e they can handle
100gbps, they do it by running the cores in single-thread busywait
loops that eliminate the need for interrupts from the network devices.
This generates lots of heat and consumes lots of electricity.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Sat, Mar 30, 2024 at 9:55 AM Mel Beckman wrote:
> Well, Billie goes both ways :)
Hi Mel,
Billie is usually female while Billy is usually male. Same sound,
different spelling.
Regards,
Bill (Billy in my youth) Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Sat, Mar 30, 2024 at 7:38 AM Josh Luthman wrote:
> How do you know the poster's gender??
Howdy,
As Josh is an uncommon female name, I'm going to play the odds and say
that like Bill and me, you're male. Am I mistaken?
Regards.
Bill Herrin
--
William Herrin
b...@herrin.us
ht
es. If there's ever an equal routing cost from any one site to two
others, there's a non-zero risk of the failover process failing... and
you won't know it until you need it.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ls would very suddenly be going to the wrong DHCP
server. Where anycast works, it works because ECMP only rarely comes
into play.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
hey do happen tend to be
persistent, affecting all communication between that client and the
anycast IP address for an extended duration, sometimes weeks or
months.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Mon, Feb 19, 2024 at 10:31 AM Tim Howe wrote:
> On Mon, 19 Feb 2024 10:01:06 -0800
> William Herrin wrote:
> > So when the user wants to run a home server, their IPv4 options are to
> > create a TCP or UDP port forward for a single service port or perhaps
> > creat
is the only "off" setting for the IPv4 firewall.
Correct?
Their IPv6 options *might* include these but also include the option
to turn the IPv6 firewall off. At which point IPv4 is still firewalled
but IPv6 is not and allows all L4 protocols, not just TCP and UDP.
Also correct?
Regards,
On Mon, Feb 19, 2024 at 9:23 AM Hunter Fuller wrote:
> On Mon, Feb 19, 2024 at 11:16 AM William Herrin wrote:
> > > There isn't really an advantage to using v4 NAT.
> > I disagree with that one. Limiting discussion to the original security
> > context (rather than the w
stateful firewall without
NAT) and internal hosts which are not. Security doesn't deal with
"most people," it deals with people savvy enough to find and exploit
the openings and errors in the software most people use.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Mon, Feb 19, 2024 at 8:08 AM Hunter Fuller wrote:
> On Mon, Feb 19, 2024 at 9:17 AM William Herrin wrote:
> > There's also the double-ISP loss scenario that causes Joe to lose all
> > global-scope IP addresses. He can overcome that by deploying ULA
> > addresses (a third
unts
and clipboard with the host.
Regards,
Bill Herrin
>
> Lee
>
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
resses and ports (the entire
internal network is addressable from outside), it has no positive
impact on security the way IPv4's address-overloaded NAT does.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Mon, Feb 19, 2024 at 5:29 AM Howard, Lee via NANOG wrote:
> In the U.S., the largest operators without IPv6 are (in order by size):
> Lumen (CenturyLink)
CenturyLink has IPv6 using 6rd. It works fine.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
d to the comparable
contemporary technology, which was "transparent application layer
gateways." Those behaved like what we now call NAT but did the job a
different way: instead of modifying packets, they terminated the
connection and proxied it.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
for
IPv4.
I especially despised the Cisco PIX/ASA line. I did use Fortinet's WAF
product for a while and it was okay. I only used it as a reverse proxy
to a web server, and then only because it was a security compliance
requirement for that project.
