From rdobbins at arbor.net Tue Nov 1 00:19:15 2011 From: rdobbins at arbor.net (Dobbins, Roland) Date: Tue, 1 Nov 2011 05:19:15 +0000 Subject: Manage an enterprise network? Please fill out my survey - for Science! :-) In-Reply-To: References: <5948995898631926267@unknownmsgid> <4EAF6EFA.5000702@gmail.com> <4EAF71E3.7030406@brightok.net> Message-ID: <4B2F33DF-5B04-4B73-943A-8A818E5C7507@arbor.net> On Nov 1, 2011, at 11:44 AM, Cameron Byrne wrote: > Unfotunately ISPs are deploying many middle boxen, frequently in series, for various reasons...cough cough cgn. This AusNOG presentation touches upon the topic: ----------------------------------------------------------------------- Roland Dobbins // The basis of optimism is sheer terror. -- Oscar Wilde From jbates at brightok.net Tue Nov 1 01:28:53 2011 From: jbates at brightok.net (Jack Bates) Date: Tue, 01 Nov 2011 01:28:53 -0500 Subject: Manage an enterprise network? Please fill out my survey - for Science! :-) In-Reply-To: <4B2F33DF-5B04-4B73-943A-8A818E5C7507@arbor.net> References: <5948995898631926267@unknownmsgid> <4EAF6EFA.5000702@gmail.com> <4EAF71E3.7030406@brightok.net> <4B2F33DF-5B04-4B73-943A-8A818E5C7507@arbor.net> Message-ID: <4EAF91A5.2040505@brightok.net> On 11/1/2011 12:19 AM, Dobbins, Roland wrote: > On Nov 1, 2011, at 11:44 AM, Cameron Byrne wrote: > >> Unfotunately ISPs are deploying many middle boxen, frequently in series, for various reasons...cough cough cgn. > This AusNOG presentation touches upon the topic: > > > > heh, Until IPv6 is a mainstream, I don't think wireless companies (and soon wireline) have much choice on CGN. I believe there are plenty of CGN products that handle as much or more pps than my Juniper MX960 does. My last DDOS killed the egress pps on 2 of my NSP transits. Neither could send 2Mpps of traffic to me (ie, neither was line rate at 43bytes). I'm confused as to the 6to4 gateway state. Last I checked, all my 6to4 is stateless. My load balancers are also stateless. IPS can be deployed sidelined with hardware packet mirroring and remote updates to router ACLs. I recognize that ISPs may not keep DDOS in mind and reduce state when possible, but there is current tech that can limit state and still deploy the same services. CGN is the exception to the rule, and I've yet to see a way around it in a depleted IPv4 Internet (but as stated, most CGN is designed to handle state to the same performance levels as current router tech). Jack From rdobbins at arbor.net Tue Nov 1 01:41:05 2011 From: rdobbins at arbor.net (Dobbins, Roland) Date: Tue, 1 Nov 2011 06:41:05 +0000 Subject: Manage an enterprise network? Please fill out my survey - for Science! :-) In-Reply-To: <4EAF91A5.2040505@brightok.net> References: <5948995898631926267@unknownmsgid> <4EAF6EFA.5000702@gmail.com> <4EAF71E3.7030406@brightok.net> <4B2F33DF-5B04-4B73-943A-8A818E5C7507@arbor.net> <4EAF91A5.2040505@brightok.net> Message-ID: <18FE168D-5D42-40B9-B3DB-27F58781DD95@arbor.net> On Nov 1, 2011, at 1:28 PM, Jack Bates wrote: > I'm confused as to the 6to4 gateway state. Last I checked, all my 6to4 is stateless. Depends upon the technology being used. I probably should've used a different term. > My load balancers are also stateless. Most are not, or aren't configured to be so (i.e., most seem to be set up to handle the outbound server-to-client comms, too). I see them go down like tenpins in trivial DDoS attacks all the time. ----------------------------------------------------------------------- Roland Dobbins // The basis of optimism is sheer terror. -- Oscar Wilde From me at payam124.com Tue Nov 1 01:59:58 2011 From: me at payam124.com (Payam Poursaied) Date: Tue, 1 Nov 2011 10:29:58 +0330 Subject: Network Asset/Service Track/Management Message-ID: <08f701cc9863$e03d74d0$a0b85e70$@com> Hi all I'm looking for a system to keep track of network assets and also periodic services in each pop site. Currently we have about 500 pop-sites. In each site we have DSLAMs, Linecards and also some passive equipments including terminals, racks and .. Also each site may have some recurring fees/services. Something like transit link, power, rental space and . Could you please share your experience with me Best Regards Payam Poursaied -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5605 bytes Desc: not available URL: From babak at farrokhi.net Tue Nov 1 02:38:36 2011 From: babak at farrokhi.net (Babak Farrokhi) Date: Tue, 1 Nov 2011 11:08:36 +0330 Subject: Network Asset/Service Track/Management In-Reply-To: <08f701cc9863$e03d74d0$a0b85e70$@com> References: <08f701cc9863$e03d74d0$a0b85e70$@com> Message-ID: <560B6E25-3AF2-4945-8505-FE2FA38B8BED@farrokhi.net> Hi, I would suggest you use the element management software provided by your vendor. But you may want to take a look at www.ziptie.org for an alternative. Regards, On Nov 1, 2011, at 10:29 AM, Payam Poursaied wrote: > Hi all > > I'm looking for a system to keep track of network assets and also periodic services in each pop site. Currently we have > about 500 pop-sites. In each site we have DSLAMs, Linecards and also some passive equipments including terminals, racks > and .. > > Also each site may have some recurring fees/services. Something like transit link, power, rental space and . > > > > Could you please share your experience with me > > > > Best Regards > > Payam Poursaied > > > -- Babak Farrokhi Network Expert / Unix SA / Security Analyst From mikereedwt at gmail.com Tue Nov 1 04:03:14 2011 From: mikereedwt at gmail.com (Mike Reed) Date: Tue, 1 Nov 2011 09:03:14 +0000 Subject: consumer DSL problems Message-ID: Hi folks, It would seem that my home broadband provider (Orange, formerly known as Wanadoo/Freeserve) have made some networking changes at the weekend. The first I knew of it was when my DSL router refused to connect. It's a vendor-supplied Siemens Gigaset SE572. While it's probably not the best router in the world (most consumer routers are risible), it was generally fine. On complaint, they tell me it's 'old'. Closer inspection reveals it's picking up the DSL carrier signal fine, but failing during LCP negotation Is there a common policy on rendering vendor-supplied CPEs unusable? As a network operator to residential users, would you notify any potentially affected users before making such a change? I am grateful for any insight. Kind regards, Mike From charles at knownelement.com Tue Nov 1 04:22:13 2011 From: charles at knownelement.com (Charles N Wyble) Date: Tue, 01 Nov 2011 04:22:13 -0500 Subject: Network Asset/Service Track/Management In-Reply-To: <560B6E25-3AF2-4945-8505-FE2FA38B8BED@farrokhi.net> References: <08f701cc9863$e03d74d0$a0b85e70$@com> <560B6E25-3AF2-4945-8505-FE2FA38B8BED@farrokhi.net> Message-ID: <4EAFBA45.3070700@knownelement.com> On 11/01/2011 02:38 AM, Babak Farrokhi wrote: > Hi, > > I would suggest you use the element management software provided by your vendor. But you may want to take a look at www.ziptie.org for an alternative. Also nocproject.org From regnauld at nsrc.org Tue Nov 1 04:29:37 2011 From: regnauld at nsrc.org (Phil Regnauld) Date: Tue, 1 Nov 2011 10:29:37 +0100 Subject: Network Asset/Service Track/Management In-Reply-To: <08f701cc9863$e03d74d0$a0b85e70$@com> References: <08f701cc9863$e03d74d0$a0b85e70$@com> Message-ID: <20111101092937.GG10684@macbook.bluepipe.net> Payam Poursaied (me) writes: > Hi all > > I'm looking for a system to keep track of network assets and also periodic services in each pop site. Currently we have > about 500 pop-sites. In each site we have DSLAMs, Linecards and also some passive equipments including terminals, racks > and .. > > Also each site may have some recurring fees/services. Something like transit link, power, rental space and . > > Could you please share your experience with me Hi Payam, Some of what you mention can be handled with Netdot (https://netdot.uoregon.edu). There is built-in support for maintenance contract definitions, but some customization might be required. The good part about netdot is that it will automate some of the inventory management if it has SNMP access to your