Re: 44/8
On 07/18, Christopher Morrow wrote:

> My guess is that arin needed more than just: "can control routing for
> a few bits of time".
> I don't really know, but I hope they had more requirements than that :)

It certainly doesn't look like it...

My understanding is that 44/8 was, very much like different pieces of the radio spectrum, collective common property of amateur radio operators. That an organisation was needed to operate a registry because of the nature of IP address allocation does not amount to ownership or the right to sell anything. This is exactly analogous to the fact that the ARRL (or RAC, or RSGB etc) does not own and cannot sell radio spectrum allocated for amateur use.

This is not a legitimate sale. ARIN should reverse the changes in its record, and the ARDC should give the "several million dollars" back to Amazon. Then we can decide, openly and transparently, if, for example, some piece of 44/8 should be returned to IANA for allocation to the RIRs.

Greetings,
William Waites VE3HW
Re: DOs and DONTs for small ISP
On 06/03, Mel Beckman wrote:

> I’m constantly amazed at the number of even medium-sized ISPs that have no
> network monitoring. An NMS should go in as the first software component —
> before billing starts and the provider is on the hook to deliver.
>
> The second lacking component is a ticket system, which is silly because
> turnkey cloud services are not expensive, and open source solutions abound
> for budget-limited operators.

It's not enough to have monitoring and a ticket system. You need to pay attention to them, care for them and feed them. I can't count the number of ticket systems full of ancient and irrelevant things or monitoring systems that people have forgotten about or don't know how to add new stuff to. Even the cycle of,

10 we need network monitoring
20 stand up some monitoring system ...
30 ... time passes, the person leaves etc ...
40 ... the network monitoring system is forgotten ...
50 GOTO 10

Cheers,
-w
Re: any interesting/useful resources available to IPv6 only?
On 05/03, Jeroen Massar wrote:

> > IPv6 is not a darknet, you won't find something hidden and unique there.

The Dancing Kame, surely.
Re: Oct. 3, 2018 EAS Presidential Alert test
> I wonder, if there were a real alert, what the odds are that one
> wouldn't hear about it in 1 minute, 5 minutes, etc even if they didn't
> personally get it.
>
> Obviously edge cases are possible, you were deep in a cave with your
> soccer team, but there must be mathematical modeling of that sort of
> information dispersion.
>
> It would have to account for other possible channels, word of mouth,
> facebook, twitter, posts or really any informational source you were
> on on the internet (e.g., news sites), TV, radio, people screaming in
> the streets, etc.

You could do this, in principle, but you’d need a whole bunch of assumptions.

What you want is a big graph of all people with weighted edges. The weights are the effective bitrates, or the chance per unit time that a message is sent and received along the edge (that’s going to mean guessing at some plausible numbers for each medium). We don’t have such a giant graph so we’d have to construct it and claim that for these purposes it has the right properties and represents the real world. You do this by saying, for each person, make a “word of mouth” edge to another randomly chosen person with some probability. And so on. There’s more guessing here about those probabilities, but this has been studied quite a bit, at least for real networks where the graph is available (e.g. twitter and facebook are favourites among people who research social networks).

Once you’ve got this big graph of all the people and the chance of a message going between any two of them pairwise, you write down a big matrix, Q = [q_ij] which tells you that a message at person i has such and such a chance to go to person j in one time unit. You then pick the people who got the initial message and make a vector x_0 = [x_i] where the entries are 0 if they didn’t get it and 1/n if they did (n is the number of people who got it). Now you can say,

    x(t) = exp(tQ) * x_0

and ask all the sorts of questions that you ask.

That gives you the chance at each time that each person is receiving the message. To answer “what are the chances someone heard about it in one minute”, sum up x*dt for all times from 0 to 1 minute, subtract out x_0 (because they already got it) and add up the probabilities that are left. If Q is very big, this is expensive to compute (matrix exponentials are expensive) but I think you could scale the whole thing down to a representative sample population.

It might be fun to do this a little bit more seriously than a hastily written mailing list post but I think it would always rely on a lot of guesses so would have to be taken with a very big grain of salt. As well, this is just one way you could model the process and there are a number of obvious criticisms (memorylessness jumps right out).

Cheers,
-w
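The matrix model outlined above, worked through on a constructed toy population as an added example (not code from the original post or its author). It assumes the media, rates and initial recipients shown in the code, treats Q as a continuous-time Markov generator, and answers "heard by time T" with the hitting probability that Q implies (make the person absorbing) rather than the post's integral.

```python
"""Toy version of the "big matrix Q" model sketched in the post above.

Added example, not code from the original message. Assumptions (all
constructed): rates[i][j] is the rate per minute at which a message held by
person j passes to person i (column convention, so dx/dt = Q x); Q is then a
continuous-time Markov generator (columns sum to zero) and x(t) = exp(tQ) x_0
is the probability the message is with each person at time t. "Chance person
k heard by time T" is the hitting probability: make k absorbing, read x(T)[k].
Pure Python; no numpy/scipy required.
"""
import random


def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def matvec(a, x):
    return [sum(a[i][k] * x[k] for k in range(len(x))) for i in range(len(a))]


def expm(a, terms=24):
    """exp(A) by scaling and squaring around a truncated Taylor series."""
    n = len(a)
    norm = max(sum(abs(v) for v in row) for row in a)
    s = 0
    while norm > 0.5:          # scale until the series converges fast
        norm /= 2.0
        s += 1
    b = [[v / 2.0 ** s for v in row] for row in a]
    result, term = identity(n), identity(n)
    for k in range(1, terms + 1):
        term = [[v / k for v in row] for row in matmul(term, b)]
        result = [[result[i][j] + term[i][j] for j in range(n)] for i in range(n)]
    for _ in range(s):         # undo the scaling: exp(A) = exp(A/2^s)^(2^s)
        result = matmul(result, result)
    return result


def generator(rates):
    """Off-diagonal rates[i][j] (j -> i) become a generator Q with zero column sums."""
    n = len(rates)
    q = [[rates[i][j] if i != j else 0.0 for j in range(n)] for i in range(n)]
    for j in range(n):
        q[j][j] = -sum(q[i][j] for i in range(n) if i != j)
    return q


def build_population(n, media, seed=7):
    """Constructed social graph: for each medium (name, rate, fan_out) every
    person gets fan_out random outgoing edges at that medium's rate; rates
    between the same pair of people add up across media."""
    rng = random.Random(seed)
    rates = [[0.0] * n for _ in range(n)]
    for _name, rate, fan_out in media:
        for j in range(n):
            for i in rng.sample([k for k in range(n) if k != j], fan_out):
                rates[i][j] += rate
    return rates


def distribution(q, x0, t):
    """x(t) = exp(tQ) x_0: where the message is likely to be at time t."""
    return matvec(expm([[t * v for v in row] for row in q]), x0)


def prob_heard_by(q, x0, person, t):
    """P(person has received the message by time t). Zeroing the person's
    outgoing column makes them absorbing, so mass that arrives stays put."""
    qa = [row[:] for row in q]
    for i in range(len(q)):
        qa[i][person] = 0.0
    return distribution(qa, x0, t)[person]


# Constructed population of 12 with three media; persons 0 and 1 got the alert.
MEDIA = [("word of mouth", 0.05, 2), ("messaging app", 0.20, 3), ("broadcast", 0.02, 5)]
Q = generator(build_population(12, MEDIA))
X0 = [0.5, 0.5] + [0.0] * 10

if __name__ == "__main__":
    for t in (1, 5, 30):
        print(f"t={t:>2} min  P(person 11 has heard) = {prob_heard_by(Q, X0, 11, t):.3f}")
```

Because the message is modelled as a single token hopping between people, the memorylessness criticism in the post applies to this code exactly as written.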
Re: Yet another Quadruple DNS?
> On 2 Apr 2018, at 02:57, Aftab Siddiqui <aftab.siddi...@gmail.com> wrote:
>
> Here is the update from Geoff himself. I guess they didn't want to publish
> it on April 1st (AEST).
> https://blog.apnic.net/2018/04/02/apnic-labs-enters-into-a-research-agreement-with-cloudflare/

The research justification for a RIR to do this seems a little thin. Surely we, as a community, already know what happens when a company operates a public resolver. How will yet another one tell us more?

A more interesting question might be, what happens when we let multiple organisations anycast a well-known public resolver address? There are reasons why it might be a bad idea, but at least it’s slightly novel.

William Waites
Laboratory for Foundations of Computer Science
School of Informatics, University of Edinburgh

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Yet another Quadruple DNS?
> > On 30 Mar 2018, at 15:46, Royce Williams wrote:
>
> 77.77.77.77 - Dadeh Gostar Asr Novin P.J.S. Co. (Iran) | 77.77.64/19 |
> recursion-yes

Well, that one's a little odd:

% host news.bbc.co.uk 77.77.77.77
Using domain server:
Name: 77.77.77.77
Address: 77.77.77.77#53
Aliases:

news.bbc.co.uk has address 10.10.34.35
Re: Please run windows update now
> On May 15, 2017, at 21:17, valdis.kletni...@vt.edu wrote:
>
>> So for example why does[n’t] a client OS confirm that you really
>> meant to run a program on $THRESHOLD files…
>
> How does the operating system detect that and throw a pop-up
> *before* that executes?
>
> It's a lot harder problem than you think. Hint: Fred Cohen's PhD
> thesis showed that detecting malware is isomorphic to the Turing
> Halting Problem.

The general problem might well be that hard, I don’t know, it seems plausible. However Barry’s suggestion doesn’t seem impossible. One strategy is as follows. Have a counter in the kernel about writes to files. Have some sort of log-structured filesystem with checkpoints or whatever. When the counter goes too fast, show Barry’s dialog box and if the user says no, roll back the filesystem to the time just before the process (or its parent, or its parent’s parent, …) started. There are details to be ironed out, of course, but there’s no reason in principle that it couldn’t be done like this.

The reason that you don’t have to make the operating system solve the halting problem is because you ask the user.

William Waites
Laboratory for Foundations of Computer Science
School of Informatics, University of Edinburgh
Informatics Forum 5.38, 10 Crichton St.
Edinburgh, EH8 9AB, Scotland
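A toy simulation of the write-rate counter and rollback sketched in the post, added here and not part of the original message. The log-structured store, process tree, threshold, window and timings are all constructed, and the 'ask' callback stands in for the dialog box.

```python
"""Toy simulation of the write-rate counter with rollback described above.

Added example, not code from the original message. Assumptions (all
constructed): a log-structured store where every write is an appended log
entry and a checkpoint is just "forget entries newer than t"; a per-process
sliding-window count of writes; a threshold above which the 'ask' callback
(standing in for Barry's dialog box) is called; and, on a "no", a rollback to
the start time of the offending process or of an ancestor 'ancestors' levels
up the tree. Times are seconds.
"""
from collections import defaultdict, deque


class LogStructuredStore:
    """Filesystem as an append-only log; the current view folds the log."""

    def __init__(self):
        self.log = []        # (time, pid, path, data)
        self.started = {}    # pid -> start time
        self.parent = {}     # pid -> parent pid (None for init)

    def spawn(self, pid, parent, t):
        self.started[pid] = t
        self.parent[pid] = parent

    def view(self):
        files = {}
        for _t, _pid, path, data in self.log:
            files[path] = data
        return files

    def rollback_to(self, t):
        """Checkpoint semantics: discard every write at or after time t."""
        self.log = [entry for entry in self.log if entry[0] < t]


class WriteRateGuard:
    def __init__(self, store, threshold, window, ask, ancestors=0):
        self.store, self.threshold, self.window, self.ask = store, threshold, window, ask
        self.ancestors = ancestors
        self.recent = defaultdict(deque)   # pid -> timestamps of writes in window
        self.rolled_back = []              # pids whose start time we rolled back to

    def _rollback_root(self, pid):
        for _ in range(self.ancestors):
            if self.store.parent.get(pid) is None:
                break
            pid = self.store.parent[pid]
        return pid

    def write(self, pid, path, data, t):
        """Apply one write. Returns False if the user vetoed it (and rolled back)."""
        self.store.log.append((t, pid, path, data))
        recent = self.recent[pid]
        recent.append(t)
        while recent and recent[0] <= t - self.window:
            recent.popleft()
        if len(recent) > self.threshold:
            allowed = self.ask(pid, len(recent))
            recent.clear()                 # one prompt per burst
            if not allowed:
                root = self._rollback_root(pid)
                self.store.rollback_to(self.store.started[root])
                self.rolled_back.append(root)
                return False
        return True


def run_scenario(user_says_no=True):
    """Constructed: an editor writes 3 files slowly, then a bulk rewriter
    touches 40 files in 2 seconds. Returns (files, rolled_back, last_write_ok)."""
    store = LogStructuredStore()
    guard = WriteRateGuard(store, threshold=10, window=5.0,
                           ask=lambda pid, n: not user_says_no)
    store.spawn(1, None, 0.0)                      # init
    store.spawn(100, 1, 1.0)                       # editor
    for i in range(3):
        guard.write(100, f"/home/user/notes{i}.txt", "draft", 2.0 + i)
    store.spawn(200, 1, 10.0)                      # bulk rewriter
    ok = True
    for i in range(40):
        ok = guard.write(200, f"/home/user/doc{i}.txt", "REWRITTEN", 10.0 + i * 0.05)
        if not ok:
            break
    return store.view(), guard.rolled_back, ok
```

With the user answering "no", the eleventh burst write triggers the prompt and the rollback leaves only the editor's three files; answering "yes" keeps all 43.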
Re: gagging *IX directors re snoop/block orders
> On Feb 17, 2017, at 16:46, Patrick W. Gilmore <patr...@ianai.net> wrote:
>
> There is one problem: The article is factually incorrect on multiple points.

It would be interesting to know what points those are, it reads mostly accurately to me.

> The proposed constitutional changes are in the public domain.

The main problem, though this point may have gotten lost in the very long discussion on the LINX members list, is that the reasoning and motivation for the changes was not made clear. Even when explanatory materials were belatedly provided, they weren’t especially clear. So instead of saying, "we have this new spying law in the UK and we need to rejig the decision-making at LINX so we will be ready in case we are required to do something that must be kept secret" what was proposed to the membership was, "we have embarked on this long governance journey and this is what we have come up with as the best way to run LINX". Those are two very different propositions, especially for busy people who don’t have time to read in detail and understand all the implications.

All that I suggested is that the members be properly informed so that they can make this choice with their eyes open. It is important to have this discussion in the open, and explicitly mark the transition where Internet Exchange Points re-organise themselves to accommodate spying laws and gag orders.

William Waites
Laboratory for Foundations of Computer Science
School of Informatics, University of Edinburgh
Informatics Forum 5.38, 10 Crichton St.
Edinburgh, EH8 9AB, Scotland
Re: backbones filtering unsanctioned sites
> Looks like mostly proxy/torrent sites on that IP address.

That may be so. Maybe it isn’t particularly objectionable for Cogent not to carry traffic to some particular destination that they don’t like. As you point out they already only offer a partial view of the Internet. What is very problematic is that they announce that this destination is reachable via them, and then drop traffic. This is a problem for the same reason that hijacking by announcing more specifics is a problem. The BGP tables are no longer a source of truth about reachability. If this kind of behaviour from transit networks becomes the norm, we are in big trouble.

William Waites
LFCS, School of Informatics, University of Edinburgh
cloudflare contact
Could someone from Cloudflare's operations please contact me off-list?

Thanks,
-w

--
William Waites <wwai...@tardis.ed.ac.uk> | School of Informatics
https://tardis.ed.ac.uk/~wwaites/        | University of Edinburgh
https://hubs.net.uk/                     | HUBS AS60241
Re: de-peering for security sake
On Sat, 26 Dec 2015 11:14:25 -0500, Joe Abley <jab...@hopcount.ca> said:

>> My gauge is volume of obnoxious traffic. When I get lots of
>> SSH probes from a /32, I block the /32.
>
> ... without any knowledge of how many end systems are going to
> be affected. A significant campus or provider user base behind
> a NAT is likely to have more infections in absolute terms, which
> means more observed bad behaviour. It also means more
> end-systems (again, in absolute terms) that represent collateral
> damage.

Indeed this is only going to get worse with pressure on IPv4 addressing space. I often see this with small rural providers that have not yet progressed to the level of getting their own address space, and the available space is already insufficient in many cases.

Another important scenario where this happens is Tor exit nodes. I have not observed any de-peering or network-layer filtering around exit nodes, but the milder, but still very obnoxious, tactic of application-layer captchas happens a lot. This is a serious problem for privacy or security conscious users (i.e. most of Tor's userbase) that tend not to enable JavaScript unless there is good reason. And a lot of these captcha systems require JavaScript. I see this every day since I live in a country where it would be foolish not to use Tor as a matter of course. Large CDNs like Cloudflare are guilty of this and this exacerbates the problem because it prevents access to a very large set of resources and not just a single web site. It's not nice. It has the effect of turning the privacy-conscious into second-class netizens.

Rachel Greenstadt is presenting some research tomorrow at the CCC on the effect this has on excluding contributions to common goods such as Wikipedia: https://events.ccc.de/congress/2015/Fahrplan/events/7324.html

--
William Waites <wwai...@tardis.ed.ac.uk> | School of Informatics
https://tardis.ed.ac.uk/~wwaites/        | University of Edinburgh
https://hubs.net.uk/                     | HUBS AS60241
Re: interconnection costs
there is also the increasingly common pattern of "remote peering" where you lease a circuit to an exchange point but do not establish a presence in the facility. this can either be done with the last leg on a dedicated cross-connect (so it looks to the exchange operator just like any other connection except that it is to an intermediary and not to you) or multiplexed on a single connection to the exchange operated by a carrier that specialises in facilitating remote peering.

to the extent that this practice dramatically decouples the peering graph from the underlying infrastructure graph it is debatable if this is a wise or efficient strategy. on the other hand it significantly widens the operational scope of bgp configuration knobs.

but the point is, you can do peering without a physical presence in a location, and it is a common thing to do.

cheers,
-w

--
William Waites <wwai...@tardis.ed.ac.uk> | School of Informatics
https://tardis.ed.ac.uk/~wwaites/        | University of Edinburgh
https://hubs.net.uk/                     | HUBS AS60241
Re: AW: /27 the new /24
On Sat, 3 Oct 2015 12:42:01 +0200, Baldur Norddahl <baldur.nordd...@gmail.com> said:

> 2 million routes will not be enough if we go full /27. This is
> not a scalable solution. Something else is needed to provide
> multihoming for small networks (LISP?).

It's not too far off though. One way of looking at it is, for each extra bit we allow, we potentially double the table size. So with 500k routes and a /24 limit now, we might expect 4 million with /27. Not exactly because it depends strongly on the distribution of prefix lengths, but probably not a bad guess.

Also there are optimisations that I wonder if the vendors are doing to preserve TCAM such as aggregating adjacent networks with the same next hop into the supernet. That would mitigate the impact of wanton deaggregation at least and the algorithm doesn't look too hard. Do the big iron vendors do this?

-w

--
William Waites <wwai...@tardis.ed.ac.uk> | School of Informatics
http://tardis.ed.ac.uk/~wwaites/         | University of Edinburgh
https://hubs.net.uk/                     | HUBS AS60241
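The "aggregate adjacent networks with the same next hop into the supernet" idea the post wonders about, implemented over a constructed FIB as an added example (not from the post or any vendor). It assumes the binary-trie rule that two sibling prefixes sharing a next hop collapse into their parent, repeated until nothing changes; the lookup function checks that forwarding is unchanged.

```python
"""Added example (not from the post): "aggregate adjacent networks with the
same next hop into the supernet", run over a constructed FIB.

Assumption: two entries merge when they are the two halves of one parent
prefix and share a next hop; merging repeats until nothing changes, so four
adjacent /27s via one neighbour collapse to a /25, and further if the other
half matches too. A parent already in the table is overwritten, which is
forwarding-safe because the two children covered all of it. This compresses
the FIB only; the RIB and what is announced to peers are untouched."""
from ipaddress import ip_address, ip_network


def aggregate_fib(fib):
    """fib: {prefix_str: next_hop}. Returns an equivalent, smaller table."""
    table = {ip_network(p): nh for p, nh in fib.items()}
    changed = True
    while changed:
        changed = False
        # longest prefixes first so merges cascade upward within one pass
        for net in sorted(table, key=lambda n: -n.prefixlen):
            if net not in table or net.prefixlen == 0:
                continue
            parent = net.supernet()
            half_a, half_b = parent.subnets()
            if half_a in table and half_b in table and table[half_a] == table[half_b]:
                table[parent] = table.pop(half_a)
                table.pop(half_b)
                changed = True
    return {str(n): nh for n, nh in sorted(table.items(),
                                           key=lambda kv: (kv[0].version, kv[0]))}


def lookup(fib, addr):
    """Longest-prefix match over {prefix_str: next_hop}; None if no route."""
    ip = ip_address(addr)
    best = None
    for p, nh in fib.items():
        net = ip_network(p)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


# Constructed FIB: a /25 deaggregated into /27s behind next hop A, plus neighbours.
FIB = {
    "10.0.0.0/27": "A", "10.0.0.32/27": "A", "10.0.0.64/27": "A", "10.0.0.96/27": "A",
    "10.0.0.128/25": "A", "10.0.1.0/24": "B", "10.0.2.0/24": "B", "10.0.3.0/24": "C",
}

if __name__ == "__main__":
    compact = aggregate_fib(FIB)
    print(f"{len(FIB)} entries -> {len(compact)}: {compact}")
```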
Mikrotik in the DFZ (Was Re: AW: AW: /27 the new /24)
On Fri, 2 Oct 2015 23:11:47 +, Jürgen Jaritsch <j...@anexia.at> said:

> Regarding the words "I have a small router which handles
> multiple full tables ...": push and pull a few full tables at
> the same time and you'll see what's happening: the CCRs are
> SLOW. And why? Because the software is not as good as it could
> be: the BGP daemon uses only one core of a 36(?) core CPU.

To expand on this, the problem is worse than being single-threaded. I had one of these in the lab and fed it 2x full tables. Sure it wasn't the fastest at accepting them but then I noticed that even in steady state one of the CPUs was pegged. What was happening -- and this was confirmed by Mikrotik -- was that it was recalculating the *entire* FIB for each update. The general background noise of announce / withdraw messages means it is doing this all the time. Any churn and it would have a very hard time.

There are other serious bugs such as not doing recursive next hop lookup for IPv6 (it does for IPv4). This makes them unusable as BGP routers even for partial tables with most non-trivial iBGP topologies. All of which may be fixed one day in version 7 of their operating system, which will inevitably have many bugs as any software project .0 release will, so we'll have to wait for 7.x for it to be reasonably safe to use.

That said, we use a lot of Mikrotik kit for our rural networks. They're weird and quirky but you can't beat them on price, port density and power consumption. With 16 ports and 36 cores surely they should be capable of pushing several Gbps of traffic with a few full tables. I wish it were possible today to run different software on their larger boxes. If some like-minded small providers wanted to get together with us to fund a FreeBSD port to the CCR routers that would be great. Please contact me off-list if you are interested in this, I'll coordinate.

As it is we don't let them anywhere near the DFZ, that's done with PCs running FreeBSD and BIRD which can easily do the job but is still an order of magnitude more expensive (and an order of magnitude less expensive than what you need if you want 10s of Gbps).

-w

--
William Waites <wwai...@tardis.ed.ac.uk> | School of Informatics
http://tardis.ed.ac.uk/~wwaites/         | University of Edinburgh
https://hubs.net.uk/                     | HUBS AS60241
Re: Capital Internet http://www.capitalinternet.com/ down?
Near as I can tell, the network that your nameservers are in, 68.168.144.0/20 is being correctly announced by AS21560 which is "Netstream Communications". I see this announcement here. A traceroute goes as far as,

13  te0-3-1-7.agr22.atl01.atlas.cogentco.com (154.54.47.190)  97.933 ms  te0-3-1-7.agr21.atl01.atlas.cogentco.com (154.54.30.94)  114.202 ms  be2149.ccr42.jfk02.atlas.cogentco.com (154.54.31.126)  93.931 ms
14  be2112.ccr41.atl01.atlas.cogentco.com (154.54.7.158)  100.736 ms  te0-0-2-0.nr11.b000173-2.atl01.atlas.cogentco.com (154.24.14.118)  100.019 ms  be2112.ccr41.atl01.atlas.cogentco.com (154.54.7.158)  100.691 ms
15  te0-4-1-7.agr21.atl01.atlas.cogentco.com (154.54.44.178)  101.480 ms  te0-3-1-7.agr22.atl01.atlas.cogentco.com (154.54.47.190)  101.860 ms  38.88.191.250 (38.88.191.250)  99.150 ms
16  te0-0-2-3.nr11.b000173-2.atl01.atlas.cogentco.com (154.24.15.10)  102.828 ms

looks like something within Netstream or between them and Cogent.

Also both your nameservers seem to be right beside each other in the same netblock -- that's not really the best idea for just this sort of reason. It'd be a good idea to have secondary nameservers somewhere else (Esgob do free secondary anycast DNS and they're nice folk).

-w

--
William Waites <wwai...@tardis.ed.ac.uk> | School of Informatics
http://tardis.ed.ac.uk/~wwaites/         | University of Edinburgh
https://hubs.net.uk/                     | HUBS AS60241
Re: Dual stack IPv6 for IPv4 depletion
On Sun, 5 Jul 2015 06:13:52 +, Mel Beckman m...@beckman.org said:

> In fact, I show just how to do this using a $99 Apple Airport Express in my
> three-hour online course “Build your own IPv6 Lab”

An anecdote about this, maybe out of date, maybe not. I was helping my friend who likes Apple things connect to the local community network. He wanted to use an Airport as his home gateway rather than the router that we normally use. Turns out these things can *only* do IPv6 with tunnels and cannot do IPv6 on PPPoE. Go figure. So there is not exactly a clear path to native IPv6 for your lab this way.

-w
Re: Dual stack IPv6 for IPv4 depletion
On Sun, 5 Jul 2015 18:25:26 +, Josh Moore jmo...@atcnetworks.net said:

> So basically what you are telling me is that the NAT gateway needs to be
> centrally aggregated.

If you must do NAT it should be as close to the edge as possible. Today that's usually at the CPE. Maybe tomorrow that's one hop upstream at the distribution router. That way the core remains clean and doesn't accumulate state or have to deal with asymmetries.

-w
Re: eBay is looking for network heavies...
On Thu, 11 Jun 2015 14:24:31 +0200, Ruairi Carroll ruairi.carr...@gmail.com said:

> What I found is that back in early-mid 00's, the industry was a black box.
> Unless you knew someone inside of the industry...

I suspect this is partly a result of the consolidation that went on. In the mid 1990s when I started, there were tons of small mom and pop ISPs with 28.8 modems stacked on Ikea shelving. The way that I got my first job as a student was literally by hanging around one of them and pestering them until they hired me part time. These small ISPs grew and most were eventually acquired and people who stuck around through that -- especially the often quite complicated network integration that happens after acquisitions -- learned quite a lot about how the Internet operates at a variety of scales and saw a variety of different architectures and technical strategies.

The scale and stability of today's Internet means that path is mostly closed now I think, particularly if what you want to do is get a job at a big company. But not entirely, there are still lots of rich field-learning opportunities on the periphery, in places where large carriers fear to tread...

-w
Re: Low Cost 10G Router
> BGP is still atrocious on the CCRs, but that's because the route update
> process isn't multithreaded.

I recently took a close look at this, and that the update process is single-threaded is not the major problem so long as churn is not too great. The problem is that due to a deeper problem the entire forwarding table needs to be recalculated for *each* update. This means that even with the usual background noise in the DFZ the daemon is constantly updating everything. There are other bugs as well such as not supporting recursive next hop (e.g. via OSPF) lookup for IPv6 which means that if you have any iBGP sessions and more than one internal path you're out of luck with no obvious workaround.

The stock answer from Mikrotik is that everything will be fixed in the next major release of the OS. When that happens, and how long it takes to shake out the inevitable new bugs is an open question. Personally I give it at least a year before we would even try to use these seriously for BGP. Until then, it's FreeBSD and BIRD.

Best,
-w

--
William Waites wwai...@tardis.ed.ac.uk | School of Informatics
http://tardis.ed.ac.uk/~wwaites/       | University of Edinburgh
https://hubs.net.uk/                   | HUBS AS60241
Re: Peering and Network Cost
On Sun, 19 Apr 2015 11:23:53 +0200, Baldur Norddahl baldur.nordd...@gmail.com said:

> So why is IX peering so expensive? But the only service is running an old
> layer 2 switch. The 40 dix participants should donate 1000 USD once and get
> a new layer 2 switch. Why does that not happen?

This is something like how TORIX was operated at the beginning. The switch was donated by Cisco and rack space by a member with a cage at a convenient spot at 151 Front -- I think this was jlixfeld at look.ca. Fees were a $1/port/year peppercorn. It has been a long time since I was in any way involved in that, but today for a 1Gbps port TORIX charges $1200/year which is more but still not as much as you say for other IXPs. It would be interesting to hear from someone who was involved in TORIX at the time how this transition from $1 to $1200 went and the reasoning behind it. My guess would be moving to its own space and having to pay rent was a major part of it, and possibly acquiring staff?

Also note that the LINX exchanges do not charge for the first 1Gbps port (or the n-th at the regional exchanges) though there is a membership fee which makes it roughly equivalent to what TORIX does today. From that point of view you guys in Denmark seem to be paying somewhat over the odds.

Cheers,
-w

--
William Waites wwai...@tardis.ed.ac.uk | School of Informatics
http://tardis.ed.ac.uk/~wwaites/       | University of Edinburgh
http://www.hubs.net.uk/                | HUBS AS60241
Re: macomnet weird dns record
Colin, I understand that you would like everyone on the Internet to behave in a way that you consider normal and tailor their reverse DNS so as not to offend your aesthetic sense. It is frustrating when other people do things differently, my deepest sympathies.

Also if you have ever used a BSD system you will know that writing netmasks in hex is perfectly normal.

-w

--
William Waites wwai...@tardis.ed.ac.uk | School of Informatics
http://tardis.ed.ac.uk/~wwaites/       | University of Edinburgh
http://www.hubs.net.uk/                | HUBS AS60241
Re: Verizon Policy Statement on Net Neutrality
On Fri, 27 Feb 2015 23:24:17 +, Naslund, Steve snasl...@medline.com said:

> I was an ISP in the 1990s and our first DSL offerings were SDSL symmetric
> services to replace more expensive T-1 circuits. When we got into
> residential it was with SDSL and then the consumers wanted more downstream
> so ADSL was invented. I was there, I know this.

So was I and my experience was different. We decided that it would be more profitable as a small ISP to re-sell Bell Canada's ADSL than to try to unbundle central offices all over the place. The arguments from the business side had nothing whatsoever to do with symmetry or lack thereof. The choice of technology was entirely by the ILEC.

> To that I will just say that if your average user spend as much time
> videoconferencing as they do watching streaming media then they are
> probably a business.

No, you misunderstand. I don't dispute that the area under end-user traffic statistics graphs is asymmetric. But that the maximum value -- particularly the instantaneous maximum value which you don't see with five minute sampling -- wants to be quite a lot higher than it can be with a very asymmetric circuit. If someone works from home one day a week and has a videoconference or two, we still want that to work well, right?

And perfect symmetry is not necessary. Would I notice the difference between 60/60 and 60/40 or even 60/20? Probably not really as long as both numbers are significantly more than the expected peak rate. But 24/1.5, a factor of 16, is a very different story.

-w

--
William Waites wwai...@tardis.ed.ac.uk | School of Informatics
http://tardis.ed.ac.uk/~wwaites/       | University of Edinburgh
Re: Verizon Policy Statement on Net Neutrality
It certainly seems to be Friday.

On Fri, 27 Feb 2015 17:27:08 +, Naslund, Steve snasl...@medline.com said:

> That statement completely confuses me. Why is asymmetry evil? Does that
> not reflect what Joe Average User actually needs and wants?
> ...
> There is no technical reason that it can't be symmetric it is just a
> reflection of what the market wants.

This is a self-fulfilling prophecy. As long as the edge networks have asymmetry built into them popular programs and services will be developed that are structured to account for this. As long as the popular programs and services are made like this, the average user will not know that they might want something different. It doesn't have to be this way, it's an artefact of a choice on the part of the larger (mostly telephone company) ISPs in the 1990s. It also happens to suit capital because it is more obvious how to make money at the expense of the users with an asymmetric network and centralised Web 2.0 style services.

Thankfully the cracks are starting to show. I was pleased to hear the surprised and shocked praise when I installed a symmetric radio service to someone in the neighbourhood and it was no longer painful for them to upload their photographs. Multi-party videoconferencing doesn't work well unless at least one participant (or a server) is on good, symmetric bandwidth. These are just boring mundane applications. Imagine the more interesting ones that might emerge if the restriction of asymmetry was no longer commonplace...

-w

--
 /\  William Waites wwai...@tardis.ed.ac.uk
 \ / ASCII Ribbon Campaign | School of Informatics
  X  against HTML e-mail   | University of Edinburgh
 / \ (still going)         | http://tardis.ed.ac.uk/~wwaites/
Re: Verizon Policy Statement on Net Neutrality
On Fri, 27 Feb 2015 14:24:54 -0500, Bruce H McIntosh b...@ufl.edu said:

> What's a lawful web site? Now *there* is a $64,000 question. Even more
> interesting is, Who gets to decide day to day the answer to that
> question? :)

Over here we have some kind of an answer to that question... And it's not a very good one...

--
 /\  William Waites wwai...@tardis.ed.ac.uk
 \ / ASCII Ribbon Campaign | School of Informatics
  X  against HTML e-mail   | University of Edinburgh
 / \ (still going)         | http://tardis.ed.ac.uk/~wwaites/
[OT] Re: Intellectual Property in Network Design
On Fri, 13 Feb 2015 11:43:14 +1100, Ahad Aboss a...@telcoinabox.com said:

> In a sense, you are an artist as network architecture is an art in itself.
> It involves interaction with time, processes, people and things or an
> intersection between all.

This Friday's off-topic post for NANOG:

Doing art is creative practice directed to uncover something new and not pre-conceived. Successful acts of art produce something that not only wasn't there before but that nobody thought could be there. The art is the change in thinking that results. Whatever else is left over is residue.

An engineer or architect in the usual setting, no matter how skilled, is not doing art because the whole activity is pre-conceived. Even a clean and elegant design is not usually intended to show beautiful connections between ideas the same way poetry or mathematics might. Hiring an engineer for this purpose almost never happens in industry. Rather the purpose is to make a thing that does what it is intended to do. It is craft, or second-order residue. Useful, possibly difficult, but not art.

Some people want to claim ownership of a recipe for predictably creating residue of a certain kind. An artist knows that this is not good for doing art because nothing new can come from it. If they are committed to their practice, they will not seek to prevent others from using an old recipe. Why would they? They have already moved on.

Some older thoughts on the topic: http://archive.groovy.net/syntac/
Re: HTTPS redirects to HTTP for monitoring
On 18 Jan 2015 18:15:09 -, John Levine jo...@iecc.com said:

> I expect your users would fire you when they found you'd blocked access to
> Google.

Doesn't goog do certificate pinning anyways, at least in their web browser?
Re: determine relationship between the operators based on import and export statements in aut-num object?
On Tue, 25 Nov 2014 17:36:47 +0200, Martin T m4rtn...@gmail.com said:

> Last but not least, maybe there is altogether a more reliable way to understand the relationship between the operators than aut-num objects (often not updated) in RIR database?

The first thing to do is look and see if the policy of, e.g., AS65133 is consistent with what you see there. I suspect you'll find a lot of mismatches. I don't know if that has been studied systematically, but it should be simple to do.

Next, much more data intensive, is to trawl through the route views data and see to what extent the actual updates seen are consistent with the RIR objects, and also see what (topological, not financial, as Valdis points out) relationships they imply that are not present in the RIR database.

-w
Re: Multi-homing with multiple ASNs
On Fri, 21 Nov 2014 11:07:49 +0200, Mark Tinka mark.ti...@seacom.mu said:

>> We own an AS number and our IP space but at the last minute learned our state network is advertising our network using two different ASNs (neither ours)

This will work, as in the BGP path selection algorithm will work as designed in this situation. But it also means that the routing policy is out of your control, which is kind of the point of having an ASN! It also makes it harder to track down who is operationally responsible for that address space since it appears to the outside world to be in two (or three!) different places. I'd say don't do this unless you really have no choice.

> Why aren't you originating your own prefixes and ASN by yourselves, since you own both?

Good question. We (AS60241) almost ended up doing similarly for a while. Because of a close association with the universities in Scotland, we discussed the possibility of transit via JANET. This turned out to be difficult because they run a whole bunch of private ASNs internally -- unlike in North America where universities typically have their own real one. So it would have been us - private stuff - AS786 and for some reason that I forget they were unable to remove private ASNs from the path. The best that might have been possible would be to have had them announce our networks with synchronisation on, which would have meant the outside world would have seen them originating in both AS786 and AS60241. Icky. We (mutually) decided against this.

Just to say that there are strange, but not completely unreasonable circumstances in which this can happen...

-w
Re: Scotland ccTLD?
On 16/09/14 16:26, Jay Ashworth wrote:

> I see also a suggestion, credited to Dave Eastabrook (sp?) of .ab, which apparently stands for Alba, which I will assume has historical significance (the country name in Scots Gaelic, perhaps?)

It has current significance, as Gaelic is recognised as an official (albeit minority) language. This is probably a reasonable suggestion.

The irony is that these kinds of infrastructure questions are so far below the radar of the Scottish Government that I wouldn't be surprised at all if its operation were outsourced to Nominet...
Re: NAT IP and Google
On Tue, May 20, 2014 at 10:21:43PM +0800, Pui Edylie wrote:

> May I know what is the best approach so that Google would not ban our NATted IP from time to time as it suspects it is a bot.

IPv6?
Re: NAT IP and Google
On Tue, May 20, 2014 at 10:35:56AM -0400, Harald Koch wrote:

> Might help if all your hosts have their own IPv6 addresses

That was meant to be implied... But...

On Tue, May 20, 2014 at 09:10:56AM -0600, Derek Andrew wrote:

> They take out our campus, both IPv4 and IPv6.

That's interesting, I haven't seen this happen with IPv6. Some of the networks I work with do the everything-behind-NAT thing and get bitten by this. Using a pool of addresses helps but...

This is only going to get more painful with more people doing Carrier Grade NAT...

-w
Re: WISP or other options
On Wed, Mar 26, 2014 at 10:30:27PM -0500, Nick wrote:

> Does anyone have contacts in Edinburgh Scotland who can provide WISP service at the Hopetoun House and Dundas Castle. I would like to have 20-60 Mbps for 2 days of services.

There is a *chance* that we (http://hubs.net.uk/) can help. Our network in Edinburgh is mostly constructed for serving areas to the South -- the Lothians, the Borders, etc. and South Queensferry is to the Northwest. So one way of doing this would be to find an intermediate spot and make two links. Briefly consulting a map there are a few candidates, and for some, a temporary relay (the broadband wagon parked on a hilltop) might work. It also looks as though there may be line of sight to Scolocate in South Gyle which is a major datacentre where IX Scotland is -- unfortunately we don't have anything on the roof there at the moment.

If the event is for some sort of not-for-profit or academic related thing other possibilities open up as well; it may be possible to use one of the universities' networks to get most of the way there.

There are definitely possibilities, but it may well be too expensive for such a short duration. Send me a mail off list if you want to discuss in more detail.

> Our company's event planner claims there are no good ISP options in the area and wants us to go with satellite internet which is pricy and has high latency. It's worth noting both locations have ~7 Mbps DSL.

It would be interesting to talk to this event planner...

Another option is bonded ADSL. I'd recommend Andrews and Arnold (http://aa.net.uk/) for that. It's a bit ugly, and any DSL or FTTx is very expensive for real use (BT Wholesale's tariff for bandwidth on their DSL carrier interconnect for resale is something like £40/Mbps plus lots of other charges) but for a temporary situation it's not a bad option.

Cheers,
-w
Re: WISP or other options
On Thu, Mar 27, 2014 at 03:35:20AM +, Warren Bailey wrote:

> You are screwed for LOS microwave, 60 Mbps on a microwave hop requires real life engineering to function correctly.

Well now, really. Yes it needs engineering, but nothing spectacularly difficult. The upper bound on distance the OP needs is something like 10 miles which is peanuts. Any of your typical off the shelf 5GHz stuff will do that, you can even just eyeball the alignment. The upper 5GHz band is not very crowded around here. You do need line of sight which means spending a little time with a topo map. You're right that it isn't as simple as just putting up some antennas, leaving the kit at factory defaults and hoping, but that's not a very high bar.

> towers

Rather conveniently there are lots of hills around here. A typical tower can easily be something made out of standard scaffolding not more than 2.5m tall. You try to build them at the top of steep bits so that people (and sheep) can't easily stand in front of the antennas.

> If you're looking for satellite

Satellite is a last resort, and almost always unnecessary even in very remote places. It is also, as you point out, extremely expensive.

Best,
-w
Re: WISP or other options
On Thu, Mar 27, 2014 at 12:02:30AM -0400, Miles Fidelman wrote:

> Laser link, and pray for clear weather?

You'll have to pray really hard around here, especially in South Queensferry down by the water...

We actually have an FSO link between two tall buildings in South Edinburgh. Only about 500m. It works pretty well except when the haar rolls in. Giant pain in the behind to align though, and given that the wind that comes over the top of these tall buildings can be 5x that at ground level, and gales happen several times a year, keeping them aligned is... interesting...

-w
Re: WISP or other options
On Thu, Mar 27, 2014 at 05:09:05AM +, Warren Bailey wrote:

> It's not 802.11 and it doesn't act that way.

Actually most of the installations I've seen -- and my day job is working with community networks around Scotland that have built all manner of strange things -- the problems most often have nothing at all to do with the physical layer. More often they're related to doing things with spanning tree that we all learned in networking long ago not to do, or running many layers of NAT because IP routing is not understood. Things like that. The only common RF problem is leaving the channel selection on auto. Which invariably means one radio, like an access point with a sector antenna, can't hear the point to point link coming in to the dish behind it and picks the wrong channel.

Again, yes, you're right, you have to understand how this stuff works and think a little bit when you build, but your messages saying "it's really really hard" are coming across a little like FUD.

> A pair of Air Fiber is like 3k USD, and at 24 GHz you had better know

The AF24 are also illegal here. Or rather the lower channel belongs to the police, and the upper channel is limited to a very low output power. We have a pair of these, with a special non-operational license from Ofcom to put them through their paces. They do work, though they are a pain to align and subject to rain fade. They are on the West coast which is very rainy. Right now we're using them to measure rain intensity rather than to carry real traffic (which we can't do with a non-op license anyways).

-w
Re: NSA able to compromise Cisco, Juniper, Huawei switches
Is Ken Thompson turning over in his grave yet? I certainly hope not...
Re: The Making of a Router
On Fri, 27 Dec 2013 07:23:36 -0500 (EST), Justin M. Streiner strei...@cluebyfour.org said:

> You end up combining some of the downsides of a hardware-based router with some of the downsides of a server (new attack vectors, another device that needs to be backed up, patched, and monitored...

Might be a good idea to back up, patch and monitor your routers too... Just sayin'
Re: Is there a method or tool(s) to prove network outages?
On Sun, 1 Dec 2013 17:56:51 +0100, Notify Me notify.s...@gmail.com said:

> I have a very problematic radio link which goes out and back on again every few hours.

Is every few hours regular/cyclical? Does the radio link cross a tidal body of water?

-w
Re: Is there a method or tool(s) to prove network outages?
On Sun, 1 Dec 2013 20:25:36 +, Sina Owolabi notify.s...@gmail.com said:

> It's cyclical, but I have not tried to graph/measure its repetition before now... Body of tidal water..could be

This is speculation until you have measurements, but if this is the case I'd wager you are having reflected signal interference off of the water. The water acts like a mirror and as it moves up and down the reflected signal will move in and out of phase with the main signal. At certain points you'll get near complete cancellation and the link will fail. See section 4 here for some explanations, fig 5 and 6 for what you could expect the graphs of signal strength, time, link capacity to look like:

http://homepages.inf.ed.ac.uk/mmarina/papers/mobicom_winsdr08.pdf

But not having access to the RF part you can't measure this directly. If you can get tide tables for a nearby location, what you could do is say that signal strength is 1 if the link is working and 0 if it is not. Measure for a while then scatterplot that against the level of the tide. If the measurements of 0 group tightly together in a few spots then you know definitely what is happening. Perhaps that plot together with a pointer to a nice academic paper would be enough to convince the provider of what is happening.

What could you do about this? If you are lucky and the interference does not complete a full cycle from destructive to constructive and back with the largest amplitude of the tides that you experience in that place, you could try moving the antenna up or down. How much depends on the frequency and distances involved but I'd try 25cm increments up to a couple of meters if you can. You'll still get degradation but can hopefully avoid the deep nulls that take the link out completely.

If you are able and willing to replace the end-site radios or antennas with your own, and the link uses some sort of 2xN MIMO, you could arrange vertical spacing between the antennas so that you have a good signal at one antenna when the other one is experiencing a null. This should get you on average half the best-case throughput the equipment is capable of but it should get you that consistently. The actual spacing depends on the distances and heights involved.

-w
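The measurement the post describes (link state as a 0/1 signal, plotted against tide height) can be reduced to a small script. This is an added example, not code from the thread; its inputs are constructed: a sinusoidal tide stands in for a tide table, and a per-minute reachability probe with outages planted in two narrow tide-height bands stands in for the monitoring data, which is the pattern a reflected path off the water would produce. It goes slightly beyond the post by turning "do the zeros group tightly in a few spots" into a reproducible yes/no test.

```python
"""Correlating link state with tide height, as the post suggests.

Added example, not from the thread. Inputs are constructed: a sinusoidal
tide (height in metres, 12.42 h semi-diurnal period) stands in for a tide
table, and a per-minute reachability probe stands in for monitoring data.
Outages are planted in two narrow tide-height bands, the pattern a path
reflected off the water surface would produce.
"""
import math
from collections import defaultdict

TIDAL_PERIOD_MIN = 12.42 * 60   # semi-diurnal tide, in minutes
BIN_M = 0.25                    # tide-height bin width in metres


def tide_height(t_min, amplitude=2.5):
    """Constructed stand-in for a tide table: height above mean sea level."""
    return amplitude * math.sin(2 * math.pi * t_min / TIDAL_PERIOD_MIN)


def probe_link(t_min):
    """Constructed reachability probe: 1 = link up, 0 = link down.
    Deep nulls are planted at two tide heights (0.75-1.0 m and -1.75 to -1.5 m)."""
    h = tide_height(t_min)
    in_null = abs(h - 0.875) < 0.125 or abs(h + 1.625) < 0.125
    return 0 if in_null else 1


def collect(days=3, step_min=1):
    """(minute, tide height, link state) samples over `days` days."""
    return [(t, tide_height(t), probe_link(t))
            for t in range(0, days * 24 * 60, step_min)]


def height_bin(h):
    """Floor of the tide height to the bin grid (keys stay exact floats)."""
    return math.floor(h / BIN_M) * BIN_M


def outage_by_height(samples):
    """Fraction of 'down' samples per tide-height bin: the scatterplot as a table."""
    counts = defaultdict(lambda: [0, 0])          # bin -> [down, total]
    for _, h, up in samples:
        b = height_bin(h)
        counts[b][1] += 1
        counts[b][0] += (up == 0)
    return {b: down / total for b, (down, total) in sorted(counts.items())}


def null_bands(samples, threshold=0.5):
    """Tide-height bins in which the link is down at least `threshold` of the time."""
    return [b for b, frac in outage_by_height(samples).items() if frac >= threshold]


def tide_explains_outages(samples, max_bands=3, coverage=0.9):
    """Heuristic from the post: if nearly all downtime falls into a few
    tide-height bins, the tide (reflected path) is the prime suspect.
    Returns (bands, verdict)."""
    bands = set(null_bands(samples))
    downs = [h for _, h, up in samples if up == 0]
    if not downs or not bands or len(bands) > max_bands:
        return sorted(bands), False
    covered = sum(height_bin(h) in bands for h in downs)
    return sorted(bands), covered >= coverage * len(downs)


if __name__ == "__main__":
    bands, verdict = tide_explains_outages(collect())
    print("null bands (m):", bands, "tide-correlated:", verdict)
```

With real data, replace `tide_height` by a lookup into the port's tide table and `probe_link` by the monitoring system's up/down series sampled on the same timestamps; the bin table is what you would hand to the provider alongside the paper.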
Re: Meraki
On Wed, 20 Nov 2013 14:08:53 -0500, Ray Soucy r...@maine.edu said:

> I'm very interested in other user experiences with Ubiquiti for smaller deployments vs. traditional Cisco APs and WLC. Especially for a collection of rural areas. The price point and software controller are very attractive.

I've never used the software controller but we use a lot of Ubiquiti kit in rural Scotland. We use it mostly in transparent bridge mode with more capable routers speaking ethernet - FreeBSD on Soekris boards and Mikrotik mostly. In general the RF part is great, but the software part is buggy. We have been extensively bitten by transparent bridge not being transparent enough and eating multicast packets which of course completely hoses OSPF. Using NBMA and being very careful about which firmware version mostly works. Don't try to make them do anything sophisticated.

-w
Policy-based routing is evil? Discuss.
I'm having a discussion with a small network in a part of the world where bandwidth is scarce and multiple DSL lines are often used for upstream links. The topic is policy-based routing, which is being described as load balancing where end-user traffic is assigned to a line according to source address.

In my opinion the main problems with this are:

- It's brittle, when a line fails, traffic doesn't re-route
- None of the usual debugging tools work properly
- Adding a new user is complicated because it has to be done in (at least) two places

But I'm having a distinct lack of success locating rants and diatribes or even well-reasoned articles supporting this opinion. Am I out to lunch?

-w
Re: Policy-based routing is evil? Discuss.
On Fri, 11 Oct 2013 10:41:46 -0700, joel jaeggli joe...@bogus.com said:

> you take all the useful information that an IGP could be (or is) providing you, and then you ignore it and do something else.

Yes, that's another part of the conversation, encouraging the use of an IGP, which has been a source of trouble for them because of broken wireless bridges from a very commonly used vendor that randomly eat multicast packets, so it's not as straightforward as it should be.

> evil is not a synonym for ugly patch placed over a problem that could be handled better.

Ok, fair enough. My first experience with PBR was as a summer intern in the mid-1990s who inherited management of a large ATM network that had a big VPN-esque thing built entirely that way and with no documentation. It certainly felt evil at the time. ;)

-w
Re: Internet Surveillance and Boomerang Routing: A Call for Canadian Network Sovereignty
On Tue, 10 Sep 2013 10:27:15 -0700, Bill Woodcock wo...@pch.net said:

> or to make an ISP class license requirement that every service provider network deliver traffic that has source and destination addresses within a region, without passing the traffic across the border of the region. That's a technology-neutral way of saying that if you have a customer in a region, and someone else has a customer in the same region, you and they had better figure out a way of delivering that traffic through peering or local transit.

That's historically the way it was in Canada, although it was originally phrased in terms of the telegraph and persisted up until the beginnings of the commercial Internet when the rule was abolished. It's also the reason why, for example, the old trans-atlantic cables went from the UK to Nova Scotia before New York even though the bulk of the traffic was UK-US. Theoretically, traffic within the empire was not supposed to cross a third border. I believe the rationale behind this was to prevent eavesdropping.

I have a pet theory that this rule was one of the main reasons that Canada has such a well developed telecommunications industry -- it was forced by law to develop it indigenously rather than just dumping telephone calls across the border into the 'states, which probably would have made more economic sense. When the rule was abolished in the early 1990s it wasn't clear if it should or should not apply to Internet traffic but leaving the answer entirely to market forces may have stunted the development of East-West capacity within Canada. Is this a good or a bad thing?

I can remember back when there was a project in the 'states called Carnivore, and we had some American police -- I believe they were FBI -- come up and ask us politely if we'd like to put some of their machines on our network. Everybody pretty much uniformly said no.

Shortly thereafter an American carrier showed up selling gigabit ethernet circuits to NYC for well below what was the going rate at the time and effectively pulled a lot of traffic that would otherwise have remained in country across the border. I've been outside of North America for a while now so I don't know first hand, but from the commentary on this list that trend appears to have continued...

-w
Re: I don't need no stinking firewall!
On 10-01-05 at 21:29, Dobbins, Roland wrote:

> Stateful firewalls make absolutely no sense in front of servers, given that by definition, every packet coming into the server is unsolicited (some protocols like ftp work a bit differently in that there're multiple bidirectional/omnidirectional communications sessions, but the key is that the initial connection is always unsolicited).

Most hosts are in some measure servers and clients. Sometimes a server might want to make an outbound connection for a legitimate reason (say a DNS lookup or zone transfer). Sometimes it might be tricked into doing so for nefarious reasons (like the old reverse telnet trick of binding a shell to an outbound tcp connection). A properly configured firewall will prevent the latter.

-w
[OT] Re: Sheriffs and Vigilantes
On 08-09-29 at 10:40, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> It is not vigilantism, it is the common law, rooted in ancient English history, of the shire reeve, who we now call the sheriff. Reeve means called, from the Germanic verb rufen. In other words, this person is someone who is called to the duty by the shire.

George Trevelyan's History of England gives the distinct impression that the sheriff was not quite so grass-roots an office as this thread might have one believe. The office was created at the instigation of the Norman monarchs so that they would have a parallel administrative structure from that of the feudal barons. This was to make it harder for the uppity barons to unseat the king as happened regularly in pre-Norman times.

> In other words, this person checked the property of his peers. He was one of the community which selected him.

I wonder if the reeve (gerefa) was thought of as called by the community or by the king. Trevelyan and etymonline suggest the latter. Who, within the community, got to be sheriff was probably the community's choice. But once in office the sheriff was likely answerable to the king.

In the absence of a monarch, is NANOG now trying to behave like the North American Regency Council? Hmmm...

In Spain, a vigilante is a security guard, almost always unarmed, whose job it is to be vigilant and call the police if something bad happens and take temporary measures if possible in the meantime. That type of vigilante would seem to correspond quite closely with the job of the responsible network security/operations person.

Cheers,
-w

-- 
William Waites VE2WSW [EMAIL PROTECTED]
http://www.irl.styx.org/ +49 30 8894 9942
CD70 0498 8AE4 36EA 1CD7 281C 427A 3F36 2130 E9F5
Re: Mechanisms for a multi-homed host to pick the best router
> So, for example, if the server receives the SYN from router R3, it would send the SYN ACK and all subsequent packets for the TCP connection over that same interface R3.

... right idea. works great. see the following:

http://www.academ.com/nanog/feb1997/multihoming.html
http://www.irbs.net/internet/nanog/9706/0232.html
http://gatekeeper.dec.com/pub/misc/vixie/ifdefault/

This approach is particularly useful for hosts with multiple IPv6 tunnels. Some tunnel providers implement strict RPF, some don't. Where this is the case, having multiple tunnels (cf multiple address ranges) is problematic. Of course these days perhaps the IPv4 variant could be done with a stateful NAT. Maybe a case could be made for IPv6 NAT (and site-local addresses?) in this scenario...

-w

-- 
William Waites [EMAIL PROTECTED]
http://www.irl.styx.org/ +49 30 8894 9942
CD70 0498 8AE4 36EA 1CD7 281C 427A 3F36 2130 E9F5
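The failure mode the reply points at (a tunnel provider doing strict reverse-path filtering dropping replies that leave via the "wrong" tunnel) and the fix (reply out of the interface that owns the source address) can be modelled in a few dozen lines. This is an added example, not code from the thread or from the linked papers. Everything in it is constructed: the two tunnel providers, their strict-RPF behaviour, the addresses (from the 2001:db8::/32 documentation range) and the Linux routing-table numbers are all assumptions made for the illustration.

```python
"""Reply-interface selection for a multi-addressed host, checked against
strict reverse-path filtering at the provider.

Added example, not from the thread or the linked papers. Addresses and
prefixes are constructed from the IPv6 documentation range (2001:db8::/32);
the two "tunnel providers", their strict-RPF behaviour and the routing
table numbers are assumptions made for the illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    name: str
    prefix: ipaddress.IPv6Network     # prefix the provider delegated to us
    local: ipaddress.IPv6Address      # our address on this tunnel
    table: int                        # Linux routing table id (assumed, arbitrary)
    strict_rpf: bool = True           # provider drops packets sourced outside its prefix


TUNNELS = [
    Tunnel("tun-a", ipaddress.ip_network("2001:db8:a::/48"),
           ipaddress.ip_address("2001:db8:a::1"), table=101),
    Tunnel("tun-b", ipaddress.ip_network("2001:db8:b::/48"),
           ipaddress.ip_address("2001:db8:b::1"), table=102),
]


def provider_accepts(tunnel, src):
    """Strict RPF at the far end: the source must lie in the delegated prefix."""
    return (not tunnel.strict_rpf) or (src in tunnel.prefix)


def egress_by_default_route(tunnels, src, dst):
    """Plain host: one default route, so every packet leaves via the first tunnel
    regardless of which address it is sourced from."""
    return tunnels[0]


def egress_by_source(tunnels, src, dst):
    """The approach in the post: send replies out the interface that owns the
    source address, i.e. the one the SYN arrived on."""
    for t in tunnels:
        if src == t.local:
            return t
    raise ValueError(f"no tunnel owns source address {src}")


def simulate_replies(tunnels, policy):
    """A SYN arrives over each tunnel, addressed to that tunnel's local address.
    TCP forces the SYN-ACK to be sourced from the same address; record whether
    the provider on the chosen egress accepts it. Returns {tunnel: accepted}."""
    client = ipaddress.ip_address("2001:db8:ffff::42")   # constructed remote peer
    verdict = {}
    for arrival in tunnels:
        reply_src = arrival.local
        egress = policy(tunnels, reply_src, client)
        verdict[arrival.name] = provider_accepts(egress, reply_src)
    return verdict


def linux_policy_rules(tunnels):
    """iproute2 commands that implement egress_by_source on Linux: one routing
    table per tunnel, selected by source prefix. Table ids are the assumed ones above."""
    cmds = []
    for t in tunnels:
        cmds.append(f"ip -6 rule add from {t.prefix} table {t.table}")
        cmds.append(f"ip -6 route add default dev {t.name} table {t.table}")
    return cmds


if __name__ == "__main__":
    print("single default route:", simulate_replies(TUNNELS, egress_by_default_route))
    print("source-based egress: ", simulate_replies(TUNNELS, egress_by_source))
    print("\n".join(linux_policy_rules(TUNNELS)))
```

With a single default route, connections arriving over the second tunnel get their SYN-ACKs dropped by that tunnel's provider; source-based egress makes both tunnels usable without any NAT.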
Re: Is the export policy selective under valley-free?
On 08-09-03 at 11:08, Iljitsch van Beijnum wrote:

> On 3 sep 2008, at 1:45, Kai Chen wrote:
>
>> Just want to ask a direct question. Will an AS export all it gets from its customers and itself to its providers? Or even under valley-free, the BGP export policy is also selective?
>
> I get the valley-free but not the selective. :-)

(guessing)

Suppose,

    C1   P1
      \ /
       A
      / \
    C2   P2

Suppose A has different policies for its two customers, such as,

    announce C1 routes to P1 but not P2
    and
    announce C2 routes to P2 but not P1

In this case there would be valley-free paths [C1 A P2], [C2 A P1] that are not allowed because of A's policy. Though such a policy might be unusual, this is a case where the set of paths generated from the topology with the valley-free rule contains paths that would not occur in reality. I think that yes, the valley-free property is a necessary but not sufficient criterion for generating the set of in-reality-valid paths on the Internet.

Cheers,
-w

-- 
William Waites [EMAIL PROTECTED]
http://www.irl.styx.org/ +49 30 8894 9942
CD70 0498 8AE4 36EA 1CD7 281C 427A 3F36 2130 E9F5
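The gap between "valley-free" and "actually exported" can be checked mechanically on the five-AS topology sketched in the reply. This is an added example, not code from the thread: the links and the selective export policy are the ones the reply supposes (A announces C1's routes only to P1 and C2's only to P2); the enumeration over every source/destination pair, and the assumption that exports to customers are unrestricted, are the example's own.

```python
"""Valley-free paths versus a selective export policy, on the topology in
the post. Added example, not from the thread. The export policy is the
one the post supposes (A announces C1's routes only to P1 and C2's only
to P2); everything else about the five ASes is constructed.
"""

# Customer-to-provider links: (customer, provider). No peer links in this graph.
C2P = {("C1", "A"), ("C2", "A"), ("A", "P1"), ("A", "P2")}
NODES = sorted({n for link in C2P for n in link})

# Selective export policy: for routes A learned from a given customer, the
# providers A is willing to announce them to. Exports to customers are
# unrestricted, as the valley-free model assumes.
EXPORT_TO_PROVIDERS = {"A": {"C1": {"P1"}, "C2": {"P2"}}}


def rel(x, y):
    """Relationship of link x-y from x's point of view: 'c2p', 'p2c' or None."""
    if (x, y) in C2P:
        return "c2p"
    if (y, x) in C2P:
        return "p2c"
    return None


def valley_free(path):
    """Gao's rule with no peer links: some c2p hops, then only p2c hops.
    `path` is in announcement order, origin first."""
    descending = False
    for x, y in zip(path, path[1:]):
        r = rel(x, y)
        if r is None:
            return False
        if r == "p2c":
            descending = True
        elif descending:           # climbing again after descending: a valley
            return False
    return True


def policy_allows(path):
    """Does every transit AS on the path actually export the route onward?"""
    for learned_from, mid, to in zip(path, path[1:], path[2:]):
        allowed = EXPORT_TO_PROVIDERS.get(mid, {}).get(learned_from)
        if rel(mid, to) == "c2p" and allowed is not None and to not in allowed:
            return False
    return True


def simple_paths(src, dst):
    """All loop-free paths from src to dst over existing links."""
    found = []

    def walk(path):
        last = path[-1]
        if last == dst:
            found.append(list(path))
            return
        for n in NODES:
            if n not in path and rel(last, n) is not None:
                walk(path + [n])

    walk([src])
    return found


def valley_free_but_forbidden():
    """Paths the topology-plus-valley-free rule generates that the export
    policy rules out: the gap the post is pointing at."""
    out = []
    for src in NODES:
        for dst in NODES:
            if src != dst:
                out += [p for p in simple_paths(src, dst)
                        if valley_free(p) and not policy_allows(p)]
    return sorted(out)


if __name__ == "__main__":
    for p in valley_free_but_forbidden():
        print("valley-free but not exported:", " ".join(p))
```

Running it lists exactly [C1 A P2] and [C2 A P1]: valley-free by the relationship labels, impossible under A's policy, which is the "necessary but not sufficient" point.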
Re: Is the export policy selective under valley-free?
On 08-09-03 at 11:40, Randy Bush on holiday and should not be reading nanog, let alone responding wrote:

> i assure you that the actual topology is not valley free. e.g. there are many backup or political hack transit paths [0]

Sorry to further impinge on your vacation, but was there a footnote there?

> between otherwise peers and there are also backup customer/provider reversals.

Perhaps the first case could be called misclassification of the edge by the link-labelling heuristics (and otherwise peers dropped)? But where such a relationship is symmetric it runs into the second case, and I agree that the model breaks down in the mutual transit scenario where a link can look like either c2p or p2c depending on the path being considered.

How useful/productive is it to say that any observed path is always, by definition, valley-free and that the labels are not really properties of the graph but properties of the path? I'm not sure.

Enjoy your vacation,
-w

-- 
William Waites [EMAIL PROTECTED]
http://www.irl.styx.org/ +49 30 8894 9942
CD70 0498 8AE4 36EA 1CD7 281C 427A 3F36 2130 E9F5
Re: GLBX De-Peers Intercage
On 08-09-01 at 10:48, Paul Ferguson wrote:

> My next question to the peanut gallery is: What do you suggest we should do on other hosting IP blocks that are continuing to host criminal activity, even in the face of abuse reports, etc.?

As mentioned in private email, I think where there is *evidence* of *criminal* activity, show this to a judge, get the judge to order ARIN to revoke the ASN/netblock; the traffic then becomes bogon and can/should be filtered. If there can be a legal procedure established for this it may even be able to be done quickly in specific instances. Of course a parallel procedure would be necessary for each bit of the ROW..

-w

-- 
William Waites [EMAIL PROTECTED]
http://www.irl.styx.org/ +49 30 8894 9942
CD70 0498 8AE4 36EA 1CD7 281C 427A 3F36 2130 E9F5
Re: GLBX De-Peers Intercage
On 08-09-01 at 12:18, Adrian Chadd wrote:

> Oh come on, how quickly would that migrate to enforcing copyright infringement? Or if you're especially evil, used by larger companies to bully smaller companies out of precious IPv4 space?

With appropriate controls. For example that the entity in question exists entirely or substantially for illegal purposes. Illegal does not mean in violation of an agreement, rather against the law. And such an action should not be possible for a private person to bring.

> Please find an alternative method of tidying up the trash and don't stir that nest of hornets.

Workable suggestions? So far I've seen,

* organized shunning
* BGP blacklists

Cheers,
-w

-- 
William Waites [EMAIL PROTECTED]
http://www.irl.styx.org/ +49 30 8894 9942
CD70 0498 8AE4 36EA 1CD7 281C 427A 3F36 2130 E9F5
Re: GLBX De-Peers Intercage
On 08-09-01 at 12:34, Gadi Evron wrote:

>> Workable suggestions? So far I've seen,
>>
>> * organized shunning
>> * BGP blacklists
>
> I can see the "don't be the Internet's firewall" bunch jumping up and out of their seats, spilling their coffees. How dare you destroy so many keyboards?

I didn't mean to imply that either of those was actually workable ;)

-w

-- 
William Waites [EMAIL PROTECTED]
http://www.irl.styx.org/ +49 30 8894 9942
CD70 0498 8AE4 36EA 1CD7 281C 427A 3F36 2130 E9F5
Re: [LN20080729.4147] RE: AS 28551
On 08-08-01 at 15:05, Marshall Eubanks wrote:

> I think that 161.164.248.0/21 and AS 28551 may be hijacked.

traceroute to 161.164.248.1 (161.164.248.1), 64 hops max, 40 byte packets
snip
 7  tengige0-3-0-3.auvtr1.Aubervilliers.opentransit.net (193.251.241.253)  78.728 ms  79.154 ms  79.548 ms
 8  tengige0-3-0-1.ffttr1.FrankfurtAmMain.opentransit.net (193.251.241.254)  85.894 ms  86.476 ms  86.701 ms
 9  64.208.110.229 (64.208.110.229)  86.312 ms  87.509 ms  87.463 ms
10  Alestra-S-De-R-L-De-CV-San-Pedro-Garza.so-0-2-0.ar1.MEX1.gblx.net (208.48.33.78)  266.280 ms  Alestra-S-De-R-L-De-CV-Lago-Zurich.so-0-2-2.ar1.MEX1.gblx.net (64.215.25.70)  262.566 ms  Alestra-S-De-R-L-De-CV-San-Pedro-Garza.so-1-1-0.ar1.MEX1.gblx.net (208.48.238.98)  473.559 ms
11  host-201-151-29-61.block.alestra.net.mx (201.151.29.61)  260.021 ms  433.502 ms  259.899 ms
12  host-201-151-29-42.block.alestra.net.mx (201.151.29.42)  661.863 ms  256.985 ms  434.032 ms
13  * * *

As well, AS paths shown from route-views.ip.att.net end with AS11172 (alestra) then AS28551. Perhaps Walmart is providing Internet access for its maquiladoras? ;)

Cheers,
-w
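The check the reply makes by eye on route-views output (which ASN originates the prefix, and which upstream sits in front of it) is easy to script so that it can be repeated across many vantage points. This is an added example, not the poster's tooling. The AS_PATH rows are constructed in the shape of a BGP table dump; the only values taken from the thread are the prefix 161.164.248.0/21, AS28551 as its origin and AS11172 (Alestra) as the upstream seen in front of it. The "expected origin" is a placeholder for whatever the registry record says, and the other ASNs come from the documentation ranges (64496-64511, 65536-65551), so none of the constructed rows describe any real network.

```python
"""Origin and upstream consistency check over observed AS paths.

Added example, not the poster's tooling. AS_PATH rows are constructed in
the shape of a BGP table dump; only 161.164.248.0/21, AS28551 and AS11172
come from the thread. EXPECTED_ORIGIN is a placeholder for the registry
record, and the remaining ASNs are from the documentation ranges.
"""
import ipaddress
from collections import Counter

EXPECTED_ORIGIN = 28551                      # placeholder: registry says this
REGISTERED = ipaddress.ip_network("161.164.248.0/21")

# Constructed rows: (prefix, AS_PATH). Most show the prefix via 11172 -> 28551;
# the last two are planted anomalies.
OBSERVED = [
    ("161.164.248.0/21", "64496 64500 11172 28551"),
    ("161.164.248.0/21", "64497 64500 11172 28551"),
    ("161.164.248.0/21", "64498 64500 11172 28551"),
    ("161.164.248.0/21", "64499 64500 11172 28551"),
    ("161.164.248.0/21", "64499 65551 28551"),      # same origin, unexpected upstream
    ("161.164.252.0/22", "64496 65551"),            # more-specific from another origin
]


def parse_path(as_path):
    """AS_PATH text -> list of ints; strips AS_SET braces and prepend repeats."""
    tokens = as_path.replace("{", " ").replace("}", " ").replace(",", " ").split()
    out = []
    for tok in tokens:
        asn = int(tok)
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def origin_summary(rows):
    """Counter of (prefix, origin ASN, upstream ASN) over all observed rows."""
    c = Counter()
    for prefix, as_path in rows:
        p = parse_path(as_path)
        upstream = p[-2] if len(p) > 1 else None
        c[(prefix, p[-1], upstream)] += 1
    return c


def anomalies(rows, expected_origin=EXPECTED_ORIGIN, registered=REGISTERED):
    """Rows worth a closer look: wrong origin, a more-specific of the registered
    block, or the expected origin seen behind an upstream most rows don't use.
    Returns [(prefix, as_path, [reasons])]."""
    votes = Counter()
    for (prefix, origin, upstream), n in origin_summary(rows).items():
        if origin == expected_origin and upstream is not None:
            votes[upstream] += n
    usual_upstream = votes.most_common(1)[0][0] if votes else None

    flagged = []
    for prefix, as_path in rows:
        p = parse_path(as_path)
        net = ipaddress.ip_network(prefix)
        reasons = []
        if p[-1] != expected_origin:
            reasons.append("origin-mismatch")
        if net != registered and net.subnet_of(registered):
            reasons.append("more-specific")
        if p[-1] == expected_origin and len(p) > 1 and p[-2] != usual_upstream:
            reasons.append("unusual-upstream")
        if reasons:
            flagged.append((prefix, as_path, reasons))
    return flagged


if __name__ == "__main__":
    for prefix, as_path, reasons in anomalies(OBSERVED):
        print(prefix, "|", as_path, "|", ", ".join(reasons))
```

The heuristics are deliberately simple; what they buy is consistency across vantage points, since a single route-views server (as in the reply) can only show one slice of what the rest of the Internet sees.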
Re: Arbitrary de-peering
On 08-07-28 at 17:12, [EMAIL PROTECTED] wrote:

> Example: A York University professor was sitting at his desk at work in March 2008 trying to reach an internet website located somewhere in Europe. [...] York’s bandwidth supplier is Cogent which had severed a peering relationship with a bandwidth provider in Europe called Telia [...] which was the bandwidth network provider for the website that the Professor was trying to reach. [...] Cogent did not proactively inform the University of the issue and the loss of connectivity.
>
> Unreachability due to arbitrariness in network peering is unacceptable.

There must be more to this story. If Cogent de-peered from Telia the traffic would normally just have taken another path. Either there was a configuration error of some sort or else some sort of proactive black-holing on one side or the other. As the latter would be surprising and very heavy handed, I would tend to suspect the former. Peering relationships are made and severed all the time with no particular ill-effects; unless you can point to examples of outright malice (i.e. of the black-holing kind) I don't think there is much basis for any public policy decisions in this example.

Unreachability due to configuration error is of course relatively common; perhaps I am wrong, but I don't think the CRTC would really have much to say about that.

Cheers,
-w
Re: Arbitrary de-peering
On 08-07-28 at 17:29, Patrick W. Gilmore wrote:

> One should check one's assumptions before posting to 10K+ of their not-so-close friends.

Firstly I missed the actual incident since I was off the 'net for an extended period about that time, so apologies for any rehash.

> Neither network has transit. What other path is there to take?

http://www.renesys.com/blog/2008/03/he_said_she_said_cogent_vs_tel.shtml

Then Cogent de-peered Telia and suddenly Verizon and others started providing a path between the two and their respective customers. Which is as it should be. Then somebody (not clear who) apparently took explicit steps to stop the traffic from taking these other paths. Surprising. Severing a peering relationship is one thing, purposely filtering large swathes of the Internet over all other links is quite another. As I said, this is surprising behaviour, but not simple de-peering. And I'm sure that any Tier 1 has enough peering relationships with enough other Tier 1 networks that they can always buy temporary transit privileges over an existing link.

-w
Re: Arbitrary de-peering
On 08-07-28 at 18:27, Jon Lewis wrote:

> Bit bucket path.

Evidently.

>> As I said, this is surprising behaviour, but not simple de-peering. And I'm
>
> Why is it surprising? Sounds more like a repeat performance to me. Back when Level3 depeered Cogent, it was said that Cogent was already buying transit from Verio to reach at least some networks they weren't peering with. After the depeering, why didn't Cogent get to Level3 (and vice versa) via Verio?

Surprising because Cogent (or Telia, but from what you say here, looks like Cogent) presumably put themselves in a breach of contract position with their (end-user or stub AS) customers who one would imagine have bought Internet service from them. Given that they have some reasonably big/important customers it is surprising that they would take that risk, and even more surprising that it didn't bite them too hard. But maybe I am just easily surprised.

>> Tier 1 has enough peering relationships with enough other Tier 1 networks that they can always buy temporary transit privileges over an existing link.
>
> Tier 1 means you don't buy transit, no?

Maybe a slightly revised definition of Tier 1 is in order -- a provider that doesn't buy transit and doesn't sell to end-users or stub systems. Doing either of these things would degrade them in the nomenclature by 0.5. Doing both of these things makes a Tier 2 provider which had better have transit from more than one upstream. This way innocents don't suffer the collateral damage from games of chicken among the titans (unless they were silly enough to get their only Internet connection from a Tier 1.5 provider). Oh well.

Cheers,
-w
IPv6 nameserver glue chez netsol
Hi all,

Does anyone have a contact or a known administrative path to get NS glue added to domains registered with Network Solutions? Or is the only choice to move the domains in question to a different registrar?

(Perhaps more appropriate for dns-operations, but as it is an operational question and my subscription request is awaiting moderator approval, I hope nobody will mind my posting it here)

Cheers,
-w
Re: Building a BGP test network
On 08-07-09 at 19:36, Ariel Biener wrote:

> I have been pondering over this issue for some time now (not too much time to invest on it), since I wanted to create a duplicate model of our production network in a test environment, not connected to any outside network (thus cannot peer, same problem as described here).

What about http://ipmon.sprint.com/pyrt/ ? It doesn't do everything, being designed for the reverse problem -- pulling routes from a live BGP network for analysis. But it does include a BGP speaker and the ability to read and write MRTD files. I imagine with relatively little work it could be coaxed to read an MRTD dump and send the entries to a test peer.

-w