Re: 44/8

2019-07-18 Thread William Waites
On 07/18, Christopher Morrow wrote:

> My guess is that arin needed more than just: "can control routing for
> a few bits of time".
> I don't really know, but I hope they had more requirements than that :)

It certainly doesn't look like it...

My understanding is that 44/8 was, very much like different pieces of the radio
spectrum, collective common property of amateur radio operators. That an
organisation was needed to operate a registry because of the nature of IP
address allocation does not amount to ownership or the right to sell anything.
This is exactly analogous to the fact that the ARRL (or RAC, or RSGB etc) does
not own and cannot sell radio spectrum allocated for amateur use.

This is not a legitimate sale. ARIN should reverse the changes in its record,
and the ARDC should give the "several million dollars" back to Amazon. 

Then we can decide, openly and transparently, if, for example, some piece of
44/8 should be returned to IANA for allocation to the RIRs.

Greetings,
William Waites VE3HW


Re: DOs and DONTs for small ISP

2019-06-05 Thread William Waites
On 06/03, Mel Beckman wrote:
> I’m constantly amazed at the number of even medium-sized ISPs that have no
> network monitoring. An NMS should go in as the first software component —
> before billing starts and the provider is on the hook to deliver. 
> 
> The second lacking component is a ticket system, which is silly because
> turnkey cloud services are not expensive, and open source solutions abound
> for budget-limited operators.

It's not enough to have monitoring and a ticket system. You need to pay
attention to them, care for them and feed them. I can't count the number
of ticket systems full of ancient and irrelevant things or monitoring 
systems that people have forgotten about or don't know how to add new
stuff to. Even the cycle of,

  10 we need network monitoring
  20 stand up some monitoring system ...
  30 ... time passes, the person leaves etc ...
  40 ... the network monitoring system is forgotten ...
  50 GOTO 10

Cheers,
-w



Re: any interesting/useful resources available to IPv6 only?

2019-05-07 Thread William Waites
On 05/03, Jeroen Massar wrote:
> 
> IPv6 is not a darknet, you won't find something hidden and unique there.

The Dancing Kame, surely.



Re: Oct. 3, 2018 EAS Presidential Alert test

2018-10-05 Thread William Waites
> I wonder, if there were a real alert, what the odds are that one
> wouldn't hear about it in 1 minute, 5 minutes, etc even if they didn't
> personally get it.
> 
> Obviously edge cases are possible, you were deep in a cave with your
> soccer team, but there must be mathematical modeling of that sort of
> information dispersion.
> 
> It would have to account for other possible channels, word of mouth,
> facebook, twitter,  posts or really any informational source you were
> on on the internet (e.g., news sites), TV, radio, people screaming in
> the streets, etc.

You could do this, in principle, but you’d need a whole bunch of 
assumptions. What you want is a big graph of all people with weighted
edges. The weights are the effective bitrates, or the chance per unit
time that a message is sent and received along the edge (that’s going
to mean guessing at some plausible numbers for each medium).

We don’t have such a giant graph so we’d have to construct it and claim
that for these purposes it has the right properties and represents the
real world. You do this by saying, for each person, make a "word of
mouth" edge to another randomly chosen person with some probability.
And so on. There’s more guessing here about those probabilities, but
this has been studied quite a bit, at least for real networks where the
graph is available (e.g. twitter and facebook are favourites among
people who research social networks).

Once you’ve got this big graph of all the people and the chance of a
message going between any two of them pairwise, you write down a big
matrix, Q = [q_ij] which tells you that a message at person i has 
such and such a chance to go to person j in one time unit. You then
pick the people who got the initial message and make a vector x_0 = [x_i]
where the entries are 0 if they didn’t get it and 1/n if they did 
(n is the number of people who got it). Now you can say,

x(t) = exp(tQ) * x_0

and ask all the sorts of questions that you ask. That gives you the
chance at each time that each person is receiving the message. To
answer “what are the chances someone heard about it in one minute”,
sum up x*dt for all times from 0 to 1 minute, subtract out x_0 
(because they already got it) and add up the probabilities that are
left.

If Q is very big, this is expensive to compute (matrix exponentials
are expensive) but I think you could scale the whole thing down to a
representative sample population. It might be fun to do this a little
bit more seriously than a hastily written mailing list post but I think
it would always rely on a lot of guesses so would have to be taken with
a very big grain of salt. As well, this is just one way you could
model the process and there are a number of obvious criticisms
(memorylessness jumps right out).

Cheers,
-w
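The model sketched in the post, worked through on a toy graph. This is an added example, not code from the post: the six-person graph, its per-minute rates and the pure-Python matrix exponential are all constructed so it runs without numpy or scipy. The post's q_ij (chance per unit time that a message at person i goes to person j) becomes a rate matrix Q, and x(t) = exp(tQ) x_0 is evaluated directly; the "sum up x*dt, subtract out x_0" step is implemented as a time average of x(t) with the seed entries dropped, which is one reading of the post's recipe.

```python
"""The diffusion model from the post, worked through on a toy graph.

Added example, not from the post: six people, hand-picked per-minute rates,
and a pure-Python matrix exponential so it runs without numpy or scipy.
"""

N = 6
# Constructed sample graph: (i, j, rate) means a message held by person i is
# passed to person j at this rate (chance per minute), i.e. the post's q_ij.
EDGES = [
    (0, 1, 0.8),  # word of mouth
    (0, 2, 0.5),  # phone
    (1, 3, 0.4),
    (2, 3, 0.6),
    (3, 4, 0.3),
    (4, 5, 0.2),
    (5, 0, 0.1),  # a loop back, so mass can return to where it started
]


def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def mat_mul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def mat_exp(m, taylor_terms=20, squarings=10):
    """exp(M) by scaling and squaring: exp(M) = exp(M / 2^s) ** (2^s), with the
    small exponential taken as a truncated Taylor series."""
    n = len(m)
    scale = 2.0 ** squarings
    a = [[v / scale for v in row] for row in m]
    result, term = identity(n), identity(n)
    for k in range(1, taylor_terms + 1):
        term = [[v / k for v in row] for row in mat_mul(term, a)]
        result = [[result[i][j] + term[i][j] for j in range(n)] for i in range(n)]
    for _ in range(squarings):
        result = mat_mul(result, result)
    return result


def build_generator(edges, n):
    """The post's Q. The rate i -> j is stored at Q[j][i] so that the column
    vector form x(t) = exp(tQ) x_0 moves mass from i to j; each diagonal entry
    is minus its column's total so the entries of x(t) keep summing to one.
    One constant rate per edge is exactly the memorylessness the post flags."""
    q = [[0.0] * n for _ in range(n)]
    for i, j, rate in edges:
        q[j][i] += rate
        q[i][i] -= rate
    return q


def spread(edges, n, seeds, t):
    """x(t) = exp(tQ) x_0, with x_0 uniform over the people who had the message."""
    q = build_generator(edges, n)
    p = mat_exp([[t * v for v in row] for row in q])
    x0 = [1.0 / len(seeds) if i in seeds else 0.0 for i in range(n)]
    return [sum(p[i][j] * x0[j] for j in range(n)) for i in range(n)]


def mass_outside_seeds(x, seeds):
    """The post's 'subtract out x_0' step: probability that, at this instant,
    the message is with someone who did not start with it."""
    return sum(v for i, v in enumerate(x) if i not in seeds)


def time_averaged_outside(edges, n, seeds, t_end, steps=20):
    """The post's 'sum up x*dt from 0 to 1 minute': midpoint-rule average of
    x(t) over [0, t_end], then the share of that average outside the seeds."""
    dt = t_end / steps
    avg = [0.0] * n
    for k in range(steps):
        x = spread(edges, n, seeds, (k + 0.5) * dt)
        for i in range(n):
            avg[i] += x[i] * dt / t_end
    return mass_outside_seeds(avg, seeds)


if __name__ == "__main__":
    for t in (0.5, 1.0, 5.0):
        x = spread(EDGES, N, {0}, t)
        print(f"t={t:4.1f} min  x(t)={[round(v, 3) for v in x]}  "
              f"outside seeds={mass_outside_seeds(x, {0}):.3f}")
    print("time-averaged share outside seeds over the first minute:",
          round(time_averaged_outside(EDGES, N, {0}, 1.0), 3))
```

With two people and a single edge of rate 1 the closed form is x_1(t) = 1 - e^(-t), which is a convenient check that the exponential is right before trusting it on a bigger graph; the matrix exponential is the expensive part the post warns about, which is why a sample population rather than everyone is the practical input.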




Re: Yet another Quadruple DNS?

2018-04-02 Thread William Waites


> On 2 Apr 2018, at 02:57, Aftab Siddiqui <aftab.siddi...@gmail.com> wrote:
> 
> Here is the update from Geoff himself. I guess they didn't want to publish
> it on April 1st (AEST).
> https://blog.apnic.net/2018/04/02/apnic-labs-enters-into-a-research-agreement-with-cloudflare/

The research justification for a RIR to do this seems a little thin.
Surely we, as a community, already know about what happens when a company
operates a public resolver. How will yet another one tell us more?

A more interesting question might be, what happens when we let multiple
organisations anycast a well-known public resolver address? There are
reasons why it might be a bad idea, but at least it’s slightly novel.

William Waites
Laboratory for Foundations of Computer Science
School of Informatics, University of Edinburgh

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.




Re: Yet another Quadruple DNS?

2018-03-30 Thread William Waites
> 
> On 30 Mar 2018, at 15:46, Royce Williams  wrote:
> 
> 77.77.77.77 - Dadeh Gostar Asr Novin P.J.S. Co. (Iran) | 77.77.64/19 |
> recursion-yes

Well, that one's a little odd:

% host news.bbc.co.uk 77.77.77.77
Using domain server:
Name: 77.77.77.77
Address: 77.77.77.77#53
Aliases:

news.bbc.co.uk has address 10.10.34.35
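What is odd about that answer is that 10.10.34.35 is RFC 1918 private space, which no outside resolver can legitimately return for a public name. The check below is an added example, not from the post: it parses `host` output and flags answers that land in non-routable ranges. The first answer line is the one quoted above; the second is constructed, using an RFC 5737 documentation address as a stand-in for an ordinary routable answer.

```python
"""Flag resolver answers that put a public name into address space that cannot
be the real answer, as in the post's `host news.bbc.co.uk 77.77.77.77` output.

Added example, not from the post. The first answer line is quoted from the
post; the second is constructed with an RFC 5737 documentation address."""
import ipaddress
import re

SAMPLE_OUTPUT = """\
Using domain server:
Name: 77.77.77.77
Address: 77.77.77.77#53
Aliases:

news.bbc.co.uk has address 10.10.34.35
www.example.invalid has address 203.0.113.10
"""

# Ranges a public hostname should never resolve to when asked from outside.
NOT_ROUTABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private address"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private address"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private address"),
    (ipaddress.ip_network("100.64.0.0/10"), "RFC 6598 shared (CGNAT) address"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback address"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local address"),
    (ipaddress.ip_network("0.0.0.0/8"), "unspecified / 'this network'"),
    (ipaddress.ip_network("::1/128"), "loopback address"),
    (ipaddress.ip_network("fc00::/7"), "IPv6 unique local address"),
    (ipaddress.ip_network("fe80::/10"), "link-local address"),
]

ANSWER_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")


def parse_host_output(text):
    """Pull (name, address) pairs out of `host` output; other lines are ignored."""
    answers = []
    for line in text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            answers.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return answers


def classify(ip):
    """Reason this address is suspicious as an answer for a public name, or None."""
    for net, reason in NOT_ROUTABLE:
        if ip.version == net.version and ip in net:
            return reason
    return None


def suspicious_answers(text):
    """(name, address, reason) for every answer that falls in a non-routable range."""
    out = []
    for name, ip in parse_host_output(text):
        reason = classify(ip)
        if reason:
            out.append((name, str(ip), reason))
    return out


if __name__ == "__main__":
    for name, addr, reason in suspicious_answers(SAMPLE_OUTPUT):
        print(f"{name} -> {addr}: {reason}")
```

Running the same query against a resolver you trust and diffing the answers is the natural follow-up; the list above is deliberately explicit rather than relying on `ip.is_private`, which in Python also covers the documentation ranges.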




Re: Please run windows update now

2017-05-15 Thread William Waites

> On May 15, 2017, at 21:17, valdis.kletni...@vt.edu wrote:
> 
>> So for example why does[n’t] a client OS confirm that you really
>> meant to run a program on $THRESHOLD files…

> How does the operating system detect that and throw a pop-up
> *before* that executes?
> 
> It's a lot harder problem than you think.  Hint:  Fred Cohen's PhD
> thesis showed that detecting malware is isomorphic to the Turing
> Halting Problem.

The general problem might well be that hard, I don’t know, it seems
plausible. However Barry’s suggestion doesn’t seem impossible.

One strategy is as follows. Have a counter in the kernel about writes to
files. Have some sort of log-structured filesystem with checkpoints or
whatever. When the counter goes too fast, show Barry’s dialog box and
if the user says no, roll back the filesystem to the time just before the
process (or its parent, or its parent’s parent, …) started. There are 
details to be ironed out, of course, but there’s no reason in principle
that it couldn’t be done like this.

The reason that you don’t have to make the operating system solve
the halting problem is because you ask the user.

William Waites
Laboratory for Foundations of Computer Science
School of Informatics, University of Edinburgh
Informatics Forum 5.38, 10 Crichton St.
Edinburgh, EH8 9AB, Scotland

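A simulation of the strategy the post describes, written as an added example (it is not code from the post): a per-process write counter in the "kernel", a filesystem with checkpoints, a confirmation dialog when writes come faster than a threshold, and a rollback to the checkpoint taken just before the process started if the user says no. The filesystem is a dict, the user's answer is a callback, and the threshold, window and file names are invented.

```python
"""Simulation of the mechanism described in the post: per-process write counter,
filesystem checkpoints, a confirmation dialog when writes come too fast, and a
rollback to the checkpoint taken just before the process started.

Added example, not from the post. The filesystem is a dict, the "kernel" is a
class and the user's answer is a callback; thresholds and names are invented.
"""
from collections import deque
import copy


class CheckpointFS:
    """A stand-in for a filesystem with cheap checkpoints."""

    def __init__(self, files):
        self.files = dict(files)
        self.checkpoints = []          # (label, snapshot) in creation order

    def checkpoint(self, label):
        self.checkpoints.append((label, copy.deepcopy(self.files)))
        return len(self.checkpoints) - 1

    def write(self, path, data):
        self.files[path] = data

    def rollback_to(self, index):
        """Restore the snapshot and discard every later checkpoint."""
        self.files = copy.deepcopy(self.checkpoints[index][1])
        del self.checkpoints[index + 1:]


class WriteRateGuard:
    """The kernel-side counter: more than max_writes writes by one process within
    window_seconds triggers the dialog; a "no" rolls back and stops the process."""

    def __init__(self, fs, max_writes, window_seconds, ask_user):
        self.fs = fs
        self.max_writes = max_writes
        self.window = window_seconds
        self.ask_user = ask_user       # (pid, count, window) -> bool
        self.recent = {}               # pid -> deque of write timestamps
        self.start_checkpoint = {}     # pid -> checkpoint index
        self.stopped = set()

    def process_started(self, pid, now):
        # Snapshot before the process does anything so the rollback is exact.
        self.start_checkpoint[pid] = self.fs.checkpoint(f"pid {pid} start @ {now}")
        self.recent[pid] = deque()

    def write(self, pid, now, path, data):
        if pid in self.stopped:
            return "refused"
        stamps = self.recent[pid]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()           # slide the window forward
        if len(stamps) > self.max_writes:
            if not self.ask_user(pid, len(stamps), self.window):
                self.fs.rollback_to(self.start_checkpoint[pid])
                self.stopped.add(pid)
                return "rolled_back"
            stamps.clear()             # approved: start counting afresh
        self.fs.write(path, data)
        return "ok"


# Constructed starting state: 30 small files.
ORIGINAL = {f"doc{i}.txt": f"original {i}" for i in range(30)}


def run_bulk_writer(user_says_yes):
    """A process that rewrites 50 files within one second, against a user who
    answers the dialog with user_says_yes. Returns (files afterwards, prompts)."""
    prompts = []
    fs = CheckpointFS(ORIGINAL)
    guard = WriteRateGuard(fs, max_writes=20, window_seconds=5.0,
                           ask_user=lambda pid, n, w: prompts.append(n) or user_says_yes)
    guard.process_started(pid=4242, now=0.0)
    for i in range(50):
        guard.write(4242, now=0.02 * i, path=f"doc{i}.txt", data=f"scrambled {i}")
    return fs.files, len(prompts)


def run_slow_editor():
    """Three writes spread over a minute: never reaches the threshold, never prompts."""
    prompts = []
    fs = CheckpointFS(ORIGINAL)
    guard = WriteRateGuard(fs, 20, 5.0, lambda pid, n, w: prompts.append(n) or False)
    guard.process_started(7, now=100.0)
    for k, t in enumerate((100.0, 130.0, 160.0)):
        guard.write(7, t, f"doc{k}.txt", f"edited {k}")
    return fs.files, len(prompts)


if __name__ == "__main__":
    files, prompts = run_bulk_writer(user_says_yes=False)
    print(f"bulk writer, user said no: {prompts} prompt(s), "
          f"{sum(v.startswith('original') for v in files.values())} files intact")
```

The point the post makes is visible in the structure: the guard never decides what the process is, it only measures the rate and asks; the only thing the kernel has to get right is taking the checkpoint before the process (or its ancestor) runs, so that "no" is always a complete undo.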



Re: gagging *IX directors re snoop/block orders

2017-02-17 Thread William Waites

> On Feb 17, 2017, at 16:46, Patrick W. Gilmore <patr...@ianai.net> wrote:
> 
> There is one problem: The article is factually incorrect on multiple points.

It would be interesting to know what points those are, it reads mostly
accurately to me.

> The proposed constitutional changes are in the public domain.

The main problem, though this point may have gotten lost in the very long
discussion on the LINX members list, is that the reasoning and motivation for
the changes was not made clear. Even when explanatory materials were
belatedly provided, they weren’t especially clear.

So instead of saying, "we have this new spying law in the UK and we need
to rejig the decision-making at LINX so we will be ready in case we are
required to do something that must be kept secret" what was proposed to
the membership was, "we have embarked on this long governance journey
and this is what we have come up with as the best way to run LINX". Those
are two very different propositions, especially for busy people who don’t have
time to read in detail and understand all the implications.

All that I suggested is that the members be properly informed so that they
can make this choice with their eyes open. It is important to have this
discussion in the open, and explicitly mark the transition where Internet
Exchange Points re-organise themselves to accommodate spying laws and 
gag orders.

William Waites
Laboratory for Foundations of Computer Science
School of Informatics, University of Edinburgh
Informatics Forum 5.38, 10 Crichton St.
Edinburgh, EH8 9AB, Scotland




Re: backbones filtering unsanctioned sites

2017-02-11 Thread William Waites

> Looks like mostly proxy/torrent sites on that IP address.

That may be so. Maybe it isn't particularly objectionable for Cogent
not to carry traffic to some particular destination that they don't like.
As you point out they already only offer a partial view of the Internet. 

What is very problematic is that they announce that this destination
is reachable via them, and then drop traffic. This is a problem for the
same reason that hijacking by announcing more specifics is a problem.
The BGP tables are no longer a source of truth about reachability.
If this kind of behaviour from transit networks becomes the norm, we
are in big trouble.

William Waites
LFCS, School of Informatics, University of Edinburgh




cloudflare contact

2015-12-29 Thread William Waites
Could someone from Cloudflare's operations please contact me off-list?

Thanks,
-w


--
William Waites <wwai...@tardis.ed.ac.uk>  |  School of Informatics
   https://tardis.ed.ac.uk/~wwaites/  | University of Edinburgh
 https://hubs.net.uk/ |  HUBS AS60241



Re: de-peering for security sake

2015-12-26 Thread William Waites
On Sat, 26 Dec 2015 11:14:25 -0500, Joe Abley <jab...@hopcount.ca> said:

>> My gauge is volume of obnoxious traffic.  When I get lots of
>> SSH probes from a /32, I block the /32.

> ... without any knowledge of how many end systems are going to
> be affected.  A significant campus or provider user base behind
> a NAT is likely to have more infections in absolute terms, which
> means more observed bad behaviour. It also means more
> end-systems (again, in absolute terms) that represent collateral
> damage.

Indeed this is only going to get worse with pressure on IPv4
addressing space. I often see this with small rural providers that
have not yet progressed to the level of getting their own address
space, and the available space is already insufficient in many cases.

Another important scenario where this happens is Tor exit nodes. I
have not observed any de-peering or network-layer filtering around
exit nodes, but the milder, but still very obnoxious, tactic of
application-layer captchas happens a lot. This is a serious problem for
privacy or security conscious users (i.e. most of Tor's userbase) that
tend not to enable JavaScript unless there is good reason. And a lot
of these captcha systems require JavaScript.

I see this every day since I live in a country where it would be
foolish not to use Tor as a matter of course. Large CDNs like
Cloudflare are guilty of this and this exacerbates the problem
because it prevents access to a very large set of resources and not
just a single web site. It's not nice. It has the effect of turning
the privacy-conscious into second-class netizens.

Rachel Greenstadt is presenting some research tomorrow at the CCC on
the effect this has on excluding contributions to common goods such as
Wikipedia:

https://events.ccc.de/congress/2015/Fahrplan/events/7324.html


--
William Waites <wwai...@tardis.ed.ac.uk>  |  School of Informatics
   https://tardis.ed.ac.uk/~wwaites/  | University of Edinburgh
 https://hubs.net.uk/ |  HUBS AS60241



Re: interconnection costs

2015-12-22 Thread William Waites
there is also the increasingly common pattern of "remote peering"
where you lease a circuit to an exchange point but do not establish a
presence in the facility. this can either be done with the last leg on
a dedicated cross-connect (so it looks to the exchange operator just
like any other connection except that it is to an intermediary and not
to you) or multiplexed on a single connection to the exchange operated
by a carrier that specialises in facilitating remote peering.

to the extent that this practice dramatically decouples the peering
graph from the underlying infrastructure graph it is debatable if this
is a wise or efficient strategy. on the other hand it significantly
widens the operational scope of bgp configuration knobs.

but the point is, you can do peering without a physical presence in a
location, and it is a common thing to do.

cheers,
-w

--
William Waites <wwai...@tardis.ed.ac.uk>  |  School of Informatics
   https://tardis.ed.ac.uk/~wwaites/  | University of Edinburgh
 https://hubs.net.uk/ |  HUBS AS60241



Re: AW: /27 the new /24

2015-10-03 Thread William Waites
On Sat, 3 Oct 2015 12:42:01 +0200, Baldur Norddahl <baldur.nordd...@gmail.com> 
said:

> 2 million routes will not be enough if we go full /27. This is
> not a scalable solution. Something else is needed to provide
> multihoming for small networks (LISP?).

It's not too far off though. One way of looking at it is, for each
extra bit we allow, we potentially double the table size. So with 500k
routes and a /24 limit now, we might expect 4 million with /27. Not
exactly because it depends strongly on the distribution of prefix
lengths, but probably not a bad guess.

Also there are optimisations that I wonder if the vendors are doing to
preserve TCAM such as aggregating adjacent networks with the same next
hop into the supernet. That would mitigate the impact of wanton
deaggregation at least and the algorithm doesn't look too hard. Do the
big iron vendors do this?

-w

--
William Waites <wwai...@tardis.ed.ac.uk>  |  School of Informatics
   http://tardis.ed.ac.uk/~wwaites/   | University of Edinburgh
 https://hubs.net.uk/ |  HUBS AS60241

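The aggregation the post wonders about, as an added example that is not code from the post or from any vendor: adjacent sibling prefixes with the same next hop are merged into their supernet, and a prefix whose nearest covering route already has the same next hop is dropped. Both transformations preserve longest-prefix-match forwarding, which the `lookup` function exists to check. The sample FIB is constructed, and `growth_estimate` is just the post's doubling-per-bit rule.

```python
"""FIB compression along the lines the post suggests: merge adjacent prefixes
with the same next hop into their supernet, and drop prefixes that only repeat
the next hop of the route covering them. Added example; the routes are made up."""
import ipaddress

# Constructed sample FIB: prefix -> next hop label.
SAMPLE_ROUTES = {
    "10.0.0.0/24": "C",
    "10.0.0.0/27": "A",
    "10.0.0.32/27": "A",      # sibling of 10.0.0.0/27, same next hop
    "10.0.0.64/27": "B",
    "10.0.0.96/27": "B",      # sibling of 10.0.0.64/27, same next hop
    "10.0.0.128/25": "A",
    "10.0.0.192/26": "A",     # redundant: covered by 10.0.0.128/25 -> A
    "192.0.2.0/25": "D",
    "192.0.2.128/26": "D",
    "192.0.2.192/26": "E",    # sibling of 192.0.2.128/26 but different next hop
}


def growth_estimate(routes_now, max_len_now, max_len_new):
    """The post's rule of thumb: each extra bit of allowed prefix length can
    double the table. 500k routes at /24 -> 4M at /27."""
    return routes_now * 2 ** (max_len_new - max_len_now)


def lookup(routes, addr):
    """Longest-prefix match; the forwarding behaviour compression must preserve."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def nearest_covering(fib, net):
    """The most specific route in fib that strictly contains net, if any."""
    for diff in range(1, net.prefixlen + 1):
        anc = net.supernet(diff)
        if anc in fib:
            return anc
    return None


def aggregate_fib(routes):
    """Return an equivalent FIB with fewer entries. Iterates until nothing changes,
    so merges cascade upward (four /27s can become one /25)."""
    fib = {ipaddress.ip_network(p): nh for p, nh in routes.items()}
    changed = True
    while changed:
        changed = False
        # Step 1: two sibling prefixes with the same next hop become their parent.
        # The siblings cover the parent completely, so any existing parent entry
        # could never have been matched and is safely overwritten.
        for net in sorted(fib, key=lambda n: n.prefixlen, reverse=True):
            if net not in fib or net.prefixlen == 0:
                continue
            parent = net.supernet()
            a, b = parent.subnets()
            if a in fib and b in fib and fib[a] == fib[b]:
                fib[parent] = fib[a]
                del fib[a], fib[b]
                changed = True
        # Step 2: a prefix whose nearest covering route has the same next hop
        # changes nothing about forwarding and can go.
        for net in sorted(fib, key=lambda n: n.prefixlen, reverse=True):
            anc = nearest_covering(fib, net)
            if anc is not None and fib[anc] == fib[net]:
                del fib[net]
                changed = True
    return {str(n): nh for n, nh in fib.items()}


if __name__ == "__main__":
    compressed = aggregate_fib(SAMPLE_ROUTES)
    print(f"{len(SAMPLE_ROUTES)} routes -> {len(compressed)} routes")
    for prefix, nh in sorted(compressed.items()):
        print(f"  {prefix:18} via {nh}")
```

Note what this buys and what it does not: the RIB still has to carry every received prefix for BGP to work, so the saving is only in the forwarding table, and any change of next hop for one of the merged prefixes forces the merge to be undone, which is the kind of churn cost that makes vendors cautious about it.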




Mikrotik in the DFZ (Was Re: AW: AW: /27 the new /24)

2015-10-03 Thread William Waites
On Fri, 2 Oct 2015 23:11:47 +, Jürgen Jaritsch <j...@anexia.at> said:

> Regarding the words "I have a small router which handles
> multiple full tables ...": push and pull a few full tables at
> the same time and you'll see what's happening: the CCRs are
> SLOW. And why? Because the software is not as good as it could
> be: the BGP daemon uses only one core of a 36(?) core CPU.

To expand on this, the problem is worse than being single-threaded. I
had one of these in the lab and fed it 2x full tables. Sure it wasn't
the fastest at accepting them but then I noticed that even in steady
state one of the CPUs was pegged. What was happening -- and this was
confirmed by Mikrotik -- was that it was recalculating the *entire*
FIB for each update. The general background noise of announce /
withdraw messages means it is doing this all the time. Any churn and
it would have a very hard time.

There are other serious bugs such as not doing recursive next hop
lookup for IPv6 (it does for IPv4). This makes them unusable as BGP
routers even for partial tables with most non-trivial iBGP
topologies. All of which may be fixed one day in version 7 of their
operating system, which will inevitably have many bugs as any software
project .0 release will, so we'll have to wait for 7.x for it to be
reasonably safe to use.

That said, we use a lot of Mikrotik kit for our rural
networks. They're weird and quirky but you can't beat them on price,
port density and power consumption. With 16 ports and 36 cores surely 
they should be capable of pushing several Gbps of traffic with a few
full tables.

I wish it were possible today to run different software on their
larger boxes. If some like-minded small providers wanted to get
together with us to fund a FreeBSD port to the CCR routers that would
be great. Please contact me off-list if you are interested in this,
I'll coordinate.

As it is we don't let them anywhere near the DFZ, that's done with PCs
running FreeBSD and BIRD which can easily do the job but is still an
order of magnitude more expensive (and an order of magnitude less
expensive than what you need if you want 10s of Gbps).

-w

--
William Waites <wwai...@tardis.ed.ac.uk>  |  School of Informatics
   http://tardis.ed.ac.uk/~wwaites/   | University of Edinburgh
 https://hubs.net.uk/ |  HUBS AS60241





Re: Capital Internet http://www.capitalinternet.com/ down?

2015-09-09 Thread William Waites
Near as I can tell, the network that your nameservers are in,
68.168.144.0/20 is being correctly announced by AS21560 which is
"Netstream Communications". I see this announcement here. A traceroute
goes as far as,

13  te0-3-1-7.agr22.atl01.atlas.cogentco.com (154.54.47.190)  97.933 ms
    te0-3-1-7.agr21.atl01.atlas.cogentco.com (154.54.30.94)  114.202 ms
    be2149.ccr42.jfk02.atlas.cogentco.com (154.54.31.126)  93.931 ms
14  be2112.ccr41.atl01.atlas.cogentco.com (154.54.7.158)  100.736 ms
    te0-0-2-0.nr11.b000173-2.atl01.atlas.cogentco.com (154.24.14.118)  100.019 ms
    be2112.ccr41.atl01.atlas.cogentco.com (154.54.7.158)  100.691 ms
15  te0-4-1-7.agr21.atl01.atlas.cogentco.com (154.54.44.178)  101.480 ms
    te0-3-1-7.agr22.atl01.atlas.cogentco.com (154.54.47.190)  101.860 ms
    38.88.191.250 (38.88.191.250)  99.150 ms
16  te0-0-2-3.nr11.b000173-2.atl01.atlas.cogentco.com (154.24.15.10)  102.828 ms

looks like something within Netstream or between them and Cogent.

Also both your nameservers seem to be right beside each other in the
same netblock -- that's not really the best idea for just this
sort of reason. It'd be a good idea to have secondary nameservers
somewhere else (Esgob do free secondary anycast DNS and they're nice
folk).

-w

--
William Waites <wwai...@tardis.ed.ac.uk>  |  School of Informatics
   http://tardis.ed.ac.uk/~wwaites/   | University of Edinburgh
 https://hubs.net.uk/ |  HUBS AS60241

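A check for the second point in the post, that both nameservers sit in the same netblock. This is an added example, not code from the post: given nameserver addresses and a table of announced prefixes with their origin ASNs, it reports whether all the servers fall in one prefix or one origin AS. The prefix and AS from the post are used in the table, but the more-specific /22, the other prefixes, and every nameserver address are constructed; in practice the origins would come from a looking glass or RIS/RouteViews data.

```python
"""Do a zone's nameservers share one netblock or one origin AS? Added example,
not from the post. The routing table is constructed; the real origin of a
prefix should come from a looking glass or RIS/RouteViews, not from this file."""
import ipaddress

# Constructed stand-in for "what the DFZ says about these prefixes".
ROUTE_ORIGINS = {
    "68.168.144.0/20": 21560,    # the prefix and AS named in the post
    "68.168.148.0/22": 21560,    # constructed more-specific from the same AS
    "203.0.113.0/24": 64500,     # documentation prefix, private-use ASN
}

# Constructed nameserver sets.
SAME_BLOCK = {"ns1.example.invalid": "68.168.150.1",
              "ns2.example.invalid": "68.168.150.2"}
SAME_AS = {"ns1.example.invalid": "68.168.150.1",
           "ns2.example.invalid": "68.168.144.5"}
DIVERSE = {"ns1.example.invalid": "68.168.150.1",
           "ns2.example.invalid": "203.0.113.53"}


def origin_of(addr, table=ROUTE_ORIGINS):
    """(covering prefix, origin ASN) by longest match, or None if unrouted."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best


def nameserver_diversity(nameservers, table=ROUTE_ORIGINS):
    """Return (prefixes seen, origin ASNs seen, nameservers with no route)."""
    prefixes, asns, unrouted = set(), set(), []
    for name, addr in nameservers.items():
        hit = origin_of(addr, table)
        if hit is None:
            unrouted.append(name)
        else:
            prefixes.add(str(hit[0]))
            asns.add(hit[1])
    return prefixes, asns, unrouted


def assess(nameservers, table=ROUTE_ORIGINS):
    """One-line verdict, worst problem first."""
    prefixes, asns, unrouted = nameserver_diversity(nameservers, table)
    if unrouted:
        return "unreachable now: " + ", ".join(unrouted)
    if len(prefixes) == 1:
        return "all nameservers in one prefix"
    if len(asns) == 1:
        return "all nameservers in one origin AS"
    return "ok"


if __name__ == "__main__":
    for label, servers in (("same block", SAME_BLOCK), ("same AS", SAME_AS),
                           ("diverse", DIVERSE)):
        print(f"{label:10} {assess(servers)}")
```

One prefix is the case the post describes, where a single routing problem takes every nameserver with it; one origin AS is only slightly better, since the fault that matters is usually upstream of the prefix rather than inside it.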






Re: Dual stack IPv6 for IPv4 depletion

2015-07-05 Thread William Waites
On Sun, 5 Jul 2015 06:13:52 +, Mel Beckman m...@beckman.org said:

> In fact, I show just how to do this using a $99 Apple Airport
> Express in my three-hour online course "Build your own IPv6 Lab"

An anecdote about this, maybe out of date, maybe not. I was helping my
friend who likes Apple things connect to the local community
network. He wanted to use an Airport as his home gateway rather than
the router that we normally use. Turns out these things can *only* do
IPv6 with tunnels and cannot do IPv6 on PPPoE. Go figure. So there is
not exactly a clear path to native IPv6 for your lab this way.

-w




Re: Dual stack IPv6 for IPv4 depletion

2015-07-05 Thread William Waites
On Sun, 5 Jul 2015 18:25:26 +, Josh Moore jmo...@atcnetworks.net said:

> So basically what you are telling me is that the NAT gateway
> needs to be centrally aggregated.

If you must do NAT it should be as close to the edge as
possible. Today that's usually at the CPE. Maybe tomorrow that's one
hop upstream at the distribution router. That way the core remains
clean and doesn't accumulate state or have to deal with asymmetries.

-w




Re: eBay is looking for network heavies...

2015-06-11 Thread William Waites
On Thu, 11 Jun 2015 14:24:31 +0200, Ruairi Carroll ruairi.carr...@gmail.com 
said:

> What I found is that back in early-mid 00's, the industry was a
> black box.  Unless you knew someone inside of the industry...

I suspect this is partly a result of the consolidation that went
on. In the mid 1990s when I started, there were tons of small mom and
pop ISPs with 28.8 modems stacked on Ikea shelving. The way that I got
my first job as a student was literally by hanging around one of them
and pestering them until they hired me part time. These small ISPs
grew and most were eventually acquired and people who stuck
around through that -- especially the often quite complicated network
integration that happens after acquisitions -- learned quite a lot
about how the Internet operates at a variety of scales and saw a
variety of different architectures and technical strategies.

The scale and stability of today's Internet means that path is mostly
closed now I think, particularly if what you want to do is get a job
at a big company. But not entirely, there are still lots of rich
field-learning opportunities on the periphery, in places where large
carriers fear to tread...

-w




Re: Low Cost 10G Router

2015-05-21 Thread William Waites
> BGP is still atrocious on the CCRs, but that's because the route
> update process isn't multithreaded.

I recently took a close look at this, and that the update process is
single-threaded is not the major problem so long as churn is not too
great. The problem is that due to a deeper problem the entire
forwarding table needs to be recalculated for *each* update. This
means that even with the usual background noise in the DFZ the daemon
is constantly updating everything. There are other bugs as well such
as not supporting recursive next hop (e.g. via OSPF) lookup for IPv6
which means that if you have any iBGP sessions and more than one
internal path you're out of luck with no obvious workaround.

The stock answer from Mikrotik is that everything will be fixed in
the next major release of the OS. When that happens, and how long it
takes to shake out the inevitable new bugs is an open
question. Personally I give it at least a year before we would even
try to use these seriously for BGP. Until then, it's FreeBSD and
BIRD.

Best,
-w
--
William Waites wwai...@tardis.ed.ac.uk  |  School of Informatics
   http://tardis.ed.ac.uk/~wwaites/   | University of Edinburgh
 https://hubs.net.uk/ |  HUBS AS60241





Re: Peering and Network Cost

2015-04-19 Thread William Waites
On Sun, 19 Apr 2015 11:23:53 +0200, Baldur Norddahl baldur.nordd...@gmail.com 
said:

> So why is IX peering so expensive?
>
> But the only service is running an old layer 2 switch.
>
> The 40 dix particants should donate 1000 USD once and get a new
> layer 2 switch. Why does that not happen?

This is something like how TORIX was operated at the beginning. The
switch was donated by Cisco and rack space by a member with a cage at
a convenient spot at 151 Front -- I think this was jlixfeld at
look.ca. Fees were a $1/port/year peppercorn.

It has been a long time since I was in any way involved in that, but
today for a 1Gbps port TORIX charges $1200/year which is more but still
not as much as you say for other IXPs. It would be interesting to hear
from someone who was involved in TORIX at the time how this transition
from $1 to $1200 went and the reasoning behind it. My guess would be
moving to its own space and having to pay rent was a major part of it,
and possibly acquiring staff?

Also note that the LINX exchanges do not charge for the first 1Gbps
port (or the n-th at the regional exchanges) though there is a
membership fee which makes it roughly equivalent to what TORIX does
today.

From that point of view you guys in Denmark seem to be paying somewhat
over the odds.

Cheers,
-w
--
William Waites wwai...@tardis.ed.ac.uk  |  School of Informatics
   http://tardis.ed.ac.uk/~wwaites/   | University of Edinburgh
   http://www.hubs.net.uk/|  HUBS AS60241





Re: macomnet weird dns record

2015-04-14 Thread William Waites
Colin, I understand that you would like everyone on the Internet to
behave in a way that you consider normal and tailor their reverse DNS
so as not to offend your aesthetic sense. It is frustrating when other
people do things differently, my deepest sympathies.

Also if you have ever used a BSD system you will know that writing
netmasks in hex is perfectly normal.

-w
--
William Waites wwai...@tardis.ed.ac.uk  |  School of Informatics
   http://tardis.ed.ac.uk/~wwaites/   | University of Edinburgh
   http://www.hubs.net.uk/|  HUBS AS60241





Re: Verizon Policy Statement on Net Neutrality

2015-02-28 Thread William Waites
On Fri, 27 Feb 2015 23:24:17 +, Naslund, Steve snasl...@medline.com 
said:

> I was an ISP in the 1990s and our first DSL offerings were SDSL
> symmetric services to replace more expensive T-1 circuits.  When
> we got into residential it was with SDSL and then the consumers
> wanted more downstream so ADSL was invented.  I was there, I
> know this.

So was I and my experience was different. We decided that it would be
more profitable as a small ISP to re-sell Bell Canada's ADSL than to
try to unbundle central offices all over the place. The arguments from
the business side had nothing whatsoever to do with symmetry or lack
thereof. The choice of technology was entirely by the ILEC.

> To that I will just say that if your average user spend as much
> time videoconferencing as they do watching streaming media then
> they are probably a business.

No, you misunderstand. I don't dispute that the area under end-user
traffic statistics graphs is asymmetric. But that the maximum value --
particularly the instantaneous maximum value which you don't see with
five minute sampling -- wants to be quite a lot higher than it
can be with a very asymmetric circuit. If someone works from home one
day a week and has a videoconference or two, we still want that to
work well, right?

And perfect symmetry is not necessary. Would I notice the difference
between 60/60 and 60/40 or even 60/20? Probably not really as long as
both numbers are significantly more than the expected peak rate. But
24/1.5, a factor of 16, is a very different story.

-w
--
William Waites wwai...@tardis.ed.ac.uk  |  School of Informatics
   http://tardis.ed.ac.uk/~wwaites/   | University of Edinburgh





Re: Verizon Policy Statement on Net Neutrality

2015-02-27 Thread William Waites
It certainly seems to be Friday.

On Fri, 27 Feb 2015 17:27:08 +, Naslund, Steve snasl...@medline.com 
said:

> That statement completely confuses me.  Why is asymmetry evil?
> Does that not reflect what Joe Average User actually needs and
> wants? ... There is no technical reason that it can't be
> symmetric it is just a reflection of what the market wants.

This is a self-fulfilling prophecy. As long as the edge networks have
asymmetry built into them popular programs and services will be
developed that are structured to account for this. As long as the
popular programs and services are made like this, the average user
will not know that they might want something different.

It doesn't have to be this way, it's an artefact of a choice on the
part of the larger (mostly telephone company) ISPs in the 1990s. It
also happens to suit capital because it is more obvious how to make
money at the expense of the users with an asymmetric network and
centralised Web 2.0 style services.

Thankfully the cracks are starting to show. I was pleased to hear the
surprised and shocked praise when I installed a symmetric radio
service to someone in the neighbourhood and it was no longer painful
for them to upload their photographs. Multi-party videoconferencing
doesn't work well unless at least one participant (or a server) is on
good, symmetric bandwidth. These are just boring mundane
applications. Imagine the more interesting ones that might emerge if
the restriction of asymmetry was no longer commonplace...

-w

--
/\| William Waites wwai...@tardis.ed.ac.uk
\ /  ASCII Ribbon Campaign |  School of Informatics
 Xagainst HTML e-mail  | University of Edinburgh
/ \  (still going) | http://tardis.ed.ac.uk/~wwaites/





Re: Verizon Policy Statement on Net Neutrality

2015-02-27 Thread William Waites
On Fri, 27 Feb 2015 14:24:54 -0500, Bruce H McIntosh b...@ufl.edu said:

> What's a lawful web site?
>
> Now *there* is a $64,000 question.  Even more interesting is,
> Who gets to decide day to day the answer to that question? :)

Over here we have some kind of an answer to that question... And
it's not a very good one...

--
/\| William Waites wwai...@tardis.ed.ac.uk
\ /  ASCII Ribbon Campaign |  School of Informatics
 Xagainst HTML e-mail  | University of Edinburgh
/ \  (still going) | http://tardis.ed.ac.uk/~wwaites/





[OT] Re: Intellectual Property in Network Design

2015-02-13 Thread William Waites
On Fri, 13 Feb 2015 11:43:14 +1100, Ahad Aboss a...@telcoinabox.com said:

> In a sense, you are an artist as network architecture
> is an art in itself.  It involves interaction with time,
> processes, people and things or an intersection between all.

This Friday's off-topic post for NANOG:

Doing art is creative practice directed to uncover something new and
not pre-conceived.  Successful acts of art produce something that not
only wasn't there before but that nobody thought could be there. The
art is the change in thinking that results. Whatever else is left over
is residue.

An engineer or architect in the usual setting, no matter how skilled,
is not doing art because the whole activity is pre-conceived. Even a
clean and elegant design is not usually intended to show beautiful
connections between ideas the same way poetry or mathematics
might. Hiring an engineer for this purpose almost never happens in
industry. Rather the purpose is to make a thing that does what it is
intended to do. It is craft, or second-order residue. Useful, possibly
difficult, but not art.

Some people want to claim ownership of a recipe for predictably
creating residue of a certain kind. An artist knows that this is not
good for doing art because nothing new can come from it. If they are
committed to their practice, they will not seek to prevent others from
using an old recipe. Why would they? They have already moved on.

Some older thoughts on the topic: http://archive.groovy.net/syntac/




Re: HTTPS redirects to HTTP for monitoring

2015-01-18 Thread William Waites
On 18 Jan 2015 18:15:09 -, John Levine jo...@iecc.com said:

 I expect your users would fire you when they found you'd blocked
 access to Google.

Doesn't goog do certificate pinning anyways, at least in their web
browser?




Re: determine relationship between the operators based on import and export statements in aut-num object?

2014-11-25 Thread William Waites
On Tue, 25 Nov 2014 17:36:47 +0200, Martin T m4rtn...@gmail.com said:

 Last but not least, maybe there is altogether a more reliable
 way to understand the relationship between the operators than
 aut-num objects(often not updated) in RIR database?

The first thing to do is look and see if the policy of, e.g. AS65133
is consistent with what you see there. I suspect you'll find a lot of
mismatches; I don't know if that has been studied systematically,
but it should be simple to do.

Next, much more data intensive, is to trawl through the route views data
and see to what extent the actual updates seen are consistent with the
RIR objects, and also see what (topological, not financial as Valdis
points out) relationships they imply that are not present in the RIR
database.

-w




Re: Multi-homing with multiple ASNs

2014-11-21 Thread William Waites
On Fri, 21 Nov 2014 11:07:49 +0200, Mark Tinka mark.ti...@seacom.mu said:

  We own an AS number and our IP space but at the last minute
 learned our state network is advertising our network using two
 different ASNs (neither ours)

This will work, as in the BGP path selection algorithm will work as
designed in this situation. But it also means that the routing policy
is out of your control which is kind of the point of having an ASN! It
also makes it harder to track down who is operationally responsible
for that address space since it appears to the outside world to be in
two (or three!) different places. I'd say don't do this unless you
really have no choice.

 Why aren't you originating your own prefixes and ASN by
 yourselves, since you own both?

Good question.

We (AS60241) almost ended up doing similarly for a while. Because of a
close association with the universities in Scotland, we discussed the
possibility of transit via JANET. This turned out to be difficult
because they run a whole bunch of private ASNs internally -- unlike in
North America where universities typically have their own real one. So
it would have been us - private stuff - AS786 and for some reason
that I forget they were unable to remove private ASNs from the
path. The best that might have been possible would be to have had them
announce our networks with synchronisation on, which would have meant
the outside world would have seen them originating in both AS786 and
AS60241. Icky. We (mutually) decided against this.

Just to say that there are strange, but not completely unreasonable
circumstances in which this can happen...

-w




Re: Scotland ccTLD?

2014-09-16 Thread William Waites

On 16/09/14 16:26, Jay Ashworth wrote:

> I see also a suggestion, credited to Dave Eastabrook (sp?) of .ab, which
> apparently stands for Alba, which I will assume has historical significance
> (the country name in Scots Gaelic, perhaps?)


It has current significance, as Gaelic is recognised as an official
(albeit minority) language. This is probably a reasonable suggestion.

The irony is that these kinds of infrastructure questions are so far
below the radar of the Scottish Government that I wouldn't be
surprised at all if its operation were outsourced to Nominet...


Re: NAT IP and Google

2014-05-20 Thread William Waites
On Tue, May 20, 2014 at 10:21:43PM +0800, Pui Edylie wrote:
 
 May I know what is the best approach so that Google would not ban our
 Natted IP from time to time as it suspects it to be a bot.

IPv6?




Re: NAT IP and Google

2014-05-20 Thread William Waites
On Tue, May 20, 2014 at 10:35:56AM -0400, Harald Koch wrote:
 
 Might help if all your hosts have their own IPv6 addresses

That was meant to be implied... But...

On Tue, May 20, 2014 at 09:10:56AM -0600, Derek Andrew wrote:
 They take out our campus, both IPv4 and IPv6.

That's interesting, I haven't seen this happen with IPv6.

Some of the networks I work with do the everything behind NAT thing
and get bitten by this. Using a pool of addresses helps but... This is
only going to get more painful with more people doing Carrier Grade
NAT...

-w



Re: WISP or other options

2014-03-27 Thread William Waites
On Wed, Mar 26, 2014 at 10:30:27PM -0500, Nick wrote:
 
 Does anyone have contacts in Edinburgh Scotland who can provide WISP
 service at the Hopetoun House and Dundas Castle. I would like to
 have 20-60 Mbps for 2 days of services.

There is a *chance* that we (http://hubs.net.uk/) can help. Our
network in Edinburgh is mostly constructed for serving areas to the
South -- the Lothians, the Borders, etc. and South Queensferry is to
the Northwest.

So one way of doing this would be to find an intermediate spot and
make two links. Briefly consulting a map there are a few candidates,
and for some, a temporary relay (the broadband wagon parked on a
hilltop) might work. It also looks as though there may be line of
sight to Scolocate in South Gyle which is a major datacentre where IX
Scotland is -- unfortunately we don't have anything on the roof there
at the moment.

If the event is for some sort of not for profit or academic related
thing other possibilities open up as well, it may be possible to use
one of the universities' networks to get most of the way there.

There are definitely possibilities, but it may well be too expensive
for such a short duration. Send me a mail off list if you want to
discuss in more detail.

 Our company's event planner claims there are no good ISP options in
 the area and wants us to go with satellite internet which is pricy
 and has high latency. It's worth noting both locations have ~7 Mbps
 DSL.

It would be interesting to talk to this event planner...

Another option is bonded ADSL. I'd recommend Andrews and Arnold
(http://aa.net.uk/) for that. It's a bit ugly, and any DSL or FTTx is
very expensive for real use (BT Wholesale's tariff for bandwidth on
their DSL carrier interconnect for resale is something like £40/Mbps
plus lots of other charges) but for a temporary situation it's not a
bad option.

Cheers,
-w




Re: WISP or other options

2014-03-27 Thread William Waites
On Thu, Mar 27, 2014 at 03:35:20AM +, Warren Bailey wrote:
 
 You are screwed for LOS microwave, 60 Mbps on a microwave hop requires
 real life engineering to function correctly.

Well now, really. Yes it needs engineering, but nothing spectacularly
difficult. The upper bound on distance the OP needs is something like
10 miles which is peanuts. Any of your typical off the shelf 5GHz
stuff will do that, you can even just eyeball the alignment. The upper
5GHz band is not very crowded around here. You do need line of sight
which means spending a little time with a topo map.

You're right that it isn't as simple as just putting up some antennas,
leaving the kit at factory defaults and hoping, but that's not a very
high bar.

 towers

Rather conveniently there are lots of hills around here. A typical one
can easily be something made out of standard scaffolding not more than
2.5m tall. You try to build them at the top of steep bits so that
people (and sheep) can't easily stand in front of the antennas.

 If you're looking for satellite

Satellite is a last resort, and almost always unnecessary even in very
remote places. It is also, as you point out, extremely expensive.

Best,
-w




Re: WISP or other options

2014-03-27 Thread William Waites
On Thu, Mar 27, 2014 at 12:02:30AM -0400, Miles Fidelman wrote:
 Laser link, and pray for clear weather?

You'll have to pray really hard around here, especially in South
Queensferry down by the water... 

We actually have an FSO link between two tall buildings in South
Edinburgh. Only about 500m. It works pretty well except when the haar
rolls in.

Giant pain in the behind to align though, and given that the wind that
comes over the top of these tall buildings can be 5x that at ground
level, and gales happen several times a year, keeping them aligned
is... interesting...

-w






Re: WISP or other options

2014-03-27 Thread William Waites
On Thu, Mar 27, 2014 at 05:09:05AM +, Warren Bailey wrote:
 It's not 802.11 and it doesn't act that way.

Actually most of the installations I've seen -- and my day job is
working with community networks around Scotland that have built all
manner of strange things -- the problems most often have nothing at
all to do with the physical layer. More often they're related to doing
things with spanning tree that we all learned in networking long ago
to not do, or running many layers of NAT because IP routing is not
understood. Things like that.

The only common RF problem is leaving the channel selection on
auto. Which invariably means one radio, like an access point with a
sector antenna, can't hear the point to point link coming in to the
dish behind it and picks the wrong channel.

Again, yes, you're right, you have to understand how this stuff works
and think a little bit when you build, but your messages saying "it's
really really hard" are coming across a little like FUD.

 A pair of Air Fiber is like 3k USD, and at 24 GHz you had better know 

The AF24 are also illegal here. Or rather the lower channel belongs to
the police, and the upper channel is limited to a very low output
power. We have a pair of these, with a special non-operational license
from Ofcom to put them through their paces. They do work, though they
are a pain to align and subject to rain fade. They are on the West
coast which is very rainy. Right now we're using them to measure rain
intensity rather than to carry real traffic (which we can't do with a
non-op license anyways).

-w





Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread William Waites



> Is Ken Thompson turning over in his grave yet?

I certainly hope not...




Re: The Making of a Router

2013-12-27 Thread William Waites
On Fri, 27 Dec 2013 07:23:36 -0500 (EST), Justin M. Streiner strei...@cluebyfour.org said:

 You end up combining some of the downsides of a hardware-based
 router with some of the downsides of a server (new attack
 vectors, another device that needs to be backed up, patched, and
 monitored...

Might be a good idea to back up, patch and monitor your routers
too... Just sayin'



Re: Is there a method or tool(s) to prove network outages?

2013-12-01 Thread William Waites
On Sun, 1 Dec 2013 17:56:51 +0100, Notify Me notify.s...@gmail.com said:

 I have a very problematic radio link which goes out and back on
 again every few hours.

Is "every few hours" regular/cyclical? Does the radio link cross a
tidal body of water?

-w




Re: Is there a method or tool(s) to prove network outages?

2013-12-01 Thread William Waites
On Sun, 1 Dec 2013 20:25:36 +, Sina Owolabi notify.s...@gmail.com said:

 It's cyclical, but I have not tried to graph/measure its
 repetition before now... Body of tidal water... could be

This is speculation until you have measurements, but if this is the
case I'd wager you are having reflected signal interference off of the
water. The water acts like a mirror and as it moves up and down the
reflected signal will move in and out of phase with the main
signal. At certain points you'll get near complete cancellation and
the link will fail.

See section 4 here for some explanations, fig 5 and 6 for what you
could expect the graphs of signal strength, time, link capacity to
look like:

http://homepages.inf.ed.ac.uk/mmarina/papers/mobicom_winsdr08.pdf

But not having access to the RF part you can't measure this
directly. If you can get tide tables for a nearby location, what you
could do is say that signal strength is 1 if the link is working and 0
if it is not. Measure for a while then scatterplot that against the
level of the tide. If the measurements of 0 group tightly together
in a few spots then you know definitely what is happening. Perhaps
that plot together with a pointer to a nice academic paper would be
enough to convince the provider of what is happening.

What could you do about this?

If you are lucky and the interference does not complete a full cycle
from destructive to constructive and back with the largest amplitude
of the tides that you experience in that place, you could try moving
the antenna up or down. How much depends on the frequency and
distances involved but I'd try 25cm increments up to a couple of
meters if you can. You'll still get degradation but can hopefully
avoid the deep nulls that take the link out completely.

If you are able and willing to replace the end-site radios or antennas
with your own, and the link uses some sort of 2xN MIMO, you could
arrange vertical spacing between the antennas so that you have a good
signal at one antenna when the other one is experiencing a null. This
should get you on average half the best-case throughput the equipment
is capable of but it should get you that consistently. The actual
spacing depends on the distances and heights involved.

-w
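The measurement and the two-ray reflection model described above, worked through as an added example (not code from this thread or its author); the 5 GHz frequency, 5 km path, antenna heights, tide amplitude and up/down threshold are constructed values, and the tide itself is an idealised sine:

```python
"""Tidal multipath on a point-to-point link over water (added example, not
code from the thread).  It models the two-ray geometry the post describes
and the "1 if the link is up, 0 if not, against tide level" measurement it
suggests.  Every link parameter below is constructed for illustration."""
import math

C_M_PER_S = 299_792_458.0

# Constructed link: 5 GHz over 5 km of water, antennas 12 m and 8 m above
# mean water level, tide swinging +/- 2 m around that mean.
FREQ_HZ = 5.0e9
WAVELENGTH_M = C_M_PER_S / FREQ_HZ
DISTANCE_M = 5000.0
H1_M, H2_M = 12.0, 8.0
TIDE_AMPLITUDE_M = 2.0
UP_THRESHOLD = 0.5  # relative amplitude below which the link drops (constructed)


def path_difference(d, h1, h2, tide=0.0):
    """Extra length (m) of the water-reflected ray over the direct ray.
    A rising tide brings the reflecting surface closer to both antennas."""
    h1, h2 = h1 - tide, h2 - tide
    return math.hypot(d, h1 + h2) - math.hypot(d, h1 - h2)


def relative_strength(tide, h1=H1_M, h2=H2_M, d=DISTANCE_M, lam=WAVELENGTH_M):
    """Amplitude of direct + reflected ray on a 0..2 scale (0 = full
    cancellation), assuming the water reflects with coefficient -1 and
    equal amplitude: the textbook two-ray simplification."""
    phase = 2 * math.pi * path_difference(d, h1, h2, tide) / lam
    return abs(2 * math.sin(phase / 2))


def link_up(tide, **kw):
    """Binary link state, the only thing the OP can measure."""
    return relative_strength(tide, **kw) > UP_THRESHOLD


def tide_level(t_hours, amplitude=TIDE_AMPLITUDE_M, period_h=12.42):
    """Idealised semi-diurnal tide, metres relative to mean water level."""
    return amplitude * math.sin(2 * math.pi * t_hours / period_h)


def sample_link(hours=48.0, step_h=0.1):
    """Constructed monitoring log: (tide level, 1 if up else 0) per sample,
    i.e. the scatter-plot data the post suggests collecting."""
    levels = [tide_level(i * step_h) for i in range(int(hours / step_h))]
    return [(lvl, int(link_up(lvl))) for lvl in levels]


def outage_bins(samples, bin_m=0.25):
    """Fraction of samples that were down, keyed by tide-level bin (lower
    edge).  Outages clustering in one or two bins is the tidal signature."""
    totals, downs = {}, {}
    for lvl, up in samples:
        b = math.floor(lvl / bin_m) * bin_m
        totals[b] = totals.get(b, 0) + 1
        downs[b] = downs.get(b, 0) + (1 - up)
    return {b: downs[b] / totals[b] for b in sorted(totals)}


def worst_case_over_tide(offset_m, steps=400):
    """Minimum relative strength across a full tide swing when the lower
    antenna is moved by offset_m (positive = up)."""
    return min(
        relative_strength(TIDE_AMPLITUDE_M * (2 * i / steps - 1), h2=H2_M + offset_m)
        for i in range(steps + 1)
    )


def best_antenna_offset(max_offset_m=2.0, step_m=0.25):
    """Move of the lower antenna, in 25 cm steps within +/- max_offset_m,
    that leaves the highest worst-case strength over the tide swing."""
    n = int(round(max_offset_m / step_m))
    return max((i * step_m for i in range(-n, n + 1)), key=worst_case_over_tide)


if __name__ == "__main__":
    bins = outage_bins(sample_link())
    print("tide bins with outages:", {b: round(f, 2) for b, f in bins.items() if f})
    best = best_antenna_offset()
    print(f"move lower antenna {best:+.2f} m: worst case {worst_case_over_tide(best):.2f}")
```

With these constructed numbers the interference does not complete a full cycle over the tide swing, so the outages fall in a single tide bin and a vertical move of the antenna clears the null; with a longer path difference relative to the wavelength no single offset would.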




Re: Meraki

2013-11-20 Thread William Waites
On Wed, 20 Nov 2013 14:08:53 -0500, Ray Soucy r...@maine.edu said:

 I'm very interested in other user experiences with Ubiquity for
 smaller deployments vs. traditional Cisco APs and WLC.
 Especially for a collection of rural areas.  The price point and
 software controller are very attractive.

I've never used the software controller but we use a lot of Ubiquiti
kit in rural Scotland. We use it mostly in transparent bridge mode
with more capable routers speaking ethernet - FreeBSD on Soekris boards
and Mikrotik mostly. In general the RF part is great, but the software
part is buggy. We have been extensively bitten by transparent bridge
not being transparent enough and eating multicast packets which of
course completely hoses OSPF. Using NBMA and being very careful about
which firmware version mostly works. Don't try to make them do
anything sophisticated.

-w



Policy-based routing is evil? Discuss.

2013-10-11 Thread William Waites
I'm having a discussion with a small network in a part of the world
where bandwidth is scarce and multiple DSL lines are often used for
upstream links. The topic is policy-based routing, which is being
described as load balancing where end-user traffic is assigned to a
line according to source address.

In my opinion the main problems with this are:

  - It's brittle, when a line fails, traffic doesn't re-route
  - None of the usual debugging tools work properly
  - Adding a new user is complicated because it has to be done in (at
least) two places

But I'm having a distinct lack of success locating rants and diatribes
or even well-reasoned articles supporting this opinion.

Am I out to lunch?

-w




Re: Policy-based routing is evil? Discuss.

2013-10-11 Thread William Waites
On Fri, 11 Oct 2013 10:41:46 -0700, joel jaeggli joe...@bogus.com said:

 you take all the useful information that an IGP could be (or is)
 providing you, and then you ignore it and do something else.

Yes, that's another part of the conversation, encouraging the use of
an IGP, which has been a source of trouble for them because of broken
wireless bridges from a very commonly used vendor that randomly eat
multicast packets, so it's not as straightforward as it should be.

 evil is not a synonym for ugly patch placed over a problem that
 could be handled better.

Ok, fair enough. My first experience with PBR was as a summer intern in
the mid-1990s who inherited management of a large ATM network that had
a big VPN-esque thing built entirely that way and with no
documentation. It certainly felt evil at the time. ;)

-w





Re: Internet Surveillance and Boomerang Routing: A Call for Canadian Network Sovereignty

2013-09-10 Thread William Waites
On Tue, 10 Sep 2013 10:27:15 -0700, Bill Woodcock wo...@pch.net said:

 or to make an ISP class license requirement that every service
 provider network deliver traffic that has source and destination
 addresses within a region, without passing the traffic across
 the border of the region.  That's a technology-neutral way of
 saying that if you have a customer in a region, and someone else
 has a customer in the same region, you and they had better
 figure out a way of delivering that traffic through peering or
 local transit.

That's historically the way it was in Canada, although it was originally
phrased in terms of the telegraph and persisted up until the
beginnings of the commercial Internet when the rule was
abolished. It's also the reason why, for example, the old
trans-atlantic cables went from the UK to Nova Scotia before New York
even though the bulk of the traffic was UK-US. Theoretically, traffic
within the empire was not supposed to cross a third border. I believe
the rationale behind this was to prevent eavesdropping.

I have a pet theory that this rule was one of the main reasons that
Canada has such a well developed telecommunications industry -- it was
forced by law to develop it indigenously rather than just dumping
telephone calls across the border into the 'states, which probably
would have made more economic sense. When the rule was abolished in
the early 1990s it wasn't clear if it should or should not apply to
Internet traffic but leaving the answer entirely to market forces
may have stunted the development of East-West capacity within Canada.

Is this a good or a bad thing? I can remember back when there was a
project in the 'states called Carnivore, and we had some American
police -- I believe they were FBI -- come up and ask us politely if
we'd like to put some of their machines on our network. Everybody
pretty much uniformly said no. Shortly thereafter an American carrier
showed up selling gigabit ethernet circuits to NYC for well below what
was the going rate at the time and effectively pulled a lot of traffic
that would otherwise have remained in country across the border. I've
been outside of North America for a while now so I don't know first
hand, but from the commentary on this list that trend appears to have
continued...

-w




Re: I don't need no stinking firewall!

2010-01-06 Thread William Waites


On 10-01-05 at 21:29, Dobbins, Roland wrote:

> Stateful firewalls make absolutely no sense in front of servers, given
> that by definition, every packet coming into the server is unsolicited
> (some protocols like ftp work a bit differently in that there're
> multiple bidirectional/omnidirectional communications sessions, but
> the key is that the initial connection is always unsolicited).


Most hosts are in some measure servers and clients. Sometimes a server
might want to make an outbound connection for a legitimate reason (say
a DNS lookup or zone transfer). Sometimes it might be tricked into doing
so for nefarious reasons (like the old reverse telnet trick of binding
a shell to an outbound tcp connection). A properly configured firewall
will prevent the latter.

-w


[OT] Re: Sheriffs and Vigilantes

2008-09-29 Thread William Waites


On 08-09-29 at 10:40, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> It is not vigilantism, it is the common law, rooted in
> ancient English history, of the shire reeve, who we now
> call the sheriff.
>
> Reeve means "called", from the Germanic verb rufen.
> In other words, this person is someone who is called
> to the duty by the shire.


George Trevelyan's History of England gives the distinct
impression that the sheriff was not quite so grass-roots
an office as this thread might have one believe. The office
was created at the instigation of the Norman monarchs so
that they would have a parallel administrative structure
from that of the feudal barons. This was to make it harder
for the uppity barons to unseat the king as happened regularly
in pre-Norman times.


> In other words, this person checked the property of his
> peers. He was one of the community which selected him.


I wonder if the reeve (gerefa) was thought of as called
by the community or by the king. Trevelyan and etymonline
suggest the latter. Who, within the community, got to be
sheriff was probably the community's choice. But once in
office the sheriff was likely answerable to the king. In
the absence of a monarch, is NANOG now trying to behave
like the North American Regency Council? Hmmm...

In Spain, a vigilante is a security guard, almost always
unarmed, whose job it is to be vigilant and call the police
if something bad happens and take temporary measures if
possible in the meantime. That type of vigilante would seem
to correspond quite closely with the job of the responsible
network security/operations person.

Cheers,
-w

--
William Waites VE2WSW[EMAIL PROTECTED]
http://www.irl.styx.org/  +49 30 8894 9942
CD70 0498 8AE4 36EA 1CD7  281C 427A 3F36 2130 E9F5




Re: Mechanisms for a multi-homed host to pick the best router

2008-09-18 Thread William Waites


>> So, for example, if the server receives the SYN from router R3, it
>> would send the SYN ACK and all subsequent packets for the TCP
>> connection over that same interface R3.
>> ...
>
> right idea.  works great.  see the following:
>
> http://www.academ.com/nanog/feb1997/multihoming.html
> http://www.irbs.net/internet/nanog/9706/0232.html
> http://gatekeeper.dec.com/pub/misc/vixie/ifdefault/



This approach is particularly useful for hosts with multiple IPv6
tunnels. Some tunnel providers implement strict RPF, some don't. Where
this is the case, having multiple tunnels (cf multiple address ranges)
is problematic. Of course these days perhaps the IPv4 variant could be
done with a stateful NAT.

Maybe a case could be made for IPv6 NAT (and site-local addresses?) in
this scenario...


-w



Re: Is the export policy selective under valley-free?

2008-09-03 Thread William Waites


On 08-09-03 at 11:08, Iljitsch van Beijnum wrote:

> On 3 sep 2008, at 1:45, Kai Chen wrote:
>
>> Just want to ask a direct question. Will an AS export all it gets from
>> its customers and itself to its providers? Or even under valley-free,
>> the BGP export policy is also selective?
>
> I get the valley-free but not the selective.  :-)



(guessing)

Suppose,

C1   P1
  \ /
   A
  / \
C2   P2

Suppose A has different policies for its two customers, such as,
announce C1 routes to P1 but not P2 and announce C2 routes to P2 but
not P1.

In this case there would be valley-free paths [C1 A P2], [C2 A P1]
that are not allowed because of A's policy. Though such a policy might
be unusual, this is a case where the set of paths generated from the
topology with the valley-free rule contains paths that would not occur
in reality.

I think that yes, the valley-free property is a necessary but not
sufficient criterion for generating the set of in-reality-valid paths
on the Internet.


Cheers,
-w



Re: Is the export policy selective under valley-free?

2008-09-03 Thread William Waites


On 08-09-03 at 11:40, Randy Bush, on holiday and should not be
reading nanog, let alone responding, wrote:

> i assure you that the actual topology is not valley free.  e.g. there
> are many backup or political hack transit paths [0]


Sorry to further impinge on your vacation, but was there a footnote
there?



> between otherwise peers and there are also backup customer/provider
> reversals.


Perhaps the first case could be called misclassification of the edge by
the link-labelling heuristics (and "otherwise peers" dropped)?

But where such a relationship is symmetric it runs into the second
case, and I agree that the model breaks down in the mutual transit
scenario where a link can look like either c2p or p2c depending on
the path being considered.

How useful/productive is it to say that any observed path is always,
by definition, valley-free and that the labels are not really
properties of the graph but properties of the path? I'm not sure.

Enjoy your vacation,
-w
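The selective-export case from the earlier reply in this thread and the backup-transit case just above, as one added example (not code from this thread or its author); the star topology follows the diagram in the post, while A's export policy and the "observed" backup path through A are constructed:

```python
"""Valley-free paths versus per-AS export policy (added example, not from
the thread).  Topology as drawn in the post: C1 and C2 are customers of
A; P1 and P2 are providers of A.  A's selective policy and the observed
backup path are constructed for illustration."""

# Constructed customer-to-provider edges as (customer, provider).
C2P = {("C1", "A"), ("C2", "A"), ("A", "P1"), ("A", "P2")}
# Constructed peering edges; empty for the star in the post.
PEER = set()
# Constructed selective policy for A: routes learned from C1 go to
# provider P1 only, routes learned from C2 to provider P2 only.
# Customers of A still receive both, as usual.
SELECTIVE = {"A": {"C1": {"P1"}, "C2": {"P2"}}}


def relationship(x, y):
    """Label of the directed hop x -> y: 'c2p', 'p2c', 'p2p' or None."""
    if (x, y) in C2P:
        return "c2p"
    if (y, x) in C2P:
        return "p2c"
    if frozenset((x, y)) in PEER:
        return "p2p"
    return None


def is_valley_free(path):
    """Gao's rule: some c2p hops, at most one p2p hop, then some p2c hops.
    path is in announcement direction: path[0] is the origin AS."""
    phase = 0  # 0 climbing, 1 after the peer hop, 2 descending
    for a, b in zip(path, path[1:]):
        rel = relationship(a, b)
        if rel is None or (rel == "c2p" and phase != 0):
            return False
        if rel == "p2p":
            if phase != 0:
                return False
            phase = 1
        if rel == "p2c":
            phase = 2
    return True


def exports(asn, learned_from, send_to):
    """Would asn re-announce a route learned from learned_from to send_to?
    Default is the usual rule (customer routes to all, others to
    customers only), narrowed by any SELECTIVE entry for asn."""
    from_customer = relationship(learned_from, asn) == "c2p"
    to_customer = relationship(asn, send_to) == "p2c"
    if not (from_customer or to_customer):
        return False
    if from_customer and not to_customer:
        allowed = SELECTIVE.get(asn, {}).get(learned_from)
        if allowed is not None and send_to not in allowed:
            return False
    return True


def policy_allows(path):
    """Every transit AS on the path must be willing to forward the route."""
    return all(exports(path[i], path[i - 1], path[i + 1])
               for i in range(1, len(path) - 1))


def simple_paths():
    """All simple paths of two or more ASes, in announcement direction."""
    adj = {}
    for x, y in list(C2P) + [tuple(e) for e in PEER]:
        adj.setdefault(x, set()).add(y)
        adj.setdefault(y, set()).add(x)
    found = []

    def walk(path):
        if len(path) > 1:
            found.append(tuple(path))
        for nxt in sorted(adj[path[-1]]):
            if nxt not in path:
                walk(path + [nxt])

    for start in sorted(adj):
        walk([start])
    return found


def compare():
    """Return (valley-free paths, the subset the export policies permit)."""
    valley_free = {p for p in simple_paths() if is_valley_free(p)}
    permitted = {p for p in valley_free if policy_allows(p)}
    return valley_free, permitted


def rejected_by_static_labels(observed):
    """Observed paths the fixed c2p/p2c labels call valleys, e.g. a backup
    arrangement in which a customer temporarily carries its provider."""
    return [p for p in observed if not is_valley_free(p)]


if __name__ == "__main__":
    vf, ok = compare()
    print(len(vf), "valley-free paths,", len(ok), "permitted by policy")
    print("blocked by A's policy:", sorted(vf - ok))
    # Constructed: during an outage A briefly carries P1's routes to P2.
    print("static model rejects:", rejected_by_static_labels([("P1", "A", "P2")]))
```

The two paths that valley-free generation produces but A's policy blocks are exactly [C1 A P2] and [C2 A P1]; the backup path [P1 A P2], real while the arrangement lasts, is one the static labels can only call a valley.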



Re: GLBX De-Peers Intercage

2008-09-01 Thread William Waites


On 08-09-01 at 10:48, Paul Ferguson wrote:

> My next question to the peanut gallery is: What do you
> suggest we should do on other hosting IP blocks that are continuing
> to host criminal activity, even in the face of abuse reports, etc.?



As mentioned in private email, I think where there is *evidence* of
*criminal* activity, show this to a judge, get the judge to order ARIN
to revoke the ASN/netblock, the traffic then becomes bogon and can/should
be filtered.

If there can be a legal procedure established for this it may even
be able to be done quickly in specific instances.

Of course a parallel procedure would be necessary for each bit of the
ROW...

-w



Re: GLBX De-Peers Intercage

2008-09-01 Thread William Waites


On 08-09-01 at 12:18, Adrian Chadd wrote:

> Oh come on, how quickly would that migrate to enforcing copyright
> infringement? Or if you're especially evil, used by larger companies
> to bully smaller companies out of precious IPv4 space?


With appropriate controls. For example that the entity in question
exists entirely or substantially for illegal purposes. Illegal does not
mean in violation of an agreement, rather against the law. And such an
action should not be possible for a private person to bring.


> Please find an alternative method of tidying up the trash and don't
> stir that nest of hornets.



Workable suggestions? So far I've seen,

* organized shunning
* BGP blacklists

Cheers,
-w



Re: GLBX De-Peers Intercage

2008-09-01 Thread William Waites



On 08-09-01 at 12:34, Gadi Evron wrote:

>> Workable suggestions? So far I've seen,
>>
>> * organized shunning
>> * BGP blacklists
>
> I can see the "don't be the Internet's firewall" bunch jumping up
> and out of their seats, spilling their coffees. How dare you destroy
> so many keyboards?


I didn't mean to imply that either of those was actually
workable ;)

-w



Re: [LN20080729.4147] RE: AS 28551

2008-08-01 Thread William Waites


On 08-08-01 at 15:05, Marshall Eubanks wrote:

> I think that 161.164.248.0/21 and AS 28551 may be hijacked.


traceroute to 161.164.248.1 (161.164.248.1), 64 hops max, 40 byte packets
 [snip]
 7  tengige0-3-0-3.auvtr1.Aubervilliers.opentransit.net (193.251.241.253)  78.728 ms  79.154 ms  79.548 ms
 8  tengige0-3-0-1.ffttr1.FrankfurtAmMain.opentransit.net (193.251.241.254)  85.894 ms  86.476 ms  86.701 ms
 9  64.208.110.229 (64.208.110.229)  86.312 ms  87.509 ms  87.463 ms
10  Alestra-S-De-R-L-De-CV-San-Pedro-Garza.so-0-2-0.ar1.MEX1.gblx.net (208.48.33.78)  266.280 ms Alestra-S-De-R-L-De-CV-Lago-Zurich.so-0-2-2.ar1.MEX1.gblx.net (64.215.25.70)  262.566 ms Alestra-S-De-R-L-De-CV-San-Pedro-Garza.so-1-1-0.ar1.MEX1.gblx.net (208.48.238.98)  473.559 ms
11  host-201-151-29-61.block.alestra.net.mx (201.151.29.61)  260.021 ms  433.502 ms  259.899 ms
12  host-201-151-29-42.block.alestra.net.mx (201.151.29.42)  661.863 ms  256.985 ms  434.032 ms
13  * * *

As well, AS paths shown from route-views.ip.att.net end with AS11172
(alestra) then AS28551.

Perhaps Walmart is providing Internet access for its maquiladoras? ;)

Cheers,
-w


Re: Arbitrary de-peering

2008-07-28 Thread William Waites

On 08-07-28 at 17:12, [EMAIL PROTECTED] wrote:

> Example: A York University professor was sitting at his desk at work in
> March 2008 trying to reach an internet website located somewhere in
> Europe. [...] York's bandwidth supplier is Cogent which had severed a
> peering relationship with a bandwidth provider in Europe called Telia
> [...] which was the bandwidth network provider for the website that the
> Professor was trying to reach. [...] Cogent did not proactively inform
> the University of the issue and the loss of connectivity. Unreachability
> due to arbitrariness in network peering is unacceptable.


There must be more to this story. If Cogent de-peered from Telia the  
traffic would
normally just have taken another path. Either there was a  
configuration error of some
sort or else some sort of proactive black-holing on one side or the  
other. As the
latter would be surprising and very heavy handed, I would tend to  
suspect the former.


Peering relationships are made and severed all the time with no particular
ill effects; unless you can point to examples of outright malice (i.e. of the
black-holing kind) I don't think there is much basis for any public policy
decisions in this example.


Unreachability due to configuration error is of course relatively common;
perhaps I am wrong, but I don't think the CRTC would really have much to say
about that.


Cheers,
-w


Re: Arbitrary de-peering

2008-07-28 Thread William Waites

On 08-07-28 at 17:29, Patrick W. Gilmore wrote:


> One should check one's assumptions before posting to 10K+ of their
> not-so-close friends.


Firstly I missed the actual incident since I was off the 'net for an
extended period about that time, so apologies for any rehash.


> Neither network has transit.  What other path is there to take?


http://www.renesys.com/blog/2008/03/he_said_she_said_cogent_vs_tel.shtml

Then Cogent de-peered Telia and suddenly Verizon and others started providing
a path between the two and their respective customers.

Which is as it should be. Then somebody (not clear who) apparently took
explicit steps to stop the traffic from taking these other paths. Surprising.
Severing a peering relationship is one thing, purposely filtering large
swathes of the Internet over all other links is quite another.

As I said, this is surprising behaviour, but not simple de-peering. And I'm
sure that any Tier 1 has enough peering relationships with enough other
Tier 1 networks that they can always buy temporary transit privileges over
an existing link.

-w


Re: Arbitrary de-peering

2008-07-28 Thread William Waites

On 08-07-28 at 18:27, Jon Lewis wrote:


> Bit bucket path.


Evidently.

>> As I said, this is surprising behaviour, but not simple de-peering.
>> And I'm


> Why is it surprising?  Sounds more like a repeat performance to me.
>
> Back when Level3 depeered Cogent, it was said that Cogent was already
> buying transit from Verio to reach at least some networks they weren't
> peering with.  After the depeering, why didn't Cogent get to Level3 (and
> vice versa) via Verio?


Surprising because Cogent (or Telia, but from what you say here, looks like
Cogent) presumably put themselves in a breach of contract position with
their (end-user or stub AS) customers who one would imagine have bought
Internet service from them. Given that they have some reasonably
big/important customers it is surprising that they would take that risk,
and even more surprising that it didn't bite them too hard. But maybe I am
just easily surprised.

>> Tier 1 has enough peering relationships with enough other Tier 1
>> networks that they can always buy temporary transit privileges over
>> an existing link.


> Tier 1 means you don't buy transit, no?


Maybe a slightly revised definition of Tier 1 is in order -- a provider that
doesn't buy transit and doesn't sell to end-users or stub systems. Doing
either of these things would degrade them in the nomenclature by 0.5. Doing
both of these things makes a Tier 2 provider which had better have transit
from more than one upstream. This way innocents don't suffer the collateral
damage from games of chicken among the titans (unless they were silly enough
to get their only Internet connection from a Tier 1.5 provider). Oh well.


Cheers,
-w


IPv6 nameserver glue chez netsol

2008-07-26 Thread William Waites

Hi all,

Does anyone have a contact or a known administrative path to get  NS
glue added to domains registered with Network Solutions? Or is the only
choice to move the domains in question to a different registrar?

(Perhaps more appropriate for dns-operations, but as it is an operational
question and my subscription request is awaiting moderator approval, I hope
nobody will mind my posting it here)

Cheers,
-w



Re: Building a BGP test network

2008-07-09 Thread William Waites


On 08-07-09 at 19:36, Ariel Biener wrote:


> I have been pondering over this issue for some time now (not too much
> time to invest on it), since I wanted to create a duplicate model of our
> production network in a test environment, not connected to any outside
> network (thus cannot peer, same problem as described here).


What about http://ipmon.sprint.com/pyrt/ ?

It doesn't do everything, being designed for the reverse problem --
pulling routes from a live BGP network for analysis. But it does include
a BGP speaker and the ability to read and write MRTD files. I imagine
with relatively little work it could be coaxed to read an MRTD dump and
send the entries to a test peer.


-w
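The first half of that idea, reading an MRTD dump to get prefixes and AS paths out of it, as an added example (not pyrt's code and not from the thread): a minimal parser for MRT TABLE_DUMP_V2 RIB_IPV4_UNICAST records per RFC 6396, plus a hypothetical builder that constructs a record so it can run offline. The prefixes and ASNs in the constructed data are documentation values (198.51.100.0/24, AS64496 etc.), not from any real dump.

```python
import struct
import ipaddress

MRT_TABLE_DUMP_V2, RIB_IPV4_UNICAST, BGP_ATTR_AS_PATH = 13, 2, 2  # RFC 6396 type, subtype; BGP attr code


def parse_as_path(attrs: bytes) -> list[int]:
    """Walk BGP path attributes, return AS_PATH as ASNs (TABLE_DUMP_V2 uses 4-octet ASNs)."""
    i = 0
    while i < len(attrs):
        flags, code = attrs[i], attrs[i + 1]
        if flags & 0x10:  # extended-length flag: 2-byte length field
            alen, i = struct.unpack_from("!H", attrs, i + 2)[0], i + 4
        else:
            alen, i = attrs[i + 2], i + 3
        value, i = attrs[i:i + alen], i + alen
        if code == BGP_ATTR_AS_PATH:
            path, j = [], 0
            while j < len(value):  # segments: type (1), ASN count (1), ASNs (4 each)
                n = value[j + 1]
                path += struct.unpack_from("!%dI" % n, value, j + 2)
                j += 2 + 4 * n
            return path
    return []


def parse_mrt_rib(dump: bytes) -> list[tuple[str, list[int]]]:
    """Return (prefix, as_path) per RIB entry; other record types (e.g. peer index table) are skipped."""
    rows, off = [], 0
    while off + 12 <= len(dump):  # MRT common header: timestamp, type, subtype, length
        _ts, mtype, subtype, length = struct.unpack_from("!IHHI", dump, off)
        body, off = dump[off + 12:off + 12 + length], off + 12 + length
        if (mtype, subtype) != (MRT_TABLE_DUMP_V2, RIB_IPV4_UNICAST):
            continue
        nbytes = (body[4] + 7) // 8  # body[0:4] sequence number, body[4] prefix length
        addr = int.from_bytes(body[5:5 + nbytes].ljust(4, b"\0"), "big")
        prefix = str(ipaddress.ip_network((addr, body[4])))
        count, pos = struct.unpack_from("!H", body, 5 + nbytes)[0], 7 + nbytes
        for _ in range(count):  # entry: peer index (2), originated time (4), attr length (2)
            _peer, _otime, alen = struct.unpack_from("!HIH", body, pos)
            rows.append((prefix, parse_as_path(body[pos + 8:pos + 8 + alen])))
            pos += 8 + alen
    return rows


def build_rib_record(prefix: str, as_path: list[int]) -> bytes:
    """Hypothetical helper: construct one RIB_IPV4_UNICAST record with one entry (test data)."""
    net = ipaddress.ip_network(prefix)
    seg = bytes([2, len(as_path)]) + struct.pack("!%dI" % len(as_path), *as_path)  # AS_SEQUENCE
    attrs = bytes([0x40, BGP_ATTR_AS_PATH, len(seg)]) + seg  # transitive, non-extended length
    entry = struct.pack("!HIH", 0, 0, len(attrs)) + attrs
    body = struct.pack("!IB", 1, net.prefixlen) + net.network_address.packed[:(net.prefixlen + 7) // 8] + struct.pack("!H", 1) + entry
    return struct.pack("!IHHI", 0, MRT_TABLE_DUMP_V2, RIB_IPV4_UNICAST, len(body)) + body
```

Feeding a real dump is `parse_mrt_rib(open("rib.mrt", "rb").read())`; the rows are what a replay tool would announce to the test peer.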