devices. Asset mgmt support is rather good for Cisco equipment, but would have to be tested for other vendors. Cheers, Phil From doctorchd at gmail.com Tue Nov 1 04:52:49 2011 From: doctorchd at gmail.com (Dmitry Cherkasov) Date: Tue, 1 Nov 2011 11:52:49 +0200 Subject: using IPv6 address block across multiple locations In-Reply-To: References: Message-ID: Thanks to everybody who responded. To summarize it all, these are the guides for non-ISP company to use PI IPv6 addresses: case 1: single POP, no plans to have more - get single /48 from your RIR, announce it to one or multiple ISPs that POP is connected to case 1a: multiple separate POPs (no VPN interconnections) - the same as for case 1 but for each POP independently; each POP has individual AS, btw case 2: extranet like multiple POPs interconnected with VPNs - get greater then /48 block (like /44) so each POP gets its /48 part - each POP announces its corresponding /48 prefix to their local ISPs - decide if you wish that traffic from Internet to some POP passes through some other of your POPs (security or other considerations); if this is desirable you may announce the whole aggregate (like /44) additionally to /48 from all or some of the POPs; optionally you may wish to announce /44 with community 'no-export' As for /48 IPv6 blocks being like /24 for IPv4. It really seems that /48 may be the most popular PI block and this may lead to overcrowding of DFZ. Probably, this is logical consequence of getting bigger address space. We needed more IP addresses and we get them. Anyway getting greater then /48 just because you do not want to pollute DFZ is not justified. Thank you. Dmitry Cherkasov 2011/11/1 Ricky Beam : > On Mon, 31 Oct 2011 05:39:57 -0400, Richard Barnes > wrote: >> >> Couldn't you also advertise the /48 from all the sites, if you're >> willing to sort things out over the inter-site VPNs? > > If we're talking about a site-to-site IPsec VPN "over the internet", then > that's a very bad idea. ?Even if "the internet" in this case is entirely > within the same provider's network. (and it doesn't sound like it is.) > > --Ricky > > From streiner at cluebyfour.org Tue Nov 1 06:10:19 2011 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Tue, 1 Nov 2011 07:10:19 -0400 (EDT) Subject: using IPv6 address block across multiple locations In-Reply-To: References: Message-ID: On Tue, 1 Nov 2011, Dmitry Cherkasov wrote: > case 2: extranet like multiple POPs interconnected with VPNs > - get greater then /48 block (like /44) so each POP gets its /48 part > - each POP announces its corresponding /48 prefix to their local ISPs > - decide if you wish that traffic from Internet to some POP passes > through some other of your POPs (security or other considerations); if > this is desirable you may announce the whole aggregate (like /44) > additionally to /48 from all or some of the POPs; optionally you may > wish to announce /44 with community 'no-export' You really don't need to tag the larger block with no-export. In fact, if the POPs are suitably interconnected on the back end, you really don't need to advertise the /48s all, and just advertise the /44. Depending on your upstreams, you might be able to tag your advertisements with certain BGP communities (will vary from provider to provider) to give you some degree of conrol over traffic distribution. Getting back to the original point, unless someone does something odd with their BGP views, the /48s will be preferred because they're smaller (more specific), and the /44 would only be used if a corresponding /48 prefix doesn't exist in their BGP view. jms From bclark at spectraaccess.com Tue Nov 1 07:05:42 2011 From: bclark at spectraaccess.com (Bret Clark) Date: Tue, 01 Nov 2011 08:05:42 -0400 Subject: consumer DSL problems In-Reply-To: References: Message-ID: <4EAFE096.6090401@spectraaccess.com> On 11/01/2011 05:03 AM, Mike Reed wrote: > > Is there a common policy on rendering vendor-supplied CPEs unusable? Yes if they are old. > As a network operator to residential users, would you notify any > potentially affected users before making such a change? Any responsible provider would make sure to notify users before making the change and then not make the change until all users had been upgraded to a new modem...within reason of course...some customer are hard to reach and never respond, so at some point you just have to make the switch. Regards, Bret From paulooi at takizo.com Tue Nov 1 09:25:37 2011 From: paulooi at takizo.com (takizo) Date: Tue, 1 Nov 2011 22:25:37 +0800 Subject: Network Asset/Service Track/Management In-Reply-To: <20111101092937.GG10684@macbook.bluepipe.net> References: <08f701cc9863$e03d74d0$a0b85e70$@com> <20111101092937.GG10684@macbook.bluepipe.net> Message-ID: <0D0E7EDE-E090-409A-AD41-FD22C1C8C0A9@takizo.com> On Nov 1, 2011, at 5:29 PM, Phil Regnauld wrote: > Payam Poursaied (me) writes: >> Hi all >> >> I'm looking for a system to keep track of network assets and also periodic services in each pop site. Currently we have >> about 500 pop-sites. In each site we have DSLAMs, Linecards and also some passive equipments including terminals, racks >> and .. >> >> Also each site may have some recurring fees/services. Something like transit link, power, rental space and . >> >> Could you please share your experience with me > > Hi Payam, > > Some of what you mention can be handled with Netdot (https://netdot.uoregon.edu). > > There is built-in support for maintenance contract definitions, but some > customization might be required. The good part about netdot is that it > will automate some of the inventory management if it has SNMP access to > your devices. Asset mgmt support is rather good for Cisco equipment, but > would have to be tested for other vendors. > > Cheers, > Phil > +1 on Netdot, it's good stuff ;) From chip.gwyn at gmail.com Tue Nov 1 09:35:52 2011 From: chip.gwyn at gmail.com (chip) Date: Tue, 1 Nov 2011 10:35:52 -0400 Subject: Network Asset/Service Track/Management In-Reply-To: <08f701cc9863$e03d74d0$a0b85e70$@com> References: <08f701cc9863$e03d74d0$a0b85e70$@com> Message-ID: For tracking gear, space, racks, power, assets, etc... Might want to take a look at NetZoomDC by Altima Technologies. They're doing some neat stuff. For the recurring fees and such, not quite sure it will meet your needs but there are customizable categories, elements, and what not you can apply to things and create customer reports and stuff. It all runs on top of Microsoft's SQL server, with Excel and Word for reporting functions. I assume anything you can do in an Excel sheet can be hooked into it. --chip On Tue, Nov 1, 2011 at 2:59 AM, Payam Poursaied wrote: > Hi all > > I'm looking for a system to keep track of network assets and also periodic services in each pop site. Currently we have > about 500 pop-sites. In each site we have DSLAMs, Linecards and also some passive equipments including terminals, racks > and .. > > Also each site may have some recurring fees/services. Something like transit link, power, rental space and . > > > > Could you please share your experience with me > > > > Best Regards > > Payam Poursaied > > > > -- Just my $.02, your mileage may vary,? batteries not included, etc.... From owen at delong.com Tue Nov 1 10:13:32 2011 From: owen at delong.com (Owen DeLong) Date: Tue, 1 Nov 2011 08:13:32 -0700 Subject: using IPv6 address block across multiple locations In-Reply-To: References: Message-ID: <386FD22B-CD9D-4944-BBAE-2C9BAA1CFF11@delong.com> > > As for /48 IPv6 blocks being like /24 for IPv4. > It really seems that /48 may be the most popular PI block and this may > lead to overcrowding of DFZ. Probably, this is logical consequence of > getting bigger address space. We needed more IP addresses and we get > them. Anyway getting greater then /48 just because you do not want to > pollute DFZ is not justified. > I agree with you except this last statement. If you have a need for more than a /48 and you can announce the aggregate and not the more specifics, it is perfectly valid to get more than a /48 and you should do so in a way