Regards,
Bill Herrin
--
William Herrin
b...@her
On Sat, Feb 17, 2024 at 10:03 AM Michael Thomas wrote:
> On 2/16/24 5:37 PM, William Herrin wrote:
> > What is there to address? I already said that NAT's security
> > enhancement comes into play when a -mistake- is made with the network
> > configuration. You want me to say
ork becomes wide open. When NAT is accidentally
unconfigured, the network stops functioning entirely. The gate is
closed.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
the fence. Can you secure the place without the
barbed wire? Of course. Can an intruder defeat the barbed wire? Of
course. Is it more secure -with- the barbed wire? Obviously.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ndeed, when Gauntlet was
released, IP addresses were still available from
hostmas...@internic.net at zero cost and without any significant
documentation. And Gauntlet was expensive: folks who couldn't easily
obtain public IP addresses also couldn't afford it.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
/64
be 199.33.224.0/24, make 2602:815:600::1 be 199.33.225.1 and make
2602:815:6001::4 be 199.33.224.4, it would be the exact same example
with the exact same network security impact.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
me to say it again? Okay, I've said it again.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Fri, Feb 16, 2024 at 5:22 PM Michael Thomas wrote:
> On 2/16/24 5:05 PM, William Herrin wrote:
> > Now, I make a mistake on my firewall. I insert a rule intended to
> > allow packets outbound from 2602:815:6001::4 but I fat-finger it and
> > so it allows them inbound to
68.55.4. What happens? The packet STILL doesn't reach my
firewall because that IP address doesn't go anywhere on the Internet.
See the difference? Accessible versus accessible and addressable. Not
addressable enhances security.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
de in
the hands of the people inside -- so that most of the common mistakes
with firewall configuration don't cause the internal hosts to -become-
accessible.
The distinction doesn't seem that subtle to me, but a lot of folks
making statements about network security on this list don't appear to
g
ilable *everywhere*
> within a month.
If only a couple of large businesses would slit their throats by
refusing to service a large swath of their paying customers, IPv6
deployment would surely accelerate.
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
sses
at the current market prices, you don't belong here. Your presence
with a /24 will collectively cost us more than you spent, just in the
first year.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ively judge that a situation is zero-sum,
even when this is not the case. This bias promotes zero-sum fallacies,
false beliefs that situations are zero-sum. Such fallacies can cause
other false judgements and poor decisions."
https://en.wikipedia.org/wiki/Zero-sum_thinking
Regards,
Bill Herrin
--
ly warranted.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
neral Internet use they'll want to see studies and
experiments which demonstrate that it's usable enough on the public
Internet to be usefully deployed there.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Wed, Jan 31, 2024 at 1:46 PM Warren Kumari wrote:
> On Wed, Jan 31, 2024 at 3:56 PM, William Herrin wrote:
>> On Wed, Jan 31, 2024 at 12:30 PM Warren Kumari wrote:
>> Your router won't announce 192.0.2.0/24 unless it knows a route to
>> 192.0.2.0/24 or has been config
announcement for 192.0.2.0/24. This is a bad idea for obvious reasons,
so best practice was to put a low priority route to discard as a
fall-back if the ethernet port briefly lost carrier.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Wed, Jan 24, 2024 at 8:39 AM James Jun wrote:
> On Wed, Jan 24, 2024 at 08:16:56AM -0800, William Herrin wrote:
> > Sophistry. I buy IP transit from 3 providers, one of which has a 3 AS
> > path to 3356.
>
> Again you omit context.
What you're calling context, I call dece
ne of which has a 3 AS
path to 3356.
-Bill
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Wed, Jan 24, 2024 at 5:23 AM Chris Adams wrote:
> Once upon a time, William Herrin said:
> > On Tue, Jan 23, 2024 at 4:00 PM Chris Adams wrote:
> > > Once upon a time, William Herrin said:
> > > > Nevertheless, in the protocol's design, the one expressed in the
_ packets along the scenic route, you have done a bad job.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
t's not
unexpected, but it is disappointing.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Tue, Jan 23, 2024 at 4:00 PM Chris Adams wrote:
> Once upon a time, William Herrin said:
> > Nevertheless, in the protocol's design, the one expressed in the
> > RFCs, AS path length = distance.
>
> The RFC doesn't make any equivalence between AS path length and
> di
000 miles.
Nevertheless, in the protocol's design, the one expressed in the
RFCs, AS path length = distance.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ridden that with a localpref so that it DOES NOT
take distance into account. Which rather defeats the function of a
distance vector protocol.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
; does.
