I'm outside of Jacksonville, Florida by the coast. Irene snapped my tomato plant in half overnight Wednesday.
Re: What do you do when your Home ISP is down?
On 8/19/2011 7:56 AM, Jason LeBlanc wrote: This is why I love my mom and pop DSL provider, I can call and get someone who speaks packets and listens and understands. I may not have the speed some cable providers offer (if you actually get it..) but it is reliable and I can get resolution quickly. Short of that, tethering the laptop to my phone can get me by in a pinch. Jason It's one of the things I appreciate about the ISP I use at work being local. Their first line are rarely that technical, but do a great job of quickly and painlessly filtering out users with basic problems, and quickly escalate. If need be I have a direct phone number for the CEO and founder of the company, someone who is CCIE qualified.
Re: IPv6 Real World Maturity (was re: How long is your rack?)
On 8/14/2011 2:43 PM, Tim Wilde wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 8/14/2011 8:36 PM, Charles N Wyble wrote: Can someone explain the operational relevance of the never ending v6 threads that are the EXACT SAME ARGUMENTS over and over and over again? :) Yes, they prove that IPv6 is not a viable technology as it currently stands and we should be working on the next big thing, of course! IPv42, here I come! On a serious note, though, really, what DOES it say about the real-world maturity / actual chances of adoption for IPv6 that Charles' statement above is, in fact, true? Not trying to be anti-IPv6 or start a flamewar (well, okay, I am trying to start a flamewar, that's what Sunday nights are for :)), it's honestly something that puzzles me. It just doesn't feel right... It doesn't say all that much, just that nothing ever changes in the world. Protocols have never been perfect, and probably never will be. Engineers and Ops have always struggled to make something that suits both worlds. Paul
Re: NANOGers home data centers - What's in your closet?
On 08/12/2011 01:28 PM, Charles N Wyble wrote: Hey all, I'm curious what other NANOGers have in their home compute centers? On the extreme end of course we have mr morris :) with his uber lab: http://smorris.uber-geek.net/lab.htm Call me lazy, skinflint or otherwise, but I don't have much equipment at home and only very occasionally wish I had something extra. Mind you, I'm more sysadmin than network and mostly my fiddling stuff is server side rather than network. Straightforward setup, get internet with our TV over cable. Linksys WRT54GL running DD-WRT, set up to provide us with an HE IPv6 tunnel and wifi for a Roku, my wife's laptop, my desktop machine and cell-phone. DD-WRT gives me sufficient balance between working 'out-of-the-box' and flexibility to do what I like. If I've spent all day arguing with software/servers the last thing I want to do is argue with a router. Besides which, if something should happen I don't want to have to spend time getting it up and working. It's quick to factory reset it and then tack the extra functions on afterwards over time. We've also got a cheap Synology home NAS device plugged into the back of the router which we use primarily for backups and the odd bit of file sharing. Again, I'm quite capable of building something like that from scratch myself but it works out-of-the-box, is expandable for storage, fairly low power, nearly silent and is extremely flexible running some form of embedded Linux distribution that you can access if you need to. Paul
Re: US internet providers hijacking users' search queries
On 08/05/2011 02:53 PM, Brielle wrote: Until they start MitM the ssl traffic, fake certs and all. Didn't a certain repressive regime already do this tactic with facebook or some other major site? Syria did: https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook https://www.facebook.com/note.php?note_id=10150178983622358comments
Re: [BULK] Re: SORBS contact
On 7/30/2011 2:33 PM, Michelle Sullivan wrote: Ken Chase wrote: On Sat, Jul 30, 2011 at 02:57:12PM +0200, Michelle Sullivan said: Ok I'll accept that reference..I must admit I didn't know that RFC/STD existed so I learnt something today. ;-) That's pretty rich. You enforce people to adopt standards that are part of proposed RFC's, not official by any standard, jump through 18 other hoops, and still won't delist them because some bit in their named replies is the wrong number of electronvolts on your wire, and then claim you don't know an RFC? p.k.b. /kc What's the current RFC/BCP and STDs count? I'm sure you remember at least 95% of them by heart and can recite them word for word, just like me..! Whilst you have a reasonable point, and there are a fair number of them to keep track of, you are providing a service based around a subset of them. Would you not agree that it would be reasonable to assume that you (or your product designers) would know and understand all the standards appropriate to your product, and are ensuring your own compliance? Paul
Re: SORBS contact
On 07/29/2011 12:24 PM, Nick Hilliard wrote: On 29/07/2011 22:55, Michelle Sullivan wrote: Friendly or non friendly response is usually gaugeable in advance by the tone of the initial email. Which is usually gaugeable in advance by the tone of the customer complaints that precipitated contact with SORBS in the first place. Email is such a lousy medium for this. We're all much more decent people in person than over snarky emails. Nick It's pretty much customer service 101 to ensure that you keep your communications as neutral and polite as possible, regardless of how frustrated or vilified you feel by the person you're supporting, and regardless of how tired you are of accusatory tickets. Being snarky back gains little, if anything, and just helps promote a bad reputation. People forget good customer service (unless it surpasses that to brilliant), but remember bad service.
Re: NetFlix Down
On 7/17/2011 12:36 PM, Scott, Robert D. wrote: There appears to be a login issue at Netflix. Calls to their 1-866-579-7113 number only yield a recording that they are experiencing a higher than normal call volume, try again later. Widespread? Likewise from Hawaii. Guess this'll be another thing added to Chaos Monkey: http://www.codinghorror.com/blog/2011/04/working-with-the-chaos-monkey.html _ NANOG mailing list NANOG@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog
Re: Spam?
OMG can't you people run proper spam filtering on your own mail servers that filter out the nanog messages that are spam?! I think I've had two messages in the last month, while others of you are talking about dozens? Do you need to buy some hosting for your email accounts? My filtering works great, thanks. It's just that I'd whitelisted Nanog as a reliable source of e-mail. Under the mailman setup where only subscribers were allowed to post that wasn't a problem. With the new format it was, and a good half dozen e-mails got through to me (I certainly didn't see dozens). Does make me rather curious what the rejection stats are like for the old Mailman setup. Paul
Spam?
New location means we now get spam on Nanog? Could we go back to the old place?
Re: Wacky Weekend: NERC to relax power grid frequency strictures
On 6/25/2011 12:32 PM, Seth Mattinen wrote: On 6/25/2011 15:12, Leo Bicknell wrote: I have never seen a generator that syncs to the utility for live, no break transfer. I'm sure such a thing exists, but that sounds crazy dangerous to me. Generators sync to each other, not the utility. Most of these come in open, delayed, or closed transition models: http://www.gedigitalenergy.com/powerquality/ATSHome.htm For open and closed transitions you'll most certainly want to sync to utility to transition between the two. For the delayed transition model it'll stop at the intermediate open point for a configurable amount of time during which the load is disconnected from everything (i.e. let all the motors spin down first). ~Seth Take a guess what the datacenter our equipment is currently hosted in uses. Yet another reason to be glad of a datacenter move that's coming up.
Re: IPv6 words
On 06/23/2011 12:10 PM, Jeroen van Aart wrote: I am sure it has come up a number of times, but with IPv6 you can make up fancy addresses that are (almost) complete words or phrases. Making it almost as easy to remember as the resolved name. It'd be nice in a weird geek sort of way (but totally impractical) to be able to request IPv6 blocks that have some sort of fancy name of your choice. 2001:db8:dead:beef:: dead:beef:: dead::beef As seen on http://en.wikipedia.org/wiki/Magic_number_%28programming%29 DEADBEEF Famously used on IBM systems such as the RS/6000, also used in the original Mac OS operating systems, OPENSTEP Enterprise, and the Commodore Amiga. On Sun Microsystems' Solaris, marks freed kernel memory (KMEM_FREE_PATTERN) Bonus points if your organisation's name only contains HEX characters. Greetings, Jeroen Not quite dead beef, but spotted this when testing connectivity using a site from one of the rackspace guys: ipv6.icanhazip.com. 7200 IN 2001:470:1f10:d57:feed:beef:cafe:d00d Paul
Re: ICANN to allow commercial gTLDs
On 06/17/2011 11:33 AM, David Conrad wrote: On Jun 17, 2011, at 11:23 AM, Jay Ashworth wrote: http://tech.slashdot.org/story/11/06/17/202245/ You just learned about this now? In fact I did. I certainly haven't seen it mentioned on NANOG in the last 6 months or so; where should I have seen it? New TLDs have been discussed now for over a decade. Press (both technical and popular) on ICANN activities have ratcheted up significantly recently, particularly with the approval of .XXX (which was recently discussed here on NANOG: http://mailman.nanog.org/pipermail/nanog/2011-March/034488.html). Not blaming/accusing, just surprised this would be a surprise. I guess I've been living in the layer9 cloud too long Regards, -drc I've seen the stuff about adding a few extra TLDs, like XXX. I haven't seen any references until now of them considering doing it on a commercial basis. I don't mind new TLDs, but company ones are crazy and going to lead to a confusing and messy internet. Paul
Re: IPv6 day fun is beginning!
I've done the same at home, HE tunnel for IPv6. I've got a Linksys WRT54GL running DD-WRT so getting it set up was relatively straightforward, though I really need to fix the automatic startup script that's misbehaving. Work was another matter, one big headache, to the point where I'm wondering if something is interfering. OpenBSD box running pf acts as a router for us, HE tunnel comes up easily and works fine from the box. rtadvd starts advertising the network range and every machine in the office picked it up. Briefly those workstations running Windows 7 in the office were able to use the tunnel (5 mins give or take). From then on I could see outbound and inbound IPv6 traffic on the BSD box, but it never seemed to reach the workstations. Tearing down, reconfiguring, checking out every guide under the sun, nothing worked :) Gave up in the end, I'll tackle it later when I've got time to waste. Would be nice if my $isp would sort out an IPv6 address range for us to use properly.

Paul

On 6/8/2011 1:40 AM, Jamie Bowden wrote: Thanks to HE's tunnel broker service, I've got fully functional dual stack at home (well, mostly, like most folks, VZ gives me a single address and I live behind that with NATv4, but otherwise, I loves me some FiOS) and yesterday went by for me without a hitch, including accessing Facebook (I'd hear from the wife and kid really quickly if they weren't working). For a working tunnel, I put my DIR-825 as the DMZ host behind the cheesy Actiontec router VZ requires, forward all traffic with zero firewalling to it, and let the D-Link appliance handle all my firewall needs (and it terminates my v6 tunnel obviously). The one thing I haven't quite figured out how to make it do (and maybe it's just not capable) is use the /48 HE routes to me. The box insists that the internal interface be on the same subnet as the external, and it hands out v6 addresses from that /64.
Jamie -Original Message- From: Jared Mauch [mailto:ja...@puck.nether.net] Sent: Tuesday, June 07, 2011 7:15 PM To: Iljitsch van Beijnum Cc: NANOG list Subject: Re: IPv6 day fun is beginning! On Jun 7, 2011, at 7:13 PM, Iljitsch van Beijnum wrote: www.facebook.com has but doesn't load for me over IPv6, it does for others though If you go to www.v6.facebook.com it works, but it seems they have some problem on their main site. I am seeing some issues reaching them over IPv6. - Jared
Re: IPv6 day fun is beginning!
Not Cook Islands. I am in Hawaii though, so not a huge distance away. I've got dual boot Debian/Windows and I had the tz location set wrong under Debian (GMT instead of local time). Booted back into Windows to test something and sent a few e-mails without noticing the time stamp was wrong.

Paul

On 6/8/2011 9:41 AM, Ryan Pavely wrote: Are you really on Cook Island in the Pacific or is your email headers date timezone string set incorrectly -1000. Your message won't be read by me until tonight shortly after 12:19 am. Sadly you'll miss IPv6 day :( Ryan Pavely Net Access Corporation http://www.nac.net/

On 6/9/2011 12:19 AM, Paul Graydon wrote: I've done the same at home, HE tunnel for IPv6. I've got a Linksys WRT54GL running DD-WRT so getting it set up was relatively straightforward, though I really need to fix the automatic startup script that's misbehaving. Work was another matter, one big headache, to the point where I'm wondering if something is interfering. OpenBSD box running pf acts as a router for us, HE tunnel comes up easily and works fine from the box. rtadvd starts advertising the network range and every machine in the office picked it up. Briefly those workstations running Windows 7 in the office were able to use the tunnel (5 mins give or take). From then on I could see outbound and inbound IPv6 traffic on the BSD box, but it never seemed to reach the workstations. Tearing down, reconfiguring, checking out every guide under the sun, nothing worked :) Gave up in the end, I'll tackle it later when I've got time to waste. Would be nice if my $isp would sort out an IPv6 address range for us to use properly.
Paul On 6/8/2011 1:40 AM, Jamie Bowden wrote: Thanks to HE's tunnel broker service, I've got fully functional dual stack at home (well, mostly, like most folks, VZ gives me a single address and I live behind that with NATv4, but otherwise, I loves me some FiOS) and yesterday went by for me without a hitch, including accessing Facebook (I'd hear from the wife and kid really quickly if they weren't working). For a working tunnel, I put my DIR-825 as the DMZ host behind the cheesy Actiontec router VZ requires, forward all traffic with zero firewalling to it, and let the D-Link appliance handle all my firewall needs (and it terminates my v6 tunnel obviously). The one thing I haven't quite figured out how to make it do (and maybe it's just not capable) is use the /48 HE routes to me. The box insists that the internal interface be on the same subnet as the external, and it hands out v6 addresses from that /64. Jamie -Original Message- From: Jared Mauch [mailto:ja...@puck.nether.net] Sent: Tuesday, June 07, 2011 7:15 PM To: Iljitsch van Beijnum Cc: NANOG list Subject: Re: IPv6 day fun is beginning! On Jun 7, 2011, at 7:13 PM, Iljitsch van Beijnum wrote: www.facebook.com has but doesn't load for me over IPv6, it does for others though If you go to www.v6.facebook.com it works, but it seems they have some problem on their main site. I am seeing some issues reaching them over IPv6. - Jared
Re: World IPv6 Only Day.
Dumb question.. what does the switch (L2) have to do with IPv6 (L3), or is it one of those 'somewhere in between the two' things?

Paul

On 6/8/2011 1:08 PM, fredrik danerklint wrote: Well, that's another problem. To make a long story short, the network (not mine and I don't have any kind of control over that either) that my customers (including me) are using, did put in new equipment (a switch) over a year ago and after that I lost my IPv6 connection that I had previously. That switch does not support IPv6 it turns out. This is exactly the things that the customers really need to better understand and why it's not gonna work for them. You did miss a thing:

$ dig mx fredan.se
;; ANSWER SECTION:
fredan.se. 3597 IN MX 10 mail.fredan.se.
;; ADDITIONAL SECTION:
mail.fredan.se. 3597 IN A 77.105.235.102
mail.fredan.se. 3597 IN 2001:4db8:e001::2::17

So I do have a IPv6 connection but not to my customers. How about that one? (Please reply to the mailing list only) You wouldn't be posting to the list... :-)

Received: from [77.105.232.43] (port=53699 helo=fredan-pc.localnet)
by mail.fredan.se with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.71)
(envelope-fromfredan-na...@fredan.se)
id 1QURHg-0004ZJ-4d
for nanog@nanog.org; Thu, 09 Jun 2011 00:31:32 +0200
Re: Microsoft's participation in World IPv6 day
On 06/02/2011 12:45 PM, david raistrick wrote: On Thu, 2 Jun 2011, Bill Woodcock wrote: http://support.microsoft.com/kb/2533454/ Uh... snicker. snicker. lol. rofl. we'll fix our ipv6 support by, well, not using it! It's not Microsoft's IPv6 support they're fixing, which works fine from my experience with it, they're making sure you can access sites if your ISP or Router's IPv6 handling is screwed up. Paul
Re: Had an idea - looking for a math buff to tell me if it's possible?with today's technology.
On 05/20/2011 08:53 AM, Brett Frankenberger wrote: On Fri, May 20, 2011 at 06:46:45PM +, Eu-Ming Lee wrote: To do this, you only need 2 numbers: the nth digit of pi and the number of digits. Simply convert your message into a single extremely long integer. Somewhere, in the digits of pi, you will find a matching series of digits the same as your integer! Decompressing the number is relatively easy after some sort-of recent advances in our understanding of pi. Finding out what those 2 numbers are--- well, we still have a ways to go on that. Even if those problems were solved, you'd need (on average) just as many bits to represent which digit of pi to start with as you'd need to represent the original message. -- Brett Not quite sure I follow that. Start at position xyz, carry on for 1 bits shouldn't be as long as telling it all 1 bits? Paul
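A worked illustration of Brett's counting argument, added here and not part of the thread: it computes the digits of pi with Machin's formula, searches them for a message encoded as a decimal integer (as Eu-Ming suggests), and compares the bits needed for the offset with the bits in the message. The helper names, the 5000-digit window and the survey function are my own choices.

```python
"""Why "send an offset into pi" cannot compress on average (added example)."""
import math


def pi_digits(n):
    """Return the first n decimal digits of pi as a string, starting "3141...".

    Machin's formula pi = 16*atan(1/5) - 4*atan(1/239), evaluated in
    fixed-point integer arithmetic with a few guard digits for truncation.
    """
    guard = 10
    scale = 10 ** (n + guard)

    def arctan_inv(x):
        # atan(1/x) = 1/x - 1/(3x^3) + 1/(5x^5) - ... , all terms scaled
        total, term, k, sign = 0, scale // x, 1, 1
        x2 = x * x
        while term:
            total += sign * (term // k)
            term //= x2
            k += 2
            sign = -sign
        return total

    pi_scaled = 16 * arctan_inv(5) - 4 * arctan_inv(239)
    return str(pi_scaled // 10 ** guard)[:n]


# Constructed search window: enough digits to demonstrate the effect quickly.
PI_DIGITS = pi_digits(5000)


def message_to_digits(message):
    """Encode a byte string as the decimal digits of a big-endian integer."""
    return str(int.from_bytes(message, "big"))


def find_in_pi(message_digits, digits):
    """Offset of the first occurrence of message_digits, or None if absent."""
    pos = digits.find(message_digits)
    return None if pos < 0 else pos


def cost_comparison(message, digits):
    """Return (message_bits, offset_bits, offset) for the pi-offset scheme.

    offset_bits is None when the message does not occur in the window at all,
    which is the common case for anything longer than a few digits.
    """
    offset = find_in_pi(message_to_digits(message), digits)
    message_bits = len(message) * 8
    offset_bits = None if offset is None else offset.bit_length()
    return message_bits, offset_bits, offset


def survey(digits, k):
    """Fraction of all k-digit strings that occur anywhere in digits.

    Roughly 1 - exp(-len(digits) / 10**k): a k-digit message is typically
    first found around offset 10**k, so the offset costs about k*log2(10)
    bits, the same as the message it was meant to replace.
    """
    total = 10 ** k
    found = sum(1 for v in range(total) if str(v).zfill(k) in digits)
    return found / total


def offset_bits_lower_bound(k):
    """Pigeonhole bound: 10**k distinct k-digit messages need 10**k distinct
    offsets, so the offset field needs at least ceil(k*log2(10)) bits."""
    return math.ceil(k * math.log2(10))


if __name__ == "__main__":
    for k in (2, 3, 4):
        print(f"{k}-digit strings found in {len(PI_DIGITS)} digits: "
              f"{survey(PI_DIGITS, k):.1%}")
    for k in (5, 10, 100):
        print(f"{k} decimal digits: message needs {(10**k - 1).bit_length()} bits,"
              f" offset needs at least {offset_bits_lower_bound(k)} bits")
```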
Re: Experience with Open Source load balancers?
On 05/17/2011 08:23 AM, Tom Hill wrote: I've worked with open source and commercial solutions, and while the open source systems were almost always far more flexible, and cheaper up front, they certainly required more work to get going.. Once setup and running though both types of solutions had pretty equal amounts of maintenance, with the commercial solutions requiring somewhat less time/babysitting for upgrades and to enable or use new features or functionality. I worry far more about upgrades to proprietary appliances (where it's often the whole system image), than I do about a few package updates on a Linux machine (followed by a service restart, or two). But still, pretty well worded. :) Tom Can't speak for other brands these days but F5s have two hard disks in them. You can upgrade the software on the hot-spare, boot off that and confirm everything is working. If it isn't you can just switch back. Paul
Re: Amazon diagnosis
On 05/02/2011 09:27 AM, Jeroen van Aart wrote: Jeff Wheeler wrote: IT managers would do well to understand that a few smart programmers, who understand how all their tools (web servers, databases, filesystems, load-balancers, etc.) actually work, can often do more to I fully agree. But much to my dismay and surprise I have learned that developers know very little above and beyond their field of interest, say java programming. And I bet this is vice versa. It surprised me because I, perhaps naively, assumed IT workers in general have a rather broad knowledge because in general they're interested in many aspects of IT, try to find out as much as possible and if they do not know something they make an effort learning it. Also considering many (practical) things just aren't taught in university, which is to be expected since the idea is to develop an academic way of thinking.

I work with a bunch of developers, we're a primarily Java based company, but I've got more than enough on my plate trying to keep up with everything practical as a sysadmin, from networks to hardware to audit needs, to even start to think about adding Java skills to my repertoire! Especially given I'm the only sysadmin here and our infrastructure needs are quite diverse. I've learned to interpret Java stack traces that get sent to me 24x7 on our critical mailing list so that I can identify whether it's code or infrastructure, but that's as far as I go with Java. I don't particularly see that I need to either. I strive to work with developers, no 'them vs us' attitudes, no arrogant my way or the highway. I can't conceive why anyone would even consider maintaining those kinds of attitudes but unfortunately have seen them frequently, and it seems so often to be the normal rather than the abnormal. Programming is not something I'd consider myself to be any good at.
I'll happily and reasonably competently script stuff in perl, python or bash for sysadmin purposes, but I'd never make any pretence at it being 'good' and well done scripting. It's just not the way my mind works. I have my specialisms and they have theirs, more productive use of time is to work with those who excel at that kind of thing. Here they don't make assumptions about my end of things, and I don't make assumptions about theirs. We ask each other questions, and work together to figure out how best to proceed. Thankfully we're a relatively small enough operation that management isn't too much of a burden. Smart IT managers, in my book, work to take advantage of all the skills that their workers have and provide an efficient framework for them to work together. What it seems we see more often than not are IT managers that persist in seeing Sysadmin and Development as 'ops' and 'dev' separately rather than combined, perpetuating the 'them' vs 'us' attitudes rather than throwing them out for the inefficient, financially wasteful things they are. Paul
Re: Amazon diagnosis
On 5/1/2011 9:29 AM, Jeff Wheeler wrote: On Sun, May 1, 2011 at 2:18 PM, Andrew Kirchtrel...@trelane.net wrote: Sure they can, but as a thought exercise fully 2n redundancy is difficult on a small scale for anything web facing. I've seen a very simple implementation for a website requiring 5 9's that consumed over $50k in equipment, and this wasn't even geographically diverse. I have What it really boils down to is this: if application developers are doing their jobs, a given service can be easy and inexpensive to distribute to unrelated systems/networks without a huge infrastructure expense. If the developers are not, you end up spending a lot of money on infrastructure to make up for code, databases, and APIs which were not designed with this in mind. These same developers who do not design and implement services with diversity and redundancy in mind will fare little better with AWS than any other platform. Look at Reddit, for example. This is an application/service which is utterly trivial to implement in a cheap, distributed manner, yet they have failed to do so for years, and suffer repeated, long-duration outages as a result. They probably buy a lot more AWS services than would otherwise be needed, and truly have a more complex infrastructure than such a simple service should. IT managers would do well to understand that a few smart programmers, who understand how all their tools (web servers, databases, filesystems, load-balancers, etc.) actually work, can often do more to keep infrastructure cost under control, and improve the reliability of services, than any other investment in IT resources. If you want a perfect example of this, consider Netflix. Their infrastructure runs on AWS and we didn't see any downtime with them throughout the entire affair. 
One of the interesting things they've done to try and enforce reliability of services is an in-house service called Chaos Monkey whose sole purpose is to randomly kill instances and services inside the infrastructure. Courtesy of Chaos Monkey and the defensive programming it enforces, nothing is dependent on each other, you will always get at least some form of a service. For example if the recommendation engine dies, then the application is smart enough to catch that and instead return a list of the most popular movies, and so on. There is an interesting blog from their Director of Engineering about what they learned on their migration to AWS, including using less chatty APIs to reduce the impact of typical AWS latency: http://techblog.netflix.com/2010/12/5-lessons-weve-learned-using-aws.html Paul
Re: 365x24x7
On 4/15/2011 3:14 AM, harbor235 wrote: If I were going to provide a 365x24x7 NOC, how many teams of personnel do I need to fully cover operations? I assume minimally you need 3 teams to cover the required 24 hr coverage, but there is off time and schedule rotation? thoughts, experience? Mike

For what it's worth, I was part of a datacenter operations department that had a 24x7 team. 4 shifts, 4 staff on each shift (1 was supervisor who did the same work as the rest, 1 'point of contact' who stayed in the office). 4 days on, 4 days off, 12 hour shifts, 8-8. Shift teams would alternate between day and night (so 4 day, 4 off, 4 night, 4 off, repeat ad infinitum). During the day that was bolstered by 6 day-staff, Monday to Friday, who would have a staggered start through the day (IIRC 2 start at 8, 2 at 9, 2 at 11).
Re: Syngenta space
On 04/13/2011 09:48 AM, Christopher Morrow wrote: On Wed, Apr 13, 2011 at 9:44 PM, Randy Bushra...@psg.com wrote: sorry for the noise, but my contact at Syngenta says they have 147.0.0.0/8 168.0.0.0/8 and 172.0.0.0/8, and pigs fly indeed, an impressive claim, how much for it all? *checks pockets* $5 and some lint?
Re: Paul Baran, RIP.
On 03/28/2011 03:14 AM, Jay Ashworth wrote: - Original Message - From: Roland Dobbinsrdobb...@arbor.net http://www.networkworld.com/news/2011/032811-paul-baran-packet-switching-obit.html Oh hell; now we'll *never* lay the ghost of packet switching was invented to create a nuclear-war-survivable network. [ reads obit ] See? Happy Landings, Dr B. If it's good enough to use as a source for Wikipedia, who's to tell what is and what isn't factual.
The growth of municipal broadband networks
http://arstechnica.com/tech-policy/news/2011/03/133-us-cities-now-run-their-own-broadband-networks.ars

Ars Technica has a short article up about the growth of municipal networks, but principally a nice little 'hey check out this website' (http://www.muninetworks.org/communitymap). The whole scenario around municipal broadband networks in a hopefully unbiased nutshell: increasing numbers of cities and counties seem to be getting frustrated with what they see as the lack of progress in broadband speeds from their incumbent provider(s) (even after incumbent provider(s) have been approached requesting faster speeds) and are deciding to do it themselves. Chattanooga, Tennessee has become the poster child for the idea, able to offer 1Gbps to users and businesses at competitive prices ($150 pcm.) I'm curious how the feeling is on NANOG about shifting such provision towards municipal instead of corporations? I guess a rough summary of the competing views I've heard so far are:

+ It's fair and valid competition in the market, which is encouraging major ISPs to innovate instead of resting on their laurels and trying to do the bare minimum necessary to maintain their position and profits, an attitude that is stifling other economic growth?

- Local government is sticking its nose in where it shouldn't, providing unfair competition and stifling normal market processes. Municipalities are operating on the false belief that large bandwidth will automatically bring Silicon Valley to them, without understanding the bigger picture. That it's time, money and resources better spent on tax incentives or other means of encouraging businesses.

Paul
Re: OT: Question/Netflix issues?
On 03/23/2011 09:41 AM, sillywiz...@rs4668.com wrote: Lyndon Nerenberg (VE6BBM/VE7TFX)lyn...@orthanc.ca wrote: Guess that move to Amazon EC2 wasn't such a good idea. First reddit, now netflix. http://techblog.netflix.com/2010/12/four-reasons-we-choose-amazons-cloud-as.html FWIW, at $DAYJOB we haven't been able to run out a pool of a couple of dozen EC2 instances for more than two weeks (since last June) without at least one of them going down. The same number of hardware servers we ran ourselves in Peer1 ran for a couple of years with no unplanned outages. Amortized over five years, Peer1 colo + hardware is also cheaper than the equivalent EC2 cost. Hey everyone! Join the cloud, and stand in the pissing rain. --lyndon Interesting, because we run 120 with almost no issues whatsoever (3 failures over the past 12 months, none of which caused downtime). I've never had an EBS volume fail in the 18 months we've used them. IMHO, the issues with the cloud are almost always at a layer above the infrastructure. --L Reddit has routinely had EBS volumes either outright fail (2 major outages in the last month/month and a half, both caused by several EBSs vanishing), or show some not insignificant degradation in performance, and it seems barely a month goes by when I don't hear someone on twitter talking about similar with their infrastructures. Most of the problems I've heard about do seem to revolve around EBS, however, rather than their other services. It may be just the nature of people to pick on and shout about the biggest targets, but I'm reasonably sure almost all the problems I hear about relating to cloud services revolve around Amazon and rarely their competitors. http://highscalability.com/blog/2010/12/20/netflix-use-less-chatty-protocols-in-the-cloud-plus-26-fixes.html When it comes to other layers in the infrastructure probably one of the most talked about problems is network latency between instances. 
Netflix had to specifically re-engineer their platform because of it (and other major users talk of similar changes). There is almost certainly an argument to be made that the outcome of the forced re-engineering is a good thing as it's generally boosting resilience, but that it's been forced on them in such a way surely should also be of some cause for concern. Reddit seem to be working hard to make their platform as resilient as possible to their routine problems caused by the infrastructure. One of their outgoing devs gave a pretty interesting read on the problems they'd experienced with Amazon: http://www.reddit.com/r/blog/comments/g66f0/why_reddit_was_down_for_6_of_the_last_24_hours/c1l6ykx I absolutely do think cloud hosting / virtual servers have value and use and shouldn't be underestimated or written off as a fad, but I'm also not entirely convinced at the moment that Amazon is a vendor to particularly trust with such services. I'd probably also argue that anyone keeping their eggs in one basket and relying on a single vendor for such services is taking a significant risk. There are plenty of tools and libraries out there to help provide a standard API for rolling out servers on different platforms. It seems crazy not to take advantage of the flexibility the cloud offers to remove as many SPOFs as possible. Paul
Re: SORBS contact?
On 03/22/2011 09:07 AM, Chris Conn wrote: Hello, Thank you to all that answered, all helpful info. Surprisingly minutes after my Nanog post, a couple of my tickets saw action and the /24 was finally removed a short while later. Thanks again, Chris Woah... *collapses on the floor in shock* SORBS actually did something?! Quick, buy a lottery ticket before your luck changes! Paul (one of many fed up of dealing with SORBS)
Re: SORBS contact?
On 03/22/2011 12:24 PM, Franck Martin wrote: +1 They know the challenges, aware of the issues and I have seen some progress. I'm glad to hear that, one less extortion racket on the 'net is no bad thing. They might do better by rebranding though. SORBS has one heck of an amount of negative karma for them to get past. - Original Message - From: Steve Atkinsst...@blighty.com To: nanog@nanog.org Sent: Wednesday, 23 March, 2011 9:56:20 AM Subject: Re: SORBS contact? On Mar 22, 2011, at 12:21 PM, Mike wrote: On 03/22/2011 12:14 PM, Paul Graydon wrote: On 03/22/2011 09:07 AM, Chris Conn wrote: Hello, Thank you to all that answered, all helpful info. Surprisingly minutes after my Nanog post, a couple of my tickets saw action and the /24 was finally removed a short while later. Thanks again, Chris Woah... *collapses on the floor in shock* SORBS actually did something?! Quick, buy a lottery ticket before your luck changes! Paul (one of many fed up of dealing with SORBS) Yeah +1 to that. What we need an RBL that lists any mail server that USES sorbs for filtering decisions. Cut GFI a little slack, at least for a few more weeks. They seem to have made some decent decisions w.r.t. SORBS very recently and it's likely that things will be improving, at least as far as SORBS policies and support responsiveness are concerned. They may yet screw it up, but give them a chance to demonstrate otherwise. Cheers, Steve
Re: CSI New York fake IPv6
On 3/20/2011 11:44 AM, Skeeve Stevens wrote: All, I just thought this is amusing that in CSI: New York – Season 7, Episode 17, they do a 'Remote Desktop' hack and they enter in the following details… http://www.eintellego.net/public/CSINY.s07e17-fakev6.jpg Promoting IPv6 = Win! Dodgy Address = Fail! But seriously… That a major TV show is actually using IPv6 addressing (or pretending to) is an awesome thing in my opinion. Makes a good change from a 5 octet IP number I remember them using in one episode revolving around an adult webcam website. Paul
Re: gmail issues ?
On 3/15/2011 2:07 PM, Michael Loftis wrote: On Tue, Mar 15, 2011 at 3:13 PM, Mike Tancsam...@sentex.net wrote: Anyone seeing gmail issues ? I checked at http://www.google.com/appsstatus#hl=en I've been having massively delayed incoming mail since about Sunday (2011/03/13) some email taking days to come in, some still hasn't (Amazon Order status updates for example from Monday still haven't shown up yet)

I've been having problems with gmail sending to my work's domain for a couple of months now. All e-mails that come via the gmail infrastructure are being delayed by up to an hour between two hops in their infrastructure. In typical fashion Google's support are utterly non-communicative. I've even had a friend who works for them pass on details internally to see whether that would help, but no joy. The conversations I've had or heard over the last couple of years regarding their support quality leave me reluctant to ever consider Google's Apps for Business as anything even remotely approaching suitable for such. Paul
Re: IPv6? Why, you are the first one to ask for it!
On 03/01/2011 07:39 AM, George Bonser wrote: Fairly major global network provider likes to call themselves a Tier 1. Asking about native IPv6 in one of their colo facilities in the UK. They say their US facilities won't be v6 capable until Q4 2011. The UK rep acted like it was the first he'd ever heard of it and implied we were the very first to ask for it. Note to providers: That might have worked a couple of years ago but when we hear that today, we know it is false. Please be honest in your responses to that question. If you aren't going to deploy it for another year or two, just say so. The notion that we are the very first ones to ever ask for it from a global provider in a major country is just lame. George Having worked both inside and outside the ISP industry, I wouldn't necessarily trust a salesman to know a DSL from a leased line, let alone IPv6 vs IPv4, nor to have remembered being asked about it before. That's stuff for pre-sales engineers to handle, not the salesman.
Re: Sunday Funnies: Using a smart phone as a diagnostic tool
On 2/27/2011 4:00 PM, Jay Ashworth wrote: Do you have a smartphone? Blackberry? iPhone? Android?

Android, a Nexus One.

Do you use it as a technical tool in your work, either for accessing devices or testing connectivity -- or something else? If so, what kind of phone, and what (if you don't mind letting on) are your magic apps for this sort of work?

Absolutely, I use it on a regular basis. ConnectBot SSH is small, simple and just works. Integrated VPN on the OS enables me to get in safe and secure, then I can ssh to whatever box I need to. There are various password safe types of programs with native smartphone apps (mostly Android and iPhone as far as I'm aware). USB Tethering and Wireless Hotspot ability (currently no extra charge on T-Mobile network) also enable me to do a quick bit of easy checking from outside infrastructure without need for a separate 3G dongle or similar.

(My motivation? Well, um, Lee, I'm looking at buying an HTC Thunderbolt, if everyone can get their thumbs out, and I want to get a feeling for the landscape, if you'll pardon the pun. :-)

I think ultimately I'd prefer a physical keyboard on my phone. Most of the time it's fine with a touch-screen keyboard, texting, e-mailing and surfing, when the keyboard can predict what you're typing (alternative keyboard SwiftKey is excellent and learns from SMSs etc.) However with ssh it can occasionally be a little irritating (alternative keyboard Full Keyboard helps.) I'd be a lot faster with a physical keyboard. I often still keep my old Nokia Internet Tablet around, just in case, then pair it to my phone using wifi. Paul
Re: Graph Utils (Open-Source)
On 02/18/2011 09:13 AM, Max Pierson wrote: Hi List, Anyone out there using something other than rrdtool for creating graphs?? I have a project that will need a trend taken, and unfortunately rrdtool doesn't fit the bill. All of the scripting, data collection, database archival, etc will be custom written or is already done (with some hacks of course :). So really what i'm looking for is something along the lines of GNUplot. Has anyone used it before and would like to share experiences?? Seems like it will be able to my plot data accordingly, but wanted to see if there were any other popular tools I've yet to come across. (Open-Source only please) TIA, M If you're comfortable with Python, Graphite is gaining some serious traction http://graphite.wikidot.com/ Paul
Re: Graph Utils (Open-Source)
Mostly I've heard bad things about matplotlib under Python. Lots of good features, but buggy and a bit of a memory hog. How did you find it? On 02/18/2011 10:34 AM, Peter A. Friend wrote: I've used gnuplot for several projects and found it very flexible. Gnuplot is also handy because it's easy to feed it commands over a pipe. I also recommend the Gnuplot In Action book - it saved me a ton of time. I have also used matplotlib within Python. For more interactive graphs I've played with the Processing environment a bit, but not enough to provide a useful comparison with the other tools. Peter On Feb 18, 2011, at 11:13 AM, Max Pierson wrote: Hi List, Anyone out there using something other than rrdtool for creating graphs?? I have a project that will need a trend taken, and unfortunately rrdtool doesn't fit the bill. All of the scripting, data collection, database archival, etc will be custom written or is already done (with some hacks of course :). So really what i'm looking for is something along the lines of GNUplot. Has anyone used it before and would like to share experiences?? Seems like it will be able to my plot data accordingly, but wanted to see if there were any other popular tools I've yet to come across. (Open-Source only please) TIA, M
Re: IPv6 is on the marketers radar
On 02/11/2011 10:46 AM, J.D. Falk wrote: On Feb 11, 2011, at 12:21 PM, Franck Martin wrote: http://www.marketingvox.com/under-the-microscope-what-the-end-of-ipv4-means-for-marketers-048657/ I can hear people, say oh no Interesting to see that marketers do not like CGNAT. Hmm, I recognize a lot of that article. If imitation is the sincerest form of flattery, what's heavy quoting and paraphrasing? http://www.returnpath.net/blog/received/2011/02/end-of-ipv4/ (I don't mind, really -- the word needs to get out, and marketers always resist technology unless there's either guaranteed ROI or guaranteed FUD.) These are Internet marketers you're talking about, hardly the most honest souls in the world ;) Paul p.s. with apologies to any honest marketers. All 2 of you..
Re: External sanity checks
On 02/03/2011 08:04 AM, Philip Lavine wrote: To all, Does anyone know a Vendor (NOT Keynote) that can do sanity checks against your web/smtp/ftp farms with pings, traceroutes, latency checks as well as application checks (GET, POST, ESMTP, etc) Thank you, Philip

Slight hijack, I'm interested in the answer to this question, but I'm also wondering about a service that will actually phone you (or is there a reliable text/e-mail-to-phone-call service?) I'd appreciate actually being phoned overnight if something dies drastically to the outside world!
Re: quietly....
On 02/02/2011 06:31 PM, Jay Ashworth wrote: - Original Message - From: david raistrickdr...@icantclick.org On Tue, 1 Feb 2011, Dave Israel wrote: responsibility. If they want to use DHCPv6, or NAT, or Packet over Avian Carrier to achieve that, let them. If using them causes them problems, then they should not use them. It really isn't the community's place to force people not to use tools they find useful because we do not like them. Not to mention that when you take tools -away- from people that solve an existing problem, you'll get a lot of pushback. I, personally, have been waiting to hear what happens when network techs discover that they can't carry IP addresses around in their heads anymore. That sounds trivial, perhaps, but I don't think it will be. Absolutely, it's certainly one thing I'm dreading. I know, DNS is awesome, but DNS also breaks (SysAdmin mantra: It's a DNS problem, because if something is behaving in an unusual fashion, it's usually DNS that's at fault). I guess I'll routinely be storing a copy of the zone file in my DropBox or something as a precaution so I can access it from my phone. Paul
Re: My upstream ISP does not support IPv6
On 02/03/2011 05:04 PM, Franck Martin wrote:
> The biggest complaint that I hear from ISPs is that their upstream ISP does not support IPv6 or will not provide them with a native IPv6 circuit. Is that bull? I thought the whole backbone is IPv6 now, and it is only the residential ISPs that are still figuring it out because CPE are still not there yet. Where can I get more information? Any list of peering ISPs that have IPv6 as part of their products?
> It seems to me the typical answer sales people give when asked about IPv6: "Gosh, this is the first time I'm asked this one."

I've just been trying to persuade our upstream provider that they can actually get IPv6 addresses. They seem to be operating under the belief that they can only get IPv6 addresses once they're running out of IPv4, before going through the usual justification business. It seems bizarre that they've specifically gone to the extent of testing and changing their infrastructure to ensure it's fully IPv6 capable, yet not go all the way and actually get a range or poll customers to find out if they're interested in one. I sent them this link: https://www.arin.net/resources/request/ipv6_initial_alloc.html and brought their attention to point 1. Yet to hear back from them..

Paul
Re: quietly....
On 02/01/2011 10:08 AM, david raistrick wrote:
> On Tue, 1 Feb 2011, Iljitsch van Beijnum wrote:
>> What's the point of switching to IPv6 if it repeats all the IPv4 mistakes only with bigger addresses? If you like NAT, IPv4 is the place to be, it'll only get more and more.
> It's arguments like this that have led to this moment. Instead of discussing how the next generation addressing scheme can support the needs of Internet consumers today and tomorrow, we tell people "if you don't like it, use v4". Guess what? We're still using v4.
> ..david

We're still using v4 because we can, because there has been no compelling business case to justify spending time on something that isn't necessary just right now, especially given the not insignificant changes between v4 and v6. There is nothing on line that isn't accessible over IPv4, so there has been no critical app outside the infrastructure to spur such changes yet either. We can all sit here and say "Hey, we're running out of addresses, we must switch", but until we've run out you're not going to convince the large majority of operators, who let's face it are traditionally lazy^W^W cautious people, to do anything.

Paul
Re: quietly....
On 02/01/2011 10:32 AM, Majdi S. Abbas wrote:
> On Tue, Feb 01, 2011 at 10:27:45AM -1000, Paul Graydon wrote:
>> insignificant changes between v4 and v6. There is nothing on line that isn't accessible over IPv4 so there has been no critical app outside the infrastructure to spur such changes yet either.
> Paul,
> You're speaking for yourself here, as some of us have hosts with no A record. If your business requires connectivity, you're not going to have a choice, so you might as well get with the program. It's less about making a business case for v6, and more about risk management at this point. It's not as if we haven't had 15 years to get it together...
> Cheers,
> --msa

I should emphasise I'm a sysadmin rather than a service provider, and I'm mostly speaking generically based on conversations with a number of sysadmins. I've been trying to get my service provider to sort out IPv6 for a while now (they tell me their infrastructure is ready, but they're being lazy about getting blocks sorted out) and have already done as much preparation as I can with my infrastructure to ensure it's ready for it. That said, there are no services we use that are IPv6 only, nor are there likely to be for a while that I can tell, as none of our service partners are talking about it, and nor are we getting reports of anyone unable to access our services due to lack of IPv6 on the front end. I know how ugly that sounds, I really do, but that's the way most people will see it. You have to provide incentive to make a change, and "It's better" rarely is enough. "People won't be able to access our site" sure helps, but being unable to put a date on it still reduces incentive (especially when Management get involved, and especially if there is a financial outlay involving firewalls etc.). People bury their heads in the sand and will continue to pretend there is nothing wrong until they're /forced/ to change.

As much as it was a hideous and inaccurate article, that Fox News story that was posted on list the other day was great for fighting for change. The grossly inaccurate end-of-the-world text provides a good hook for getting the lumbering beast moving in the right direction. The White House's push for IPv6 amongst federal agencies is currently my best guess at what will probably be the first thing to transition to it from my perspective at work, though I sincerely hope we'll be on IPv6 long before that happens. As for when we'll switch internally? No idea.. all machines have IPv6, so some local traffic probably uses it, but most are still based on IPv4 and until I have time / money to make some other infrastructure changes will remain that way (our office environment equipment can't handle IPv6, unlike our production environment).

I'm sure there are some cases with IPv6, yourself as an example, and I know an ISP I worked for in the UK had a customer several years ago who had a critical need for it, but that's still in the minority. In every case, as soon as there is a business reason for it and it's compelling enough, people will take the time to make the transition.

Paul
Re: quietly....
On 02/01/2011 04:11 PM, Owen DeLong wrote:
> On Feb 1, 2011, at 3:54 PM, Lee Howard wrote:
>>> "People won't be able to access our site" sure helps but being unable to put a date on it still reduces incentive (especially when Management get involved, and especially if there is a financial outlay involving firewalls etc.).
>> Geoff generously provided a probabilistic sense for RIR runout: http://www.potaroo.net/tools/ipv4/rir.jpg
>> Pick your RIR and plot its runout date. If it's ARIN, then the first ISP is out of IPv4 addresses at most three months later (since ARIN now allocates for three months' need). Of course, if demand increases, these dates might change.
>> Will users be unable to reach your content on $RIR_runout_date + 3? They might have to get there through large-scale NAT. That might bother management if you rely on IP geo-location, or need to initiate connections downstream, or rate limit per IP address, or have anti-DOS techniques measuring hits per source IP address, or have employees VPN in, or need to report intrusions, or any of the many problems widely documented.
>> Oh, and when I said to pick your RIR, I meant the RIR of users who access your content.
>> Lee
> I think there is a key problem with Geoff's graph. I think it fails to take into account the transitive probability of requests among the largest 3 regions. I agree that APNIC will probably run out just about exactly as he predicts. I think, however, that the runout at APNIC will create a higher demand in ARIN and RIPE. Once that happens, their runout dates will get moved up much closer to the runout date of APNIC. As soon as the second of the three runs out, the remaining one will get another burst of acceleration. It does not appear to me that this probability is accounted for in the plots.
> Owen
> (Including Geoff because it's not fair to criticize his work behind his back)

Are there any expectations of a Gold Rush for the remaining addresses? I would expect to see at least some kind of escalation.

Paul
Re: Found: Who is responsible for no more IP addresses
I consider it to be very much part of the general attitude of news organisations towards online content. It seems in general that very little editorial oversight takes place with online content, compared to what might appear in print. It often seems rather much like the content comes direct from the journalists, which any editor will tell you is generally a bad idea!

Part of the problem has been perfectly demonstrated by this article. Having published something inaccurate and had lots of people jump on them in the comments, they've since updated and fixed the faults. Never mind that there are who knows how many people who have read it already and now have the wrong idea, as long as it's correct now, right?

Paul

On 01/27/2011 10:26 AM, Mark Keymer wrote:
> What I don't understand is, I can only guess they must have an IT team. And maybe even 1 or more people that view this list. Why don't they just talk to their own staff about the issues? Maybe one of the IT guys saw the issues talked about the articles and contacted the news team about the bad info. I donno. I agree they kind of did a poor job on this. If you work at FOX maybe you should help get the news guys on the right page. :)
> Sincerely,
> Mark
> On 1/27/2011 11:51 AM, George, Wes E [NTK] wrote:
>> -----Original Message-----
>> From: Jay Ashworth [mailto:j...@baylink.com]
>> Sent: Thursday, January 27, 2011 2:06 PM
>> To: NANOG
>> Subject: Re: Found: Who is responsible for no more IP addresses
>>> ----- Original Message -----
>>> From: Brian Johnson bjohn...@drtel.com
>>>> To be clear, FOX screwed this up big time, but that doesn't mean we all need to get out our personal/political pitchforks and run them out of town. Take your Ritalin. :-) Fox didn't screw up, for a change, and Vint's quote appears in many other news sources.
>>> Apparently, I'm the only one on Nanog who knows about this new thing called The Google. :-)
>>> Thinking that Fox News is not a reputable news source is not, indeed, an opinion attributable *solely* to non-Republicans, and indeed, it's easy to prove in a documentary, non-partisan fashion.
>> [WES] Don't kid yourself, defending a reputable news organization for not properly checking their facts on a technical story before publishing is politically motivated too, especially when you try to imply that being willing to call out inaccurate (technical) info in the news is somehow related to one's political party. The article that is causing everyone to make fun of Fox news says nothing about Vint. Fox news has posted two separate articles, both of which have been factually incorrect.
>> http://www.foxnews.com/scitech/2011/01/26/internet-run-ip-addresses-happens-anyones-guess/
>> and
>> http://www.foxnews.com/scitech/2010/07/26/world-run-internet-addresses-year-experts-predict/
>> They at least corrected the first one - "Editors' Note: An earlier version of this story erroneously described an IP address as consisting of four digits, rather than four sets of digits, and inaccurately described the IP address. This story has been updated to reflect the correction."
>> But this gem still exists in the first article: "Web developers have compensated for this problem by creating IPv6." At least there's *probably* some web developers at IETF that might have had a hand in creating IPv6, so that one's not technically incorrect...
>> The second one from several months ago is still borked: "IPv4, ... the unique 32-digit number used to identify each computer, website or internet-connected device. ... The solution to the problem is IPv6, which uses a 128-digit address." So, first it was 32 digits, then it was 4 digits...
>> FWIW, Marketplace (on NPR) did a story the other night too. It wasn't necessarily incorrect, but it was so dumbed down that they managed to talk about IPv4 exhaustion without mentioning the words IPv4 or IPv6. http://marketplace.publicradio.org/display/web/2011/01/25/pm-internet-running-out-of-digital-addresses/
>> Wes George
Re: Connectivity status for Egypt
I'd suspect it's got a lot more to do with the open rioting on the streets, government shooting people, the numbers involved in protests, what happened in Tunisia next door etc. etc. Loss of Internet connectivity is relatively minor in comparison. Any investor with even half a brain is going to twig that's just not a good market to have money in right now.

On 01/27/2011 02:53 PM, Craig V wrote:
> Some interesting financial news... Unsure if this is related to the outages, but interesting.
> http://www.marketwatch.com/story/egypt-market-slumps-as-mideast-turmoil-spreads-2011-01-27
> EGYPT: Stock market stumbles amid nationwide turbulence http://latimesblogs.latimes.com/babylonbeyond/2011/01/egypt-stock-market-stumbles-amidst-nationwide-turbulence.html
> On Thu, Jan 27, 2011 at 7:10 PM, Christopher cal...@gmail.com wrote:
>> I have a server with CityNet Host in Cairo. The server and ISP are completely offline
Re: Software DNS hghi availability and load balancer solution
On 01/18/2011 07:42 AM, Sergey Voropaev wrote:
> Does anyone know software solutions (free is preferable) like Cisco GSS and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must be able to monitor server availability (for example by TCP connect), and the DNS reply depends on it. I know that it is possible with BIND and a set of scripts. But we are trying to find a more usable solution with a friendly interface.
> Thanks a lot.

If you want to get fancy you could try an Anycast DNS setup, using GNU's Zebra tool to automatically alter routing tables. http://www.netlinxinc.com/netlinx-blog/45-dns/118-introduction-to-anycast-dns.html

Paul
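The "BIND with a set of scripts" approach the original poster mentions, as an added example that is not from the thread: a Python probe does a TCP connect to each backend and rewrites a BIND zone file carrying only the healthy A records, bumping the serial so secondaries and resolvers pick up the change. The zone name, file path, nameserver address and backend addresses are constructed placeholders.

```python
import socket
import time

# Constructed sample pool for a load-balanced "www" name. The addresses
# are documentation-range placeholders, not hosts from the thread.
BACKENDS = [
    ("www", "192.0.2.10", 80),
    ("www", "192.0.2.11", 80),
    ("www", "192.0.2.12", 80),
]


def tcp_probe(ip, port, timeout=2.0):
    """Health check by plain TCP connect, as the original poster suggested.
    A refused connection or a timeout both count as 'down'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def healthy_backends(backends, probe=tcp_probe):
    """Return only the (label, ip, port) tuples whose probe succeeds.
    `probe` is injectable so the logic can be exercised without a network."""
    return [b for b in backends if probe(b[1], b[2])]


def make_serial(now=None):
    """Zone serial: epoch seconds is monotonic between rewrites and fits the
    32-bit SOA serial, unlike YYYYMMDDnn, which allows only 99 rewrites a day."""
    return int(time.time() if now is None else now)


def render_zone(zone, backends, healthy, serial, ttl=30, ns_ip="192.0.2.1"):
    """Render a BIND zone for `zone` carrying only the healthy A records.
    Short TTL so resolvers drop a dead backend quickly. If every backend
    fails the probe, keep the full set: a possibly stale answer beats
    handing out an empty name (the probe itself may be what is broken).
    `ns_ip` is a placeholder glue address for the in-zone nameserver."""
    selected = healthy if healthy else backends
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA ns1.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 {ttl}",
        f"@ IN NS ns1.{zone}.",
        f"ns1 IN A {ns_ip}",
    ]
    lines += [f"{label} IN A {ip}" for label, ip, _port in selected]
    return "\n".join(lines) + "\n"


def write_zone(path, zone, backends, probe=tcp_probe):
    """Probe, render and write the zone file; returns the healthy list."""
    healthy = healthy_backends(backends, probe)
    with open(path, "w") as fh:
        fh.write(render_zone(zone, backends, healthy, make_serial()))
    return healthy


if __name__ == "__main__":
    # Hypothetical zone and path; in a real setup `rndc reload example.net`
    # (run from cron after this script) makes BIND load the new file.
    up = write_zone("/tmp/db.example.net", "example.net", BACKENDS)
    print(f"{len(up)}/{len(BACKENDS)} backends healthy")
```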
Re: Skype info
On 12/22/2010 10:24 AM, Tim Connolly wrote:
> Any word as to the root cause of the skype outage(s)?
> Tim Connolly
> Director of IT

Details are on their blog: http://bit.ly/edtjxB

Essentially the supernodes clients connected to started dying, so they're setting up temporary mega-supernodes whilst the supernodes are fixed.

Paul
Re: Some truth about Comcast - WikiLeaks style
On 12/16/2010 09:38 AM, Daniel Seagraves wrote:
> On Dec 16, 2010, at 11:53 AM, Backdoor Parrot wrote:
>> Earlier this morning a Comcast peering manager had the following things to say about the recent NANOG thread, in a public IRC channel with many witnesses: (snip)
> With all due respect, logs or GTFO. I can find no mention of this outside of your email. I would expect there to be quite a few mentions of such a statement made in a public IRC channel with many witnesses.

So far this whole thing disturbs me. We've gone from Backdoor Santa dropping graphs that we can't specifically attribute to Comcast, through to Backdoor Parrot now adding IRC communication that yet again we can't attribute to Comcast. In the former case we've gone from disbelief through to academic "what if", swiftly moving on to damning accusation without there being /any/ supporting evidence, as far as I can see, that the graphs are anything to do with Comcast. I fear we're likely to see the same results from these IRC logs. All we're ending up with is what is mostly hearsay being treated as facts.

Paul
Re: Some truth about Comcast - WikiLeaks style
On 12/15/2010 05:09 AM, ML wrote:
>> According to: http://en.wikipedia.org/wiki/Comcast
>> "Comcast has 15.930 million high-speed internet customers"
>> If a 10G port for transit is paid by Comcast at $30/Mbit/s monthly, that's 0.19 cent/internet customer/month for a new 10G port to properly desaturate this particular link. Did I compute something wrong?
>> Laurent
> Assuming that I did my math right. It's actually 1.9 cents/month/per customer. Assuming they pay $30/meg...

Probably preaching to the choir here, but there are a lot more costs than that involved. It's all right having the bandwidth at transit points, but you've got to be able to get the bandwidth to the customers' locations. With no idea of what Comcast's distribution is like, for all we know the graph could be one transit point in one area of the country and indicative of poor localised behaviour rather than centralised. Virgin Media were notorious in various cities in the UK for over-saturating the local network. Out in the towns and smaller cities you'd be okay and have no problem saturating a 20Mb line, but often whole areas of London, Manchester and the like would suffer high latency, packet loss and so on during 'peak' hours because they would oversell their infrastructure (12am-10am fine, then steadily worse until unusable come the evening). They only seemed to add more capacity to the areas when enough people complained.

IMO two network graphs are next to useless out of context.

Paul
Re: [Operational] Internet Police
On 12/10/2010 07:45 AM, George Bonser wrote:
>> From: William McCall
>> Sent: Friday, December 10, 2010 8:45 AM
>> To: Lamar Owen
>> Cc: nanog@nanog.org
>> Subject: Re: [Operational] Internet Police
>> To the folks out there that presently work for an SP, if someone called you (or the relevant department) and gave you a list of end-user IPs that were DDoSing this person/entity, how long would you take to verify and stop the end user's stream of crap? Furthermore, what is the actual incentive to do something about it?
> The behavior is no different than a street gang who would attempt to influence the behavior of a local merchant by threatening damage to the store. In the case of internet operations, we seem to tolerate the behavior or simply assume little can be done so many don't even try. If an ISP were to actively disconnect clients who were infected with a bot (intentionally infected or not), the end users themselves might be a little more vigilant at keeping their systems free of them.

*But* any ISP doing that would also have to be prepared to invest some effort in trying to help absolutely clueless people (in many cases) remove these bots from their systems. It can quickly become a huge time swamp. Not to mention the risk of lost business for customers that just can't be bothered to fix broken machines.

Paul
Re: [Operational] Internet Police
On 12/10/2010 07:59 AM, George Bonser wrote:
>> Not to mention the risk of lost business for customers that just can't be bothered to fix broken machines.
>> Paul
> That supposes that another ISP would accept their bot-infected machine. It would require some cooperation among the providers. And should some ISP get the reputation of being a bot-haven, then maybe their customers might notice connectivity issues.

Unless you can get every company to sign up to an agreement it will never work. Even then you'll still find unscrupulous companies that are far more interested in revenue than reputation. There are a number of hosting companies I'm sure most network professionals are aware of that are regular bases for C'n'C servers.