that allows you to announce only the aggregate so as to avoid polluting the DFZ. DFZ pollution is not about prefix size, it is about the number of prefixes. In all cases, one should attempt to implement the minimum number of prefixes necessary to effect your desired (or needed) routing policy. Prefix size, OTOH, should relate to the number of end-sites served where each end-site gets a /48. Owen From owen at delong.com Tue Nov 1 10:20:40 2011 From: owen at delong.com (Owen DeLong) Date: Tue, 1 Nov 2011 08:20:40 -0700 Subject: using IPv6 address block across multiple locations In-Reply-To: References: Message-ID: On Nov 1, 2011, at 4:10 AM, Justin M. Streiner wrote: > On Tue, 1 Nov 2011, Dmitry Cherkasov wrote: > >> case 2: extranet like multiple POPs interconnected with VPNs >> - get greater then /48 block (like /44) so each POP gets its /48 part >> - each POP announces its corresponding /48 prefix to their local ISPs >> - decide if you wish that traffic from Internet to some POP passes >> through some other of your POPs (security or other considerations); if >> this is desirable you may announce the whole aggregate (like /44) >> additionally to /48 from all or some of the POPs; optionally you may >> wish to announce /44 with community 'no-export' > > You really don't need to tag the larger block with no-export. In fact, > if the POPs are suitably interconnected on the back end, you really > don't need to advertise the /48s all, and just advertise the /44. Depending on your upstreams, you might be able to tag your advertisements with certain BGP communities (will vary from provider to provider) to give you some degree of conrol over traffic distribution. > > Getting back to the original point, unless someone does something odd with their BGP views, the /48s will be preferred because they're smaller (more specific), and the /44 would only be used if a corresponding /48 prefix doesn't exist in their BGP view. > > jms In fact, if you have one or more providers which, in common, serve multiple POPs, it may be desirable to tag the more specifics (/48s) as no-export and leave the /44s exportable. In this way, you can avoid unnecessary DFZ pollution. Owen From lists at mtin.net Tue Nov 1 10:39:46 2011 From: lists at mtin.net (Justin Wilson) Date: Tue, 01 Nov 2011 11:39:46 -0400 Subject: OT:Hotmail mail Admin Message-ID: Hi all, Sorry for the offtopic post. I have a need to talk to a real person at Hotmail regarding a user account. The normal channels aren't getting me what I need. Thanks, Justin From jmaimon at ttec.com Tue Nov 1 11:59:47 2011 From: jmaimon at ttec.com (Joe Maimon) Date: Tue, 01 Nov 2011 12:59:47 -0400 Subject: Verizon ISP mailing list / ATM ports Message-ID: <4EB02583.7050004@ttec.com> Hey All, I am looking for verizon ATM/DSL wholesale DSL ports for NY/NJ latas, and I found some verizon-isp mailing lists, but nothing seems current. Off-list replies are welcome. Thanks, Joe From kloch at kl.net Tue Nov 1 13:22:31 2011 From: kloch at kl.net (Kevin Loch) Date: Tue, 01 Nov 2011 14:22:31 -0400 Subject: Colocation providers and ACL requests In-Reply-To: References: Message-ID: <4EB038E7.4070703@kl.net> Christopher Pilkington wrote: > Is it common in the industry for a colocation provider, when requested to put an egress ACL facing us such as: > > deny udp any a.b.c.d/24 eq 80 > > ?to refuse and tell us we must subscribe to their managed DDOS product? We have always accommodated temporary ACL's for active DDOS attacks. I think that is fairly standard across the ISP/hosting industry. I do feel it is bad practice to regularly implement customer specific ACL's on routers. If a customer wants a managed firewall we have a full range of those services available. - Kevin From carlosm3011 at gmail.com Tue Nov 1 14:20:23 2011 From: carlosm3011 at gmail.com (Carlos Martinez-Cagnazzo) Date: Tue, 1 Nov 2011 17:20:23 -0200 Subject: using IPv6 address block across multiple locations In-Reply-To: References: Message-ID: My take on the issue is that your providers are wise in not wanting to accept prefixes longer than /48s. You should get multiple prefixes, from the same or different RIRs. If there are policies in place which do not allow you to do so, I think it's a good time to discuss them. regards Carlos On Mon, Oct 31, 2011 at 5:56 AM, Dmitry Cherkasov wrote: > Hello, > > Please advice what is the best practice to use IPv6 address block > across distributed locations. > > Recently we obtained our PI /48 from RIPE. The idea was to assign > partial slices from this block to different locations (we have > currently 3 offices in Europe and 2 in USA). All locations are > interconnected with static VPNs. Each location is supposed to > establish BGP session with local ISP. Partial prefix /56 + aggregate > /48 (with long AS PATH) are to be announced by each office. > > The problem we ran across is that ISP in US does not wish to accept > prefixes longer then /48 from us. > Need your advice: is this normal to distribute /48 by /56 parts across > locations or should we obtain separate /48 for each of them? Or maybe > we need /32 that can be split into multiple /48? Anyway we are not ISP > so /48 looks quite reasonable and sufficient for all our needs. > > Thank you. > > Dmitry Cherkasov > > -- -- ========================= Carlos M. Martinez-Cagnazzo http://www.labs.lacnic.net ========================= From carlosm3011 at gmail.com Tue Nov 1 14:23:20 2011 From: carlosm3011 at gmail.com (Carlos Martinez-Cagnazzo) Date: Tue, 1 Nov 2011 17:23:20 -0200 Subject: Mexico? In-Reply-To: <00c401cc9521$2ad65250$8082f6f0$@gmail.com> References: <00c401cc9521$2ad65250$8082f6f0$@gmail.com> Message-ID: Mexico-based networks get their IP blocks (v4 and v6) from NIC Mexico (http://www.nic.mx). NIC Mexico and NIC Brasil are the two NIRs within LACNIC's service area. regards Carlos On Fri, Oct 28, 2011 at 1:24 AM, Ryan Finnesey wrote: > If I want to get a block of IP's issued for a network within Mexico who do I > talk with? ?I have been told arin does not cover Mexico. ?It was my > understand arin covers North America. > > > > Cheers > > Ryan > > > > -- -- ========================= Carlos M. Martinez-Cagnazzo http://www.labs.lacnic.net ========================= From cjp at 0x1.net Tue Nov 1 14:51:04 2011 From: cjp at 0x1.net (Christopher J. Pilkington) Date: Tue, 1 Nov 2011 15:51:04 -0400 Subject: Random five character string added to URLs? Message-ID: This might be off-topic, my apologies if so. I seeing requests against a server with initial GET requests in the form: GET /[a-zA-Z]{5}/pagename.html pagename.html being optional. The 5 character string seems to be random. This GET always results in a 404, as our servers don't have these paths. The second request seems to always the same without the modified path, which results in a 20. I initially suspected this was something from an attack or DOS tool, but the traffic doesn't fit such a pattern. Is anyone familiar with what device/service behaves in this fashion? Clearly something layer 7 is between the clients and the server. Provider is without clue regarding this. Google results in many GoDaddy users complaining of same; the server in question is not hosted with them, but I suspect they may be doing something similar. Thanks, -cjp From carlosm3011 at gmail.com Tue Nov 1 14:54:05 2011 From: carlosm3011 at gmail.com (Carlos Martinez-Cagnazzo) Date: Tue, 1 Nov 2011 17:54:05 -0200 Subject: Outgoing SMTP Servers In-Reply-To: <5F2E5817-06E1-4822-9405-431098D7902A@drtel.com> References: <4EAED155.8040604@mtcc.com> <201110312119.p9VLJEck099196@mail.r-bonomi.com> <5F2E5817-06E1-4822-9405-431098D7902A@drtel.com> Message-ID: The point to make here is: - if an ISP takes the path of blocking tcp/25, then they MUST communicate this appropiately to customers and other users - they also MUST provide alternatives: SMTP over SSL should be allowed (tcp/465), authenticated relay, but *something*. IMO blocking 25/tcp is a side-effect of the failure of the whole ISP system to decisively deal with spammers. It's easier to blind-block 25/tcp than to do proper