6. Pollute the DFZ because in light of what "every large transit
provider does," that's the solution that actually works.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
istant routes arrive from
customers. I'll remember that the next time folks complain about the
size of the routing table. This one you did to yourselves.
Regards,
Bill
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Mon, Jan 22, 2024 at 6:43 PM William Herrin wrote:
> On Mon, Jan 22, 2024 at 5:59 PM James Jun wrote:
> > CL is choosing 3356 47787[x3] 53356 11875[x3] over better path via 1299:
> >This is not a Lumen/CenturyLink/Level 3 problem.
> > What you need to be doing is
>
>
table so that my one prefix now consumes three routes. If you and the
others defending Centurylink's behavior are satisfied with that
solution, then we're done here.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Mon, Jan 22, 2024 at 4:16 PM Alex Le Heux wrote:
> > On Jan 23, 2024, at 00:43, William Herrin wrote:
> > Every packet has two customers: the one sending it and the one
> > receiving it. 3356 is providing a service to its customers. ALL of its
> > customers. Not just 4
er on both ends. 3356's choice to route
my packet via 47787 serves me poorly.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
om
you. They're just using your AS number at the front of the path when
they announce the addresses.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
prefixes instead of one,
and you get to pay for the extra two TCAM slots.
It offends my pride to handle it this way, but -you- shoulder the cost.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
resses in their portal and they handle everything else with the
expectation that their AS is the sole origin for the prefix in
question. At least that's how the AWS offering works. I presume GCP is
the same. They're not acting as a general-purpose ISP.
Regards,
Bill Herrin
--
William Herrin
b...@her
On Mon, Jan 22, 2024 at 1:11 PM Andrew Hoyos wrote:
> On Jan 22, 2024, at 14:35, William Herrin wrote:
>> The best path to me from Centurylink is: 3356 1299 20473 11875
>
>> The path Centurylink chose is: 3356 47787 47787 47787 47787 53356
>> 11875 11875 11875
>
>
The path Centurylink chose is: 3356 47787 47787 47787 47787 53356
11875 11875 11875
Do you want to tell me again how that's a reasonable path selection,
or how I'm supposed to pass communities to either 20473 or 53356 which
tell 3356 to behave itself?
Regards,
Bill Herrin
--
William Herrin
b...@herrin
hough I told you with prepends that they are not leaves me with few
knobs I can turn.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
wasn't your paying customer. That
seems... backwards.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
e management.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ss
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Mon, Jan 15, 2024 at 7:14 AM wrote:
> I’m more interested in how you lose six chillers all at once.
Extreme cold. If the transfer temperature is too low, they can reach a
state where the refrigerant liquifies too soon, damaging the
compressor.
Regards,
Bill Herrin
--
William Herri
ate where I'd have had to be carefully
measuring before and after to detect it.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ing the right thing. Abe isn't.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
is not an unreasonable expectation: if you merely want to
continue the current conversation without going off on a new tangent
then there's no need for a different subject line.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
o keep track of the discussion. I also don't believe
> I'm the first one to raise this either.
He has indeed been asked to do so before but is too rude to comply.
Stop feeding the troll.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
er- ones?
I don't know the best number, but I suspect the speed at which packets
clear an interface is probably a factor in the equation, so that the
reasonable buffer depth in ms when a packet clears in 1ms is probably
different than the reasonable buffer depth when a packet clears in 1
us.
Regards,
talked about taking a default route via BGP
rather than a full table.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ations for Facebook going IPv6-only internally.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
to do L2 retransmission, so they express
packet loss as jitter (random change in latency) instead of actual
loss. If you're seeing loss, it's generally on a wired segment.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ly use it is not a
challenging task. A man-week from zero to working. Maybe two.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ho
hasn't at least implemented that much is just being lazy.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
contracts. But that's my pet peeve, like latency is yours. And if I
pitch that, it'll rightly be seen as a pet issue.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Wed, Nov 22, 2023 at 11:22 AM o...@delong.com wrote:
> > On Nov 21, 2023, at 01:38, William Herrin wrote:
> > Disadvantages: Expensive IRR. No RPKI. No vote in ARIN elections. No
> > legal clarity regarding the status of your resources.
>
> Expensive IRR? ALTDB is free
egards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
g
themselves as attractive to criminals.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
s.
Hi Allan,
Careful. Statistics don't mean much when separated from their context.
Spamhaus doesn't appear to have published the raw numbers for anything
except the "top ten."
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
et/.org have a different/better
vulnerability profile to these third party link shorteners?
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
d that they had a
location they didn't know about.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
e done.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
e lied to you.
Incidentally, if you're worried about N+1 redundancy, I assume you're
hosted at more than one data center from more than one vendor?
Buildings and vendors are single points of failure too. Even when
built right, stuff happens.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
anding that an AS0 ROA will not, as a
practical matter, accomplish the thing it was designed to do.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ot be used in a routing context.
And is it your belief that this addresses the described attack vector?
AFAICT, it does not.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Sun, Oct 22, 2023 at 9:10 AM William Herrin wrote:
> In essence, this means that a ROA to AS0 doesn't work as intended.
Let me ground it a bit:
He's saying that someone could come along and advertise 0.0.0.0/1 and
128.0.0.0/1 and by doing so they'd hijack every unrouted address bl
he RIR space
larger than any allocation. Since your subnet is intentionally absent
from the Internet, that larger route draws the packets allowing a
hijack of your address space.
In essence, this means that a ROA to AS0 doesn't work as intended.
Regards,
Bill Herrin
--
William Herrin
b...@her
cause there's no alignment with the RIR allocation, it's not
possible to express this invalidity in RPKI.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
data for a day or so, I figured it was time to put a
second provider back in my mix. Imagine my surprise this week when I
went ahead and bought service, went back to the activation page, and
it didn't work.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
the model without wifi was solely a bridge.
The knobs, as such, were: change the password and reboot the modem.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
el knobs to turn.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
down.
I gave up and installed the app. User name, password, cable modem's
mac address. And now it's activated.
I know it's bad form to bring this sort of thing to NANOG, but come on
guys: get your act together.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
unt/account-selector?execution=e4s1 ->
https://login.xfinity.com/login
Access Denied
You don't have permission to access "http://login.xfinity.com/login?;
on this server.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
are represented.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ped up on the screen, but no noise.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
o minimum
since forever. It's not a handful of networks, it's nearly everybody.
So, if you'd like to make a wager on /25 and more specifics becoming a
real thing on the backbone, I'll be happy to take your money.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
be smart enough to always do the right
thing on its own. The exceptions deal with knobs where the operator is
not just likely to shoot themselves in the foot but likely to shoot other
people too. That doesn't apply here.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
ckholing traffic because the relevant next-hops aren't
> present in the FIB to be looked up as "degradation" I guess?
Come on man, go re-read the post. The two paragraphs you cut literally
explained what happens -instead of- routes dropping out of the FIB or
being black holed.
Regard
where those came from if you google "BGP FIB compression paper."
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
net gain in your
equipment's capability versus no compression.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
rds,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
e next field, this is a
cakewalk.
It doesn't actually get complicated until you want to do more than
just joining adjacent address blocks.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
is latter version, however, is not straightforward. Bugs that escape
QC are quite a bit more likely.
Will Juniper stop with the simplest version of FIB compression where
not much can go wrong? Not if it works and customers like it.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
On Fri, Sep 29, 2023 at 3:26 PM Owen DeLong wrote:
> > On Sep 29, 2023, at 15:14, William Herrin wrote:
> > I'm less assuming it and more reading it from this SIGCOMM paper:
> > https://people.csail.mit.edu/ghobadi/papers/trio_sigcomm_2022.pdf
>
> Fair enough, bu
se CPU. Architecturally I mean. Obviously it's
optimized for a different task than a GPU.
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
OMM paper:
https://people.csail.mit.edu/ghobadi/papers/trio_sigcomm_2022.pdf
Regards,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/
1 - 100 of 1899 matches