investigations and to collaborate with law enforcement. I have tried to hand reports with *static* IP addresses, contract identifiers and even home, mobile and work phone numbers of known spammers in Uruguay (I happen to have my personal feud with one that sells dog food), only to be shelved by management on the fears of legal action. I have also trouble swallowing the argument of "blocking 25/tcp is great because it avoids us getting into black lists and reduces spam". Yes, sure, but that doesn't prove it's the right approach in the long run, as you are dealing with symptoms and not causes/sources. It's the same thing as having tons of aspirines each time you have a headache. Even if the pain subsides, you might still have other underlying conditions that in fact are being masqueraded by your "solution". So, as it is often the case in society, we all pay the price. On Mon, Oct 31, 2011 at 11:17 PM, Brian Johnson wrote: > > > Sent from my iPad > > On Oct 31, 2011, at 4:17 PM, "Robert Bonomi" > > > >> There is an at-least-somewhat-valid argument against outbound filtering. >> to wit, various receiving systems may have different policies on what is/ >> is-not 'acceptable' traffic. ?They have a better idea of what is acceptable >> to the recipients (their users), than the originating MTA operator does. An >> originating system cannot accomodate that diversity of opinions _without_ >> getting input from all prospective recipients. >> >> And it is, of course, 'not practical' for every email recipient to notify >> every email 'source' network as to what that recpient considers 'acceptable'. >> > > This is not plausible. It also has nothing to do with a network owner protecting his network from his own users. > >> >> There are only a relative handful of things a _residential_ provider can >> use to "reliably" filter outgoing mail. A non-comprehensive list: >> ?1) 'Greylisting' at the origin is as effective at stopping spam as it is >> ? ? at the destination. >> ?2) Checks for certain kinds of standards violations that legitimate mail >> ? ? software does not make. >> ?3) Check for certain kinds of 'lies' in headers -- things that *cannot* >> ? ? occur in legitimate email. >> ?4) 'Rate-limiting' to detect/quarrantine abnormal traffic levels. >> ?5) Tracking SMTP 'MAIL FROM:" and the "From:" (or 'Resent-From:', if >> ? ? present), and quarrantining on abnormal numbers of different putative >> ? ? origins. >> >> There's no point in checking source addresses against any DNSBL, for reasons >> that should be 'obvious'. ?<*GRIN*> >> >> Further, any sort of "content" filters prevent customers from _discussing_ >> scams in e-mail. >> >> There is a 'hard' problem in letting the source 'opt out' of such filtering, >> because an intentional 'bad guy' will request his outgoing mail not be >> monitored, as well as the person who has a 'legitimate' reason for sending >> messages that might trip mindless content filters. >> >> Statistical note: ?Out of the last roughly 6,000 pieces of spam seen here, >> circa 2,700 were caught by checks 2), and 3) above, and another circa 2,600 >> were in character-sets not supported here. ? Incidentally, spam volume, as >> seen here, is running a bit _under_ 2/3 of all email, down from a peak of >> over 95%. >> > > This misses the point of the thread which is not filtering. It is port 25 blocking. Statistically all of he problems exist on TCP port 25. This is why the filtering is largely effective. > > - Brian > -- -- ========================= Carlos M. Martinez-Cagnazzo http://www.labs.lacnic.net ========================= From jbates at brightok.net Tue Nov 1 15:19:39 2011 From: jbates at brightok.net (Jack Bates) Date: Tue, 01 Nov 2011 15:19:39 -0500 Subject: Colocation providers and ACL requests In-Reply-To: <4EB038E7.4070703@kl.net> References: <4EB038E7.4070703@kl.net> Message-ID: <4EB0545B.6080900@brightok.net> On 11/1/2011 1:22 PM, Kevin Loch wrote: > Christopher Pilkington wrote: >> Is it common in the industry for a colocation provider, when requested >> to put an egress ACL facing us such as: >> >> deny udp any a.b.c.d/24 eq 80 >> >> ?to refuse and tell us we must subscribe to their managed DDOS product? > > We have always accommodated temporary ACL's for active DDOS attacks. I > think that is fairly standard across the ISP/hosting industry. > > I do feel it is bad practice to regularly implement customer specific > ACL's on routers. If a customer wants a managed firewall we have a > full range of those services available. > And Managed DDOS products better be a LOT more than an ACL. If I'm going to pay someone to manage DDOS, they will scrub the traffic and let all my legitimate traffic through. That's what I'm paying for. null routing an IP or a simple acl isn't worth paying a dime for. Jack From sfouant at shortestpathfirst.net Tue Nov 1 18:05:22 2011 From: sfouant at shortestpathfirst.net (=?utf-8?B?U3RlZmFuIEZvdWFudA==?=) Date: Tue, 01 Nov 2011 19:05:22 -0400 Subject: =?utf-8?B?UmU6IFJhbmRvbSBmaXZlIGNoYXJhY3RlciBzdHJpbmcgYWRkZWQgdG8gVVJMcz8=?= Message-ID: Is there anything perhaps protecting or intercepting the data on its way to the server, perhaps an Arbor device of some type of load balancer? This type of behavior is quite common when protecting web assets to eliminate zombies and such, but its usually something you would see back to the clients, not tp the server. Also, IIRC, the LOIC DoS tool had this ability to create random strings in the URL, and I believe it did so with 5 characters. Might want to do a packet trace and identify if this is coming from LOIC. Regards, Stefan Fouant Technical Trainer, Juniper Networks GPG Key ID: 0xB4C956EC Sent from my HTC EVO. ----- Reply message ----- From: "Christopher J. Pilkington" Date: Tue, Nov 1, 2011 3:51 pm Subject: Random five character string added to URLs? To: This might be off-topic, my apologies if so. I seeing requests against a server with initial GET requests in the form: GET /[a-zA-Z]{5}/pagename.html pagename.html being optional. The 5 character string seems to be random. This GET always results in a 404, as our servers don't have these paths. The second request seems to always the same without the modified path, which results in a 20. I initially suspected this was something from an attack or DOS tool, but the traffic doesn't fit such a pattern. Is anyone familiar with what device/service behaves in this fashion? Clearly something layer 7 is between the clients and the server. Provider is without clue regarding this. Google results in many GoDaddy users complaining of same; the server in question is not hosted with them, but I suspect they may be doing something similar. Thanks, -cjp From mysidia at gmail.com Tue Nov 1 19:00:54 2011 From: mysidia at gmail.com (Jimmy Hess) Date: Tue, 1 Nov 2011 19:00:54 -0500 Subject: Colocation providers and ACL requests In-Reply-To: <4EB038E7.4070703@kl.net> References: <4EB038E7.4070703@kl.net> Message-ID: On Tue, Nov 1, 2011 at 1:22 PM, Kevin Loch wrote: > Christopher Pilkington wrote: > We have always accommodated temporary ACL's for active DDOS attacks. ?I > think that is fairly standard across the ISP/hosting industry. And it's reasonable to accomodate the customer that asks, and reasonable for a customer to ask for a temporary ACL in such situations. However, it's also reasonable for the provider to refuse, and there's nothing wrong with that, unless the provider agreed that they would be willing to do that, and then refused to do something they had already agreed to do. The provider might be especially dissuaded from responding and providing a temporary ACL for free if the DoS is a "small" one based on the provider's definition of small, or if the provider doesn't have or won't allocate the resources to respond, without charging a fee to do so. Or its a cut rate hosting service, and the customer refused to buy the "managed filtering" firewall (or whatever solution). In that case, it's reasonable for the provider to counter the request with "You can buy our such and service, and we will gladly implement that" If this is something you want to be sure you can do, then you should ask the provider about it before signing that colocation contract for IP connectivity, and make sure you have it in writing that the provider will create an ACL on your interface of sufficient length to do what you want.. And be sure you have worked out with the provider how this effects billing in advance. It's quite possible you still have to pay or have said dropped traffic counted against your commit. -- -JH From aservin at lacnic.net Tue Nov 1 19:41:12 2011 From: aservin at lacnic.net (Arturo Servin) Date: Tue, 1 Nov 2011 22:41:12 -0200 Subject: using IPv6 address block across multiple locations In-Reply-To: References:

Message-ID: <0A92D0F6-C7D8-4B24-B208-19DC8BC9E815@lacnic.net> Same from LACNIC. This would have justify a /44 or separate /48s for each site. /as On 31 Oct 2011, at 12:45, Justin M. Streiner wrote: > On Mon, 31 Oct 2011, Owen DeLong wrote: > >> Ideally, you should put a /48 at each location. > > Speaking from my experience with getting v6 space from ARIN earlier this year, as long as your documentation is in pretty good order, a /48 per site is pretty easy to get. > > I don't know if the experience is different with other RIRs. > > jms From edward.avanti at gmail.com Tue Nov 1 20:01:37 2011 From: edward.avanti at gmail.com (Edward avanti) Date: Wed, 2 Nov 2011 11:01:37 +1000 Subject: BGP conf Message-ID: Halo, First, I accept this might not really right list for request, have use nsp cisco list but only first post to was succeed, sent several other for past 4 day and none appear (verified by list archive) so please excuse request. I am in need of a cisco config for BGP setup, we have a require to include IX peering at new location as well as our Verizon link, we like to take full bgp from Verizon and send to IX what they send us, I spend days reading google, and so many conflict web site example, so many example seem insecure no prefix list so on. end result to date is only sore eyes, would someone who do same (not need be Verizon) be kind to send us off list working running config (yes without your password heh) or at least how to apply to BGP router including access/prefix list and interfaces so we have an idea on what do, if you take two full BGP feed from two transit carrierin load share and IX, that good, because that our stage three plan, but I can work without two transit. I am not ignorant with cisco 7201, but am total newby to BGP. Best Thanks Edwardo From MGauvin at dryden.ca Tue Nov 1 20:11:55 2011 From: MGauvin at dryden.ca (Mark Gauvin) Date: Tue, 1 Nov 2011 20:11:55 -0500 Subject: BGP conf In-Reply-To: References: Message-ID: <630EAF96-3375-41ED-A681-F982CCF3A781@dryden.ca> Why would you want to advertise full verizon routes out to the ix? You shoud only be advertising your own network via ix Sent from my iPhone On 2011-11-01, at 7:59 PM, "Edward avanti" wrote: > Halo, > First, I accept this might not really right list for request, have > use nsp > cisco list but only first post to was succeed, sent several other > for past > 4 day and none appear (verified by list archive) so please excuse > request. > > I am in need of a cisco config for BGP setup, we have a require to > include > IX peering at new location as well as our Verizon link, we like to > take > full bgp from Verizon and send to IX what they send us, I spend days > reading google, and so many conflict web site example, so many > example seem > insecure no prefix list so on. end result to date is only sore eyes, > would > someone who do same (not need be Verizon) be kind to send us off list > working running config (yes without your password heh) or at least > how to > apply to BGP router including access/prefix list and interfaces so > we have > an idea on what do, if you take two full BGP feed from two transit > carrierin load share and IX, that good, because that our stage three > plan, > but I can work without two transit. > > I am not ignorant with cisco 7201, but am total newby to BGP. > > Best Thanks > Edwardo From jsw at inconcepts.biz Tue Nov 1 20:17:47 2011 From: jsw at inconcepts.biz (Jeff Wheeler) Date: Tue, 1 Nov 2011 21:17:47 -0400 Subject: BGP conf In-Reply-To: References: Message-ID: On Tue, Nov 1, 2011 at 9:01 PM, Edward avanti wrote: > many example seem > insecure no prefix list so on. ... > I am not ignorant with cisco 7201, but am total newby to BGP. Your concern about a lack of any prefix-lists in the documentation / examples you have read is justified. If you are connecting to an IX it may offer route-servers which have prefix-lists maintained by the IX staff and tools. However, as you may already know, you will only receive the "best path" to each prefix from an IX route-server. This is often a motive (among others) to establish direct eBGP sessions with other IX members. Once you start doing that, you had better filter routes from those neighbors, or you will subject your network to your peers' mistakes and glitches. If you imagine that the IX has other members like yourself, who also do not know much about BGP, then you can understand why you do not want your peers' mistakes to cause outages on your network. Doing a "cut, replace, and paste" from online examples is obviously a bad idea. If I were you, I would find a local consultant (perhaps someone on the staff of the IX or another member) who can assist you with your initial configuration, and help you in the event of a severe emergency. Otherwise, frankly, you are going to be better off by just buying transit from Verizon and being single-homed. The added complexity of BGP is not an asset to an organization that doesn't have adequate expertise. -- Jeff S Wheeler Sr Network Operator? /? Innovative Network Concepts From edward.avanti at gmail.com Tue Nov 1 20:18:15 2011 From: edward.avanti at gmail.com (Edward avanti) Date: Wed, 2 Nov 2011 11:18:15 +1000 Subject: BGP conf In-Reply-To: <630EAF96-3375-41ED-A681-F982CCF3A781@dryden.ca> References: <630EAF96-3375-41ED-A681-F982CCF3A781@dryden.ca> Message-ID: Halo, I am not, I wish all transit by Verizon, but if traffic come in from IX, it only fair I send trafic to them if they in that IX, they be closest path anyway. On Wed, Nov 2, 2011 at 11:11 AM, Mark Gauvin wrote: > Why would you want to advertise full verizon routes out to the ix? You > shoud only be advertising your own network via ix > > Sent from my iPhone > > On 2011-11-01, at 7:59 PM, "Edward avanti" > wrote: > > > Halo, > > First, I accept this might not really right list for request, have > > use nsp > > cisco list but only first post to was succeed, sent several other > > for past > > 4 day and none appear (verified by list archive) so please excuse > > request. > > > > I am in need of a cisco config for BGP setup, we have a require to > > include > > IX peering at new location as well as our Verizon link, we like to > > take > > full bgp from Verizon and send to IX what they send us, I spend days > > reading google, and so many conflict web site example, so many > > example seem > > insecure no prefix list so on. end result to date is only sore eyes, > > would > > someone who do same (not need be Verizon) be kind to send us off list > > working running config (yes without your password heh) or at least > > how to > > apply to BGP router including access/prefix list and interfaces so > > we have > > an idea on what do, if you take two full BGP feed from two transit > > carrierin load share and IX, that good, because that our stage three > > plan, > > but I can work without two transit. > > > > I am not ignorant with cisco 7201, but am total newby to BGP. > > > > Best Thanks > > Edwardo > From Gabriel.McCall at thyssenkrupp.com Tue Nov 1 21:28:35 2011 From: Gabriel.McCall at thyssenkrupp.com (McCall, Gabriel) Date: Tue, 1 Nov 2011 22:28:35 -0400 Subject: BGP conf In-Reply-To: References: Message-ID: Google for "team cymru secure bgp template" for a good starting point. -----Original message----- From: Edward avanti To: "nanog at nanog.org" Sent: Wed, Nov 2, 2011 01:01:37 GMT+00:00 Subject: BGP conf Halo, First, I accept this might not really right list for request, have use nsp cisco list but only first post to was succeed, sent several other for past 4 day and none appear (verified by list archive) so please excuse request. I am in need of a cisco config for BGP setup, we have a require to include IX peering at new location as well as our Verizon link, we like to take full bgp from Verizon and send to IX what they send us, I spend days reading google, and so many conflict web site example, so many example seem insecure no prefix list so on. end result to date is only sore eyes, would someone who do same (not need be Verizon) be kind to send us off list working running config (yes without your password heh) or at least how to apply to BGP router including access/prefix list and interfaces so we have an idea on what do, if you take two full BGP feed from two transit carrierin load share and IX, that good, because that our stage three plan, but I can work without two transit. I am not ignorant with cisco 7201, but am total newby to BGP. Best Thanks Edwardo From jeff-kell at utc.edu Tue Nov 1 21:42:38 2011 From: jeff-kell at utc.edu (Jeff Kell) Date: Tue, 1 Nov 2011 22:42:38 -0400 Subject: Random five character string added to URLs? In-Reply-To: References: Message-ID: <4EB0AE1E.3090904@utc.edu> On 11/1/2011 7:05 PM, Stefan Fouant wrote: > Is there anything perhaps protecting or intercepting the data on its way to the server, perhaps an Arbor device of some type of load balancer? > > This type of behavior is quite common when protecting web assets to eliminate zombies and such, but its usually something you would see back to the clients, not tp the server. I have seen this in SEO-poisoning type of webpage defacement. They anchor a javascript in the main website "frame" and it generates optimization "links" using a numeric suffix or ?argument so that they appear as separate links. If the crawler is recognized (e.g., googlebot) then the SEO page is returned. Jeff From asr at latency.net Wed Nov 2 10:53:37 2011 From: asr at latency.net (Adam Rothschild) Date: Wed, 2 Nov 2011 11:53:37 -0400 Subject: Colocation providers and ACL requests In-Reply-To: References: <4EB038E7.4070703@kl.net> Message-ID: On Tue, Nov 1, 2011 at 8:00 PM, Jimmy Hess wrote: > On Tue, Nov 1, 2011 at 1:22 PM, Kevin Loch wrote: >> We have always accommodated temporary ACL's for active DDOS attacks. ?I >> think that is fairly standard across the ISP/hosting industry. Indeed. We'll do it; ditto every reputable hosting, collocation, or IP transit shop I've come into contact with. > And it's reasonable to accomodate the customer that asks, and > reasonable for a customer to ask for > a temporary ACL in such situations. > > However, it's also reasonable for the provider to refuse, ?and there's > nothing wrong with that, unless the provider agreed that they would be > willing to do that [...] Disagree. Furthermore, I think providers refusing to implement temporary ACLs should be called out on fora such as NANOG, to aid others in the vendor selection process. This is not to say it's sustainable as a repeat or permanent configuration -- possible up-sell and business drivers aside, TCAM exhaustion, performance implications, and man-hours required for ACL maintenance are all very real concerns -- but denying your customers this type of emergency response is bad for the Internet, and goes against basic tenets of customer service. -a From dholmes at mwdh2o.com Wed Nov 2 10:54:16 2011 From: dholmes at mwdh2o.com (Holmes,David A) Date: Wed, 2 Nov 2011 08:54:16 -0700 Subject: BGP conf In-Reply-To: References:

Message-ID: <922ACC42D498884AA02B3565688AF99533FF197C1D@USEXMBS01.mwd.h2o> This is a perfect example of why it is crucial that inbound route filters be scrupulously maintained in upstream BGP providers. Who knows who is out there. -----Original Message----- From: McCall, Gabriel [mailto:Gabriel.McCall at thyssenkrupp.com] Sent: Tuesday, November 01, 2011 7:29 PM To: Edward avanti; nanog at nanog.org Subject: Re: BGP conf Google for "team cymru secure bgp template" for a good starting point. -----Original message----- From: Edward avanti To: "nanog at nanog.org" Sent: Wed, Nov 2, 2011 01:01:37 GMT+00:00 Subject: BGP conf Halo, First, I accept this might not really right list for request, have use nsp cisco list but only first post to was succeed, sent several other for past 4 day and none appear (verified by list archive) so please excuse request. I am in need of a cisco config for BGP setup, we have a require to include IX peering at new location as well as our Verizon link, we like to take full bgp from Verizon and send to IX what they send us, I spend days reading google, and so many conflict web site example, so many example seem insecure no prefix list so on. end result to date is only sore eyes, would someone who do same (not need be Verizon) be kind to send us off list working running config (yes without your password heh) or at least how to apply to BGP router including access/prefix list and interfaces so we have an idea on what do, if you take two full BGP feed from two transit carrierin load share and IX, that good, because that our stage three plan, but I can work without two transit. I am not ignorant with cisco 7201, but am total newby to BGP. Best Thanks Edwardo This communication, together with any attachments or embedded links, is for the sole use of the intended recipient(s) and may contain information that is confidential or legally protected. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, dissemination, distribution or use of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by return e-mail message and delete the original and all copies of the communication, along with any attachments or embedded links, from your system. From bhuffake at caida.org Wed Nov 2 12:31:51 2011 From: bhuffake at caida.org (Bradley Huffaker) Date: Wed, 2 Nov 2011 10:31:51 -0700 Subject: Mexico? In-Reply-To: <00c401cc9521$2ad65250$8082f6f0$@gmail.com> References: <00c401cc9521$2ad65250$8082f6f0$@gmail.com> Message-ID: <20111102173151.GB23566@caida.org> LACNIC http://lacnic.net/en/index.html On Thu, Oct 27, 2011 at 11:24:54PM -0400, Ryan Finnesey wrote: > If I want to get a block of IP's issued for a network within Mexico who do I > talk with? I have been told arin does not cover Mexico. It was my > understand arin covers North America. > > > > Cheers > > Ryan > > -- true liberty is the right to be wrong From itsmemattchung at gmail.com Wed Nov 2 16:57:37 2011 From: itsmemattchung at gmail.com (Matt Chung) Date: Wed, 2 Nov 2011 14:57:37 -0700 Subject: Performance Issues - PTR Records Message-ID: I work for a regional ISP and very recently there has been an influx of calls reporting "slowness" when accessing certain websites (i.e google.com/voice/b) via HTTP. After performing a tcpdump and analyzing the session, I have been able to pinpoint the latency at the application layer. After the tcp session has been established, it takes up to 15-20 seconds before the application begins sending data. The root of the problem was that the PTR record for our customer(s) address does not exist. As soon as the record is created, latency from the application is eliminated. This is analogous to latency when accessing a server over SSH when no PTR is available. A seperate packet capture from another customer exhibiting similar performance behavior showed many TCP retransmissions. At first glance, I assumed this was network related however this correlates with the application not responding and inducing retransmissions at the TCP layer (different symptoms, same problem). Historically, there was no compelling reason to create PTR records for our CPE however more and more applications seem to be dependent on it. Although we will be assigning a record for each address, my question is why is the application (specifically HTTP) dependent on a reverse record ? What is the purpose? Hope this is helpful as well -- -Matt Chung From jeffw at he.net Wed Nov 2 17:02:57 2011 From: jeffw at he.net (Jeff Walter) Date: Wed, 02 Nov 2011 15:02:57 -0700 Subject: Performance Issues - PTR Records In-Reply-To: References: Message-ID: <4EB1BE11.7050600@he.net> On 11/2/2011 2:57 PM, Matt Chung wrote: > > Although we will be assigning a record for each address, my question is why > is the application (specifically HTTP) dependent on a reverse record ? > What is the purpose? HTTP has no requirement that the connecting client have reverse DNS setup. Some servers have reverse lookups enabled, and some of those undoubtedly block until the record has been retrieved or all avenues of discovery have been exhausted... and this is likely where the issue exists. As to why the server or the script/application its running needs the record, you'd have to ask the developer. -- Jeff Walter Network Engineer Hurricane Electric, AS6939 -------------- next part -------------- A non-text attachment was scrubbed... Name: jeffw.vcf Type: text/x-vcard Size: 314 bytes Desc: not available URL: From tayeb.meftah at gmail.com Tue Nov 1 15:36:29 2011 From: tayeb.meftah at gmail.com (Meftah Tayeb) Date: Tue, 1 Nov 2011 22:36:29 +0200 Subject: IPV6 6to4 and 6In4 Lab Message-ID: <189B79EF119C4BEA96374EAAD13D8594@work> Hello folks, i'm posting this Message to both nanog and afnog lists preferably if i can get one from afnog to work with me a bit for routing IPV6 prefixs over him using at least static or OSPFv3 or BGP (at you like) i want to anounce my /48 optained from a friend as number) and 2002::/16 (6to4 prefixs=) at least for 10min to see real IPV6 traffic. if someone want to help me, please contact me thank you Meftah Tayeb IT Consulting http://www.tmvoip.com/ phone: +21321656139 Mobile: +213660347746 __________ Information from ESET NOD32 Antivirus, version of virus signature database 6596 (20111102) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com From dhubbard at dino.hostasaurus.com Wed Nov 2 17:12:21 2011 From: dhubbard at dino.hostasaurus.com (David Hubbard) Date: Wed, 2 Nov 2011 18:12:21 -0400 Subject: Performance Issues - PTR Records Message-ID: From: Matt Chung [mailto:itsmemattchung at gmail.com] > > Historically, there was no compelling reason to create PTR > records for our CPE however more and more applications seem > to be dependent on it. Although we will be assigning a > record for each address, my question is why > is the application (specifically HTTP) dependent on a reverse record ? > What is the purpose? > As a web host, we frequently find customers who have added Apache rules to their ecommerce sites to block undesirable traffic, such as credit card scammers, etc. Not knowing any better, they often do this by just blocking anything that ends in .in to block Indonesia for example. Well, once you choose to block by resolved name, now that site has to do a dns lookup for every incoming request to see if it resolves to a name that should be blocked. Just one example, but I'm sure there are countless others that also impede performance for IP addresses without a PTR record. David From arturo.servin at gmail.com Wed Nov 2 17:37:29 2011 From: arturo.servin at gmail.com (Arturo Servin) Date: Wed, 2 Nov 2011 20:37:29 -0200 Subject: IPV6 6to4 and 6In4 Lab In-Reply-To: <189B79EF119C4BEA96374EAAD13D8594@work> References: <189B79EF119C4BEA96374EAAD13D8594@work> Message-ID: <8E119D82-A02D-4B1F-87F8-D6BA00178F5D@gmail.com> Why don't you use just a tunnelbroker? I would take just a few minutes to setup a tunnel. From there, you can do a lot of stuff inside your network. My 2 cents /as On 1 Nov 2011, at 18:36, Meftah Tayeb wrote: > Hello folks, > i'm posting this Message to both nanog and afnog lists > preferably if i can get one from afnog to work with me a bit for routing IPV6 prefixs over him using at least static or OSPFv3 or BGP (at you like) > i want to anounce my /48 optained from a friend as number) and 2002::/16 (6to4 prefixs=) at least for 10min to see real IPV6 traffic. > if someone want to help me, please contact me > thank you > Meftah Tayeb > IT Consulting > http://www.tmvoip.com/ > phone: +21321656139 > Mobile: +213660347746 > > > __________ Information from ESET NOD32 Antivirus, version of virus signature database 6596 (20111102) __________ > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com From tayeb.meftah at gmail.com Tue Nov 1 16:03:47 2011 From: tayeb.meftah at gmail.com (Meftah Tayeb) Date: Tue, 1 Nov 2011 23:03:47 +0200 Subject: IPV6 6to4 and 6In4 Lab References: <189B79EF119C4BEA96374EAAD13D8594@work> <8E119D82-A02D-4B1F-87F8-D6BA00178F5D@gmail.com> Message-ID: <10C73E92DC014C21A2F42E32ED5F7628@work> like i say, no routing HE.Nett won accept me cause i don't have a AS number ----- Original Message ----- From: "Arturo Servin" To: "Meftah Tayeb" Cc: ; Sent: Thursday, November 03, 2011 12:37 AM Subject: Re: IPV6 6to4 and 6In4 Lab Why don't you use just a tunnelbroker? I would take just a few minutes to setup a tunnel. From there, you can do a lot of stuff inside your network. My 2 cents /as On 1 Nov 2011, at 18:36, Meftah Tayeb wrote: > Hello folks, > i'm posting this Message to both nanog and afnog lists > preferably if i can get one from afnog to work with me a bit for routing > IPV6 prefixs over him using at least static or OSPFv3 or BGP (at you like) > i want to anounce my /48 optained from a friend as number) and 2002::/16 > (6to4 prefixs=) at least for 10min to see real IPV6 traffic. > if someone want to help me, please contact me > thank you > Meftah Tayeb > IT Consulting > http://www.tmvoip.com/ > phone: +21321656139 > Mobile: +213660347746 > > > __________ Information from ESET NOD32 Antivirus, version of virus > signature database 6596 (20111102) __________ > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 6596 (20111102) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 6596 (20111102) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com From mpalmer at hezmatt.org Wed Nov 2 18:02:15 2011 From: mpalmer at hezmatt.org (Matthew Palmer) Date: Thu, 3 Nov 2011 10:02:15 +1100 Subject: Performance Issues - PTR Records In-Reply-To: References: Message-ID: <20111102230215.GM3297@hezmatt.org> On Wed, Nov 02, 2011 at 06:12:21PM -0400, David Hubbard wrote: > From: Matt Chung [mailto:itsmemattchung at gmail.com] > > Historically, there was no compelling reason to create PTR > > records for our CPE however more and more applications seem > > to be dependent on it. Although we will be assigning a > > record for each address, my question is why > > is the application (specifically HTTP) dependent on a reverse record ? > > What is the purpose? > > As a web host, we frequently find customers who have > added Apache rules to their ecommerce sites to block > undesirable traffic, such as credit card scammers, etc. > Not knowing any better, they often do this by just > blocking anything that ends in .in to block Indonesia > for example. That's even less effective than you'd naively expect, given that Indonesia's TLD is .id... - Matt From dhubbard at dino.hostasaurus.com Wed Nov 2 18:05:04 2011 From: dhubbard at dino.hostasaurus.com (David Hubbard) Date: Wed, 2 Nov 2011 19:05:04 -0400 Subject: Performance Issues - PTR Records Message-ID: From: Matthew Palmer [mailto:mpalmer at hezmatt.org] > > That's even less effective than you'd naively expect, given > that Indonesia's > TLD is .id... > Umm yeah, simple typo, but I appreciate the help. From bzs at world.std.com Wed Nov 2 18:08:47 2011 From: bzs at world.std.com (Barry Shein) Date: Wed, 2 Nov 2011 19:08:47 -0400 Subject: Performance Issues - PTR Records In-Reply-To: References: Message-ID: <20145.52607.535238.692116@world.std.com> > As a web host, we frequently find customers who have > added Apache rules to their ecommerce sites to block > undesirable traffic, such as credit card scammers, etc. > Not knowing any better, they often do this by just > blocking anything that ends in .in to block Indonesia > for example. Well, once you choose to block by > resolved name, now that site has to do a dns lookup > for every incoming request to see if it resolves to a > name that should be blocked. Another practical problem with this approach is that .IN is India but hey, at least it blocks something :-) -- -Barry Shein, that'd be .ID for Indonesia The World | bzs at TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo* From ben at bjencks.net Wed Nov 2 18:19:37 2011 From: ben at bjencks.net (Ben Jencks) Date: Wed, 2 Nov 2011 19:19:37 -0400 Subject: Performance Issues - PTR Records In-Reply-To: References: Message-ID: <25ECCB35-6EE1-40BE-8B35-6A6994318C80@bjencks.net> On Nov 2, 2011, at 5:57 PM, Matt Chung wrote: > I work for a regional ISP and very recently there has been an influx of > calls reporting "slowness" when accessing certain websites (i.e > google.com/voice/b) via HTTP. After performing a tcpdump and analyzing the > session, I have been able to pinpoint the latency at the application > layer. After the tcp session has been established, it takes up to 15-20 > seconds before the application begins sending data. The root of the > problem was that the PTR record for our customer(s) address does not > exist. As soon as the record is created, latency from the application is > eliminated. This is analogous to latency when accessing a server over SSH > when no PTR is available. > > A seperate packet capture from another customer exhibiting similar > performance behavior showed many TCP retransmissions. At first glance, I > assumed this was network related however this correlates with the > application not responding and inducing retransmissions at the TCP layer > (different symptoms, same problem). > > Historically, there was no compelling reason to create PTR records for our > CPE however more and more applications seem to be dependent on it. > Although we will be assigning a record for each address, my question is why > is the application (specifically HTTP) dependent on a reverse record ? > What is the purpose? You're returning NXDOMAIN, right? If they're doing a reverse lookup and you return NXDOMAIN it should fail quickly, or else the application is even more horribly broken than just doing reverse lookups would imply. On the other hand, if you're not responding to the PTR request then that could be causing the timeout. -Ben From edward.avanti at gmail.com Wed Nov 2 18:50:59 2011 From: edward.avanti at gmail.com (Edward avanti) Date: Thu, 3 Nov 2011 09:50:59 +1000 Subject: BGP conf In-Reply-To: <922ACC42D498884AA02B3565688AF99533FF197C1D@USEXMBS01.mwd.h2o> References:

<922ACC42D498884AA02B3565688AF99533FF197C1D@USEXMBS01.mwd.h2o> Message-ID: Halo, sorry, my english not so perfect, at no time I mean send to IX what Verizon send me, I'm not THAT stupid hehe I mean if destination/origin is via IX, then send THAT traffic only by IX and not Verizon. On Thu, Nov 3, 2011 at 1:54 AM, Holmes,David A wrote: > This is a perfect example of why it is crucial that inbound route filters > be scrupulously maintained in upstream BGP providers. Who knows who is out > there. > > -----Original Message----- > From: McCall, Gabriel [mailto:Gabriel.McCall at thyssenkrupp.com] > Sent: Tuesday, November 01, 2011 7:29 PM > To: Edward avanti; nanog at nanog.org > Subject: Re: BGP conf > > Google for "team cymru secure bgp template" for a good starting point. > > > -----Original message----- > From: Edward avanti > To: "nanog at nanog.org" > Sent: Wed, Nov 2, 2011 01:01:37 GMT+00:00 > Subject: BGP conf > > Halo, > First, I accept this might not really right list for request, have use nsp > cisco list but only first post to was succeed, sent several other for past > 4 day and none appear (verified by list archive) so please excuse request. > > I am in need of a cisco config for BGP setup, we have a require to include > IX peering at new location as well as our Verizon link, we like to take > full bgp from Verizon and send to IX what they send us, I spend days > reading google, and so many conflict web site example, so many example seem > insecure no prefix list so on. end result to date is only sore eyes, would > someone who do same (not need be Verizon) be kind to send us off list > working running config (yes without your password heh) or at least how to > apply to BGP router including access/prefix list and interfaces so we have > an idea on what do, if you take two full BGP feed from two transit > carrierin load share and IX, that good, because that our stage three plan, > but I can work without two transit. > > I am not ignorant with cisco 7201, but am total newby to BGP. > > Best Thanks > Edwardo > > > This communication, together with any attachments or embedded links, is > for the sole use of the intended recipient(s) and may contain information > that is confidential or legally protected. If you are not the intended > recipient, you are hereby notified that any review, disclosure, copying, > dissemination, distribution or use of this communication is strictly > prohibited. If you have received this communication in error, please notify > the sender immediately by return e-mail message and delete the original and > all copies of the communication, along with any attachments or embedded > links, from your system. > From jsw at inconcepts.biz Wed Nov 2 19:01:05 2011 From: jsw at inconcepts.biz (Jeff Wheeler) Date: Wed, 2 Nov 2011 20:01:05 -0400 Subject: BGP conf In-Reply-To: References:

<922ACC42D498884AA02B3565688AF99533FF197C1D@USEXMBS01.mwd.h2o> Message-ID: On Wed, Nov 2, 2011 at 7:50 PM, Edward avanti wrote: > sorry, my english not so perfect, at no time I mean send to IX what Verizon > send me, I'm not THAT stupid hehe > I mean if destination/origin is via IX, then send THAT traffic only by IX > and not Verizon. I understood what you mean. The recommendations in my earlier reply are still the best ones you've received: 1) hire a consultant to assist you both now and with any future problems or 2) do not worry about being multi-homed, because the extra complexity will do you more harm than good Imagine if you took your car to a shop and asked for new tires, and the mechanic said, "well, I have never changed tires before and I'm not sure I have the right tools, but if you give me a couple of days I think I can read about it on the Internet and figure it out." Of course you would not buy tires from him, you would go to another shop. That mechanic would quickly find that, if he wants to sell tires, he needs to learn how to install them or hire someone to do it for him. What you are asking your boss/company to do is trust you to put tires on their car without the right tools or knowledge. The result of that is probably how your network will end up: "a wreck." -- Jeff S Wheeler Sr Network Operator? /? Innovative Network Concepts From mysidia at gmail.com Wed Nov 2 19:38:30 2011 From: mysidia at gmail.com (Jimmy Hess) Date: Wed, 2 Nov 2011 19:38:30 -0500 Subject: Performance Issues - PTR Records In-Reply-To: <20145.52607.535238.692116@world.std.com> References: <20145.52607.535238.692116@world.std.com> Message-ID: On Wed, Nov 2, 2011 at 6:08 PM, Barry Shein wrote: > Another practical problem with this approach is that .IN is India but > hey, at least it blocks something :-) There are also some services out there that block connections entirely, if the user doesn't have a PTR record. I'm thinking IRC servers, MUDs, and some other services with strange security policies that check for a port 113 IDENT response and RDNS to make a dark magic security decision to block a user who has no PTR. But in the modern world... more commonly, MTAs such as sendmail are often configured to require a valid PTR record. So as an ISP, you may be breaking your user's local MTA if you don't have the correct PTR for their IP addresses. So I would say following the RFCs and implementing the proper PTRs will help with that performance issue as a side-effect of having a valid zone, and head off other issues with possibly less popular services that are still blocking connections based on lack of proper PTR. :) > -- > ? ? ? ?-Barry Shein, that'd be .ID for Indonesia -- -JH From jbates at brightok.net Wed Nov 2 19:44:48 2011 From: jbates at brightok.net (Jack Bates) Date: Wed, 02 Nov 2011 19:44:48 -0500 Subject: BGP conf In-Reply-To: References: