From mohta at necom830.hpcl.titech.ac.jp Sun Jan 1 06:21:38 2012
From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta)
Date: Sun, 01 Jan 2012 21:21:38 +0900
Subject: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?
In-Reply-To:
References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF14814.2080709@bowenvale.co.nz> <4F214584-12C3-42BC-A38B-13D991B9B4A0@muada.com> <4EFB09D8.3000107@necom830.hpcl.titech.ac.jp> <4EFB11F3.1090007@necom830.hpcl.titech.ac.jp> <14160.1325099085@turing-police.cc.vt.edu> <4EFC611E.70601@necom830.hpcl.titech.ac.jp>
Message-ID: <4F004FD2.5090504@necom830.hpcl.titech.ac.jp>

Christian Esteve wrote:

> May be there is some light with Multipath TCP:
> http://www.ietf.org/proceedings/75/slides/mptcp-0.pdf
> http://datatracker.ietf.org/wg/mptcp/charter/

Not bad.

> If you can live without UDP and other issues discussed in this bizarre
> discussion...

A UDP connection, if any, by definition totally depends on users (applications), so handling of multiple addresses must depend on application protocols.

The good news is that DNS, the most major application over UDP, supports multiple addresses of name servers from the beginning.

Anyway, you can still live with applications over UDP without support for multiple addresses.

Masataka Ohta

From mohta at necom830.hpcl.titech.ac.jp Sun Jan 1 06:38:59 2012
From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta)
Date: Sun, 01 Jan 2012 21:38:59 +0900
Subject: L3 consequences of WLAN offload in cellular networks (was - endless DHCPv6 thread)
In-Reply-To: <201112301415.32955.a.harrowell@gmail.com>
References: <201112301415.32955.a.harrowell@gmail.com>
Message-ID: <4F0053E3.6050404@necom830.hpcl.titech.ac.jp>

Alexander Harrowell wrote:

> Alternatively, you can work on the assumption that the WLAN
> is solely for nomadic use rather than true mobility, but a
> lot of devices will prefer the WLAN whenever possible.
>
> Thoughts/experiences?

It depends on applications.
If mobile devices act as clients to 3G servers, what is important is not IP addresses but 3G IDs, which must be authenticated even if the mobile devices use WLAN.

On the other hand, if mobile devices act as servers to clients in the Internet, fixed IP addresses, not necessarily IETF standard mobile IP, are required.

Application developers with their own IP address spaces may bundle services for fixed IP addresses with their applications requiring fixed IP addresses. The applications may use, to maintain the fixed IP addresses, their own protocols at the application layer, or IETF standard mobile IP at the IP layer.

Masataka Ohta

From mohta at necom830.hpcl.titech.ac.jp Sun Jan 1 06:59:31 2012
From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta)
Date: Sun, 01 Jan 2012 21:59:31 +0900
Subject: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?
In-Reply-To:
References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF14814.2080709@bowenvale.co.nz> <4F214584-12C3-42BC-A38B-13D991B9B4A0@muada.com> <4EFB09D8.3000107@necom830.hpcl.titech.ac.jp> <4EFB11F3.1090007@necom830.hpcl.titech.ac.jp> <14160.1325099085@turing-police.cc.vt.edu> <4EFBD594.2000604@necom830.hpcl.titech.ac.jp> <30391.1325139437@turing-police.cc.vt.edu> <82ipkzwxhv.fsf@mid.bfk.de> <38375.1325160093@turing-police.cc.vt.edu> <4EFC62C9.9030101@necom830.hpcl.titech.ac.jp> <44691.1325175089@turing-police.cc.vt.edu> <4EFCE9F8.2040604@necom830.hpcl.titech.ac.jp> <4EFD893C.8010907@necom830.hpcl.titech.ac.jp>
Message-ID: <4F0058B3.4040302@necom830.hpcl.titech.ac.jp>

Ray Soucy wrote:

> Well, it seems now you've also added the requirement that we also
> dramatically re-write all software that makes use of networking.
> Seemingly for the sake of never admitting that you can be wrong.

Thank you for failing to point out where I am wrong.

> You seem to think that the OSI model is this nice and clean model that
> cleanly separates everything and that you can just freely replace
> chunks of it.

Not at all.
Instead, IPv6 is damaged a lot because of ATM, which is based on the so nice and clean OSI model.

> Again, it's like you live in a
> theoretical world where physical limitations and operational realities
> don't exist.

A physical limitation and an operational reality is that we cannot remember 16B addresses.

> Go off and write up the RFCs to make this all work, and come back when
> you have a model implementation we can all look at.

As I warned about ten years ago that IPv6, as it was, is not operational, it's not my responsibility to try to make IPv6 operational within a decade or two.

Instead, I am interested in the fact that IPv4 scales well forever with end to end transparency, if port numbers, which may be 16b, 32b or 48b long, are used for routing.

My most recent research result is how to modify the client IPv4 stack to achieve end to end transparency for clients behind UPnP capable NAT.

Masataka Ohta

From jsmith4112003 at yahoo.co.uk Sun Jan 1 18:12:18 2012
From: jsmith4112003 at yahoo.co.uk (John Smith)
Date: Mon, 2 Jan 2012 00:12:18 +0000 (GMT)
Subject: Does anybody out there use Authentication Header (AH)?
Message-ID: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com>

Hi,

I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.

Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. OR is it that people don't care and just use what their vendors provide them?

Regards,
John

From tshaw at oitc.com Sun Jan 1 18:27:27 2012
From: tshaw at oitc.com (TR Shaw)
Date: Sun, 1 Jan 2012 19:27:27 -0500
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com>
Message-ID: <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com>

On Jan 1, 2012, at 7:12 PM, John Smith wrote:

> Hi,
>
> I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
>
> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. OR is it that people don't care and just use what their vendors provide them?
>
> Regards,
> John

AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another, adding more expense for no increase in operational security.

If you are following NIST or DCID-63, this is required to meet certain integrity requirements.

ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. E.g. the AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.

Think of AH as just signing a PGPMail and ESP as signing and encrypting a PGPMail.

There are reasons for both.

Tom

From glen.kent at gmail.com Sun Jan 1 18:29:22 2012
From: glen.kent at gmail.com (Glen Kent)
Date: Mon, 2 Jan 2012 05:59:22 +0530
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com>
Message-ID:

(Sigh) Here we go again.

AH is a liability and baggage that we're carrying over our weary shoulders. IMO we should have gotten rid of it a long time back. There have been enough emails on multiple forums over this and google is probably your friend here.

The only reason(s) we have AH is because (i) circa early 1990s, the US had export restrictions on encryption keys > 40 bits and ESP thus had restrictions on how it could be used. AH otoh only did authentication, for which the rules were much more relaxed, AND (ii) people earlier naively believed that AH protected the IP header and ESP couldn't.

AH is a mess if you have NATs deployed, as AH breaks NAT. IPv6 proponents thus saw AH as a tool to push IPv6, since they hated NATs (till someone discovered IPv6 NAT-PT, but that's a different story).

Most people think of ESP as "encryption" - they forget that it can be used for data integrity verification without encryption as well.

Glen

On Mon, Jan 2, 2012 at 5:42 AM, John Smith wrote:
> Hi,
>
> I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
>
> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. OR is it that people don't care and just use what their vendors provide them?
>
> Regards,
> John

From jsmith4112003 at yahoo.co.uk Sun Jan 1 18:32:08 2012
From: jsmith4112003 at yahoo.co.uk (John Smith)
Date: Mon, 2 Jan 2012 00:32:08 +0000 (GMT)
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com>
Message-ID: <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com>

Hi Tom,

Thanks for the reply.

Why can't we use ESP/NULL for meeting the NIST requirement? Is there something extra that AH offers here?

Regards,
John

________________________________
From: TR Shaw
To: John Smith
Cc: "nanog at nanog.org"
Sent: Monday, 2 January 2012, 5:57
Subject: Re: Does anybody out there use Authentication Header (AH)?

On Jan 1, 2012, at 7:12 PM, John Smith wrote:

> Hi,
>
> I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
>
> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. OR is it that people don't care and just use what their vendors provide them?
>
> Regards,
> John

AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another, adding more expense for no increase in operational security.

If you are following NIST or DCID-63, this is required to meet certain integrity requirements.

ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. E.g. the AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.
Think of AH as just signing a PGPMail and ESP as signing and encrypting a PGPMail.

There are reasons for both.

Tom

From thegameiam at yahoo.com Sun Jan 1 18:36:24 2012
From: thegameiam at yahoo.com (David Barak)
Date: Sun, 1 Jan 2012 16:36:24 -0800 (PST)
Subject: Does anybody out there use Authentication Header (AH)?
Message-ID: <1325464584.87152.YahooMailMobile@web31804.mail.mud.yahoo.com>

It can be used to prevent NAT on an intermediate path, which can be useful under certain circumstances. I have seen it in the wild, both in Internet and private networking contexts.

David Barak

From cra at WPI.EDU Sun Jan 1 18:57:54 2012
From: cra at WPI.EDU (Chuck Anderson)
Date: Sun, 1 Jan 2012 19:57:54 -0500
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <1325464584.87152.YahooMailMobile@web31804.mail.mud.yahoo.com>
References: <1325464584.87152.YahooMailMobile@web31804.mail.mud.yahoo.com>
Message-ID: <20120102005754.GR14970@angus.ind.WPI.EDU>

I'm using AH for OSPFv2 and OSPFv3 authentication. For OSPFv3, there is no other option than some kind of IPsec for authentication. I'm also using it for OSPFv2 so I don't have to maintain multiple authentication methods and keys for the different protocols.

From glen.kent at gmail.com Sun Jan 1 19:04:56 2012
From: glen.kent at gmail.com (Glen Kent)
Date: Mon, 2 Jan 2012 06:34:56 +0530
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <20120102005754.GR14970@angus.ind.WPI.EDU>
References: <1325464584.87152.YahooMailMobile@web31804.mail.mud.yahoo.com> <20120102005754.GR14970@angus.ind.WPI.EDU>
Message-ID:

On Mon, Jan 2, 2012 at 6:27 AM, Chuck Anderson wrote:
> I'm using AH for OSPFv2 and OSPFv3 authentication. For OSPFv3, there
> is no other option than some kind of IPsec for authentication. I'm
> also using it for OSPFv2 so I don't have to maintain multiple
> authentication methods and keys for the different protocols.
The OSPF WG has come out with a mechanism that can be used to secure OSPFv3 without IPsec - http://tools.ietf.org/html/draft-ietf-ospf-auth-trailer-ospfv3-11

It should get published as an RFC any time now.

BTW, there isn't any standard for using IPsec with OSPFv2, so you're probably using a proprietary solution. I think a better solution is to move to OSPFv3-AT, as it's very similar to OSPFv2 authentication.

Glen

From tshaw at oitc.com Sun Jan 1 19:34:28 2012
From: tshaw at oitc.com (TR Shaw)
Date: Sun, 1 Jan 2012 20:34:28 -0500
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com>
Message-ID: <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com>

John,

Unlike AH, ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. Thus, you need AH to authenticate the integrity of the outer header packet information.

Again, just like PGPMail as I explained before,

Tom

On Jan 1, 2012, at 7:32 PM, John Smith wrote:

> Hi Tom,
>
> Thanks for the reply.
>
> Why can't we use ESP/NULL for meeting the NIST requirement? Is there something extra that AH offers here?
>
> Regards,
> John
>
> From: TR Shaw
> To: John Smith
> Cc: "nanog at nanog.org"
> Sent: Monday, 2 January 2012, 5:57
> Subject: Re: Does anybody out there use Authentication Header (AH)?
>
>
> On Jan 1, 2012, at 7:12 PM, John Smith wrote:
>
> > Hi,
> >
> > I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
> >
> > Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. OR is it that people don't care and just use what their vendors provide them?
> >
> > Regards,
> > John
>
> AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another, adding more expense for no increase in operational security.
>
> If you are following NIST or DCID-63, this is required to meet certain integrity requirements.
>
> ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. E.g. the AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.
>
> Think of AH as just signing a PGPMail and ESP as signing and encrypting a PGPMail.
>
> There are reasons for both.
>
> Tom
>
>

From smb at cs.columbia.edu Sun Jan 1 19:50:29 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Sun, 1 Jan 2012 20:50:29 -0500
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com> <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com>
Message-ID: <97DDC358-2C4A-4AAD-B176-72F2BC64A47B@cs.columbia.edu>

On Jan 1, 2012, at 8:34 PM, TR Shaw wrote:

> John,
>
> Unlike AH, ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. Thus, you need AH to authenticate the integrity of the outer header packet information.

Not quite. While the cryptographic integrity check does not cover the source and destination addresses -- the really interesting part of the outer header -- they're bound to the security association, and hence checked separately. Below is a note I sent to the IPsec mailing list in 1999.

That, however, is not the question that is being asked here. The IPsecme working group has been over those issues repeatedly; your (non)-issue and (slightly) more substantive issues about IPv6 have been rehashed ad nauseam. The questions on the table now are, first, are operators using AH, and if so is ESP with NULL encryption an option?

                --Steve Bellovin, https://www.cs.columbia.edu/~smb


        One of the biggest reasons we have AH is because there _are_
        some things in the middle of the "IP header" that need to be
        authenticated for them to be simultaneously safe and useful.
        The biggest example of this is source routing.

In my opinion -- and I've posted this before -- there's nothing in the IP header that's both interesting and protected.
You can't protect the source routing option, since the next-hop pointer changes en route. Appendix A of the AH draft recognizes that, and lists it as 'mutable -- zeroed'.

When you look over the list of IP header fields and options that are either immutable or predictable, you find that the only things that are really of interest are the source and destination addresses and the security label. To the extent that we want to protect the addresses -- a point that's very unclear to me -- they're bound to the security association. The security label certainly should be. If you're using security labels (almost no one does) and you don't have the facilities to bind it at key management time, use tunnel mode and be done with it.

        I'll admit that I've never been in the operations business, but
        I've been told that source routing is a very useful tool for
        diagnosing some classes of problems. AH allows source routing
        to be useful again w/o opening the holes it opens.

Well, yes, but not for the reason you specify. The problem with source routing is that it makes address-spoofing trivial. With AH, people will either verify certificate names -- the right way to do things -- or they'll bind a certificate to the source address, and use AH to verify the legitimacy of it. The route specified has nothing to do with it, and ESP with null encryption does the same thing.

I don't like AH, either in concept or design (and in particular I don't like the way it commits layer violations). Its only real use, as I see it, is to answer Greg Minshall's objections -- it leaves the port numbers in the clear, and visible in a context-independent fashion. With null encryption, the monitoring station has to know that that was selected. But I'm very far from convinced that these issues are important enough to justify AH.

All that notwithstanding, this is not a new issue. We've been over this ground before in the working group. Several of us, myself included, suggested deleting AH. We lost.
Fine; so be it. Let's ship the documents and be done with it.

From kohn.jack at gmail.com Sun Jan 1 19:56:51 2012
From: kohn.jack at gmail.com (Jack Kohn)
Date: Mon, 2 Jan 2012 07:26:51 +0530
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <97DDC358-2C4A-4AAD-B176-72F2BC64A47B@cs.columbia.edu>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com> <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com> <97DDC358-2C4A-4AAD-B176-72F2BC64A47B@cs.columbia.edu>
Message-ID:

The __exact__ same discussion is happening on the IPsecME WG right now.

http://www.ietf.org/mail-archive/web/ipsec/current/msg07346.html

It seems there is yet another effort being made to "retire" AH so that we have less # of options to deal with. This time there is some support for it ..

Jack

On Mon, Jan 2, 2012 at 7:20 AM, Steven Bellovin wrote:
>
> On Jan 1, 2012, at 8:34 PM, TR Shaw wrote:
>
>> John,
>>
>> Unlike AH, ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. Thus, you need AH to authenticate the integrity of the outer header packet information.
>
>
> Not quite. While the cryptographic integrity check does not cover the source and destination addresses -- the really interesting part of the outer header -- they're bound to the security association, and hence checked separately. Below is a note I sent to the IPsec mailing list in 1999.
>
> That, however, is not the question that is being asked here.
> The IPsecme working group has been over those issues repeatedly; your (non)-issue and (slightly) more substantive issues about IPv6 have been rehashed ad nauseam. The questions on the table now are, first, are operators using AH, and if so is ESP with NULL encryption an option?
>
>                 --Steve Bellovin, https://www.cs.columbia.edu/~smb
>
>
>         One of the biggest reasons we have AH is because there _are_
>         some things in the middle of the "IP header" that need to be
>         authenticated for them to be simultaneously safe and useful.
>         The biggest example of this is source routing.
>
> In my opinion -- and I've posted this before -- there's nothing in the
> IP header that's both interesting and protected. You can't protect the
> source routing option, since the next-hop pointer changes en route.
> Appendix A of the AH draft recognizes that, and lists it as 'mutable --
> zeroed'.
>
> When you look over the list of IP header fields and options that are
> either immutable or predictable, you find that the only things that are
> really of interest are the source and destination addresses and the
> security label. To the extent that we want to protect the addresses --
> a point that's very unclear to me -- they're bound to the security
> association. The security label certainly should be. If you're using
> security labels (almost no one does) and you don't have the facilities
> to bind it at key management time, use tunnel mode and be done with it.
>
>         I'll admit that I've never been in the operations business, but
>         I've been told that source routing is a very useful tool for
>         diagnosing some classes of problems. AH allows source routing
>         to be useful again w/o opening the holes it opens.
>
> Well, yes, but not for the reason you specify. The problem with source
> routing is that it makes address-spoofing trivial.
> With AH, people
> will either verify certificate names -- the right way to do things --
> or they'll bind a certificate to the source address, and use AH to
> verify the legitimacy of it. The route specified has nothing to do
> with it, and ESP with null encryption does the same thing.
>
> I don't like AH, either in concept or design (and in particular I don't
> like the way it commits layer violations). Its only real use, as I see
> it, is to answer Greg Minshall's objections -- it leaves the port
> numbers in the clear, and visible in a context-independent fashion.
> With null encryption, the monitoring station has to know that that was
> selected. But I'm very far from convinced that these issues are
> important enough to justify AH.
>
> All that notwithstanding, this is not a new issue. We've been over
> this ground before in the working group. Several of us, myself
> included, suggested deleting AH. We lost. Fine; so be it. Let's ship
> the documents and be done with it.

From smb at cs.columbia.edu Sun Jan 1 20:03:02 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Sun, 1 Jan 2012 21:03:02 -0500
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To:
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com> <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com> <97DDC358-2C4A-4AAD-B176-72F2BC64A47B@cs.columbia.edu>
Message-ID: <042E9E42-4D3B-4F0D-B1C6-DBBE9F3AD4FE@cs.columbia.edu>

Yes, I know; I'm on that list. John Smith decided to see if reality matched theory -- always a good thing to do -- and asked here.

Btw, it's not just "this time there is some support for it"; AH was downgraded to "MAY" in RFC 4301 in 2005.

On Jan 1, 2012, at 8:56 PM, Jack Kohn wrote:

> The __exact__ same discussion is happening on the IPsecME WG right now.
>
> http://www.ietf.org/mail-archive/web/ipsec/current/msg07346.html
>
> It seems there is yet another effort being made to "retire" AH so that
> we have less # of options to deal with. This time there is some
> support for it ..
>
> Jack
>
> On Mon, Jan 2, 2012 at 7:20 AM, Steven Bellovin wrote:
>>
>> On Jan 1, 2012, at 8:34 PM, TR Shaw wrote:
>>
>>> John,
>>>
>>> Unlike AH, ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. Thus, you need AH to authenticate the integrity of the outer header packet information.
>>
>>
>> Not quite. While the cryptographic integrity check does not cover the source and destination addresses -- the really interesting part of the outer header -- they're bound to the security association, and hence checked separately. Below is a note I sent to the IPsec mailing list in 1999.
>>
>> That, however, is not the question that is being asked here. The IPsecme working group has been over those issues repeatedly; your (non)-issue and (slightly) more substantive issues about IPv6 have been rehashed ad nauseam. The questions on the table now are, first, are operators using AH, and if so is ESP with NULL encryption an option?
>>
>>                 --Steve Bellovin, https://www.cs.columbia.edu/~smb
>>
>>
>>         One of the biggest reasons we have AH is because there _are_
>>         some things in the middle of the "IP header" that need to be
>>         authenticated for them to be simultaneously safe and useful.
>>         The biggest example of this is source routing.
>>
>> In my opinion -- and I've posted this before -- there's nothing in the
>> IP header that's both interesting and protected.
>> You can't protect the
>> source routing option, since the next-hop pointer changes en route.
>> Appendix A of the AH draft recognizes that, and lists it as 'mutable --
>> zeroed'.
>>
>> When you look over the list of IP header fields and options that are
>> either immutable or predictable, you find that the only things that are
>> really of interest are the source and destination addresses and the
>> security label. To the extent that we want to protect the addresses --
>> a point that's very unclear to me -- they're bound to the security
>> association. The security label certainly should be. If you're using
>> security labels (almost no one does) and you don't have the facilities
>> to bind it at key management time, use tunnel mode and be done with it.
>>
>>         I'll admit that I've never been in the operations business, but
>>         I've been told that source routing is a very useful tool for
>>         diagnosing some classes of problems. AH allows source routing
>>         to be useful again w/o opening the holes it opens.
>>
>> Well, yes, but not for the reason you specify. The problem with source
>> routing is that it makes address-spoofing trivial. With AH, people
>> will either verify certificate names -- the right way to do things --
>> or they'll bind a certificate to the source address, and use AH to
>> verify the legitimacy of it. The route specified has nothing to do
>> with it, and ESP with null encryption does the same thing.
>>
>> I don't like AH, either in concept or design (and in particular I don't
>> like the way it commits layer violations). Its only real use, as I see
>> it, is to answer Greg Minshall's objections -- it leaves the port
>> numbers in the clear, and visible in a context-independent fashion.
>> With null encryption, the monitoring station has to know that that was
>> selected. But I'm very far from convinced that these issues are
>> important enough to justify AH.
>>
>> All that notwithstanding, this is not a new issue.
>> We've been over
>> this ground before in the working group. Several of us, myself
>> included, suggested deleting AH. We lost. Fine; so be it. Let's ship
>> the documents and be done with it.
>

                --Steve Bellovin, https://www.cs.columbia.edu/~smb

From up at 3.am Sun Jan 1 20:03:53 2012
From: up at 3.am (James Smallacombe)
Date: Sun, 1 Jan 2012 21:03:53 -0500
Subject: Hotmail / MSN blacklisting policies.
Message-ID: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am>

The IP address of our mail server was recently blacklisted by MSN/Hotmail. When I went through their steps for delisting, it was denied based on "reputation". AFAIK, we have not had a spam problem for several months. When we did it was due to a few accounts having been successfully phished. Since then our customers have been far more savvy and I have not seen the problem. I manually delisted us from all the known BLs back then and all has been ok.

A current multi DNSBL lookup only shows 3 out of a couple hundred BLs listing us. You may be familiar with the ones that did (blackholes.five-ten-sg.com for example). No major, reputable, widely used DNSBL lists the IP.

I have been doing this for 16 years. It has always been SOP to provide an offending email, with full headers, to the complaint recipient, if not in advance of such blacklisting, then at least upon request. They sure require it of me when I report abuse of their servers. They flat out refuse to do this, claiming they have no access to this.

I had this same issue with Cloudmark's BL a couple of months ago (which Comcast and other major providers use), so I suspect this is some kind of outsourced blacklist that does a poor job of updating their listings or one of my regular customers is sending out emails that are being incorrectly reported as spam.
I have seen the latter happen several times with other servers I've worked with that auto generate legitimate emails of reports that customers pay for, but aggressive filters such as AOL's auto-report as spam (to be fair, AOL is excellent at resolving these). We do have SPF records for our main domains, but no DKIM or other whitelisting/authentication mechanisms. Is this sort of thing going to be widely required? From jfpn at clearfield.com Sun Jan 1 20:29:13 2012 From: jfpn at clearfield.com (Jean-Francois Pirus) Date: Mon, 02 Jan 2012 15:29:13 +1300 Subject: Hotmail / MSN blacklisting policies. In-Reply-To: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am> References: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am> Message-ID: <1325471353.11559.7.camel@caffeine> On Sun, 2012-01-01 at 21:03 -0500, James Smallacombe wrote: > The IP address of our mail server was recently blacklisted by MSN/Hotmail. When I went through their steps for delisting, it was denied based on "reputation". AFAIK, we have not had a spam problem for several months. When we did it was due to a few accounts having been successfully phished. Since then our customers have been far more savvy and I have not seen the problem. I manually delisted us from all the known BLs back then and all has been ok. > > A current multi DNSBL lookup only shows 3 out of a couple hundred BLs listing us. You may be familiar with the ones that did (blackholes.five-ten-sg.com for example). No major, reputable, widely used DNSBL lists the IP. > > I have been doing this for 16 years. It has always been SOP to provide an offending email, with full headers to the complaint recipient, if not in advance of such blacklisting, then at least upon request. They sure require it of me when I report abuse of their servers. They flat out refuse to do this, claiming they have no access to this. 
From jfpn at clearfield.com Sun Jan 1 20:29:13 2012
From: jfpn at clearfield.com (Jean-Francois Pirus)
Date: Mon, 02 Jan 2012 15:29:13 +1300
Subject: Hotmail / MSN blacklisting policies.
In-Reply-To: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am>
References: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am>
Message-ID: <1325471353.11559.7.camel@caffeine>

On Sun, 2012-01-01 at 21:03 -0500, James Smallacombe wrote:
> [...]
>
> We do have SPF records for our main domains, but no DKIM or other
> whitelisting/authentication mechanisms. Is this sort of thing going to be
> widely required?

Yes.

Also make sure your reverse dns doesn't look like XXX.XXX.XXX.XXX.mydomain.com. (where XXX is the reverse IP, that gives you a bad score.)

These are the steps I went through for Hotmail:

Publish SPF and DKIM records

Open a hotmail account

login https://support.msn.com/

Register with the following "Programs"
  SenderID - Register your SPF records
  Sender Information for Hotmail Delivery - Tell them you want to send them emails
  Junk Mail Reporting Partner Program - Register an address that complaints about your emails will go to.

Register your IP address at https://postmaster.live.com/snds/index.aspx

Then view data about your IP address at https://postmaster.live.com/snds/data.aspx

--
Jean-Francois Pirus | Technical Manager
francois at clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401
Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com

From jlewis at lewis.org Sun Jan 1 20:35:15 2012
From: jlewis at lewis.org (Jon Lewis)
Date: Sun, 1 Jan 2012 21:35:15 -0500 (EST)
Subject: Hotmail / MSN blacklisting policies.
In-Reply-To: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am>
References: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am>
Message-ID:

On Sun, 1 Jan 2012, James Smallacombe wrote:

> I have been doing this for 16 years. It has always been SOP to provide
> an offending email, with full headers to the complaint recipient, if not
> in advance of such blacklisting, then at least upon request.

There are/have been a number of well respected (not to mention most of the private ones) anti-spam BLs that either don't always or never provide "offending email" evidence to support listings, and I'm not aware of any that ever made it SOP to provide such evidence in advance of listing an IP.

Hotmail listing one of your servers for no obvious reason is certainly the pot calling the kettle black. I get a pretty regular stream of pills spam from hotmail servers, most of which should trivially be blocked by the sender if they gave even the slightest damn about their outgoing spam.

> They flat out refuse to do this, claiming they have no access to this.

With an org the size of hotmail, it's quite conceivable that the people dealing with you don't have access to the information you seek, assuming such information was even kept.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From tshaw at oitc.com Mon Jan 2 06:24:15 2012
From: tshaw at oitc.com (TR Shaw)
Date: Mon, 2 Jan 2012 07:24:15 -0500
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <042E9E42-4D3B-4F0D-B1C6-DBBE9F3AD4FE@cs.columbia.edu>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com> <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com> <97DDC358-2C4A-4AAD-B176-72F2BC64A47B@cs.columbia.edu> <042E9E42-4D3B-4F0D-B1C6-DBBE9F3AD4FE@cs.columbia.edu>
Message-ID:

As far as real world examples, I know of none that use AH only. All the operational uses I have seen in use are tunnels.
I would guess that if there are any it would be because some minimally technical COI rep thought that by using it it would provide some minimalist support of their interpretation of FISMA.

Tom

On Jan 1, 2012, at 9:03 PM, Steven Bellovin wrote:

> Yes, I know; I'm on that list. John Smith decided to see if
> reality matched theory -- always a good thing to do -- and asked
> here.
>
> Btw, it's not just "this time there is some support for it"; AH
> was downgraded to "MAY" in RFC 4301 in 2005.
>
>
> On Jan 1, 2012, at 8:56 PM, Jack Kohn wrote:
>
>> The __exact__ same discussion happening on IPsecME WG right now.
>>
>> http://www.ietf.org/mail-archive/web/ipsec/current/msg07346.html
>>
>> It seems there is yet another effort being made to "retire" AH so that
>> we have less # of options to deal with. This time there is some
>> support for it ..
>>
>> Jack
>>
>> On Mon, Jan 2, 2012 at 7:20 AM, Steven Bellovin wrote:
>>>
>>> On Jan 1, 2012, at 8:34 PM, TR Shaw wrote:
>>>
>>>> John,
>>>>
>>>> Unlike AH, ESP in transport mode does not provide integrity and
>>>> authentication for the entire IP packet. However, in Tunnel Mode,
>>>> where the entire original IP packet is encapsulated with a new packet
>>>> header added, ESP protection is afforded to the whole inner IP packet
>>>> (including the inner header) while the outer header (including any
>>>> outer IPv4 options or IPv6 extension headers) remains unprotected.
>>>> Thus, you need AH to authenticate the integrity of the outer header
>>>> packet information.
>>>
>>>
>>> Not quite. While the cryptographic integrity check does not cover the
>>> source and destination addresses -- the really interesting part of the
>>> outer header -- they're bound to the security association, and hence
>>> checked separately. Below is a note I sent to the IPsec mailing list
>>> in 1999.
>>>
>>> That, however, is not the question that is being asked here. The
>>> IPsecme working group has been over those issues repeatedly; your
>>> (non)-issue and (slightly) more substantive issues about IPv6 have been
>>> rehashed ad nauseam. The questions on the table now are, first, are
>>> operators using AH, and if so is ESP with NULL encryption an option?
>>>
>>> --Steve Bellovin, https://www.cs.columbia.edu/~smb
>>>
>>>
>>> One of the biggest reasons we have AH is because there _are_
>>> some things in the middle of the "IP header" that need to be
>>> authenticated for them to be simultaneously safe and useful.
>>> The biggest example of this is source routing.
>>>
>>> In my opinion -- and I've posted this before -- there's nothing in the
>>> IP header that's both interesting and protected. You can't protect the
>>> source routing option, since the next-hop pointer changes en route.
>>> Appendix A of the AH draft recognizes that, and lists it as 'mutable --
>>> zeroed'.
>>>
>>> When you look over the list of IP header fields and options that are
>>> either immutable or predictable, you find that the only things that are
>>> really of interest are the source and destination addresses and the
>>> security label. To the extent that we want to protect the addresses --
>>> a point that's very unclear to me -- they're bound to the security
>>> association. The security label certainly should be. If you're using
>>> security labels (almost no one does) and you don't have the facilities
>>> to bind it at key management time, use tunnel mode and be done with it.
>>>
>>> I'll admit that I've never been in the operations business, but
>>> I've been told that source routing is a very useful tool for
>>> diagnosing some classes of problems. AH allows source routing
>>> to be useful again w/o opening the holes it opens.
>>>
>>> Well, yes, but not for the reason you specify. The problem with source
>>> routing is that it makes address-spoofing trivial. With AH, people
>>> will either verify certificate names -- the right way to do things --
>>> or they'll bind a certificate to the source address, and use AH to
>>> verify the legitimacy of it. The route specified has nothing to do
>>> with it, and ESP with null encryption does the same thing.
>>>
>>> I don't like AH, either in concept or design (and in particular I don't
>>> like the way it commits layer violations). Its only real use, as I see
>>> it, is to answer Greg Minshall's objections -- it leaves the port
>>> numbers in the clear, and visible in a context-independent fashion.
>>> With null encryption, the monitoring station has to know that that was
>>> selected. But I'm very far from convinced that these issues are
>>> important enough to justify AH.
>>>
>>> All that notwithstanding, this is not a new issue. We've been over
>>> this ground before in the working group. Several of us, myself
>>> included, suggested deleting AH. We lost. Fine; so be it. Let's ship
>>> the documents and be done with it.
>>
>
>
> --Steve Bellovin, https://www.cs.columbia.edu/~smb

From o.calvano at gmail.com Mon Jan 2 07:30:47 2012
From: o.calvano at gmail.com (Olivier CALVANO)
Date: Mon, 2 Jan 2012 14:30:47 +0100
Subject: Ethernet From China to Singapor or Hong Kong ?
Message-ID:

Hi

anyone have contact of a operator (CHina Telecom ? CPC ?) that can provide L2 Link from China to Singapor or if not direct link, China to Hong Kong.

Thanks
Olivier

From rsk at gsp.org Mon Jan 2 07:53:25 2012
From: rsk at gsp.org (Rich Kulawiec)
Date: Mon, 2 Jan 2012 08:53:25 -0500
Subject: Hotmail / MSN blacklisting policies.
In-Reply-To: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am>
References: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am>
Message-ID: <20120102135325.GA15441@gsp.org>

First, this should probably be on mailop instead of here.

Second, given the unceasing torrent of spam emitted by Hotmail/MSN on a systemic, chronic basis, it's ironic that they'd block *anyone*.
---rsk

From rol at witbe.net Mon Jan 2 08:05:12 2012
From: rol at witbe.net (Paul Rolland (ポール・ロラン))
Date: Mon, 2 Jan 2012 15:05:12 +0100
Subject: Ethernet From China to Singapor or Hong Kong ?
In-Reply-To:
References:
Message-ID: <20120102150512.72e71946@tux.DEF.witbe.net>

Hello,

On Mon, 2 Jan 2012 14:30:47 +0100
Olivier CALVANO wrote:

> anyone have contact of a operator (CHina Telecom ? CPC ?) that can provide
> L2 Link
> from China to Singapor or if not direct link, China to Hong Kong.

PCCW ?

Paul

--
TelcoTV Awards 2011 - Witbe winner in "Innovation in Test & Measurement"

Paul Rolland                          E-Mail : rol(at)witbe.net
CTO - Witbe.net SA                    Tel. +33 (0)1 47 67 77 77
Les Collines de l'Arche               Fax. +33 (0)1 47 67 77 99
F-92057 Paris La Defense              RIPE : PR12-RIPE

LinkedIn : http://www.linkedin.com/in/paulrolland
Skype : rollandpaul

"I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that 10
or 15 years from now, she will come to me and say 'Daddy, where were you
when they took freedom of the press away from the Internet?'"
--Mike Godwin, Electronic Frontier Foundation

From leigh.porter at ukbroadband.com Mon Jan 2 10:22:30 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Mon, 2 Jan 2012 16:22:30 +0000
Subject: Ethernet From China to Singapor or Hong Kong ?
In-Reply-To: <20120102150512.72e71946@tux.DEF.witbe.net>
References: , <20120102150512.72e71946@tux.DEF.witbe.net>
Message-ID:

I'd second PCCW. I have contacts there if you drop me a mail off list.

--
Leigh Porter
UKBroadband PCCW...

On 2 Jan 2012, at 14:08, "Paul Rolland" wrote:

> [...]
>
> PCCW ?
>
> Paul

From copraphage at gmail.com Mon Jan 2 10:33:17 2012
From: copraphage at gmail.com (Chris McDonald)
Date: Mon, 2 Jan 2012 11:33:17 -0500
Subject: Ethernet From China to Singapor or Hong Kong ?
In-Reply-To:
References: <20120102150512.72e71946@tux.DEF.witbe.net>
Message-ID:

Third and I also work there :)

On Monday, January 2, 2012, Leigh Porter wrote:

> I'd second PCCW. I have contacts there if you drop me a mail off list.
> [...]

From morrowc.lists at gmail.com Mon Jan 2 11:39:40 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Mon, 2 Jan 2012 12:39:40 -0500
Subject: L3 consequences of WLAN offload in cellular networks (was - endless DHCPv6 thread)
In-Reply-To:
References: <201112301415.32955.a.harrowell@gmail.com>
Message-ID:

On Fri, Dec 30, 2011 at 9:34 AM, Cameron Byrne wrote:

> The state of the industry is the support of nomadic mobility from cellular
> to / from Wi-Fi , there is nearly no support of mobile IP that I have seen.
>
> It is going more and more in this direction. At T-Mobile USA we have
> evolved our wifi calling features from fully mobile UMA / GAN to non-mobile
> IMS wifi calling.

great! is that now available on all tmo-us handsets? :) /troll

From tom at ninjabadger.net Mon Jan 2 12:08:31 2012
From: tom at ninjabadger.net (Tom Hill)
Date: Mon, 02 Jan 2012 18:08:31 +0000
Subject: next-best-transport! down with ethernet!
In-Reply-To:
References: <1325188667.2646.4.camel@teh-desktop>
Message-ID: <1325527711.2404.4.camel@teh-desktop>

On Fri, 2011-12-30 at 07:24 -0500, Ray Soucy wrote:

> The speed of light is such a drag.

It could be worse... You could've been born on a larger planet.

From BEJones at semprautilities.com Mon Jan 2 14:27:34 2012
From: BEJones at semprautilities.com (Jones, Barry)
Date: Mon, 2 Jan 2012 12:27:34 -0800
Subject: AD and enforced password policies
Message-ID:

Hello all. Happy New Year.

I have a requirement to enforce password policies on AD (a tacacs and windows domain). I don't have a great deal of Windows AD knowledge - so a newbie ;-) this is a little off topic, but I thought I'd ask...

Specifically, I need to enforce the use of length, special characters, and be able to validate the enforcement of such. Looking at Nfront, Quest, etc..., and wanted to see if anyone out there had thoughts?

Thank you.

From rluethje at gmail.com Mon Jan 2 15:09:25 2012
From: rluethje at gmail.com (Robert Luethje)
Date: Mon, 2 Jan 2012 16:09:25 -0500
Subject: AD and enforced password policies
References:
Message-ID: <006f01ccc992$cf87bf50$0201a8c0@knightmareserv>

You would set those in users section of AD. AD can be very quirky when it wants to.

Robert

----- Original Message -----
From: "Jones, Barry"
To:
Sent: Monday, January 02, 2012 3:27 PM
Subject: AD and enforced password policies

[...]
From mysidia at gmail.com Mon Jan 2 16:32:54 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Mon, 2 Jan 2012 16:32:54 -0600
Subject: AD and enforced password policies
In-Reply-To:
References:
Message-ID:

On Mon, Jan 2, 2012 at 2:27 PM, Jones, Barry wrote:

> I have a requirement to enforce password policies on AD (a tacacs and
> windows domain). I don't have a great deal of Windows AD knowledge - so a
> newbie ;-) this is a little off topic, but I thought I'd ask...
>

This is very basic built-in functionality of AD, that those maintaining an AD implementation really ought to already be aware of; to implement it, you edit or create applicable group policy to apply a Password policy in the security section of the applicable group policy for the Computer account configuration at the domain level, specify the minimum length and, either check the "password must meet complexity requirements box", or supply a custom filter --

http://technet.microsoft.com/en-us/library/cc875814.aspx#ECAA
http://technet.microsoft.com/en-us/library/cc786468%28WS.10%29.aspx

My recommendation would be to not go too far with password policies. Implement only the least restrictive requirements in AD to achieve the best security benefits per unit of user annoyance; e.g. a minimum length of 8 is a good choice; if you try and force users to pick a minimum of 15, with complexity, and expire their password every 10 days, you'll actually get users with simple passwords (or password sticky notes on the monitor).

The sole root cause for "easily guessable passwords" is not lack of technical restrictions. It's also: lazy or limited memory humans who need passwords that they can remember.

Firstname1234! is very easy to guess, and meets complexity and usual length requirements.

There are password filters on the market that can perform a simple dictionary check, which is a better check to perform than number of character classes. Use the custom password filter and a 30 minute account lockout after the 3rd failed login attempt, to prevent most password guessing attacks. An event log monitoring tool should be used to alert a sysadmin.

> Specifically, I need to enforce the use of length, special characters, and
> be able to validate the enforcement of such.

You can ensure the enforcement by putting the password policy into effect; make sure it is enforced on all domain controllers. And then at a later date check the "must change password at next login" checkbox for all users you need to enforce against, and utilize the GPResult command for each user to ensure that the policy is applied. The last password change date will verify the user has updated their password at the time the policy was in effect.

Another thing to consider is to have user passwords expiring once every 365 days, with checks to prevent reuse of previously used passwords; then typical scripts to monitor applied policy and last password change times can be utilized to verify compliance.

--
-JH

From blake at pfankuch.me Mon Jan 2 17:15:08 2012
From: blake at pfankuch.me (Blake T. Pfankuch)
Date: Mon, 2 Jan 2012 23:15:08 +0000
Subject: AD and enforced password policies
In-Reply-To:
References:
Message-ID:

I would very much agree with this as far as the "user annoyance" side. We have had customers enforce 12 characters and complexity for all users, and you end up with sticky notes under the keyboard or other objects on the desk. I would also make sure to set a reasonable timeout to force a workstation locking as well. However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network.

Depending on your AD structure, you can easily enforce different policies for different types of users. Meaning you can give your average minion a 8 character password with 90 day expiration, 4 password history and 3 of 4 groups for characters.
Then you can give your domain admin accounts (your normal support staff doesn't have domain admin on their day to day accounts do they??) a more restrictive policy like 12+ characters, 30 day expiration 24 history and full complexity (via third party modules).

--
Blake

-----Original Message-----
From: Jimmy Hess [mailto:mysidia at gmail.com]
Sent: Monday, January 02, 2012 3:33 PM
To: Jones, Barry
Cc: Nanog at nanog.org
Subject: Re: AD and enforced password policies

[...]

From gary.buhrmaster at gmail.com Mon Jan 2 18:05:00 2012
From: gary.buhrmaster at gmail.com (Gary Buhrmaster)
Date: Tue, 3 Jan 2012 00:05:00 +0000
Subject: AD and enforced password policies
In-Reply-To:
References:
Message-ID:

On Mon, Jan 2, 2012 at 22:32, Jimmy Hess wrote:
....
> The sole root cause for "easily guessable passwords" is not lack of
> technical restrictions. It's also: lazy or limited memory humans who need
> passwords that they can remember.
>
> Firstname1234!  is very easy to guess, and meets complexity and usual
> length requirements.
Obligatory xkcd reference: http://xkcd.com/936/

Gary

From nick at foobar.org Mon Jan 2 18:21:12 2012
From: nick at foobar.org (Nick Hilliard)
Date: Tue, 03 Jan 2012 00:21:12 +0000
Subject: AD and enforced password policies
In-Reply-To:
References:
Message-ID: <4F0249F8.4050305@foobar.org>

On 02/01/2012 20:27, Jones, Barry wrote:

> Specifically, I need to enforce the use of length, special characters,
> and be able to validate the enforcement of such.

I always like to look at policies like this from an analytical point of view. Let's take a look at some numbers.

Let's say that you insist on mixed case, numbers, punctuation, 8 characters. I find anything more than 8 characters really difficult to remember; probably lots of other people too, which is why they all write them down on post-it notes if they're longer - and then stick them to their monitors.

This creates a pool of 26 + 26 + 10 + 10 = 72 possible characters. So in theory you're talking about a pool of 72^8 = 7.2*10^15 possible passwords.

Thing is, your password policy insists on punctuation, which means that your actual password pool is now 10*72^7. i.e. one character is pulled from the pool of 10 punctuation chars, and the rest are anything at all. And if you insist on at least one number + one item of punctuation, it's 10*10*72^6 - same reasoning. But really, you're also insisting that you use at least one upper case + one lower case letter, which means that your password pool becomes 10(punctuation)*10(number)*26(upper case)*26(lower case)*72^4 = 1.8*10^13.

In other words, by enforcing a strict password policy on your users, you've just reduced your potential password pool size by a factor of 400, which means that your password is 400 times easier to brute-force.

The next step in this process is to take a look around at the current capabilities of GPU based hash generators. E.g. whitepixel currently claims to be able to handle 3.3*10^11 md5 hashes per second (unsalted) on a computer with a very small capital outlay. If for some odd reason you were storing your passwords as unsalted md5 hashes, your entire password set would be cracked within about 1 minute.

But real life is different; we don't use md5, we do use salt, and we don't choose stupid password policies. Oh but wait, we do.

So the real question you need to ask yourself is this: "what is the intention of my password policy?" Is it to create a sequence of characters which is effectively impossible to brute-force? Or is it to create a sequence of hieroglyphics which your users will find difficult to remember and will cause them to grind their teeth in anger every time they are forced to type it in? At best, these hieroglyphics provide an elevated sense of security. At worst, they are a mockery of actual security.

My favourite choice is "Pa$$w0rd". It scores top marks on pretty much all password strength checkers that I've ever tried it on. And every time the policy requires a change, I prepend a digit which apparently makes it secure for another 6 months.

If you are more interested in creating passwords which are difficult to brute force and easier to remember, one useful approach is to take a list of a couple of thousand short-ish words, and to use a random list of five or six of these words for a password. Much easier for people to remember; gets around silly mistakes with typos; and there's no requirement for mixed case, punctuation and all those other silly things which look great on paper but serve only to confuse and annoy.

Nick

From smb at cs.columbia.edu Mon Jan 2 19:45:29 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Mon, 2 Jan 2012 20:45:29 -0500
Subject: AD and enforced password policies
In-Reply-To:
References:
Message-ID:

On Jan 2, 2012, at 7:05 PM, Gary Buhrmaster wrote:

> On Mon, Jan 2, 2012 at 22:32, Jimmy Hess wrote:
> ....
>> The sole root cause for "easily guessable passwords" is not lack of >> technical restrictions. It's also: lazy or limited memory humans who need >> passwords that they can remember. >> >> Firstname1234! is very easy to guess, and meets complexity and usual >> length requirements. > > Obligatory xkcd reference: http://xkcd.com/936/ > Thanks; you saved me the trouble. There's a discussion of the topic going on right now on a cryptography mailing list; check out http://lists.randombit.net/mailman/listinfo/cryptography if you want. Also see my (mostly tongue in cheek) blog post at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-27.html and the very serious followup at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-28.html I should add that except for targeted attacks, strong passwords are greatly overrated; neither phishing attacks nor keystroke loggers care how good your password is. I just went through some calculations for a (government) site that has the following rules: Minimum Length : 8 Maximum Length : 12 Maximum Repeated Characters : 2 Minimum Alphabetic Characters Required : 1 Minimum Numeric Characters Required : 1 Starts with a Numeric Character No User Name No past passwords At least one character must be ~!@#$%^&*()-_+\verb!+={}[]\|;:/?.,<>"'`! Under the plausible assumption that very many people will start with a string of digits, continue with a string of lower-case letters to reach seven characters, and then add a period, there are only ~5,000,000,000 choices. That's not many at all -- but the rules look just fine... --Steve Bellovin, https://www.cs.columbia.edu/~smb From lyndon at orthanc.ca Mon Jan 2 20:10:33 2012 From: lyndon at orthanc.ca (Lyndon Nerenberg) Date: Mon, 2 Jan 2012 18:10:33 -0800 (PST) Subject: AD and enforced password policies In-Reply-To: References: Message-ID: > I just went through some calculations for a (government) site that has the > following rules: [...] 
> Under the plausible assumption that very many people will start with a string > of digits, continue with a string of lower-case letters to reach seven characters, > and then add a period, there are only ~5,000,000,000 choices. That's not many at > all -- but the rules look just fine... 1234;lkj rolls off the fingers quite nicely, don't you think? From smb at cs.columbia.edu Mon Jan 2 20:16:28 2012 From: smb at cs.columbia.edu (Steven Bellovin) Date: Mon, 2 Jan 2012 21:16:28 -0500 Subject: AD and enforced password policies In-Reply-To: References: Message-ID: On Jan 2, 2012, at 9:10 PM, Lyndon Nerenberg wrote: >> I just went through some calculations for a (government) site that has the >> following rules: > [...] >> Under the plausible assumption that very many people will start with a string >> of digits, continue with a string of lower-case letters to reach seven characters, >> and then add a period, there are only ~5,000,000,000 choices. That's not many at >> all -- but the rules look just fine... > > 1234;lkj rolls off the fingers quite nicely, don't you think? > OK -- let's let the set of punctuation be .,; and allow seven choices for where it goes. That increases the work factor by 21 -- still not that large a space for someone with a good botnet. The real question is what you're trying to protect. If the attacker's goal is to get *some* password, then I think he or she will succeed, because I think that very many people will follow my assumed pattern -- enough that the attacker has a good chance of winning. Sure, some people will pick stronger ones -- but that isn't the point of the exercise. Passwords and password rules are the *enemy* to most people.
--Steve Bellovin, https://www.cs.columbia.edu/~smb From mysidia at gmail.com Mon Jan 2 22:34:45 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Mon, 2 Jan 2012 22:34:45 -0600 Subject: AD and enforced password policies In-Reply-To: References: Message-ID: On Mon, Jan 2, 2012 at 8:16 PM, Steven Bellovin wrote: > On Jan 2, 2012, at 9:10 PM, Lyndon Nerenberg wrote: > OK -- let's let the set of punctuation be .,; and allow seven choices for > where > it goes. That increases the work factor by 21 -- still not that large a > space > for someone with a good botnet. Should an attacker get to the point of being able to mount a brute force attack, with only character class and length requirements, that means they have basically already won the battle for basic user level access --- user passwords do not have cryptographic strength; the chance that some passwords are guessed is so high that you can legitimately treat the probability that no passwords are discovered by an informed attack as 0%. Assuming you have a policy of account lockout after multiple attempts, the fact that a brute force attack can be mounted indicates implementation of your account lockout policy failed, or the attacker stole the password hashes. If you have LANMAN hashes enabled or your passwords hashed with MD5 instead of PBKDF2 with 10000 or more rounds, the attacker has the keys to the kingdom; they are almost certain to guess some passwords very quickly. Not all passwords are equally likely to be chosen by a human given the task of setting their password. How some luser is going to respond to password complexity: pick a name or standard dictionary word, make the first letter capital, append a single digit or some well known number (such as the current year, a birthdate, anniversary, address, SSN, or other known quantity), add a period or ! to the end, to meet the punctuation mark requirement. Eminently guessable by methods other than brute force.
It doesn't matter that 10 different punctuation marks are actually available to the user --- human chosen passwords have low entropy, you can anticipate the average human has higher chance of picking certain punctuation marks than others, based on where they are located on the keyboard, and the user's level of familiarity with the punctuation mark. ~ and _ may be valid choices; but the average English speaker is more familiar with ! . , ' ; & + - -- -JH From mtinka at globaltransit.net Tue Jan 3 02:40:07 2012 From: mtinka at globaltransit.net (Mark Tinka) Date: Tue, 3 Jan 2012 16:40:07 +0800 Subject: next-best-transport! down with ethernet! In-Reply-To: References: <1325188667.2646.4.camel@teh-desktop> Message-ID: <201201031640.10340.mtinka@globaltransit.net> On Friday, December 30, 2011 05:58:38 PM Vitkovsky, Adam wrote: > Actually at a Cisco presentation on Nexus 7k I asked > whether it's possible to transport the FCoE over let's > say EoMPLS or VPLS and did not get a straight answer > though that was half a year ago -but it would be really > cool to connect hard-drives directly over continents We looked at doing this back in 2010, and the problems are still the same - synchronous replications (which is the majority of your garden-variety fibre channel deployments) are very sensitive to latency and low bandwidth, and don't generally tend to exist outside the data centre or short-distance DWDM fibre channel networks. FCIP was the solution proposed for extending SANs over IP (which invariably means over MPLS as well). But FCIP tends to work best with asynchronous replications, which is the only way to get around higher latency and lower bandwidth network properties. I know Brocade and Cisco both have boxes that support FCIP.
I did come across a vendor, Orckit-Corrigent - http://www.orckit.com/ - that claimed they support FCoMPLS (I forget what their exact solution was, but it had to do with some buffering trickery if memory serves), but we didn't get a chance to test these as FCoDWDM ended up winning anyway. Come to think of it, maybe their solution was FCIP inside MPLS :-). Cheers, Mark. From mansaxel at besserwisser.org Tue Jan 3 02:44:11 2012 From: mansaxel at besserwisser.org (Måns Nilsson) Date: Tue, 3 Jan 2012 09:44:11 +0100 Subject: AD and enforced password policies In-Reply-To: References: Message-ID: <20120103084411.GN7491@besserwisser.org> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me): > However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network. If you force me to change a password every three months, I'm going to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result, you lose. Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc, and we're all doomed, or they will be lucky and guess. None of these attack modes will be mitigated by the 3-month scheme; success/fail as seen by the bad guys will be a lot quicker than three months. If they do not get lucky with john or rainbow tables, they'll move on. (Some scenarios still are affected by this, of course, but there is a lot to be done to stop bad things from happening like not getting your hashes stolen etc. On-line repeated login failures aren't going to work because you'll detect that, right?
) Either way, expiring often is the first and most effective step at making the lusers hate you and will only bring the Post-It(tm) makers happy. If your password crypto is NSA KW-26 or similar, OTOH, just don the Navy blues and start swapping punchcards at 0000 ZULU. (http://en.wikipedia.org/wiki/File:Kw-26.jpg) -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!! From kompella at cs.purdue.edu Tue Jan 3 02:57:09 2012 From: kompella at cs.purdue.edu (Ramana Kompella) Date: Tue, 3 Jan 2012 14:27:09 +0530 Subject: HotICE 2012 -- paper registration deadline Friday Jan 6, 2012 In-Reply-To: <8EAAFC63-4899-41D3-9C62-3D70707F64B8@PURDUE.EDU> References: <8EAAFC63-4899-41D3-9C62-3D70707F64B8@PURDUE.EDU> Message-ID: <2C1BE052-9100-4623-9B43-AA18576381F2@cs.purdue.edu> [Apologies if you received multiple copies of this CFP] The 2nd USENIX Workshop on Hot Topics in Management of Internet, Cloud, and Enterprise Networks and Services (Hot-ICE '12) Program Co-Chairs invite you to contribute to the refereed papers. The Hot-ICE workshop seeks to bring together researchers and practitioners working on network and service management in the Internet, cloud, and enterprise domains. Paper registration is due *January 6, 2012*, by 11:59 p.m. PST (i.e. Friday !). Complete paper submissions are due January 13, 2012, by 11:59 p.m. PST. For more information and the submission guidelines, please visit http://www.usenix.org/hotice12/cfpa.
Hot-ICE '12 will be held on April 24, 2012, in San Jose, CA, and will be co-located with NSDI '12: http://www.usenix.org/nsdi12 On behalf of the Hot-ICE '12 Program Committee, Olivier Bonaventure, Universite catholique de Louvain Ramana Kompella, Purdue University From os10rules at gmail.com Tue Jan 3 07:09:19 2012 From: os10rules at gmail.com (Greg Ihnen) Date: Tue, 3 Jan 2012 08:39:19 -0430 Subject: AD and enforced password policies In-Reply-To: <20120103084411.GN7491@besserwisser.org> References: <20120103084411.GN7491@besserwisser.org> Message-ID: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote: > Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me): > >> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network. > > If you force me to change a password every three months, I'm going > to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result, > you lose. > > Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc, > and we're all doomed, or they will be lucky and guess. None of these > attack modes will be mitigated by the 3-month scheme; success/fail as > seen by the bad guys will be a lot quicker than three months. If they > do not get lucky with john or rainbow tables, they'll move on. > > (Some scenarios still are affected by this, of course, but there is a > lot to be done to stop bad things from happening like not getting your > hashes stolen etc. On-line repeated login failures aren't going to work > because you'll detect that, right? ) > > Either way, expiring often is the first and most effective step at making > the lusers hate you and will only bring the Post-It(tm) makers happy. > > If your password crypto is NSA KW-26 or similar, OTOH, just > don the Navy blues and start swapping punchcards at 0000 ZULU.
> (http://en.wikipedia.org/wiki/File:Kw-26.jpg) > > -- > Måns Nilsson primary/secondary/besserwisser/machina > MN-1334-RIPE +46 705 989668 > Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!! A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it. Greg From toddunder at gmail.com Tue Jan 3 07:22:09 2012 From: toddunder at gmail.com (Todd Underwood) Date: Tue, 3 Jan 2012 08:22:09 -0500 Subject: AD and enforced password policies In-Reply-To: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> Message-ID: http://www.diceware.com/ works well. has plausible analysis of the entropy of the passphrases created. it's 100% prescriptive and deterministic so can be used for large, unevenly skilled userbases. the passphrases are easy to remember and type for english speakers (and there are alternative dictionaries). and it wouldn't pass any of these silly requirements. what people really need to be doing is deploying: http://en.wikipedia.org/wiki/HOTP there are free apps for android and iphone to generate sequences as a 2nd factor. t On Tue, Jan 3, 2012 at 8:09 AM, Greg Ihnen wrote: > > On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote: > >> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me): >> >>> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network. >> >> If you force me to change a password every three months, I'm going >> to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately.
Net result, >> you lose. >> >> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc, >> and we're all doomed, or they will be lucky and guess. None of these >> attack modes will be mitigated by the 3-month scheme; success/fail as >> seen by the bad guys will be a lot quicker than three months. If they >> do not get lucky with john or rainbow tables, they'll move on. >> >> (Some scenarios still are affected by this, of course, but there is a >> lot to be done to stop bad things from happening like not getting your >> hashes stolen etc. On-line repeated login failures aren't going to work >> because you'll detect that, right? ) >> >> Either way, expiring often is the first and most effective step at making >> the lusers hate you and will only bring the Post-It(tm) makers happy. >> >> If your password crypto is NSA KW-26 or similar, OTOH, just >> don the Navy blues and start swapping punchcards at 0000 ZULU. >> (http://en.wikipedia.org/wiki/File:Kw-26.jpg) >> >> -- >> Måns Nilsson primary/secondary/besserwisser/machina >> MN-1334-RIPE +46 705 989668 >> Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!! > > > A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it.
> > Greg From mike at mtcc.com Tue Jan 3 07:31:12 2012 From: mike at mtcc.com (Michael Thomas) Date: Tue, 03 Jan 2012 05:31:12 -0800 Subject: AD and enforced password policies In-Reply-To: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> Message-ID: <4F030320.1030804@mtcc.com> On 01/03/2012 05:09 AM, Greg Ihnen wrote: > A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend and use a popular password manager, so I can have unique strong passwords without making a religion out of it. Greg I've been doing something with my site/app (phresheez) that is helpful on that front: instead of having them use their password, the app auto-generates a password for the user instead. I did this mainly for convenience -- users hate typing on their phones -- but it has the nice property that you don't have a domino effect if a password on my site is compromised. Since most browsers auto-remember your passwords anyway, it even works in the web world too. For most need-to-join sites, I think this is a pretty reasonable solution. Maybe not for, oh say, financial sites where password recovery is a little bit scarier, but for the run of the mill app/site... it seems that this solution at least solves the domino problem. 
Mike From smb at cs.columbia.edu Tue Jan 3 07:40:47 2012 From: smb at cs.columbia.edu (Steven Bellovin) Date: Tue, 3 Jan 2012 08:40:47 -0500 Subject: AD and enforced password policies In-Reply-To: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> Message-ID: <2AC71587-2896-45FC-B77C-8C789B3C28F7@cs.columbia.edu> On Jan 3, 2012, at 8:09:19 AM, Greg Ihnen wrote: > > On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote: > >> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me): >> >>> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network. >> >> If you force me to change a password every three months, I'm going >> to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result, >> you lose. >> >> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc, >> and we're all doomed, or they will be lucky and guess. None of these >> attack modes will be mitigated by the 3-month scheme; success/fail as >> seen by the bad guys will be a lot quicker than three months. If they >> do not get lucky with john or rainbow tables, they'll move on. >> >> (Some scenarios still are affected by this, of course, but there is a >> lot to be done to stop bad things from happening like not getting your >> hashes stolen etc. On-line repeated login failures aren't going to work >> because you'll detect that, right? ) >> >> Either way, expiring often is the first and most effective step at making >> the lusers hate you and will only bring the Post-It(tm) makers happy. >> >> If your password crypto is NSA KW-26 or similar, OTOH, just >> don the Navy blues and start swapping punchcards at 0000 ZULU.
>> (http://en.wikipedia.org/wiki/File:Kw-26.jpg) >> >> -- >> Måns Nilsson primary/secondary/besserwisser/machina >> MN-1334-RIPE +46 705 989668 >> Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!! > > > A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it. > It's not a side issue; in my opinion it's a far more important issue in most situations. I do the same thing that you do for all but my most critical passwords. --Steve Bellovin, https://www.cs.columbia.edu/~smb From mansaxel at besserwisser.org Tue Jan 3 07:43:55 2012 From: mansaxel at besserwisser.org (Måns Nilsson) Date: Tue, 3 Jan 2012 14:43:55 +0100 Subject: AD and enforced password policies In-Reply-To: <4F030320.1030804@mtcc.com> References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> <4F030320.1030804@mtcc.com> Message-ID: <20120103134353.GQ7491@besserwisser.org> Subject: Re: AD and enforced password policies Date: Tue, Jan 03, 2012 at 05:31:12AM -0800 Quoting Michael Thomas (mike at mtcc.com): > For most need-to-join sites, I think this is a pretty reasonable solution. Maybe > not for, oh say, financial sites where password recovery is a little bit scarier, > but for the run of the mill app/site... it seems that this solution at least > solves the domino problem. There is indeed a difference between Europe (or is it only .SE?) and USA here; no bank in Sweden lets you login without at least a client certificate and password/pin code.
Most banks have a hardware token, either challenge-response or HOTP/TOTP; some use the chip in chip-and-pin cards as certificate carrier, and combine it with a reader device to manage pin code entry. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Hello? Enema Bondage? I'm calling because I want to be happy, I guess ... From gary.buhrmaster at gmail.com Tue Jan 3 07:59:16 2012 From: gary.buhrmaster at gmail.com (Gary Buhrmaster) Date: Tue, 3 Jan 2012 05:59:16 -0800 Subject: AD and enforced password policies In-Reply-To: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> Message-ID: On Tue, Jan 3, 2012 at 05:09, Greg Ihnen wrote: .... > A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. Second obligatory xkcd reference (Password reuse): http://xkcd.com/792/ From tim at pelican.org Tue Jan 3 08:16:38 2012 From: tim at pelican.org (Tim Franklin) Date: Tue, 03 Jan 2012 14:16:38 -0000 (GMT) Subject: AD and enforced password policies In-Reply-To: <20120103134353.GQ7491@besserwisser.org> Message-ID: <23f7068e-b0bd-44a7-9e73-f0c81d6c7a12@mail.pelican.org> > There is indeed a difference between Europe (or is it only .SE?) and > USA here; no bank in Sweden lets you login without at least a client > certificate and password/pin code. Most banks have a hardware token, > either challenge-response or HOTP/TOTP; some use the chip in chip-and-pin > cards as certificate carrier, and combine it with a reader device to > manage pin code entry.
Can't speak for Europe as a whole, but certainly in the UK it's not common - and I wish it was. I do have different passwords for my banking and other finance-type sites (pensions etc), both for each site and distinct from my "fuzzykittens" passwords (which do re-use a handful of variations on a couple of themes). A hardware token would be very nice though. Client cert worries me a bit - while it *should* be standards-based, I'm sure there's some way to implement it such that it only works on Windows. Given how long it took for banks to stop with the "Safari! Evil! Access denied!" routine, I don't hold much faith in their willingness or ability to build cross-platform solutions. Grumble for the day: Santander, who require so many different IDs, logins, codes, reference numbers etc to access their on-line services with no indication at all of how any of them relate to the documentation previously sent or any changes made since, that there's no way to deal with it other than to write them down. Oh, and some more different codes, with more different names, to access the same account by telephone. Strongly not recommended. Regards, Tim. From jared at puck.nether.net Tue Jan 3 08:22:31 2012 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 3 Jan 2012 09:22:31 -0500 Subject: AD and enforced password policies In-Reply-To: References: Message-ID: <6501EF60-ADA9-4D98-BB93-82F3A6E24E22@puck.nether.net> On Jan 2, 2012, at 8:45 PM, Steven Bellovin wrote: > Minimum Length : 8 > Maximum Length : 12 > Maximum Repeated Characters : 2 > Minimum Alphabetic Characters Required : 1 > Minimum Numeric Characters Required : 1 > Starts with a Numeric Character > No User Name > No past passwords > At least one character must be ~!@#$%^&*()-_+\verb!+={}[]\|;:/?.,<>"'`! One site I saw would break when you exceeded the maximum length but silently accept it. 
Making the users jump through sufficient hoops to generate a password and keep it for the sake of "security" only serves to weaken the resolve of users and complexity of passwords used. Dare I say, if a password system is too cumbersome I may reject them as an employer at some point out of frustration, or just call the help desk daily to reset the password. back to the OP question. I've used the Quest system as a user and found it useful. Having this outside any VPN for your remote users is very helpful. - Jared From markrefresh12 at gmail.com Tue Jan 3 09:01:27 2012 From: markrefresh12 at gmail.com (Mark Smith) Date: Tue, 3 Jan 2012 17:01:27 +0200 Subject: Redundant multicast routing Message-ID: Hi What's your recipe to implement redundant multicast (stub) routing? Let's think about the simplest scenario. We have 2 routers, R1 and R2 and 3 ip networks. All 3 networks are directly connected to both routers and the routers are performing unicast routing between networks using VRRP as the redundancy protocol. Let's disregard L2 redundancy here and assume it works. Same goes with igmp snoop.

net1: 192.168.1.0/24, VRRP .254, R1 .1, R2 .2
net2: 192.168.2.0/24, VRRP .254, R1 .1, R2 .2
net3: 192.168.3.0/24, VRRP .254, R1 .1, R2 .2

Say multicast source is in net1 and receiver in net2. If I did not need redundancy in multicast, I would just configure all interfaces on R1 as pim passive and it would (probably) work. But if I want the multicast routing to be redundant, what should I do? If I add the R2 interfaces as pim passive, the multicast is forwarded to net2 (and net3) twice because R1 and R2 do not know about each other. I tested this. If I configure all R1 and R2 interfaces as pim dense, the destination receives multicast fine, but it is flooded between R1 and R3 2 or 3 times (because pim dense floods the multicast to all pim neighbors and R1 and R2 are pim neighbors in all 2 networks). So, core links are unnecessarily consumed. I tested this, too.
One choice could be to use pim sparse and configure R1 and R2 to be anycast RPs using loopback interface and configure MSDP peering between them. But given the simplicity of the topology, this seems unnecessarily complex configuration. I have not tested this yet. Maybe MVR could be solution but I think it will cause stream multiplication too. I have not tested MVR yet either. I would like to keep the recipe as vendor agnostic as possible. Thanks for help :) From olivier.benghozi at wifirst.fr Tue Jan 3 10:09:22 2012 From: olivier.benghozi at wifirst.fr (Olivier Benghozi) Date: Tue, 3 Jan 2012 17:09:22 +0100 Subject: Redundant multicast routing In-Reply-To: References: Message-ID: Hi, While anycast RP is better (redundancy is faster), it's not necessary: you can just use PIM-SM with BSR & 2 RPs with hash-mask distribution for the layer 3 redundancy. By design, igmp snooping forwards all multicast traffic to mrouter ports (that is, all router interfaces with pim activated), so to stop useless traffic between the routers, it will be necessary to do something at the layer 2 level; you can remove some of this by using something like cisco's ip pim snooping dr-flood on the layer 2 part (on the receiving vlans). regards, Olivier > Hi > > What's your recipe to implement redundant multicast (stub) routing? > Let's think about the simplest scenario. We have 2 routers, R1 and R2 > and 3 ip networks. All 3 networks are directly connected to both > routers and the routers are performing unicast routing between > networks using VRRP as the redundancy protocol. Let's disregard L2 > redundancy here and assume it works. Same goes with igmp snoop. > > net1: 192.168.1.0/24, VRRP .254, R1 .1, R2 .2 > net2: 192.168.2.0/24, VRRP .254, R1 .1, R2 .2 > net3: 192.168.3.0/24, VRRP .254, R1 .1, R2 .2 > > Say multicast source is in net1 and receiver in net2. > > If I did not need redundancy in multicast, I would just configure all > interfaces on R1 as pim passive and it would (probably) work. 
But if I > want the multicast routing to be redundant, what should I do? > > If I add the R2 interfaces as pim passive, the multicast is forwarded > to net2 (and net3) twice because R1 and R2 do not know about each > other. I tested this. > If I configure all R1 and R2 interfaces as pim dense, the destination > receives multicast fine, but it is flooded between R1 and R3 2 or 3 > times (because pim dense floods the multicast to all pim neighbors and > R1 and R2 are pim neighbors in all 2 networks). So, core links are > unnecessarily consumed. I tested this, too. > > One choice could be to use pim sparse and configure R1 and R2 to be > anycast RPs using loopback interface and configure MSDP peering > between them. But given the simplicity of the topology, this seems > unnecessarily complex configuration. I have not tested this yet. > > Maybe MVR could be solution but I think it will cause stream > multiplication too. I have not tested MVR yet either. > > I would like to keep the recipe as vendor agnostic as possible. > > Thanks for help :) > From m.d.bernardi at zitomedia.net Tue Jan 3 10:27:13 2012 From: m.d.bernardi at zitomedia.net (Matt Bernardi) Date: Tue, 03 Jan 2012 11:27:13 -0500 Subject: Multicast video stream to EIA analog channel Message-ID: <4F032C61.70108@zitomedia.net> Hello all, I am new to the mailing list and wanted to pick your brains about something. I work for a small cable service provider. What I am trying to do is receive a multicast stream, modulate it and send it out as an EIA analog channel. I know there is equipment built for this specific reason (RGP SEP, APEX1000, etc) but this is just going to be a temporary fix as we are doing a total video overhaul and moving to all MPEG4 capable equipment. I figured there is a way to accomplish this with linux as my budget isn't very large, but all of my research hasn't really helped so I'm reaching out to you. Has anyone ever done this? or know of any good reference sites for this?
Any info would be greatly appreciated. Thanks again, Matt Bernardi From ddevereauxweber at gmail.com Tue Jan 3 10:51:53 2012 From: ddevereauxweber at gmail.com (David Devereaux-Weber) Date: Tue, 3 Jan 2012 10:51:53 -0600 Subject: Multicast video stream to EIA analog channel In-Reply-To: <4F032C61.70108@zitomedia.net> References: <4F032C61.70108@zitomedia.net> Message-ID: Matt, Computers (Linux or otherwise) don't have RF modulators. I do not know of a single-channel IP-in analog modulator (I looked at Blonder Tongue, Drake and Pico Digital). It is possible to cobble together a Linux system running VideoLAN player, and get analog audio and video out of the computer, and pipe that into an analog modulator. Dave Devereaux-Weber University of Wisconsin-Madison From m.d.bernardi at zitomedia.net Tue Jan 3 11:21:42 2012 From: m.d.bernardi at zitomedia.net (Matt Bernardi) Date: Tue, 03 Jan 2012 12:21:42 -0500 Subject: Multicast video stream to EIA analog channel In-Reply-To: References: <4F032C61.70108@zitomedia.net> Message-ID: <4F033926.906@zitomedia.net> Dave, thanks for the advice. I thought about using VLC but couldn't figure out how to modulate it to the proper EIA channel. I figured someone would've made a PCI-E card that has a RF interface w/ upconverter built-in. The only one I found was from DEKTEC and they only modulate to digital signals not analog. I'll start playing with that today! Thanks again. On 01/03/2012 11:51 AM, David Devereaux-Weber wrote: > Matt, > > Computers (Linux or otherwise) don't have RF modulators. I do not > know of a single-channel IP-in analog modulator (I looked at Blonder > Tongue, Drake and Pico Digital). > > It is possible to cobble together a Linux system running VideoLAN > player, and get analog audio and video out of > the computer, and pipe that into an analog modulator.
> > Dave Devereaux-Weber > University of Wisconsin-Madison From joshbaird at gmail.com Tue Jan 3 11:42:44 2012 From: joshbaird at gmail.com (Josh Baird) Date: Tue, 3 Jan 2012 12:42:44 -0500 Subject: Problems with 100.42.32.0/20 Message-ID: Hi, We just received 100.42.32.0/20 from ARIN. ?According to ARIN, this block was received from IANA in November 2010 and was issued to us in November 2011. ?Since we started using it, we have seen many problems with different Geo-IP providers incorrectly classifying the block - both location and provider wise (lots of them think this is Verizon space for some reason in both Canada and Kansas). ?I have followed http://nanog.cluepon.net/index.php/GeoIP and contacted most of these providers already. Not one has returned my email/inquiry. The main problem that I am seeing is that Verizon/UUNET is filtering access to some of their networks from 100.42.32.0/20. ?We are currently unable to reach any of UUNET.net's authoritative DNS servers (198.6.1.83, 198.6.1.161, etc) and appear to be filtered by some Verizon Business/UUNET routers. $ traceroute 198.6.1.83 traceroute to 198.6.1.83 (198.6.1.83), 30 hops max, 40 byte packets 1 ?209.65.192.129 (209.65.192.129) ?1.491 ms ?1.716 ms ?1.942 ms 2 ?vl41-irtr1.dan100.net.kywimax.com (209.65.192.45) ?0.551 ms ?0.582 ms ?0.587 ms 3 ?rrcs-173-197-155-189.west.biz.rr.com (173.197.155.189) ?0.474 ms 0.519 ms ?0.505 ms 4 ?ae8.chcgill3-rtr1.kc.rr.com (65.28.199.197) ?20.349 ms ?20.340 ms ?20.409 ms 5 ?ae-5-1.cr0.chi30.tbone.rr.com (66.109.6.112) ?20.243 ms ?20.235 ms ?20.223 ms 6 ?107.14.17.147 (107.14.17.147) ?27.982 ms ?27.567 ms ?27.540 ms 7 ?216.156.72.165.ptr.us.xo.net (216.156.72.165) ?20.945 ms te1-2-0d0.cir1.chicago2-il.us.xo.net (216.156.72.5) ?20.920 ms 216.156.72.157.ptr.us.xo.net (216.156.72.157) ?20.912 ms 8 ? (204.255.168.97) ?20.868 ms ?20.826 ms ?20.910 ms 9 ? (152.63.66.77) ?36.133 ms ?36.243 ms ?36.233 ms 10 ? (152.63.43.109) ?45.859 ms ?45.853 ms ?45.843 ms 11 ? 
(152.63.38.9) 45.177 ms 45.175 ms 45.168 ms 12 * * * 13 * * * 14 * (207.18.173.162) 46.105 ms !X * (pos5-0.soesr1.ash.ops.us.uu.net) I have contacted VZW Business' IP-NOC and was not really given a contact that could help me with this situation. I have also emailed filters at lists.verizonbusiness.com and I'm awaiting a response (hopefully). Would anyone happen to have an idea of why I am seeing so many problems with this block, and who I may be able to reach out to at VZB to hopefully get this issue resolved? Thanks. From joshbaird at gmail.com Tue Jan 3 13:04:59 2012 From: joshbaird at gmail.com (Josh Baird) Date: Tue, 3 Jan 2012 14:04:59 -0500 Subject: Problems with 100.42.32.0/20 In-Reply-To: References: Message-ID: Verizon just contacted me off-list. The problem was identified as an outdated bogon filter on their end. Verizon - thanks for the quick response! Thanks, Josh On Tue, Jan 3, 2012 at 12:42 PM, Josh Baird wrote: > Hi, > > We just received 100.42.32.0/20 from ARIN. According to ARIN, this > block was received from IANA in November 2010 and was issued to us in > November 2011. Since we started using it, we have seen many problems > with different Geo-IP providers incorrectly classifying the block - > both location and provider wise (lots of them think this is Verizon > space for some reason in both Canada and Kansas). I have followed > http://nanog.cluepon.net/index.php/GeoIP and contacted most of these > providers already. Not one has returned my email/inquiry. > > The main problem that I am seeing is that Verizon/UUNET is filtering > access to some of their networks from 100.42.32.0/20. We are > currently unable to reach any of UUNET.net's authoritative DNS servers > (198.6.1.83, 198.6.1.161, etc.) and appear to be filtered by some > Verizon Business/UUNET routers.
> > $ traceroute 198.6.1.83 > traceroute to 198.6.1.83 (198.6.1.83), 30 hops max, 40 byte packets > 1 209.65.192.129 (209.65.192.129) 1.491 ms 1.716 ms 1.942 ms > 2 vl41-irtr1.dan100.net.kywimax.com (209.65.192.45) 0.551 ms 0.582 > ms 0.587 ms > 3 rrcs-173-197-155-189.west.biz.rr.com (173.197.155.189) 0.474 ms > 0.519 ms 0.505 ms > 4 ae8.chcgill3-rtr1.kc.rr.com (65.28.199.197) 20.349 ms 20.340 ms 20.409 ms > 5 ae-5-1.cr0.chi30.tbone.rr.com (66.109.6.112) 20.243 ms 20.235 ms 20.223 ms > 6 107.14.17.147 (107.14.17.147) 27.982 ms 27.567 ms 27.540 ms > 7 216.156.72.165.ptr.us.xo.net (216.156.72.165) 20.945 ms > te1-2-0d0.cir1.chicago2-il.us.xo.net (216.156.72.5) 20.920 ms > 216.156.72.157.ptr.us.xo.net (216.156.72.157) 20.912 ms > 8 (204.255.168.97) 20.868 ms 20.826 ms 20.910 ms > 9 (152.63.66.77) 36.133 ms 36.243 ms 36.233 ms > 10 (152.63.43.109) 45.859 ms 45.853 ms 45.843 ms > 11 (152.63.38.9) 45.177 ms 45.175 ms 45.168 ms > 12 * * * > 13 * * * > 14 * (207.18.173.162) 46.105 ms !X * > > (pos5-0.soesr1.ash.ops.us.uu.net) > > I have contacted VZW Business' IP-NOC and was not really given a > contact that could help me with this situation. I have also emailed > filters at lists.verizonbusiness.com and I'm awaiting a response > (hopefully). > > Would anyone happen to have an idea of why I am seeing so many > problems with this block, and who I may be able to reach out to at VZB > to hopefully get this issue resolved? > > Thanks. From leigh.porter at ukbroadband.com Tue Jan 3 13:40:39 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Tue, 3 Jan 2012 19:40:39 +0000 Subject: DC wiring standards Message-ID: <722D7606-AA61-4AA1-A7B3-B7520CDE73A3@ukbroadband.com> Hi all, Does anybody know where I can find standards for DC cabling for -48v systems? I'm looking for general best common practices, cable colouring etc.
Thanks, -- Leigh Porter From jackson.tim at gmail.com Tue Jan 3 13:49:02 2012 From: jackson.tim at gmail.com (Tim Jackson) Date: Tue, 3 Jan 2012 13:49:02 -0600 Subject: DC wiring standards In-Reply-To: <722D7606-AA61-4AA1-A7B3-B7520CDE73A3@ukbroadband.com> References: <722D7606-AA61-4AA1-A7B3-B7520CDE73A3@ukbroadband.com> Message-ID: https://ebiznet.sbc.com/sbcnebs/Documents/TP76300/index.html On Tue, Jan 3, 2012 at 1:40 PM, Leigh Porter wrote: > Hi all, > > Does anybody know where I can find standards for DC cabling for -48v systems? > > I'm looking for general best common practices, cable colouring etc. > > Thanks, > > -- > Leigh Porter > From owen at delong.com Tue Jan 3 15:41:21 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 13:41:21 -0800 Subject: IPv6 RA vs DHCPv6 - The chosen one? In-Reply-To: <4EF4E24D.4020107@cis.vutbr.cz> References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF23092.9090103@cis.vutbr.cz> <4EF4E24D.4020107@cis.vutbr.cz> Message-ID: > >> >>> - SLAAC is usually processed in a kernel, DHCPv6 is usually run as a >>> process in the user space. Diagnostic and troubleshooting is more >>> complicated. >> >> Some operating systems do the SLAAC processing in user space. What is >> the problem? > > As I wrote. Troubleshooting is more difficult.
> Having done a fair amount of troubleshooting for both SLAAC and DHCPv6 in real world deployments, I think your argument may be more theoretical than anecdotal in this case. In my general experience, it's been relatively easy to troubleshoot either protocol and neither is particularly more difficult than the other. Start by making sure that you are sending and/or receiving correctly formed packets with the right data. If not, then you know that the packet originator is the most likely culprit. Absent misconfiguration of the router, I've never seen an incorrect RA. I've never seen an incorrect RS packet. Malformed DHCPv6 packets have been extremely rare in my experience. Packets with incorrect data are almost always the result of a configuration error. The difference of whether this is processed in kernel or user space has very little impact on the troubleshooting process in most real world scenarios. Owen From owen at delong.com Tue Jan 3 15:52:07 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 13:52:07 -0800 Subject: IPv6 RA vs DHCPv6 - The chosen one? In-Reply-To: <4EF4E984.1050102@cis.vutbr.cz> References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF23092.9090103@cis.vutbr.cz> <4EF38D5A.4070003@cis.vutbr.cz> <4EF4DBDE.7050706@cis.vutbr.cz> <4EF4E984.1050102@cis.vutbr.cz> Message-ID: <67CC2B8B-9071-40CA-B186-242C2538BECF@delong.com> > > I agree with you, that is not typical for many networks. For example in > our network we have enabled some of those features (not all) only in some > subnets. Unfortunately those subnets connect over 70% of our users > (6500). It is also great that many producers are going to take those issues > seriously. > > Actually we have quite big concerns with the decision whether: > > 1. to buy cheaper access switches (like HP 42xx) that have security > features for IPv4 but will never have support for IPv6. The hardware > does not support IPv6 at all.
In that case we will be able to replace > access switches in quite a short time - one year. And in the next five years > we will buy a brand new generation of switches that will have all > those problems solved (I hope). > > or > > 2. to buy much more expensive switches (like HP 54xx) that support some > basic security features for IPv6 and there is some probability that > other features will be implemented. So we will be able to use ra-guard > and ACLs immediately. In that case there is still a chance that some > features will not be implemented due to hardware limits. So we will have > to buy a new generation of switches again in five years. > > Tomas To me, that question is a no-brainer. Buying a product without IPv6 support today as a cost-saving measure makes about as much sense as spending $20 to pay someone to recover $0.50 worth of screws from the factory floor sweepings every night. You might create the appearance of savings in the short run, but the costs in the medium and long terms will vastly overwhelm any perceived short-term savings. Owen From owen at delong.com Tue Jan 3 15:56:57 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 13:56:57 -0800 Subject: IPv6 RA vs DHCPv6 - The chosen one? In-Reply-To: References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF23092.9090103@cis.vutbr.cz> <4EF38D5A.4070003@cis.vutbr.cz> <4EF4DBDE.7050706@cis.vutbr.cz> Message-ID: On Dec 23, 2011, at 1:23 PM, Jeff Wheeler wrote: > On Fri, Dec 23, 2011 at 4:13 PM, Mohacsi Janos wrote: >> If you can limit the number of ARP/NDP entries per interface and you complement >> RAGuard and DHCPv4 snooping you are done. > > That depends on how ARP/ND gleaning works on the box. In short, Cisco > already has a knob to limit the number of ND entries per interface on > some of their kit, and it is not a solution, only a damage mitigation > measure.
http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf In the real world, sufficient damage prevention/mitigation qualifies as a solution. Owen From owen at delong.com Tue Jan 3 16:36:54 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 14:36:54 -0800 Subject: subnet prefix length > 64 breaks IPv6? In-Reply-To: References: <20111224.080822.74721455.sthaug@nethelp.no> <1324724331.2763.20.camel@karl> <4EF5B477.7040703@gmail.com> Message-ID: On Dec 24, 2011, at 6:48 AM, Glen Kent wrote: >> >> SLAAC only works with /64 - yes - but only if it runs on Ethernet-like >> Interface ID's of 64bit length (RFC2464). > > Ok, the last 64 bits of the 128 bit address identify an Interface ID > which is uniquely derived from the 48bit MAC address (which exists > only in ethernet). > Not exactly. Most media have some form of link-layer addressing. For Firewire, it's native EUI-64. For Ethernet, it's EUI-48 MAC addresses. For token ring, I believe there are also EUI-48 addresses. For FDDI (Remember FDDI?) I believe it was EUI-48 addresses. ATM and Frame Relay also have EUI addresses built in to their interfaces (though I don't remember the exact format and am too lazy to look it up at the moment). >> SLAAC could work ok with /65 on non-Ethernet media, like a >> point-to-point link whose Interface ID's length be negotiated during the >> setup phase. > > If we can do this for a p2p link, then why can't the same be done for > an ethernet link? > I'm not so sure the statement above is actually true. Owen > Glen > >> >> Other non-64 Interface IDs could be constructed for 802.15.4 links, for >> example a 16bit MAC address could be converted into a 32bit Interface >> ID. SLAAC would thus use a /96 prefix in the RA and a 32bit IID. >> >> IP-over-USB misses an Interface ID altogether, so one is free to define >> its length. >> >> Alex >> >>> >>> Regards, K.
>>> >> >> From owen at delong.com Tue Jan 3 17:19:08 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 15:19:08 -0800 Subject: IPv6 RA vs DHCPv6 - The chosen one? In-Reply-To: <4EF67019.1000309@necom830.hpcl.titech.ac.jp> References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF23092.9090103@cis.vutbr.cz> <4EF4E24D.4020107@cis.vutbr.cz> <4EF4EBE0.4050609@necom830.hpcl.titech.ac.jp> <4EF58B34.6000904@rancid.berkeley.edu> <4EF59438.8040505@necom830.hpcl.titech.ac.jp> <1324724731.2763.26.camel@karl> <4EF6612F.2070901@necom830.hpcl.titech.ac.jp> <4EF66348.8040500@bogus.com> <4EF67019.1000309@necom830.hpcl.titech.ac.jp> Message-ID: <052FB5BB-4487-4940-87A7-0041A8AD6DF5@delong.com> On Dec 24, 2011, at 4:36 PM, Masataka Ohta wrote: > Joel jaeggli wrote: > >>> First of all, ND use is optional and, if ND is used, RA >>> must be used. >>> >>> It means that, if RA is not used, ND can't be used. >> >> Finding and maintaining the l2 address for a device on a subnet where RA >> is not used is a pretty common activity so I'm not sure how your would >> conclude that. 2461/4861/5942 certainly don't preclude that. > > RFC6434 has contradictory statements: > > Neighbor Discovery SHOULD be supported. > > and > > Hosts MUST support IPv6 Stateless Address Autoconfiguration as > defined in [RFC4862]. > These do not conflict. > and a reasonable interpretation is SLAAC MUST be supported if > ND is supported. > The implementation of IPv6 in a host MUST support SLAAC. That does not mean that the host must use that support in any particular environment. Owen From owen at delong.com Tue Jan 3 17:45:03 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 15:45:03 -0800 Subject: subnet prefix length > 64 breaks IPv6? In-Reply-To: References: Message-ID: On Dec 27, 2011, at 3:28 PM, Glen Kent wrote: > It seems ISIS and OSPFv3 use the link local next-hop in their route > advertisements. 
> > We discussed that SLAAC doesn't work with prefixes > 64 on the ethernet > medium (which I believe is quite, if not most, prevalent). If that's > the case then how do operators who assign netmasks > 64 use ISIS and > OSPF, since these protocols will use the link local address? > The global unicast prefix length is independent of the link local prefix length. Technically, link local is fe80::/10, though many implementations erroneously treat it as fe80::/64. In most cases, since the 54 bits between fe80 and the IID are almost always 0, this error has no impact. > I had assumed that nodes derive their link local address from the > Route Advertisements. They derive their least significant 64 bytes > from their MACs and the most significant 64 from the prefix announced > in the RAs. > No, nodes derive their link local address from the reserved prefix fe80::/10 and their EUI-64 IID based on their MAC address. They then use that link local address to send out an RS message in order to get global unicast prefixes from the RAs received in response. Owen > Glen > > On Tue, Dec 27, 2011 at 6:25 AM, Glen Kent wrote: >> Sven, >> >>> also various bgp implementations will send the autoconfigure crap ip as the >>> next-hop instead of the session ip, resulting in all kinds of crap in your >>> route table (if not fixed with nasty hacks on your end ;) which doesn't >>> exactly make it easy to figure out which one belongs to which peer >>> all the more reason not to use that autoconfigure crap ;) >> >> As per RFC 2545 BGP announces a global address as the next-hop. It's >> only in one particular case that it advertises both global and link >> local addresses. >> >> So, I guess, BGP is not broken. >> >> It's only RIPng afaik that mandates using a link local address. >> >> Glen From Valdis.Kletnieks at vt.edu Tue Jan 3 18:40:53 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Tue, 03 Jan 2012 19:40:53 -0500 Subject: IPv6 RA vs DHCPv6 - The chosen one?
In-Reply-To: Your message of "Tue, 03 Jan 2012 15:19:08 PST." <052FB5BB-4487-4940-87A7-0041A8AD6DF5@delong.com> References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF23092.9090103@cis.vutbr.cz> <4EF4E24D.4020107@cis.vutbr.cz> <4EF4EBE0.4050609@necom830.hpcl.titech.ac.jp> <4EF58B34.6000904@rancid.berkeley.edu> <4EF59438.8040505@necom830.hpcl.titech.ac.jp> <1324724731.2763.26.camel@karl> <4EF6612F.2070901@necom830.hpcl.titech.ac.jp> <4EF66348.8040500@bogus.com> <4EF67019.1000309@necom830.hpcl.titech.ac.jp> <052FB5BB-4487-4940-87A7-0041A8AD6DF5@delong.com> Message-ID: <6205.1325637653@turing-police.cc.vt.edu> On Tue, 03 Jan 2012 15:19:08 PST, Owen DeLong said: > The implementation of IPv6 in a host MUST support SLAAC. That does not mean > that the host must use that support in any particular environment. The odd part is that the above paragraph is equally true if you replace SLAAC with IPSec - but in *that* case nobody has an issue with it. Just sayin'... From kauer at biplane.com.au Tue Jan 3 20:41:41 2012 From: kauer at biplane.com.au (Karl Auer) Date: Wed, 04 Jan 2012 13:41:41 +1100 Subject: subnet prefix length > 64 breaks IPv6? In-Reply-To: References: Message-ID: <1325644901.2556.134.camel@karl> On Tue, 2012-01-03 at 15:45 -0800, Owen DeLong wrote: > Technically, link local is fe80::/10, though many implementations erroneously > treat it as fe80::/64. In most cases, since the 54 bits between fe80 and the > IID are almost always 0, this error has no impact. Yes, well, I'm a bit confused about that. Maybe I haven't read the trail of overlapping, obsoleting and conflicting RFCs carefully enough. RFC 4862 (section 5.3) says that the interface ID can run all the way up to the end of the link-local prefix. Since this is defined as a /10, an interface ID can be up to 118 bits long.
In RFC 4862 the prefix length is not actually given; instead it says "the well-known link-local prefix FE80::0 [RFC4291] (of appropriate length)". RFC 4862 also says that the whole thing must be consistent with RFC 4291. RFC 4291 (section 2.5.6), defines the first ten bits as 1111111010, then the next 54 bits as zero - BUT does not specify a prefix length. Those implementations that use /64 can thus be forgiven, I think. So - are those 54 bits reserved and zero, or can an interface ID be anything up to 118 bits long? I'd be interested in a definitive answer, if there is one. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer at biplane.com.au) http://www.biplane.com.au/kauer GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687 From randy at psg.com Tue Jan 3 21:52:40 2012 From: randy at psg.com (Randy Bush) Date: Wed, 04 Jan 2012 12:52:40 +0900 Subject: AD and enforced password policies In-Reply-To: <20120103134353.GQ7491@besserwisser.org> References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> <4F030320.1030804@mtcc.com> <20120103134353.GQ7491@besserwisser.org> Message-ID: fwiw, citibank in the states uses normal passwording for personal accounts. but citibank business uses two-factor with a password and a customized vasco digipass 270. randy From toddunder at gmail.com Tue Jan 3 22:13:04 2012 From: toddunder at gmail.com (Todd Underwood) Date: Tue, 3 Jan 2012 23:13:04 -0500 Subject: AD and enforced password policies In-Reply-To: References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> <4F030320.1030804@mtcc.com> <20120103134353.GQ7491@besserwisser.org> Message-ID: additionally, etrade in the states has had 2-factor authentication (RSA token) for over 8 or 9 years now. it's one reasonable reason to stay with them. 
t On Tue, Jan 3, 2012 at 10:52 PM, Randy Bush wrote: > fwiw, citibank in the states uses normal passwording for personal > accounts. but citibank business uses two-factor with a password > and a customized vasco digipass 270. > > randy > From graham at g-rock.net Tue Jan 3 22:23:34 2012 From: graham at g-rock.net (Graham Wooden) Date: Tue, 03 Jan 2012 22:23:34 -0600 Subject: CenturyLink - DNS admin needed Message-ID: Hello, Any CenturyLink DNS admin folks lingering around? If so, can you contact me off-list? I believe there is some erroneous data lingering in the DNS caching servers and would like to get that resolved. TTL has appeared to have come and gone and it's not refreshing. FYI - I tried to go through our support channels (we're a TDM based customer), but that isn't proving to be getting us anywhere... Thank you, -graham From mysidia at gmail.com Tue Jan 3 22:58:35 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Tue, 3 Jan 2012 22:58:35 -0600 Subject: AD and enforced password policies In-Reply-To: <20120103084411.GN7491@besserwisser.org> References: <20120103084411.GN7491@besserwisser.org> Message-ID: On Tue, Jan 3, 2012 at 2:44 AM, Måns Nilsson wrote: > Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at > 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me): > > However I would say 365 day expiration is a little long, 3 months is > about the average in a non financial oriented network. > If you force me to change a password every three months, I'm going > to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result, > you lose. > [snip] A good use for expiration is to mitigate the risk that a password was guessed or accidentally leaked but not used yet to launch a detected attack / abuse the account -- expiration of the password doesn't destroy leaked data or uninstall malware, so it is not any sort of replacement for proper intrusion detection, security monitoring, and explicit incident response.
It is more secure to have solid intrusion detection, alarms, or 2 factor auth. For internet-connected systems, 5-day, 10-day, 30-day, 60-day password expirations are fairly useless, because the intruder guesses the password one day, and probably abuses it in less than 24 hours; 6-month and 12-month expirations accomplish much the same, but are much less of a nuisance. Chances are very good that if a password is leaked, it will be abused long before it expires, and if you don't detect the compromise, this means your intrusion detection systems have failed; expiration of the password doesn't erase the results of a successful compromise, or lock out the successful intruder. So password expiration is not a good crutch. A more effective expiration measure is to use 2-factor authentication, with one time passwords that expire within 30 seconds. Manual forced immediate password expiration should be in the security admin's toolbox as a possible response to observation of questionable or potentially remotely suspicious activity on a system that user had been logged into recently. -- -JH From mansaxel at besserwisser.org Wed Jan 4 03:00:40 2012 From: mansaxel at besserwisser.org (Måns Nilsson) Date: Wed, 4 Jan 2012 10:00:40 +0100 Subject: AD and enforced password policies In-Reply-To: <23f7068e-b0bd-44a7-9e73-f0c81d6c7a12@mail.pelican.org> References: <20120103134353.GQ7491@besserwisser.org> <23f7068e-b0bd-44a7-9e73-f0c81d6c7a12@mail.pelican.org> Message-ID: <20120104090039.GR7491@besserwisser.org> Subject: Re: AD and enforced password policies Date: Tue, Jan 03, 2012 at 02:16:38PM -0000 Quoting Tim Franklin (tim at pelican.org): > > There is indeed a difference between Europe (or is it only .SE?) and > > USA here; no bank in Sweden lets you login without at least a client > > certificate and password/pin code.
Most banks have a hardware token, > > either challenge-response or HOTP/TOTP; some use the chip in chip-and-pin > > cards as certificate carrier, and combine it with a reader device to > > manage pin code entry. > > Can't speak for Europe as a whole, but certainly in the UK it's not common - and I wish it was. I do have different passwords for my banking and other finance-type sites (pensions etc), both for each site and distinct from my "fuzzykittens" passwords (which do re-use a handful of variations on a couple of themes). A hardware token would be very nice though. If it only was one token for all. Public services usually use most of the several national ID card "standards" that we have so for things like doing tax returns, applying for public health insurance payments, etc, one solution "works" -- but all the others have one each. Identity federations are probably the way to go. > Client cert worries me a bit - while it *should* be standards-based, I'm sure there's some way to implement it such that it only works on Windows. Given how long it took for banks to stop with the "Safari! Evil! Access denied!" routine, I don't hold much faith in their willingness or ability to build cross-platform solutions. It sometimes works. Sometimes not. I have chip-and-pin with cert on and reader. If I use it as a standalone authenticator I can even use elinks, but to use it as national ID card I need to run a bunch of apps, and must stay on Firefox3. This is for OSX. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 UH-OH!! I think KEN is OVER-DUE on his R.V. PAYMENTS and HE'S having a NERVOUS BREAKDOWN too!! Ha ha.
From mansaxel at besserwisser.org Wed Jan 4 03:03:28 2012 From: mansaxel at besserwisser.org (Måns Nilsson) Date: Wed, 4 Jan 2012 10:03:28 +0100 Subject: AD and enforced password policies In-Reply-To: References: <20120103084411.GN7491@besserwisser.org> Message-ID: <20120104090327.GS7491@besserwisser.org> Subject: Re: AD and enforced password policies Date: Tue, Jan 03, 2012 at 10:58:35PM -0600 Quoting Jimmy Hess (mysidia at gmail.com): > Manual forced immediate password expiration should be in the security > admin's toolbox as a possible response to observation of questionable or > potentially remotely suspicious activity on a system that user had been > logged into recently. Indeed. If doubt arises, just change. Have been on the fringe of a kdc compromise. 10000 students and faculty were required to show up in person and change on approved terminals. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Wow! Look!! A stray meatball!! Let's interview it! From randy at psg.com Wed Jan 4 04:10:06 2012 From: randy at psg.com (Randy Bush) Date: Wed, 04 Jan 2012 19:10:06 +0900 Subject: incoming smtp from v6 addresses Message-ID: for incoming mail that is *accepted*, i.e. not stuff like 2012-01-04 00:37:28 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org 2012-01-04 00:37:28 H=(nexo.es) [118.39.80.118] F= rejected RCPT : blocked because 118.39.80.118 is in blacklist at rbl-plus.mail-abuse.org: Mail from 118.39.80.118 blocked using Trend Micro Email Reputation database.
Please see 2012-01-04 00:37:28 no host name found for IP address 118.39.80.118 2012-01-04 00:37:29 REJECT 118.39.80.118 too many bad recip 2012-01-04 00:37:29 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org 7.8% is over ipv6 transport but only 2% of outgoing deliveries are over ipv6. what do other folk see? randy From regnauld at nsrc.org Wed Jan 4 04:15:56 2012 From: regnauld at nsrc.org (Phil Regnauld) Date: Wed, 4 Jan 2012 11:15:56 +0100 Subject: incoming smtp from v6 addresses In-Reply-To: References: Message-ID: <20120104101556.GA8280@macbook.bluepipe.net> Randy Bush (randy) writes: > > 7.8% is over ipv6 transport > > but only 2% of outgoing deliveries are over ipv6. > > what do other folk see? What's your primary configuration ? Hub, end user system ? Care to share the methodology ? I can run some stats, but want to be sure we're comparing the same thing :) Cheers, Phil From joelja at bogus.com Wed Jan 4 04:16:34 2012 From: joelja at bogus.com (Joel jaeggli) Date: Wed, 04 Jan 2012 02:16:34 -0800 Subject: subnet prefix length > 64 breaks IPv6? In-Reply-To: References: <20111228.141052.104056686.sthaug@nethelp.no> <37f38f1f-369f-4056-8593-32b54e7fbc88@d8g2000yqk.googlegroups.com> <20111228.155045.85391394.sthaug@nethelp.no> Message-ID: <4F042702.4010004@bogus.com> On 12/28/11 07:30 , Ryan Malayter wrote: > Except nowhere in there is the prefix length for the test indicated, > and the exact halving of forwarding rate for IPv6 leads one to believe > that there are two TCAM lookups for IPv6 (hence 64-bit prefix lookups) > versus one for IPv4. A cam (assuming your router uses one) can easily be partitioned to support 144 bit words, and you can look up the whole address in one go. A router designer might well choose to fold the lookup and partition a cam table in a different fashion, to reduce memory consumption, save power etc.
if they choose to split lookups (for example with the 72 most significant bits in the first lookup and the last 56 in a second) it's because they believe the tradeoff associated with two constant time lookups is acceptable. remember the cam table lookup is competing against a prefix trie lookup with a variable stride pattern done in really fast dram for mind/market share. > For example, what is the forwarding rate for IPv6 when the tables are > filled with /124 IPv6 routes that differ only in the last 60 bits? > > Even the EANTC test results you reference make no mention of the > prefix length for IPv4 or IPv6, or even the number of routes in the > lookup table during the testing: > http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd800c958a.pdf > > > From randy at psg.com Wed Jan 4 04:26:59 2012 From: randy at psg.com (Randy Bush) Date: Wed, 04 Jan 2012 19:26:59 +0900 Subject: incoming smtp from v6 addresses In-Reply-To: <20120104101556.GA8280@macbook.bluepipe.net> References: <20120104101556.GA8280@macbook.bluepipe.net> Message-ID: >> 7.8% is over ipv6 transport >> but only 2% of outgoing deliveries are over ipv6. > What's your primary configuration ? Hub, end user system ? the main smtp receiver and sender for maybe 100 users and a few dozen mailing lists of small to lower middle class size. > Care to share the methodology ? I can run some stats, but want > to be sure we're comparing the same thing :) hold your nose zgrep '<=.*\[....:' /var/spool/exim/log/main* | wc zgrep '<=' /var/spool/exim/log/main* | wc and the ever faithful bc :) randy From s+Mailinglisten.nanog at sloc.de Wed Jan 4 05:37:09 2012 From: s+Mailinglisten.nanog at sloc.de (Sebastian Spies) Date: Wed, 04 Jan 2012 12:37:09 +0100 Subject: incoming smtp from v6 addresses In-Reply-To: References: Message-ID: <4F0439E5.1030306@sloc.de> On 04.01.2012 11:10, Randy Bush wrote: > for incoming mail that is *accepted*, i.e.
not stuff like > 2012-01-04 00:37:28 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org > 2012-01-04 00:37:28 H=(nexo.es) [118.39.80.118] F= rejected RCPT : blocked because 118.39.80.118 is in blacklist at rbl-plus.mail-abuse.org: Mail from 118.39.80.118 blocked using Trend Micro Email Reputation database. Please see > 2012-01-04 00:37:28 no host name found for IP address 118.39.80.118 > 2012-01-04 00:37:29 REJECT 118.39.80.118 too many bad recip > 2012-01-04 00:37:29 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org > > 7.8% is over ipv6 transport > > but only 2% of outgoing deliveries are over ipv6. > > what do other folk see? > > randy Received $ grep 'amavis' mail.log | grep Passed | wc -l 448 $ grep 'amavis' mail.log | grep Passed | grep IPv6 | wc -l 91 $ grep 'amavis' mail.log | grep Passed | grep IPv6 | grep -v '2001:1838::cc5d:d48a' | wc -l 18 Sent $ grep 'postfix/smtp' mail.log | grep 'status=sent' | grep -v '127.0.0.1' |wc -l 253 enceladus:/var/log# grep 'postfix/smtp' mail.log | grep 'status=sent' | egrep '\[([a-f0-9]{0,4}:)+[a-f0-9]{0,4}\]' | wc -l 19 with most of them going to mailin.v6.t-online.de[2003:2:2:10:fee::32]:25 ~40 silent users Sebastian From mansaxel at besserwisser.org Wed Jan 4 06:02:55 2012 From: mansaxel at besserwisser.org (=?utf-8?B?TcOlbnM=?= Nilsson) Date: Wed, 4 Jan 2012 13:02:55 +0100 Subject: anycast load balancing issue Message-ID: <20120104120255.GT7491@besserwisser.org> Hi, I'm in the process of deploying an anycast DNS service internally. We're on a pretty provider-like network, where we run MPLS to provide several network overlays for different services. iBGP is used to distribute routing information, and ISIS is used as IGP. In one of the VRFen we would like to place name servers using a common IP address. To get speedy network updates when outages occur we'll be using OSPF on the name servers to inject the routes into the IGP. The P/E router then redistributes the route into the right VRF. 
(the name server OSPF process is not aware of MPLS; it just talks to a router.)

So far so good. This works.

Trouble is, we find that (untweaked) cost and metric are such that all nodes are equal. The last resort (peer router ID) gets invoked and all traffic goes to one single instance. Of course, when that instance falls off the net recalculation takes place and another node steps in, but I'd like true path lengths (IGP hop count) to influence more than iBGP (route-reflector-style) selection.

Any clues?

Oh, all-cisco, all ASR1000 series. All links GE. ~90 routers in IGP.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
... this must be what it's like to be a COLLEGE GRADUATE!!

From jared at puck.nether.net Wed Jan 4 06:18:11 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 4 Jan 2012 07:18:11 -0500
Subject: incoming smtp from v6 addresses
In-Reply-To:
References: <20120104101556.GA8280@macbook.bluepipe.net>
Message-ID: <3D93FC5B-C419-42CF-9441-508FF473C2E3@puck.nether.net>

On Jan 4, 2012, at 5:26 AM, Randy Bush wrote:

>>> 7.8% is over ipv6 transport
>>> but only 2% of outgoing deliveries are over ipv6.
>> What's your primary configuration ? Hub, end user system ?
>
> the main smtp receiver and sender for maybe 100 users and a few
> dozen mailing lists of small to lower middle class size.
>
>> Care to share the methodology ?
>> I can run some stats, but want
>> to be sure we're comparing the same thing :)
>
> hold your nose
>
> zgrep '<=.*\[....:' /var/spool/exim/log/main* | wc
> zgrep '<=' /var/spool/exim/log/main* | wc
>
> and the ever faithful bc :)

Similar footprint, and I have something like the following on puck:

    puck:~$ grep IPv6: /var/log/maillog | grep stat=Sent | wc -l
    9043
    puck:~$ grep stat=Sent /var/log/maillog | wc -l
    110343

If gmail were to host AAAA for their MX I would see a lot more mail delivered over there.

- Jared

-- stats --

unique list delivery

    [mailman at puck jared]$ /home/mailman/bin/find_member @ | grep -v 'found in' | wc -l
    26442
    [mailman at puck jared]$ /home/mailman/bin/find_member @gmail | grep -v 'found in' | wc -l
    7098

unique addresses

    [mailman at puck jared]$ /home/mailman/bin/find_member @ | grep 'found in' | wc -l
    16044
    [mailman at puck jared]$ /home/mailman/bin/find_member @gmail | grep 'found in' | wc -l
    4076

From ops.lists at gmail.com Wed Jan 4 06:18:31 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 4 Jan 2012 17:48:31 +0530
Subject: incoming smtp from v6 addresses
In-Reply-To:
References: <20120104101556.GA8280@macbook.bluepipe.net>
Message-ID:

On Wed, Jan 4, 2012 at 3:56 PM, Randy Bush wrote:
> zgrep '<=.*\[....:' /var/spool/exim/log/main* | wc
> zgrep '<=' /var/spool/exim/log/main* | wc

    frodo:/home/suresh# zgrep '<=.*\[....:' /var/log/exim4/mainlog* | wc
      16673  385620  7023087
    frodo:/home/suresh# zgrep '<=' /var/log/exim4/mainlog* | wc
      24277  559746 10110840

-- 
Suresh Ramasubramanian (ops.lists at gmail.com)

From regnauld at nsrc.org Wed Jan 4 06:23:34 2012
From: regnauld at nsrc.org (Phil Regnauld)
Date: Wed, 4 Jan 2012 13:23:34 +0100
Subject: incoming smtp from v6 addresses
In-Reply-To: <4F0439E5.1030306@sloc.de>
References: <4F0439E5.1030306@sloc.de>
Message-ID: <20120104122334.GA9005@macbook.bluepipe.net>

Received

    # grep 'amavis' mail.log | grep Passed | wc -l
    1411 (1189 if only counting CLEAN, post amavisd)
    # grep 'amavis' \
        mail.log | grep Passed | grep IPv6 | grep -v '::1' | wc -l
    255 (253 if only counting CLEAN - so less spam in IPv6 :)

Sent

    # grep 'postfix/smtp' mail.log | grep 'status=sent' | grep -v '127.0.0.1' | wc -l
    1422
    # grep 'postfix/smtp' mail.log | grep 'status=sent' | egrep '\[([a-f0-9]{0,4}:)+[a-f0-9]{0,4}\]' | wc -l
    13 (filtered out a v6 IP that gets a copy of every mail)

18% incoming, .9% outgoing...

From mansaxel at besserwisser.org Wed Jan 4 06:51:54 2012
From: mansaxel at besserwisser.org (Måns Nilsson)
Date: Wed, 4 Jan 2012 13:51:54 +0100
Subject: anycast load balancing issue
In-Reply-To: <20120104120255.GT7491@besserwisser.org>
References: <20120104120255.GT7491@besserwisser.org>
Message-ID: <20120104125154.GU7491@besserwisser.org>

Subject: anycast load balancing issue Date: Wed, Jan 04, 2012 at 01:02:55PM +0100 Quoting Måns Nilsson (mansaxel at besserwisser.org):

> Trouble is, we find that (untweaked) cost and metric are such that all
> nodes are equal.

s/all nodes/all nodes in my pathetically small test case/

Was no issue. I just was unlucky in selecting test cases. Sorry.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Do you have exactly what I want in a plaid poindexter bar bat??
From bicknell at ufp.org Wed Jan 4 08:47:24 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Wed, 4 Jan 2012 06:47:24 -0800
Subject: incoming smtp from v6 addresses
In-Reply-To: <3D93FC5B-C419-42CF-9441-508FF473C2E3@puck.nether.net>
References: <20120104101556.GA8280@macbook.bluepipe.net> <3D93FC5B-C419-42CF-9441-508FF473C2E3@puck.nether.net>
Message-ID: <20120104144724.GA50083@ussenterprise.ufp.org>

In a message written on Wed, Jan 04, 2012 at 07:18:11AM -0500, Jared Mauch wrote:
> Similar footprint, and I have something like the following on puck:
>
> puck:~$ grep IPv6: /var/log/maillog | grep stat=Sent | wc -l
> 9043
> puck:~$ grep stat=Sent /var/log/maillog | wc -l
> 110343

I have a mail system that has almost 0 technical users on it.

    % grep IPv6: /var/log/maillog | grep stat=Sent | wc -l
    4
    % grep stat=Sent /var/log/maillog | wc -l
    1298

:(

> If gmail were to host AAAA for their MX I would see a lot more mail delivered over there.

Agreed, gmail, yahoo, hotmail and AOL are probably 80% of the total mail on that box, so those four could make a huge swing, individually or collectively.

-- 
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
From cb.list6 at gmail.com Wed Jan 4 08:56:58 2012
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Wed, 4 Jan 2012 06:56:58 -0800
Subject: anycast load balancing issue
In-Reply-To: <20120104125154.GU7491@besserwisser.org>
References: <20120104120255.GT7491@besserwisser.org> <20120104125154.GU7491@besserwisser.org>
Message-ID:

On Jan 4, 2012 4:52 AM, "Måns Nilsson" wrote:
>
> Subject: anycast load balancing issue Date: Wed, Jan 04, 2012 at 01:02:55PM +0100 Quoting Måns Nilsson (mansaxel at besserwisser.org):
>
> > Trouble is, we find that (untweaked) cost and metric are such that all
> > nodes are equal.
>
> s/all nodes/all nodes in my pathetically small test case/
>
> Was no issue. I just was unlucky in selecting test cases. Sorry.
>
>
> --
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE +46 705 989668
> Do you have exactly what I want in a plaid poindexter bar bat??

I use:

Anycast = server loop back
Protocol to server = bgp / bfd

This allows for ecmp horizontal scaling for n number of dns servers (where n is less than Max ecmp paths)

You may need to turn the bgp ecmp multipath knob.

From simon.perreault at viagenie.ca Wed Jan 4 08:58:24 2012
From: simon.perreault at viagenie.ca (Simon Perreault)
Date: Wed, 04 Jan 2012 09:58:24 -0500
Subject: incoming smtp from v6 addresses
In-Reply-To:
References:
Message-ID: <4F046910.5010507@viagenie.ca>

Randy Bush wrote, on 01/04/2012 05:10 AM:
> 7.8% is over ipv6 transport
>
> but only 2% of outgoing deliveries are over ipv6.

A consequence of AAAA whitelisting?
Simon

-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca

From mike at sentex.net Wed Jan 4 09:46:08 2012
From: mike at sentex.net (Mike Tancsa)
Date: Wed, 04 Jan 2012 10:46:08 -0500
Subject: incoming smtp from v6 addresses
In-Reply-To:
References:
Message-ID: <4F047440.6070500@sentex.net>

On 1/4/2012 5:10 AM, Randy Bush wrote:
> for incoming mail that is *accepted*, i.e. not stuff like
> 2012-01-04 00:37:28 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org
> 2012-01-04 00:37:28 H=(nexo.es) [118.39.80.118] F= rejected RCPT : blocked because 118.39.80.118 is in blacklist at rbl-plus.mail-abuse.org: Mail from 118.39.80.118 blocked using Trend Micro Email Reputation database. Please see
> 2012-01-04 00:37:28 no host name found for IP address 118.39.80.118
> 2012-01-04 00:37:29 REJECT 118.39.80.118 too many bad recip
> 2012-01-04 00:37:29 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org
>
> 7.8% is over ipv6 transport
>
> but only 2% of outgoing deliveries are over ipv6.

For accepted mail today, 2% is v6 for outbound, 4% for v6 is inbound. I suspect the higher inbound values might be due to tech mailing lists which tend to come from IPv6 enabled hosts ?

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From davei at otd.com Wed Jan 4 09:54:15 2012
From: davei at otd.com (Dave Israel)
Date: Wed, 04 Jan 2012 10:54:15 -0500
Subject: incoming smtp from v6 addresses
In-Reply-To: <4F047440.6070500@sentex.net>
References: <4F047440.6070500@sentex.net>
Message-ID: <4F047627.4010906@otd.com>

On 1/4/2012 10:46 AM, Mike Tancsa wrote:
> I suspect the higher inbound values might be due to tech mailing
> lists which tend to come from IPv6 enabled hosts ?
Yeah, all of my (non-internal) ipv6 mail is from such mailing lists.

-Dave

From kohn.jack at gmail.com Wed Jan 4 09:55:49 2012
From: kohn.jack at gmail.com (Jack Kohn)
Date: Wed, 4 Jan 2012 21:25:49 +0530
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com>
Message-ID:

Tom,

It seems NIST recommends ESP over AH. You can look at the following 2 emails from Manav and Sriram on the IPsecME WG:

http://www.ietf.org/mail-archive/web/ipsec/current/msg07403.html
http://www.ietf.org/mail-archive/web/ipsec/current/msg07407.html

Jack

On Mon, Jan 2, 2012 at 5:57 AM, TR Shaw wrote:
>
> On Jan 1, 2012, at 7:12 PM, John Smith wrote:
>
>> Hi,
>>
>> I am trying to see if there are people who use AH specially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, but the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
>>
>> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH? OR is it that people don't care and just use what their vendors provide them?
>>
>> Regards,
>> John
>
> AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another adding more expense for no increase in operational security.
>
> If you are following NIST or DCID-63, this is required to meet certain integrity requirements
>
> ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. EG AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.
>
> Think of AH that it is like just signing a PGPMail and ESP as signing and encrypting a PGPMail.
>
> There are reasons for both.
>
> Tom
>
>

From rbonica at juniper.net Wed Jan 4 09:58:09 2012
From: rbonica at juniper.net (Ronald Bonica)
Date: Wed, 4 Jan 2012 10:58:09 -0500
Subject: Trouble accessing www.nanog.org
Message-ID: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net>

Is anyone else having trouble accessing www.nanog.org. I can ping the site but don't get any response from HTTP requests.

--------------------------
Ron Bonica
vcard: www.bonica.org/ron/ronbonica.vcf

From trelane at trelane.net Wed Jan 4 10:09:34 2012
From: trelane at trelane.net (Andrew D Kirch)
Date: Wed, 04 Jan 2012 11:09:34 -0500
Subject: Trouble accessing www.nanog.org
In-Reply-To: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net>
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net>
Message-ID: <4F0479BE.6030206@trelane.net>

works for me

From sean at seanharlow.info Wed Jan 4 10:12:20 2012
From: sean at seanharlow.info (Sean Harlow)
Date: Wed, 4 Jan 2012 11:12:20 -0500
Subject: Trouble accessing www.nanog.org
In-Reply-To: <4F0479BE.6030206@trelane.net>
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net>
Message-ID: <46B0986A-4AF3-4A59-BC96-BC502CF93E9A@seanharlow.info>

I was seeing the same problem, but it seems to be working now.
On Jan 4, 2012, at 11:09 AM, Andrew D Kirch wrote:
> works for me
>
>

From betty at newnog.org Wed Jan 4 10:14:59 2012
From: betty at newnog.org (Betty Burke)
Date: Wed, 4 Jan 2012 11:14:59 -0500
Subject: Trouble accessing www.nanog.org
In-Reply-To: <4F0479BE.6030206@trelane.net>
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net>
Message-ID:

Works for me as well :> I will check to see if there was some interruption in service and report as warranted.

Betty

On Wed, Jan 4, 2012 at 11:09 AM, Andrew D Kirch wrote:
> works for me
>
>

-- 
Betty Burke
NewNOG/NANOG Executive Director
Office (810) 214-1218
Direct (510) 492-4030

From dwessels at verisign.com Wed Jan 4 12:41:03 2012
From: dwessels at verisign.com (Wessels, Duane)
Date: Wed, 4 Jan 2012 10:41:03 -0800
Subject: Trouble accessing www.nanog.org
In-Reply-To:
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net>
Message-ID: <175C077F-0B34-4995-A956-1517CDC10138@verisign.com>

The brief problem in accessing www.nanog.org was due to numerous parallel downloads of a large video file by a single source IP address. We have no reason to believe it was malicious in intent, but the offender has been blocked anyway.

Anyone from AS37986 around?

Duane W.

From alexandru.petrescu at gmail.com Wed Jan 4 12:50:30 2012
From: alexandru.petrescu at gmail.com (Alexandru Petrescu)
Date: Wed, 04 Jan 2012 19:50:30 +0100
Subject: subnet prefix length > 64 breaks IPv6?
In-Reply-To:
References: <20111224.080822.74721455.sthaug@nethelp.no> <1324724331.2763.20.camel@karl> <4EF5B477.7040703@gmail.com>
Message-ID: <4F049F76.8080309@gmail.com>

On 03/01/2012 23:36, Owen DeLong wrote:
>
> On Dec 24, 2011, at 6:48 AM, Glen Kent wrote:
>
>>>
>>> SLAAC only works with /64 - yes - but only if it runs on
>>> Ethernet-like Interface ID's of 64bit length (RFC2464).
>>
>> Ok, the last 64 bits of the 128 bit address identifies an Interface
>> ID which is uniquely derived from the 48bit MAC address (which
>> exists only in ethernet).
>>
>
> Not exactly. Most media have some form of link-layer addressing. For
> Firewire, it's native EUI-64. For Ethernet, it's EUI-48 MAC
> addresses. For token ring, I believe there are also EUI-48 addresses.
> For FDDI (Remember FDDI?) I believe it was EUI-48 addresses. ATM and
> Frame Relay also have EUI addresses built in to their interfaces
> (though I don't remember the exact format and am too lazy to look it
> up at the moment).
>
>>> SLAAC could work ok with /65 on non-Ethernet media, like a
>>> point-to-point link whose Interface ID's length be negotiated
>>> during the setup phase.
>>
>> If we can do this for a p2p link, then why can't the same be done
>> for an ethernet link?
>>
>
> I'm not so sure the statement above is actually true.

I think that's right, sorry. I mean - a reread of the PPPv6 RFC tells that the Interface ID negotiated by PPP is strictly 64bit length. (although it does refer to rfc4941 which specifically acks that "note that an IPv6 identifier does not necessarily have to be 64 bits in length").

It's a mess :-)

Alex

>
> Owen
>
>> Glen
>>
>>>
>>> Other non-64 Interface IDs could be constructed for 802.15.4
>>> links, for example a 16bit MAC address could be converted into a
>>> 32bit Interface ID. SLAAC would thus use a /96 prefix in the RA
>>> and a 32bit IID.
>>>
>>> IP-over-USB misses an Interface ID altogether, so one is free to
>>> define its length.
>>>
>>> Alex
>>>
>>>>
>>>> Regards, K.
>>>>
>>>
>>>
>
>

From hrlinneweh at sbcglobal.net Wed Jan 4 13:38:32 2012
From: hrlinneweh at sbcglobal.net (Henry Linneweh)
Date: Wed, 4 Jan 2012 11:38:32 -0800 (PST)
Subject: 2012-Big-Data-Big-Traffic
Message-ID: <1325705912.46396.YahooMailNeo@web180309.mail.gq1.yahoo.com>

New issues for massive data movement

http://www.infineta.com/sites/default/files/pdf/IRG-2012-Big-Data-Big-Traffic-and-the-WAN.pdf

Henry

From seth.mos at dds.nl Wed Jan 4 14:00:26 2012
From: seth.mos at dds.nl (Seth Mos)
Date: Wed, 4 Jan 2012 21:00:26 +0100
Subject: IPv6 resolvers
Message-ID:

Hi Nanog, Owen,

I was wondering if many people are seeing horrendous latency on the free Hurricane Electric resolvers?

Both accessing the v4 or v6 resolvers have horrendous latency. This could well be coupled to their free nature and popularity.

So far when contacting Hurricane Electric they restart the resolver on their end and all is well again, but now other pfSense users in the US were noticing these latency issues as well, leading me to believe it is a larger issue.

But I was wondering if a more permanent solution for these resolvers exist.

    74.82.42.42      2373 msec
    2001:470:20::2   2592 msec

The google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok too.
    2001:4860:4860::8844   16 msec

Kind regards,

Seth Mos

From wesley.george at twcable.com Wed Jan 4 14:10:13 2012
From: wesley.george at twcable.com (George, Wes)
Date: Wed, 4 Jan 2012 15:10:13 -0500
Subject: Trouble accessing www.nanog.org
In-Reply-To: <175C077F-0B34-4995-A956-1517CDC10138@verisign.com>
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com>
Message-ID:

> From: Wessels, Duane [mailto:dwessels at verisign.com]
> Sent: Wednesday, January 04, 2012 1:41 PM
> Subject: Re: Trouble accessing www.nanog.org
>
>
> The brief problem in accessing www.nanog.org was due to numerous
> parallel
> downloads of a large video file by a single source IP address. We have
> no reason to believe it was malicious in intent, but the offender has
> been
> blocked anyway.

[WEG] In the lovely CGN future, not only will you see this type of behavior (multiple pulls from the same IP) all of the time, your response to block it would have taken tens or hundreds of users out of service simultaneously.
/troll

Not meant to fault your response, merely to point out yet one more way that CGN is likely to break things where an assumption of 1 IP = 1 user/host/network exists.

Wes George
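The "incoming smtp from v6 addresses" thread above measures the IPv6 share of mail with grep and wc over Exim and Postfix logs (Randy's `zgrep '<=.*\[....:'`, the `status=sent` and `IPv6` greps, and the `grep -v` for loopback and for an internal relay that gets a copy of every message). The following is an added example written for this page, not code posted by anyone in the thread. It does the same count in Python so that the classification rules are explicit: it assumes the Exim `<=`/`=>` and Postfix `client=`/`relay=` line shapes, classifies by the bracketed peer address rather than by a four-hex-digit heuristic, drops loopback peers and an operator-supplied exclusion list, and, unlike a raw `<=` count, leaves locally submitted mail (no peer address) out of the denominator. The log lines are constructed, not real logs.

```python
"""Share of accepted inbound and delivered outbound mail that used IPv6
transport, from Exim main-log and Postfix syslog lines (added example)."""
import ipaddress
import re
from collections import Counter

# Peer address as the MTAs log it: Exim "H=host [addr]", Postfix
# "client=host[addr]" / "relay=host[addr]:25"; Received headers use "[IPv6:addr]".
ADDR_RE = re.compile(r'\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]')


def peer_address(line):
    """First bracketed token that parses as an IP address, or None.
    Tokens such as the "[1234]" PID in "postfix/smtpd[1234]" are skipped."""
    for match in ADDR_RE.finditer(line):
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue
        # ::ffff:192.0.2.1 is IPv4 traffic on a dual-stack socket; count it as v4
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        return addr
    return None


def direction_of(line):
    """'in' for an accepted inbound message, 'out' for a completed delivery,
    None for anything else (rejects, deferrals, bounces, queue-runner noise)."""
    if 'postfix/' in line:
        if 'postfix/smtpd[' in line and 'client=' in line:
            return 'in'
        if 'postfix/smtp[' in line and 'status=sent' in line:
            return 'out'
        return None
    if ' <= ' in line:          # Exim: message arrival
        return 'in'
    if ' => ' in line:          # Exim: successful delivery
        return 'out'
    return None


def tally(lines, exclude=()):
    """Counter keyed by (direction, 'v4'|'v6'). Loopback peers (content-filter
    hops such as amavis on 127.0.0.1 / ::1) and any address in `exclude` (for
    example an internal relay that gets a copy of every message) are dropped,
    as is locally submitted mail, which carries no peer address at all."""
    excluded = {ipaddress.ip_address(a) for a in exclude}
    counts = Counter()
    for line in lines:
        direction = direction_of(line)
        if direction is None:
            continue
        addr = peer_address(line)
        if addr is None or addr.is_loopback or addr in excluded:
            continue
        counts[(direction, 'v6' if addr.version == 6 else 'v4')] += 1
    return counts


def v6_share(counts, direction):
    """Fraction of messages in `direction` that travelled over IPv6."""
    v4, v6 = counts[(direction, 'v4')], counts[(direction, 'v6')]
    return v6 / (v4 + v6) if v4 + v6 else 0.0


# Constructed sample lines in the two log formats seen in the thread; not real logs.
SAMPLE_LOG = """\
2012-01-04 00:37:28 1RiXXX-0001Ab-Cd <= alice@example.org H=mail.example.org [2001:db8:1::25] P=esmtp S=2345
2012-01-04 00:37:29 1RiXXX-0001Ab-Ce <= bob@example.net H=mx.example.net [192.0.2.10] P=esmtp S=1201
2012-01-04 00:37:30 1RiXXX-0001Ab-Cf <= carol@example.com H=mx2.example.com [198.51.100.7] P=esmtp S=980
2012-01-04 00:37:31 1RiXXX-0001Ab-Cg <= local@localhost U=local P=local S=100
2012-01-04 00:37:32 1RiXXX-0001Ab-Cf => dave@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10]
2012-01-04 00:37:33 1RiXXX-0001Ab-Ce => erin@example.com R=dnslookup T=remote_smtp H=mx2.example.com [198.51.100.7]
2012-01-04 00:37:34 1RiXXX-0001Ab-Ch <= hub@example.org H=hub.example.org [2001:db8:9::1] P=esmtp S=100
2012-01-04 00:37:35 1RiXXX-0001Ab-Ci <= frank@example.net H=mx.example.net [192.0.2.10] P=esmtps S=4100
Jan  4 10:00:01 mx postfix/smtpd[1234]: 4F0439E5: client=mail.example.org[2001:db8:1::25]
Jan  4 10:00:02 mx postfix/smtpd[1234]: 4F0439E6: client=localhost[::1]
Jan  4 10:00:03 mx postfix/smtp[2345]: 4F0439E6: to=<x@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.5, status=sent (250 OK)
Jan  4 10:00:04 mx postfix/smtp[2345]: 4F0439E7: to=<y@example.de>, relay=mailin.example.de[2001:db8:2::32]:25, delay=0.7, status=sent (250 OK)
Jan  4 10:00:05 mx postfix/smtp[2345]: 4F0439E8: to=<z@example.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.1, status=sent (250 OK)
"""

if __name__ == '__main__':
    # 2001:db8:9::1 plays the role of the internal v6 relay the thread filters out.
    counts = tally(SAMPLE_LOG.splitlines(), exclude=['2001:db8:9::1'])
    for direction in ('in', 'out'):
        total = counts[(direction, 'v4')] + counts[(direction, 'v6')]
        print(f'{direction:3}: {v6_share(counts, direction):.1%} over IPv6 '
              f'({counts[(direction, "v6")]} of {total})')
```

Run it against a real log with `tally(open('/var/log/mail.log'))`; the `exclude` list is where the "v6 IP that gets a copy of every mail" goes. Note that `postfix/smtp[` is deliberately stricter than the `grep 'postfix/smtp'` in the thread, which also matches `postfix/smtpd` lines.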
From bmanning at vacation.karoshi.com Wed Jan 4 14:18:01 2012
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Wed, 4 Jan 2012 20:18:01 +0000
Subject: Trouble accessing www.nanog.org
In-Reply-To:
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com>
Message-ID: <20120104201801.GA3917@vacation.karoshi.com.>

On Wed, Jan 04, 2012 at 03:10:13PM -0500, George, Wes wrote:
> > From: Wessels, Duane [mailto:dwessels at verisign.com]
> > Sent: Wednesday, January 04, 2012 1:41 PM
> > Subject: Re: Trouble accessing www.nanog.org
> >
> >
> > The brief problem in accessing www.nanog.org was due to numerous
> > parallel
> > downloads of a large video file by a single source IP address. We have
> > no reason to believe it was malicious in intent, but the offender has
> > been
> > blocked anyway.
>
> [WEG] In the lovely CGN future, not only will you see this type of behavior (multiple pulls from the same IP) all of the time, your response to block it would have taken tens or hundreds of users out of service simultaneously.
> /troll
>
> Not meant to fault your response, merely to point out yet one more way that CGN is likely to break things where an assumption of 1 IP = 1 user/host/network exists.
>
> Wes George

Hum... that's not how I read Duane's response at all.. I thought they blocked the (excessively) large video file from download... :)

/bill

From raymond at prolocation.net Wed Jan 4 14:21:05 2012
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Wed, 4 Jan 2012 21:21:05 +0100 (CET)
Subject: IPv6 resolvers
In-Reply-To:
References:
Message-ID:

Hi!

> But I was wondering if a more permanent solution for these resolvers exist.
>
> 74.82.42.42      2373 msec
> 2001:470:20::2   2592 msec
>
> The google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok too.
> 2001:4860:4860::8844   16 msec

    [root at ipv6proxy ~]# ping 74.82.42.42
    PING 74.82.42.42 (74.82.42.42) 56(84) bytes of data.
    64 bytes from 74.82.42.42: icmp_seq=1 ttl=61 time=0.664 ms
    64 bytes from 74.82.42.42: icmp_seq=2 ttl=61 time=0.640 ms
    64 bytes from 74.82.42.42: icmp_seq=3 ttl=61 time=0.551 ms
    64 bytes from 74.82.42.42: icmp_seq=4 ttl=61 time=0.614 ms

    [root at ipv6proxy ~]# ping6 2001:470:20::2
    PING 2001:470:20::2(2001:470:20::2) 56 data bytes
    64 bytes from 2001:470:20::2: icmp_seq=1 ttl=61 time=0.488 ms
    64 bytes from 2001:470:20::2: icmp_seq=2 ttl=61 time=0.478 ms
    64 bytes from 2001:470:20::2: icmp_seq=3 ttl=61 time=0.739 ms
    64 bytes from 2001:470:20::2: icmp_seq=4 ttl=61 time=0.515 ms

Looks pretty normal here.

Bye,
Raymond.

From morrowc.lists at gmail.com Wed Jan 4 14:21:24 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 4 Jan 2012 15:21:24 -0500
Subject: IPv6 resolvers
In-Reply-To:
References:
Message-ID:

On Wed, Jan 4, 2012 at 3:00 PM, Seth Mos wrote:
> Hi Nanog, Owen,
>
> I was wondering if many people are seeing horrendous latency on the free Hurricane Electric resolvers?
>
> Both accessing the v4 or v6 resolvers have horrendous latency. This could well be coupled to their free nature and popularity.
>
> So far when contacting Hurricane Electric they restart the resolver on their end and all is well again, but now other pfSense users in the US were noticing these latency issues as well, leading me to believe it is a larger issue.

err, are all pfsense people automatically configured to use he's servers? that seems sorta rude if so...

>
> But I was wondering if a more permanent solution for these resolvers exist.
>
>
> 74.82.42.42      2373 msec
> 2001:470:20::2   2592 msec
>
> The google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok too.
> 2001:4860:4860::8844   16 msec
>
> Kind regards,
>
> Seth Mos

From prox at prolixium.com Wed Jan 4 14:33:10 2012
From: prox at prolixium.com (Mark Kamichoff)
Date: Wed, 4 Jan 2012 15:33:10 -0500
Subject: IPv6 resolvers
In-Reply-To:
References:
Message-ID: <20120104203310.GA14647@prolixium.com>

On Wed, Jan 04, 2012 at 09:00:26PM +0100, Seth Mos wrote:
> I was wondering if many people are seeing horrendous latency on the
> free Hurricane Electric resolvers?

Looks fine to me:

    (neodymium:15:27)% dig @74.82.42.42 cnn.com. A

    ; <<>> DiG 9.7.3 <<>> @74.82.42.42 cnn.com. A
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53277
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;cnn.com.                   IN      A

    ;; ANSWER SECTION:
    cnn.com.            299     IN      A       157.166.226.26
    cnn.com.            299     IN      A       157.166.255.19
    cnn.com.            299     IN      A       157.166.255.18
    cnn.com.            299     IN      A       157.166.226.25

    ;; Query time: 38 msec
    ;; SERVER: 74.82.42.42#53(74.82.42.42)
    ;; WHEN: Wed Jan  4 15:27:17 2012
    ;; MSG SIZE  rcvd: 89

    (neodymium:15:32)% dig @2001:470:20::2 cnn.com. A

    ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 cnn.com. A
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41382
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;cnn.com.                   IN      A

    ;; ANSWER SECTION:
    cnn.com.            295     IN      A       157.166.226.25
    cnn.com.            295     IN      A       157.166.255.18
    cnn.com.            295     IN      A       157.166.255.19
    cnn.com.            295     IN      A       157.166.226.26

    ;; Query time: 20 msec
    ;; SERVER: 2001:470:20::2#53(2001:470:20::2)
    ;; WHEN: Wed Jan  4 15:32:27 2012
    ;; MSG SIZE  rcvd: 89

That being said, keep in mind these are anycasted. I'm using 216.66.22.2 [tserv13.ash1.ipv6.he.net] for IPv4 and 209.51.161.14 [tserv4.nyc4.ipv6.he.net] according to the A record returned by whoami.akamai.net. I might not be hitting the same server you are.
- Mark

-- 
Mark Kamichoff
prox at prolixium.com
http://www.prolixium.com/

From seth.mos at dds.nl Wed Jan 4 14:39:39 2012
From: seth.mos at dds.nl (Seth Mos)
Date: Wed, 4 Jan 2012 21:39:39 +0100
Subject: IPv6 resolvers
In-Reply-To: <20120104203310.GA14647@prolixium.com>
References: <20120104203310.GA14647@prolixium.com>
Message-ID:

Hi,

Just pointing out to others responding to this thread that I was referring to the *query* response times, I said nothing about ICMP which is perfectly fine.

So please stop responding with ping response times already :-)

No, pfSense does not set these per default, they are in wide use because these are part of the Google DNS whitelist for V6 records.

On 4 Jan 2012, at 21:33, Mark Kamichoff wrote:

> ;; ANSWER SECTION:
> cnn.com.            299     IN      A       157.166.226.26
> cnn.com.            299     IN      A       157.166.255.19
> cnn.com.            299     IN      A       157.166.255.18
> cnn.com.            299     IN      A       157.166.226.25

And a similar mistake I see others respond to as well, this is another domain with just an IPv4 record. That was not really what I was complaining about but I was not specific enough in my email.

When requesting the DNS for the hostname with a Quad A the story is entirely different!

Try www.pfsense.com or www.didi.nl

Those will definitely hit the issue, otherwise one can always use Nanog.org like below.

    74.82.42.42            2204 msec
    2001:4860:4860::8844     17 msec
    2001:470:20::2         2890 msec

Best regards,

Seth

>
> ;; Query time: 38 msec
> ;; SERVER: 74.82.42.42#53(74.82.42.42)
> ;; WHEN: Wed Jan  4 15:27:17 2012
> ;; MSG SIZE  rcvd: 89
>
> (neodymium:15:32)% dig @2001:470:20::2 cnn.com. A
>
> ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 cnn.com. A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41382
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;cnn.com.                   IN      A
>
> ;; ANSWER SECTION:
> cnn.com.            295     IN      A       157.166.226.25
> cnn.com.            295     IN      A       157.166.255.18
> cnn.com.            295     IN      A       157.166.255.19
> cnn.com.            295     IN      A       157.166.226.26
>
> ;; Query time: 20 msec
> ;; SERVER: 2001:470:20::2#53(2001:470:20::2)
> ;; WHEN: Wed Jan  4 15:32:27 2012
> ;; MSG SIZE  rcvd: 89
>
> That being said, keep in mind these are anycasted. I'm using
> 216.66.22.2 [tserv13.ash1.ipv6.he.net] for IPv4 and 209.51.161.14
> [tserv4.nyc4.ipv6.he.net] according to the A record returned by
> whoami.akamai.net. I might not be hitting the same server you are.
>
> - Mark
>
> --
> Mark Kamichoff
> prox at prolixium.com
> http://www.prolixium.com/

From raymond at prolocation.net Wed Jan 4 14:42:02 2012
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Wed, 4 Jan 2012 21:42:02 +0100 (CET)
Subject: IPv6 resolvers
In-Reply-To:
References: <20120104203310.GA14647@prolixium.com>
Message-ID:

Hi!

> So please stop responding with ping response times already :-)
>
> No, pfSense does not set these per default, they are in wide use
> because these are part of the Google DNS whitelist for V6 records.

> And a similar mistake I see others respond to as well, this is another
> domain with just an IPv4 record. That was not really what I was
> complaining about but I was not specific enough in my email
>
> When requesting the DNS for the hostname with a Quad A the story is
> entirely different!
>
> Try www.pfsense.com or www.didi.nl

Tried those three for you and prolocation.net. All fine? This should not be on nanog I guess.
Check with their support, or something :-)

    [root at ipv6proxy ~]# time host www.prolocation.net 2001:470:20::2
    Using domain server:
    Name: 2001:470:20::2
    Address: 2001:470:20::2#53
    Aliases:

    www.prolocation.net has address 94.228.129.19
    www.prolocation.net has IPv6 address 2a00:d00:ff:131:94:228:131:131

    real    0m0.011s
    user    0m0.001s
    sys     0m0.008s

    [root at ipv6proxy ~]# time host pfsense.com 2001:470:20::2
    Using domain server:
    Name: 2001:470:20::2
    Address: 2001:470:20::2#53
    Aliases:

    pfsense.com is an alias for pfsense.org.
    pfsense.org has address 69.64.6.21
    pfsense.org has IPv6 address 2605:8000:d:1::167
    pfsense.org mail is handled by 10 mail.pfsense.org.

    real    0m0.011s
    user    0m0.001s
    sys     0m0.007s

    [root at ipv6proxy ~]# time host www.didi.nl 2001:470:20::2
    Using domain server:
    Name: 2001:470:20::2
    Address: 2001:470:20::2#53
    Aliases:

    www.didi.nl has address 82.94.161.132
    www.didi.nl has IPv6 address 2001:888:2087:33::132

    real    0m0.523s
    user    0m0.001s
    sys     0m0.006s

Bye,
Raymond.

From prox at prolixium.com Wed Jan 4 14:46:56 2012
From: prox at prolixium.com (Mark Kamichoff)
Date: Wed, 4 Jan 2012 15:46:56 -0500
Subject: IPv6 resolvers
In-Reply-To:
References: <20120104203310.GA14647@prolixium.com>
Message-ID: <20120104204656.GB14647@prolixium.com>

On Wed, Jan 04, 2012 at 09:39:39PM +0100, Seth Mos wrote:
> And a similar mistake I see others respond to as well, this is
> another domain with just an IPv4 record. That was not really what I was
> complaining about but I was not specific enough in my email
>
> When requesting the DNS for the hostname with a Quad A the story is
> entirely different!
>
> Try www.pfsense.com or www.didi.nl

Still not seeing additional latency from here:

    (neodymium:15:44)% dig @2001:470:20::2 www.didi.nl. AAAA

    ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 www.didi.nl. AAAA
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33979
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.didi.nl.               IN      AAAA

    ;; ANSWER SECTION:
    www.didi.nl.        3520    IN      AAAA    2001:888:2087:33::132

    ;; Query time: 20 msec
    ;; SERVER: 2001:470:20::2#53(2001:470:20::2)
    ;; WHEN: Wed Jan  4 15:44:06 2012
    ;; MSG SIZE  rcvd: 57

And if that is already cached, let's try something that should require a fresh lookup:

    (neodymium:15:44)% dig @2001:470:20::2 tengigabitethernet.com. AAAA

    ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 tengigabitethernet.com. AAAA
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41662
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;tengigabitethernet.com.    IN      AAAA

    ;; ANSWER SECTION:
    tengigabitethernet.com. 3600 IN     AAAA    2001:48c8:1:104::e

    ;; Query time: 84 msec
    ;; SERVER: 2001:470:20::2#53(2001:470:20::2)
    ;; WHEN: Wed Jan  4 15:44:41 2012
    ;; MSG SIZE  rcvd: 68

Again, not too bad..

- Mark

-- 
Mark Kamichoff
prox at prolixium.com
http://www.prolixium.com/

From m.hallgren at free.fr Wed Jan 4 15:10:55 2012
From: m.hallgren at free.fr (Michael Hallgren)
Date: Wed, 04 Jan 2012 22:10:55 +0100
Subject: Trouble accessing www.nanog.org
In-Reply-To: <20120104201801.GA3917@vacation.karoshi.com.>
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.>
Message-ID: <1325711455.3241.98.camel@home>

On Wednesday, 04 January 2012 at
20:18 +0000, bmanning at vacation.karoshi.com a ?crit : > On Wed, Jan 04, 2012 at 03:10:13PM -0500, George, Wes wrote: > > > From: Wessels, Duane [mailto:dwessels at verisign.com] > > > Sent: Wednesday, January 04, 2012 1:41 PM > > > Subject: Re: Trouble accessing www.nanog.org > > > > > > > > > The brief problem in accessing www.nanog.org was due to numerous > > > parallel > > > downloads of a large video file by a single source IP address. We have > > > no reason to believe it was malicious in intent, but the offender has > > > been > > > blocked anyway. > > > > [WEG] In the lovely CGN future, not only will you see this type of behavior (multiple pulls from the same IP) all of the time, your response to block it would have taken tens or hundreds of users out of service simultaneously. > > /troll > > > > Not meant to fault your response, merely to point out yet one more way that CGN is likely to break things where an assumption of 1 IP = 1 user/host/network exists. > > > > Wes George > > Hum... thats not how I read Duanes response at all.. I thought they blocked > the (excessively) large video file from download... :) Depends of how we (are supposed to) interpret ``the offender has been blocked anyway'' :) Cheers, mh > > /bill > From jeroen at mompl.net Wed Jan 4 15:58:41 2012 From: jeroen at mompl.net (Jeroen van Aart) Date: Wed, 04 Jan 2012 13:58:41 -0800 Subject: Looking for a Tier 1 ISP Mentor for career advice. In-Reply-To: References: <48778.1321883369@turing-police.cc.vt.edu> <4ECAB566.5070408@blakjak.net> Message-ID: <4F04CB91.8040208@mompl.net> randal k wrote: > This is a huge point. We've had a LOT of trouble finding good network > engineers who have all of the previously mentioned "soft" attributes - > anything, can't setup a syslog server, doesn't understand AD much less > LDAP, etc. Imagine, an employee who can help themselves 90% of the time ... 
> Finding the diamond that has strong niche skill, networking, with a broad & > just-deep-enough sysadmin background has been very, very hard. I cannot Raking up an older thread, but I have to comment on this. I understand it is hard to find the right person for the job. And even harder to find someone who has a wide range of knowledge and "deep" specialised knowledge to boot. When I was even more naive I always thought that in the world of IT most people knew a lot about many things, because it's not just a job but their hobby and passion (it is for me). So a sysadmin knows how to code and a coder knows how to set up a network and server etc. Yet what I noticed is that it is very rare to find such people. In fact I found people in one niche being almost ignorant of other fields. Say a coder gets confused when /tmp fills up and being unaware of this thing called a "search engine" and instead will virtually cry "help my puter b0rked, I stuck!" and vice versa. It looks to me it's just the nature of most people to be good at only one or a couple of things and be mostly ignorant about the rest. It's not going to change much, and we just have to accept that's how it is for the most part. However it can be mitigated to some extent: > emphasize enough the importance of cross-training. Immensely valuable. This indeed will help a lot and is very important. Sadly though in the USA this kind of thing is not found to be important at all. Besides that, it is actually quite hard to find the right job. Or, actually, to be even acknowledged or heard by the employer of such a job. As always this thing goes both ways. Employers in the USA need to invest more in training their employees and learning should be an important and constant part of one's job and be actively encouraged. I think in this they're quite behind their Western European counterparts. 
Regards, Jeroen -- Earthquake Magnitude: 3.2 Date: Wednesday, January 4, 2012 17:24:31 UTC Location: Southern Alaska Latitude: 59.8964; Longitude: -153.3298 Depth: 135.00 km From nathan at atlasnetworks.us Wed Jan 4 16:25:40 2012 From: nathan at atlasnetworks.us (Nathan Eisenberg) Date: Wed, 4 Jan 2012 22:25:40 +0000 Subject: Looking for a Tier 1 ISP Mentor for career advice. In-Reply-To: <4F04CB91.8040208@mompl.net> References: <48778.1321883369@turing-police.cc.vt.edu> <4ECAB566.5070408@blakjak.net> <4F04CB91.8040208@mompl.net> Message-ID: <8C26A4FDAE599041A13EB499117D3C286B65E23B@ex-mb-1.corp.atlasnetworks.us> > Say a > coder gets confused when /tmp fills up and being unaware of this thing > called a "search engine" and instead will virtually cry "help my puter > b0rked, I stuck!" and vice versa. Hah! In my experience, this phenomenon is not unique to coders, sysadmins, or any other specialization. People prefer to look to other people for their answers. This one has bugged me for a long time, as I'm not sure what to attribute it to - is it a desire to be social, or to have the answer personalized? Is it a compliment indicative of respect of one's peer, or is it an indication of laziness? > Employers in the USA need to invest more in training their employees > and > learning should be an important and constant part of one's job and be > actively encouraged. I think in this they're quite behind their Western > European counterparts. This is likely true in many larger corporations. I have found the startup and SMB sectors to be highly amenable to investing in their people. Cash-strapped businesses are most likely to consider the ROI of buying their employees skillsets (i.e., training) vs hiring in new employees just to acquire those skillsets, whereas larger companies either already have a guy who knows how to do X, or don't really mind hiring an X specialist (or the all-too-common X consultant).
Nathan From mksmith at adhost.com Wed Jan 4 17:10:22 2012 From: mksmith at adhost.com (Michael K. Smith - Adhost) Date: Wed, 4 Jan 2012 23:10:22 +0000 Subject: Trouble accessing www.nanog.org In-Reply-To: <1325711455.3241.98.camel@home> References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.> <1325711455.3241.98.camel@home> Message-ID: > -----Original Message----- > From: Michael Hallgren [mailto:m.hallgren at free.fr] > Sent: Wednesday, January 04, 2012 1:11 PM > To: bmanning at vacation.karoshi.com > Cc: Wessels, Duane; nanog at nanog.org > Subject: Re: Trouble accessing www.nanog.org > > On Wednesday 04 January 2012 at 20:18 +0000, bmanning at vacation.karoshi.com > wrote: > > On Wed, Jan 04, 2012 at 03:10:13PM -0500, George, Wes wrote: > > > > From: Wessels, Duane [mailto:dwessels at verisign.com] > > > > Sent: Wednesday, January 04, 2012 1:41 PM > > > > Subject: Re: Trouble accessing www.nanog.org > > > > > > > > > > > > The brief problem in accessing www.nanog.org was due to numerous > > > > parallel > > > > downloads of a large video file by a single source IP address. We have > > > > no reason to believe it was malicious in intent, but the offender has > > > > been > > > > blocked anyway. > > > > > > [WEG] In the lovely CGN future, not only will you see this type of > behavior (multiple pulls from the same IP) all of the time, your response to > block it would have taken tens or hundreds of users out of service > simultaneously. > > > /troll > > > > > > Not meant to fault your response, merely to point out yet one more way > that CGN is likely to break things where an assumption of 1 IP = 1 > user/host/network exists. > > > > > > Wes George > > > > Hum... that's not how I read Duane's response at all.. I thought they > blocked > the (excessively) large video file from download...
:) > > Depends on how we (are supposed to) interpret ``the offender has been > blocked anyway'' :) > > Cheers, > mh > > > > /bill > > > There was a single source IP with 200+ open, active http connections to a single large media file. The single IP address was blocked. The file itself is still available on the site. Mike From ryan at u13.net Wed Jan 4 17:40:39 2012 From: ryan at u13.net (Ryan Rawdon) Date: Wed, 4 Jan 2012 18:40:39 -0500 Subject: IPv6 resolvers In-Reply-To: <20120104204656.GB14647@prolixium.com> References: <20120104203310.GA14647@prolixium.com> <20120104204656.GB14647@prolixium.com> Message-ID: <79FBF1F6-F847-4A3D-85DF-9D1BF57FB59B@u13.net> On Jan 4, 2012, at 3:46 PM, Mark Kamichoff wrote: > On Wed, Jan 04, 2012 at 09:39:39PM +0100, Seth Mos wrote: >> And a similar mistake I see others respond to as well, this is >> another domain with just an IPv4 record. That was not really what I was >> complaining about but I was not specific enough in my email >> >> When requesting the DNS for the hostname with a Quad A the story is >> entirely different! >> >> Try www.pfsense.com or www.didi.nl > > Still not seeing additional latency from here: Try .pfsense.org (see below) to avoid caching, since the problem in question does not rely on the name existing. I am able to reproduce it roughly every 3rd random string I try, definitely not every time. I am unable to reproduce it with other domains so far, only pfsense.org and when it does occur I see a 1500-2200ms query time: nova-dhcp-host111:~ ryan$ dig @ordns.he.net awegawregwaefg.pfsense.org ; <<>> DiG 9.6.0-APPLE-P2 <<>> @ordns.he.net awegawregwaefg.pfsense.org ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24807 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;awegawregwaefg.pfsense.org. IN A ;; AUTHORITY SECTION: pfsense.org. 3600 IN SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com.
2012010200 10001 1801 604801 3601 ;; Query time: 1695 msec ;; SERVER: 2001:470:20::2#53(2001:470:20::2) ;; WHEN: Wed Jan 4 18:34:17 2012 ;; MSG SIZE rcvd: 117 nova-dhcp-host111:~ ryan$ > > (neodymium:15:44)% dig @2001:470:20::2 www.didi.nl. AAAA > > ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 www.didi.nl. AAAA > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33979 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;www.didi.nl. IN AAAA > > ;; ANSWER SECTION: > www.didi.nl. 3520 IN AAAA 2001:888:2087:33::132 > > ;; Query time: 20 msec > ;; SERVER: 2001:470:20::2#53(2001:470:20::2) > ;; WHEN: Wed Jan 4 15:44:06 2012 > ;; MSG SIZE rcvd: 57 > > And if that is already cached, let's try something that should require a > fresh lookup: > > (neodymium:15:44)% dig @2001:470:20::2 tengigabitethernet.com. AAAA > > ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 tengigabitethernet.com. AAAA > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41662 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;tengigabitethernet.com. IN AAAA > > ;; ANSWER SECTION: > tengigabitethernet.com. 3600 IN AAAA 2001:48c8:1:104::e > > ;; Query time: 84 msec > ;; SERVER: 2001:470:20::2#53(2001:470:20::2) > ;; WHEN: Wed Jan 4 15:44:41 2012 > ;; MSG SIZE rcvd: 68 > > Again, not too bad.. 
> > - Mark > > -- > Mark Kamichoff > prox at prolixium.com > http://www.prolixium.com/ From cmadams at hiwaay.net Wed Jan 4 17:48:40 2012 From: cmadams at hiwaay.net (Chris Adams) Date: Wed, 4 Jan 2012 17:48:40 -0600 Subject: IPv6 resolvers In-Reply-To: <79FBF1F6-F847-4A3D-85DF-9D1BF57FB59B@u13.net> References: <20120104203310.GA14647@prolixium.com> <20120104204656.GB14647@prolixium.com> <79FBF1F6-F847-4A3D-85DF-9D1BF57FB59B@u13.net> Message-ID: <20120104234840.GA22334@hiwaay.net> Once upon a time, Ryan Rawdon said: > Try .pfsense.org (see below) to avoid caching, since the problem in question does not rely on the name existing. I am able to reproduce it roughly every 3rd random string I try, definitely not every time. I am unable to reproduce it with other domains so far, only pfsense.org and when it does occur I see a 1500-2200ms query time: This appears to be a problem with the authoritative servers for pfsense.org. They are dns[1-5].registrar-servers.com (which each have multiple IP addresses). If I try each IP, I get no response from 38.101.213.194 and 2+ second response time from 69.16.244.25. Both of those IPs are listed for dns1.registrar-servers.com. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From cloos at jhcloos.com Wed Jan 4 20:23:20 2012 From: cloos at jhcloos.com (James Cloos) Date: Wed, 04 Jan 2012 21:23:20 -0500 Subject: incoming smtp from v6 addresses In-Reply-To: (Randy Bush's message of "Wed, 04 Jan 2012 19:26:59 +0900") References: <20120104101556.GA8280@macbook.bluepipe.net> Message-ID: >>>>> "RB" == Randy Bush writes: >>> 7.8% is over ipv6 transport >>> but only 2% of outgoing deliveries are over ipv6. This is incoming only, mostly mailing lists (including a few *busy* ones): :; zgrep -Ec 'client=[^[]+\[[^]]+:' /var/log/mail.info* |awk -F: '{i+=$NF} END {print i}' 33966 :; zgrep -Ec 'client=[^[]+\[[0-9]+\.' 
/var/log/mail.info* |awk -F: '{i+=$NF} END {print i}' 176978 so 19.19% ipv6. That is somewhat biased by the fact that debian and, IIRC, gnome lists are sent from ipv6-capable hosts and their bugs lists are among the busiest lists. For outgoing, s/client/relay/ which results in about 4.75% ipv6. -JimC -- James Cloos OpenPGP: 1024D/ED7DAEA6 grep --color=yes -Ec 'client=[^[]+\[[^]]+:' /var/log/mail.info From morrowc.lists at gmail.com Wed Jan 4 21:33:39 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 4 Jan 2012 22:33:39 -0500 Subject: IPv6 resolvers In-Reply-To: <20120104234840.GA22334@hiwaay.net> References: <20120104203310.GA14647@prolixium.com> <20120104204656.GB14647@prolixium.com> <79FBF1F6-F847-4A3D-85DF-9D1BF57FB59B@u13.net> <20120104234840.GA22334@hiwaay.net> Message-ID: does pfsense need real dns hosting maybe? I hear: http://puck.nether.net/dns ... works. On Wed, Jan 4, 2012 at 6:48 PM, Chris Adams wrote: > registrar-servers.com. From morrowc.lists at gmail.com Wed Jan 4 21:36:27 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 4 Jan 2012 22:36:27 -0500 Subject: Trouble accessing www.nanog.org In-Reply-To: References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.> <1325711455.3241.98.camel@home> Message-ID: On Wed, Jan 4, 2012 at 6:10 PM, Michael K. Smith - Adhost wrote: > There was a single source IP with 200+ open, active http connections to a single large media file. The single IP address was blocked. The file itself is still available on the site. oh! so the 200 or so users on tulip.net that were downloading nanog content were blocked, bummer :( /troll-mode=on Err, while we're talking about video files and nanog, why is the video content still served off (stored content I mean) nanog.org servers? Why not use one of the many video serving services?
some of which are free even :) (that part's not a troll, a real question, even!) -chris From mksmith at adhost.com Wed Jan 4 21:41:06 2012 From: mksmith at adhost.com (Michael K. Smith - Adhost) Date: Thu, 5 Jan 2012 03:41:06 +0000 Subject: Trouble accessing www.nanog.org In-Reply-To: References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.> <1325711455.3241.98.camel@home> Message-ID: <1514023B-A622-4C03-B26A-84128290030A@adhost.com> On Jan 4, 2012, at 7:36 PM, Christopher Morrow wrote: > On Wed, Jan 4, 2012 at 6:10 PM, Michael K. Smith - Adhost > wrote: > >> There was a single source IP with 200+ open, active http connections to a single large media file. The single IP address was blocked. The file itself is still available on the site. > > oh! so the 200 or so users on tulip.net that were downloading nanog > content were blocked, bummer :( > > /troll-mode=on > "And now if everyone would open their laptop and go to the following address..." > Err, while we're talking about video files and nanog, why is the video > content still served off (stored content I mean) nanog.org servers? > Why not use one of the many video serving services? some of which are > free even :) > (that part's not a troll, a real question, even!) > -chris The website work hasn't yet begun, so that is certainly still on the table. If you would like to volunteer some of your time... Mike From morrowc.lists at gmail.com Wed Jan 4 21:45:18 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 4 Jan 2012 22:45:18 -0500 Subject: incoming smtp from v6 addresses In-Reply-To: References: <20120104101556.GA8280@macbook.bluepipe.net> Message-ID: On Wed, Jan 4, 2012 at 5:26 AM, Randy Bush wrote: > hold your nose > > zgrep '<=.*\[....:' /var/spool/exim/log/main* | wc > zgrep '<=' /var/spool/exim/log/main* | wc > > and the ever faithful bc :) err...
one of 4 MX's for home email... (I'll catch the others later on) v6 inbound: $ egrep '\[2...:' /tmp/today.from |wc -l 244 v4 inbound: $ egrep -v '\[2...:' /tmp/today.from |wc -l 135591 percent v4: 135591/(244+135591) * 100 99.82 v6 outbound: $ egrep '\[2...:' /tmp/today.to |wc -l 198 v4 outbound: $ egrep -v '\[2...:' /tmp/today.to |wc -l 196 a note about the OUT numbers... I was apparently bouncing/connection-refusing to a relay over v6 :( so.... 2 REAL connections out, 196 failures, w00t! (this mailserver does little 'out' email apparently) From morrowc.lists at gmail.com Wed Jan 4 21:47:17 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 4 Jan 2012 22:47:17 -0500 Subject: Trouble accessing www.nanog.org In-Reply-To: <1514023B-A622-4C03-B26A-84128290030A@adhost.com> References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.> <1325711455.3241.98.camel@home> <1514023B-A622-4C03-B26A-84128290030A@adhost.com> Message-ID: On Wed, Jan 4, 2012 at 10:41 PM, Michael K. Smith - Adhost wrote: >> Err, while we're talking about video files and nanog, why is the video >> content still served off (stored content I mean) nanog.org servers? >> Why not use one of the many video serving services? some of which are >> free even :) >> (that part's not a troll, a real question, even!) >> -chris > > > The website work hasn't yet begun, so that is certainly still on the table. If you would like to volunteer some of your time... I'm sure we could arrange some process to ingest videos to some form of video-hosting-website... a videotubes site let's say. who should I chat with? From mksmith at adhost.com Wed Jan 4 22:44:38 2012 From: mksmith at adhost.com (Michael K.
Smith - Adhost) Date: Thu, 5 Jan 2012 04:44:38 +0000 Subject: Trouble accessing www.nanog.org In-Reply-To: References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.> <1325711455.3241.98.camel@home> <1514023B-A622-4C03-B26A-84128290030A@adhost.com> Message-ID: <589A9865-53D5-4482-853C-F21D6DC6D053@adhost.com> Mike On Jan 4, 2012, at 7:47 PM, Christopher Morrow wrote: > On Wed, Jan 4, 2012 at 10:41 PM, Michael K. Smith - Adhost > wrote: > >>> Err, while we're talking about video files and nanog, why is the video >>> content still served off (stored content I mean) nanog.org servers? >>> Why not use one of the many video serving services? some of which are >>> free even :) >>> (that part's not a troll, a real question, even!) >>> -chris >> >> >> The website work hasn't yet begun, so that is certainly still on the table. If you would like to volunteer some of your time... > > I'm sure we could arrange some process to ingest videos to some form > of video-hosting-website... a videotubes site let's say. > > who should I chat with? -- Michael K. Smith - CISSP, GSEC, GISP Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D) From bonomi at mail.r-bonomi.com Wed Jan 4 23:03:07 2012 From: bonomi at mail.r-bonomi.com (Robert Bonomi) Date: Wed, 4 Jan 2012 23:03:07 -0600 (CST) Subject: Looking for a Tier 1 ISP Mentor for career advice. In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B65E23B@ex-mb-1.corp.atlasnetworks.us> Message-ID: <201201050503.q05537dQ025987@mail.r-bonomi.com> Nathan Eisenberg wrote: > To: Jeroen van Aart , NANOG list > Subject: RE: Looking for a Tier 1 ISP Mentor for career advice.
> Date: Wed, 4 Jan 2012 22:25:40 +0000 > > > Say a > > coder gets confused when /tmp fills up and being unaware of this thing > > called a "search engine" and instead will virtually cry "help my puter > > b0rked, I stuck!" and vice versa. > > Hah! In my experience, this phenomenon is not unique to coders, > sysadmins, or any other specialization. People prefer to look to other > people for their answers. This one has bugged me for a long time, as > I'm not sure what to attribute it to - is it a desire to be social, or > to have the answer personalized? Is it a compliment indicative of > respect of one's peer, or is it an indication of laziness? This phenomenon has been recognized for, well, "forever". The 'reasons' are codified in 'traditional wisdom' like "two heads are better than one", or the modern "The solution to the most intractable problem is immediately obvious to the first unqualified observer." When one's own way of looking at a problem isn't working, it is necessary to find a "different way of looking at the problem". The most efficient way to do that is to talk to someone who thinks differently than you do. "Search engines" are good for finding facts; 'less good' for finding abstract/concept info -- It's much harder to formulate a search query to find something to 'fill in the blanks' in an _incomplete_ conceptualization. If you can formulate the search for "what you're missing" the search probably contains the answers you're looking for. Also, the act of 'organizing one's thoughts' to explain the problem to someone who is *NOT* familiar with the background of the problem can lead to _self-recognition_ of the solution. I have phoned a colleague, many times, and/or had a colleague phone me, where the _one-sided_ conversation has gone; <-- "Hello?" --> "Hi! I've got a problem. like _this_ {launches into description}... OH!! never mind, the light just dawned!" <-- " Glad I could help." "Troubleshooting", however, _is_ a special case situation.
I can pontificate on this at some length. You have been warned. Troubleshooting problems is an 'art', not a 'science'. Either you know how to do it, or you don't. And, like any other "art", you can't teach it; you _can_ teach 'mechanics' that help people who have an 'instinctive' (for lack of a better word) grasp of the subject "do it better". But the _ability_ has to be there in the first place. It's similar to integral calculus -- you have a result, and are looking for the question. (Remember how _hard_ integration was -- until the 'AHA!' moment when, all of a sudden, it all made sense. And you were shaking your head wondering *why* you had so much trouble 'getting it'.) Troubleshooting is much the same. If you've seen "that" problem before, you have an idea of what -may- be causing it. And can start checking for the existence of each possible 'what' that you know about. With experience, you know _which_ "what" is most likely and to start there. Also, what _additional_ things to check, to narrow down the list of 'possibles'. 'Search engines' are good when you have a 'question' and are looking for an 'answer' (like 'differential calculus', to use the math metaphor). But they're "medium lousy", at best, at finding the 'question' that fits the 'answer'. There are some major attempts being made to build computers that _can_ reverse engineer the 'question' from an 'answer'. See 'Watson' -- the IBM research computer project that plays as a contestant on "Jeopardy!" The latest incarnation 'does good' a lot of the time, but when it's wrong it is *very* wrong. I don't think I've ever seen it be 'close, but incorrect'. From kmedcalf at dessus.com Thu Jan 5 03:51:00 2012 From: kmedcalf at dessus.com (Keith Medcalf) Date: Thu, 05 Jan 2012 02:51:00 -0700 Subject: Trouble accessing www.nanog.org In-Reply-To: Message-ID: <0034f79f5f0a0f4dab52881760e8fba3@mail.dessus.com> There are video hosting web sites on the intertubes? Now where would those be found, I wonder.
All I have ever seen is macro-streaming that is fraudulently labeled and advertised as video -- the worst being something called FlashVirus, which was written by a company called MacroVirus Media or something like that, and currently owned and flogged by Adobe along with their "Proprietary Document Format" (the latest versions of which boast UVTD technology -- Unstoppable Virus Transport and Distribution). If the so-called video contains arbitrary executable code (or can run arbitrary executable code), or requires the use of a specific application to "play" (or infect the target), then it should not be described as "video". It is a streaming-macro. Microsoft was the first OS vendor to add the "Execute Payload" header to IP which saved much time and effort in the distribution of malicious code via the internet. Unfortunately, Adobe and several other vendors have patents on what is called the method of "Executable Data" and made Microsoft remove their wondrous invention under pain of patent lawsuits. Of course, maybe what's meant is File hosting, where the File being hosted just happens to contain video data in standard data format (preferably a pure-data format that does not embed execution macros of any type). ;) --- ()  ascii ribbon campaign against html e-mail /\  www.asciiribbon.org > -----Original Message----- > From: Christopher Morrow [mailto:morrowc.lists at gmail.com] > Sent: Wednesday, 04 January, 2012 20:47 > To: Michael K. Smith - Adhost > Cc: bmanning at vacation.karoshi.com; Wessels, Duane; nanog at nanog.org > Subject: Re: Trouble accessing www.nanog.org > > On Wed, Jan 4, 2012 at 10:41 PM, Michael K. Smith - Adhost > wrote: > > >> Err, while we're talking about video files and nanog, why is the video > >> content still served off (stored content I mean) nanog.org servers? > >> Why not use one of the many video serving services? some of which are > >> free even :) > >> (that part's not a troll, a real question, even!)
> >> -chris > > > > > > The website work hasn't yet begun, so that is certainly still on the > table. If you would like to volunteer some of your time... > > I'm sure we could arrange some process to ingest videos to some form > of video-hosting-website... a videotubes site let's say. > > who should I chat with? From jr at xor.at Thu Jan 5 09:12:33 2012 From: jr at xor.at (Johannes Resch) Date: Thu, 05 Jan 2012 16:12:33 +0100 Subject: anycast load balancing issue In-Reply-To: <20120104120255.GT7491@besserwisser.org> References: <20120104120255.GT7491@besserwisser.org> Message-ID: <4F05BDE1.3040103@xor.at> Hi, On 04.01.2012 13:02, Måns Nilsson wrote: > > [..snipped..] > > Trouble is, we find that (untweaked) cost and metric are such that all > nodes are equal. The last resort (peer router ID) gets invoked and all > traffic goes to one single instance. Of course, when that instance falls > off the net recalculation takes place and another node steps in, but > I'd like true path lengths (IGP hop count) to influence more than iBGP > (route-reflector-style) selection. > > Any clues? > > Oh, all-cisco, all ASR1000 series. All links GE. ~90 routers in IGP. > Since you mention route-reflector route selection - are you already using per-VRF, per-PE route distinguishers for that L3VPN instance? If not, I'd recommend doing so - this will cause your RR to see all paths as unique routes, distributing all of them (instead of just the best one from the RR perspective) to RR clients. As a result all PEs will always have all paths for this particular prefix (and can then take the best path decision based on local IGP metric to the respective BGP next hops). Doing that can also significantly improve reconvergence times for certain failure scenarios (e.g. ingress PE failure), as PEs can start using alternative paths (already available in local BGP RIB) as soon as the IGP nexthop for the failed PE is invalidated and do not need to wait for BGP RR reconvergence.
cheers, -jr From jra at baylink.com Thu Jan 5 09:22:52 2012 From: jra at baylink.com (Jay Ashworth) Date: Thu, 5 Jan 2012 10:22:52 -0500 (EST) Subject: Whacky Weekend: Is Internet Access a Human Right? Message-ID: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Vint Cerf says no: http://j.mp/wwL9Ip But I wonder to what degree that's dependent on how much our governments make Internet access the most practical/only practical way to interact with them. Understand: I'm not saying that FiOS should be a human right. But as a society, America's recognized for decades that you gotta have a telephone, and subsidized local/lifeline service to that extent; that sort of subsidy applies to cellular phones now as well. Thoughts? Cheers, -- jr 'yes, I know I'm early...' a -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From rsk at gsp.org Thu Jan 5 09:22:55 2012 From: rsk at gsp.org (Rich Kulawiec) Date: Thu, 5 Jan 2012 10:22:55 -0500 Subject: Internet Edge and Defense in Depth In-Reply-To: References: <922ACC42D498884AA02B3565688AF995340255F77F@USEXMBS01.mwd.h2o> Message-ID: <20120105152255.GC20575@gsp.org> On Tue, Dec 06, 2011 at 01:44:05PM -0800, Jonathan Lassoff wrote: > Cramming every little feature under the sun into one appliance makes for > great glossy brochures and Powerpoint decks, but I just don't think it's > practical. 1. It's an excellent way to create a single point-of-failure. 2. I prefer, when building defense-in-depth, to build the layers with different technology running on different operating systems on different architectures. There's no doubt this adds some complexity and that it requires judicious design to be scalable, maintainable, and so on. 
But it raises the bar for attackers considerably, and it gives defenders a fighting chance of discovering a breach in one layer before it becomes a breach in all layers. 3. One of the mistakes we all continue to make, whether we have our paws on integrated appliances or separate systems, is default-permit. We really need to make sure that the syntactic equivalent of "deny all from any to any" is the first rule installed in any of these, and then work from there. ---rsk p.s. In re Powerpoint, I've long held that the appropriate response to "I have a PowerPoint presentation..." is for everyone else in the room to find a strong rope and a sturdy tree, and do what must be done for the sake of humanity. From marshall.eubanks at gmail.com Thu Jan 5 09:29:46 2012 From: marshall.eubanks at gmail.com (Marshall Eubanks) Date: Thu, 5 Jan 2012 10:29:46 -0500 Subject: Trouble accessing www.nanog.org In-Reply-To: <0034f79f5f0a0f4dab52881760e8fba3@mail.dessus.com> References: <0034f79f5f0a0f4dab52881760e8fba3@mail.dessus.com> Message-ID: On Thu, Jan 5, 2012 at 4:51 AM, Keith Medcalf wrote: > > There are video hosting web sites on the intertubes? > > Now where would those be found, I wonder. All I have ever seen is macro-streaming that is fraudulently labeled and advertised as video -- the worst being something called FlashVirus, which was written by a company called MacroVirus Media or something like that, and currently owned and flogged by Adobe along with their "Proprietary Document Format" (the latest versions of which boast UVTD technology -- Unstoppable Virus Transport and Distribution). > > If the so-called video contains arbitrary executable code (or can run arbitrary executable code), or requires the use of a specific application to "play" (or infect the target), then it should not be described as "video". It is a streaming-macro. > Is H.264 Turing-complete ? Is Ogg-Vorbis ?
(It seems like those are the two reasonable open standard choices.) Regards Marshall > Microsoft was the first OS vendor to add the "Execute Payload" header to IP which saved much time and effort in the distribution of malicious code via the internet. Unfortunately, Adobe and several other vendors have patents on what is called the method of "Executable Data" and made Microsoft remove their wondrous invention under pain of patent lawsuits. > > Of course, maybe what's meant is File hosting, where the File being hosted just happens to contain video data in standard data format (preferably a pure-data format that does not embed execution macros of any type). > > ;) > > --- > () ascii ribbon campaign against html e-mail > /\ www.asciiribbon.org > > >> -----Original Message----- >> From: Christopher Morrow [mailto:morrowc.lists at gmail.com] >> Sent: Wednesday, 04 January, 2012 20:47 >> To: Michael K. Smith - Adhost >> Cc: bmanning at vacation.karoshi.com; Wessels, Duane; nanog at nanog.org >> Subject: Re: Trouble accessing www.nanog.org >> >> On Wed, Jan 4, 2012 at 10:41 PM, Michael K. Smith - Adhost >> wrote: >> >> >> Err, while we're talking about video files and nanog, why is the video >> >> content still served off (stored content I mean) nanog.org servers? >> >> Why not use one of the many video serving services? some of which are >> >> free even :) >> >> (that part's not a troll, a real question, even!) >> >> -chris >> > >> > >> > The website work hasn't yet begun, so that is certainly still on the >> table. If you would like to volunteer some of your time... >> >> I'm sure we could arrange some process to ingest videos to some form >> of video-hosting-website... a videotubes site let's say. >> >> who should I chat with?
> > > > > From mikea at mikea.ath.cx Thu Jan 5 09:33:15 2012 From: mikea at mikea.ath.cx (Mike Andrews) Date: Thu, 5 Jan 2012 09:33:15 -0600 Subject: Internet Edge and Defense in Depth In-Reply-To: <20120105152255.GC20575@gsp.org> References: <922ACC42D498884AA02B3565688AF995340255F77F@USEXMBS01.mwd.h2o> <20120105152255.GC20575@gsp.org> Message-ID: <20120105153315.GB92250@mikea.ath.cx> On Thu, Jan 05, 2012 at 10:22:55AM -0500, Rich Kulawiec wrote: > On Tue, Dec 06, 2011 at 01:44:05PM -0800, Jonathan Lassoff wrote: > > Cramming every little feature under the sun into one appliance makes for > > great glossy brochures and Powerpoint decks, but I just don't think it's > > practical. > > 1. It's an excellent way to create a single point-of-failure. > > 2. I prefer, when building defense-in-depth, to build the layers with different > technology running on different operating systems on different architectures. > There's no doubt this adds some complexity and that it requires judicious > design to be scalable, maintainable, and so on. But it raises the bar > for attackers considerably, and it gives defenders a fighting chance of > discovering a breach in one layer before it becomes a breach in all layers. > > 3. One of the mistakes we all continue to make, whether we have our > paws on integrated appliances or separate systems, is default-permit. > We really need to make sure that the syntactic equivalent of "deny > all from any to any" is the first rule installed in any of these, > and then work from there. > > p.s. In re Powerpoint, I've long held that the appropriate response to > "I have a PowerPoint presentation..." is for everyone else in the room > to find a strong rope and a sturdy tree, and do what must be done for > the sake of humanity. "Power corrupts. PowerPoint corrupts absolutely." As regards avoidance of SPOFs, I also prefer multiple layers in different technologies &c. A monoculture is horribly vulnerable. 
I grant that network hardware isn't exactly Ireland just before the potato famine, but the parallels are there and applicable in at least some senses. -- Mike Andrews, W5EGO mikea at mikea.ath.cx Tired old sysadmin From marshall.eubanks at gmail.com Thu Jan 5 09:36:44 2012 From: marshall.eubanks at gmail.com (Marshall Eubanks) Date: Thu, 5 Jan 2012 10:36:44 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Message-ID: On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote: > Vint Cerf says no: http://j.mp/wwL9Ip With all due respect to Vint, I think that it isn't now, but it will be. Regards Marshall > > But I wonder to what degree that's dependent on how much our governments make > Internet access the most practical/only practical way to interact with them. > > Understand: I'm not saying that FiOS should be a human right. But as a > society, America's recognized for decades that you gotta have a telephone, > and subsidized local/lifeline service to that extent; that sort of subsidy > applies to cellular phones now as well. > > Thoughts? > > Cheers, > -- jr 'yes, I know I'm early...' a > -- > Jay R. Ashworth Baylink jra at baylink.com > Designer The Things I Think RFC 2100 > Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII > St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 > From bicknell at ufp.org Thu Jan 5 09:41:10 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 5 Jan 2012 07:41:10 -0800 Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Message-ID: <20120105154110.GA6914@ussenterprise.ufp.org> In a message written on Thu, Jan 05, 2012 at 10:22:52AM -0500, Jay Ashworth wrote: > Understand: I'm not saying that FiOS should be a human right. But as a > society, America's recognized for decades that you gotta have a telephone, > and subsidized local/lifeline service to that extent; that sort of subsidy > applies to cellular phones now as well. There's a pretty big gap between providing subsidized service because it's good for people/society/the government/business/whatever and a "human right". The government subsidizes lots of things, roads, electric service, planting of wheat that doesn't make any of them human rights. A few years back I read the Wikipedia page on Human Rights, and it made me realize the topic is far deeper than I had initially thought. There really are a lot of nuances to the topic. http://en.wikipedia.org/wiki/Human_rights Broadband, to me, is not a human right. It is something that makes our society more efficient, and improves the quality of life for virtually every citizen, so I do think the government has a role and interest in seeing widespread, if not universal broadband deployment. Failure to provide broadband to someone is not a human rights violation though, and the idea that it is probably is offensive to those who have experienced real human rights violations. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 826 bytes Desc: not available URL: From zaid at zaidali.com Thu Jan 5 09:45:25 2012 From: zaid at zaidali.com (Zaid Ali) Date: Thu, 05 Jan 2012 07:45:25 -0800 Subject: Whacky Weekend: Is Internet Access a Human Right? 
In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Message-ID: I agree with Vint here. Basic human rights are access to food, clothing and shelter. I think we are still struggling in the world with that. With your logic one would expect the radio and TV to be a basic human right but they are not; they are and will remain a powerful medium which will be enablers of something else, and the Internet would fit there. Zaid On 1/5/12 7:22 AM, "Jay Ashworth" wrote: >Vint Cerf says no: http://j.mp/wwL9Ip > >But I wonder to what degree that's dependent on how much our governments >make >Internet access the most practical/only practical way to interact with >them. > >Understand: I'm not saying that FiOS should be a human right. But as a >society, America's recognized for decades that you gotta have a telephone, >and subsidized local/lifeline service to that extent; that sort of subsidy >applies to cellular phones now as well. > >Thoughts? > >Cheers, >-- jr 'yes, I know I'm early...' a >-- >Jay R. Ashworth Baylink >jra at baylink.com >Designer The Things I Think RFC >2100 >Ashworth & Associates http://baylink.pitas.com 2000 Land >Rover DII >St Petersburg FL USA http://photo.imageinc.us +1 727 647 >1274 > From aledm at qix.co.uk Thu Jan 5 09:47:56 2012 From: aledm at qix.co.uk (Aled Morris) Date: Thu, 5 Jan 2012 15:47:56 +0000 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Message-ID: On 5 January 2012 15:22, Jay Ashworth wrote: > Understand: I'm not saying that FiOS should be a human right. But as a > society, America's recognized for decades that you gotta have a telephone, > and subsidized local/lifeline service to that extent; that sort of subsidy > applies to cellular phones now as well. > > There is a subtlety here too - when we grant a monopoly (e.g.
to operate a physical loop or in licensing spectrum) in return we often place a "universal service obligation" on the operator in order that they don't abuse their monopoly by not providing service to "less profitable" customers. This isn't the same as a "right" to a phone. Aled From eesslinger at fpu-tn.com Thu Jan 5 09:56:46 2012 From: eesslinger at fpu-tn.com (Eric J Esslinger) Date: Thu, 5 Jan 2012 09:56:46 -0600 Subject: question regarding US requirements for journaling public email (possible legislation?) Message-ID: Hope y'all had an 'eventless' holiday. (I.e. no pages at 2 am on a holiday morning). Sorry to drop what is possibly just someone misunderstanding something or pulling my leg on the list, but over the holidays I ran into one of my buddies that is also a network admin type and he was griping about mail journalling, which I already do for our corporate email accounts. However, his discussion was in terms of all customer email... Which I said was probably a bad thing to do. His response was there is legislation being pushed in both House and Senate that would require journalling for 2 or 5 years, all mail passing through all of your mail servers. I've seen nothing, and my google fu has turned up nothing other than corporate requirements, so I ask here. Has anyone heard of such a bill working its way through either side of congress? (I am speaking specifically of full email journaling, not just logs, which I do archive for significant amounts of time.) I also don't want to discuss the pros, cons, merits, costs, goods, or evils of such a requirement, just wanted to know if this is something I should be looking forward to maybe needing to implement. Thanks for your attention and may you have a low incident new year.
__________________________ Eric Esslinger Information Services Manager - Fayetteville Public Utilities http://www.fpu-tn.com/ (931)433-1522 ext 165 This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. From jra at baylink.com Thu Jan 5 10:07:56 2012 From: jra at baylink.com (Jay Ashworth) Date: Thu, 5 Jan 2012 11:07:56 -0500 (EST) Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: Message-ID: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Zaid Ali" > On 1/5/12 7:22 AM, "Jay Ashworth" wrote: > > >Vint Cerf says no: http://j.mp/wwL9Ip > > > >But I wonder to what degree that's dependent on how much our governments > >make Internet access the most practical/only practical way to interact > >with them. > > > >Understand: I'm not saying that FiOS should be a human right. But as a > >society, America's recognized for decades that you gotta have a telephone, > >and subsidized local/lifeline service to that extent; that sort of subsidy > >applies to cellular phones now as well. > I agree with Vint here. Basic human rights are access to food, clothing > and shelter. I think we are still struggling in the world with that. With > your logic one would expect the radio and TV to be a basic human right but > they are not; they are and will remain a powerful medium which will be enablers > of something else, and the Internet would fit there. Well, I dunno... as I think was obvious from my other comments: TV and Radio are *broadcast* media; telephones and the internet are not; they're *two-way* communications media... and they're the communications media which have been chosen by the organs of government we've constituted to run things for us. You hit the important word, though, in your reply: "*access to* food, clothing, and shelter"... not the things themselves.
The question here is "is *access to* the Internet a human right, something which the government ought to recognize and protect"? I sort of think it is, myself... and I think that Vint is missing the point: *all* of the things we generally view as human rights are enablers to other things, and we generally dub them *as those things*, by synecdoche... at least in my experience. If I'm not mistaken, Vint's on this list; perhaps he'll chime in. :-) Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From jra at baylink.com Thu Jan 5 10:09:59 2012 From: jra at baylink.com (Jay Ashworth) Date: Thu, 5 Jan 2012 11:09:59 -0500 (EST) Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <20120105154110.GA6914@ussenterprise.ufp.org> Message-ID: <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Leo Bicknell" > Broadband, to me, is not a human right. It is something that makes our > society more efficient, and improves the quality of life for virtually > every citizen, so I do think the government has a role and interest in > seeing widespread, if not universal broadband deployment. Failure to > provide broadband to someone is not a human rights violation though, > and the idea that it is probably is offensive to those who have > experienced real human rights violations. Didn't *say* broadband. Didn't even say "Internet service". Said "Internet *access*", in the non-techspeak meaning of those words. Cheers, -- jra -- Jay R. 
Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From marshall.eubanks at gmail.com Thu Jan 5 10:26:50 2012 From: marshall.eubanks at gmail.com (Marshall Eubanks) Date: Thu, 5 Jan 2012 11:26:50 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com> References: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com> Message-ID: On Thu, Jan 5, 2012 at 11:07 AM, Jay Ashworth wrote: > ----- Original Message ----- >> From: "Zaid Ali" > >> On 1/5/12 7:22 AM, "Jay Ashworth" wrote: >> >> >Vint Cerf says no: http://j.mp/wwL9Ip >> > >> >But I wonder to what degree that's dependent on how much our governments >> >make Internet access the most practical/only practical way to interact >> >with them. >> > >> >Understand: I'm not saying that FiOS should be a human right. But as a >> >society, America's recognized for decades that you gotta have a telephone, >> >and subsidized local/lifeline service to that extent; that sort of subsidy >> >applies to cellular phones now as well. > >> I agree with Vint here. Basic human rights are access to food, clothing >> and shelter. I think we are still struggling in the world with that. With >> your logic one would expect the radio and TV to be a basic human right but >> they are not; they are and will remain a powerful medium which will be enablers >> of something else, and the Internet would fit there. > > Well, I dunno... as I think was obvious from my other comments: TV and Radio > are *broadcast* media; telephones and the internet are not; they're *two-way* > communications media... and they're the communications media which have been > chosen by the organs of government we've constituted to run things for us.
> > You hit the important word, though, in your reply: "*access to* food, clothing, > and shelter"... not the things themselves. > > The question here is "is *access to* the Internet a human right, something > which the government ought to recognize and protect"? I sort of think it is, > myself... and I think that Vint is missing the point: *all* of the things > we generally view as human rights are enablers to other things, and we > generally dub them *as those things*, by synecdoche... at least in my > experience. > > If I'm not mistaken, Vint's on this list; perhaps he'll chime in. :-) Here is a way to think about it - is denial of X a violation of human rights ? If so, access to X should be viewed as a human right. Denial of food, for example, is certainly a violation of human rights. That is not the same as saying that everyone always will be able to afford to eat anything they want, or in dire circumstances even all they need, but to deny food is certainly to violate human rights. I think that if we had heard that (say) Libya's Khaddafi had denied (say) the people of Benghazi all access to telephony, that that would be regarded as a violation of human rights. (Actually, he did and it was). People would, for example, start dying because no one could call an ambulance in an emergency. It would set the stage for further human rights violations, because no one could alert the world to what was happening. Etc. In 1880, that would not have been true, but today it is. Is the Internet at that level ? IMO, no, but it will be soon. That is not the same to say that everyone will get 100 Gbps for free, any more than everyone gets to eat at La Tour d'Argent in Paris. Regards Marshall > > Cheers, > -- jra > -- > Jay R. Ashworth Baylink jra at baylink.com > Designer The Things I Think RFC 2100 > Ashworth & Associates http://baylink.pitas.com
2000 Land Rover DII > St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 > From bicknell at ufp.org Thu Jan 5 10:29:05 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 5 Jan 2012 08:29:05 -0800 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> Message-ID: <20120105162905.GB6914@ussenterprise.ufp.org> In a message written on Thu, Jan 05, 2012 at 11:09:59AM -0500, Jay Ashworth wrote: > > Broadband, to me, is not a human right. It is something that makes our > > society more efficient, and improves the quality of life for virtually > > every citizen, so I do think the government has a role and interest in > > seeing widespread, if not universal broadband deployment. Failure to > > provide broadband to someone is not a human rights violation though, > > and the idea that it is probably is offensive to those who have > > experienced real human rights violations. > > Didn't *say* broadband. Didn't even say "Internet service". Said "Internet > *access*", in the non-techspeak meaning of those words. For the purposes of my e-mail and this point in time, they are all synonymous. That is, if "internet access" is a right, providing someone a 9600bps dial up does not, in my mind, qualify. That might qualify for e-mail access, but you can not use a reasonable fraction of the Internet at that access speed. Similarly, denying someone internet service denies them internet access. The only difference between your terms and mine, is that mine are fixed to this point in time while yours is a general concept that may move in the future. One day 50Mbps broadband may not qualify anymore as "internet access" due to where the internet ends up. But let's take a specific (famous) example. Kevin Mitnick.
From his wikipedia page: "During his supervised release, which ended on January 21, 2003, he was initially forbidden to use any communications technology other than a landline telephone." If Internet access (to use your term) had been a human right then his human rights were violated by the government when they banned him from using any communications technology. Do we really want to suggest that banning him from using the computer is the same level of violation as enslaving him, torturing him, or even killing him? -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 826 bytes Desc: not available URL: From zaid at zaidali.com Thu Jan 5 10:37:07 2012 From: zaid at zaidali.com (Zaid Ali) Date: Thu, 05 Jan 2012 08:37:07 -0800 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com> Message-ID: On 1/5/12 8:07 AM, "Jay Ashworth" wrote: >----- Original Message ----- >> From: "Zaid Ali" > >> On 1/5/12 7:22 AM, "Jay Ashworth" wrote: >> >> >Vint Cerf says no: http://j.mp/wwL9Ip >> > >> >But I wonder to what degree that's dependent on how much our >>governments >> >make Internet access the most practical/only practical way to interact >> >with them. >> > >> >Understand: I'm not saying that FiOS should be a human right. But as a >> >society, America's recognized for decades that you gotta have a >>telephone, >> >and subsidized local/lifeline service to that extent; that sort of >>subsidy >> >applies to cellular phones now as well. > >> I agree with Vint here. Basic human rights are access to food, clothing >> and shelter. I think we are still struggling in the world with that.
>>With >> your logic one would expect the radio and TV to be a basic human right >>but >> they are not; they are and will remain a powerful medium which will be enablers >> of something else, and the Internet would fit there. > >Well, I dunno... as I think was obvious from my other comments: TV and >Radio >are *broadcast* media; telephones and the internet are not; they're >*two-way* >communications media... and they're the communications media which have >been >chosen by the organs of government we've constituted to run things for us. > >You hit the important word, though, in your reply: "*access to* food, >clothing, >and shelter"... not the things themselves. > >The question here is "is *access to* the Internet a human right, >something >which the government ought to recognize and protect"? I sort of think it >is, >myself... and I think that Vint is missing the point: *all* of the things >we generally view as human rights are enablers to other things, and we >generally dub them *as those things*, by synecdoche... at least in my >experience. If I wrote a blog article that criticized the government and it was shut down along with my Internet access I wouldn't say that my right to the Internet was violated. I would say that my right to free speech was violated. Regardless of one way or two way communication it is communication. Zaid From mjkelly at gmail.com Thu Jan 5 10:36:54 2012 From: mjkelly at gmail.com (Matt Kelly) Date: Thu, 5 Jan 2012 11:36:54 -0500 Subject: Comcast Postmaster... Message-ID: <5ECF0F04-F1FC-453D-A75C-14CB6C782423@gmail.com> Would a comcast postmaster be so kind as to contact me off list? Thanks. -- Matt From davei at otd.com Thu Jan 5 10:48:06 2012 From: davei at otd.com (Dave Israel) Date: Thu, 05 Jan 2012 11:48:06 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <20120105162905.GB6914@ussenterprise.ufp.org> References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> Message-ID: <4F05D446.2060208@otd.com> On 1/5/2012 11:29 AM, Leo Bicknell wrote: > In a message written on Thu, Jan 05, 2012 at 11:09:59AM -0500, Jay Ashworth wrote: >> Didn't *say* broadband. Didn't even say "Internet service". Said "Internet >> *access*", in the non-techspeak meaning of those words. > For the purposes of my e-mail and this point in time, they are all > synonymous. > > That is, if "internet access" is a right, providing someone a > 9600bps dial up does not, in my mind, qualify. That might qualify > for e-mail access, but you can not use a reasonable fraction of the > Internet at that access speed. Similarly, denying someone internet > service denies them internet access. The only difference between your > terms and mine, is that mine are fixed to this point in time while > yours is a general concept that may move in the future. One day 50Mbps > broadband may not qualify anymore as "internet access" due to where the > internet ends up. I think you're still thinking of service, as opposed to access. Public terminals, say at libraries, are also access. Free public wifi is also access. > > But let's take a specific (famous) example. Kevin Mitnick. From > his wikipedia page: > > "During his supervised release, which ended on January 21, 2003, he was > initially forbidden to use any communications technology other than a > landline telephone." > > If Internet access (to use your term) had been a human right then > his human rights were violated by the government when they banned > him from using any communications technology. Do we really want to > suggest that banning him from using the computer is the same level of > violation as enslaving him, torturing him, or even killing him?
> Clearly not, at least at this point in history. Internet access is more like access to transportation; the law implicitly requires you to have it (in the form of being able to compel a person to appear at a given place and time), but not only fails to mandate its availability, but includes provisions for explicitly denying access to it in some cases. Internet access becomes a human right only when your other, more basic human rights depend on it. If a person without internet access cannot obtain food, shelter, or basic transportation, then it is a human right. As an aside, your example is flawed, because judicial punishment does involve a loss, or at least a curtailment, of what many people consider to be basic rights. -Dave From Valdis.Kletnieks at vt.edu Thu Jan 5 10:52:11 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 05 Jan 2012 11:52:11 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: Your message of "Thu, 05 Jan 2012 08:29:05 PST." <20120105162905.GB6914@ussenterprise.ufp.org> References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> Message-ID: <3814.1325782331@turing-police.cc.vt.edu> On Thu, 05 Jan 2012 08:29:05 PST, Leo Bicknell said: > But let's take a specific (famous) example. Kevin Mitnick. From > his wikipedia page: > > "During his supervised release, which ended on January 21, 2003, he was > initially forbidden to use any communications technology other than a > landline telephone." > > If Internet access (to use your term) had been a human right then > his human rights were violated by the government when they banned > him from using any communications technology. Do we really want to > suggest that banning him from using the computer is the same level of > violation as enslaving him, torturing him, or even killing him?
Convicted felons surrender a number of rights: freedom (jail terms), the right to vote, etc. And nobody seems to consider that concept a "violation" (though it *is* of course up for debate exactly what rights it's OK to remove from a felon, and for how long). -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From Valdis.Kletnieks at vt.edu Thu Jan 5 10:55:53 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 05 Jan 2012 11:55:53 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: Your message of "Thu, 05 Jan 2012 11:09:59 EST." <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> References: <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> Message-ID: <3949.1325782553@turing-police.cc.vt.edu> On Thu, 05 Jan 2012 11:09:59 EST, Jay Ashworth said: > Didn't *say* broadband. Didn't even say "Internet service". Said "Internet > *access*", in the non-techspeak meaning of those words. There are those who would say "Free Internet access is available at the Public Library and the Community Center" counts as "internet access". What say the peanut gallery? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From rps at maine.edu Thu Jan 5 11:00:04 2012 From: rps at maine.edu (Ray Soucy) Date: Thu, 5 Jan 2012 12:00:04 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Message-ID: It's an interesting question. Most think of the Internet in the context of entertainment and productivity. 
I would ask that those who do remove themselves from the US (or any other prosperous nation) and think about Internet access in nations that are oppressed or depressed. 1. The Internet allows people to communicate (important in environments where the people are victims of oppression). 2. The Internet allows people to learn (if education is a human right, it's not a giant leap to say the Internet is how you deliver it). North Korea, at least, would be a very different nation with universal Internet access. I think a lot of smaller nations as well. There has never been a greater exporter for American ideals of freedom and democracy than the Internet. On the whole I think it has become something people shouldn't be denied access to. Is "broadband" a human right? I don't know the answer to that. But some level of access to the Internet (even if it's slow) is something that would make the world a better place if everyone had access. As we think about freedom and how our laws affect the Internet (SOPA, PROTECT IP, etc) this is something we should also keep in mind. On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote: > Vint Cerf says no: http://j.mp/wwL9Ip > > But I wonder to what degree that's dependent on how much our governments make > Internet access the most practical/only practical way to interact with them. > > Understand: I'm not saying that FiOS should be a human right. But as a > society, America's recognized for decades that you gotta have a telephone, > and subsidized local/lifeline service to that extent; that sort of subsidy > applies to cellular phones now as well. > > Thoughts? > > Cheers, > -- jr 'yes, I know I'm early...' a > -- > Jay R. Ashworth Baylink jra at baylink.com > Designer The Things I Think RFC 2100 > Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII > St Petersburg FL USA http://photo.imageinc.us
> +1 727 647 1274
> --

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From bicknell at ufp.org Thu Jan 5 11:00:53 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Thu, 5 Jan 2012 09:00:53 -0800
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <3814.1325782331@turing-police.cc.vt.edu> <4F05D446.2060208@otd.com>
References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <3814.1325782331@turing-police.cc.vt.edu> <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <4F05D446.2060208@otd.com>
Message-ID: <20120105170053.GA10161@ussenterprise.ufp.org>

In a message written on Thu, Jan 05, 2012 at 11:48:06AM -0500, Dave Israel wrote:
> As an aside, your example is flawed, because judicial punishment does
> involve a loss, or at least a curtailment, of what many people consider
> to be basic rights.

In a message written on Thu, Jan 05, 2012 at 11:52:11AM -0500, Valdis.Kletnieks at vt.edu wrote:
> Convicted felons surrender a number of rights: freedom (jail terms), the
> right to vote, etc. And nobody seems to consider that concept a "violation"
> (though it *is* of course up for debate exactly what rights it's OK to remove
> from a felon, and for how long).

You both make the same, very interesting point. I want to point folks back to the Wikipedia page:

http://en.wikipedia.org/wiki/Human_rights

Look at some of the substantive rights:

- Right to life.
- Freedom from torture.
- Freedom from slavery.
- Right to a fair trial.
- Freedom of speech.
- Freedom of thought, conscience, and religion.

For the most part we don't let judicial punishment infringe on those rights.
(Yes, there are exceptions, and yes, it depends a lot on the location in question. For instance the death penalty infringes on the first substantive right.)

However, for an ordinary criminal (Kevin Mitnick, in my example) we generally require the courts to uphold all of the substantive rights in most civilized societies.

_Human_ rights is a very specific subset of a continuum of rights. Note that the "right to vote" is not in the substantive list above, and is taken away by judicial process in many societies. Not all rights are human rights.

Should you have a right to internet access, just like a right to vote? Perhaps. Is either one in the specific class of _human rights_? No.

--
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

From Timothy.Green at ManTech.com Thu Jan 5 11:11:32 2012
From: Timothy.Green at ManTech.com (Green, Timothy)
Date: Thu, 5 Jan 2012 12:11:32 -0500
Subject: Router Assessment Tool
Message-ID:

Happy New Year All!!!

I'm trying to perform STIG compliancy on various Cisco equipment. Has anybody used the Router Assessment Tool (RAT) for routers and switches? Any cheap (free) recommendations? As a last ditch effort I could use NMAP.

Thanks,
Tim

From jonschipp at gmail.com Thu Jan 5 11:34:32 2012
From: jonschipp at gmail.com (Jon Schipp)
Date: Thu, 5 Jan 2012 12:34:32 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <20120105170053.GA10161@ussenterprise.ufp.org>
References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <3814.1325782331@turing-police.cc.vt.edu> <4F05D446.2060208@otd.com> <20120105170053.GA10161@ussenterprise.ufp.org>
Message-ID:

I think there's a fundamental difference between human and civil rights.

Human rights come from our humanity, i.e. us being human. As humans, we can walk, talk, produce things, own property, etc.

Assuming that isn't true, the next logical question is where do you draw the line? Vehicles are beneficial to society, can they be a human right? If you keep bringing these types of questions up and substitute any good in place of vehicles, you can see how absurd it is. There's no consistency.

I think the idea that food, shelter etc. are human rights is absurd. Doesn't that imply that someone must provide those things for me? What if they don't want to? Does that mean they are forced to? Which would be a violation of their human rights.

Civil rights are rights that are provided by societal institutions, e.g. governments. This makes the most sense to me anyway. I probably need to go read some John Locke.

http://www.differencebetween.net/miscellaneous/politics/difference-between-human-and-civil-rights/

On Thu, Jan 5, 2012 at 12:00 PM, Leo Bicknell wrote:
> In a message written on Thu, Jan 05, 2012 at 11:48:06AM -0500, Dave Israel wrote:
>> As an aside, your example is flawed, because judicial punishment does
>> involve a loss, or at least a curtailment, of what many people consider
>> to be basic rights.
>
> In a message written on Thu, Jan 05, 2012 at 11:52:11AM -0500, Valdis.Kletnieks at vt.edu wrote:
>> Convicted felons surrender a number of rights: freedom (jail terms), the
>> right to vote, etc.
>> And nobody seems to consider that concept a "violation"
>> (though it *is* of course up for debate exactly what rights it's OK to remove
>> from a felon, and for how long).
>
> You both make the same, very interesting point. I want to point
> folks back to the Wikipedia page:
>
> http://en.wikipedia.org/wiki/Human_rights
>
> Look at some of the substantive rights:
>
>  - Right to life.
>  - Freedom from torture.
>  - Freedom from slavery.
>  - Right to a fair trial.
>  - Freedom of speech.
>  - Freedom of thought, conscience, and religion.
>
> For the most part we don't let judicial punishment infringe on those
> rights. (Yes, there are exceptions, and yes, it depends a lot on
> the location in question. For instance the death penalty infringes
> on the first substantive right.)
>
> However, for an ordinary criminal (Kevin Mitnick, in my example)
> we generally require the courts to uphold all of the substantive
> rights in most civilized societies.
>
> _Human_ rights is a very specific subset of a continuum of rights.
> Note that the "right to vote" is not in the substantive list above,
> and is taken away by judicial process in many societies. Not all rights
> are human rights.
>
> Should you have a right to internet access, just like a right to vote?
> Perhaps. Is either one in the specific class of _human rights_? No.
>
> --
>        Leo Bicknell - bicknell at ufp.org - CCIE 3440
>         PGP keys at http://www.ufp.org/~bicknell/

From Valdis.Kletnieks at vt.edu Thu Jan 5 11:49:51 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 05 Jan 2012 12:49:51 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: Your message of "Thu, 05 Jan 2012 12:34:32 EST."
References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <3814.1325782331@turing-police.cc.vt.edu> <4F05D446.2060208@otd.com> <20120105170053.GA10161@ussenterprise.ufp.org>
Message-ID: <7253.1325785791@turing-police.cc.vt.edu>

On Thu, 05 Jan 2012 12:34:32 EST, Jon Schipp said:
> I think the idea that food, shelter etc. are human rights is absurd.
> Doesn't that imply that someone must provide those things for me? What
> if they don't want to? Does that mean they are forced to? Which would
> be a violation of their human rights.

There are those who think that it's a government's responsibility to make sure that people don't die from starvation or lack of access to medical care.

Then there are those who think it's OK to let people die in the gutter.

From eesslinger at fpu-tn.com Thu Jan 5 11:54:55 2012
From: eesslinger at fpu-tn.com (Eric J Esslinger)
Date: Thu, 5 Jan 2012 11:54:55 -0600
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
Message-ID:

Based on some I have received off list it seems no-one has ever heard of such a proposal that has had any serious traction, so I assume the gentleman was either mistaken, paranoid, or trying to pull a joke on me.

Thank you for the responses everyone. You can now get back to your regularly scheduled regulatory headaches.
__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165

> -----Original Message-----
> From: Eric J Esslinger [mailto:eesslinger at fpu-tn.com]
> Sent: Thursday, January 05, 2012 9:57 AM
> To: 'nanog at nanog.org'
> Subject: question regarding US requirements for journaling
> public email (possible legislation?)
>
>
> Hope yall had an 'eventless' holiday. (I.e. no pages at 2 am
> on a holiday morning). Sorry to drop what is possibly just
> someone misunderstanding something or pulling my leg on the
> list, but over the holidays I ran into one of my buddies that
> is also a network admin type and he was griping about mail
> journalling, which I already do for our corporate email
> accounts. However, his discussion was in terms of all
> customer email... Which I said was probably a bad thing to
> do. His response was there is legislation being pushed in
> both House and Senate that would require journalling for 2 or
> 5 years, all mail passing through all of your mail servers.
>
> I've seen nothing, and my google fu has turned up nothing
> other than corporate requirements, so I ask here. Has anyone
> heard of such a bill working its way through either side of congress?
>
> (I am speaking specifically of full email journaling, not
> just logs, which I do archive for significant amounts of time.)
>
> I also don't want to discuss the pros, cons, merits, costs,
> goods, or evils of such a requirement, just wanted to know if
> this is something I should be looking forward towards maybe
> needing to implement.
>
> Thanks for your attention and may you have a low incident new
> year.
>
> __________________________
> Eric Esslinger
> Information Services Manager - Fayetteville Public Utilities
> http://www.fpu-tn.com/ (931)433-1522 ext 165
>
> This message may contain confidential and/or proprietary
> information and is intended for the person/entity to whom it
> was originally addressed.
> Any use by others is strictly prohibited.

From kevin at steadfast.net Thu Jan 5 12:01:01 2012
From: kevin at steadfast.net (Kevin Stange)
Date: Thu, 05 Jan 2012 12:01:01 -0600
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <3814.1325782331@turing-police.cc.vt.edu> <4F05D446.2060208@otd.com> <20120105170053.GA10161@ussenterprise.ufp.org>
Message-ID: <4F05E55D.4060106@steadfast.net>

On 01/05/2012 11:34 AM, Jon Schipp wrote:
> I think the idea that food, shelter etc. are human rights is absurd.
> Doesn't that imply that someone must provide those things for me? What
> if they don't want to? Does that mean they are forced to? Which would
> be a violation of their human rights.

Human rights are things that no government or person should have the right to *take away* from someone. For example, a government need not provide food to all people who need it necessarily, but they must not prevent people from gaining access to food if they want it.

I would argue that the better societies have systems in place for providing access to things that are human rights via the government when no one else is able to step up.

--
Kevin Stange
Chief Technology Officer
Steadfast Networks
http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
From zaid at zaidali.com Thu Jan 5 12:06:16 2012
From: zaid at zaidali.com (Zaid Ali)
Date: Thu, 05 Jan 2012 10:06:16 -0800
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
Message-ID:

On 1/5/12 9:34 AM, "Jon Schipp" wrote:

>I think there's a fundamental difference between human and civil rights.
>
>Human rights come from our humanity, i.e. us being human. As humans,
>we can walk, talk, produce things, own property, etc.
>
>Assuming that isn't true, the next logical question is where do you
>draw the line?
>Vehicles are beneficial to society, can they be a human right? If you
>keep bringing these types of questions up and substitute any good in
>place of vehicles, you can see how absurd it is. There's no
>consistency.
>
>I think the idea that food, shelter etc. are human rights is absurd.
>Doesn't that imply that someone must provide those things for me? What
>if they don't want to? Does that mean they are forced to? Which would
>be a violation of their human rights.

No, it doesn't mean that someone must provide it for you. It means that "access" must not be denied. Take for example the homeless situation in San Francisco: if the city did not provide shelter for the homeless there would be an outcry over human rights violation. If you walk around San Francisco you still see people sleeping in the streets, and this is because they choose to, but they do have the right to go to a shelter, so the city of San Francisco is doing the right thing for basic human rights. In India my observation is that people may be really poor but they do not go hungry or get denied shelter even though they choose to make it out of a cardboard box. The government makes sure that the lands are protected, which is why the slums are not bulldozed by a developer. This is a good example of human rights.
Electricity, communication mediums are all things that people get together to bring either as an individual self or a community.

Zaid

From nathan at atlasnetworks.us Thu Jan 5 12:09:47 2012
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Thu, 5 Jan 2012 18:09:47 +0000
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <7253.1325785791@turing-police.cc.vt.edu>
References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <3814.1325782331@turing-police.cc.vt.edu> <4F05D446.2060208@otd.com> <20120105170053.GA10161@ussenterprise.ufp.org> <7253.1325785791@turing-police.cc.vt.edu>
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B6616DE@ex-mb-1.corp.atlasnetworks.us>

> > I think the idea that food, shelter etc. are human rights is absurd.
> > Doesn't that imply that someone must provide those things for me? What
> > if they don't want to? Does that mean they are forced to? Which would
> > be a violation of their human rights.
>
> There are those who think that it's a government's responsibility to
> make sure that people don't die from starvation or lack of access to
> medical care.
> Then there are those who think it's OK to let people die in the gutter.

And as with most things - the 'truth' is probably somewhere between the extremes.

Internet access, as a vehicle for free speech, is at least an important civil right. I wouldn't immediately discard the notion that, as a subset of free speech, it is a human right. Internet access, by way of cell phones, has increasingly enabled repressed peoples to expose their suffering to the outside world. One doesn't have to look any further than the protests in Iran after the reelection of Ahmadinejad to see that.
When the reporters and cameras have been exiled, and all that remains is the general public armed with their cellphones against the military police armed with rifles, freedom of speech and internet access become the very same thing. Certainly, to an oppressive dictator, internet access and free speech are the very same right. In a modern world, to curtail one is to curtail the other.

Nathan

From dhc2 at dcrocker.net Thu Jan 5 12:29:10 2012
From: dhc2 at dcrocker.net (Dave CROCKER)
Date: Thu, 05 Jan 2012 10:29:10 -0800
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
Message-ID: <4F05EBF6.4050203@dcrocker.net>

On 1/5/2012 7:36 AM, Marshall Eubanks wrote:
> On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote:
>> Vint Cerf says no: http://j.mp/wwL9Ip
>
> With all due respect to Vint, I think that it isn't now, but it will be.

With all due respect for the view that it will be, I'll suggest that this entirely misses the point of his op-ed.

His point is to distinguish means versus ends and that something as basic as a human right needs to be about ends, not means. Means often change -- sometimes quickly -- but ends are typically quite stable. Discussion about means needs to be in terms of the ends they serve.

From the US perspective, speech and assembly are examples of rights. The 'right' to telephone service is not a direct right; it's a derivative of the speech right, I believe. Onerous assembly laws are examples of unacceptable means. The Internet is a set of means. (Zaid's concrete example about blog blocking is also on point.)

Broadly, we need to be careful to distinguish between core issues (rights, causes, and the like) from derivative and surface issues (means, symptoms, and the like). It's extremely easy to get caught up with the details of means and symptoms and entirely miss the underlying, strategic issues.
d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

From bill at herrin.us Thu Jan 5 12:37:15 2012
From: bill at herrin.us (William Herrin)
Date: Thu, 5 Jan 2012 13:37:15 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
Message-ID:

Free Speech is a human right. It's still a human right when that speech is conveyed over the Internet. To the extent that a government obstructs Internet access by its citizens, it is obstructing a human right.

In a capitalist society, human rights are about obstruction, not compulsion. The right to life does not compel a government to provide you with medical care; it merely prevents the government from obstructing your ability to otherwise obtain treatment. Likewise, the right to free speech does not compel a government to provide you with an Internet account.

Socialist societies have a different point of view. A socialist government has a compulsion to provide its citizens at least minimalist and at most egalitarian facilities for the exercise of their human rights.

On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote:
> as a
> society, America's recognized for decades that you gotta have a telephone,
> and subsidized local/lifeline service to that extent; that sort of subsidy
> applies to cellular phones now as well.

Personally, I've always thought it a tragedy that the universal service fund was diverted to provide laptops to kindergartners. I'd love to see it collected from all network service and be applicable to all unbundled rural basic network service.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ......................
Web: Falls Church, VA 22042-3004

From rps at maine.edu Thu Jan 5 12:39:44 2012
From: rps at maine.edu (Ray Soucy)
Date: Thu, 5 Jan 2012 13:39:44 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID:

If you search for "email archiving" instead of journaling you'll come up with a lot more information. It dates back to court rule changes in 2006. Most of it is hype because of [largely incorrect] articles like this one (just one of the first hits):

http://www.itworld.com/security/55954/law-requires-email-archiving

It's really something that you would need a lawyer to give you an answer on (I am not a lawyer, this is not legal advice, etc).

My [limited] understanding is that you are required to disclose whether or not you have any electronic document (including email) requested as part of the discovery process. If you do have it, you're required to produce it. Since it being on some hard drive of an employee computer qualifies as having it, many larger companies decided to archive centrally. The rules only require 7 years back (I think), so that's the amount of time it's generally archived for.

TL;DR you're not required to archive email, but you need to know whether or not you have it if asked.

Again, my understanding here is pretty limited. If anyone knows for certain feel free to chime in.

On Thu, Jan 5, 2012 at 12:54 PM, Eric J Esslinger wrote:
> Based on some I have received off list it seems no-one has ever heard of such a proposal that has had any serious traction, so I assume the gentleman was either mistaken, paranoid, or trying to pull a joke on me.
>
> Thank you for the responses everyone. You can now get back to your regularly scheduled regulatory headaches.
>
> __________________________
> Eric Esslinger
> Information Services Manager - Fayetteville Public Utilities
> http://www.fpu-tn.com/
> (931)433-1522 ext 165
>
>
>
>> -----Original Message-----
>> From: Eric J Esslinger [mailto:eesslinger at fpu-tn.com]
>> Sent: Thursday, January 05, 2012 9:57 AM
>> To: 'nanog at nanog.org'
>> Subject: question regarding US requirements for journaling
>> public email (possible legislation?)
>>
>>
>> Hope yall had an 'eventless' holiday. (I.e. no pages at 2 am
>> on a holiday morning). Sorry to drop what is possibly just
>> someone misunderstanding something or pulling my leg on the
>> list, but over the holidays I ran into one of my buddies that
>> is also a network admin type and he was griping about mail
>> journalling, which I already do for our corporate email
>> accounts. However, his discussion was in terms of all
>> customer email... Which I said was probably a bad thing to
>> do. His response was there is legislation being pushed in
>> both House and Senate that would require journalling for 2 or
>> 5 years, all mail passing through all of your mail servers.
>>
>> I've seen nothing, and my google fu has turned up nothing
>> other than corporate requirements, so I ask here. Has anyone
>> heard of such a bill working its way through either side of congress?
>>
>> (I am speaking specifically of full email journaling, not
>> just logs, which I do archive for significant amounts of time.)
>>
>> I also don't want to discuss the pros, cons, merits, costs,
>> goods, or evils of such a requirement, just wanted to know if
>> this is something I should be looking forward towards maybe
>> needing to implement.
>>
>> Thanks for your attention and may you have a low incident new
>> year.
>> __________________________
>> Eric Esslinger
>> Information Services Manager - Fayetteville Public Utilities
>> http://www.fpu-tn.com/ (931)433-1522 ext 165
>>
>> This message may contain confidential and/or proprietary
>> information and is intended for the person/entity to whom it
>> was originally addressed. Any use by others is strictly prohibited.
>>
>>
>

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From bill at herrin.us Thu Jan 5 12:42:50 2012
From: bill at herrin.us (William Herrin)
Date: Thu, 5 Jan 2012 13:42:50 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID:

On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger wrote:
> His response was there is legislation being pushed in both
> House and Senate that would require journalling for 2 or 5
> years, all mail passing through all of your mail servers.

Hi Eric,

The only relatively recent thing I'm aware of in the Congress is the Protecting Children From Internet Pornographers Act of 2011.

http://thomas.loc.gov/cgi-bin/bdquery/z?d112:h.r.01981:

What it actually says is:

`(1) A commercial provider of an electronic communication service shall retain for a period of at least one year a log of the temporarily assigned network addresses the provider assigns to a subscriber to or customer of such service that enables the identification of the corresponding customer or subscriber information under subsection (c)(2) of this section.'

That may mean journaling individual TCP connections in a NAT environment but it doesn't address content, email or otherwise. I'd say your friend was confused.
The really odd thing is that the act also says:

`(2) Access to a record or information required to be retained under this subsection may not be compelled by any person or other entity that is not a governmental entity.'

What does that mean for the MPAA seeking the identity of a bit torrent user?

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From Valdis.Kletnieks at vt.edu Thu Jan 5 12:52:34 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 05 Jan 2012 13:52:34 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To: Your message of "Thu, 05 Jan 2012 13:42:50 EST."
References:
Message-ID: <10278.1325789554@turing-police.cc.vt.edu>

On Thu, 05 Jan 2012 13:42:50 EST, William Herrin said:
> The really odd thing is that the act also says:
>
> `(2) Access to a record or information required to be retained under
> this subsection may not be compelled by any person or other entity
> that is not a governmental entity.'
>
> What does that mean for the MPAA seeking the identity of a bit torrent user?

Means they need to get a subpoena (at which point it's the court, a governmental entity, doing the compelling).
From BEJones at semprautilities.com Thu Jan 5 13:01:55 2012
From: BEJones at semprautilities.com (Jones, Barry)
Date: Thu, 5 Jan 2012 11:01:55 -0800
Subject: AD and enforced password policies
In-Reply-To: <2AC71587-2896-45FC-B77C-8C789B3C28F7@cs.columbia.edu>
References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> <2AC71587-2896-45FC-B77C-8C789B3C28F7@cs.columbia.edu>
Message-ID:

'Either way, expiring often is the first and most effective step at making the lusers hate you and will only bring the Post-It(tm) makers happy.'

If you want to make them really, really unhappy, implement a rotating user ID coupled with an often expiring password policy. For example, User ID jjones1, jjones2, jjones3, jjones4 (for winter, summer, fall, spring). Works with clothing choices, but angers user communities... :-)

-----Original Message-----
From: Steven Bellovin [mailto:smb at cs.columbia.edu]
Sent: Tuesday, January 03, 2012 5:41 AM
To: Greg Ihnen
Cc: Nanog at nanog.org
Subject: Re: AD and enforced password policies

On Jan 3, 2012, at 8:09 19AM, Greg Ihnen wrote:

>
> On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:
>
>> Subject: RE: AD and enforced password policies
>> Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me):
>>
>>> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network.
>>
>> If you force me to change a password every three months, I'm going to
>> start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
>> you lose.
>>
>> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5
>> etc, and we're all doomed, or they will be lucky and guess. None of
>> these attack modes will be mitigated by the 3-month scheme;
>> success/fail as seen by the bad guys will be a lot quicker than three
>> months.
>> If they do not get lucky with john or rainbow tables, they'll move on.
>>
>> (Some scenarios still are affected by this, of course, but there is a
>> lot to be done to stop bad things from happening like not getting
>> your hashes stolen etc. On-line repeated login failures aren't going
>> to work because you'll detect that, right? )
>>
>> Either way, expiring often is the first and most effective step at
>> making the lusers hate you and will only bring the Post-It(tm) makers happy.
>>
>> If your password crypto is NSA KW-26 or similar, OTOH, just don the
>> Navy blues and start swapping punchcards at 0000 ZULU.
>> (http://en.wikipedia.org/wiki/File:Kw-26.jpg)
>>
>> --
>> Måns Nilsson primary/secondary/besserwisser/machina
>> MN-1334-RIPE +46 705 989668
>> Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!!
>
>
> A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it.
>

It's not a side issue; in my opinion it's a far more important issue in most situations. I do the same thing that you do for all but my most critical passwords.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From fred at cisco.com Thu Jan 5 13:16:15 2012
From: fred at cisco.com (Fred Baker)
Date: Thu, 5 Jan 2012 11:16:15 -0800
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID:

On Jan 5, 2012, at 10:42 AM, William Herrin wrote:

> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger wrote:
>> His response was there is legislation being pushed in both
>> House and Senate that would require journalling for 2 or 5
>> years, all mail passing through all of your mail servers.
>
> Hi Eric,
>
> The only relatively recent thing I'm aware of in the Congress is the
> Protecting Children From Internet Pornographers Act of 2011.

Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, and this is not legal advice.

> From: Fred Baker
> Date: January 5, 2012 10:46:30 AM PST
> To: Eric J Esslinger
> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
>
> I don't know of anything on email journaling, but you might look into section 4 of the "Protecting Children From Internet Pornographers Act of 2011", which asks you to log IP addresses allocated to subscribers. My guess is that the concern is correct, but the details have morphed into urban legend.
>
> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
>
> I'm not sure I see this as shrilly as the techdirt article does, but it is in fact enabling legislation for a part of Article 20 of the COE Cybercrime Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, CALEA, and PATRIOT. Article 20 essentially looks for retention of mail/web/etc logs, and in the Danish interpretation, maintaining Netflow records for every subscriber in Denmark along with a mapping between IP address and subscriber identity in a form that can be data mined with an appropriate warrant.

I can't say (I don't know) whether the Danish Police have in fact implemented what they proposed in 2003. What they were looking for at the time was that the netflow records would be kept for something on the order of 6-18 months.

From a US perspective, you might peruse

http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States

The Wikipedia article goes on to comment on the forensic value of data retention.
I think it is fair to say that the use of telephone numbers in TV shows like CSI ("gee, he called X a lot, maybe we should too") is the comic book version of the use but not far from the mark. A law enforcement official once described it to me as "mapping criminal networks"; if Alice and Bob are known criminals that talk with each other, and both also talk regularly with Carol, Carol may simply be a mutual friend, but she might also be something else. Further, if Alice and Bob are known criminals in one organization, Dick and Jane are known criminals in another, and a change in communication patterns is observed - Alice and Bob don't talk with Dick or Jane for a long period, and then they start talking - it may signal a shift that law enforcement is interested in.

From smb at cs.columbia.edu Thu Jan 5 14:10:45 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Thu, 5 Jan 2012 15:10:45 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID: <5FA8EC31-383E-4989-A9A4-F79449CF7735@cs.columbia.edu>

On Jan 5, 2012, at 2:16 PM, Fred Baker wrote:

>
> On Jan 5, 2012, at 10:42 AM, William Herrin wrote:
>
>> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger wrote:
>>> His response was there is legislation being pushed in both
>>> House and Senate that would require journalling for 2 or 5
>>> years, all mail passing through all of your mail servers.
>>
>> Hi Eric,
>>
>> The only relatively recent thing I'm aware of in the Congress is the
>> Protecting Children From Internet Pornographers Act of 2011.
>
> Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, and this is not legal advice.
>
>> From: Fred Baker
>> Date: January 5, 2012 10:46:30 AM PST
>> To: Eric J Esslinger
>> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
>>
>> I don't know of anything on email journaling, but you might look into section 4 of the "Protecting Children From Internet Pornographers Act of 2011", which asks you to log IP addresses allocated to subscribers. My guess is that the concern is correct, but the details have morphed into urban legend.
>>
>> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
>> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
>>
>> I'm not sure I see this as shrilly as the techdirt article does, but it is in fact enabling legislation for a part of Article 20 of the COE Cybercrime Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, CALEA, and PATRIOT. Article 20 essentially looks for retention of mail/web/etc logs, and in the Danish interpretation, maintaining Netflow records for every subscriber in Denmark along with a mapping between IP address and subscriber identity in a form that can be data mined with an appropriate warrant.
>
> I can't say (I don't know) whether the Danish Police have in fact implemented what they proposed in 2003. What they were looking for at the time was that the netflow records would be kept for something on the order of 6-18 months.
>
> From a US perspective, you might peruse
>
> http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States
>
> The Wikipedia article goes on to comment on the forensic value of data retention. I think it is fair to say that the use of telephone numbers in TV shows like CSI ("gee, he called X a lot, maybe we should too") is the comic book version of the use but not far from the mark.
> A law enforcement official once described it to me as "mapping criminal networks"; if Alice and Bob are known criminals that talk with each other, and both also talk regularly with Carol, Carol may simply be a mutual friend, but she might also be something else. Further, if Alice and Bob are known criminals in one organization, Dick and Jane are known criminals in another, and a change in communication patterns is observed - Alice and Bob don't talk with Dick or Jane for a long period, and then they start talking - it may signal a shift that law enforcement is interested in.
>

Yah, but that's all "non-content records"; it's a far cry from having to retain the body of every email, which is what he asked about. As far as I know -- and I'm on enough tech policy lists that I probably would know -- nothing like that is being proposed.

That said, for a few industries -- finance comes to mind -- companies are required to do things like that by the SEC, but not ISPs per se. See http://www.archivecompliance.com/Laws-governing-email-archiving-compliance.html for some details.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From fmartin at linkedin.com Thu Jan 5 14:11:21 2012
From: fmartin at linkedin.com (Franck Martin)
Date: Thu, 5 Jan 2012 20:11:21 +0000
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com>
Message-ID:

On 1/5/12 8:07 , "Jay Ashworth" wrote:

>----- Original Message -----
>> From: "Zaid Ali"
>
>> On 1/5/12 7:22 AM, "Jay Ashworth" wrote:
>>
>> >Vint Cerf says no: http://j.mp/wwL9Ip
>> >
>
>The question here is "is *access to* the Internet a human right, something
>which the government ought to recognize and protect"? I sort of think it is,
>myself... and I think that Vint is missing the point: *all* of the things
>we generally view as human rights are enablers to other things, and we
>generally dub them *as those things*, by synecdoche... at least in my
>experience.
The basic human right is free speech, this is how the Internet gets protected, by proxy.

But then... I think only the US claims to have free speech as a constitutional right. This is not in the mind of many Europeans...

From fmartin at linkedin.com Thu Jan 5 14:15:15 2012
From: fmartin at linkedin.com (Franck Martin)
Date: Thu, 5 Jan 2012 20:15:15 +0000
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <3949.1325782553@turing-police.cc.vt.edu>
Message-ID:

Universal Access vs Universal Service

It is important to understand the difference. I have argued that Developing countries should only provide Universal Access as the weight of providing Universal Service is way too expensive and would tax too much the business community which is developing the economy so that Universal Service may become a reality one day.

On 1/5/12 8:55 , "Valdis.Kletnieks at vt.edu" wrote:

>On Thu, 05 Jan 2012 11:09:59 EST, Jay Ashworth said:
>
>> Didn't *say* broadband. Didn't even say "Internet service". Said "Internet
>> *access*", in the non-techspeak meaning of those words.
>
>There are those who would say "Free Internet access is available at the
>Public Library and the Community Center" counts as "internet access".
>
>What say the peanut gallery?

From kmedcalf at dessus.com Thu Jan 5 14:21:53 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Thu, 05 Jan 2012 13:21:53 -0700
Subject: Trouble accessing www.nanog.org
In-Reply-To:
Message-ID:

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

> On Thursday, 05 January, 2012 08:30, Marshall Eubanks said:
>
> > On Thu, Jan 5, 2012 at 4:51 AM, Keith Medcalf wrote:
> >
> > > There is video hosting web sites on the intertubes?
> > > Now where would those be found, I wonder.
> > > All I have ever seen is macro-streaming that is fraudulently labeled and advertised as video -- the worst
> > > being something called FlashVirus, which was written by a company called
> > > MacroVirus Media or something like that, and currently owned and flogged by
> > > Adobe along with their "Proprietary Document Format" (the latest versions of
> > > which boast UVTD technology -- Unstoppable Virus Transport and Distribution).
> > > If the so-called video contains arbitrary executable code (or can run
> > > arbitrary executable code), or requires the use of a specific application to
> > > "play" (or infect the target), then it should not be described as
> > > "video". It is a streaming-macro.
>
> Is H.264 Turing-complete ? Is Ogg-Vorbis ? (It seems like those are
> the two reasonable open standard choices.)

Okay by me. Just no "Flash Video Streams" if you please.

> Regards
> Marshall
>
> Microsoft was the first OS vendor to add the "Execute Payload" header to IP
> which saved much time and effort in the distribution of malicious code via
> the internet. Unfortunately, Adobe and several other vendors have patents on
> what is called the method of "Executable Data" and made Microsoft remove
> their wondrous invention under pain of patent lawsuits.
> >
> > Of course, maybe what's meant is File hosting, where the File being hosted
> > just happens to contain video data in standard data format (preferably a
> > pure-data format that does not embed execution macros of any type).
> >
> > ;)
> >
> > ---
> > ()  ascii ribbon campaign against html e-mail
> > /\  www.asciiribbon.org
> >
> >
> >> -----Original Message-----
> >> From: Christopher Morrow [mailto:morrowc.lists at gmail.com]
> >> Sent: Wednesday, 04 January, 2012 20:47
> >> To: Michael K. Smith - Adhost
> >> Cc: bmanning at vacation.karoshi.com; Wessels, Duane; nanog at nanog.org
> >> Subject: Re: Trouble accessing www.nanog.org
> >>
> >> On Wed, Jan 4, 2012 at 10:41 PM, Michael K.
> >> Smith - Adhost wrote:
> >>
> >> >> Err, while we're talking about video files and nanog, why is the video
> >> >> content still served off (stored content I mean) nanog.org servers?
> >> >> Why not use one of the many video serving services? some of which are
> >> >> free even :)
> >> >> (that part's not a troll, a real question, even!)
> >> >> -chris
> >> >
> >> >
> >> > The website work hasn't yet begun, so that is certainly still on the
> >> > table. If you would like to volunteer some of your time...
> >>
> >> I'm sure we could arrange some process to ingest videos to some form
> >> of video-hosting-website... a videotubes site let's say.
> >>
> >> who should I chat with?
> >
> >

From cjp at 0x1.net Thu Jan 5 14:42:23 2012
From: cjp at 0x1.net (Christopher J. Pilkington)
Date: Thu, 5 Jan 2012 15:42:23 -0500
Subject: "Non-vendor neutral" hosting/colocation
Message-ID: <-4642010466787914164@unknownmsgid>

We are experiencing an issue in NYCMNY where the hosting facility's owner, a large IXC and CLEC, is being less than cooperative in allowing the ILEC delivering a private circuit to the hosting facility. They will allow ILEC to deliver the circuit elsewhere in the building, but will not provide us a cross connect to this facility. Hosting provider will however gladly use their own CLEC to provide us the service and provide cross connect to same. I have no details on whether this is contractually permitted or not.

Another circuit from a third IXC/CLEC ran into a similar problem. This carrier "resolved it" by using the hosting company's CLEC for local loop, even though third carrier has lit facilities elsewhere in said facility.

We have concerns for future issues involving the merger of a previous vendor-neutral hosting facility company and another telco provider.

Any experiences or advice, on or off list, would be helpful. Also, comments from regulatory geeks would be interesting as well.
-cjp

From askoorb+nanog at gmail.com Thu Jan 5 14:57:02 2012
From: askoorb+nanog at gmail.com (Alex Brooks)
Date: Thu, 5 Jan 2012 20:57:02 +0000
Subject: Trouble accessing www.nanog.org
In-Reply-To:
References:
Message-ID:

On Thu, Jan 5, 2012 at 8:21 PM, Keith Medcalf wrote:
>
> ---
> ()  ascii ribbon campaign against html e-mail
> /\  www.asciiribbon.org
>
> > On Thursday, 05 January, 2012 08:30, Marshall Eubanks said:
> >
> > On Thu, Jan 5, 2012 at 4:51 AM, Keith Medcalf wrote:
> >
> > > There is video hosting web sites on the intertubes?
> > > Now where would those be found, I wonder. All I have ever seen is macro-streaming that is fraudulently labeled and advertised as video -- the worst
> > > being something called FlashVirus, which was written by a company called
> > > MacroVirus Media or something like that, and currently owned and flogged by
> > > Adobe along with their "Proprietary Document Format" (the latest versions of
> > > which boast UVTD technology -- Unstoppable Virus Transport and Distribution).
> > >
> > > If the so-called video contains arbitrary executable code (or can run
> > > arbitrary executable code), or requires the use of a specific application to
> > > "play" (or infect the target), then it should not be described as
> > > "video". It is a streaming-macro.
> >
> > Is H.264 Turing-complete ? Is Ogg-Vorbis ? (It seems like those are
> > the two reasonable open standard choices.)
>
> Okay by me. Just no "Flash Video Streams" if you please.
>

FWIW many of the big video hosting sites have this option now, and many send an appropriate format for the browser being used:

http://www.youtube.com/html5
http://www.dailymotion.com/html5
http://vimeo.com/blog:268
http://blip.tv/html5/
http://www.archive.org/details/Html5DemoVideo

Alex

From joly at punkcast.com Thu Jan 5 14:57:29 2012
From: joly at punkcast.com (Joly MacFie)
Date: Thu, 5 Jan 2012 15:57:29 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <3949.1325782553@turing-police.cc.vt.edu>
References: <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <3949.1325782553@turing-police.cc.vt.edu>
Message-ID:

I know here in NYC, when the government talks, access is defined as availability, whether utilized or not.

j

On Thu, Jan 5, 2012 at 11:55 AM, wrote:

> On Thu, 05 Jan 2012 11:09:59 EST, Jay Ashworth said:
>
> > Didn't *say* broadband. Didn't even say "Internet service". Said "Internet
> > *access*", in the non-techspeak meaning of those words.
>
> There are those who would say "Free Internet access is available at the
> Public Library and the Community Center" counts as "internet access".
>
> What say the peanut gallery?
>

--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------

From joly at punkcast.com Thu Jan 5 15:06:07 2012
From: joly at punkcast.com (Joly MacFie)
Date: Thu, 5 Jan 2012 16:06:07 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
Message-ID:

Not a new line of thinking for Vint. He said much the same thing at our INET in NYC.
http://www.youtube.com/watch?v=XPc79dlLs0U

What's notable is that as a "father" Vint is more aware than many of the ephemerality of the Internet, and when speculating futurewise at the INET he consistently referred to it as "the Internet or whatever may replace it."

On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote:

> Vint Cerf says no: http://j.mp/wwL9Ip
>
>

--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------

From morrowc.lists at gmail.com Thu Jan 5 15:09:54 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Thu, 5 Jan 2012 16:09:54 -0500
Subject: Router Assessment Tool
In-Reply-To:
References:
Message-ID:

On Thu, Jan 5, 2012 at 12:11 PM, Green, Timothy wrote:
> Happy New Year All!!!
>
> I'm trying to perform STIG compliancy on various Cisco equipment. Has anybody used the Router Assessment Tool (RAT) for routers and switches? Any cheap (free) recommendations? As a last ditch effort I could use NMAP.
>

uunet did for a time use a variant of RAT... you may get some mileage asking George Jones about it.

From morrowc.lists at gmail.com Thu Jan 5 15:13:38 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Thu, 5 Jan 2012 16:13:38 -0500
Subject: Trouble accessing www.nanog.org
In-Reply-To:
References:
Message-ID:

On Thu, Jan 5, 2012 at 3:21 PM, Keith Medcalf wrote:
>
>> Is H.264 Turing-complete ? Is Ogg-Vorbis ? (It seems like those are
>> the two reasonable open standard choices.)
>
> Okay by me. Just no "Flash Video Streams" if you please.

what about html5?

From DStaal at usa.net Thu Jan 5 15:43:51 2012
From: DStaal at usa.net (Daniel Staal)
Date: Thu, 5 Jan 2012 16:43:51 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
References:
Message-ID: <088ae21864bf835f1c147baffaca6c3d.squirrel@www.magehandbook.com>

On Thu, January 5, 2012 11:37 am, Zaid Ali wrote:
>
> If I wrote a blog article that criticized the government and it was
> shutdown along with my Internet access I wouldn't say that my right to the
> Internet was violated. I would say that my right to free speech was
> violated. Regardless of one way or two way communication it is
> communication.

The Internet is quickly becoming more than just a medium for speech. It is access to services, education, markets, and tools of analysis, among *many* others. Many of the specifics are covered under other rights, so the question is does the whole become more than the parts, and is *that* a right?

I'm with the 'probably not quite yet, but soon' group. I don't think it will be long before it is impossible to participate in modern society in any meaningful way without access to the Internet.

Vint does have one other point: the tool is not the whole of the thing. What we currently call 'the Internet' could be replaced by a different network, if someone were to invent something that was a good enough replacement. But at this point, I think *that* network would be called 'the Internet' then, and we don't *have* a separate name for the tool from what it does. (With the possible exception of some terms in cyberpunk novels...)

Daniel T. Staal

---------------------------------------------------------------
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---------------------------------------------------------------

From sh.vahabzadeh at gmail.com Thu Jan 5 15:59:30 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Fri, 6 Jan 2012 01:29:30 +0330
Subject: OSS Systems
Message-ID:

Hi there,
Has anybody experience of running an OSS system at enterprise level?
And do you have any idea about it?
For example for an ISP who is running users more than 20K or 30K, there
must be some good solutions to integrate all systems like:
Radius, Billing Systems and CRM
For example after searching and asking friends I have some ideas about
Radius to use: radiator
Is there anybody who has analysed such systems before in his ISP? Need
sharing here :)
Thanks

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From leigh.porter at ukbroadband.com Thu Jan 5 16:15:22 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Thu, 5 Jan 2012 22:15:22 +0000
Subject: OSS Systems
In-Reply-To:
References:
Message-ID: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com>

On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh" wrote:

> Hi there,
> Has anybody experience of running an OSS system at enterprise level?
> And do you have any idea about it?
> For example for an ISP who is running users more than 20K or 30K, there
> must be some good solutions to integrate all systems like:
> Radius, Billing Systems and CRM
> For example after searching and asking friends I have some ideas about
> Radius to use: radiator
> Is there anybody who has analysed such systems before in his ISP? Need
> sharing here :)
> Thanks

We did this a few years ago and ended up writing the whole thing ourselves. This included billing, subscriber management etc etc.

We integrated to salesforce.com for the internal front end and the user facing stuff we did ourselves.

It was a big project and took a team of six about six months.
But we ended up with a perfect solution that did exactly what we needed and it was pretty good.

It handled within the order of users you mention, but we designed to 100k users.

We used radiator (highly recommended) with openldap back end. Multiple load balanced servers etc etc.

The worst thing we did was to build our own mail system. Not that it was an issue, it never went wrong, but these days I'd just send people to gmail or something.

--
Leigh Porter

From sh.vahabzadeh at gmail.com Thu Jan 5 16:21:04 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Fri, 6 Jan 2012 01:51:04 +0330
Subject: OSS Systems
In-Reply-To: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com>
References: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com>
Message-ID:

Dear Leigh,
Thanks for your answer. So you recommend radiator? What about analysis, you know always thinking about billing systems with staff who do not have any idea about the backend is hard ... You always have problems with operators and they make lots of exceptions, isn't it?
And if you have time would you please tell me more about your load balancers?
I am really confused with designing and analysing this project :(
Thanks

On Fri, Jan 6, 2012 at 1:45 AM, Leigh Porter wrote:

>
>
> On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh"
> wrote:
>
> > Hi there,
> > Has anybody experience of running an OSS system at enterprise level?
> > And do you have any idea about it?
> > For example for an ISP who is running users more than 20K or 30K, there
> > must be some good solutions to integrate all systems like:
> > Radius, Billing Systems and CRM
> > For example after searching and asking friends I have some ideas about
> > Radius to use: radiator
> > Is there anybody who has analysed such systems before in his ISP? Need
> > sharing here :)
> > Thanks
>
> We did this a few years ago and ended up writing the whole thing
> ourselves. This included billing, subscriber management etc etc.
>
> We integrated to salesforce.com for the internal front end and the user
> facing stuff we did ourselves.
>
> It was a big project and took a team of six about six months. But we ended
> up with a perfect solution that did exactly what we needed and it was
> pretty good.
>
> It handled within the order of users you mention, but we designed to 100k
> users.
>
> We used radiator (highly recommended) with openldap back end. Multiple
> load balanced servers etc etc.
>
> The worst thing we did was to build our own mail system. Not that it was
> an issue, it never went wrong, but these days I'd just send people to gmail
> or something.
>
> --
> Leigh Porter
>

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From jna at retina.net Thu Jan 5 16:24:49 2012
From: jna at retina.net (John Adams)
Date: Thu, 5 Jan 2012 14:24:49 -0800
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID:

On Thu, Jan 5, 2012 at 7:56 AM, Eric J Esslinger wrote:

>
> (I am speaking specifically of full email journaling, not just logs, which
> I do archive for significant amounts of time.)
>
> I also don't want to discuss the pros, cons, merits, costs, goods, or
> evils of such a requirement, just wanted to know if this is something I
> should be looking forward towards maybe needing to implement.
>

This is probably not what you want to hear, but you should really read through EFF's "Best Practices for Online Service Providers."

https://www.eff.org/wp/osp

Specifically:

OSPs cannot be forced to provide data that does not exist. EFF suggests that OSPs draft an internal policy that states that they collect only limited information and do not retain any logs of user activity on their networks for more than a few weeks. If a court order requests data that is more than a few weeks old, the OSP can simply point to the policy and explain that it cannot furnish the requested data. Likewise, if unnecessary PII is regularly deleted, the OSP cannot supply what it does not retain. This saves the OSP time and money, while also providing the OSP with sufficient data for its own administrative and business purposes.

From bzs at world.std.com Thu Jan 5 17:06:15 2012
From: bzs at world.std.com (Barry Shein)
Date: Thu, 5 Jan 2012 18:06:15 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
References: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com>
Message-ID: <20230.11495.643459.352921@world.std.com>

Sorry if someone said this but I think it's interesting that the first amendment to the US Constitution specifically lists freedom of speech AND freedom of press, rather than perhaps allowing one (speech) to imply the other (press, i.e., that speech fixed to a medium.)
If we use that as a significant guide that would seem to say that mere speech is not enough, the right to disseminate that speech to others is also necessary.

--
        -Barry Shein

The World              | bzs at TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*

From avg at kotovnik.com Thu Jan 5 21:05:31 2012
From: avg at kotovnik.com (Vadim Antonov)
Date: Thu, 05 Jan 2012 19:05:31 -0800
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
References:
Message-ID: <4F0664FB.4010009@kotovnik.com>

There are no such rights. Each positive right is somebody else's obligation. Being forced to feed, clothe, and house somebody else is called slavery. So is providing Internet access, TV, or whatever else. Doesn't matter if this slavery is part-time, the principle remains the same -- some people gang up on you and force you to work for their benefit.

On the other hand the ability to exchange any information with any other consenting parties and at your own expense - without being censored, interfered with, or snooped upon - is indeed a basic human right.

--vadim

On 01/05/2012 07:45 AM, Zaid Ali wrote:
> I agree with Vint here. Basic human rights are access to food, clothing
> and shelter. I think we are still struggling in the world with that. With
> your logic one would expect the radio and TV to be a basic human right but
> they are not, they are and will remain powerful medium which be enablers
> of something else and the Internet would fit there.
>
> Zaid

From nathan at atlasnetworks.us Thu Jan 5 21:24:43 2012
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Fri, 6 Jan 2012 03:24:43 +0000
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <4F0664FB.4010009@kotovnik.com>
References: <4F0664FB.4010009@kotovnik.com>
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B6623EF@ex-mb-1.corp.atlasnetworks.us>

> There are no such rights. Each positive right is somebody else's obligation.
> Being forced to feed, clothe, and house somebody else is called slavery. So is
> providing Internet access, TV, or whatever else. Doesn't matter if this slavery
> is part-time, the principle remains the same -- some people gang up on you
> and force you to work for their benefit.

This is antisocial nonsense. Governed societies exist because the supporting output of the group is greater than that of the same number of individuals. That infrastructure of government - the social building blocks that obligate us to each other - are not slavery, they are freedom from the anarchists, the equal opportunists (those that hold that we all have, inherently, have the same opportunity to succeed), and the Darwinists.

By your logic, librarians are slaves, as are all civil servants. Radio is another of the greatest examples of a means of speech that is universally accessible, and yet we would not call broadcasters slaves either. Absolute nonsense.

Nathan

From ops.lists at gmail.com Thu Jan 5 21:41:30 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 6 Jan 2012 09:11:30 +0530
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID:

I would love to ask the EFF just what you do when you don't log stuff, and then need to troubleshoot someone causing a DDoS or something from your network in a hurry.

Not that I'd get any sort of a useful answer from them, beyond random propaganda that spam filtering is evil, DPI is demoniacal etc etc.

On Fri, Jan 6, 2012 at 3:54 AM, John Adams wrote:
>
> OSPs cannot be forced to provide data that does not exist.
> EFF suggests
> that OSPs draft an internal policy that states that they collect only
> limited information and do not retain any logs of user activity on their
> networks for more than a few weeks. If a court order requests data that is
> more than a few weeks old, the OSP can simply point to the policy and
> explain that it cannot furnish the requested data. Likewise, if unnecessary
> PII is regularly deleted, the OSP cannot supply what it does not retain.
> This saves the OSP time and money, while also providing the OSP with
> sufficient data for its own administrative and business purposes.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From Valdis.Kletnieks at vt.edu Thu Jan 5 22:00:15 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 05 Jan 2012 23:00:15 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To: Your message of "Fri, 06 Jan 2012 09:11:30 +0530."
References:
Message-ID: <14188.1325822415@turing-police.cc.vt.edu>

On Fri, 06 Jan 2012 09:11:30 +0530, Suresh Ramasubramanian said:
> I would love to ask the EFF just what you do when you don't log stuff,
> and then need to troubleshoot someone causing a DDoS or something from
> your network in a hurry.

What John actually said:

> OSPs cannot be forced to provide data that does not exist. EFF suggests
> that OSPs draft an internal policy that states that they collect only
> limited information and do not retain any logs of user activity on their
> networks for more than a few weeks.

You need to track down a miscreant user *right now*? You got the last 48 hours of logs right at hand. It's been a week? Meh, if somebody's been getting hit by a DDoS for a week and is just now calling you, the fact they have a DDoS is the least of their problems. Toss the logs. :)

> Not that I'd get any sort of a useful answer from them, beyond random
> propaganda that spam filtering is evil, DPI is demoniacal etc etc.
Might want to go and actually read https://www.eff.org/wp/osp before you say that. The PDF version runs to about 15 pages of detailed and useful info for an OSP.

From ops.lists at gmail.com Thu Jan 5 22:05:37 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 6 Jan 2012 09:35:37 +0530
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To: <14188.1325822415@turing-police.cc.vt.edu>
References: <14188.1325822415@turing-police.cc.vt.edu>
Message-ID:

There's no shortage of stuff that reaches you 80..90 days after the fact

The UK voluntary retention rules make a lot more sense, compared to "a few days", which is entirely impractical

On Fri, Jan 6, 2012 at 9:30 AM, wrote:
>
> You need to track down a miscreant user *right now*? You got the last 48 hours
> of logs right at hand. It's been a week? Meh, if somebody's been getting hit by
> a DDoS for a week and is just now calling you, the fact they have a DDoS is the
> least of their problems. Toss the logs. :)

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From richard.barnes at gmail.com Thu Jan 5 22:52:58 2012
From: richard.barnes at gmail.com (Richard Barnes)
Date: Thu, 5 Jan 2012 23:52:58 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
Message-ID:

The analogy that occurs to me is to roads. People generally have a right of free movement, which implies that if they are capable of using roads (e.g., if they have a car and can drive it), then they should be generally free to do so, certain reasonable legal constraints notwithstanding.
And in this case, the reasonableness of constraints arises from the fact that things like driving licenses and road signs are based on clear safety concerns.

Mapping this over to the Internet: People generally have a right of free expression, which implies that if they are capable of using the Internet, they should be generally free to use it, certain reasonable legal constraints notwithstanding. The human right in question, then, isn't a right to Internet access per se; people aren't entitled to a broadband link any more than they're entitled to live near good roads. (Note, however, that communities typically try to maintain their roads to a certain standard.) Rather, the right is to a certain *class* of Internet access, free of unnecessary constraints.

The question of legal constraints and "reasonableness" is much thornier in this domain; you're not going to kill someone by sending them spam. (Well, maybe with SCADA systems, but we'll put that aside for now.) The obvious cases (e.g., child porn) are to some degree already covered, although there's some variation around the globe (Nazi propaganda in France). The debate over PROTECT-IP is at some level about whether and which constraints on Internet usage based on copyright constraints are reasonable.

--Richard

On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote:
> Vint Cerf says no: http://j.mp/wwL9Ip
>
> But I wonder to what degree that's dependent on how much our governments make
> Internet access the most practical/only practical way to interact with them.
>
> Understand: I'm not saying that FiOS should be a human right. But as a
> society, America's recognized for decades that you gotta have a telephone,
> and subsidized local/lifeline service to that extent; that sort of subsidy
> applies to cellular phones now as well.
>
> Thoughts?
>
> Cheers,
> -- jr 'yes, I know I'm early...' a
> --
> Jay R. Ashworth                  Baylink                       jra at baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
>

From avg at kotovnik.com Fri Jan 6 00:58:58 2012
From: avg at kotovnik.com (Vadim Antonov)
Date: Thu, 05 Jan 2012 22:58:58 -0800
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B6623EF@ex-mb-1.corp.atlasnetworks.us>
References: <4F0664FB.4010009@kotovnik.com> <8C26A4FDAE599041A13EB499117D3C286B6623EF@ex-mb-1.corp.atlasnetworks.us>
Message-ID: <4F069BB2.2010300@kotovnik.com>

Nathan Eisenberg wrote:
>> There are no such rights. Each positive right is somebody else's obligation.
> This is antisocial nonsense.

If you want to be a slave, that's your right. But leave me out of your schemes, please. May I ask you to remove the guns and violence your "representatives" are threatening me with if I refuse to "participate"? Because I don't think it's possible to have a civilized discussion when one party insists on forcing the other to obey.

By the way, it takes a really twisted mindset to consider violence towards people who didn't do anything bad to you as socially acceptable.

--vadim

From joly at punkcast.com Fri Jan 6 01:07:02 2012
From: joly at punkcast.com (Joly MacFie)
Date: Fri, 6 Jan 2012 02:07:02 -0500
Subject: "Non-vendor neutral" hosting/colocation
In-Reply-To: <-4642010466787914164@unknownmsgid>
References: <-4642010466787914164@unknownmsgid>

I could be mistaken but I think similar circumstances were what originally led to the establishment of Telx's IXP at 60 Hudson.

j

On Thu, Jan 5, 2012 at 3:42 PM, Christopher J. Pilkington wrote:
> We are experiencing an issue in NYCMNY where the hosting facility's
> owner, a large IXC and CLEC, is being less than cooperative in
> allowing the ILEC delivering a private circuit to the hosting
> facility.
> They will allow ILEC to deliver the circuit elsewhere in the
> building, but will not provide us a cross connect to this facility.
> Hosting provider will however gladly use their own CLEC to provide us
> the service and provide cross connect to same. I have no details on
> whether this is contractually permitted or not.
>
> Another circuit from a third IXC/CLEC ran into a similar problem. This
> carrier "resolved it" by using the hosting company's CLEC for local
> loop, even though third carrier has lit facilities elsewhere in said
> facility.
>
> We have concerns for future issues involving the merger of a previous
> vendor-neutral hosting facility company and another telco provider.
>
> Any experiences or advice, on or off list, would be helpful. Also,
> comments from regulatory geeks would be interesting as well.
>
> -cjp
>

-- 
---------------------------------------------------------------
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------
-

From mansaxel at besserwisser.org Fri Jan 6 01:16:03 2012
From: mansaxel at besserwisser.org (Måns Nilsson)
Date: Fri, 6 Jan 2012 08:16:03 +0100
Subject: anycast load balancing issue
In-Reply-To: <4F05BDE1.3040103@xor.at>
References: <20120104120255.GT7491@besserwisser.org> <4F05BDE1.3040103@xor.at>
Message-ID: <20120106071603.GH7491@besserwisser.org>

Subject: Re: anycast load balancing issue Date: Thu, Jan 05, 2012 at 04:12:33PM +0100 Quoting Johannes Resch (jr at xor.at):
> >Any clues?
> Since you mention route-reflector route selection - are you already
> using per-VRF, per-PE route distinguishers for that L3VPN instance?

Problem solved - what I did not tell (shame on me) was that there are two islands of IGP (growing pains...) redistributing to each other... The metric in that redistribution was too low, resulting in artificially "cheap" paths to the wrong places.

Thanks all who made me think a second round and solve this.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Hold the MAYO & pass the COSMIC AWARENESS ...

From randy at psg.com Fri Jan 6 01:34:36 2012
From: randy at psg.com (Randy Bush)
Date: Fri, 06 Jan 2012 16:34:36 +0900
Subject: "Non-vendor neutral" hosting/colocation
In-Reply-To: <-4642010466787914164@unknownmsgid>
References: <-4642010466787914164@unknownmsgid>

> We are experiencing an issue in NYCMNY where the hosting facility's
> owner, a large IXC and CLEC, is being less than cooperative in
> allowing the ILEC delivering a private circuit to the hosting
> facility.

move to a carrier-neutral facility. unless you do that, the beatings will continue.

randy

From leigh.porter at ukbroadband.com Fri Jan 6 06:40:27 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Fri, 6 Jan 2012 12:40:27 +0000
Subject: anycast load balancing issue
In-Reply-To: <20120106071603.GH7491@besserwisser.org>
References: <20120104120255.GT7491@besserwisser.org> <4F05BDE1.3040103@xor.at>,<20120106071603.GH7491@besserwisser.org>
Message-ID: <49EB8AD6-1BCE-4F68-953C-7742B04EE2F7@ukbroadband.com>

On 6 Jan 2012, at 07:33, "Måns Nilsson" wrote:
>
> Thanks all who made me think a second round and solve this.

Hence why people prefer to ask people and not GOOG et-al.

-- 
Leigh Porter
From smb at cs.columbia.edu Fri Jan 6 07:59:50 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Fri, 6 Jan 2012 08:59:50 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
References: <14188.1325822415@turing-police.cc.vt.edu>

On Jan 5, 2012, at 11:05:37 PM, Suresh Ramasubramanian wrote:
> There's no shortage of stuff that reaches you 80..90 days after the fact
>
> The UK voluntary retention rules make a lot more sense, compared to "a
> few days", which is entirely impractical
>
> On Fri, Jan 6, 2012 at 9:30 AM, wrote:
>>
>> You need to track down a miscreant user *right now*? You got the last 48 hours
>> of logs right at hand. It's been a week? Meh, if somebody's been getting hit by
>> a DDoS for a week and is just now calling you, the fact they have a DDoS is the
>> least of their problems. Toss the logs. :)

The answer from the EFF is the same: retain what *you* have an operational or administrative need for. This is very different from a legislative mandate for multiyear retention.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From mcarey at kinber.org Fri Jan 6 08:15:13 2012
From: mcarey at kinber.org (Michael Carey)
Date: Fri, 6 Jan 2012 09:15:13 -0500
Subject: SSL Certificates

Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.

Thanks,

-- 
Michael D. Carey
KINBER Network Engineer
mcarey at kinber.org
M: 814.777.5027
GV: (814) 205-6773
Skype: KINBER.Mike.Carey

KINBER - Keystone Initiative for Network Based Education and Research - www.kinber.org
PennREN - Pennsylvania's Research and Education Network

From amcmillen at sliqua.com Fri Jan 6 08:18:11 2012
From: amcmillen at sliqua.com (Alexander McMillen)
Date: Fri, 6 Jan 2012 09:18:11 -0500
Subject: SSL Certificates
Message-ID: <47F96507-F894-4379-A4B9-2DFFC341DA1E@sliqua.com>

AlphaSSL is pretty solid, priced right too.

-- 
Alexander McMillen
Chief Executive Officer
Sliqua Enterprise Hosting, Inc. - AS32740
Serving up scale and service since 2002. Is your mission critical?
1-877-4-SLIQUA - http://www.sliqua.com - http://www.isyourmissioncritical.com

On Jan 6, 2012, at 9:15 AM, Michael Carey wrote:
> Looking for a recommendation on who to buy affordable and reputable SSL
> certificates from? Symantec, Thawte, and Comodo are the names that come to
> mind, just wondering if there are others folks use.
>
> Thanks,
>
> --
> Michael D. Carey
> KINBER Network Engineer
> mcarey at kinber.org
> M: 814.777.5027
> GV: (814) 205-6773
> Skype: KINBER.Mike.Carey
>
> KINBER - Keystone Initiative for Network Based Education and Research -
> www.kinber.org
> PennREN - Pennsylvania's Research and Education Network

From joshbaird at gmail.com Fri Jan 6 08:27:27 2012
From: joshbaird at gmail.com (Josh Baird)
Date: Fri, 6 Jan 2012 09:27:27 -0500
Subject: SSL Certificates

We typically stick with Network Solutions, and DigiCert for SAN certificates. VeriSign's prices are just insane.

On Fri, Jan 6, 2012 at 9:15 AM, Michael Carey wrote:
> Looking for a recommendation on who to buy affordable and reputable SSL
> certificates from? Symantec, Thawte, and Comodo are the names that come to
> mind, just wondering if there are others folks use.
>
> Thanks,
>
> --
> Michael D. Carey
> KINBER Network Engineer
> mcarey at kinber.org
> M: 814.777.5027
> GV: (814) 205-6773
> Skype: KINBER.Mike.Carey
>
> KINBER - Keystone Initiative for Network Based Education and Research -
> www.kinber.org
> PennREN - Pennsylvania's Research and Education Network

From mhuff at ox.com Fri Jan 6 08:32:15 2012
From: mhuff at ox.com (Matthew Huff)
Date: Fri, 6 Jan 2012 09:32:15 -0500
Subject: SSL Certificates
Message-ID: <483E6B0272B0284BA86D7596C40D29F901212BB19CAD@PUR-EXCH07.ox.com>

I've had good experience with Entrust. One thing to be careful with is some mobile devices (especially older Android ones) have limited root certificates. Network Solutions and Entrust work, some others, not so much. From my experience Android 2.3+ has most of the common root certs, but previous versions don't. I wonder if someone has a list comparing root certificate support across platforms?

----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-460-4139

> -----Original Message-----
> From: Michael Carey [mailto:mcarey at kinber.org]
> Sent: Friday, January 06, 2012 9:15 AM
> To: nanog at nanog.org
> Subject: SSL Certificates
>
> Looking for a recommendation on who to buy affordable and reputable SSL
> certificates from? Symantec, Thawte, and Comodo are the names that
> come to mind, just wondering if there are others folks use.
>
> Thanks,
>
> --
> Michael D. Carey
> KINBER Network Engineer
> mcarey at kinber.org
> M: 814.777.5027
> GV: (814) 205-6773
> Skype: KINBER.Mike.Carey
>
> KINBER - Keystone Initiative for Network Based Education and Research -
> www.kinber.org PennREN - Pennsylvania's Research and Education Network

From blake at pfankuch.me Fri Jan 6 08:55:07 2012
From: blake at pfankuch.me (Blake T. Pfankuch)
Date: Fri, 6 Jan 2012 14:55:07 +0000
Subject: SSL Certificates
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F901212BB19CAD@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F901212BB19CAD@PUR-EXCH07.ox.com>

We have been using GoDaddy for quite some time as they offer good deals if you call them in and buy in bulk. Mind you we manage certs for about 50-100 customers as well. Haven't had any issues with them not being trusted on mobile devices except for old windows mobile 5 and early 6 devices.

-----Original Message-----
From: Matthew Huff [mailto:mhuff at ox.com]
Sent: Friday, January 06, 2012 7:32 AM
To: 'Michael Carey'; nanog at nanog.org
Subject: RE: SSL Certificates

I've had good experience with Entrust. One thing to be careful with is some mobile devices (especially older Android ones) have limited root certificates. Network Solutions and Entrust work, some others, not so much. From my experience Android 2.3+ has most of the common root certs, but previous versions don't. I wonder if someone has a list comparing root certificate support across platforms?

----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-460-4139

> -----Original Message-----
> From: Michael Carey [mailto:mcarey at kinber.org]
> Sent: Friday, January 06, 2012 9:15 AM
> To: nanog at nanog.org
> Subject: SSL Certificates
>
> Looking for a recommendation on who to buy affordable and reputable
> SSL certificates from? Symantec, Thawte, and Comodo are the names
> that come to mind, just wondering if there are others folks use.
>
> Thanks,
>
> --
> Michael D. Carey
> KINBER Network Engineer
> mcarey at kinber.org
> M: 814.777.5027
> GV: (814) 205-6773
> Skype: KINBER.Mike.Carey
>
> KINBER - Keystone Initiative for Network Based Education and Research
> - www.kinber.org PennREN - Pennsylvania's Research and Education
> Network

From graham at g-rock.net Fri Jan 6 09:08:28 2012
From: graham at g-rock.net (graham@g-rock.net)
Date: Fri, 06 Jan 2012 09:08:28 -0600
Subject: Re: SSL Certificates

We use rapidssl. Seems to be ok across the board. No reports otherwise.

Sent from my HTC on the Now Network from Sprint!

----- Reply message -----
From: "Michael Carey"
Date: Fri, Jan 6, 2012 8:15 am
Subject: SSL Certificates
To:

Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.

Thanks,

-- 
Michael D. Carey
KINBER Network Engineer
mcarey at kinber.org
M: 814.777.5027
GV: (814) 205-6773
Skype: KINBER.Mike.Carey

KINBER - Keystone Initiative for Network Based Education and Research - www.kinber.org
PennREN - Pennsylvania's Research and Education Network

From morrowc.lists at gmail.com Fri Jan 6 09:08:55 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Fri, 6 Jan 2012 10:08:55 -0500
Subject: SSL Certificates
References: <483E6B0272B0284BA86D7596C40D29F901212BB19CAD@PUR-EXCH07.ox.com>

>> From: Michael Carey [mailto:mcarey at kinber.org]
>> Sent: Friday, January 06, 2012 9:15 AM
>> To: nanog at nanog.org
>> Subject: SSL Certificates
>>
>> Looking for a recommendation on who to buy affordable and reputable
>> SSL certificates from? Symantec, Thawte, and Comodo are the names
>> that come to mind, just wondering if there are others folks use.

startssl.com - free certs that work in apple-mail, chrome, ff, ie, tbird, across mac/linux/windows... you can't beat free.
(you do have to update yearly, but it's not painful, and is probably worth doing as practice anyway)

-chris

From alan at clegg.com Fri Jan 6 09:12:37 2012
From: alan at clegg.com (Alan Clegg)
Date: Fri, 06 Jan 2012 10:12:37 -0500
Subject: looking for traffic sources aimed at 192.153.154.124
Message-ID: <4F070F65.20605@clegg.com>

If anyone has some spare cycles and wants to help disrupt a DDoS, if you can look for traffic sourced within your network, destination 192.153.154.124 port 80, I'd appreciate it.

I've been under attack for about the last 12 hours.

Other pointers to resources to trace the miscreants responsible would also be appreciated.

Thanks,
AlanC

-- 
alan at clegg.com | aclegg at infoblox.com
1.919.355.8851

From Valdis.Kletnieks at vt.edu Fri Jan 6 09:31:13 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 06 Jan 2012 10:31:13 -0500
Subject: looking for traffic sources aimed at 192.153.154.124
In-Reply-To: Your message of "Fri, 06 Jan 2012 10:12:37 EST." <4F070F65.20605@clegg.com>
References: <4F070F65.20605@clegg.com>
Message-ID: <45901.1325863873@turing-police.cc.vt.edu>

On Fri, 06 Jan 2012 10:12:37 EST, Alan Clegg said:
> I've been under attack for about the last 12 hours.
>
> Other pointers to resources to trace the miscreants responsible would
> also be appreciated.

To tie this in to another thread - Alan is somebody who understands you probably have operational logs going back 12 hours, but won't have them 90 days from now, so he's asking now. :)

From ka at pacific.net Fri Jan 6 09:31:46 2012
From: ka at pacific.net (Ken A)
Date: Fri, 06 Jan 2012 09:31:46 -0600
Subject: SSL Certificates
Message-ID: <4F0713E2.4060004@pacific.net>

theSSLstore has good reseller pricing on a variety of certs. ~ $10 domain validated rapidssl certs in about 5 minutes. More expensive and time consuming certs are available, Verisign, Geotrust, Thawte, greenbars, wildcards, etc.

Ken

On 1/6/2012 8:15 AM, Michael Carey wrote:
> Looking for a recommendation on who to buy affordable and reputable SSL
> certificates from? Symantec, Thawte, and Comodo are the names that come to
> mind, just wondering if there are others folks use.
>
> Thanks,
>

-- 
Ken Anderson
Pacific Internet - http://www.pacific.net

From ryanshea at google.com Fri Jan 6 10:13:45 2012
From: ryanshea at google.com (Ryan Shea)
Date: Fri, 6 Jan 2012 11:13:45 -0500
Subject: Router Assessment Tool

I think it is actually Router Audit Tool rather than assessment no? I'm not sure that NMAP is an appropriate substitute for a configuration audit tool, but it's not a bad idea to do some accounting of what ports are open for business on your devices. I have had some limited success with RAT at prior jobs, and in fact at UUNet/VzB, but IIRC it really was not a tool which could be readily used to build new audit rules. Although it is an okay starting point for some generic audits, you may be best served by rolling your own, which is what I did there.

On Thu, Jan 5, 2012 at 4:09 PM, Christopher Morrow wrote:
> On Thu, Jan 5, 2012 at 12:11 PM, Green, Timothy wrote:
> > Happy New Year All!!!
> >
> > I'm trying to perform STIG compliancy on various Cisco equipment. Has
> anybody used the Router Assessment Tool (RAT) for routers and switches?
> Any cheap (free) recommendations? As a last ditch effort I could use NMAP.
> >
> >
> uunet did for a time use a variant of RAT... you may get some mileage
> asking George Jones about it.
>

From berni at birkenwald.de Fri Jan 6 13:16:50 2012
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Fri, 6 Jan 2012 19:16:50 +0000 (UTC)
Subject: incoming smtp from v6 addresses

Randy Bush wrote:
> for incoming mail that is *accepted*, i.e. not stuff like
> 2012-01-04 00:37:28 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org
> 2012-01-04 00:37:28 H=(nexo.es) [118.39.80.118] F= rejected RCPT : blocked because 118.39.80.118 is in blacklist at rbl-plus.mail-abuse.org: Mail from 118.39.80.118 blocked using Trend Micro Email Reputation database. Please see
> 2012-01-04 00:37:28 no host name found for IP address 118.39.80.118
> 2012-01-04 00:37:29 REJECT 118.39.80.118 too many bad recip
> 2012-01-04 00:37:29 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org
>
> 7.8% is over ipv6 transport
>
> but only 2% of outgoing deliveries are over ipv6.
>
> what do other folk see?

Main inbound MX for a large educational institution sees around 5% of mails coming in via IPv6. Might be a bit biased due to holiday season. Outbound is mostly running on legacy servers without IPv6, yet :-(

Bernhard

From cscora at apnic.net Fri Jan 6 13:25:22 2012
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 7 Jan 2012 05:25:22 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201201061925.q06JPMSr007491@thyme.rand.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith.
Routing Table Report   04:00 +10GMT Sat 07 Jan, 2012

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                              388994
    Prefixes after maximum aggregation:                          168547
    Deaggregation factor:                                          2.31
    Unique aggregates announced to Internet:                     190697
Total ASes present in the Internet Routing Table:                 39774
    Prefixes per ASN:                                              9.78
Origin-only ASes present in the Internet Routing Table:           32587
Origin ASes announcing only one prefix:                           15529
Transit ASes present in the Internet Routing Table:                5365
Transit-only ASes present in the Internet Routing Table:            140
Average AS path length visible in the Internet Routing Table:       4.3
Max AS path length visible:                                          33
Max AS path prepend of ASN (48687)                                   24
Prefixes from unregistered ASNs in the Routing Table:              2082
Unregistered ASNs in the Routing Table:                            1044
Number of 32-bit ASNs allocated by the RIRs:                       2160
Number of 32-bit ASNs visible in the Routing Table:                1822
Prefixes from 32-bit ASNs in the Routing Table:                    4340
Special use prefixes present in the Routing Table:                    2
Prefixes being announced from unallocated address space:            120
Number of addresses announced to Internet:                   2506673712
    Equivalent to 149 /8s, 104 /16s and 206 /24s
Percentage of available address space announced:                   67.6
Percentage of allocated address space announced:                   67.6
Percentage of available address space allocated:                  100.0
Percentage of address space in use by end-sites:                   91.9
Total number of prefixes smaller than registry allocations:      164906

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                    96263
    Total APNIC prefixes after maximum aggregation:               31431
    APNIC Deaggregation factor:                                    3.06
Prefixes being announced from the APNIC address blocks:           92611
    Unique aggregates announced from the APNIC address blocks:    38795
APNIC Region origin ASes present in the Internet Routing Table:    4630
    APNIC Prefixes per ASN:                                       20.00
APNIC Region origin ASes announcing only one prefix:               1254
APNIC Region transit ASes present in the Internet Routing Table:    730
Average APNIC Region AS path length visible:                        4.3
Max APNIC Region AS path length visible:                             18
Number of APNIC region 32-bit ASNs visible in the Routing Table:    125
Number of APNIC addresses announced to Internet:              633118080
    Equivalent to 37 /8s, 188 /16s and 157 /24s
Percentage of available APNIC address space announced:             80.3

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 131072-132095, 132096-133119
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
                        49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
                       106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
                       116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
                       123/8, 124/8, 125/8, 126/8, 133/8, 175/8, 180/8,
                       182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8,
                       219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                    147034
    Total ARIN prefixes after maximum aggregation:                74945
    ARIN Deaggregation factor:                                     1.96
Prefixes being announced from the ARIN address blocks:           119074
    Unique aggregates announced from the ARIN address blocks:     49000
ARIN Region origin ASes present in the Internet Routing Table:    14841
    ARIN Prefixes per ASN:                                         8.02
ARIN Region origin ASes announcing only one prefix:                5683
ARIN Region transit ASes present in the Internet Routing Table:    1574
Average ARIN Region AS path length visible:                         4.0
Max ARIN Region AS path length visible:                              25
Number of ARIN region 32-bit ASNs visible in the Routing Table:      14
Number of ARIN addresses announced to Internet:               804838592
    Equivalent to 47 /8s, 248 /16s and 220 /24s
Percentage of available ARIN address space announced:              64.0

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 393216-394239
ARIN Address Blocks      3/8,   4/8,   6/8,   7/8,   8/8,   9/8,  11/8,
                        12/8,  13/8,  15/8,  16/8,  17/8,  18/8,  19/8,
                        20/8,  21/8,  22/8,  23/8,  24/8,  26/8,  28/8,
                        29/8,  30/8,  32/8,  33/8,  34/8,  35/8,  38/8,
                        40/8,  44/8,  45/8,  47/8,  48/8,  50/8,  52/8,
                        53/8,  54/8,  55/8,  56/8,  57/8,  63/8,  64/8,
                        65/8,  66/8,  67/8,  68/8,  69/8,  70/8,  71/8,
                        72/8,  73/8,  74/8,  75/8,  76/8,  96/8,  97/8,
                        98/8,  99/8, 100/8, 104/8, 107/8, 108/8, 173/8,
                       174/8, 184/8, 199/8, 204/8, 205/8, 206/8, 207/8,
                       208/8, 209/8, 214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                     95494
    Total RIPE prefixes after maximum aggregation:                51954
    RIPE Deaggregation factor:                                     1.84
Prefixes being announced from the RIPE address blocks:            87490
    Unique aggregates announced from the RIPE address blocks:     55635
RIPE Region origin ASes present in the Internet Routing Table:    16229
    RIPE Prefixes per ASN:                                         5.39
RIPE Region origin ASes announcing only one prefix:                7979
RIPE Region transit ASes present in the Internet Routing Table:    2578
Average RIPE Region AS path length visible:                         4.6
Max RIPE Region AS path length visible:                              33
Number of RIPE region 32-bit ASNs visible in the Routing Table:    1269
Number of RIPE addresses announced to Internet:               496218056
    Equivalent to 29 /8s, 147 /16s and 175 /24s
Percentage of available RIPE address space announced:              79.9

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 56320-58367
                       196608-198655
RIPE Address Blocks      2/8,   5/8,  25/8,  31/8,  37/8,  46/8,  51/8,
                        62/8,  77/8,  78/8,  79/8,  80/8,  81/8,  82/8,
                        83/8,  84/8,  85/8,  86/8,  87/8,  88/8,  89/8,
                        90/8,  91/8,  92/8,  93/8,  94/8,  95/8, 109/8,
                       176/8, 178/8, 185/8, 193/8, 194/8, 195/8, 212/8,
                       213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:                   37108
    Total LACNIC prefixes after maximum aggregation:               8068
    LACNIC Deaggregation factor:                                   4.60
Prefixes being announced from the LACNIC address blocks:          36658
    Unique aggregates announced from the LACNIC address blocks:   19174
LACNIC Region origin ASes present in the Internet Routing Table:   1561
    LACNIC Prefixes per ASN:                                      23.48
LACNIC Region origin ASes announcing only one prefix:               448
LACNIC Region transit ASes present in the Internet Routing Table:   287
Average LACNIC Region AS path length visible:                       4.5
Max LACNIC Region AS path length visible:                            24
Number of LACNIC region 32-bit ASNs visible in the Routing Table:   410
Number of LACNIC addresses announced to Internet:              95243144
    Equivalent to 5 /8s, 173 /16s and 75 /24s
Percentage of available LACNIC address space announced:            63.1

LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 262144-263167
                       plus ERX transfers
LACNIC Address Blocks  177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8,
                       200/8, 201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:                   8593
    Total AfriNIC prefixes after maximum aggregation:              2076
    AfriNIC Deaggregation factor:                                  4.14
Prefixes being announced from the AfriNIC address blocks:          6622
    Unique aggregates announced from the AfriNIC address blocks:   2089
AfriNIC Region origin ASes present in the Internet Routing Table:   509
    AfriNIC Prefixes per ASN:                                     13.01
AfriNIC Region origin ASes announcing only one prefix:              165
AfriNIC Region transit ASes present in the Internet Routing Table:  116
Average AfriNIC Region AS path length visible:                      4.6
Max AfriNIC Region AS path length visible:                           25
Number of AfriNIC region 32-bit ASNs visible in the Routing Table:    4
Number of AfriNIC addresses announced to Internet:             30739456
    Equivalent to 1 /8s, 213 /16s and 12 /24s
Percentage of available AfriNIC address space announced:           45.8

AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks  41/8, 102/8, 105/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
4766        2467      11099     965  Korea Telecom (KIX)
17974       1719        503      37  PT TELEKOMUNIKASI INDONESIA
7545        1630        303      86  TPG Internet Pty Ltd
4755        1517        385     157  TATA Communications formerly
7552        1409       1064       7  Vietel Corporation
9829        1172        989      28  BSNL National Internet Backbo
9583        1111         81     496  Sify Limited
4808        1091       2036     310  CNCGROUP IP network: China169
24560        986        381     164  Bharti Airtel Ltd., Telemedia
18101        975        131     156  Reliance Infocom Ltd Internet

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389        3476       3814     217  bellsouth.net, inc.
7029        3161       1017     200  Windstream Communications Inc
18566       2093        382     177  Covad Communications
1785        1864        680     122  PaeTec Communications, Inc.
4323        1620       1065     385  Time Warner Telecom
20115       1616       1551     619  Charter Communications
22773       1518       2909     107  Cox Communications, Inc.
30036       1484        264     691  Mediacom Communications Corp
19262       1389       4683     401  Verizon Global Networks
7018        1302       7013     853  AT&T WorldNet Services

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8402        1564        480      15  Corbina telecom
15557       1096       2161      64  LDCOM NETWORKS
2118         672         99      14  EUnet/RELCOM Autonomous Syste
6830         645       1928     414  UPC Distribution Services
34984        636        132     198  BILISIM TELEKOM
20940        563        183     449  Akamai Technologies European
12479        551        636      53  Uni2 Autonomous System
3320         531       8162     397  Deutsche Telekom AG
8551         504        360      81  Bezeq International
3292         480       2106     407  TDC Tele Danmark

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
10620       1721        319     159  TVCABLE BOGOTA
28573       1573       1064      76  NET Servicos de Comunicao S.A
8151        1459       2989     346  UniNet S.A. de C.V.
7303        1255        756     178  Telecom Argentina Stet-France
27947        632         73      95  Telconet S.A
22047        582        322      17  VTR PUNTO NET S.A.
7738         551       1050      31  Telecomunicacoes da Bahia S.A
3816         547        237      91  Empresa Nacional de Telecomun
6503         538        434      67  AVANTEL, S.A.
11172        533         86      99  Servicios Alestra S.A de C.V

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8452        1032        958      13  TEDATA
24863        794        146      36  LINKdotNET AS number
3741         280        939     229  The Internet Solution
6713         250        649      18  Itissalat Al-MAGHRIB
15706        242         32       6  Sudatel Internet Exchange Aut
33776        240         13       8  Starcomms Nigeria Limited
29571        217         17      13  Ci Telecom Autonomous system
12258        195         28      60  Vodacom Internet Company
24835        191         80       8  RAYA Telecom - Egypt
16637        160        664      82  MTN Network Solutions

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389        3476       3814     217  bellsouth.net, inc.
7029        3161       1017     200  Windstream Communications Inc
4766        2467      11099     965  Korea Telecom (KIX)
18566       2093        382     177  Covad Communications
1785        1864        680     122  PaeTec Communications, Inc.
10620       1721        319     159  TVCABLE BOGOTA
17974       1719        503      37  PT TELEKOMUNIKASI INDONESIA
7545        1630        303      86  TPG Internet Pty Ltd
4323        1620       1065     385  Time Warner Telecom
20115       1616       1551     619  Charter Communications

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN    No of nets  Net Savings  Description
7029        3161         2961  Windstream Communications Inc
18566       2093         1916  Covad Communications
1785        1864         1742  PaeTec Communications, Inc.
17974       1719         1682  PT TELEKOMUNIKASI INDONESIA
10620       1721         1562  TVCABLE BOGOTA
8402        1564         1549  Corbina telecom
7545        1630         1544  TPG Internet Pty Ltd
4766        2467         1502  Korea Telecom (KIX)
28573       1573         1497  NET Servicos de Comunicao S.A
22773       1518         1411  Cox Communications, Inc.

Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network          Transit AS  Description
15132   UNALLOCATED  12.9.150.0/24    7018        AT&T WorldNet Servic
32567   UNALLOCATED  12.14.170.0/24   4323        Time Warner Telecom
32567   UNALLOCATED  12.25.107.0/24   4323        Time Warner Telecom
25639   UNALLOCATED  12.41.169.0/24   7018        AT&T WorldNet Servic
13317   UNALLOCATED  12.44.10.0/24    7018        AT&T WorldNet Servic
23502   UNALLOCATED  12.44.44.0/24    7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.103.0/24   7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.110.0/24   701         UUNET Technologies,
16476   UNALLOCATED  12.46.27.0/24    7018        AT&T WorldNet Servic
32873   UNALLOCATED  12.46.100.0/23   10912       InterNAP Network Ser

Complete listing at http://thyme.rand.apnic.net/current/data-badAS

Prefixes from private and non-routed address space (Global)
-----------------------------------------------------------

Prefix          Origin AS  Description
128.0.0.0/21    12654      RIPE NCC RIS Project
128.0.24.0/24   12654      RIPE NCC RIS Project

Complete listing at http://thyme.rand.apnic.net/current/data-dsua

Advertised Unallocated Addresses
--------------------------------

Network         Origin AS  Description
14.192.0.0/22   45464      Room 201, TGU Bldg
14.192.4.0/22   45464      Room 201, TGU Bldg
14.192.8.0/22   45464      Room 201, TGU Bldg
14.192.12.0/22  45464      Room 201, TGU Bldg
14.192.16.0/22  45464      Room 201, TGU Bldg
14.192.20.0/22  45464      Room 201, TGU Bldg
14.192.24.0/22  45464      Room 201, TGU Bldg
14.192.28.0/22  45464      Room 201, TGU Bldg
37.35.8.0/21    8400       "TELEKOM SRBIJA" a.d.
37.35.64.0/21 33983 IP network of ARTMOTION n.p.s Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA Number of prefixes announced per prefix length (Global) ------------------------------------------------------- /1:0 /2:0 /3:0 /4:0 /5:0 /6:0 /7:0 /8:19 /9:12 /10:27 /11:81 /12:237 /13:465 /14:815 /15:1453 /16:12097 /17:6127 /18:10171 /19:20180 /20:27922 /21:28372 /22:38717 /23:36054 /24:202631 /25:1177 /26:1403 /27:780 /28:167 /29:55 /30:14 /31:0 /32:18 Advertised prefixes smaller than registry allocations ----------------------------------------------------- ASN No of nets Total ann. Description 7029 2789 3161 Windstream Communications Inc 6389 2121 3476 bellsouth.net, inc. 18566 2042 2093 Covad Communications 10620 1616 1721 TVCABLE BOGOTA 8402 1543 1564 Corbina telecom 30036 1443 1484 Mediacom Communications Corp 11492 1115 1152 Cable One 1785 1066 1864 PaeTec Communications, Inc. 7011 1051 1168 Citizens Utilities 15557 1046 1096 LDCOM NETWORKS Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos Number of /24s announced per /8 block (Global) ---------------------------------------------- 1:494 2:417 4:15 5:1 6:3 8:364 12:1949 13:1 14:583 15:11 16:3 17:7 20:9 23:85 24:1717 27:1171 31:787 32:67 33:2 34:2 36:4 37:15 38:794 40:114 41:3004 42:85 43:1 44:3 46:1166 47:3 49:297 50:501 52:13 55:6 56:2 57:41 58:942 59:487 60:343 61:1177 62:938 63:1966 64:4116 65:2302 66:4368 67:1989 68:1165 69:3147 70:921 71:419 72:1787 74:2645 75:442 76:321 77:940 78:894 79:501 80:1187 81:859 82:523 83:530 84:581 85:1167 86:748 87:911 88:349 89:1583 90:261 91:4403 92:534 93:1523 94:1336 95:1049 96:401 97:295 98:788 99:38 100:18 101:127 103:612 106:10 107:126 108:101 109:1422 110:681 111:835 112:429 113:494 114:599 115:738 116:867 117:724 118:889 119:1234 120:386 121:673 122:1621 123:1051 124:1338 125:1351 128:536 129:192 130:189 131:586 132:163 133:21 134:226 135:54 136:213 137:151 138:286 139:135 140:490 141:261 142:379 143:403 144:501 145:67 
146:474 147:222 148:632 149:276 150:165 151:192 152:444 153:169 154:7 155:393 156:210 157:366 158:155 159:511 160:345 161:221 162:336 163:187 164:523 165:393 166:552 167:454 168:816 169:147 170:828 171:95 172:4 173:1785 174:588 175:417 176:333 177:442 178:1169 180:1215 181:43 182:686 183:267 184:422 185:1 186:1479 187:816 188:1006 189:1169 190:5328 192:5988 193:5447 194:3788 195:3192 196:1286 197:174 198:3619 199:4256 200:5570 201:1690 202:8512 203:8592 204:4342 205:2423 206:2701 207:2803 208:4009 209:3545 210:2747 211:1477 212:1963 213:1813 214:837 215:93 216:4909 217:1478 218:568 219:338 220:1243 221:563 222:324 223:266

End of report

From packetjockey at gmail.com Fri Jan 6 13:38:19 2012
From: packetjockey at gmail.com (Rafael Rodriguez)
Date: Fri, 6 Jan 2012 14:38:19 -0500
Subject: Automate Peering Maintenance
Message-ID:

Hello list,

Want to ping the list and see how the operational community automates peering maintenance. I've spoken to a few folks and this seems completely foreign to them. By 'automate' I mean creating and updating dynamically (runs periodically) prefix and/or AS-Path filters from IRR data and directly applying the configuration to routers. I'm currently looking at bgpq, RtConfig, and IRRToolSet for generating the prefix and AS-Path filters but haven't been able to find anything that does the automatic re-provisioning/re-configuration of the peering sessions. Would be looking for tool(s) that are Junos friendly. Thanks!

Cheers,
RR

From bonald at gmail.com Fri Jan 6 14:31:22 2012
From: bonald at gmail.com (Bonald)
Date: Fri, 6 Jan 2012 16:31:22 -0400
Subject: QinQ switch or similar
Message-ID:

Hi,
We need to purchase some switch that supports 1 Gbit QinQ. Any suggestions? We need to connect 9 schools together at layer 2. All 9 schools have a 1 Gb link from our provider; the provider gave us 5 VLANs to work with. We have around 35 VLANs in-house.

We are low budget. Any recommendation besides QinQ?
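The prefix-filter half of Rafael Rodriguez's question above, as an added example that is not part of the original thread and is not bgpq, RtConfig or IRRToolSet code: it parses RPSL route objects, drops bogons, over-long prefixes and more-specifics already covered by a registered less-specific, renders a Junos import policy, and diffs the result against the filters already on the box so that only the delta is pushed. The IRR text, the as-set name AS-EXAMPLE, its member ASNs and the router's "current" state are constructed for illustration.

```python
"""IRR route objects -> Junos import policy, plus a diff against the router.

Added example for the "Automate Peering Maintenance" question in this thread;
not code from any poster nor from bgpq, RtConfig or IRRToolSet. The IRR text,
the as-set AS-EXAMPLE, its member ASNs and the "current" router state are all
constructed for illustration.
"""
import ipaddress
import re

# Constructed sample in RPSL 'route:' object form, reduced to the attributes used.
SAMPLE_IRR = """\
route:   192.0.2.0/24
origin:  AS64496

route:   198.51.100.0/22
origin:  AS64496

route:   198.51.100.0/24
origin:  AS64496

route:   10.0.0.0/8
origin:  AS64496

route:   203.0.113.0/25
origin:  AS64497

route:   203.0.113.0/24
origin:  AS64497
"""

# Constructed expansion of the peer's as-set (a real run resolves it via IRR).
AS_SET_MEMBERS = {"AS-EXAMPLE": {64496, 64497}}

# Assumption: a minimal bogon list. A real one also carries the RFC 5737
# documentation ranges, omitted here only because the sample uses them.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def parse_route_objects(text):
    """[(network, origin_asn), ...] from blank-line separated route/route6 objects."""
    routes = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict((k.strip().lower(), v.strip())
                     for k, _, v in (line.partition(":") for line in block.splitlines()))
        prefix = attrs.get("route") or attrs.get("route6")
        origin = attrs.get("origin", "").upper()
        if prefix and origin.startswith("AS") and origin[2:].isdigit():
            routes.append((ipaddress.ip_network(prefix, strict=True), int(origin[2:])))
    return routes


def build_prefix_set(routes, member_asns, max_len=24):
    """Prefixes the peer may announce: origin in the as-set, not a bogon, not longer
    than max_len, and not already covered by a registered less-specific. Adjacent
    prefixes are not merged: a merged supernet would accept a route nobody registered."""
    candidates = sorted(
        {net for net, asn in routes if asn in member_asns and net.prefixlen <= max_len
         and not any(net.subnet_of(b) for b in BOGONS if b.version == net.version)},
        key=lambda n: (n.version, n.prefixlen, int(n.network_address)))
    kept = []
    for net in candidates:
        if not any(net.subnet_of(k) for k in kept if k.version == net.version):
            kept.append(net)
    return kept


def route_filters(nets, max_len=24):
    """Junos route-filter operands: the registered prefix plus more-specifics up to max_len."""
    return [f"{n} upto /{max_len}" if n.prefixlen < max_len else f"{n} exact" for n in nets]


def render_junos(policy, filters):
    """Set-style Junos configuration for the complete import policy."""
    stem = f"set policy-options policy-statement {policy}"
    return ([f"{stem} term irr from route-filter {f}" for f in filters]
            + [f"{stem} term irr then accept", f"{stem} term deny then reject"])


def plan_changes(policy, current, desired):
    """(deletes, adds) as Junos delete/set lines. An empty desired set is what a failed
    IRR query looks like; applying it would reject every prefix from the peer, so refuse."""
    if not desired:
        raise ValueError("refusing to plan against an empty prefix set")
    stem = f"policy-options policy-statement {policy} term irr from route-filter"
    return ([f"delete {stem} {f}" for f in sorted(set(current) - set(desired))],
            [f"set {stem} {f}" for f in sorted(set(desired) - set(current))])


if __name__ == "__main__":
    desired = route_filters(build_prefix_set(parse_route_objects(SAMPLE_IRR),
                                             AS_SET_MEMBERS["AS-EXAMPLE"]))
    current = ["192.0.2.0/24 exact", "198.51.100.0/24 exact"]  # constructed router state
    print("\n".join(render_junos("IMPORT-AS-EXAMPLE", desired)))
    deletes, adds = plan_changes("IMPORT-AS-EXAMPLE", current, desired)
    print("\n".join(deletes + adds))
```

The refusal to plan against an empty set is the check that matters operationally: an IRR server timeout must not turn into a policy that drops every route from the peer. Push the delta under `commit confirmed` so a bad change rolls back by itself, and keep in mind that the filter is only as trustworthy as the route objects behind it.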
From mike.lyon at gmail.com Fri Jan 6 14:39:16 2012
From: mike.lyon at gmail.com (Mike Lyon)
Date: Fri, 6 Jan 2012 12:39:16 -0800
Subject: QinQ switch or similar
In-Reply-To:
References:
Message-ID: <-3847818410115600494@unknownmsgid>

Check out the Mikrotik Routerboards. Low cost and extremely versatile.
www.mikrotik.com

Cheers,
Mike

Sent from my iPhone

On Jan 6, 2012, at 12:32, Bonald wrote:

> Hi,
> We need to purchase some switch that supports 1 Gbit QinQ.
> Any suggestions? We need to connect 9 schools together at layer 2.
> All 9 schools have a 1 Gb link from our provider; the provider gave us 5 VLANs to
> work with.
> We have around 35 VLANs in-house.
>
> We are low budget. Any recommendation besides QinQ?

From cidr-report at potaroo.net Fri Jan 6 16:00:00 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 6 Jan 2012 22:00:00 GMT
Subject: BGP Update Report
Message-ID: <201201062200.q06M00oE000120@wattle.apnic.net>

BGP Update Report
Interval: 29-Dec-11 -to- 05-Jan-12 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS17665 166462 12.0% 2107.1 -- IN2CABLE-AP AS Number of In2cable.com (India) Ltd.
2 - AS42116 99564 7.2% 1914.7 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 3 - AS8402 38327 2.8% 58.4 -- CORBINA-AS OJSC "Vimpelcom" 4 - AS9829 37920 2.7% 66.5 -- BSNL-NIB National Internet Backbone 5 - AS32528 24000 1.7% 12000.0 -- ABBOTT Abbot Labs 6 - AS7552 21159 1.5% 21.4 -- VIETEL-AS-AP Vietel Corporation 7 - AS24560 20453 1.5% 21.0 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services 8 - AS20632 20290 1.5% 20290.0 -- PETERSTAR-AS PeterStar 9 - AS6072 16016 1.2% 1144.0 -- UNISYS-6072 For routing issues, email hostmaster at unisys.com 10 - AS19223 12809 0.9% 12809.0 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions 11 - AS5800 11895 0.9% 42.5 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center 12 - AS17639 10537 0.8% 114.5 -- COMCLARK-AS ComClark Network & Technology Corp. 13 - AS28885 10272 0.7% 79.0 -- OMANTEL-NAP-AS OmanTel NAP 14 - AS9498 9372 0.7% 8.7 -- BBIL-AP BHARTI Airtel Ltd. 15 - AS27738 9066 0.7% 26.6 -- Ecuadortelecom S.A. 16 - AS27947 8433 0.6% 15.2 -- Telconet S.A 17 - AS27051 7814 0.6% 244.2 -- DNIC-ASBLK-27032-27159 - DoD Network Information Center 18 - AS5089 7793 0.6% 185.5 -- NTL Virgin Media Limited 19 - AS14522 7792 0.6% 29.1 -- Satnet 20 - AS30036 7403 0.5% 7.1 -- MEDIACOM-ENTERPRISE-BUSINESS - Mediacom Communications Corp TOP 20 Unstable Origin AS (Updates per announced prefix) Rank ASN Upds % Upds/Pfx AS-Name 1 - AS20632 20290 1.5% 20290.0 -- PETERSTAR-AS PeterStar 2 - AS19223 12809 0.9% 12809.0 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions 3 - AS32528 24000 1.7% 12000.0 -- ABBOTT Abbot Labs 4 - AS27295 6636 0.5% 6636.0 -- GENICA - Genica Corporation 5 - AS39353 5728 0.4% 5728.0 -- PRINCAST-AS Gobierno del Principado de Asturias 6 - AS10209 4914 0.4% 4914.0 -- SYNOPSYS-AS-JP-AP Japan HUB and Data Center 7 - AS45723 3797 0.3% 3797.0 -- OMADATA-AS-ID Omadata Indonesia, PT 8 - AS17408 3277 0.2% 3277.0 -- ABOVE-AS-AP AboveNet Communications Taiwan 9 - AS17665 166462 12.0% 2107.1 -- IN2CABLE-AP AS Number of In2cable.com (India) 
Ltd. 10 - AS42116 99564 7.2% 1914.7 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 11 - AS6072 16016 1.2% 1144.0 -- UNISYS-6072 For routing issues, email hostmaster at unisys.com 12 - AS45704 2031 0.1% 1015.5 -- INTERDATA-AS-ID MEDIA INTERDATA, PT 13 - AS14240 1910 0.1% 955.0 -- PMC-AS-1 - PMC-Sierra, INC. 14 - AS53362 938 0.1% 938.0 -- MIXIT-AS - Mixit, Inc. 15 - AS3 743 0.1% 1587.0 -- FIRSTEASY-AS 1st Easy Limited 16 - AS56939 602 0.0% 602.0 -- CREDOS Credo-S Ltd. 17 - AS21271 572 0.0% 572.0 -- SOTELMABGP 18 - AS17370 565 0.0% 565.0 -- MCAFEE-COM - McAfee, Inc. 19 - AS18804 1061 0.1% 530.5 -- AKCIN - AKCIN INC. 20 - AS46510 530 0.0% 530.0 -- ACS-EDUCATION-SERVICES - ACS Education Services TOP 20 Unstable Prefixes Rank Prefix Upds % Origin AS -- AS Name 1 - 84.204.132.0/24 20290 1.4% AS20632 -- PETERSTAR-AS PeterStar 2 - 67.97.156.0/24 12809 0.9% AS19223 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions 3 - 130.36.34.0/24 12000 0.8% AS32528 -- ABBOTT Abbot Labs 4 - 130.36.35.0/24 12000 0.8% AS32528 -- ABBOTT Abbot Labs 5 - 203.192.248.0/23 10339 0.7% AS17665 -- IN2CABLE-AP AS Number of In2cable.com (India) Ltd. 6 - 203.194.96.0/20 10223 0.7% AS17665 -- IN2CABLE-AP AS Number of In2cable.com (India) Ltd. 
7 - 202.56.215.0/24 7441 0.5% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services 8 - 12.202.99.0/24 6636 0.5% AS27295 -- GENICA - Genica Corporation 9 - 46.147.124.0/22 6574 0.5% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 10 - 46.147.108.0/22 6570 0.5% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 11 - 46.147.120.0/22 6563 0.5% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 12 - 95.78.4.0/22 6556 0.5% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 13 - 95.78.84.0/22 6544 0.5% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 14 - 95.78.20.0/22 6537 0.5% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 15 - 95.78.88.0/22 6525 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 16 - 95.78.96.0/22 6508 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 17 - 95.78.92.0/22 6507 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 18 - 95.78.100.0/22 6499 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 19 - 95.78.108.0/22 6497 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" 20 - 95.78.116.0/22 6471 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding" Details at http://bgpupdates.potaroo.net ------------------------------------ Copies of this report are mailed to: nanog at nanog.org eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org From cidr-report at potaroo.net Fri Jan 6 16:00:00 2012 From: cidr-report at potaroo.net (cidr-report at potaroo.net) Date: Fri, 6 Jan 2012 22:00:00 GMT Subject: The Cidr Report Message-ID: <201201062200.q06M0021000114@wattle.apnic.net> This report has been generated at Fri Jan 6 21:12:32 2012 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org for a current version of this report. 
Recent Table History Date Prefixes CIDR Agg 30-12-11 390109 227812 31-12-11 390100 227934 01-01-12 390038 227925 02-01-12 390086 227921 03-01-12 390131 228113 04-01-12 390399 228366 05-01-12 390766 228275 06-01-12 391121 228173 AS Summary 39862 Number of ASes in routing system 16752 Number of ASes announcing only one prefix 3476 Largest number of prefixes announced by an AS AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc. 109506048 Largest address span announced by an AS (/32s) AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street Aggregation Summary The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes'). --- 06Jan12 --- ASnum NetsNow NetsAggr NetGain % Gain Description Table 391113 228127 162986 41.7% All ASes AS6389 3476 220 3256 93.7% BELLSOUTH-NET-BLK - BellSouth.net Inc. AS7029 3202 1486 1716 53.6% WINDSTREAM - Windstream Communications Inc AS18566 2093 413 1680 80.3% COVAD - Covad Communications Co. AS4766 2475 992 1483 59.9% KIXS-AS-KR Korea Telecom AS22773 1518 116 1402 92.4% ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. AS4755 1514 198 1316 86.9% TATACOMM-AS TATA Communications formerly VSNL is Leading ISP AS4323 1621 387 1234 76.1% TWTC - tw telecom holdings, inc. AS28573 1573 394 1179 75.0% NET Servicos de Comunicao S.A. AS1785 1867 784 1083 58.0% AS-PAETEC-NET - PaeTec Communications, Inc. AS7552 1409 419 990 70.3% VIETEL-AS-AP Vietel Corporation AS19262 1389 402 987 71.1% VZGNI-TRANSIT - Verizon Online LLC AS10620 1721 760 961 55.8% Telmex Colombia S.A. AS7303 1255 367 888 70.8% Telecom Argentina S.A. AS18101 976 157 819 83.9% RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI AS8151 1461 660 801 54.8% Uninet S.A. de C.V. 
AS8402 1523 732 791 51.9% CORBINA-AS OJSC "Vimpelcom" AS30036 1484 699 785 52.9% MEDIACOM-ENTERPRISE-BUSINESS - Mediacom Communications Corp AS4808 1091 341 750 68.7% CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network AS15557 1096 368 728 66.4% LDCOMNET Societe Francaise du Radiotelephone S.A AS24560 985 271 714 72.5% AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services AS7545 1630 948 682 41.8% TPG-INTERNET-AP TPG Internet Pty Ltd AS3356 1104 458 646 58.5% LEVEL3 Level 3 Communications AS2118 672 61 611 90.9% RELCOM-AS OOO "NPO Relcom" AS17974 1720 1109 611 35.5% TELKOMNET-AS2-AP PT Telekomunikasi Indonesia AS17676 677 74 603 89.1% GIGAINFRA Softbank BB Corp. AS4804 662 95 567 85.6% MPX-AS Microplex PTY LTD AS9498 862 300 562 65.2% BBIL-AP BHARTI Airtel Ltd. AS20115 1616 1059 557 34.5% CHARTER-NET-HKY-NC - Charter Communications AS4780 786 235 551 70.1% SEEDNET Digital United Inc. AS3549 969 420 549 56.7% GBLX Global Crossing Ltd. Total 44427 14925 29502 66.4% Top 30 total Possible Bogus Routes 10.86.64.32/30 AS65530 -Private Use AS- 10.86.64.36/30 AS65530 -Private Use AS- 10.86.65.32/30 AS65530 -Private Use AS- 10.86.65.36/30 AS65530 -Private Use AS- 10.255.255.0/30 AS65530 -Private Use AS- 10.255.255.4/30 AS65530 -Private Use AS- 10.255.255.8/30 AS65530 -Private Use AS- 14.192.0.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.4.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.8.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.12.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.16.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.20.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.24.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.28.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 37.44.64.0/18 AS6697 BELPAK-AS Republican Association BELTELECOM 37.45.0.0/16 AS6697 BELPAK-AS Republican Association BELTELECOM 41.222.79.0/24 AS36938 AMSCOTELECOMS Amsco Telecommunications Nigeria Limited 41.223.92.0/22 AS36936 
CELTEL-GABON Celtel Gabon Internet Service 62.61.220.0/24 AS24974 TACHYON-EU Tachyon Europe BV 62.61.221.0/24 AS24974 TACHYON-EU Tachyon Europe BV 64.21.192.0/20 AS11610 INETNEBR-1 - Internet Nebraska Corporation 64.21.212.0/22 AS11610 INETNEBR-1 - Internet Nebraska Corporation 64.21.216.0/21 AS11610 INETNEBR-1 - Internet Nebraska Corporation 66.129.0.0/19 AS3901 ARRAKIS - Higher Technology Services 66.180.239.0/24 AS35888 VIGNETTE - VIGNETTE CORPORATION 66.207.32.0/20 AS23011 66.245.176.0/20 AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC 66.251.128.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.133.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.134.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.136.0/21 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.140.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.141.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.142.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.143.0/24 AS3356 LEVEL3 Level 3 Communications 69.46.224.0/20 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers 69.46.233.0/24 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers 69.46.236.0/24 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers 71.19.134.0/23 AS3313 INET-AS BT Italia S.p.A. 72.44.16.0/20 AS15054 HAMELTRONICS - Hameltronics, LLC 80.88.10.0/24 AS33774 DJAWEB 98.159.96.0/20 AS46975 110.34.44.0/22 AS12653 COMTONET KB Impuls Hellas 116.206.72.0/24 AS6461 MFNX MFN - Metromedia Fiber Network 116.206.85.0/24 AS6461 MFNX MFN - Metromedia Fiber Network 116.206.103.0/24 AS6461 MFNX MFN - Metromedia Fiber Network 117.120.56.0/21 AS4755 TATACOMM-AS TATA Communications formerly VSNL is Leading ISP 121.46.0.0/16 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street 142.54.0.0/19 AS23498 CDSI - Cogeco Data Services Inc. 
172.45.1.0/24 AS29571 CITelecom-AS 172.45.2.0/24 AS29571 CITelecom-AS 172.45.3.0/24 AS29571 CITelecom-AS 172.102.0.0/22 AS4812 CHINANET-SH-AP China Telecom (Group) 190.104.32.0/21 AS27882 Telefónica Celular de Bolivia S.A. 192.146.137.0/24 AS25376 NETNORTH-ASN Netnorth Limited 193.0.22.0/23 AS3333 RIPE-NCC-AS RIPE Network Coordination Centre 200.6.93.0/24 AS6400 Compañía Dominicana de Teléfonos, C. por A. - CODETEL 200.6.94.0/24 AS6400 Compañía Dominicana de Teléfonos, C. por A. - CODETEL 200.6.95.0/24 AS6400 Compañía Dominicana de Teléfonos, C. por A. - CODETEL 200.23.84.0/24 AS8151 Uninet S.A. de C.V. 200.24.73.0/24 AS26061 Equant Colombia 200.33.40.0/24 AS11172 Alestra, S. de R.L. de C.V. 200.34.0.0/20 AS6342 Instituto Tecnológico y de Estudios Superiores de Monterrey 200.53.0.0/19 AS13878 Diveo do Brasil Telecomunicacoes Ltda 202.1.224.0/24 AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000 202.8.106.0/24 AS9530 SHINSEGAE-AS SHINSEGAE I&C Co., Ltd. 202.9.55.0/24 AS2764 AAPT AAPT Limited 202.58.113.0/24 AS19161 202.61.75.0/24 AS9927 PHILCOMNET-PH A Multihomed ISP Company 202.83.120.0/21 AS37972 202.83.124.0/24 AS37972 202.83.125.0/24 AS37972 202.83.126.0/24 AS37972 202.94.1.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.133.70.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited 202.160.152.0/22 AS10113 DATAFAST-AP DATAFAST TELECOMMUNICATIONS LTD 202.174.125.0/24 AS9498 BBIL-AP BHARTI Airtel Ltd.
202.176.1.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia 202.179.134.0/24 AS23966 LDN-AS-PK LINKdotNET Telecom Limited 203.23.1.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.24.38.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.30.127.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.86.0/23 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.86.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.87.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.188.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 203.142.219.0/24 AS45149 205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 205.175.214.0/24 AS5583 ORANGE-BUSINESS-SERVICES-BENELUX France Telecom S.A. 206.123.129.0/24 AS10790 INREACH-AS - InReach Internet 206.180.240.0/20 AS12083 KNOLOGY-NET - KNOLOGY, Inc. 206.197.184.0/24 AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company 207.174.131.0/24 AS26116 INDRA - Indra's Net Inc 207.174.132.0/23 AS26116 INDRA - Indra's Net Inc 207.174.152.0/23 AS26116 INDRA - Indra's Net Inc 207.174.154.0/24 AS26116 INDRA - Indra's Net Inc 207.174.155.0/24 AS26116 INDRA - Indra's Net Inc 207.174.200.0/24 AS22658 EARTHNET - Earthnet, Inc. 207.174.248.0/21 AS6653 PRIVATEI - privateI, LLC 207.231.96.0/19 AS11194 NUNETPA - NuNet Inc. 208.83.53.0/24 AS40569 YGOMI-AS - Ygomi LLC 208.91.56.0/21 AS22241 IC2NET - IC2NET 208.91.56.0/24 AS22241 IC2NET - IC2NET 208.91.57.0/24 AS22241 IC2NET - IC2NET 208.91.58.0/24 AS22241 IC2NET - IC2NET 208.91.59.0/24 AS22241 IC2NET - IC2NET 208.91.60.0/24 AS22241 IC2NET - IC2NET 208.91.61.0/24 AS22241 IC2NET - IC2NET 208.91.62.0/24 AS22241 IC2NET - IC2NET 208.91.63.0/24 AS22241 IC2NET - IC2NET 209.133.224.0/19 AS4323 TWTC - tw telecom holdings, inc. 
209.148.64.0/19 AS13773 TELNETCOMM - Telnet Communications 209.177.64.0/20 AS6461 MFNX MFN - Metromedia Fiber Network 209.213.0.0/20 AS33005 ELTOPIA - Eltopia.com, LLC 209.222.240.0/22 AS19747 210.56.150.0/23 AS38138 INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED 216.12.160.0/20 AS26627 AS-PILOSOFT - Pilosoft, Inc. 216.21.160.0/20 AS13818 PHX-INTL-TELEPORT - Phoenix International Teleport 216.194.160.0/20 AS13818 PHX-INTL-TELEPORT - Phoenix International Teleport 217.26.128.0/20 AS48111

Please see http://www.cidr-report.org for the full report
------------------------------------
Copies of this report are mailed to: nanog at nanog.org eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org

From matt.addison at lists.evilgeni.us Fri Jan 6 17:36:22 2012
From: matt.addison at lists.evilgeni.us (Matt Addison)
Date: Fri, 6 Jan 2012 18:36:22 -0500
Subject: QinQ switch or similar
In-Reply-To:
References:
Message-ID: <-4843177455144437189@unknownmsgid>

Sent from my mobile device, so please excuse any horrible misspellings.

On Jan 6, 2012, at 15:32, Bonald wrote:

> Hi,
> We need to purchase some switch that supports 1 Gbit QinQ.
> Any suggestions? We need to connect 9 schools together at layer 2.
> All 9 schools have a 1 Gb link from our provider; the provider gave us 5 VLANs to
> work with.
> We have around 35 VLANs in-house.
>
> We are low budget. Any recommendation besides QinQ?

Your provider won't do QinQ for you? Have you verified they support the appropriate MTU for you to do your own QinQ under their tag (at least 1502)?

As far as equipment, most Cisco kit from 3550 on up will do QinQ.

Other alternatives would be to light it with routers and do EoMPLS or VPLS; it'll be more expensive than just doing QinQ but potentially more scalable/stable.
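The "Possible Bogus Routes" and "Prefixes from private and non-routed address space" sections of the CIDR report above come from checks of the kind below. This is an added example, not the cidr-report's own code: it classifies (prefix, origin AS) pairs as martian, default, too specific, or originated by a reserved or private ASN. The martian and reserved-ASN lists are minimal assumptions, and the sample lines are constructed, the first two copied from the report above. What it cannot do offline is the report's "Advertised Unallocated Addresses" check, which needs RIR delegation data; that is why 14.192.0.0/22 comes back clean here although the report flags it.

```python
"""Flag route announcements that should not be in the global table, in the
spirit of the CIDR report's "Possible Bogus Routes" and "Prefixes from private
and non-routed address space" sections.

Added example; not the cidr-report's own code. The martian and reserved-ASN
lists are minimal assumptions (a production bogon feed is longer and changes
over time) and the sample lines are constructed, two of them copied from the
report above.
"""
import ipaddress
import re

# Address space that must not appear in the global table (assumption: minimal).
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
    "::/8", "2001:db8::/32", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# IANA special-purpose ASNs: AS0, AS_TRANS, documentation, private use, reserved.
RESERVED_ASNS = [(0, 0), (23456, 23456), (64496, 64511), (64512, 65534),
                 (65535, 65535), (65536, 65551), (4200000000, 4294967295)]

# Longest prefix most networks accept from a peer (assumption: common practice).
MAX_LEN = {4: 24, 6: 48}

_LINE = re.compile(r"^\s*(\S+/\d+)\s+AS(\d+)")


def classify(prefix, asn):
    """Reasons a (prefix, origin ASN) pair looks bogus; [] means clean by these rules.
    Allocated-but-unassigned public space (the report's "Advertised Unallocated
    Addresses") needs RIR delegation data and is not checked here."""
    net = ipaddress.ip_network(prefix, strict=False)
    reasons = []
    for m in MARTIANS:  # either direction: a /30 inside 10/8, or a /1 swallowing it
        if m.version == net.version and (net.subnet_of(m) or m.subnet_of(net)):
            reasons.append(f"martian: overlaps {m}")
            break
    if net.prefixlen == 0:
        reasons.append("default route")
    if net.prefixlen > MAX_LEN[net.version]:
        reasons.append(f"too specific: /{net.prefixlen} > /{MAX_LEN[net.version]}")
    if any(lo <= asn <= hi for lo, hi in RESERVED_ASNS):
        reasons.append(f"reserved or private origin AS{asn}")
    return reasons


def scan_report(text):
    """Parse '<prefix> AS<n> <description>' lines; {prefix: reasons} for the flagged ones."""
    flagged = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        reasons = classify(m.group(1), int(m.group(2)))
        if reasons:
            flagged[m.group(1)] = reasons
    return flagged


# Constructed sample: the first two lines are copied from the report above; the
# rest use documentation space and special-purpose ASNs to trip specific rules.
SAMPLE_REPORT = """\
10.86.64.32/30 AS65530 -Private Use AS-
14.192.0.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
198.51.100.0/24 AS64496 documentation prefix and documentation ASN
192.0.2.0/26 AS64500 documentation prefix, too specific as well
0.0.0.0/0 AS4294967295 a default route with a reserved origin
2001:db8::/32 AS65536 IPv6 documentation prefix
"""

if __name__ == "__main__":
    for prefix, reasons in scan_report(SAMPLE_REPORT).items():
        print(prefix, "->", "; ".join(reasons))
```

The overlap test runs in both directions on purpose: a /30 inside 10/8 is obvious, but a short prefix that swallows a martian range (a /1, or a default route) is just as wrong and is what the "too specific" rule alone would miss.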
From christopher.morrow at gmail.com Fri Jan 6 19:47:49 2012
From: christopher.morrow at gmail.com (Christopher Morrow)
Date: Fri, 6 Jan 2012 20:47:49 -0500
Subject: Misreporting abuse, it's not actually helpful: root@fireslayer.maxihost.com.br
Message-ID:

[ABUSE] Attack comming from IP 90.185.110.92 to 189.1.164.138

So... FireSlayer, did you get a cold? Or perhaps have too much to drink? Sending reports of what looks like CoD4:

16:36:58.728250 IP 90.185.110.92.27005 > 189.1.172.238.28960: UDP, length 14
16:36:58.741473 IP 90.185.110.92.27005 > 189.1.169.243.28922: UDP, length 14
16:36:58.754083 IP 90.185.110.92.27005 > 189.1.164.56.28947: UDP, length 14

server traffic to your customers is cool; it's not so cool if you send the reports to the wrong origin ASN... AS15169 doesn't actually originate 90.185.110.0/24, it looks to me like:

AS39554 | 90.185.110.0 | FULLRATE Fullrate A/S

probably does though... I'm not sure what math tricks you may have tried, but 39554 is in no way like 15169. Could you take some time to disable your report generation cannon and fix it before re-enabling it? I'm not the only person getting mis-fired reports; if you want to help everyone, please turn off the cannon.

thnx!
-chris

(note, we've asked privately, you don't seem to respond/listen, perhaps publicly noting this will get: 1) your attention 2) you to stop the insanity)

From paul at neoverve.com Fri Jan 6 19:50:32 2012
From: paul at neoverve.com (Paul Norton)
Date: Fri, 06 Jan 2012 17:50:32 -0800
Subject: SSL Certificates
In-Reply-To: <4F0713E2.4060004@pacific.net>
References: <4F0713E2.4060004@pacific.net>
Message-ID: <4F07A4E8.6060308@neoverve.com>

I second The SSL Store (http://www.thesslstore.com/)

--
Paul Norton
Systems Administrator
Neoverve - www.neoverve.com
Neoverve Blog - http://blog.neoverve.com/

On 1/6/2012 7:31 AM, Ken A wrote:
> theSSLstore has good reseller pricing on a variety of certs.
> ~ $10 domain validated rapidssl certs in about 5 minutes.
> More expensive and time consuming certs are available, Verisign,
> Geotrust, Thawte, greenbars, wildcards, etc.
> Ken
>
> On 1/6/2012 8:15 AM, Michael Carey wrote:
>> Looking for a recommendation on who to buy affordable and reputable SSL
>> certificates from? Symantec, Thawte, and Comodo are the names that
>> come to
>> mind, just wondering if there are others folks use.
>>
>> Thanks,
>>
>

From randy at psg.com Fri Jan 6 21:46:42 2012
From: randy at psg.com (Randy Bush)
Date: Sat, 07 Jan 2012 12:46:42 +0900
Subject: Misreporting abuse, it's not actually helpful: root@fireslayer.maxihost.com.br
In-Reply-To:
References:
Message-ID:

> probably does though... I'm not sure what math tricks you may have
> tried, but 39554 is in no way like 15169. Could you take some time to
> disable your report generation cannon and fix it before re-enabling it?
> I'm not the only person getting mis-fired reports, if you want to help
> everyone please turn off the cannon.

procmail them back to the ceo or c.o of the idiots.

randy

From bjorn at mork.no Sat Jan 7 06:00:43 2012
From: bjorn at mork.no (Bjørn Mork)
Date: Sat, 07 Jan 2012 13:00:43 +0100
Subject: subnet prefix length > 64 breaks IPv6?
In-Reply-To: <20111228.164544.39172608.sthaug@nethelp.no> (sthaug@nethelp.no's message of "Wed, 28 Dec 2011 16:45:44 +0100 (CET)")
References: <37f38f1f-369f-4056-8593-32b54e7fbc88@d8g2000yqk.googlegroups.com> <20111228.155045.85391394.sthaug@nethelp.no> <20111228.164544.39172608.sthaug@nethelp.no>
Message-ID: <87lipjg1sk.fsf@nemi.mork.no>

sthaug at nethelp.no writes:

> And yes, we know equipment that cannot *filter* on full IPv6 + port
> number headers exists (e.g. Cisco 6500/7600 with 144 bit TCAMs) - my
> original point was that I still haven't seen equipment with forwarding
> problems for prefixes > 64 bits.

Depends on what you consider a problem and whether you consider a layer 3 switch a "router" at all, but there are certainly some switches which will be more or less effective depending on prefix length. Ref e.g. http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swsdm.html#wp1257279 where you'll find this carefully worded hint:

"Note: An IPv4 route requires only one TCAM entry. Because of the hardware compression scheme used for IPv6, an IPv6 route can take more than one TCAM entry, reducing the number of entries forwarded in hardware. For example, for IPv6 directly connected IP addresses, the desktop template might allow less than two thousand entries."

Translated: "The stated numbers for IPv6 routes are twice the real max. However, prefix compression may give better utilisation under certain conditions".

Bjørn

From sthaug at nethelp.no Sat Jan 7 07:24:28 2012
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sat, 07 Jan 2012 14:24:28 +0100 (CET)
Subject: subnet prefix length > 64 breaks IPv6?
In-Reply-To: <87lipjg1sk.fsf@nemi.mork.no>
References: <20111228.164544.39172608.sthaug@nethelp.no> <87lipjg1sk.fsf@nemi.mork.no>
Message-ID: <20120107.142428.74717744.sthaug@nethelp.no>

> "Note: An IPv4 route requires only one TCAM entry. Because of the
> hardware compression scheme used for IPv6, an IPv6 route can take
> more than one TCAM entry, reducing the number of entries forwarded
> in hardware. For example, for IPv6 directly connected IP addresses,
> the desktop template might allow less than two thousand entries."
>
> Translated: "The stated numbers for IPv6 routes are twice the real max.
> However, prefix compression may give better utilisation under certain
> conditions".

Thanks, that's the first *specific* information I've seen of equipment that might have problems (reduced number of entries) with longer than 64 bit prefixes. Fortunately we're not using 3560/3750 for IPv6 routing at the moment.
Any other takers? Steinar Haug, Nethelp consulting, sthaug at nethelp.no From lists at mtin.net Sat Jan 7 14:17:56 2012 From: lists at mtin.net (Justin Wilson) Date: Sat, 07 Jan 2012 15:17:56 -0500 Subject: OT: Consultant for Dial-up needed Message-ID: Sorry for the post but I havent made much headway on finding some help. I know several of you still run dialup modem pools. I need some help. I have a single USR total control chassis talking to cistron radius. The cistron box died today. I was able to get the files from the server, but am missing something. Looking for a consultant ASAP to help with this. Thanks, Justin -- Justin Wilson Aol & Yahoo IM: j2sw http://www.mtin.net/blog ? xISP News http://www.twitter.com/j2sw ? Follow me on Twitter From frnkblk at iname.com Sat Jan 7 15:30:05 2012 From: frnkblk at iname.com (Frank Bulk) Date: Sat, 7 Jan 2012 15:30:05 -0600 Subject: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days In-Reply-To: <000a01ccb061$5d60c100$18224300$@iname.com> References: <000001cc5d68$93fc01d0$bbf40570$@iname.com> <0C6A4A8DD60DBF4A99C300DDA771BFAB01E8192746C7@server3.MUTUALTEL.MTCNET.NET> <000a01ccb061$5d60c100$18224300$@iname.com> Message-ID: <009401cccd83$85a625d0$90f27170$@iname.com> HTTP both www.qwest.com and www.centurylink.com have been in and out since December 27. Sometimes it responds in less than 10 seconds, other times it connects and there's no TCP response for minutes. This was tested from two different networks. If anyone from CenturyLink is lurking, could you please notify your NOC or IT department? Frank -----Original Message----- From: Frank Bulk [mailto:frnkblk at iname.com] Sent: Thursday, December 01, 2011 1:43 PM To: nanog at nanog.org Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days AAAA and IPv6 access to www.centurylink.com were restored around 11:30 am U.S. Central. 
Frank

-----Original Message-----
From: Frank Bulk [mailto:frnkblk at iname.com]
Sent: Wednesday, November 30, 2011 6:59 AM
To: 'nanog at nanog.org'
Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days

Well, sometime yesterday www.centurylink.com removed its AAAA record(s). www.qwest.com still has them.

Frank

-----Original Message-----
From: Frank Bulk [mailto:frnkblk at iname.com]
Sent: Monday, October 24, 2011 1:47 PM
To: 'nanog at nanog.org'
Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days

Good news: access to the v6 version of www.qwest.com came up at 12:30 pm today -- it redirects to www.centurylink.com, but at least it's working. Only www.savvis.com remains in my list of service provider websites that have non-working IPv6.

Frank

-----Original Message-----
From: Frank Bulk [mailto:frnkblk at iname.com]
Sent: Thursday, August 18, 2011 12:35 AM
To: nanog at nanog.org
Subject: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days

The IPv6 version of www.qwest.com has been down for 10 days. Wget shows a 301 to www.centurylink.com, but that also fails. Emails to the nocs at both companies have gone unanswered. Unless HE is deployed in a web browser, this behavior leads to a bad end-user experience. If anyone can prod either of these two companies that would be much appreciated.

Frank

nagios:/home/fbulk# wget -6 www.qwest.com
--2011-08-18 00:32:40-- http://www.qwest.com/
Resolving www.qwest.com... 2001:428:b21:1::20
Connecting to www.qwest.com|2001:428:b21:1::20|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.centurylink.com/ [following]
--2011-08-18 00:32:40-- http://www.centurylink.com/
Resolving www.centurylink.com... 2001:428:b21:1::22
Connecting to www.centurylink.com|2001:428:b21:1::22|:80... failed: Connection timed out.
Retrying.
--2011-08-18 00:33:02-- (try: 2) http://www.centurylink.com/
Connecting to www.centurylink.com|2001:428:b21:1::22|:80... failed: Connection timed out.
Retrying.
--2011-08-18 00:33:25-- (try: 3) http://www.centurylink.com/
Connecting to www.centurylink.com|2001:428:b21:1::22|:80... failed: Connection timed out.
Retrying.
--2011-08-18 00:33:49-- (try: 4) http://www.centurylink.com/
Connecting to www.centurylink.com|2001:428:b21:1::22|:80... failed: Connection timed out.
Retrying.

Etc...

From david at davidswafford.com Sun Jan 8 06:05:50 2012
From: david at davidswafford.com (David Swafford)
Date: Sun, 8 Jan 2012 07:05:50 -0500
Subject: QinQ switch or similar
In-Reply-To: <-4843177455144437189@unknownmsgid>
References: <-4843177455144437189@unknownmsgid>
Message-ID:

I'd check w/ the provider. They may be giving you only 5 VLANs to avoid explaining/configuring QinQ -- remember, most small school environments are limited on their IT knowledge. I bet if you ask, they already support it, or have the gear/people to help with your need.

David.

On Fri, Jan 6, 2012 at 6:36 PM, Matt Addison wrote:
> Sent from my mobile device, so please excuse any horrible misspellings.
>
> On Jan 6, 2012, at 15:32, Bonald wrote:
>
>> Hi,
>> We need to purchase some switches that support 1gbit QinQ.
>> Any suggestions? We need to connect 9 schools together in layer 2.
>> All 9 schools have 1gb link from our provider, provider gave us 5 vlans to
>> work with.
>> We have around 35 vlans in-house.
>>
>> We are low budget. Any recommendation beside QinQ?
>
> Your provider won't do QinQ for you? Have you verified they support
> the appropriate MTU for you to do your own QinQ under their tag (at
> least 1502)?
>
> As far as equipment, most Cisco kit from 3550 on up will do QinQ.
>
> Other alternatives would be to light it with routers and do EoMPLS or
> VPLS, but it'll be more expensive than just doing QinQ but potentially
> more scalable/stable.
>

From neal.rauhauser at gmail.com Sun Jan 8 11:13:03 2012
From: neal.rauhauser at gmail.com (N Rauhauser)
Date: Sun, 8 Jan 2012 12:13:03 -0500
Subject: shell access to BGP router, CALEA tips??
Message-ID:

Ladies & Gentlemen,

I wanted to check something on an IP address block this morning and, much to my surprise, I don't have access to a single router that has a full table in it - first time since 1999 this is the case. I see route views is still happily serving up shells, but I'm curious to know if there are any other viewpoints available. I am probably going to script something for this particular problem, so I want boxes that have shell access, not graphical looking glass type stuff.

I am also plunged into the world of lawful intercept after a long absence. Other than providing muddled responses ten minutes before the deadline on obvious MPAA/RIAA trolls I haven't had to do a subpoena response since 2005 and I've not installed anything that needed to meet requirements since 2009. Is there a good write up somewhere on the current state of affairs?

Neal Rauhauser

From joelja at bogus.com Sun Jan 8 12:45:13 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Sun, 08 Jan 2012 10:45:13 -0800
Subject: QinQ switch or similar
In-Reply-To:
References:
Message-ID: <4F09E439.7000407@bogus.com>

On 1/6/12 12:31 , Bonald wrote:
> Hi,
> We need to purchase some switches that support 1gbit QinQ.
> Any suggestions? We need to connect 9 schools together in layer 2.
> All 9 schools have 1gb link from our provider, provider gave us 5 vlans to
> work with.
> We have around 35 vlans in-house.
>
> We are low budget. Any recommendation beside QinQ?

The alternative to QinQ: the exercise would probably be more scalable if the broadcast domains (vlans) of each site were constrained to their respective sites. Something like force10 s25n would be all the l3 switch you'd need to make this routed.
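Matt Addison's MTU question and Joel's routed alternative both come down to what a stacked tag costs on the wire. The Python below is an added illustration, not code from anyone on the thread: it builds a customer frame carrying an 802.1Q C-tag, pushes an 802.1ad S-tag on top of it the way a provider edge does, parses the stack back off, and reports how many bytes beyond the 14-byte untagged header the provider link has to carry. The TPID values are the standard 802.1Q/802.1ad ones; the MAC addresses, VLAN ids and payload are constructed sample data.

```python
import struct

# IEEE-assigned TPIDs (real values); everything else below is constructed sample data.
TPID_STAG = 0x88A8       # 802.1ad service tag: the provider's outer tag
TPID_CTAG = 0x8100       # 802.1Q customer tag: the inner tag the schools already use
ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14         # dst MAC + src MAC + EtherType of an untagged frame
TAG_LEN = 4              # TPID (2 bytes) + TCI (2 bytes)


def build_frame(dst, src, tags, ethertype, payload):
    """Assemble an Ethernet frame (FCS omitted) with zero or more stacked VLAN
    tags, outermost first. Each tag is (tpid, pcp, vid)."""
    frame = bytearray(dst + src)
    for tpid, pcp, vid in tags:
        if not 1 <= vid <= 4094:   # VID 0 is priority-only, 4095 is reserved
            raise ValueError("VID out of range: %d" % vid)
        tci = ((pcp & 0x7) << 13) | vid
        frame += struct.pack("!HH", tpid, tci)
    frame += struct.pack("!H", ethertype) + payload
    return bytes(frame)


def parse_frame(frame):
    """Peel every stacked tag off a frame.
    Returns (dst, src, tags, ethertype, payload) with tags outermost first."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = bytes(frame[:6]), bytes(frame[6:12])
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        etype = struct.unpack("!H", frame[off:off + 2])[0]
        if etype not in (TPID_STAG, TPID_CTAG):
            return dst, src, tags, etype, bytes(frame[off + 2:])
        if off + TAG_LEN > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        off += TAG_LEN


def push_tag(frame, tpid, pcp, vid):
    """Provider-edge ingress: wrap the customer's frame in a new outer tag."""
    dst, src, tags, etype, payload = parse_frame(frame)
    return build_frame(dst, src, [(tpid, pcp, vid)] + tags, etype, payload)


def pop_tag(frame):
    """Provider-edge egress: strip the outermost tag, handing back the customer frame."""
    dst, src, tags, etype, payload = parse_frame(frame)
    if not tags:
        raise ValueError("no VLAN tag to pop")
    return build_frame(dst, src, tags[1:], etype, payload)


def l2_payload_len(frame):
    """Bytes the link must carry beyond the 14-byte untagged header: this is the
    figure to compare against the provider's MTU. Every stacked tag adds TAG_LEN."""
    return len(frame) - ETH_HDR_LEN


if __name__ == "__main__":
    # Constructed sample: a 1500-byte IPv4 packet tagged with customer VLAN 35,
    # then carried inside provider VLAN 100.
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    customer = build_frame(dst, src, [(TPID_CTAG, 0, 35)], ETHERTYPE_IPV4, bytes(1500))
    provider = push_tag(customer, TPID_STAG, 0, 100)
    print("customer frame needs", l2_payload_len(customer), "bytes of L2 MTU")
    print("QinQ frame needs", l2_payload_len(provider), "bytes of L2 MTU")
    print("tag stack:", [(hex(t), p, v) for t, p, v in parse_frame(provider)[2]])
    assert pop_tag(provider) == customer
```

Running it shows the single-tagged customer frame needing 1504 bytes and the QinQ frame 1508: each extra tag is 4 more bytes the provider's switches must pass without fragmenting or dropping, which is the check Matt is asking for.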
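Frank Bulk's wget trace earlier in this digest shows why he cares whether the browser does HE (Happy Eyeballs, RFC 6555): forced onto IPv6, the client sits through a 21-second SYN timeout four times, while a dual-stack client that races the families would have quietly fallen back to IPv4. The Python below is an added example, not code from Frank or from any browser, implementing that race with a pluggable connector. `tcp_connect` is a real connector for use on a live network; `make_fake_connector` and the documentation-range addresses in `SAMPLE_CANDIDATES` are constructed stand-ins so the race can be demonstrated offline, including the "IPv6 hangs" case from the trace.

```python
import queue
import socket
import threading
import time


def happy_eyeballs_connect(candidates, connect, fallback_delay=0.3, timeout=5.0):
    """Race connection attempts the way a Happy Eyeballs (RFC 6555) client does.

    candidates: [(family, address), ...] in preference order, IPv6 first.
    connect(family, address): blocking call returning a connection or raising.
    The first candidate is started alone; if it has not succeeded within
    fallback_delay the next one is started alongside it, and so on. The first
    attempt to succeed wins; slower ones are simply abandoned.
    Returns (family, address, connection) or raises OSError."""
    results = queue.Queue()

    def attempt(family, address):
        try:
            results.put((family, address, connect(family, address), None))
        except Exception as exc:          # any failure is just a losing attempt
            results.put((family, address, None, exc))

    deadline = time.monotonic() + timeout
    started, failures = 0, []
    while True:
        if started < len(candidates):
            family, address = candidates[started]
            threading.Thread(target=attempt, args=(family, address), daemon=True).start()
            started += 1
            wait_until = time.monotonic() + fallback_delay
        else:
            if len(failures) == len(candidates) or time.monotonic() >= deadline:
                raise OSError("no candidate connected: %r" % (failures,))
            wait_until = deadline
        # Drain results until a success arrives, the wait expires, or nothing is in flight.
        while len(failures) < started:
            remaining = wait_until - time.monotonic()
            if remaining <= 0:
                break
            try:
                family, address, conn, exc = results.get(timeout=remaining)
            except queue.Empty:
                break
            if exc is None:
                return family, address, conn
            failures.append((family, address, repr(exc)))


def try_connect(candidates, connect, **kwargs):
    """Convenience wrapper: None instead of an exception when nothing connects."""
    try:
        return happy_eyeballs_connect(candidates, connect, **kwargs)
    except OSError:
        return None


def tcp_connect(family, address, per_attempt_timeout=5.0):
    """Real connector for live use: address is a getaddrinfo-style sockaddr."""
    af = socket.AF_INET6 if family == "IPv6" else socket.AF_INET
    sock = socket.socket(af, socket.SOCK_STREAM)
    sock.settimeout(per_attempt_timeout)
    try:
        sock.connect(address)
    except OSError:
        sock.close()
        raise
    return sock


def resolve_candidates(host, port):
    """getaddrinfo results ordered IPv6 first, as a Happy Eyeballs client prefers."""
    found = []
    for af, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        found.append(("IPv6" if af == socket.AF_INET6 else "IPv4", sockaddr))
    found.sort(key=lambda c: c[0] != "IPv6")   # stable sort keeps resolver order per family
    return found


def make_fake_connector(behaviour):
    """Constructed stand-in for tcp_connect so the race runs offline.
    behaviour maps family -> (outcome, delay_seconds); outcome is 'ok', 'hang'
    (SYN never answered, like the centurylink.com trace) or 'refuse'."""
    def connect(family, address):
        outcome, delay = behaviour[family]
        time.sleep(delay)
        if outcome == "ok":
            return "connected via %s to %s" % (family, address[0])
        if outcome == "hang":
            raise TimeoutError("connect to %s timed out" % (address[0],))
        raise ConnectionRefusedError("connect to %s refused" % (address[0],))
    return connect


# Constructed sample addresses from the documentation ranges (RFC 3849 / RFC 5737).
SAMPLE_CANDIDATES = [("IPv6", ("2001:db8::22", 80, 0, 0)), ("IPv4", ("192.0.2.22", 80))]

if __name__ == "__main__":
    broken_v6 = make_fake_connector({"IPv6": ("hang", 2.0), "IPv4": ("ok", 0.02)})
    t0 = time.monotonic()
    print(happy_eyeballs_connect(SAMPLE_CANDIDATES, broken_v6), "after %.2fs" % (time.monotonic() - t0))
```

With the IPv6 path hanging, the client still has a usable IPv4 connection a few hundred milliseconds in, which is the user-visible difference between a browser that implements HE and the minutes-long stall Frank describes. The real connector is only exercised if you call it yourself with `resolve_candidates`.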
From JTyler at fiberutilities.com Sun Jan 8 14:06:36 2012
From: JTyler at fiberutilities.com (Jensen Tyler)
Date: Sun, 8 Jan 2012 14:06:36 -0600
Subject: QinQ switch or similar
In-Reply-To:
References:
Message-ID: <1A8A762BD508624A8BDAB9F5E1638F94601CBB76F5@comsrv01.fg.local>

We have been using Ciena switches for QinQ. CN3920 would fit best for low cost. Pretty easy to use.

-----Original Message-----
From: Bonald [mailto:bonald at gmail.com]
Sent: Friday, January 06, 2012 2:31 PM
To: nanog at nanog.org
Subject: QinQ switch or similar

Hi,
We need to purchase some switches that support 1gbit QinQ.
Any suggestions? We need to connect 9 schools together in layer 2.
All 9 schools have 1gb link from our provider, provider gave us 5 vlans to work with.
We have around 35 vlans in-house.

We are low budget. Any recommendation beside QinQ?

From dcp at dcptech.com Sun Jan 8 18:31:08 2012
From: dcp at dcptech.com (David Prall)
Date: Sun, 8 Jan 2012 19:31:08 -0500
Subject: shell access to BGP router, CALEA tips??
In-Reply-To:
References:
Message-ID: <019501ccce65$fca9d8b0$f5fd8a10$@com>

Both AT&T and Hurricane Electric have access for this.

A quick list of them.
http://www.netdigix.com/servers.html

Majority of these are telnet:// links.

David

--
http://dcp.dcptech.com

-----Original Message-----
From: N Rauhauser [mailto:neal.rauhauser at gmail.com]
Sent: Sunday, January 08, 2012 12:13 PM
To: nanog at nanog.org
Subject: shell access to BGP router, CALEA tips??

Ladies & Gentlemen,

I wanted to check something on an IP address block this morning and, much to my surprise, I don't have access to a single router that has a full table in it - first time since 1999 this is the case. I see route views is still happily serving up shells, but I'm curious to know if there are any other viewpoints available. I am probably going to script something for this particular problem, so I want boxes that have shell access, not graphical looking glass type stuff.
I am also plunged into the world of lawful intercept after a long absence. Other than providing muddled responses ten minutes before the deadline on obvious MPAA/RIAA trolls I haven't had to do a subpoena response since 2005 and I've not installed anything that needed to meet requirements since 2009. Is there a good write up somewhere on the current state of affairs?

Neal Rauhauser

From ops.lists at gmail.com Sun Jan 8 19:48:01 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 9 Jan 2012 07:18:01 +0530
Subject: Misreporting abuse, it's not actually helpful: root@fireslayer.maxihost.com.br
In-Reply-To:
References:
Message-ID:

And maybe ask the author of whatever "goober with firewall" script that is to rm -rf and securely delete his code?

[old term from the nanae days, abbreviated to GWF]

On Sat, Jan 7, 2012 at 9:16 AM, Randy Bush wrote:
>> probably does though... I'm not sure what math tricks you may have
>> tried, but 39554 is in no way like 15169. Could you take some time to
>> disable your report generation cannon and fix it before re-enabling it?
>> I'm not the only person getting mis-fired reports, if you want to help
>> everyone please turn off the cannon.
>
> procmail them back to the ceo or c.o of the idiots.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From trelane at trelane.net Mon Jan 9 00:34:47 2012
From: trelane at trelane.net (Andrew D Kirch)
Date: Mon, 09 Jan 2012 01:34:47 -0500
Subject: Misreporting abuse, it's not actually helpful: root@fireslayer.maxihost.com.br
In-Reply-To:
References:
Message-ID: <4F0A8A87.1090500@trelane.net>

On 1/8/2012 8:48 PM, Suresh Ramasubramanian wrote:
> And maybe ask the author of whatever "goober with firewall" script
> that is to rm -rf and securely delete his code?
>
> [old term from the nanae days, abbreviated to GWF]
>
> On Sat, Jan 7, 2012 at 9:16 AM, Randy Bush wrote:
>>> probably does though... I'm not sure what math tricks you may have
>>> tried, but 39554 is in no way like 15169.
>>> Could you take some time to
>>> disable your report generation cannon and fix it before re-enabling it?
>>> I'm not the only person getting mis-fired reports, if you want to help
>>> everyone please turn off the cannon.
>> procmail them back to the ceo or c.o of the idiots.
>

I find that contacting the upstream of errant bulk abuse reports about the UBE problem tends to get things solved quickly. Abuse desk droids that have to sift through 8 gallons of crap every day tend to frown on their own users' contributions to the smelly pile on someone else's abuse desk.

Andrew

From sh.vahabzadeh at gmail.com Mon Jan 9 14:40:37 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Tue, 10 Jan 2012 00:10:37 +0330
Subject: "PPPoE Intermediate Agent or TR101" in Huawei MA5600
Message-ID:

Hi Everybody,
I have lots of Huawei MA5600 in my pop sites and my "display version" output is "VERSION: MA5600V300R003C05".
Can anybody help me to know how I can enable "PPPoE Intermediate Agent or TR101" in these DSLAMs?
Or let me know if this version of DSLAM supports this feature or not?
I want to have port attributes too when users send to NAS and from that to Radius.
Thanks

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From arturo.servin at gmail.com Mon Jan 9 14:59:47 2012
From: arturo.servin at gmail.com (Arturo Servin)
Date: Mon, 9 Jan 2012 18:59:47 -0200
Subject: shell access to BGP router, CALEA tips??
In-Reply-To: <019501ccce65$fca9d8b0$f5fd8a10$@com>
References: <019501ccce65$fca9d8b0$f5fd8a10$@com>
Message-ID: <34BCE5B6-2465-4CB9-98BE-F0DB3B6D17EF@gmail.com>

Not sure if this is what you are looking for:

http://www.traceroute.org/#Route%20Servers

/as

On 8 Jan 2012, at 22:31, David Prall wrote:
> Both AT&T and Hurricane Electric have access for this.
>
> A quick list of them.
> http://www.netdigix.com/servers.html
>
> Majority of these are telnet:// links.
>
> David
>
> --
> http://dcp.dcptech.com
>
>
>
> -----Original Message-----
> From: N Rauhauser [mailto:neal.rauhauser at gmail.com]
> Sent: Sunday, January 08, 2012 12:13 PM
> To: nanog at nanog.org
> Subject: shell access to BGP router, CALEA tips??
>
> Ladies & Gentlemen,
>
> I wanted to check something on an IP address block this morning and,
> much to my surprise, I don't have access to a single router that has a full
> table in it - first time since 1999 this is the case. I see route views is
> still happily serving up shells, but I'm curious to know if there are any
> other viewpoints available. I am probably going to script something for
> this particular problem, so I want boxes that have shell access, not
> graphical looking glass type stuff.
>
>
> I am also plunged into the world of lawful intercept after a long
> absence. Other than providing muddled responses ten minutes before the
> deadline on obvious MPAA/RIAA trolls I haven't had to do a subpoena
> response since 2005 and I've not installed anything that needed to meet
> requirements since 2009. Is there a good write up somewhere on the current
> state of affairs?
>
>
>
>
>
> Neal Rauhauser
>

From vanwolfe at gmail.com Mon Jan 9 17:41:07 2012
From: vanwolfe at gmail.com (Van Wolfe)
Date: Mon, 9 Jan 2012 16:41:07 -0700
Subject: AWS VPC Network Outage (US East)
Message-ID:

Is anyone else having issues with VPN access into a dedicated VPC (AWS US East)? We are unable to access our VM's across our tunnel. AWS alluded to a service wide network outage.

Thank you,
/Van

From kelly at hawknetworks.com Mon Jan 9 17:52:14 2012
From: kelly at hawknetworks.com (Kelly Kane)
Date: Mon, 9 Jan 2012 15:52:14 -0800
Subject: AWS VPC Network Outage (US East)
In-Reply-To:
References:
Message-ID:

On Mon, Jan 9, 2012 at 15:41, Van Wolfe wrote:
> Is anyone else having issues with VPN access into a dedicated VPC (AWS US
> East)? We are unable to access our VM's across our tunnel.
> AWS alluded to
> a service wide network outage.

We are seeing this as well.

Kelly

From snow at teardrop.org Mon Jan 9 17:55:05 2012
From: snow at teardrop.org (James Snow)
Date: Mon, 9 Jan 2012 15:55:05 -0800
Subject: AWS VPC Network Outage (US East)
In-Reply-To:
References:
Message-ID: <20120109235505.GE14990@teardrop.org>

On Mon, Jan 09, 2012 at 04:41:07PM -0700, Van Wolfe wrote:
> Is anyone else having issues with VPN access into a dedicated VPC (AWS US
> East)? We are unable to access our VM's across our tunnel. AWS alluded to
> a service wide network outage.

Yes. Our tunnels and peering stayed up, but we lost all traffic.

Silly as it may seem, forcefully bouncing our end seems to have resurrected it.

-Snow

From vanwolfe at gmail.com Mon Jan 9 18:12:56 2012
From: vanwolfe at gmail.com (Van Wolfe)
Date: Mon, 9 Jan 2012 17:12:56 -0700
Subject: AWS VPC Network Outage (US East)
In-Reply-To: <20120109235505.GE14990@teardrop.org>
References: <20120109235505.GE14990@teardrop.org>
Message-ID:

We tried bouncing our tunnels without success. Amazon has updated their service dashboard:

3:56 PM PST We are investigating increased packet loss impacting VPN connections in the US-EAST-1 region.

Thank you for your responses.

/Van

On Mon, Jan 9, 2012 at 4:55 PM, James Snow wrote:
> On Mon, Jan 09, 2012 at 04:41:07PM -0700, Van Wolfe wrote:
> > Is anyone else having issues with VPN access into a dedicated VPC (AWS US
> > East)? We are unable to access our VM's across our tunnel. AWS alluded
> to
> > a service wide network outage.
>
> Yes. Our tunnels and peering stayed up, but we lost all traffic.
>
> Silly as it may seem, forcefully bouncing our end seems to have
> resurrected it.
>
>
> -Snow
>
>

From djahandarie at gmail.com Mon Jan 9 18:49:51 2012
From: djahandarie at gmail.com (Darius Jahandarie)
Date: Mon, 9 Jan 2012 19:49:51 -0500
Subject: AWS VPC Network Outage (US East)
In-Reply-To:
References: <20120109235505.GE14990@teardrop.org>
Message-ID:

On Mon, Jan 9, 2012 at 19:12, Van Wolfe wrote:
> 3:56 PM PST We are investigating increased packet loss impacting VPN
> connections in the US-EAST-1 region.

I didn't know a cloud could be heavy enough to crash.

--
Darius Jahandarie

From vanwolfe at gmail.com Mon Jan 9 19:40:44 2012
From: vanwolfe at gmail.com (Van Wolfe)
Date: Mon, 9 Jan 2012 18:40:44 -0700
Subject: AWS VPC Network Outage (US East)
In-Reply-To:
References: <20120109235505.GE14990@teardrop.org>
Message-ID:

Your network just evaporates.

On Mon, Jan 9, 2012 at 5:49 PM, Darius Jahandarie wrote:
> On Mon, Jan 9, 2012 at 19:12, Van Wolfe wrote:
>> 3:56 PM PST We are investigating increased packet loss impacting VPN
>> connections in the US-EAST-1 region.
> I didn't know a cloud could be heavy enough to crash.
>
> --
> Darius Jahandarie
>

From henry at AegisInfoSys.com Mon Jan 9 20:50:00 2012
From: henry at AegisInfoSys.com (Henry Yen)
Date: Mon, 9 Jan 2012 21:50:00 -0500
Subject: SSL Certificates
In-Reply-To:
References:
Message-ID: <20120110025000.GF27517@nntp.AegisInfoSys.com>

verisign, who used to own geotrust (who owns rapidssl) was sold to symantec last year. or some similar swapping of chain links. anyway, for some, the symantec umbrella might be a polarizing factor.

On Fri, Jan 06, 2012 at 09:08:28AM -0600, graham at g-rock.net wrote:
> We use rapidssl. Seems to be ok across the board. No reports otherwise.
>
> ----- Reply message -----
> From: "Michael Carey"
> Date: Fri, Jan 6, 2012 8:15 am
> Subject: SSL Certificates
> To:
>
> Looking for a recommendation on who to buy affordable and reputable SSL
> certificates from? Symantec, Thawte, and Comodo are the names that come to
> mind, just wondering if there are others folks use.
--
Henry Yen
Aegis Information Systems, Inc.
Senior Systems Programmer
Hicksville, New York

From henry at AegisInfoSys.com Mon Jan 9 21:00:01 2012
From: henry at AegisInfoSys.com (Henry Yen)
Date: Mon, 9 Jan 2012 22:00:01 -0500
Subject: SSL Certificates
In-Reply-To:
References: <483E6B0272B0284BA86D7596C40D29F901212BB19CAD@PUR-EXCH07.ox.com>
Message-ID: <20120110030001.GG27517@nntp.AegisInfoSys.com>

On Fri, Jan 06, 2012 at 10:08:55AM -0500, Christopher Morrow wrote:
> >> From: Michael Carey [mailto:mcarey at kinber.org]
> >> Sent: Friday, January 06, 2012 9:15 AM
> >> To: nanog at nanog.org
> >> Subject: SSL Certificates
> >>
> >> Looking for a recommendation on who to buy affordable and reputable
> >> SSL certificates from? Symantec, Thawte, and Comodo are the names
> >> that come to mind, just wondering if there are others folks use.
>
> startssl.com - free certs that work in apple-mail, chrome, ff, ie,
> tbird, across mac/linux/windows... you can't beat free.
>
> (you do have to update yearly, but it's not painful, and is probably
> worth doing as practice anyway)

i think their "free" certificates are for personal/individual use only, and may not be as useful for company/business usage.

--
Henry Yen
Aegis Information Systems, Inc.
Senior Systems Programmer
Hicksville, New York

From henry at AegisInfoSys.com Mon Jan 9 21:11:56 2012
From: henry at AegisInfoSys.com (Henry Yen)
Date: Mon, 9 Jan 2012 22:11:56 -0500
Subject: SSL Certificates
In-Reply-To:
References:
Message-ID: <20120110031156.GH27517@nntp.AegisInfoSys.com>

netsol was bought by web.com. "out of the frying pan ... "?

On Fri, Jan 06, 2012 at 09:27:27AM -0500, Josh Baird wrote:
> We typically stick with Network Solutions, and DigiCert for
> SAN certificates. VeriSign's prices are just insane.
>
> On Fri, Jan 6, 2012 at 9:15 AM, Michael Carey wrote:
> > Looking for a recommendation on who to buy affordable and reputable SSL
> > certificates from?
> > Symantec, Thawte, and Comodo are the names that come to
> > mind, just wondering if there are others folks use.

--
Henry Yen
Aegis Information Systems, Inc.
Senior Systems Programmer
Hicksville, New York

From sergey at lobanov.in Mon Jan 9 22:55:24 2012
From: sergey at lobanov.in (Sergey V. Lobanov)
Date: Tue, 10 Jan 2012 08:55:24 +0400
Subject: "PPPoE Intermediate Agent or TR101" in Huawei MA5600
In-Reply-To:
References:
Message-ID: <4F0BC4BC.4020600@lobanov.in>

(config)#pitp enable

On 01/10/2012 12:40 AM, Shahab Vahabzadeh wrote:
> Hi Everybody,
> I have lots of Huawei MA5600 in my pop sites and my "display version"
> output is "VERSION: MA5600V300R003C05".
> Can anybody help me to know how I can enable "PPPoE Intermediate Agent or
> TR101" in these DSLAMs?
> Or let me know if this version of DSLAM supports this feature or not?
> I want to have port attributes too when users send to NAS and from that to
> Radius.
> Thanks
>

--
wbr, Sergey V. Lobanov
E-mail: sergey at lobanov.in

From jra at baylink.com Tue Jan 10 09:58:04 2012
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 10 Jan 2012 10:58:04 -0500 (EST)
Subject: So... my colo was just bought.
Message-ID: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>

By Knology.

Should I be scared?

My experiences with Knology have been fairly thin, but uniformly negative, for at least the last 5 years. But I know that the plural of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes. :-)

Cheers,
-- jra

--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

From bhmccie at gmail.com Tue Jan 10 10:05:27 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Tue, 10 Jan 2012 10:05:27 -0600
Subject: So... my colo was just bought.
In-Reply-To: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
Message-ID: <4F0C61C7.7070401@gmail.com>

Jay,
Do you know if they'll be keeping/maintaining your colo? Or is it too early for that kind of information?

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/10/2012 9:58 AM, Jay Ashworth wrote:
> By Knology.
>
> Should I be scared?
>
> My experiences with Knology have been fairly thin, but uniformly negative,
> for at least the last 5 years. But I know that the plural of 'anecdote' is
> not 'data'. That said, I'm accepting all anecdotes. :-)
>
> Cheers,
> -- jra

From dylan.ebner at crlmed.com Tue Jan 10 10:28:51 2012
From: dylan.ebner at crlmed.com (Dylan Ebner)
Date: Tue, 10 Jan 2012 16:28:51 +0000
Subject: So... my colo was just bought.
In-Reply-To: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
Message-ID: <017265BF3B9640499754DD48777C3D207206E5B110@MBX9.EXCHPROD.USA.NET>

Jay-

We experienced a similar situation 5 or 6 years ago. We were in a SAS70-II colo that had great staff and an impressive track record. They were national, but not huge. When we picked them, we had two colo providers that were competing for our business. The other was the company that bought our colo. In the end, we made our decision not on price/options, but we felt the smaller company would give us better service. We were right. The new owners are enormous and corporate thinks they are the best thing since sliced bread. I can tell you they are not. Since the buyout, we have had too many account reps to count on one hand, they are never local and they never seem to care. Getting anything done inside the DC is so complicated we almost never use our remote hands. Even getting into the DC now takes 15 minutes because of all the checks we have to go through.
Unfortunately where I am located there are only 2 colos that can provide 15kw/rack reliably, and one company owns both of them.

-----Original Message-----
From: Jay Ashworth [mailto:jra at baylink.com]
Sent: Tuesday, January 10, 2012 9:58 AM
To: NANOG
Subject: So... my colo was just bought.

By Knology.

Should I be scared?

My experiences with Knology have been fairly thin, but uniformly negative, for at least the last 5 years. But I know that the plural of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes. :-)

Cheers,
-- jra

--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

From dholmes at mwdh2o.com Tue Jan 10 11:23:53 2012
From: dholmes at mwdh2o.com (Holmes,David A)
Date: Tue, 10 Jan 2012 09:23:53 -0800
Subject: So... my colo was just bought.
In-Reply-To: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
Message-ID: <922ACC42D498884AA02B3565688AF9953402FBA519@USEXMBS01.mwd.h2o>

In the 2002-2003 time frame I worked for a company that colo'd strategic business servers in various telco facilities (big names, some that are still in business today), but these telcos had no problem with closing down the colo and giving 6 months notice to all tenants, with very little advanced notice. So this created a situation where a replacement site had to be found, space leased, equipment purchased, network bandwidth negotiated and purchased, etc. within that 6 month timeframe, or face the consequences of being essentially out of business. I can't speak for the company that is the subject of the email though, only of what has happened to me in the past.

-----Original Message-----
From: Jay Ashworth [mailto:jra at baylink.com]
Sent: Tuesday, January 10, 2012 7:58 AM
To: NANOG
Subject: So... my colo was just bought.
By Knology.

Should I be scared?

My experiences with Knology have been fairly thin, but uniformly negative, for at least the last 5 years. But I know that the plural of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes. :-)

Cheers,
-- jra

--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

This communication, together with any attachments or embedded links, is for the sole use of the intended recipient(s) and may contain information that is confidential or legally protected. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, dissemination, distribution or use of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by return e-mail message and delete the original and all copies of the communication, along with any attachments or embedded links, from your system.

From patrick at zill.net Tue Jan 10 11:31:28 2012
From: patrick at zill.net (Patrick Giagnocavo)
Date: Tue, 10 Jan 2012 12:31:28 -0500
Subject: So... my colo was just bought.
In-Reply-To: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
Message-ID: <4F0C75F0.9000100@zill.net>

On 1/10/2012 10:58 AM, Jay Ashworth wrote:
> By Knology.
>
> Should I be scared?
>
> My experiences with Knology have been fairly thin, but uniformly negative,
> for at least the last 5 years. But I know that the plural of 'anecdote' is
> not 'data'. That said, I'm accepting all anecdotes. :-)
>
> Cheers,
> -- jra

You have to read the contract you signed. If it is still valid ("survivable" I think is the phrase?) then you have less to worry about. If not, they can mess with you a lot.

Expect all the local guys you dealt with to be gone in 6 months.
--Patrick

From gfitzpatrick at telx.com Tue Jan 10 12:20:20 2012
From: gfitzpatrick at telx.com (George Fitzpatrick)
Date: Tue, 10 Jan 2012 12:20:20 -0600
Subject: So... my colo was just bought.
In-Reply-To: <4F0C75F0.9000100@zill.net>
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com> <4F0C75F0.9000100@zill.net>
Message-ID:

If folks are having colo. issues please take a look at Telx.
We will be in San Diego as well.
In the meantime let's talk.

Thanks,
George
917.371.7257

-----Original Message-----
From: Patrick Giagnocavo [mailto:patrick at zill.net]
Sent: Tuesday, January 10, 2012 12:31 PM
To: nanog at nanog.org
Subject: Re: So... my colo was just bought.

On 1/10/2012 10:58 AM, Jay Ashworth wrote:
> By Knology.
>
> Should I be scared?
>
> My experiences with Knology have been fairly thin, but uniformly
> negative, for at least the last 5 years. But I know that the plural
> of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes.
> :-)
>
> Cheers,
> -- jra

You have to read the contract you signed. If it is still valid ("survivable" I think is the phrase?) then you have less to worry about.
If not, they can mess with you a lot.

Expect all the local guys you dealt with to be gone in 6 months.

--Patrick

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
______________________________________________________________________

From pauldotwall at gmail.com Tue Jan 10 12:58:33 2012
From: pauldotwall at gmail.com (Paul WALL)
Date: Tue, 10 Jan 2012 18:58:33 +0000
Subject: So... my colo was just bought.
In-Reply-To:
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com> <4F0C75F0.9000100@zill.net>
Message-ID:

George,

We appreciate your sponsorship but using the NANOG mailing list to sell your colo is inappropriate.

Best Regards,
Paul

On Tue, Jan 10, 2012 at 6:20 PM, George Fitzpatrick wrote:
> If folks are having colo.
> issues please take a look at Telx.
> We will be in San Diego as well.
> In the meantime let's talk.
>
> Thanks,
> George
> 917.371.7257
>
> -----Original Message-----
> From: Patrick Giagnocavo [mailto:patrick at zill.net]
> Sent: Tuesday, January 10, 2012 12:31 PM
> To: nanog at nanog.org
> Subject: Re: So... my colo was just bought.
>
> On 1/10/2012 10:58 AM, Jay Ashworth wrote:
>> By Knology.
>>
>> Should I be scared?
>>
>> My experiences with Knology have been fairly thin, but uniformly
>> negative, for at least the last 5 years. But I know that the plural
>> of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes.
>> :-)
>>
>> Cheers,
>> -- jra
>
> You have to read the contract you signed. If it is still valid ("survivable" I think is the phrase?) then you have less to worry about.
> If not, they can mess with you a lot.
>
> Expect all the local guys you dealt with to be gone in 6 months.
>
> --Patrick
>
>
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> ______________________________________________________________________

From gfitzpatrick at telx.com Tue Jan 10 13:01:26 2012
From: gfitzpatrick at telx.com (George Fitzpatrick)
Date: Tue, 10 Jan 2012 13:01:26 -0600
Subject: So... my colo was just bought.
In-Reply-To:
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com> <4F0C75F0.9000100@zill.net>
Message-ID:

Yes sorry for the post, Thanks.

-----Original Message-----
From: Paul WALL [mailto:pauldotwall at gmail.com]
Sent: Tuesday, January 10, 2012 1:59 PM
To: George Fitzpatrick
Cc: nanog at nanog.org
Subject: Re: So... my colo was just bought.

George,

We appreciate your sponsorship but using the NANOG mailing list to sell your colo is inappropriate.

Best Regards,
Paul

On Tue, Jan 10, 2012 at 6:20 PM, George Fitzpatrick wrote:
> If folks are having colo. issues please take a look at Telx.
> We will be in San Diego as well.
> In the meantime let's talk.
>
> Thanks,
> George
> 917.371.7257
>
> -----Original Message-----
> From: Patrick Giagnocavo [mailto:patrick at zill.net]
> Sent: Tuesday, January 10, 2012 12:31 PM
> To: nanog at nanog.org
> Subject: Re: So... my colo was just bought.
>
> On 1/10/2012 10:58 AM, Jay Ashworth wrote:
>> By Knology.
>>
>> Should I be scared?
>>
>> My experiences with Knology have been fairly thin, but uniformly
>> negative, for at least the last 5 years. But I know that the plural
>> of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes.
>> :-)
>>
>> Cheers,
>> -- jra
>
> You have to read the contract you signed. If it is still valid ("survivable" I think is the phrase?) then you have less to worry about.
> If not, they can mess with you a lot.
>
> Expect all the local guys you dealt with to be gone in 6 months.
>
> --Patrick
>
>
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> ______________________________________________________________________

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
______________________________________________________________________

From bmanning at vacation.karoshi.com Tue Jan 10 13:07:28 2012
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Tue, 10 Jan 2012 19:07:28 +0000
Subject: So... my colo was just bought.
In-Reply-To:
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com> <4F0C75F0.9000100@zill.net>
Message-ID: <20120110190728.GB28224@vacation.karoshi.com.>

darn... and I was going to sublease some rack space in my sub-basement...

/bill

On Tue, Jan 10, 2012 at 06:58:33PM +0000, Paul WALL wrote:
> George,
>
> We appreciate your sponsorship but using the NANOG mailing list to
> sell your colo is inappropriate.
>
> Best Regards,
> Paul
>
> On Tue, Jan 10, 2012 at 6:20 PM, George Fitzpatrick wrote:
> > If folks are having colo. issues please take a look at Telx.
> > We will be in San Diego as well.
> > In the meantime let's talk.
> >
> > Thanks,
> > George
> > 917.371.7257
> >
> > -----Original Message-----
> > From: Patrick Giagnocavo [mailto:patrick at zill.net]
> > Sent: Tuesday, January 10, 2012 12:31 PM
> > To: nanog at nanog.org
> > Subject: Re: So... my colo was just bought.
> >
> > On 1/10/2012 10:58 AM, Jay Ashworth wrote:
> >> By Knology.
> >>
> >> Should I be scared?
> >>
> >> My experiences with Knology have been fairly thin, but uniformly
> >> negative, for at least the last 5 years. But I know that the plural
> >> of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes.
> >> :-)
> >>
> >> Cheers,
> >> -- jra
> >
> > You have to read the contract you signed. If it is still valid ("survivable" I think is the phrase?) then you have less to worry about.
> > If not, they can mess with you a lot.
> >
> > Expect all the local guys you dealt with to be gone in 6 months.
> >
> > --Patrick
>

From bclark at spectraaccess.com Tue Jan 10 13:56:53 2012
From: bclark at spectraaccess.com (Bret Clark)
Date: Tue, 10 Jan 2012 14:56:53 -0500
Subject: So... my colo was just bought.
In-Reply-To: <4F0C75F0.9000100@zill.net>
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com> <4F0C75F0.9000100@zill.net>
Message-ID: <4F0C9805.7070409@spectraaccess.com>

On 01/10/2012 12:31 PM, Patrick Giagnocavo wrote:
> Expect all the local guys you dealt with to be gone in 6 months.
> --Patrick

It's unfortunate just how true this will be.
Bret

From deric.kwok2000 at gmail.com Tue Jan 10 16:43:03 2012
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Tue, 10 Jan 2012 17:43:03 -0500
Subject: bgp question
Message-ID:

Hi all

When we get new IP, we should let the upstream know to export it as there should be a rule on their side.

How about the upstream provider, do they need to let all their BGP interconnects know about our new IP?

If not, can I know how it works?

If they don't have rules with each other, is it any problem?

Thank you so much

From jof at thejof.com Tue Jan 10 16:48:30 2012
From: jof at thejof.com (Jonathan Lassoff)
Date: Tue, 10 Jan 2012 14:48:30 -0800
Subject: bgp question
In-Reply-To:
References:
Message-ID:

On Tue, Jan 10, 2012 at 2:43 PM, Deric Kwok wrote:
> Hi all
>
> When we get new IP, we should let the upstream know to export it as
> there should be a rule on their side.
>
> How about the upstream provider, do they need to let all their BGP
> interconnects know about our new IP?
>
> If not, can I know how it works?
>
> If they don't have rules with each other, is it any problem?
>

It depends on your upstream ISPs.

Conventionally, some choose to place exact filters in place on BGP announcements that exactly match IP space that is registered with a RIR or LIR, some build those filters from IRR sources, and others just filter on the number of prefixes you're sending (to avoid sending a whole table out on accident). I'm sure there are some other filtering schemes in place around the world.

In the case of exact filters, you'll need to contact your upstream ISPs and ask them to update their filters.
In the case of IRR-sourced filtering information, update the prefixes that you originate with your IRR provider.
And in the case of max-prefix filtering, ask your ISP what they have their equipment set to.
Cheers,
jof

From brez at brezworks.com Tue Jan 10 17:24:47 2012
From: brez at brezworks.com (Jeremy Bresley)
Date: Tue, 10 Jan 2012 17:24:47 -0600
Subject: Comcast DNSSEC
Message-ID: <4F0CC8BF.1080009@brezworks.com>

Hadn't seen this mentioned yet.

http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html

Comcast has signed all their managed domains, as well as deployed DNSSEC resolvers for their customers. And they're encouraging others to make the jump to DNSSEC now as well, especially e-comm/banking sites.

Nice work guys, any of the Comcast guys on the list want to give us an idea how much work is involved in this from a large-scale service provider perspective to do it? Any big caveats you encountered that people should watch out for?

Jeremy "TheBrez" Bresley
brez at brezworks.com

From alter3d at alter3d.ca Tue Jan 10 19:10:56 2012
From: alter3d at alter3d.ca (Peter Kristolaitis)
Date: Tue, 10 Jan 2012 20:10:56 -0500
Subject: Comcast DNSSEC
In-Reply-To: <4F0CC8BF.1080009@brezworks.com>
References: <4F0CC8BF.1080009@brezworks.com>
Message-ID: <4F0CE1A0.6030603@alter3d.ca>

Wow! Congrats to the Comcast crew, that's absolutely awesome!

Definitely interested in hearing any "lessons learned" that you can share from the exercise.

- Pete

On 1/10/2012 6:24 PM, Jeremy Bresley wrote:
> Hadn't seen this mentioned yet.
>
> http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html
>
> Comcast has signed all their managed domains, as well as deployed
> DNSSEC resolvers for their customers. And they're encouraging others
> to make the jump to DNSSEC now as well, especially e-comm/banking sites.
>
> Nice work guys, any of the Comcast guys on the list want to give us an
> idea how much work is involved in this from a large-scale service
> provider perspective to do it? Any big caveats you encountered that
> people should watch out for?
>
> Jeremy "TheBrez" Bresley
> brez at brezworks.com
>

From cb.list6 at gmail.com Tue Jan 10 19:43:28 2012
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Tue, 10 Jan 2012 17:43:28 -0800
Subject: Comcast DNSSEC
In-Reply-To: <4F0CE1A0.6030603@alter3d.ca>
References: <4F0CC8BF.1080009@brezworks.com> <4F0CE1A0.6030603@alter3d.ca>
Message-ID:

On Jan 10, 2012 5:11 PM, "Peter Kristolaitis" wrote:
>
> Wow! Congrats to the Comcast crew, that's absolutely awesome!
>

+1

Between dnssec and ipv6 Comcast has shown true internet evolution leadership in their *actions*, which really stands out in an industry full of talk.

Cb

> Definitely interested in hearing any "lessons learned" that you can share from the exercise.
>
> - Pete
>
> On 1/10/2012 6:24 PM, Jeremy Bresley wrote:
>>
>> Hadn't seen this mentioned yet.
>>
>> http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html
>>
>> Comcast has signed all their managed domains, as well as deployed DNSSEC resolvers for their customers. And they're encouraging others to make the jump to DNSSEC now as well, especially e-comm/banking sites.
>>
>> Nice work guys, any of the Comcast guys on the list want to give us an idea how much work is involved in this from a large-scale service provider perspective to do it? Any big caveats you encountered that people should watch out for?
>>
>> Jeremy "TheBrez" Bresley
>> brez at brezworks.com
>>
>

From streiner at cluebyfour.org Tue Jan 10 18:58:09 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Tue, 10 Jan 2012 19:58:09 -0500 (EST)
Subject: bgp question
In-Reply-To:
References:
Message-ID:

On Tue, 10 Jan 2012, Deric Kwok wrote:
> When we get new IP, we should let the upstream know to export it as
> there should be a rule on their side.

Correct. Ideally, two things happen:

1.
You tell your upstreams and peers about the new space, and they update whatever prefix filters they have in place for your network.

2. You update your own outbound BGP filters wherever necessary so that you can announce the new prefix, aggregated to the extent possible, when you're ready.

> How about the upstream provider, do they need to let all their BGP
> interconnects know about our new IP?

They might. It depends on the relationship your upstreams have with their neighbors. Different providers have different criteria for what they'll accept and how they manage their filters. If your upstreams need to have their upstreams and/or peers update their BGP filters, it is their responsibility to notify them. Note that this can add to the amount of time it will take before your direct upstreams are ready to accept and propagate your new prefix. Some providers might require that your new prefix be registered in one of several routing registries, and they'll update their filters based on your new registry data.

jms

From i.grok at comcast.net Tue Jan 10 23:58:31 2012
From: i.grok at comcast.net (Scott Schmit)
Date: Wed, 11 Jan 2012 00:58:31 -0500
Subject: Comcast DNSSEC
In-Reply-To: <4F0CC8BF.1080009@brezworks.com>
References: <4F0CC8BF.1080009@brezworks.com>
Message-ID: <20120111055831.GA2427@odin.ulthar.us>

On Tue, Jan 10, 2012 at 05:24:47PM -0600, Jeremy Bresley wrote:
> Hadn't seen this mentioned yet.
>
> http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html
>
> Comcast has signed all their managed domains, as well as deployed
> DNSSEC resolvers for their customers. And they're encouraging
> others to make the jump to DNSSEC now as well, especially
> e-comm/banking sites.

Very cool, but they haven't signed *all* of them. comcast.net still isn't signed, nor are any of the reverse zones, nor is comcastonline.com (in Comcast's SOAs).

You can probably quibble about whether the reverse zones are important, but comcast.net is quite a significant miss.
(Email, DNS, their "more information links", etc.)

Still, I'm glad they're doing it, and hopefully reality will catch up with their announcement soon. :-)

--
Scott Schmit

From bonomi at mail.r-bonomi.com Wed Jan 11 01:05:26 2012
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Wed, 11 Jan 2012 01:05:26 -0600 (CST)
Subject: Comcast DNSSEC
In-Reply-To: <20120111055831.GA2427@odin.ulthar.us>
Message-ID: <201201110705.q0B75QF4088053@mail.r-bonomi.com>

> From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Wed Jan 11 00:02:13 2012
> Date: Wed, 11 Jan 2012 00:58:31 -0500
> From: Scott Schmit
> To: nanog at nanog.org
> Subject: Re: Comcast DNSSEC
>
> On Tue, Jan 10, 2012 at 05:24:47PM -0600, Jeremy Bresley wrote:
> > Hadn't seen this mentioned yet.
> >
> > http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html
> >
> > Comcast has signed all their managed domains, as well as deployed
> > DNSSEC resolvers for their customers. And they're encouraging
> > others to make the jump to DNSSEC now as well, especially
> > e-comm/banking sites.
>
> Very cool, but they haven't signed *all* of them. comcast.net still
> isn't signed, nor are any of the reverse zones, nor is comcastonline.com
> (in Comcast's SOAs).
>
> You can probably quibble about whether the reverse zones are important,
> but comcast.net is quite a significant miss. (Email, DNS, their "more
> information links", etc.)
>
> Still, I'm glad they're doing it, and hopefully reality will catch up
> with their announcement soon. :-)
>
> --
> Scott Schmit
>

From joelja at bogus.com Wed Jan 11 01:34:33 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Tue, 10 Jan 2012 23:34:33 -0800
Subject: BOF at NANOG 54 - IPV4 runout, doing more with less.
Message-ID: <4F0D3B89.6040204@bogus.com>

Greetings,

The BOF topic that I proposed during the recent thread: Re: Sad IPv4 story? Got approved, I'm still looking for 1-2 additional speakers to round out the agenda.
To recap:

* IPV4 run-out means new entrants will from the outset deploy techniques the present operators consider undesirable.
* IPV6 should be appearing as part and parcel of new greenfield projects I would think.
* On the vendor side CGN hardware is becoming a mature product space.
* Datacenter/ICP operators confront a similar set of problems both supporting outgoing connections for large pools and incoming termination.

If you have thoughts on any or all of these subjects your fellow NANOG participants are likely to be a receptive audience.

In particular I think our colleagues running access networks would be potentially interested in thoughtful commentary on some of the following:

* Port constrained or deterministic nat mappings e.g. draft-donley-behave-deterministic-cgn-00
* What the near term state of residential/small business cpe are, and what if anything they're still missing to be suitable for ipv6 deployment.
* What scaling properties and pitfalls have been encountered with big stateful translation systems either nat44 or nat64.

If you'd like a formal slot on the agenda, please reach out to me. If you simply have an interest in this area let me know and we'll see if we can fit your topic in the plan.

Thanks
joel

From mohta at necom830.hpcl.titech.ac.jp Wed Jan 11 08:58:25 2012
From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta)
Date: Wed, 11 Jan 2012 23:58:25 +0900
Subject: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?
In-Reply-To: <68424.1325204802@turing-police.cc.vt.edu>
References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF14814.2080709@bowenvale.co.nz> <4F214584-12C3-42BC-A38B-13D991B9B4A0@muada.com> <4EFB09D8.3000107@necom830.hpcl.titech.ac.jp> <4EFB11F3.1090007@necom830.hpcl.titech.ac.jp> <14160.1325099085@turing-police.cc.vt.edu> <4EFBD594.2000604@necom830.hpcl.titech.ac.jp> <30391.1325139437@turing-police.cc.vt.edu> <82ipkzwxhv.fsf@mid.bfk.de> <38375.1325160093@turing-police.cc.vt.edu> <4EFC62C9.9030101@necom830.hpcl.titech.ac.jp> <44691.1325175089@turing-police.cc.vt.edu> <4EFCE9F8.2040604@necom830.hpcl.titech.ac.jp> <68424.1325204802@turing-police.cc.vt.edu>
Message-ID: <4F0DA391.9090900@necom830.hpcl.titech.ac.jp>

Valdis.Kletnieks at vt.edu wrote:

>> Beyond that, if there are multiple routers, having a default
>> router and relying

> Yes yes we know, and we've understood this for a quarter century or so. My
> disagreement is that even though 99.8% of machines *don't* have multiple
> routers, you seem to be pedantically insisting that some sort of IGP is
> mandatory for *all* end hosts, even though only 0.2% or so will actually see
> any benefit at all..

Not.

Though hosts should implement some IGPs, the default can be to just depend on default routers supplied from DHCP.

A better default could be that IGP will be automatically invoked if DHCP does not supply a default router.

If multiple IGPs are implemented, snooping IGPs' advertisement to know which is the locally available IGP may also be a good idea.

My point w.r.t. multiple next hop routers is that RA supplied information is not good enough, which means DHCP is no worse than RA even if there are multiple next hop routers.
Masataka Ohta

From Jason_Livingood at cable.comcast.com Wed Jan 11 14:03:32 2012
From: Jason_Livingood at cable.comcast.com (Livingood, Jason)
Date: Wed, 11 Jan 2012 20:03:32 +0000
Subject: Comcast DNSSEC
In-Reply-To: <20120111055831.GA2427@odin.ulthar.us>
Message-ID:

>Very cool, but they haven't signed *all* of them. comcast.net still
>isn't signed, nor are any of the reverse zones, nor is comcastonline.com
>(in Comcast's SOAs).

We'll be there very soon. Sometimes unplanned work in other areas pulls resources temporarily, conspiring against the best plans. ;-)

- JL

>Still, I'm glad they're doing it, and hopefully reality will catch up
>with their announcement soon. :-)
>
>--
>Scott Schmit
>

From william.allen.simpson at gmail.com Wed Jan 11 14:12:38 2012
From: william.allen.simpson at gmail.com (William Allen Simpson)
Date: Wed, 11 Jan 2012 15:12:38 -0500
Subject: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?
In-Reply-To: <4F0DA391.9090900@necom830.hpcl.titech.ac.jp>
References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF14814.2080709@bowenvale.co.nz> <4F214584-12C3-42BC-A38B-13D991B9B4A0@muada.com> <4EFB09D8.3000107@necom830.hpcl.titech.ac.jp> <4EFB11F3.1090007@necom830.hpcl.titech.ac.jp> <14160.1325099085@turing-police.cc.vt.edu> <4EFBD594.2000604@necom830.hpcl.titech.ac.jp> <30391.1325139437@turing-police.cc.vt.edu> <82ipkzwxhv.fsf@mid.bfk.de> <38375.1325160093@turing-police.cc.vt.edu> <4EFC62C9.9030101@necom830.hpcl.titech.ac.jp> <44691.1325175089@turing-police.cc.vt.edu> <4EFCE9F8.2040604@necom830.hpcl.titech.ac.jp> <68424.1325204802@turing-police.cc.vt.edu> <4F0DA391.9090900@necom830.hpcl.titech.ac.jp>
Message-ID: <4F0DED36.9000005@gmail.com>

On 1/11/12 9:58 AM, Masataka Ohta wrote:
> A better default could be that IGP will be automatically invoked
> if DHCP does not supply a default router.
>
That's ridiculous. You need some link state to even find a DHCP server.
So, the very idea that DHCP would tell you where your routers are is preposterous on its face.

Besides, that's terrible system design. You should never design a system where some code paths aren't exercised regularly.

> If multiple IGPs are implemented, snooping IGPs'
> advertisement to know which is the locally available IGP may
> also be a good idea.
>
> My point w.r.t. multiple next hop routers is that RA supplied
> information is not good enough, which means DHCP is no
> worse than RA even if there are multiple next hop routers.
>
I've not read the whole thread yet (I had read the start what seems to be weeks ago), but I'll pipe up here and point out that in my _original_ design, every host was running a link state IGP.

Even without any router at all, you need link state to handle mobile nodes, hidden terminals, partitioned networks, satellite versus land-line unidirectional links, etc, etc, etc.

Of course, all that was ripped out by the ignorant folks who came later. Thus, IPv6 is much worse at self-configuration, security, mobility, and *everything* than originally envisioned.

From mailinglists.chk at gmail.com Wed Jan 11 14:14:29 2012
From: mailinglists.chk at gmail.com (chk)
Date: Wed, 11 Jan 2012 12:14:29 -0800
Subject: RoadRunner/Adelphia AS14065 contact
Message-ID: <4F0DEDA5.7070000@gmail.com>

If there is a Roadrunner contact monitoring the list can you please contact me off list regarding a routing issue from ns1/2.adelphia.net

Thanks.

From jra at baylink.com Wed Jan 11 15:36:32 2012
From: jra at baylink.com (Jay Ashworth)
Date: Wed, 11 Jan 2012 16:36:32 -0500 (EST)
Subject: So... my colo was just bought.
In-Reply-To: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
Message-ID: <24438852.4514.1326317792792.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Jay Ashworth"

> By Knology.
>
> Should I be scared?
>
> My experiences with Knology have been fairly thin, but uniformly negative,
> for at least the last 5 years. But I know that the plural of 'anecdote' is
> not 'data'. That said, I'm accepting all anecdotes. :-)

And what I got was lots of stories about how bad "my colo just got bought by $BIGCO" can suck. For which, thanks... but I already knew that.

I had been more interested in whether people had opinions about *the buyer*, Knology, which might counteract my personal, but anecdotal, bad impression.

No one actually appears to have anything specifically bad to say about them, so I guess that's good.

Cheers,
-- jr 'waggles finger at the people who *called* them cause of my post' a

--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From jra at baylink.com Wed Jan 11 15:38:02 2012
From: jra at baylink.com (Jay Ashworth)
Date: Wed, 11 Jan 2012 16:38:02 -0500 (EST)
Subject: So... my colo was just bought.
In-Reply-To: <24438852.4514.1326317792792.JavaMail.root@benjamin.baylink.com>
Message-ID: <21369785.4516.1326317882787.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Jay Ashworth"

> No one actually appears to have anything specifically bad to say about
> them, so I guess that's good.

And for the record, I've been quite happy with E-Sol; as long as Knology plays no games with the staff, I don't expect any problems.

Cheers,
-- jra

From bclark at spectraaccess.com Wed Jan 11 16:00:39 2012
From: bclark at spectraaccess.com (Bret Clark)
Date: Wed, 11 Jan 2012 17:00:39 -0500
Subject: So... my colo was just bought.
In-Reply-To: <21369785.4516.1326317882787.JavaMail.root@benjamin.baylink.com>
References: <21369785.4516.1326317882787.JavaMail.root@benjamin.baylink.com>
Message-ID: <4F0E0687.1030205@spectraaccess.com>

On 01/11/2012 04:38 PM, Jay Ashworth wrote:
> And for the record, I've been quite happy with E-Sol; as long as Knology
> plays no games with the staff, I don't expect any problems.
>
> Cheers,
> -- jra

It's extremely important you let the right people in Knology know that.

Bret

From jra at baylink.com Wed Jan 11 16:18:41 2012
From: jra at baylink.com (Jay Ashworth)
Date: Wed, 11 Jan 2012 17:18:41 -0500 (EST)
Subject: So... my colo was just bought.
In-Reply-To: <4F0E0687.1030205@spectraaccess.com>
Message-ID: <20342361.4522.1326320321578.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Bret Clark"

> On 01/11/2012 04:38 PM, Jay Ashworth wrote:
> > And for the record, I've been quite happy with E-Sol; as long as
> > Knology plays no games with the staff, I don't expect any problems.
>
> It's extremely important you let the right people in Knology know
> that.

Wouldn't it be pretty to think The Right People just saw it? :-)

Cheers,
-- jra

From jra at baylink.com Wed Jan 11 16:41:15 2012
From: jra at baylink.com (Jay Ashworth)
Date: Wed, 11 Jan 2012 17:41:15 -0500 (EST)
Subject: Monday Night Footbal -- on Google?
Message-ID: <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com>

In this week's CES coverage on Marketplace, venture capitalist Mark Suster of GRP Partners opines that Google will bid on the broadcast rights to MNF within the next 5 years.
http://www.marketplace.org/topics/tech/ces-2012/future-television-way-we-watch

Is 'The Internet' ready to deliver live 1080p HD with very close to zero dropouts to 25-30 million viewers for 4 hours straight every week, yet?

People don't mind buffering in cat videos, but I'm pretty sure they don't want Tim Tebow's last pass of the game interrupted by an hourglass for 5 seconds.

Will CDN's help this? Multicast? Or is this just a yawn story for you guys who run "the backbone" these days?

Cheers,
-- jra

From Valdis.Kletnieks at vt.edu Wed Jan 11 18:11:54 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 11 Jan 2012 19:11:54 -0500
Subject: Monday Night Footbal -- on Google?
In-Reply-To: Your message of "Wed, 11 Jan 2012 17:41:15 EST." <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com>
References: <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com>
Message-ID: <4221.1326327114@turing-police.cc.vt.edu>

On Wed, 11 Jan 2012 17:41:15 EST, Jay Ashworth said:
> Is 'The Internet' ready to deliver live 1080p HD with very close to zero
> dropouts to 25-30 million viewers for 4 hours straight every week, yet?

Depends how much compression you use. :)

From djahandarie at gmail.com Wed Jan 11 19:04:06 2012
From: djahandarie at gmail.com (Darius Jahandarie)
Date: Wed, 11 Jan 2012 20:04:06 -0500
Subject: Monday Night Footbal -- on Google?
In-Reply-To: <4221.1326327114@turing-police.cc.vt.edu>
References: <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com> <4221.1326327114@turing-police.cc.vt.edu>
Message-ID:

On Wed, Jan 11, 2012 at 19:11, wrote:
> On Wed, 11 Jan 2012 17:41:15 EST, Jay Ashworth said:
>
>> Is 'The Internet' ready to deliver live 1080p HD with very close to zero
>> dropouts to 25-30 million viewers for 4 hours straight every week, yet?
>
> Depends how much compression you use. :)

We will certainly see the next frontier of bitrate starvation. And y'all thought shoving 50 channels on a single satellite transceiver tier was bad!

--
Darius Jahandarie

From gfitzpatrick at telx.com Wed Jan 11 19:19:57 2012
From: gfitzpatrick at telx.com (George Fitzpatrick)
Date: Thu, 12 Jan 2012 01:19:57 +0000
Subject: Monday Night Footbal -- on Google?
In-Reply-To:
Message-ID: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local>

Smart tv's should help, no?

----- Original Message -----
From: Darius Jahandarie [mailto:djahandarie at gmail.com]
Sent: Wednesday, January 11, 2012 08:04 PM
To: NANOG
Subject: Re: Monday Night Footbal -- on Google?

On Wed, Jan 11, 2012 at 19:11, wrote:
> On Wed, 11 Jan 2012 17:41:15 EST, Jay Ashworth said:
>
>> Is 'The Internet' ready to deliver live 1080p HD with very close to zero
>> dropouts to 25-30 million viewers for 4 hours straight every week, yet?
>
> Depends how much compression you use. :)

We will certainly see the next frontier of bitrate starvation. And y'all thought shoving 50 channels on a single satellite transceiver tier was bad!

--
Darius Jahandarie

From Valdis.Kletnieks at vt.edu Wed Jan 11 19:32:23 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 11 Jan 2012 20:32:23 -0500
Subject: Monday Night Footbal -- on Google?
In-Reply-To: Your message of "Thu, 12 Jan 2012 01:19:57 GMT." <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local>
References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local>
Message-ID: <8359.1326331943@turing-police.cc.vt.edu>

On Thu, 12 Jan 2012 01:19:57 GMT, George Fitzpatrick said:
> Smart tv's should help, no?

Only so much.

No matter what they show on CSI about enhancing video, if that stream got compressed so the football Tim Tebow just threw is just a brown ellipse, there's no legitimate way to put the seams back on that sucker.

From tagno25 at gmail.com Wed Jan 11 20:20:32 2012
From: tagno25 at gmail.com (Philip Dorr)
Date: Wed, 11 Jan 2012 20:20:32 -0600
Subject: Monday Night Footbal -- on Google?
In-Reply-To: <8359.1326331943@turing-police.cc.vt.edu>
References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu>
Message-ID:

On Wed, Jan 11, 2012 at 7:32 PM, wrote:
> On Thu, 12 Jan 2012 01:19:57 GMT, George Fitzpatrick said:
>> Smart tv's should help, no?
>
> Only so much.
>
> No matter what they show on CSI about enhancing video, if that stream got
> compressed so the football Tim Tebow just threw is just a brown ellipse,
> there's no legitimate way to put the seams back on that sucker.
>
But the TV should only be receiving one stream at a time, unless there is pip. Each stream would probably be around 5mbps.

If multicast is used it shouldn't take 150pbps, it should be much lower.
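Philip's point above in numbers, as an added example that is not part of the thread: a small Python model of a three-tier delivery tree that compares the load each link carries under unicast (one copy of the stream per viewer) with multicast (one copy per link, per stream). The 30 million viewers and roughly 5 Mb/s per stream come from the discussion; the tier fan-outs (20 core links, 2,000 distribution links, one access link per viewer) and the even spread of viewers across links are constructed assumptions. It also goes one step further than the message and shows where multicast does not help: every access link still carries a full copy per viewer, and a picture-in-picture set pulls one copy per stream in either mode.

```python
"""Unicast vs multicast link load for one live video stream.

Added example (constructed, not from the NANOG thread). Viewer count,
per-stream bitrate and the tier fan-outs below are assumptions.
"""
import math
from dataclasses import dataclass

MBPS = 1_000_000  # bits per second in one megabit (decimal, as link speeds are quoted)


@dataclass(frozen=True)
class Tier:
    """One tier of the delivery tree: `links` parallel links, viewers spread evenly."""
    name: str
    links: int


# Constructed topology: 20 core links (one per regional PoP), 2,000 distribution
# links, and one access link per viewer.
VIEWERS = 30_000_000
STREAM_BPS = 5 * MBPS
TIERS = (
    Tier("core", 20),
    Tier("distribution", 2_000),
    Tier("access", VIEWERS),
)


def unicast_origin_bps(viewers: int, stream_bps: int) -> int:
    """Aggregate egress at the origin when every viewer gets a private copy."""
    return viewers * stream_bps


def per_link_bps(tiers, viewers, stream_bps, multicast, streams=1):
    """Bits/s carried by one link at each tier, keyed by tier name.

    Unicast: a link carries one copy per stream for every viewer downstream of it.
    Multicast: a link carries one copy per stream no matter how many viewers are
    below it. `streams` > 1 models a set pulling several streams (picture-in-picture).
    """
    load = {}
    for tier in tiers:
        if multicast:
            load[tier.name] = stream_bps * streams
        else:
            viewers_behind = math.ceil(viewers / tier.links)
            load[tier.name] = viewers_behind * stream_bps * streams
    return load


def tier_total_bps(tiers, viewers, stream_bps, multicast, streams=1):
    """Bits/s summed over all links of each tier, keyed by tier name."""
    per_link = per_link_bps(tiers, viewers, stream_bps, multicast, streams)
    return {tier.name: per_link[tier.name] * tier.links for tier in tiers}


if __name__ == "__main__":
    for mode in (False, True):
        label = "multicast" if mode else "unicast"
        for name, bps in per_link_bps(TIERS, VIEWERS, STREAM_BPS, mode).items():
            print(f"{label:9s} {name:12s} per-link {bps / 1e9:14.3f} Gb/s")
```

Under these assumptions the unicast origin must push 150 Tb/s and each core link 7.5 Tb/s, while under multicast a core link carries a single 5 Mb/s copy; the access tier is 5 Mb/s per link either way, which is why multicast relieves the backbone but not the last mile.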
From streiner at cluebyfour.org Wed Jan 11 16:45:37 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Wed, 11 Jan 2012 17:45:37 -0500 (EST)
Subject: Monday Night Footbal -- on Google?
In-Reply-To:
References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu>
Message-ID:

On Wed, 11 Jan 2012, Philip Dorr wrote:
> But the TV should only be receiving one stream at a time, unless there
> is pip. Each stream would probably be around 5mbps.
>
> If multicast is used it shouldn't take 150pbps, it should be much lower.

That could be one of the things that helps spur v6 adoption - multicast being somewhat less of an afterthought :)

While v4 multicast works, and delivering video is one of the things it can do very well, some networks don't route v4 multicast or exchange v4 multicast prefixes, so its utility on a wide scale can be limited.

jms

From tvhawaii at shaka.com Wed Jan 11 20:40:51 2012
From: tvhawaii at shaka.com (Michael Painter)
Date: Wed, 11 Jan 2012 16:40:51 -1000
Subject: Monday Night Footbal -- on Google?
References: <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com> <4221.1326327114@turing-police.cc.vt.edu>
Message-ID: <7FD35F1C279D440E934534B59FCEF247@owner59e1f1502>

Darius Jahandarie wrote:
> On Wed, Jan 11, 2012 at 19:11, wrote:
>> On Wed, 11 Jan 2012 17:41:15 EST, Jay Ashworth said:
>>
>>> Is 'The Internet' ready to deliver live 1080p HD with very close to zero
>>> dropouts to 25-30 million viewers for 4 hours straight every week, yet?
>>
>> Depends how much compression you use. :)
>
> We will certainly see the next frontier of bitrate starvation. And
> y'all thought shoving 50 channels on a single satellite transceiver
> tier was bad!

Not sure where/what you're talking about, but here in the U.S.A, Dish Network and DirecTV seem to put a max of 7 MPEG 4 HD channels on a *transponder*.
http://www.satelliteguys.us/thelist/index.php?page=sub

--Michael

From djahandarie at gmail.com Wed Jan 11 20:54:50 2012
From: djahandarie at gmail.com (Darius Jahandarie)
Date: Wed, 11 Jan 2012 21:54:50 -0500
Subject: Monday Night Footbal -- on Google?
In-Reply-To: <7FD35F1C279D440E934534B59FCEF247@owner59e1f1502>
References: <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com> <4221.1326327114@turing-police.cc.vt.edu> <7FD35F1C279D440E934534B59FCEF247@owner59e1f1502>
Message-ID:

On Wed, Jan 11, 2012 at 21:40, Michael Painter wrote:
> Not sure where/what you're talking about, but here in the U.S.A, Dish
> Network and DirecTV seem to put a max of 7 MPEG 4 HD channels on a
> *transponder*.
> http://www.satelliteguys.us/thelist/index.php?page=sub
>
> --Michael
>

Referring to some Japanese stations, like ATX-HD. It's not actually 30, but it's pretty bad. It's a brilliant stream of blocks you get back, not sure if you'd call it video... :p

--
Darius Jahandarie

From jra at baylink.com Wed Jan 11 22:00:06 2012
From: jra at baylink.com (Jay Ashworth)
Date: Wed, 11 Jan 2012 23:00:06 -0500 (EST)
Subject: Monday Night Football -- on Google?
In-Reply-To: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local>
Message-ID: <4476842.4624.1326340806015.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "George Fitzpatrick"

> Smart tv's should help, no?

Maybe, maybe not. I think not, and for the reason I just posted as a comment on Marketplace's story:

I call it the Compatible Color problem. Due to DMCA, SOPA, and other such corporate paranoia legislation purchased by the large media conglomerates, we may end up in a situation where you need one box to watch Netflix, another box to watch Google, and so on and so on, yada yada.

Once Congress gets over thinking it's cute to be ignorant of how the internet works ("series of tubes, right?"), that probably won't play in Washington anymore than it plays in Peoria...
but I hope it doesn't wait to *start* getting worked on until "The Super Bowl is next Sunday! And my TV doesn't *do* Google!!!"

Cause that Would Be Bad.

(These problems have, of course, Already Been Solved. But the media companies aren't interested in those solutions, cause they don't make it possible for those companies to charge you for the same product 14 times, for your TV, your computer, your smartphone, your game console, your car....)

Cheers,
-- jra

From jra at baylink.com Wed Jan 11 22:06:42 2012
From: jra at baylink.com (Jay Ashworth)
Date: Wed, 11 Jan 2012 23:06:42 -0500 (EST)
Subject: Monday Night Footbal -- on Google?
In-Reply-To:
Message-ID: <15429452.4628.1326341202514.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Philip Dorr"

> But the TV should only be receiving one stream at a time, unless there
> is pip. Each stream would probably be around 5mbps.

I believe you're an optimist.

Weekly football is probably the second most important thing on a TV network behind the championships for whatever sport they're carrying, in a year. I'm not saying you need the whole 19mbps (though, remember here, we are not talking about "Additional Carriage"; we are talking about *being the only way people can see that game* -- and my example was the Super Bowl).. but unless MPEG algorithms have gotten *much* better than I'm aware of, 5mb/s is probably not enough for the Super Bowl.

And you'd really be better off with some FEC, too, even if it costs you a couple frames extra delay.

Cheers,
-- jra

From jra at baylink.com Wed Jan 11 22:08:15 2012
From: jra at baylink.com (Jay Ashworth)
Date: Wed, 11 Jan 2012 23:08:15 -0500 (EST)
Subject: Monday Night Footbal -- on Google?
In-Reply-To: <7FD35F1C279D440E934534B59FCEF247@owner59e1f1502>
Message-ID: <16554396.4630.1326341295740.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Michael Painter"

> Not sure where/what you're talking about, but here in the U.S.A, Dish
> Network and DirecTV seem to put a max of 7 MPEG 4 HD
> channels on a *transponder*.
> http://www.satelliteguys.us/thelist/index.php?page=sub

Yup; at varying bit rates; I worked for a program provider to both, and I know just how fast the price goes up if you need enough signal to handle even *slow* motion. :-)

Cheers,
-- jra

From tvhawaii at shaka.com Wed Jan 11 23:14:52 2012
From: tvhawaii at shaka.com (Michael Painter)
Date: Wed, 11 Jan 2012 19:14:52 -1000
Subject: Monday Night Footbal -- on Google?
References: <16554396.4630.1326341295740.JavaMail.root@benjamin.baylink.com>
Message-ID: <0254F3C559F64AC4A85BAA64761A144B@owner59e1f1502>

Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Michael Painter"
>
>> Not sure where/what you're talking about, but here in the U.S.A, Dish
>> Network and DirecTV seem to put a max of 7 MPEG 4 HD
>> channels on a *transponder*.
>> http://www.satelliteguys.us/thelist/index.php?page=sub
>
> Yup; at varying bit rates; I worked for a program provider to both, and I
> know just how fast the price goes up if you need enough signal to handle
> even *slow* motion.
:-) > > Cheers, > -- jra Cool. Is information about who buys what closely guarded? If you have seen the effects of 'starving' content with fast motion, I'd be interested in hearing what that looked like. I'm familiar with resolution vs. screen size vs. viewing distance factors, btw. Thanks, --Michael From oscar.vives at gmail.com Thu Jan 12 03:33:08 2012 From: oscar.vives at gmail.com (Tei) Date: Thu, 12 Jan 2012 10:33:08 +0100 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Message-ID: On 5 January 2012 16:22, Jay Ashworth wrote: > Vint Cerf says no: http://j.mp/wwL9Ip > > But I wonder to what degree that's dependent on how much our governments make > Internet access the most practical/only practical way to interact with them. > > Understand: I'm not saying that FiOS should be a human right. But as a > society, America's recognized for decades that you gotta have a telephone, > and subsidized local/lifeline service to that extent; that sort of subsidy > applies to cellular phones now as well. > > Thoughts? > You don't need a new right. The human rights include education and access to be able to participate in your culture. A human banned from using the internet would not have access to culture, and would be banned from participating in it. Based on this page: http://en.wikipedia.org/wiki/Human_rights 5.5 5.7 5.7.* Practical terms: The ugly conclusion is that you can put a man in jail, but that doesn't include banning such a man from accessing the internet. Say you put a cracker in jail. The judge has to remove two rights from him: the right to walk freely anywhere, and the right to post in his favorite forum/mailing list. -- -- End of message.
From paul at impletec.com Thu Jan 12 10:11:49 2012 From: paul at impletec.com (Paul Kaminsky) Date: Thu, 12 Jan 2012 18:11:49 +0200 Subject: In search of uplink vendor Message-ID: Hi all, We are at a stage where we need an all-out uplink vendor to fuel our business endeavor. The bells and whistles we need are: 1. 1 Gbps link with complete block of UDP/ICMP protocol 2. BGP session with our AS 3. Ability to blackhole (no route to host) by /32 prefix 4. Presence in Equinix SV1 or SV5 (San Jose) DC's - this is not mandatory, we're open for suggestions If you feel your company measures up or is a cut above the rest, please get in touch with us to discuss the specific details. Cheers Paul From streiner at cluebyfour.org Thu Jan 12 07:01:58 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Thu, 12 Jan 2012 08:01:58 -0500 (EST) Subject: In search of uplink vendor In-Reply-To: References: Message-ID: On Thu, 12 Jan 2012, Paul Kaminsky wrote: > We are at a stage where we need an all-out uplink vendor to fuel our business endeavor. The bells and whistles we need are: > > 1. 1 Gbps link with complete block of UDP/ICMP protocol > 2. BGP session with our AS > 3. Ability to blackhole (no route to host) by /32 prefix > 4. Presence in Equinix SV1 or SV5 (San Jose) DC's - this is not mandatory, we're open for suggestions > > If you feel your company measures up or is a cut above the rest, please >get in touch with us to discuss the specific details. Note: I am not a vendor. One question: 1. Not knowing anything about your business, is there a specific reason that you want "a complete block of UDP/ICMP protocol"? That can be problematic with IPv4, and downright foolish with IPv6. 
jms From bmanning at vacation.karoshi.com Thu Jan 12 11:07:35 2012 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Thu, 12 Jan 2012 17:07:35 +0000 Subject: In search of uplink vendor In-Reply-To: References: Message-ID: <20120112170735.GB29157@vacation.karoshi.com.> On Thu, Jan 12, 2012 at 08:01:58AM -0500, Justin M. Streiner wrote: > On Thu, 12 Jan 2012, Paul Kaminsky wrote: > > >We are at a stage where we need an all-out uplink vendor to fuel our > >business endeavor. The bells and whistles we need are: > > > >1. 1 Gbps link with complete block of UDP/ICMP protocol > >2. BGP session with our AS > >3. Ability to blackhole (no route to host) by /32 prefix > >4. Presence in Equinix SV1 or SV5 (San Jose) DC's - this is not mandatory, > >we're open for suggestions > > > >If you feel your company measures up or is a cut above the rest, please > >get in touch with us to discuss the specific details. > > Note: I am not a vendor. > > One question: > 1. Not knowing anything about your business, is there a specific reason > that you want "a complete block of UDP/ICMP protocol"? That can be > problematic with IPv4, and downright foolish with IPv6. > > jms perhaps we are walking around w/ incomplete notions of what constitutes a "complete block of UDP/ICMP protocol"... for me, literally, this makes no sense whatsoever. ratcheting back on my literal filter (be liberal in what you accept) I believe what he is asking for is a contiguous block of IP addresses for use in his network. am also making the inference that he is only looking for IPv4 (no route to host by /32 prefix). so the only remaining, burning question is - what size block? a /33? a /31? maybe a /28? or a /22? a /19? (the /33 is right out... filtering on /32 would block both hosts!) I think it's quite reasonable to expect a contiguous block of addresses, regardless of address family. Not at all "downright foolish". It is rare to see someone -not- get a contiguous block. ymmv of course.
/bill From morrowc.lists at gmail.com Thu Jan 12 11:16:04 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Thu, 12 Jan 2012 12:16:04 -0500 Subject: In search of uplink vendor In-Reply-To: References: Message-ID: On Thu, Jan 12, 2012 at 8:01 AM, Justin M. Streiner wrote: > On Thu, 12 Jan 2012, Paul Kaminsky wrote: > >> We are at a stage where we need an all-out uplink vendor to fuel our >> business endeavor. The bells and whistles we need are: >> >> 1. 1 Gbps link with complete block of UDP/ICMP protocol >> 2. BGP session with our AS you have an asn? >> 3. Ability to blackhole (no route to host) by /32 prefix >> 4. Presence in Equinix SV1 or SV5 (San Jose) DC's - this is not mandatory, >> we're open for suggestions >> >> If you feel your company measures up or is a cut above the rest, please >> get in touch with us to discuss the specific details. > > > Note: I am not a vendor. > > One question: > 1. Not knowing anything about your business, is there a specific reason that > you want "a complete block of UDP/ICMP protocol"? That can be problematic > with IPv4, and downright foolish with IPv6. > maybe he's upset that his current EU provider is in Sannyvale not Sunnyvale?
inetnum: 109.206.160.0 - 109.206.191.255
netname: SERVEREL
descr: Serverel Corp.
country: EU
org: ORG-SC64-RIPE
admin-c: SN2485-RIPE
tech-c: SN2485-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: SERVEREL-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: SERVEREL-MNT
mnt-domains: SERVEREL-MNT
source: RIPE # Filtered

organisation: ORG-SC64-RIPE
org-name: Serverel Corp
org-type: OTHER
address: 970 Corte Madera ave, Sannyvale, CA, US
phone: +18772467863
abuse-mailbox: abuse at serverel.com
admin-c: AN495-RIPE
ripe.. you may want to clean up some data here :) Also, that small townhouse, it surprises me that someone was able to get a gig pipe into it... especially with a /19 assigned. Odd, why is RIPE supplying space to what seems like clearly an ARIN region endpoint?
-chris > jms > From streiner at cluebyfour.org Thu Jan 12 07:41:23 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Thu, 12 Jan 2012 08:41:23 -0500 (EST) Subject: In search of uplink vendor In-Reply-To: <20120112170735.GB29157@vacation.karoshi.com.> References: <20120112170735.GB29157@vacation.karoshi.com.> Message-ID: On Thu, 12 Jan 2012, bmanning at vacation.karoshi.com wrote: > On Thu, Jan 12, 2012 at 08:01:58AM -0500, Justin M. Streiner wrote: >> On Thu, 12 Jan 2012, Paul Kaminsky wrote: >>> 1. 1 Gbps link with complete block of UDP/ICMP protocol >> One question: >> 1. Not knowing anything about your business, is there a specific reason >> that you want "a complete block of UDP/ICMP protocol"? That can be >> problematic with IPv4, and downright foolish with IPv6. > perhaps we are walking around w/ incomplete notions of what > constitutes a "complete block of UDP/ICMP protocol"... My notion of the original statement was that the OP was looking for a provider that would block all UDP and ICMP, as in firewalls and packet filters. I also made the possibly-incorrect assumption that if the OP has an ASN from which to announce prefixes, it would also be reasonable to expect that they already have at least one prefix to announce. From that angle, 'problematic' and 'downright foolish' is not such a far walk ;) jms From bmanning at vacation.karoshi.com Thu Jan 12 11:43:08 2012 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Thu, 12 Jan 2012 17:43:08 +0000 Subject: In search of uplink vendor In-Reply-To: References: <20120112170735.GB29157@vacation.karoshi.com.> Message-ID: <20120112174308.GD29157@vacation.karoshi.com.> On Thu, Jan 12, 2012 at 08:41:23AM -0500, Justin M. Streiner wrote: > On Thu, 12 Jan 2012, bmanning at vacation.karoshi.com wrote: > > >On Thu, Jan 12, 2012 at 08:01:58AM -0500, Justin M. Streiner wrote: > >>On Thu, 12 Jan 2012, Paul Kaminsky wrote: > >>>1.
1 Gbps link with complete block of UDP/ICMP protocol > >>One question: > >>1. Not knowing anything about your business, is there a specific reason > >>that you want "a complete block of UDP/ICMP protocol"? That can be > >>problematic with IPv4, and downright foolish with IPv6. > > > perhaps we are walking around w/ incomplete notions of what > > constitutes a "complete block of UDP/ICMP protocol"... > > My notion of the original statement was that the OP was looking for a > provider that would block all UDP and ICMP, as in firewalls and packet > filters. I also made the possibly-incorrect assumption that if the OP > has an ASN from which to announce prefixes, it would also be reasonable to > expect that they already have at least one prefix to announce. > > From that angle, 'problematic' and 'downright foolish' is not such a far > walk ;) > > jms Indeed. and now i am curious.. what business plan/product/service could make money w/o ICMP or UDP access.. ??? /bill From bicknell at ufp.org Thu Jan 12 11:50:06 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 12 Jan 2012 09:50:06 -0800 Subject: In search of uplink vendor In-Reply-To: <20120112174308.GD29157@vacation.karoshi.com.> References: <20120112170735.GB29157@vacation.karoshi.com.> <20120112174308.GD29157@vacation.karoshi.com.> Message-ID: <20120112175006.GA64623@ussenterprise.ufp.org> In a message written on Thu, Jan 12, 2012 at 05:43:08PM +0000, bmanning at vacation.karoshi.com wrote: > Indeed. and now i am curious.. what business plan/product/service > could make money w/o ICMP or UDP access.. ??? Turn the OP's e-mail into a URL: http://www.impletec.com/ Impletec Traffic Laboratory was established with the aim to develop and provide high-load solutions for Network Engineering, CDN, DDoS Protection and other high-level network services. At the highest possible standards, with minimum hassle and lowest expense to you - our valued customer.
I know of a half dozen "DDoS Protection ISP's" that block all UDP and ICMP. It also fits with his desire to have a blackhole community by the /32 with his upstream. I don't know if this sort of filter all ICMP behavior is more a symptom of the providers or their customer bases, but regardless of the source it makes most of the sites behind these services very slow and/or unreachable from some locations. I'm not sure posting "I'm a DDoS magnet" on NANOG will get a lot of people jumping up to offer service, or good rates! :) -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From morrowc.lists at gmail.com Thu Jan 12 12:59:36 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Thu, 12 Jan 2012 13:59:36 -0500 Subject: In search of uplink vendor In-Reply-To: <20120112175006.GA64623@ussenterprise.ufp.org> References: <20120112170735.GB29157@vacation.karoshi.com.> <20120112174308.GD29157@vacation.karoshi.com.> <20120112175006.GA64623@ussenterprise.ufp.org> Message-ID: On Thu, Jan 12, 2012 at 12:50 PM, Leo Bicknell wrote: > Turn the OP's e-mail into a URL: http://www.impletec.com/ > > Impletec Traffic Laboratory was established with the aim to develop and > provide high-load solutions for Network Engineering, CDN, DDoS > Protection and other high-level network services. At the highest > possible standards, with minimum hassle and lowest expense to you - our > valued customer. wait, they are a dos mitigation service provider and they can't handle udp/icmp traffic? so ... really: "We do dos mitigation for tcp services, we outsource the udp/icmp to someone else" ?
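Streiner's "problematic with IPv4, and downright foolish with IPv6" and Leo's "very slow and/or unreachable from some locations" share one root cause: a few ICMP messages are not optional. IPv4 path MTU discovery needs ICMP type 3 code 4 (fragmentation needed), IPv6 path MTU discovery needs ICMPv6 type 2 (packet too big) because IPv6 routers never fragment, and IPv6 neighbour discovery is itself ICMPv6 (types 133-137, RFC 4861; RFC 4890 lists what a firewall must never drop). A filter that drops all of it silently black-holes every TCP session whose segments exceed the smallest MTU on the path, which is exactly the "slow from some locations" symptom. The script below is an added example for this thread, not code from any poster, the OP or any provider named here: a Linux netfilter rule generator that keeps the "drop UDP and ICMP" intent but carves out the types the transport layer depends on. The prefixes (RFC 5737 / RFC 3849 documentation space), the chain names and the choice to attach the chain to FORWARD are assumptions; by default it only prints the iptables/ip6tables commands for review and executes them only when APPLY=1.

```shell
#!/bin/sh
# Added example (not code from the thread): a "drop UDP and ICMP" policy that
# keeps the ICMP messages path MTU discovery and IPv6 neighbour discovery need.
# Everything below is printed, not executed, unless APPLY=1 is set.

# Assumed, documentation-only prefixes (RFC 5737 / RFC 3849) standing in for
# the customer's announced space.
PROTECTED4="${PROTECTED4:-192.0.2.0/24}"
PROTECTED6="${PROTECTED6:-2001:db8:1::/48}"

# run_or_print CMD...: execute when APPLY=1, otherwise print the command line.
run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# ipv4_rules: all UDP to the prefix is dropped; ICMP is dropped except the
# types the stack relies on. Order matters: the allowlist precedes the DROP.
ipv4_rules() {
    run_or_print iptables -N PROTECT4
    run_or_print iptables -A FORWARD -d "$PROTECTED4" -j PROTECT4
    # destination-unreachable includes code 4 (fragmentation needed); without
    # it PMTUD fails and large TCP segments silently disappear
    run_or_print iptables -A PROTECT4 -p icmp --icmp-type destination-unreachable -j ACCEPT
    # time-exceeded keeps traceroute working for whoever has to debug this
    run_or_print iptables -A PROTECT4 -p icmp --icmp-type time-exceeded -j ACCEPT
    # echo-request rate-limited: still pingable, not usable as a reflector at line rate
    run_or_print iptables -A PROTECT4 -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
    run_or_print iptables -A PROTECT4 -p icmp -j DROP
    run_or_print iptables -A PROTECT4 -p udp -j DROP
    run_or_print iptables -A PROTECT4 -j RETURN
}

# ipv6_rules: same shape, but the allowlist is larger because IPv6 cannot
# work at all without ICMPv6 (RFC 4890 lists what must never be dropped).
ipv6_rules() {
    run_or_print ip6tables -N PROTECT6
    run_or_print ip6tables -A FORWARD -d "$PROTECTED6" -j PROTECT6
    # packet-too-big is the only PMTUD signal in IPv6; routers do not fragment
    run_or_print ip6tables -A PROTECT6 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
    for t in destination-unreachable time-exceeded parameter-problem; do
        run_or_print ip6tables -A PROTECT6 -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # neighbour discovery (RFC 4861): needed wherever this chain also filters
    # the box's own link traffic (INPUT); harmless on a pure transit path
    for t in router-solicitation router-advertisement neighbor-solicitation neighbor-advertisement; do
        run_or_print ip6tables -A PROTECT6 -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    run_or_print ip6tables -A PROTECT6 -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/second -j ACCEPT
    run_or_print ip6tables -A PROTECT6 -p icmpv6 -j DROP
    run_or_print ip6tables -A PROTECT6 -p udp -j DROP
    run_or_print ip6tables -A PROTECT6 -j RETURN
}

main() {
    ipv4_rules
    ipv6_rules
}

main "$@"
```

Run it once without APPLY to read the generated rules, then with APPLY=1 on the filtering box. The UDP drop still removes inbound DNS replies for any resolver inside the protected prefix, so hosts behind such a filter either resolve through something outside it or have to live with DNS over TCP; that is a consequence of the OP's requirement, not of this script.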
From network.ipdog at gmail.com Thu Jan 12 13:45:58 2012 From: network.ipdog at gmail.com (Network IP Dog) Date: Thu, 12 Jan 2012 11:45:58 -0800 Subject: In search of uplink vendor In-Reply-To: <20120112175006.GA64623@ussenterprise.ufp.org> References: <20120112170735.GB29157@vacation.karoshi.com.> <20120112174308.GD29157@vacation.karoshi.com.> <20120112175006.GA64623@ussenterprise.ufp.org> Message-ID: <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com> QUOTE " I know of a half dozen "DDoS Protection ISP's" that block all UDP and ICMP" Isn't this Internet censorship? Ephesians 4:32 & Cheers!!! -----Original Message----- From: Leo Bicknell [mailto:bicknell at ufp.org] Sent: Thursday, January 12, 2012 9:50 AM To: NANOG Subject: Re: In search of uplink vendor In a message written on Thu, Jan 12, 2012 at 05:43:08PM +0000, bmanning at vacation.karoshi.com wrote: > ndeed. and now i am curious.. what business plan/product/service > could make money w/o ICMP or UDP access.. ??? Turn the OP's e-mail into a URL: http://www.impletec.com/ Impletec Traffic Laboratory was established with the aim to develop and provide high-load solutions for Network Engineering, CDN, DDoS Protection and other high-level network services. At the highest possible standards, with minimum hassle and lowest expense to you - our valued customer. I know of a half dozen "DDoS Protection ISP's" that block all UDP and ICMP. It also fits with his desire to have a blackhole community by the /32 with his upstream. I don't know if this sort of filter all ICMP behavior is more a symtom of the providers or their customer bases, but regardless of the source it makes most of the sites behind these services very slow and/or unreachable from some locations. I'm not sure posting "I'm a DDoS magnet" on NANOG will get a lot of people jumping up to offer service, or good rates! 
:) -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From bicknell at ufp.org Thu Jan 12 13:53:24 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 12 Jan 2012 11:53:24 -0800 Subject: In search of uplink vendor In-Reply-To: <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com> References: <20120112170735.GB29157@vacation.karoshi.com.> <20120112174308.GD29157@vacation.karoshi.com.> <20120112175006.GA64623@ussenterprise.ufp.org> <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com> Message-ID: <20120112195324.GA69767@ussenterprise.ufp.org> In a message written on Thu, Jan 12, 2012 at 11:45:58AM -0800, Network IP Dog wrote: > QUOTE " I know of a half dozen "DDoS Protection ISP's" that block all UDP > and ICMP" > > Isn't this Internet censorship? It's not censorship when you pay someone to stuff a sock in your own mouth. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From bmanning at vacation.karoshi.com Thu Jan 12 13:58:25 2012 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Thu, 12 Jan 2012 19:58:25 +0000 Subject: In search of uplink vendor In-Reply-To: <20120112195324.GA69767@ussenterprise.ufp.org> References: <20120112170735.GB29157@vacation.karoshi.com.> <20120112174308.GD29157@vacation.karoshi.com.> <20120112175006.GA64623@ussenterprise.ufp.org> <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com> <20120112195324.GA69767@ussenterprise.ufp.org> Message-ID: <20120112195825.GA4598@vacation.karoshi.com.> On Thu, Jan 12, 2012 at 11:53:24AM -0800, Leo Bicknell wrote: > In a message written on Thu, Jan 12, 2012 at 11:45:58AM -0800, Network IP Dog wrote: > > QUOTE " I know of a half dozen "DDoS Protection ISP's" that block all UDP > > and ICMP" > > > > Isn't this Internet censorship?
> > It's not censorship when you pay someone to stuff a sock in your > own mouth. > Yes it is... :) when you do it yourself or pay to have it done for you. /bill From Valdis.Kletnieks at vt.edu Thu Jan 12 14:02:00 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 12 Jan 2012 15:02:00 -0500 Subject: In search of uplink vendor In-Reply-To: Your message of "Thu, 12 Jan 2012 11:53:24 PST." <20120112195324.GA69767@ussenterprise.ufp.org> References: <20120112170735.GB29157@vacation.karoshi.com> <20120112174308.GD29157@vacation.karoshi.com> <20120112175006.GA64623@ussenterprise.ufp.org> <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com> <20120112195324.GA69767@ussenterprise.ufp.org> Message-ID: <17127.1326398520@turing-police.cc.vt.edu> On Thu, 12 Jan 2012 11:53:24 PST, Leo Bicknell said: > In a message written on Thu, Jan 12, 2012 at 11:45:58AM -0800, Network IP Dog wrote: > > Isn't this Internet censorship? > > It's not censorship when you pay someone to stuff a sock in your > own mouth. Corollary: It is, however, censorship when somebody tries to shut down websites about the practice. ;) From jra at baylink.com Thu Jan 12 14:16:56 2012 From: jra at baylink.com (Jay Ashworth) Date: Thu, 12 Jan 2012 15:16:56 -0500 (EST) Subject: In search of uplink vendor In-Reply-To: <20120112170735.GB29157@vacation.karoshi.com.> Message-ID: <9053814.4748.1326399416279.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: bmanning at vacation.karoshi.com > > >1. 1 Gbps link with complete block of UDP/ICMP protocol > > One question: > > 1. Not knowing anything about your business, is there a specific reason > > that you want "a complete block of UDP/ICMP protocol"? That can be > > problematic with IPv4, and downright foolish with IPv6.
> > perhaps we are walking around w/ incomplete notions of what > constitutes a "complete block of UDP/ICMP protocol"... > > for me, literally, this makes no sense whatsoever. ratcheting back > on my literal filter (be liberal in what you accept) I believe > what he is asking for is a contiguous block of IP addresses > for use in his network. am also making the inference that he is > only looking for IPv4 (no route to host by /32 prefix). Well, I dunno; I concur with jms: I assumed he meant "where the provider drops all incoming UDP and ICMP traffic addressed towards my IP space on the floor". Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From jra at baylink.com Thu Jan 12 14:18:59 2012 From: jra at baylink.com (Jay Ashworth) Date: Thu, 12 Jan 2012 15:18:59 -0500 (EST) Subject: In search of uplink vendor In-Reply-To: <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com> Message-ID: <13924436.4750.1326399539460.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Network IP Dog" > Isn't this Internet censorship? Repeat after me: It's not censorship unless it's imposed by a government. I don't know that "per speaker" or "per topic" are required, but they're common. Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From whtn0ise at goeaston.net Thu Jan 12 14:38:04 2012 From: whtn0ise at goeaston.net (whtn0ise) Date: Thu, 12 Jan 2012 15:38:04 -0500 Subject: Looking for Capitol One, NA POC Message-ID: <4F0F44AC.1080208@goeaston.net> If there is a member of Capitol One North America's IT/Security on this distro, please contact me off line.
From paul at paulstewart.org Thu Jan 12 15:02:49 2012 From: paul at paulstewart.org (Paul Stewart) Date: Thu, 12 Jan 2012 16:02:49 -0500 Subject: Linux Centralized Administration Message-ID: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> Hey folks... just curious what people are using for automating updates to Linux boxes? Today, we manually do YUM updates to all the CentOS servers... just an example but a good one. I have heard there are some open source solutions similar to that of Red Hat Network? Cheers, Paul From Valdis.Kletnieks at vt.edu Thu Jan 12 15:07:53 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 12 Jan 2012 16:07:53 -0500 Subject: Linux Centralized Administration In-Reply-To: Your message of "Thu, 12 Jan 2012 16:02:49 EST." <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> Message-ID: <20681.1326402473@turing-police.cc.vt.edu> On Thu, 12 Jan 2012 16:02:49 EST, Paul Stewart said: > Today, we manually do YUM updates to all the CentOS servers... just an > example but a good one. I have heard there are some open source solutions > similar to that of Red Hat Network? You can configure yum-updatesd to download and/or apply new updates automagically. Whether that's a good idea is a different question. From cra at WPI.EDU Thu Jan 12 15:09:54 2012 From: cra at WPI.EDU (Chuck Anderson) Date: Thu, 12 Jan 2012 16:09:54 -0500 Subject: Linux Centralized Administration In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> Message-ID: <20120112210954.GE5069@angus.ind.WPI.EDU> On Thu, Jan 12, 2012 at 04:02:49PM -0500, Paul Stewart wrote: > Hey folks... just curious what people are using for automating updates to > Linux boxes?
yum > Today, we manually do YUM updates to all the CentOS servers . just an > example but a good one. I have heard there are some open source solutions > similar to that of Red Hat Network?
yum install yum-cron
chkconfig yum-cron on
service yum-cron start
From md1clv at md1clv.com Thu Jan 12 15:10:20 2012 From: md1clv at md1clv.com (Daniel Ankers) Date: Thu, 12 Jan 2012 21:10:20 +0000 Subject: Linux Centralized Administration In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> Message-ID: On 12 January 2012 21:02, Paul Stewart wrote: > Hey folks. just curious what people are using for automating updates to > Linux boxes? > > Today, we manually do YUM updates to all the CentOS servers . just an > example but a good one. I have heard there are some open source solutions > similar to that of Red Hat Network? It so happens that just yesterday I stumbled across Spacewalk (http://spacewalk.redhat.com) - which is the open source version of RHN Satellite. I ran into a few problems setting the server up - but nothing too difficult to solve, and client installation is a breeze. Dan From jof at thejof.com Thu Jan 12 15:11:21 2012 From: jof at thejof.com (Jonathan Lassoff) Date: Thu, 12 Jan 2012 13:11:21 -0800 Subject: Linux Centralized Administration In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> Message-ID: On Thu, Jan 12, 2012 at 1:02 PM, Paul Stewart wrote: > Hey folks. just curious what people are using for automating updates to > Linux boxes? > > > > Today, we manually do YUM updates to all the CentOS servers . just an > example but a good one. I have heard there are some open source solutions > similar to that of Red Hat Network? There's no tool I could recommend that would be very close to RHN.
However, for solving the problem of keeping packages up to date and systems in a known-state, I would recommend checking out some configuration management tools. There are several popular ones nowadays, though I personally prefer Puppet or Chef. Both are tools that allow administrators to declare what a system should look like, and abstract away the hard work of making that happen on a variety of platforms. In both cases, it's possible to monitor how well those tools are working and what they're doing in the background so that you can get an idea of what's up to date and what's not. Are you just trying to solve for making sure that packages are up to date? Making sure that running daemons are also up to date? Cheers, jof From Timothy.Green at ManTech.com Thu Jan 12 15:11:53 2012 From: Timothy.Green at ManTech.com (Green, Timothy) Date: Thu, 12 Jan 2012 16:11:53 -0500 Subject: Linux Centralized Administration In-Reply-To: <20120112210954.GE5069@angus.ind.WPI.EDU> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <20120112210954.GE5069@angus.ind.WPI.EDU> Message-ID: We are using Security Blanket. It's a COTS product that works really well.... -----Original Message----- From: Chuck Anderson [mailto:cra at WPI.EDU] Sent: Thursday, January 12, 2012 4:10 PM To: nanog at nanog.org Subject: Re: Linux Centralized Administration On Thu, Jan 12, 2012 at 04:02:49PM -0500, Paul Stewart wrote: > Hey folks. just curious what people are using for automating updates to > Linux boxes? yum > Today, we manually do YUM updates to all the CentOS servers . just an > example but a good one. I have heard there are some open source solutions > similar to that of Red Hat Network?
yum install yum-cron
chkconfig yum-cron on
service yum-cron start
From nmehrotra at riorey.com Thu Jan 12 15:13:01 2012 From: nmehrotra at riorey.com (Nitin Mehrotra) Date: Thu, 12 Jan 2012 16:13:01 -0500 (EST) Subject: Linux Centralized Administration In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> Message-ID: <1591778071.1934.1326402781450.JavaMail.root@zmail.riorey.com> We use puppet - http://puppetlabs.com/. Works good for us. Nitin ----- Original Message ----- From: "Paul Stewart" To: nanog at nanog.org Sent: Thursday, January 12, 2012 4:02:49 PM Subject: Linux Centralized Administration Hey folks. just curious what people are using for automating updates to Linux boxes? Today, we manually do YUM updates to all the CentOS servers . just an example but a good one. I have heard there are some open source solutions similar to that of Red Hat Network? Cheers, Paul From bret at getjive.com Thu Jan 12 15:16:31 2012 From: bret at getjive.com (Bret Palsson) Date: Thu, 12 Jan 2012 14:16:31 -0700 Subject: Linux Centralized Administration In-Reply-To: <1591778071.1934.1326402781450.JavaMail.root@zmail.riorey.com> References: <1591778071.1934.1326402781450.JavaMail.root@zmail.riorey.com> Message-ID: <09956662-73C2-4F69-A191-9D8310034D69@getjive.com> We use SALT, written in python and setup in 10 minutes. Seriously easy! Wickedly fast! http://saltstack.org/ -Bret On Jan 12, 2012, at 2:13 PM, Nitin Mehrotra wrote: > We use puppet - http://puppetlabs.com/. > > Works good for us. > > Nitin > > ----- Original Message ----- > From: "Paul Stewart" > To: nanog at nanog.org > Sent: Thursday, January 12, 2012 4:02:49 PM > Subject: Linux Centralized Administration > > Hey folks. just curious what people are using for automating updates to > Linux boxes? > > > > Today, we manually do YUM updates to all the CentOS servers . just an > example but a good one. I have heard there are some open source solutions > similar to that of Red Hat Network?
> > > > Cheers, > > > > Paul > > > > From tom at ninjabadger.net Thu Jan 12 15:20:39 2012 From: tom at ninjabadger.net (Tom Hill) Date: Thu, 12 Jan 2012 21:20:39 +0000 Subject: QinQ switch or similar In-Reply-To: <1A8A762BD508624A8BDAB9F5E1638F94601CBB76F5@comsrv01.fg.local> References: <1A8A762BD508624A8BDAB9F5E1638F94601CBB76F5@comsrv01.fg.local> Message-ID: <1326403239.2441.2.camel@teh-desktop> On Sun, 2012-01-08 at 14:06 -0600, Jensen Tyler wrote: > We have been using Ciena switches for QinQ. > > CN3920 would fit best for low cost. Pretty easy to use. The 3916 is one generation newer, cheaper, has a hardware FIB and therefore also does all the MPLS bits and bobs (though don't use that until 6.10, we're told.) If I remember rightly a 3920 can't pop-off an S-tag on egress, too. There's some silly limitation like that. Tom From orangewinds at gmail.com Thu Jan 12 15:24:10 2012 From: orangewinds at gmail.com (Jacob Taylor) Date: Thu, 12 Jan 2012 13:24:10 -0800 Subject: Linux Centralized Administration In-Reply-To: <09956662-73C2-4F69-A191-9D8310034D69@getjive.com> References: <1591778071.1934.1326402781450.JavaMail.root@zmail.riorey.com> <09956662-73C2-4F69-A191-9D8310034D69@getjive.com> Message-ID: Fabric is also a fine one, if you *don't* want abstraction of what you're doing: http://fabfile.org On Thu, Jan 12, 2012 at 1:16 PM, Bret Palsson wrote: > We use SALT, written in python and setup in 10 minutes. Seriously easy! Wickedly fast! > http://saltstack.org/ > > -Bret > On Jan 12, 2012, at 2:13 PM, Nitin Mehrotra wrote: > >> We use puppet - http://puppetlabs.com/. >> >> Works good for us. >> >> Nitin >> >> ----- Original Message ----- >> From: "Paul Stewart" >> To: nanog at nanog.org >> Sent: Thursday, January 12, 2012 4:02:49 PM >> Subject: Linux Centralized Administration >> >> Hey folks. just curious what people are using for automating updates to >> Linux boxes? >> >> >> >> Today, we manually do YUM updates to all the CentOS servers . 
>> just an
>> example but a good one. I have heard there are some open source solutions
>> similar to that of Red Hat Network?
>>
>> Cheers,
>>
>> Paul
>

From ikiris at gmail.com Thu Jan 12 15:26:06 2012
From: ikiris at gmail.com (Blake Dunlap)
Date: Thu, 12 Jan 2012 15:26:06 -0600
Subject: Linux Centralized Administration
In-Reply-To:
References: <1591778071.1934.1326402781450.JavaMail.root@zmail.riorey.com> <09956662-73C2-4F69-A191-9D8310034D69@getjive.com>
Message-ID:

I run spacewalk (as mentioned above), and have for some time. Once you get the errata importing set up, it's pretty much full RHN.

-Blake

From paul at paulstewart.org Thu Jan 12 15:30:22 2012
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 12 Jan 2012 16:30:22 -0500
Subject: Linux Centralized Administration
In-Reply-To:
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID: <011801ccd171$65ff1fb0$31fd5f10$@paulstewart.org>

Awesome! I remember someone telling me about this before and couldn't remember the name til now...

Cheers,

Paul

-----Original Message-----
From: Daniel Ankers [mailto:md1clv at md1clv.com]
Sent: Thursday, January 12, 2012 4:08 PM
To: Paul Stewart
Subject: Re: Linux Centralized Administration

On 12 January 2012 21:02, Paul Stewart wrote:
> Hey folks. just curious what people are using for automating updates
> to Linux boxes?
>
> Today, we manually do YUM updates to all the CentOS servers . just an
> example but a good one. I have heard there are some open source
> solutions similar to that of Red Hat Network?

It so happens that just yesterday I stumbled across Spacewalk (http://spacewalk.redhat.com) - which is the open source version of RHN Satellite. I ran into a few problems setting the server up - but nothing too difficult to solve, and client installation is a breeze.
Dan

From jcdill.lists at gmail.com Thu Jan 12 15:56:38 2012
From: jcdill.lists at gmail.com (JC Dill)
Date: Thu, 12 Jan 2012 13:56:38 -0800
Subject: In search of uplink vendor
In-Reply-To: <13924436.4750.1326399539460.JavaMail.root@benjamin.baylink.com>
References: <13924436.4750.1326399539460.JavaMail.root@benjamin.baylink.com>
Message-ID: <4F0F5716.5090907@gmail.com>

On 12/01/12 12:18 PM, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Network IP Dog"
>> Isn't this Internet censorship?
> Repeat after me: It's not censorship unless it's imposed by a government.

The wikipedia definition seems more accurate:

http://en.wikipedia.org/wiki/Censorship

" *Censorship* is the suppression of speech or other public communication which may be considered objectionable, harmful, sensitive, or inconvenient to the general body of people as determined by a government, media outlet, or other controlling body."

The key aspect that makes something censorship is that you can't easily get around the block by the "controlling body". Obviously, if you do it yourself or ask someone to do it for you (e.g. ask your upstream to filter) it's not censorship. If it's done by someone else, you have no say in the matter and no (easy and/or legal) opportunity to avoid the filtering, then it's censorship.

If Comcast or AT&T decided to filter/block requested data from reaching their customers (e.g. access to .xxx sites, access to torrents), we would all agree that this was censorship.

jc

From mpalmer at hezmatt.org Thu Jan 12 16:27:19 2012
From: mpalmer at hezmatt.org (Matthew Palmer)
Date: Fri, 13 Jan 2012 09:27:19 +1100
Subject: Linux Centralized Administration
In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID: <20120112222719.GC2949@hezmatt.org>

On Thu, Jan 12, 2012 at 04:02:49PM -0500, Paul Stewart wrote:
> Hey folks. just curious what people are using for automating updates to
> Linux boxes?
>
> Today, we manually do YUM updates to all the CentOS servers . just an
> example but a good one. I have heard there are some open source solutions
> similar to that of Red Hat Network?

At work, we use (and built) a tool called 'tingle' (https://github.com/anchor/tingle), which handles it all for us across our internal and managed-for-customers infrastructures.

Personally, I don't run CentOS, but I use unattended-upgrades on my personal herd of Debian machines, which works well enough.

- Matt

--
A woman in liquor production / Owns a still of exquisite construction.
The alcohol boils / Through magnetic coils.
She says that it's "proof by induction."
-- http://limerickdb.com/?34

From jna at retina.net Thu Jan 12 16:42:39 2012
From: jna at retina.net (John Adams)
Date: Thu, 12 Jan 2012 14:42:39 -0800
Subject: Linux Centralized Administration
In-Reply-To: <20120112222719.GC2949@hezmatt.org>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <20120112222719.GC2949@hezmatt.org>
Message-ID:

Here at Twitter we make extensive use of Puppet. It's great, but we had a hard learning curve and much customization to get it to work the way we wanted to.

I'd also recommend Chef, which is like Puppet but includes more tools (like a machine database) out of the box.

-j

On Thu, Jan 12, 2012 at 2:27 PM, Matthew Palmer wrote:
> On Thu, Jan 12, 2012 at 04:02:49PM -0500, Paul Stewart wrote:
> > Hey folks. just curious what people are using for automating updates to
> > Linux boxes?
> >
> > Today, we manually do YUM updates to all the CentOS servers . just an
> > example but a good one. I have heard there are some open source
> solutions
> > similar to that of Red Hat Network?
>
> At work, we use (and built) a tool called 'tingle'
> (https://github.com/anchor/tingle), which handles it all for us across our
> internal and managed-for-customers infrastructures.
>
> Personally, I don't run CentOS, but I use unattended-upgrades on my
> personal
> herd of Debian machines, which works well enough.
>
> - Matt
>
> --
> A woman in liquor production / Owns a still of exquisite construction.
> The alcohol boils / Through magnetic coils.
> She says that it's "proof by induction."
> -- http://limerickdb.com/?34
>

From source_route at yahoo.com Thu Jan 12 16:57:10 2012
From: source_route at yahoo.com (Philip Lavine)
Date: Thu, 12 Jan 2012 14:57:10 -0800 (PST)
Subject: community strings for Reliance Globalcom
Message-ID: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com>

does anybody have the community strings for Reliance Globalcom

From sfouant at shortestpathfirst.net Thu Jan 12 17:12:48 2012
From: sfouant at shortestpathfirst.net (Stefan Fouant)
Date: Thu, 12 Jan 2012 18:12:48 -0500
Subject: community strings for Reliance Globalcom
In-Reply-To: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com>
References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com>
Message-ID:

Not sure how up to date this is, but I believe this is what you are looking for:

http://www.onesc.net/communities/as15412/

Cheers,

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks
Follow us on Twitter @JuniperEducate

Sent from my iPad

On Jan 12, 2012, at 5:57 PM, Philip Lavine wrote:

> does anybody have the community strings for Reliance Globalcom

From mysidia at gmail.com Thu Jan 12 18:43:39 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Thu, 12 Jan 2012 18:43:39 -0600
Subject: Linux Centralized Administration
In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID:

On Thu, Jan 12, 2012 at 3:02 PM, Paul Stewart wrote:
>
> Today, we manually do YUM updates to all the CentOS servers . just an
> example but a good one. I have heard there are some open source solutions
> similar to that of Red Hat Network?
>

Something to think about before attempting to centrally manage, your systems actually have to be centrally manageable -- that doesn't happen automatically and requires extra work.

The just run yum update strategy is only reliable when all packages on the system were installed from RPM and all software RPMs installed are properly maintained by the vendor using Yum.

Some packages have updates that are distributed with Yum, but yum updating "breaks" the application, until a manual update procedure is completed. Sometimes an updated kernel won't boot. Sometimes, a third-party driver for RAID card X won't load in the patched kernel, and after a reboot, the OS never comes back up because it's sitting at a kernel panic message indicating no hard drive found.

Cacti/OpenNMS are good examples -- after a yum update to a new version, you must manually invoke, a potentially dangerous "installer" program or web page has to be used, after a new update, config files, or database schema have to be edited or patched by hand; until you manually take some action to "fix" the config, the application is broken after update. As soon as you attempt to restart the application it will shut down OK, but not come back up.

Occasionally, there is a library update that breaks binary compatibility with existing applications, for example a certain update to net-snmp-libs in Centos 5.something. yum-updatesd surely doesn't know when auto-applying an update will cause an important service to suddenly break.

To centrally manage effectively, you basically need a homogeneous environment with a configuration that is very close to stock config, so that effective testing is possible; homogeneous meaning an identical list of installed packages and software all installed the same way on every system centrally managed as a group, identical SKUs for every hardware component in every installation configured identically, same hw revisions, etc. No "extra" applications or files floating around on a one-off server.
So yum-updatesd would be a bad idea for production systems that have any third-party packages; even if YUM maintained. And even if YUM maintained, third party YUM repos may become neglected, or change into 404 errors, causing yum to break entirely.

Often commercial third-party software used on CentOS systems will be distributed in another format, such as .tar.gz. Yum cannot do much with that; the third party package will likely get neglected and not updated.

Often various applications you require may need versions of libraries or applications that are not yet available in RPM format, or they're part of Fedora instead. In any case, if you wind up rebuilding the RPM for CentOS using rpmbuild or installing from source, Yum update won't help you with those packages, and may break their dependencies later.

That might just be a testament to how poor the available packaged software selections are in CentOS, that commonly needed packages aren't part of the distribution; and commonly outdated versions of libraries are present.

But YUM-updatesd's usefulness certainly applies to less than 100% of systems.

--
-JH

From chaim.rieger at gmail.com Thu Jan 12 19:51:58 2012
From: chaim.rieger at gmail.com (chaim.rieger at gmail.com)
Date: Thu, 12 Jan 2012 17:51:58 -0800
Subject: Linux Centralized Administration
In-Reply-To:
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID: <4F0F8E3E.2020705@gmail.com>

On 1/12/2012 4:43 PM, Jimmy Hess wrote:
> On Thu, Jan 12, 2012 at 3:02 PM, Paul Stewart wrote:
>
>> Today, we manually do YUM updates to all the CentOS servers . just an
>> example but a good one. I have heard there are some open source solutions
>> similar to that of Red Hat Network?
>>
> Something to think about before attempting to centrally manage, your
> systems actually have to be centrally manageable -- that doesn't happen
> automatically and requires extra work.
>

this is why i never update.
i would rather build a new image and deploy it to the thousands of servers than worry about updates. be it an openssh security notice, or new ntp configuration, for me it is easier to rebuild servers than update config files.

From paul at paulgraydon.co.uk Thu Jan 12 19:55:35 2012
From: paul at paulgraydon.co.uk (Paul Graydon)
Date: Thu, 12 Jan 2012 15:55:35 -1000
Subject: Linux Centralized Administration
In-Reply-To: <4F0F8E3E.2020705@gmail.com>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <4F0F8E3E.2020705@gmail.com>
Message-ID: <4F0F8F17.3020107@paulgraydon.co.uk>

On 01/12/2012 03:51 PM, chaim.rieger at gmail.com wrote:
> On 1/12/2012 4:43 PM, Jimmy Hess wrote:
>> On Thu, Jan 12, 2012 at 3:02 PM, Paul Stewart
>> wrote:
>>
>>> Today, we manually do YUM updates to all the CentOS servers . just an
>>> example but a good one. I have heard there are some open source
>>> solutions
>>> similar to that of Red Hat Network?
>>>
>> Something to think about before attempting to centrally manage, your
>> systems actually have to be centrally manageable -- that doesn't happen
>> automatically and requires extra work.
>>
> this is why i never update. i would rather build a new image and
> deploy it to the thousands of servers than worry about updates. be it
> an openssh security notice, or new ntp configuration, for me it is
> easier to rebuild servers than update config files.
>

.. you never update? How frequently do you rebuild your entire server stack, weekly?
Paul

From paul at paulgraydon.co.uk Thu Jan 12 19:57:19 2012
From: paul at paulgraydon.co.uk (Paul Graydon)
Date: Thu, 12 Jan 2012 15:57:19 -1000
Subject: Linux Centralized Administration
In-Reply-To: <4F0F8E3E.2020705@gmail.com>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <4F0F8E3E.2020705@gmail.com>
Message-ID: <4F0F8F7F.8090208@paulgraydon.co.uk>

On 01/12/2012 03:51 PM, chaim.rieger at gmail.com wrote:
> On 1/12/2012 4:43 PM, Jimmy Hess wrote:
>> On Thu, Jan 12, 2012 at 3:02 PM, Paul Stewart
>> wrote:
>>
>>> Today, we manually do YUM updates to all the CentOS servers . just an
>>> example but a good one. I have heard there are some open source
>>> solutions
>>> similar to that of Red Hat Network?
>>>
>> Something to think about before attempting to centrally manage, your
>> systems actually have to be centrally manageable -- that doesn't happen
>> automatically and requires extra work.
>>
> this is why i never update. i would rather build a new image and
> deploy it to the thousands of servers than worry about updates. be it
> an openssh security notice, or new ntp configuration, for me it is
> easier to rebuild servers than update config files.
>

For that matter, imaging is a bad way to go about handling this, you'd be better served by setting up something like Puppet or Chef and have them handle configuration management for you centrally, along with necessary software packages.
Paul

From bmanning at vacation.karoshi.com Thu Jan 12 21:32:30 2012
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Fri, 13 Jan 2012 03:32:30 +0000
Subject: In search of uplink vendor
In-Reply-To: <4F0F5716.5090907@gmail.com>
References: <13924436.4750.1326399539460.JavaMail.root@benjamin.baylink.com> <4F0F5716.5090907@gmail.com>
Message-ID: <20120113033230.GB5074@vacation.karoshi.com.>

On Thu, Jan 12, 2012 at 01:56:38PM -0800, JC Dill wrote:
> On 12/01/12 12:18 PM, Jay Ashworth wrote:
> >----- Original Message -----
> >>From: "Network IP Dog"
> >>Isn't this Internet censorship?
> >Repeat after me: It's not censorship unless it's imposed by a government.
>
> The wikipedia definition seems more accurate:
>
> http://en.wikipedia.org/wiki/Censorship
>
> " *Censorship* is the suppression of speech or other public
> communication which may be considered objectionable, harmful, sensitive,
> or inconvenient to the general body of people as determined by a
> government, media outlet, or other controlling body."
>

time to update the wikipedia entry then... think parents suppression of "communication [] considered objectionable, harmful, sensitive or inconvenient" wrt their children.

the key is "controlling body"... be it ISP, Government, CorporateIT, your mom, or the school board. It might even be -YOU- (you do have control, right?)
/bill

From md1clv at md1clv.com Fri Jan 13 02:56:42 2012
From: md1clv at md1clv.com (Daniel Ankers)
Date: Fri, 13 Jan 2012 08:56:42 +0000
Subject: Linux Centralized Administration
In-Reply-To: <4F0F8F7F.8090208@paulgraydon.co.uk>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <4F0F8E3E.2020705@gmail.com> <4F0F8F7F.8090208@paulgraydon.co.uk>
Message-ID:

On 13 January 2012 01:57, Paul Graydon wrote:
> On 01/12/2012 03:51 PM, chaim.rieger at gmail.com wrote:
>>
>> On 1/12/2012 4:43 PM, Jimmy Hess wrote:
>>> Something to think about before attempting to centrally manage, your
>>> systems actually have to be centrally manageable -- that doesn't happen
>>> automatically and requires extra work.
>>>
>> this is why i never update. i would rather build a new image and deploy it
>> to the thousands of servers than worry about updates. be it an openssh
>> security notice, or new ntp configuration, for me it is easier to rebuild
>> servers than update config files.
>>
> For that matter, imaging is a bad way to go about handling this, you'd be
> better served by setting up something like Puppet or Chef and have them
> handle configuration management for you centrally, along with necessary
> software packages.
>
> Paul

I looked into Puppet and though I've got it managing parts of our infrastructure it seems quite difficult to bolt on to an existing setup. There are also some things that I can't see how to do easily with Puppet ("Don't upgrade packages on the live environment until we've tested them in staging" being a big one.)

I'm starting to look at Blueprint (http://devstructure.com) to help build the Puppet manifests so that we can deploy Puppet without breaking any existing machines, Puppet for configuration management and Spacewalk to audit what is up-to-date and help schedule security updates.
Dan

From mpetach at netflight.com Thu Jan 12 17:06:42 2012
From: mpetach at netflight.com (Matthew Petach)
Date: Thu, 12 Jan 2012 15:06:42 -0800
Subject: community strings for Reliance Globalcom
In-Reply-To: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com>
References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com>
Message-ID:

On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote:
> does anybody have the community strings for Reliance Globalcom
>

You might check to see if they left the default "public" read-only string in place, but I highly doubt it. Most people are pretty careful to pick at least somewhat hard to guess community strings, and to ACL them off from external querying.

Matt

From mark at streamservice.nl Fri Jan 13 05:04:42 2012
From: mark at streamservice.nl (Mark Scholten)
Date: Fri, 13 Jan 2012 12:04:42 +0100
Subject: Linux Centralized Administration
In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID: <017d01ccd1e3$269b11e0$73d135a0$@nl>

> Hey folks. just curious what people are using for automating updates to
> Linux boxes?
>
> Today, we manually do YUM updates to all the CentOS servers . just an
> example but a good one. I have heard there are some open source
> solutions similar to that of Red Hat Network?

We did create our own solution and are still expanding it. Currently we set what a server should look like at the servers, we want to change it to the central system. This would make it easier to deploy extra servers (only entering a MAC address, selecting software and starting a server should be enough to auto-deploy it).

Our current solution is designed for Debian/Ubuntu, but should also work on other Linux distributions. A working copy might be available; please contact me offlist and I'll look what I can do.
Kind regards,

Mark

From jared at puck.nether.net Fri Jan 13 05:58:10 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 13 Jan 2012 06:58:10 -0500
Subject: Linux Centralized Administration
In-Reply-To:
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID: <6FA43C09-7D3C-45B6-A0CC-B0DB7DAD3877@puck.nether.net>

Sounds like a poorly designed package. Wordpress does a good job of allowing back end updates without impacting the services provided, even with database changes.

Part of a well designed and maintained system is the ability to do painless upgrades.

Jared Mauch

On Jan 12, 2012, at 7:43 PM, Jimmy Hess wrote:

> Cacti/OpenNMS are good examples -- after a yum update to a new version,
> you must manually invoke, a potentially dangerous "installer" program or
> web page has to be used, after a new update, config files, or database
> schema have to be edited or patched by hand; until you manually take some
> action to "fix" the config, the application is broken after update.
> As soon as you attempt to restart the application it will shutdown OK, but
> not come back up.

From james.braunegg at micron21.com Fri Jan 13 06:36:41 2012
From: james.braunegg at micron21.com (James Braunegg)
Date: Fri, 13 Jan 2012 12:36:41 +0000
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
Message-ID:

Hey All,

Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.

We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address.

The only common link was / is terminal services port 3389 is open to the public.
Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.

Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic

Would be very interested if anyone else has seen this behavior before !

Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP, if so I name it "ohDeer-RDP"

A sample of the traffic is as per below, collected from netflow

Source       Destination    Application    Src Port  Dst Port  Proto
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51534     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      52699     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      60824     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51669     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      49215     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      62099     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      65429     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51965     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      50381     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      59379     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      58103     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      59514     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      58298     TCP

This occurred around 10:30pm AEST Friday the 13th of January 2012

We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee.
If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

From erik.soosalu at calyxinc.com Fri Jan 13 07:17:28 2012
From: erik.soosalu at calyxinc.com (Erik Soosalu)
Date: Fri, 13 Jan 2012 08:17:28 -0500
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
In-Reply-To:
References:
Message-ID: <0B224A2FE01CC54C860290D42474BF6005230CAB@exchange.nff.local>

Wouldn't this just be an indication of that block being scanned for open 3389 ports from that IP? You're just looking at the return traffic to the scanning host.

-----Original Message-----
From: James Braunegg [mailto:james.braunegg at micron21.com]
Sent: Friday, January 13, 2012 7:37 AM
To: nanog at nanog.org
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Hey All,

Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.

We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address.

The only common link was / is terminal services port 3389 is open to the public.

Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.
Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic

Would be very interested if anyone else has seen this behavior before !

Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP, if so I name it "ohDeer-RDP"

A sample of the traffic is as per below, collected from netflow

Source       Destination    Application    Src Port  Dst Port  Proto
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51534     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      52699     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      60824     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51669     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      49215     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      62099     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      65429     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51965     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      50381     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      59379     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      58103     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      59514     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      58298     TCP

This occurred around 10:30pm AEST Friday the 13th of January 2012

We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666
From james.braunegg at micron21.com Fri Jan 13 07:28:47 2012
From: james.braunegg at micron21.com (James Braunegg)
Date: Fri, 13 Jan 2012 13:28:47 +0000
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
In-Reply-To: <0B224A2FE01CC54C860290D42474BF6005230CAB@exchange.nff.local>
References: <0B224A2FE01CC54C860290D42474BF6005230CAB@exchange.nff.local>
Message-ID:

Dear Erik

2mbits to 4mbits of outbound traffic is a fair bit for just a port scan..

We saw around 100ks of inbound traffic to each server and around 2mbits to 4mbits outbound traffic from the servers to the same destination 58.162.67.45

The traffic pattern occurred for around 30 minutes and then simultaneously every host (server) stopped sending traffic.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666

-----Original Message-----
From: Erik Soosalu [mailto:erik.soosalu at calyxinc.com]
Sent: Saturday, January 14, 2012 12:17 AM
To: James Braunegg; nanog at nanog.org
Subject: RE: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Wouldn't this just be an indication of that block being scanned for open 3389 ports from that IP? You're just looking at the return traffic to the scanning host.
-----Original Message-----
From: James Braunegg [mailto:james.braunegg at micron21.com]
Sent: Friday, January 13, 2012 7:37 AM
To: nanog at nanog.org
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Hey All,

Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.

We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address.

The only common link was / is terminal services port 3389 is open to the public.

Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.

Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic

Would be very interested if anyone else has seen this behavior before !
Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP, if so I name it "ohDeer-RDP"

A sample of the traffic is as per below, collected from netflow

Source       Destination    Application    Src Port  Dst Port  Proto
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51534     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      52699     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      60824     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51669     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      49215     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      62099     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      65429     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      51965     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      50381     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      59379     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      58103     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      59514     TCP
x.x.x.x/16   58.162.67.45   ms-wbt-server  3389      58298     TCP

This occurred around 10:30pm AEST Friday the 13th of January 2012

We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666
From erik.soosalu at calyxinc.com Fri Jan 13 07:38:19 2012 From: erik.soosalu at calyxinc.com (Erik Soosalu) Date: Fri, 13 Jan 2012 08:38:19 -0500 Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389 In-Reply-To: References: <0B224A2FE01CC54C860290D42474BF6005230CAB@exchange.nff.local> Message-ID: <0B224A2FE01CC54C860290D42474BF6005230CB2@exchange.nff.local>

I would agree that it is a large stream. The other thing would be a password crack attempt. There was a tool out a couple of years ago, and I've forgotten the name of it now, that worked at brute forcing RDP passwords. It worked without ending up in the Windows logs, because at the time Windows would only log incorrect RDP password attempts on the 5th try. So it would try 4 passwords, disconnect and then connect again. If it was such a program, trying as fast as it could, there would be a lot of initial "screen renders" being sent to the attack IP with very little traffic coming back - just the login attempts.

Thanks, Erik

-----Original Message-----
From: James Braunegg [mailto:james.braunegg at micron21.com]
Sent: Friday, January 13, 2012 8:29 AM
To: Erik Soosalu; nanog at nanog.org
Subject: RE: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Dear Erik

2mbits to 4mbits of outbound traffic is a fair bit for just a port scan.. We saw around 100ks of inbound traffic to each server and around 2mbits to 4mbits outbound traffic from the servers to the same destination 58.162.67.45

The traffic pattern occurred for around 30 minutes and then simultaneously every host (server) stopped sending traffic.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666

-----Original Message-----
From: Erik Soosalu [mailto:erik.soosalu at calyxinc.com]
Sent: Saturday, January 14, 2012 12:17 AM
To: James Braunegg; nanog at nanog.org
Subject: RE: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Wouldn't this just be an indication of that block being scanned for open 3389 ports from that IP? You're just looking at the return traffic to the scanning host.

-----Original Message-----
From: James Braunegg [mailto:james.braunegg at micron21.com]
Sent: Friday, January 13, 2012 7:37 AM
To: nanog at nanog.org
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Hey All,

Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.

We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address.

The only common link was / is terminal services port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.

Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic

Would be very interested if anyone else has seen this behavior before !
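As an added defender-side example (not code from the thread), here is a small Python classifier that applies Erik's distinction to netflow records: a scan leaves one near-empty flow per server, while the reconnect-every-few-guesses tool he describes leaves repeated connections to each server with far more bytes leaving than arriving. The CSV layout, byte counts, thresholds and addresses (documentation ranges) are constructed for the example; the table James posted carries no byte counts.

```python
import csv
import io
from collections import defaultdict

RDP_PORT = 3389
MIN_SERVERS = 3           # a remote host must touch at least this many of our servers
SCAN_MAX_AVG_BYTES = 500  # a scan probe carries almost no payload in either direction
CHURN_MIN_FLOWS = 2.0     # average separate TCP connections per server (reconnect churn)
CHURN_MIN_RATIO = 5.0     # bytes server->remote divided by bytes remote->server

# Constructed sample export (not from the thread): one record per TCP flow as
# seen from our side, with byte counts in both directions. 192.0.2.45 reconnects
# repeatedly to three servers and pulls far more than it sends (the login-attempt
# churn Erik describes); 198.51.100.9 touches each server once with near-empty
# flows (a plain port scan); 203.0.113.7 is one ordinary admin session.
SAMPLE_FLOWS = """\
src,dst,sport,dport,bytes_out,bytes_in
10.1.1.10,192.0.2.45,3389,51534,180000,6200
10.1.1.10,192.0.2.45,3389,52699,175000,6100
10.1.1.10,192.0.2.45,3389,60824,182000,6300
10.1.2.20,192.0.2.45,3389,51669,179000,5900
10.1.2.20,192.0.2.45,3389,49215,181000,6000
10.1.3.30,192.0.2.45,3389,62099,177000,6400
10.1.3.30,192.0.2.45,3389,65429,180500,6100
10.1.1.10,198.51.100.9,3389,40001,120,60
10.1.2.20,198.51.100.9,3389,40002,120,60
10.1.3.30,198.51.100.9,3389,40003,120,60
10.1.4.40,198.51.100.9,3389,40004,0,60
10.1.5.50,203.0.113.7,3389,55000,2400000,310000
10.1.5.50,203.0.113.7,443,55001,9000,1200
"""


def parse_flows(text):
    """Turn the CSV export into a list of dicts with integer port and byte fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "src": row["src"],
            "dst": row["dst"],
            "sport": int(row["sport"]),
            "dport": int(row["dport"]),
            "bytes_out": int(row["bytes_out"]),
            "bytes_in": int(row["bytes_in"]),
        })
    return flows


def summarize(flows):
    """Aggregate the flows whose server-side port is 3389, keyed by remote host."""
    stats = defaultdict(lambda: {"servers": set(), "flows": 0, "out": 0, "in": 0})
    for f in flows:
        if f["sport"] != RDP_PORT:
            continue
        s = stats[f["dst"]]
        s["servers"].add(f["src"])
        s["flows"] += 1
        s["out"] += f["bytes_out"]
        s["in"] += f["bytes_in"]
    return stats


def classify(s):
    """Label one remote host's aggregate as port-scan, rdp-login-churn or normal."""
    if len(s["servers"]) < MIN_SERVERS:
        # A single session also shows a high out/in ratio (screen renders), so the
        # simultaneous fan-out across many servers is what makes it suspicious.
        return "normal"
    avg_bytes = (s["out"] + s["in"]) / s["flows"]
    if avg_bytes < SCAN_MAX_AVG_BYTES:
        return "port-scan"
    flows_per_server = s["flows"] / len(s["servers"])
    ratio = s["out"] / max(s["in"], 1)
    if flows_per_server >= CHURN_MIN_FLOWS and ratio >= CHURN_MIN_RATIO:
        return "rdp-login-churn"
    return "normal"


def analyze(text):
    """Map every remote host in the export to its label."""
    return {remote: classify(s) for remote, s in summarize(parse_flows(text)).items()}


if __name__ == "__main__":
    for remote, label in sorted(analyze(SAMPLE_FLOWS).items()):
        print(f"{remote:16} {label}")
```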
From askoorb+nanog at gmail.com Fri Jan 13 07:38:44 2012 From: askoorb+nanog at gmail.com (Alex Brooks) Date: Fri, 13 Jan 2012 13:38:44 +0000 Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389 In-Reply-To: References: Message-ID:

Hello,

On Fri, Jan 13, 2012 at 12:36 PM, James Braunegg wrote:
>
> Hey All,
>
> Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.
>
> We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address.
>

Have you contacted Microsoft yet? https://support.microsoft.com/oas/default.aspx?gprid=1163&st=1&wfxredirect=1&sd=gn If you have a support contract (which you probably do) you'll get a very quick response if you choose the "security" option.

Whatever you do, do let everyone know what the problem turns out to be.

Alex

From me at anuragbhatia.com Fri Jan 13 08:19:29 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Fri, 13 Jan 2012 19:49:29 +0530 Subject: community strings for Reliance Globalcom In-Reply-To: References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com> Message-ID:

Additionally, http://ubs.flagtel.com/lg

Their looking glass. You can do basic traceroute and BGP from here.

On Fri, Jan 13, 2012 at 4:36 AM, Matthew Petach wrote:
> On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote:
> > does anybody have the community strings for Reliance Globalcom
> >
>
> You might check to see if they left the default "public" read-only
> string in place, but I highly doubt it. Most people are pretty careful
> to pick at least somewhat hard to guess community strings, and
> to ACL them off from external querying.
> > Matt > > -- Anurag Bhatia anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network! Twitter: @anurag_bhatia From sfouant at shortestpathfirst.net Fri Jan 13 08:41:47 2012 From: sfouant at shortestpathfirst.net (Stefan Fouant) Date: Fri, 13 Jan 2012 09:41:47 -0500 Subject: community strings for Reliance Globalcom In-Reply-To: References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com> Message-ID: I could be wrong, but I think OP was requesting for BGP communities. I don't think he was asking for their SNMP community strings - I've never heard of a situation where a provider would allow their customers to poll their routers via SNMP. Or did I miss something? Stefan Fouant JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI Technical Trainer, Juniper Networks Follow us on Twitter @JuniperEducate Sent from my iPad On Jan 12, 2012, at 6:06 PM, Matthew Petach wrote: > On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote: >> does anybody have the community strings for Reliance Globalcom >> > > You might check to see if they left the default "public" read-only > string in place, but I highly doubt it. Most people are pretty careful > to pick at least somewhat hard to guess community strings, and > to ACL them off from external querying. > > Matt > From source_route at yahoo.com Fri Jan 13 08:57:19 2012 From: source_route at yahoo.com (Philip Lavine) Date: Fri, 13 Jan 2012 06:57:19 -0800 (PST) Subject: community strings for Reliance Globalcom In-Reply-To: References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com> Message-ID: <1326466639.3892.YahooMailNeo@web30805.mail.mud.yahoo.com> nail on the head. I need the XXXX:XXXX notation for the BGP preference. 
I need to be able to set a provider as a backup, for example: qwest would be 209:70

________________________________
From: Stefan Fouant
To: Matthew Petach
Cc: Philip Lavine ; "nanog at nanog.org"
Sent: Friday, January 13, 2012 6:41 AM
Subject: Re: community strings for Reliance Globalcom

I could be wrong, but I think OP was requesting for BGP communities. I don't think he was asking for their SNMP community strings - I've never heard of a situation where a provider would allow their customers to poll their routers via SNMP.

Or did I miss something?

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad

On Jan 12, 2012, at 6:06 PM, Matthew Petach wrote:
> On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote:
>> does anybody have the community strings for Reliance Globalcom
>>
>
> You might check to see if they left the default "public" read-only
> string in place, but I highly doubt it. Most people are pretty careful
> to pick at least somewhat hard to guess community strings, and
> to ACL them off from external querying.
> > Matt
>

From me at anuragbhatia.com Fri Jan 13 09:04:02 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Fri, 13 Jan 2012 20:34:02 +0530 Subject: community strings for Reliance Globalcom In-Reply-To: <1326466639.3892.YahooMailNeo@web30805.mail.mud.yahoo.com> References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com> <1326466639.3892.YahooMailNeo@web30805.mail.mud.yahoo.com> Message-ID:

Here's the info from their IRR:

remarks: Communities applied at ingress
remarks: =======================================================
remarks: 15412:1xxx PoP
remarks: 15412:1101 New York
remarks: 15412:1201 Los Angeles
remarks: 15412:1202 Palo Alto
remarks: 15412:1301 Tokyo
remarks: 15412:1311 Hong Kong
remarks: 15412:1316 Singapore
remarks: 15412:1321 Seoul
remarks: 15412:1331 Singapore
remarks: 15412:1341 Taipei
remarks: 15412:1401 Cairo
remarks: 15412:1411 Bahrain
remarks: 15412:1402 Alexandria
remarks: 15412:1412 Jeddah
remarks: 15412:1413 Al Khobar
remarks: 15412:1414 Dubai
remarks: 15412:1415 Doha
remarks: 15412:1431 Mumbai
remarks: 15412:1432 Chennai
remarks: 15412:1501 London
remarks: 15412:1511 Paris
remarks: 15412:1521 Madrid
remarks: 15412:1531 Frankfurt
remarks: 15412:1514 Amsterdam
remarks: =======================================================
remarks: 15412:7xx Customer
remarks: 15412:701 Aggregate
remarks: 15412:702 Statically Routed
remarks: 15412:703 BGP Routed
remarks: 15412:705 BGP Routed (Suppress MED to upstreams)
remarks: =======================================================
remarks: 15412:8xx Peer
remarks: 15412:800 PRIVATE PEER
remarks: 15412:801 PAIX
remarks: 15412:802 NYIIX
remarks: 15412:803 JPIX
remarks: 15412:804 KINX
remarks: 15412:805 HKIX
remarks: 15412:806 LINX
remarks: 15412:807 SFINX
remarks: 15412:808 LAIX
remarks: 15412:809 AMSIX
remarks: 15412:810 DECIX
remarks: 15412:813 JPNAP
remarks: 15412:814 EQUINIX ASHBURN VA
remarks: 15412:815 EQUINIX SINGAPORE
remarks: 15412:816 EQUINIX TOKYO
remarks: 15412:817 ANY2
remarks: 15412:820 EQUINIX PARIS
remarks: 15412:821 EQUINIX HONG KONG
remarks: =======================================================
remarks: 15412:9xx Upstream
remarks: 15412:902 LEVEL3 AS3356
remarks: 15412:903 NTT/VERIO AS2914
remarks: =======================================================
remarks: BGP Communities available to customers for traffic engineering
remarks: =======================================================
remarks: Modify LocalPref
remarks:
remarks: 15412:80 = 80
remarks: 15412:200 = 200 (e.g. backup link)
remarks: 15412:300 = 300
remarks: Default (Customer/Transit/Peer) = 250/100/100
remarks: =======================================================
remarks: Suppression/Prepend
remarks: =======================================================
remarks: 15412:4100 Do not announce to any upstream
remarks: =======================================================
remarks: 15412:4120 Do not announce to LEVEL3 AS3356
remarks: 15412:4121 Prepend 15412 to LEVEL3 AS3356
remarks: 15412:4122 Prepend 15412 15412 to LEVEL3 AS3356
remarks: =======================================================
remarks: 15412:4130 Do not announce to NTT/Verio AS2914
remarks: 15412:4131 Prepend 15412 to NTT/Verio AS2914
remarks: 15412:4132 Prepend 15412 15412 to NTT/Verio AS2914
remarks: =======================================================
remarks: 15412:4500 Do not announce to FLAG peers
remarks: =======================================================
remarks: 15412:4510 Do not announce to PAIX Peers
remarks: 15412:4511 Prepend 15412 to PAIX Peers
remarks: 15412:4512 Prepend 15412 15412 to PAIX Peers
remarks: =======================================================
remarks: 15412:4520 Do not announce to NYIIX Peers
remarks: 15412:4521 Prepend 15412 to NYIIX Peers
remarks: 15412:4522 Prepend 15412 15412 to NYIIX Peers
remarks: =======================================================
remarks: 15412:4530 Do not announce to JPIX Peers
remarks: 15412:4531 Prepend 15412 to JPIX Peers
remarks: 15412:4532 Prepend 15412 15412 to JPIX Peers
remarks: =======================================================
remarks: 15412:4540 Do not announce to KINX Peers
remarks: 15412:4541 Prepend 15412 to KINX Peers
remarks: 15412:4542 Prepend 15412 15412 to KINX Peers
remarks: =======================================================
remarks: 15412:4550 Do not announce to HKIX Peers
remarks: 15412:4551 Prepend 15412 to HKIX Peers
remarks: 15412:4552 Prepend 15412 15412 to HKIX Peers
remarks: =======================================================
remarks: 15412:4560 Do not announce to LINX Peers
remarks: 15412:4561 Prepend 15412 to LINX Peers
remarks: 15412:4562 Prepend 15412 15412 to LINX Peers
remarks: =======================================================
remarks: 15412:4570 Do not announce to SFINX Peers
remarks: 15412:4571 Prepend 15412 to SFINX Peers
remarks: 15412:4572 Prepend 15412 15412 to SFINX Peers
remarks: =======================================================
remarks: 15412:4580 Do not announce to LAIX Peers
remarks: 15412:4581 Prepend 15412 to LAIX Peers
remarks: 15412:4582 Prepend 15412 15412 to LAIX Peers
remarks: =======================================================
remarks: 15412:4590 Do not announce to DECIX Peers
remarks: 15412:4591 Prepend 15412 to DECIX Peers
remarks: 15412:4592 Prepend 15412 15412 to DECIX Peers
remarks: =======================================================
remarks: 15412:4600 Do not announce to AMSIX Peers
remarks: 15412:4601 Prepend 15412 to AMSIX Peers
remarks: 15412:4602 Prepend 15412 15412 to AMSIX Peers
remarks: =======================================================
remarks: 15412:4610 Do not announce to EQUINIX ASHBURN peers
remarks: 15412:4611 Prepend 15412 to EQUINIX ASHBURN peers
remarks: 15412:4612 Prepend 15412 15412 to EQUINIX ASHBURN peers
remarks: =======================================================
remarks: 15412:4620 Do not announce to JPNAP peers
remarks: 15412:4621 Prepend 15412 to JPNAP peers
remarks: 15412:4622 Prepend 15412 15412 to JPNAP peers
remarks: =======================================================
remarks: 15412:4640 Do not announce to EQUINIX SINGAPORE peers
remarks: 15412:4641 Prepend 15412 to EQUINIX SINGAPORE peers
remarks: 15412:4642 Prepend 15412 15412 to EQUINIX SINGAPORE peers
remarks: =======================================================
remarks: 15412:4660 Do not announce to EQUINIX TOKYO peers
remarks: 15412:4661 Prepend 15412 to EQUINIX TOKYO peers
remarks: 15412:4662 Prepend 15412 15412 to EQUINIX TOKYO peers
remarks: =======================================================
remarks: 15412:4670 Do not announce to ANY2 peers
remarks: 15412:4671 Prepend 15412 to ANY2 peers
remarks: 15412:4672 Prepend 15412 15412 to ANY2 peers
remarks: =======================================================
remarks: 15412:4700 Do not announce to EQUINIX PARIS peers
remarks: 15412:4701 Prepend 15412 to EQUINIX PARIS peers
remarks: 15412:4702 Prepend 15412 15412 to EQUINIX PARIS peers

Hope that will help you.

On Fri, Jan 13, 2012 at 8:27 PM, Philip Lavine wrote:
> nail on the head. I need the XXXX:XXXX notation for the BGP preference. I
> need to be able to set a provider as a backup, for example: qwest would be
> 209:70
>
>
>
> ________________________________
> From: Stefan Fouant
> To: Matthew Petach
> Cc: Philip Lavine ; "nanog at nanog.org" <
> nanog at nanog.org>
> Sent: Friday, January 13, 2012 6:41 AM
> Subject: Re: community strings for Reliance Globalcom
>
> I could be wrong, but I think OP was requesting for BGP communities. I
> don't think he was asking for their SNMP community strings - I've never
> heard of a situation where a provider would allow their customers to poll
> their routers via SNMP.
>
> Or did I miss something?
>
> Stefan Fouant
> JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
> Technical Trainer, Juniper Networks
>
> Follow us on Twitter @JuniperEducate
>
> Sent from my iPad
>
> On Jan 12, 2012, at 6:06 PM, Matthew Petach wrote:
>
> > On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote:
> >> does anybody have the community strings for Reliance Globalcom
> >>
> >
> > You might check to see if they left the default "public" read-only
> > string in place, but I highly doubt it. Most people are pretty careful
> > to pick at least somewhat hard to guess community strings, and
> > to ACL them off from external querying.
> >
> > Matt
> >
>

--
Anurag Bhatia
anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!
Twitter: @anurag_bhatia

From mark at viviotech.net Fri Jan 13 11:02:03 2012 From: mark at viviotech.net (Mark Keymer) Date: Fri, 13 Jan 2012 09:02:03 -0800 Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389 In-Reply-To: References: Message-ID: <4F10638B.3060109@viviotech.net>

Hi,

We have had 2 of the below hit us this week. First time was apx 11:20am 1/10/2012 (PST). The 2nd was 1/12/2012 (Yesterday) 4:45pm. We had done some research and had already planned to switch to Network Level Authentication (NLA) as it looks like that would help with the screen not getting dumped. Unfortunately we had not done the change to that yet as we were still looking for, and then found, a new RDP client on linux that would support it. However last night we did start doing the changes to NLA.

I am not saying NLA is a fix or that it is the best option. Just one of the things we are trying. When we can, locking down access to the RDP port I think would be best.

Ohh, as for the destination. The first day was to 221.251.194.42. Yesterday was for 115.236.185.167.
Sincerely, Mark Keymer On 1/13/2012 4:36 AM, James Braunegg wrote: > Hey All, > > Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours. > > We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address. > > The only common link was / is terminal services port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic. > > Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic > > Would be very interested if anyone else has seen this behavior before ! 
> > From jerry at jdixon.com Fri Jan 13 11:07:20 2012 From: jerry at jdixon.com (Jerry Dixon) Date: Fri, 13 Jan 2012 12:07:20 -0500 Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389 In-Reply-To: <4F10638B.3060109@viviotech.net> References: <4F10638B.3060109@viviotech.net> Message-ID: Another possibility is the use of this tool as well: http://www.sensepost.com/labs/tools/pentest/reduh (Reduh) Jerry jerry at jdixon.com On Fri, Jan 13, 2012 at 12:02 PM, Mark Keymer wrote: > Hi, > > We have had 2 of the below hit us this week. First time was apx 11:20am > 1/10/2012 (PST). The 2nd was 1/12/2012 (Yesterday) 4:45pm. We had done some > research and had already planed to switch to Network Level Authentication > (NLA) as it looks like that would help with the screen not getting dumped. > Unfortunately we had not done the change to that yet as we were getting > looking for and found a new RDP client on linux that would support it. > However last night we did start doing the changes to NLA. > > I am not saying NLA is a fix or that it is the best option. Just one of > the things we are trying. When we can, locking down access to the RDP port > I think would be best. > > Ohh, as for the destination. The first day was to 221.251.194.42. > Yesterday was for 115.236.185.167. > > Sincerely, > > Mark Keymer > > > On 1/13/2012 4:36 AM, James Braunegg wrote: > >> Hey All, >> >> Just posting to see if anyone has seen any strange outbound traffic on >> port 3389 from Microsoft Windows Server over the last few hours. >> >> We witnessed an alarming amount of completely independent Microsoft >> Windows Servers, each on separate vlan and subnets (ie all /30 and /29 >> allocations) with separate gateways on and completely separate customers, >> but all services were within the same 1.x.x.x/16 allocation all >> simultaneously send around 2mbit or so data to a specific target IP address. 
--
Jerry
jerry at jdixon.com

From mpetach at netflight.com Fri Jan 13 11:22:40 2012 From: mpetach at netflight.com (Matthew Petach) Date: Fri, 13 Jan 2012 09:22:40 -0800 Subject: community strings for Reliance Globalcom In-Reply-To: References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com> Message-ID:

On Fri, Jan 13, 2012 at 6:41 AM, Stefan Fouant wrote:
> I could be wrong, but I think OP was requesting for BGP communities. I don't think he was asking for their SNMP community strings - I've never heard of a situation where a provider would allow their customers to poll their routers via SNMP.
>
> Or did I miss something?

Sorry--I was knee-deep in digging through IPv6 OIDs, so my brain was all awash with SNMP community strings when I saw the post. You're right, in retrospect BGP communities made more sense. Apologies for the confusion.
Matt

> Stefan Fouant
> JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
> Technical Trainer, Juniper Networks
>
> Follow us on Twitter @JuniperEducate
>
> Sent from my iPad
>
> On Jan 12, 2012, at 6:06 PM, Matthew Petach wrote:
>
>> On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote:
>>> does anybody have the community strings for Reliance Globalcom
>>>
>>
>> You might check to see if they left the default "public" read-only
>> string in place, but I highly doubt it. Most people are pretty careful
>> to pick at least somewhat hard to guess community strings, and
>> to ACL them off from external querying.
>>
>> Matt
>>
>

From jlewis at lewis.org Fri Jan 13 11:42:30 2012 From: jlewis at lewis.org (Jon Lewis) Date: Fri, 13 Jan 2012 12:42:30 -0500 (EST) Subject: Linux Centralized Administration In-Reply-To: References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <4F0F8E3E.2020705@gmail.com> <4F0F8F7F.8090208@paulgraydon.co.uk> Message-ID:

On Fri, 13 Jan 2012, Daniel Ankers wrote:

> I looked into Puppet and though I've got it managing parts of our
> infrastructure it seems quite difficult to bolt on to an existing
> setup. There are also some things that I can't see how to do easily
> with Puppet ("Don't upgrade packages on the live environment until
> we've tested them in staging" being a big one.)

Has anyone mentioned cluster ssh yet? Depending on your scale, cluster ssh and a "really big screen" may be a suitable way to manage N servers and do things like apply updates or make identical changes to all at once (or in groups). It also gives you the flexibility to apply commands to all or single out a system and do things just in the one window, then go back to talking to all.
----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From David at crmls.org Fri Jan 13 12:01:45 2012 From: David at crmls.org (David Siegrist) Date: Fri, 13 Jan 2012 18:01:45 +0000 Subject: Verizon FIOS/DSL - Southern California DNS Issues Message-ID: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS>

Hi,

Has anyone been experiencing Verizon FIOS/DSL DNS issues for the past 72 hours?

Looks like Verizon FIOS/DSL is blocking legitimate sites, ours being one of them. We have over 300 of our members throughout California on Verizon FIOS/DSL experiencing issues getting to sites. One of the big ones is Bank of America. I have started a post on Verizon's site and directed our members to post their issues there.

http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/highlight/true

I can't seem to get the issue escalated. Thought I would get the opinion of the group to see how to get this issue to the actual engineers that have access to Verizon's DNS servers.

Thanks in advance.

David Siegrist
IT Systems Manager
david at crmls.org

From rchen at mpi-sws.org Fri Jan 13 12:02:01 2012 From: rchen at mpi-sws.org (Ruichuan Chen) Date: Fri, 13 Jan 2012 19:02:01 +0100 Subject: Address-based Route Reflection Message-ID:

Dear all,

The document below may be of interest:

"Address-based Route Reflection" at http://bgp.mpi-sws.org/papers/abrr-CoNEXT11.pdf
by Ruichuan Chen (MPI-SWS), Aman Shaikh (AT&T Labs Research), Jia Wang (AT&T Labs Research), Paul Francis (MPI-SWS)

==== Abstract ====

This work presents Address-Based Route Reflection (ABRR): the first iBGP solution that completely solves all oscillation and looping problems, has no path inefficiencies, and puts no constraints on RR placement.
ABRR does this by emulating the semantics of full-mesh iBGP, and thereby adopting the correctness and path efficiency properties of full-mesh iBGP. Both traditional Topology-Based Route Reflection (TBRR) and ABRR take a divide-and-conquer approach. While TBRR scales by making each RR responsible for all prefixes from some fraction of routers, ABRR scales by making each RR responsible for some fraction of prefixes from all routers.

Best regards,
--Ruichuan

From me at anuragbhatia.com Fri Jan 13 12:14:53 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Fri, 13 Jan 2012 23:44:53 +0530 Subject: Verizon FIOS/DSL - Southern California DNS Issues In-Reply-To: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS> References: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS> Message-ID:

Hello David

Can you share the dig result along with +trace? Something like:

dig store.steampowered.com +trace

This will give an exact idea of where DNS resolution is failing. It might be that one of these servers failed:

ns3.valvesoftware.com.
ns1.valvesoftware.com.
ns2.valvesoftware.com.

or something like that.

On Fri, Jan 13, 2012 at 11:31 PM, David Siegrist wrote:
> Hi,
>
> Has anyone been experiencing Verizon FIOS/DSL DNS issues for the past 72
> hours?
> Looks like Verizon FIOS/DSL is blocking legitimate sites, ours being one
> of them. We have over 300 of our members throughout California on Verizon
> FIOS/DSL experiencing issues getting to sites. One of the big ones is Bank
> of America. I have started a post on Verizon's site and directed our
> members to post their issues there.
>
>
> http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/highlight/true
>
> I can't seem to get the issue escalated. Thought I would get the opinion
> of the group to see how to get this issue to the actual engineers that
> have access to Verizon's DNS servers.
>
> Thanks in advance.
>
> David Siegrist
> IT Systems Manager
> david at crmls.org
>
>

--
Anurag Bhatia
anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!
Twitter: @anurag_bhatia

From jamesl at mythostech.com Fri Jan 13 12:21:59 2012 From: jamesl at mythostech.com (James Laszko) Date: Fri, 13 Jan 2012 18:21:59 +0000 Subject: Verizon FIOS/DSL - Southern California DNS Issues In-Reply-To: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS> References: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS> Message-ID: <8078ED370ADA824281219A7B5BADC39B1444F522@MBX023-W1-CA-5>

>Has anyone been experiencing Verizon FIOS/DSL DNS issues for the past 72 hours?
>Looks like Verizon FIOS/DSL is blocking legitimate sites, ours being one of them. We have over 300 of our members throughout California on Verizon FIOS/DSL experiencing issues getting to sites.
>One of the big ones is Bank of America. I have started a post on Verizon's site and directed our members to post their issues there.
>
>http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/highlight/true
>
>I can't seem to get the issue escalated. Thought I would get the opinion of the group to see how to get this issue to the actual engineers that have access to Verizon's DNS servers.
>
>Thanks in advance.
>
>David Siegrist
>IT Systems Manager
>david at crmls.org

We are seeing all kinds of oddities through Verizon FIOS for a ton of our customers in the Riverside County area as well. Looks like HTTP / HTTPS filtering or something. Some sites can get to places that others (right next door) can't. Pings and traceroutes work, but HTTP / HTTPS connections fail to various places. We are also seeing HORRIBLE performance of VOIP to multiple providers for every one of our FIOS customers..... We have been unable to get any support from Verizon ourselves... If anyone knows anyone who knows anything at Verizon, please pass the information along!
Thanks,

James Laszko
Mythos Technology Inc
jamesl at mythostech.com

From David at crmls.org Fri Jan 13 12:25:40 2012
From: David at crmls.org (David Siegrist)
Date: Fri, 13 Jan 2012 18:25:40 +0000
Subject: Verizon FIOS/DSL - Southern California DNS Issues
In-Reply-To: <8078ED370ADA824281219A7B5BADC39B1444F522@MBX023-W1-CA-5>
References: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS> <8078ED370ADA824281219A7B5BADC39B1444F522@MBX023-W1-CA-5>
Message-ID: <92C7B37E445C314BB2AF771D119F244A7FB642@MrMAILp02.MRODD.MRMLS>

Hi James,

Can you do me a favor and post what you are seeing on the link I provided.

http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/highlight/true

Maybe if enough of the community post it, it may get Verizon's attention.

David Siegrist
IT Systems Manager
david at crmls.org

-----Original Message-----
From: James Laszko [mailto:jamesl at mythostech.com]
Sent: Friday, January 13, 2012 10:22 AM
To: David Siegrist; nanog at nanog.org
Subject: RE: Verizon FIOS/DSL - Southern California DNS Issues

>Has anyone been experiencing Verizon FIOS/DSL DNS issues for the past 72 hours?
>Looks like Verizon FIOS/DSL is blocking legitimate sites, ours being one of them. We have over 300 of our members throughout California on Verizon FIOS/DSL experiencing issues getting to sites.
>One of the big ones is Bank of America. I have started a post on Verizon's site and directed our members to post their issues there.
>
>http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/highlight/true
>
>I can't seem to get the issue escalated. Thought I would get the opinion of the group to see how to get this issue to the actual engineers that have access to Verizon's DNS servers.
>
>Thanks in advance.
>
>David Siegrist
>IT Systems Manager
>david at crmls.org

We are seeing all kinds of oddities through Verizon FIOS for a ton of our customers in the Riverside County area as well. Looks like HTTP / HTTPS filtering or something.
Some sites can get to places that others (right next door) can't. Pings and traceroutes work, but HTTP / HTTPS connections fail to various places. We are also seeing HORRIBLE performance of VOIP to multiple providers for every one of our FIOS customers..... We have been unable to get any support from Verizon ourselves... If anyone knows anyone who knows anything at Verizon, please pass the information along!

Thanks,

James Laszko
Mythos Technology Inc
jamesl at mythostech.com

From bhmccie at gmail.com Fri Jan 13 13:19:31 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Fri, 13 Jan 2012 13:19:31 -0600
Subject: VPC=S/MLT?
Message-ID: <4F1083C3.9030804@gmail.com>

OK, So I'm doing a lot of reading lately on Nexus as we are about to get into the 7k/5k game and of course a lot of the marketing revolves around VPC. Every time I see it referenced, I keep remembering a reasonably reliable Nortel implementation called Split MLT (Multi Link Trunk). Is there something fancy here that I'm missing in the docs or am I wrong in equating the two? Isn't VPC just S/MLT? It's just that Cisco has shown up 8 years late and is trying to hype it up to compensate?

--
-Hammer-

"I was a normal American nerd"
-Jack Herer

From nikky at mnet.bg Fri Jan 13 13:22:31 2012
From: nikky at mnet.bg (Nickola Kolev)
Date: Fri, 13 Jan 2012 21:22:31 +0200
Subject: Linux Centralized Administration
In-Reply-To:
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <4F0F8E3E.2020705@gmail.com> <4F0F8F7F.8090208@paulgraydon.co.uk>
Message-ID: <20120113212231.e2bb797d.nikky@mnet.bg>

Hello,

On Fri, 13 Jan 2012 12:42:30 -0500 (EST)
Jon Lewis wrote:

> On Fri, 13 Jan 2012, Daniel Ankers wrote:
>
> > I looked into Puppet and though I've got it managing parts of our
> > infrastructure it seems quite difficult to bolt on to an existing
> > setup.
> > There are also some things that I can't see how to do easily
> > with Puppet ("Don't upgrade packages on the live environment until
> > we've tested them in staging" being a big one.)
>
> Has anyone mentioned cluster ssh yet? Depending on your scale,
> cluster ssh and a "really big screen" may be a suitable way to manage
> N servers and do things like apply updates or make identical changes
> to all at once (or in groups). It also gives you the flexibility to
> apply commands to all or single out a system and do things just in
> the one window, then go back to talking to all.

Continuing that line of tools, I'm using parallel-ssh (http://code.google.com/p/parallel-ssh/) with great success for managing several hundred servers, spread all over the world.

--
Best regards,
Nickola Kolev

From cscora at apnic.net Fri Jan 13 13:29:10 2012
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 14 Jan 2012 05:29:10 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201201131929.q0DJTA6o023161@thyme.rand.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith.
Routing Table Report   04:00 +10GMT Sat 14 Jan, 2012

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                              390792
    Prefixes after maximum aggregation:                          168714
    Deaggregation factor:                                          2.32
    Unique aggregates announced to Internet:                     190828
Total ASes present in the Internet Routing Table:                 39823
    Prefixes per ASN:                                              9.81
Origin-only ASes present in the Internet Routing Table:           32590
Origin ASes announcing only one prefix:                           15510
Transit ASes present in the Internet Routing Table:                5382
Transit-only ASes present in the Internet Routing Table:            143
Average AS path length visible in the Internet Routing Table:       4.3
    Max AS path length visible:                                      33
    Max AS path prepend of ASN (48687)                               24
Prefixes from unregistered ASNs in the Routing Table:              2098
    Unregistered ASNs in the Routing Table:                        1058
Number of 32-bit ASNs allocated by the RIRs:                       2178
Number of 32-bit ASNs visible in the Routing Table:                1851
Prefixes from 32-bit ASNs in the Routing Table:                    4455
Special use prefixes present in the Routing Table:                    2
Prefixes being announced from unallocated address space:            120
Number of addresses announced to Internet:                   2509165880
    Equivalent to 149 /8s, 142 /16s and 213 /24s
Percentage of available address space announced:                   67.7
Percentage of allocated address space announced:                   67.7
Percentage of available address space allocated:                  100.0
Percentage of address space in use by end-sites:                   91.9
Total number of prefixes smaller than registry allocations:      165725

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                    96436
    Total APNIC prefixes after maximum aggregation:               31482
    APNIC Deaggregation factor:                                    3.06
Prefixes being announced from the APNIC address blocks:           92792
    Unique aggregates announced from the APNIC address blocks:    38873
APNIC Region origin ASes present in the Internet Routing Table:    4636
    APNIC Prefixes per ASN:                                       20.02
APNIC Region origin ASes announcing only one prefix:               1249
APNIC Region transit ASes present in the Internet Routing Table:    731
Average APNIC Region AS path length visible:                        4.3
    Max APNIC Region AS path length visible:                         18
Number of APNIC region 32-bit ASNs visible in the Routing Table:    133
Number of APNIC addresses announced to Internet:              634071944
    Equivalent to 37 /8s, 203 /16s and 43 /24s
Percentage of available APNIC address space announced:             80.4

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 131072-132095, 132096-133119
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,  49/8,
                        58/8,  59/8,  60/8,  61/8, 101/8, 103/8, 106/8, 110/8,
                       111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,
                       119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8,
                       133/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8,
                       211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                    147469
    Total ARIN prefixes after maximum aggregation:                75118
    ARIN Deaggregation factor:                                     1.96
Prefixes being announced from the ARIN address blocks:           119452
    Unique aggregates announced from the ARIN address blocks:     49103
ARIN Region origin ASes present in the Internet Routing Table:    14847
    ARIN Prefixes per ASN:                                         8.05
ARIN Region origin ASes announcing only one prefix:                5677
ARIN Region transit ASes present in the Internet Routing Table:    1584
Average ARIN Region AS path length visible:                         4.0
    Max ARIN Region AS path length visible:                          25
Number of ARIN region 32-bit ASNs visible in the Routing Table:      14
Number of ARIN addresses announced to Internet:               804708544
    Equivalent to 47 /8s, 246 /16s and 224 /24s
Percentage of available ARIN address space announced:              64.0

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287,
                       13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591, 26624-27647,
                       29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 393216-394239
ARIN Address Blocks      3/8,   4/8,   6/8,   7/8,   8/8,   9/8,  11/8,  12/8,
                        13/8,  15/8,  16/8,  17/8,  18/8,  19/8,  20/8,  21/8,
                        22/8,  23/8,  24/8,  26/8,  28/8,  29/8,  30/8,  32/8,
                        33/8,  34/8,  35/8,  38/8,  40/8,  44/8,  45/8,  47/8,
                        48/8,  50/8,  52/8,  53/8,  54/8,  55/8,  56/8,  57/8,
                        63/8,  64/8,  65/8,  66/8,  67/8,  68/8,  69/8,  70/8,
                        71/8,  72/8,  73/8,  74/8,  75/8,  76/8,  96/8,  97/8,
                        98/8,  99/8, 100/8, 104/8, 107/8, 108/8, 173/8, 174/8,
                       184/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8,
                       214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                     96603
    Total RIPE prefixes after maximum aggregation:                51929
    RIPE Deaggregation factor:                                     1.86
Prefixes being announced from the RIPE address blocks:            88466
    Unique aggregates announced from the RIPE address blocks:     55570
RIPE Region origin ASes present in the Internet Routing Table:    16238
    RIPE Prefixes per ASN:                                         5.45
RIPE Region origin ASes announcing only one prefix:                7979
RIPE Region transit ASes present in the Internet Routing Table:    2582
Average RIPE Region AS path length visible:                         4.6
    Max RIPE Region AS path length visible:                          33
Number of RIPE region 32-bit ASNs visible in the Routing Table:    1284
Number of RIPE addresses announced to Internet:               497328072
    Equivalent to 29 /8s, 164 /16s and 159 /24s
Percentage of available RIPE address space announced:              80.1

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 56320-58367
                       196608-198655
RIPE Address Blocks      2/8,   5/8,  25/8,  31/8,  37/8,  46/8,  51/8,  62/8,
                        77/8,  78/8,  79/8,  80/8,  81/8,  82/8,  83/8,  84/8,
                        85/8,  86/8,  87/8,  88/8,  89/8,  90/8,  91/8,  92/8,
                        93/8,  94/8,  95/8, 109/8,
                       176/8, 178/8, 185/8, 193/8, 194/8, 195/8, 212/8, 213/8,
                       217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:                   37209
    Total LACNIC prefixes after maximum aggregation:               8038
    LACNIC Deaggregation factor:                                   4.63
Prefixes being announced from the LACNIC address blocks:          36808
    Unique aggregates announced from the LACNIC address blocks:   19247
LACNIC Region origin ASes present in the Internet Routing Table:   1560
    LACNIC Prefixes per ASN:                                      23.59
LACNIC Region origin ASes announcing only one prefix:               446
LACNIC Region transit ASes present in the Internet Routing Table:   287
Average LACNIC Region AS path length visible:                       4.4
    Max LACNIC Region AS path length visible:                        28
Number of LACNIC region 32-bit ASNs visible in the Routing Table:   416
Number of LACNIC addresses announced to Internet:              95387016
    Equivalent to 5 /8s, 175 /16s and 125 /24s
Percentage of available LACNIC address space announced:            63.2

LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 262144-263167 plus ERX transfers
LACNIC Address Blocks  177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8, 200/8,
                       201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:                   8459
    Total AfriNIC prefixes after maximum aggregation:              2074
    AfriNIC Deaggregation factor:                                  4.08
Prefixes being announced from the AfriNIC address blocks:          6501
    Unique aggregates announced from the AfriNIC address blocks:   2075
AfriNIC Region origin ASes present in the Internet Routing Table:   506
    AfriNIC Prefixes per ASN:                                     12.85
AfriNIC Region origin ASes announcing only one prefix:              159
AfriNIC Region transit ASes present in the Internet Routing Table:  115
Average AfriNIC Region AS path length visible:                      4.5
    Max AfriNIC Region AS path length visible:                       25
Number of AfriNIC region 32-bit ASNs visible in the Routing Table:    4
Number of AfriNIC addresses announced to Internet:             30834432
    Equivalent to 1 /8s, 214 /16s and 127 /24s
Percentage of available AfriNIC address space announced:           45.9

AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks  41/8, 102/8, 105/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN    No of nets /20 equiv MaxAgg  Description
4766     2473    11100     971  Korea Telecom (KIX)
17974    1715      503      36  PT TELEKOMUNIKASI INDONESIA
7545     1609      303      83  TPG Internet Pty Ltd
4755     1516      385     156  TATA Communications formerly
7552     1425     1064       7  Vietel Corporation
9829     1163      989      28  BSNL National Internet Backbo
9583     1118       81     495  Sify Limited
4808     1103     2053     314  CNCGROUP IP network: China169
24560    1010      384     167  Bharti Airtel Ltd., Telemedia
18101     976      130     155  Reliance Infocom Ltd Internet

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN    No of nets /20 equiv MaxAgg  Description
6389     3455     3807     207  bellsouth.net, inc.
7029     3222     1017     200  Windstream Communications Inc
18566    2093      382     177  Covad Communications
1785     1865      680     123  PaeTec Communications, Inc.
20115    1618     1552     619  Charter Communications
4323     1604     1062     382  Time Warner Telecom
22773    1517     2909     108  Cox Communications, Inc.
30036    1489      264     696  Mediacom Communications Corp
19262    1388     4683     401  Verizon Global Networks
7018     1299     7012     850  AT&T WorldNet Services

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN    No of nets /20 equiv MaxAgg  Description
8402     1665      480      15  Corbina telecom
15557    1096     2161      64  LDCOM NETWORKS
2118      927       99      14  EUnet/RELCOM Autonomous Syste
31148     657       35       9  FreeNet ISP
6830      644     1928     413  UPC Distribution Services
34984     639      188     174  BILISIM TELEKOM
20940     562      182     448  Akamai Technologies European
12479     551      636      53  Uni2 Autonomous System
8551      521      360      81  Bezeq International
3320      517     8157     393  Deutsche Telekom AG

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN    No of nets /20 equiv MaxAgg  Description
10620    1738      321     159  TVCABLE BOGOTA
28573    1579     1066      77  NET Servicos de Comunicao S.A
8151     1462     2997     343  UniNet S.A. de C.V.
7303     1256      756     179  Telecom Argentina Stet-France
27947     634       73      95  Telconet S.A
22047     582      322      17  VTR PUNTO NET S.A.
7738      551     1050      31  Telecomunicacoes da Bahia S.A
3816      550      238      92  Empresa Nacional de Telecomun
6503      541      434      68  AVANTEL, S.A.
11172     535      102     101  Servicios Alestra S.A de C.V

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN    No of nets /20 equiv MaxAgg  Description
8452     1013      958      13  TEDATA
24863     795      146      36  LINKdotNET AS number
3741      280      939     229  The Internet Solution
6713      250      649      18  Itissalat Al-MAGHRIB
33776     240       13       8  Starcomms Nigeria Limited
15706     239       32       6  Sudatel Internet Exchange Aut
29571     218       17      12  Ci Telecom Autonomous system
12258     195       28      60  Vodacom Internet Company
24835     188       80       8  RAYA Telecom - Egypt
16637     160      664      82  MTN Network Solutions

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets /20 equiv MaxAgg  Description
6389     3455     3807     207  bellsouth.net, inc.
7029     3222     1017     200  Windstream Communications Inc
4766     2473    11100     971  Korea Telecom (KIX)
18566    2093      382     177  Covad Communications
1785     1865      680     123  PaeTec Communications, Inc.
10620    1738      321     159  TVCABLE BOGOTA
17974    1715      503      36  PT TELEKOMUNIKASI INDONESIA
8402     1665      480      15  Corbina telecom
20115    1618     1552     619  Charter Communications
7545     1609      303      83  TPG Internet Pty Ltd

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN    No of nets  Net Savings  Description
7029     3222        3022       Windstream Communications Inc
18566    2093        1916       Covad Communications
1785     1865        1742       PaeTec Communications, Inc.
17974    1715        1679       PT TELEKOMUNIKASI INDONESIA
8402     1665        1650       Corbina telecom
10620    1738        1579       TVCABLE BOGOTA
7545     1609        1526       TPG Internet Pty Ltd
4766     2473        1502       Korea Telecom (KIX)
28573    1579        1502       NET Servicos de Comunicao S.A
7552     1425        1418       Vietel Corporation

Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network          Transit AS  Description
15132   UNALLOCATED  12.9.150.0/24    7018        AT&T WorldNet Servic
32567   UNALLOCATED  12.14.170.0/24   4323        Time Warner Telecom
32567   UNALLOCATED  12.25.107.0/24   4323        Time Warner Telecom
25639   UNALLOCATED  12.41.169.0/24   7018        AT&T WorldNet Servic
13317   UNALLOCATED  12.44.10.0/24    7018        AT&T WorldNet Servic
23502   UNALLOCATED  12.44.44.0/24    7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.103.0/24   7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.110.0/24   701         UUNET Technologies,
16476   UNALLOCATED  12.46.27.0/24    7018        AT&T WorldNet Servic
32873   UNALLOCATED  12.46.100.0/23   10912       InterNAP Network Ser

Complete listing at http://thyme.rand.apnic.net/current/data-badAS

Prefixes from private and non-routed address space (Global)
-----------------------------------------------------------

Prefix         Origin AS  Description
128.0.0.0/21   12654      RIPE NCC RIS Project
128.0.24.0/24  12654      RIPE NCC RIS Project

Complete listing at http://thyme.rand.apnic.net/current/data-dsua

Advertised Unallocated Addresses
--------------------------------

Network         Origin AS  Description
14.192.0.0/22   45464      Room 201, TGU Bldg
14.192.4.0/22   45464      Room 201, TGU Bldg
14.192.8.0/22   45464      Room 201, TGU Bldg
14.192.12.0/22  45464      Room 201, TGU Bldg
14.192.16.0/22  45464      Room 201, TGU Bldg
14.192.20.0/22  45464      Room 201, TGU Bldg
14.192.24.0/22  45464      Room 201, TGU Bldg
14.192.28.0/22  45464      Room 201, TGU Bldg
37.46.80.0/21   23456      32-bit ASN transition
41.222.79.0/24  37345      MEDALLION Communications

Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

 /1:0        /2:0        /3:0        /4:0        /5:0        /6:0
 /7:0        /8:19       /9:12      /10:27      /11:81      /12:234
/13:463     /14:817     /15:1459    /16:12118   /17:6147    /18:10195
/19:20203   /20:27995   /21:28534   /22:38863   /23:36419   /24:203565
/25:1181    /26:1420    /27:782     /28:171     /29:56      /30:13
/31:0       /32:18

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN    No of nets  Total ann.  Description
7029     2842        3222      Windstream Communications Inc
6389     2116        3455      bellsouth.net, inc.
18566    2042        2093      Covad Communications
8402     1644        1665      Corbina telecom
10620    1633        1738      TVCABLE BOGOTA
30036    1448        1489      Mediacom Communications Corp
11492    1115        1152      Cable One
1785     1066        1865      PaeTec Communications, Inc.
15557    1046        1096      LDCOM NETWORKS
7011     1042        1159      Citizens Utilities

Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------

  1:494      2:464      4:15       5:1        6:3        8:368     12:1950    13:1
 14:586     15:11      16:3       17:6      20:9      23:98      24:1710    27:1170
 31:812     32:67      33:2       34:2      36:8      37:87      38:794     40:114
 41:2895    42:85      43:1       44:3      46:1216   47:3       49:317     50:506
 52:13      55:7       56:2       57:41     58:946    59:491     60:344     61:1182
 62:950     63:1966    64:4119    65:2298   66:4375   67:2005    68:1155    69:3149
 70:918     71:427     72:1805    74:2649   75:446    76:320     77:948     78:899
 79:497     80:1187    81:863     82:550    83:530    84:586     85:1155    86:748
 87:908     88:338     89:1598    90:267    91:4418   92:534     93:1543    94:1351
 95:1062    96:394     97:296     98:798    99:38    100:18     101:127    103:637
106:10     107:133    108:125    109:1422  110:684   111:839    112:427    113:519
114:610    115:756    116:868    117:726   118:907   119:1235   120:357    121:679
122:1624   123:1050   124:1336   125:1352  128:535   129:192    130:201    131:588
132:162    133:21     134:226    135:58    136:213   137:151    138:288    139:144
140:490    141:261    142:379    143:393   144:504   145:68     146:484    147:223
148:635    149:279    150:166    151:193   152:447   153:170    154:7      155:393
156:210    157:366    158:155    159:511   160:320   161:222    162:337    163:188
164:529    165:391    166:562    167:456   168:853   169:147    170:830    171:103
172:4      173:1778   174:589    175:418   176:348   177:454    178:1183   180:1219
181:43     182:687    183:264    184:430   185:1     186:1490   187:831    188:1034
189:1156   190:5321   192:5991   193:5462  194:3943  195:3313   196:1281   197:167
198:3627   199:4295   200:5583   201:1703  202:8417  203:8588   204:4353   205:2430
206:2734   207:2806   208:4020   209:3551  210:2742  211:1480   212:1968   213:1818
214:838    215:94     216:4938   217:1472  218:560   219:337    220:1247   221:557
222:324    223:267

End of report

From joelja at bogus.com Fri Jan 13 13:31:56 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Fri, 13 Jan 2012 11:31:56 -0800
Subject: VPC=S/MLT?
In-Reply-To: <4F1083C3.9030804@gmail.com>
References: <4F1083C3.9030804@gmail.com>
Message-ID: <4F1086AC.9050201@bogus.com>

On 1/13/12 11:19 , -Hammer- wrote:
> OK, So I'm doing a lot of reading lately on Nexus as we are about to get
> into the 7k/5k game and of course a lot of the marketing revolves around
> VPC. Every time I see it referenced, I keep remembering a reasonably
> reliable Nortel implementation called Split MLT (Multi Link Trunk). Is
> there something fancy here that I'm missing in the docs or am I wrong in
> equating the two? Isn't VPC just S/MLT? It's just that Cisco has shown
> up 8 years late and is trying to hype it up to compensate?

vpc/vlt/mlag/s/mlt

From bhmccie at gmail.com Fri Jan 13 13:38:49 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Fri, 13 Jan 2012 13:38:49 -0600
Subject: VPC=S/MLT?
In-Reply-To: <4F1086AC.9050201@bogus.com>
References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com>
Message-ID: <4F108849.8040002@gmail.com>

Wow. A fellow greybeard. OK. That's what I needed to know. I'm trying to understand if VPC has any more recent enhancements that weren't around for some older multi-chassis channel methods but I don't see anything specific in the docs other than some FHRP (HSRP only it appears) and PIM tweaks. If anyone has some really deep docs on VPC I'd appreciate the links.
Thanks.

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/13/2012 1:31 PM, Joel jaeggli wrote:
> On 1/13/12 11:19 , -Hammer- wrote:
>> OK, So I'm doing a lot of reading lately on Nexus as we are about to get
>> into the 7k/5k game and of course a lot of the marketing revolves around
>> VPC. Every time I see it referenced, I keep remembering a reasonably
>> reliable Nortel implementation called Split MLT (Multi Link Trunk). Is
>> there something fancy here that I'm missing in the docs or am I wrong in
>> equating the two? Isn't VPC just S/MLT? It's just that Cisco has shown
>> up 8 years late and is trying to hype it up to compensate?
> vpc/vlt/mlag/s/mlt
>
>
>

From leigh.porter at ukbroadband.com Fri Jan 13 14:10:49 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Fri, 13 Jan 2012 20:10:49 +0000
Subject: VPC=S/MLT?
In-Reply-To: <4F1086AC.9050201@bogus.com>
References: <4F1083C3.9030804@gmail.com>,<4F1086AC.9050201@bogus.com>
Message-ID: <01A2B25C-719F-4A99-A681-A5BA5B7FB9EF@ukbroadband.com>

On 13 Jan 2012, at 19:35, "Joel jaeggli" wrote:

> On 1/13/12 11:19 , -Hammer- wrote:
>> OK, So I'm doing a lot of reading lately on Nexus as we are about to get
>> into the 7k/5k game and of course a lot of the marketing revolves around
>> VPC. Every time I see it referenced, I keep remembering a reasonably
>> reliable Nortel implementation called Split MLT (Multi Link Trunk). Is
>> there something fancy here that I'm missing in the docs or am I wrong in
>> equating the two? Isn't VPC just S/MLT? It's just that Cisco has shown
>> up 8 years late and is trying to hype it up to compensate?
>
> vpc/vlt/mlag/s/mlt
>

I am using the Brocade version, Multi Chassis Trunking (MCT), and it really does make things a lot nicer.

--
Leigh Porter

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

From c.spurgeon at mail.utexas.edu Fri Jan 13 14:10:00 2012
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Fri, 13 Jan 2012 14:10:00 -0600
Subject: VPC=S/MLT?
In-Reply-To: <4F108849.8040002@gmail.com>
References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com>
Message-ID: <20120113201000.GA88108@argus.gw.utexas.edu>

On Fri, Jan 13, 2012 at 01:38:26PM -0600, -Hammer- wrote:
> Wow. A fellow greybeard. OK. That's what I needed to know. I'm trying to
> understand if VPC has any more recent enhancements that weren't around
> for some older multi-chassis channel methods but I don't see anything
> specific in the docs other than some FHRP (HSRP only it appears) and PIM
> tweaks. If anyone has some really deep docs on VPC I'd appreciate the
> links. Thanks.

These two docs provide a lot of details:

vPC fundamental concepts:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf

"Data Center Access Design with Cisco Nexus 5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels Updated to Cisco NX-OS Software Release 5.1(3)N1(1)":
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

From bhmccie at gmail.com Fri Jan 13 14:14:40 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Fri, 13 Jan 2012 14:14:40 -0600
Subject: VPC=S/MLT?
In-Reply-To: <20120113201000.GA88108@argus.gw.utexas.edu>
References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu>
Message-ID: <4F1090B0.6030609@gmail.com>

Thanks Charles. Good stuff.
-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/13/2012 2:10 PM, Charles Spurgeon wrote:
> On Fri, Jan 13, 2012 at 01:38:26PM -0600, -Hammer- wrote:
>> Wow. A fellow greybeard. OK. That's what I needed to know. I'm trying to
>> understand if VPC has any more recent enhancements that weren't around
>> for some older multi-chassis channel methods but I don't see anything
>> specific in the docs other than some FHRP (HSRP only it appears) and PIM
>> tweaks. If anyone has some really deep docs on VPC I'd appreciate the
>> links. Thanks.
> These two docs provide a lot of details:
>
> vPC fundamental concepts:
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf
>
> "Data Center Access Design with Cisco Nexus 5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels Updated to Cisco NX-OS Software Release 5.1(3)N1(1)":
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf
>
> -Charles
>
> Charles E. Spurgeon / UTnet
> UT Austin ITS / Networking
> c.spurgeon at its.utexas.edu / 512.475.9265
>

From mkarir at merit.edu Fri Jan 13 14:19:04 2012
From: mkarir at merit.edu (Manish Karir)
Date: Fri, 13 Jan 2012 15:19:04 -0500
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
Message-ID: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>

All,

We would like to announce the availability of the bgpTables Project at Merit at:

http://bgptables.merit.edu

bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables essentially processes the data collected at routeviews and makes it available in a somewhat easier to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the vantage point of the various bgp table views as seen at routeviews. The data is currently updated nightly (EST) but we hope to improve this over time.
Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables.

Some examples:

- You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN

- You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix.

- You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in.

- You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you can then select the particular ASN that is of interest to you.

Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu.

Hopefully folks will find this useful.

Thanks.
-The Merit Network Research and Development Team

From bhmccie at gmail.com Fri Jan 13 15:06:08 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Fri, 13 Jan 2012 15:06:08 -0600
Subject: VPC=S/MLT?
In-Reply-To: <20120113201000.GA88108@argus.gw.utexas.edu>
References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu>
Message-ID: <4F109CC0.8000800@gmail.com>

Charles,

The first link references "chapter 3". I found chapter 5 as well but I can't find the full index. Do you have that link by any chance?

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/13/2012 2:10 PM, Charles Spurgeon wrote:
> On Fri, Jan 13, 2012 at 01:38:26PM -0600, -Hammer- wrote:
>> Wow. A fellow greybeard. OK. That's what I needed to know. I'm trying to
>> understand if VPC has any more recent enhancements that weren't around
>> for some older multi-chassis channel methods but I don't see anything
>> specific in the docs other than some FHRP (HSRP only it appears) and PIM
>> tweaks. If anyone has some really deep docs on VPC I'd appreciate the
>> links. Thanks.
> These two docs provide a lot of details:
>
> vPC fundamental concepts:
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf
>
> "Data Center Access Design with Cisco Nexus 5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels Updated to Cisco NX-OS Software Release 5.1(3)N1(1)":
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf
>
> -Charles
>
> Charles E. Spurgeon / UTnet
> UT Austin ITS / Networking
> c.spurgeon at its.utexas.edu / 512.475.9265
>

From sh.vahabzadeh at gmail.com Fri Jan 13 15:24:27 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Sat, 14 Jan 2012 00:54:27 +0330
Subject: IP Management Software
In-Reply-To:
References:
Message-ID:

Hi,

Would you please tell me what the advantages of noc-project are?
It takes hours to install it and it looks like a software with lots of bugs?
I have it now but many problems in their scripts, Isn't it?
Thanks

On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied wrote:
> Try noc project
>
>
> On Friday, December 16, 2011, Shahab Vahabzadeh
> wrote:
> > Hi everybody,
> > Can anybody share his/her experience with IP Management software's?
> Which I
> > can use it managing near 100K IP Address?
> > IPPlan is not good enough, I think its
> >
>

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From joshbaird at gmail.com Fri Jan 13 15:50:03 2012
From: joshbaird at gmail.com (Josh Baird)
Date: Fri, 13 Jan 2012 16:50:03 -0500
Subject: IP Management Software
In-Reply-To:
References:
Message-ID:

We use Men & Mice, but it is a commercial product. Solarwinds and Infoblox also have commercial offerings that are worth looking at. If you are looking at an IPAM platform with emphasis on IPv6, check out www.6connect.com. They offer a free product that is pretty comprehensive.

Josh

On Fri, Jan 13, 2012 at 4:24 PM, Shahab Vahabzadeh wrote:
> Hi,
> Would you please tell me what are the advantages of noc-project?
> It takes hours to install it and it looks like a software with lots of bugs?
> I have it now but many problems in their scripts, Isn't it?
> Thanks
>
> On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied wrote:
>
>> Try noc project
>>
>>
>> On Friday, December 16, 2011, Shahab Vahabzadeh
>> wrote:
>> > Hi everybody,
>> > Can anybody share his/her experience with IP Management software's?
>> Which I
>> > can use it managing near 100K IP Address?
>> > IPPlan is not good enough, I think its
>> >
>> >
>
>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From sh.vahabzadeh at gmail.com Fri Jan 13 15:51:18 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Sat, 14 Jan 2012 01:21:18 +0330
Subject: IP Management Software
In-Reply-To:
References:
Message-ID:

I am looking for an open source one, nocproject.org is good but it needs lots of patches to be normal, I think they are not developing it too much because it's an internal project for them.

On Sat, Jan 14, 2012 at 1:20 AM, Josh Baird wrote:
> We use Men & Mice, but it is a commercial product. Solarwinds
> and Infoblox also have commercial offerings that are worth looking at.
> If you are looking at an IPAM platform with emphasis on IPv6, check
> out www.6connect.com. They offer a free product that is
> pretty comprehensive.
>
> Josh
> On Fri, Jan 13, 2012 at 4:24 PM, Shahab Vahabzadeh
> wrote:
> > Hi,
> > Would you please tell me what are the advantages of noc-project?
> > It takes hours to install it and it looks like a software with lots of
> bugs?
> > I have it now but many problems in their scripts, Isn't it?
> > Thanks
> >
> > On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied
> wrote:
> >
> >> Try noc project
> >>
> >>
> >> On Friday, December 16, 2011, Shahab Vahabzadeh <
> sh.vahabzadeh at gmail.com>
> >> wrote:
> >> > Hi everybody,
> >> > Can anybody share his/her experience with IP Management software's?
> >> Which I
> >> > can use it managing near 100K IP Address?
> >> > IPPlan is not good enough, I think its
> >> >
> >> >
> >
> >
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From cidr-report at potaroo.net Fri Jan 13 16:00:01 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 13 Jan 2012 22:00:01 GMT
Subject: BGP Update Report
Message-ID: <201201132200.q0DM01L2070557@wattle.apnic.net>

BGP Update Report
Interval: 05-Jan-12 -to- 12-Jan-12 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN        Upds     %  Upds/Pfx  AS-Name
 1 -  AS42116  102673  6.3%    1711.2 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
 2 -  AS15706   62272  3.8%     322.7 -- Sudatel
 3 -  AS9829    43384  2.7%      65.2 -- BSNL-NIB National Internet Backbone
 4 -  AS8402    38569  2.4%      46.6 -- CORBINA-AS OJSC "Vimpelcom"
 5 -  AS32528   24044  1.5%    6011.0 -- ABBOTT Abbot Labs
 6 -  AS7552    23372  1.4%      16.5 -- VIETEL-AS-AP Vietel Corporation
 7 -  AS24560   22324  1.4%      52.4 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 8 -  AS5800    21762  1.3%      81.8 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
 9 -  AS6072    20608  1.3%    1472.0 -- UNISYS-6072 For routing issues, email hostmaster at unisys.com
10 -  AS20632   20374  1.2%   20374.0 -- PETERSTAR-AS PeterStar
11 -  AS27738   14226  0.9%      41.6 -- Ecuadortelecom S.A.
12 -  AS27947   14084  0.9%      27.1 -- Telconet S.A
13 -  AS19223   12795  0.8%   12795.0 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions
14 -  AS17639   12159  0.8%    2026.5 -- COMCLARK-AS ComClark Network & Technology Corp.
15 -  AS3215    11844  0.7%       3.0 -- AS3215 France Telecom - Orange
16 -  AS12479   11527  0.7%      72.5 -- UNI2-AS France Telecom Espana SA
17 -  AS14522   10593  0.7%      38.5 -- Satnet
18 -  AS9498     8907  0.6%      15.2 -- BBIL-AP BHARTI Airtel Ltd.
19 -  AS25620    8587  0.5%      53.0 -- COTAS LTDA.
20 -  AS28683    7966  0.5%     137.3 -- BENINTELECOM

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN        Upds     %  Upds/Pfx  AS-Name
 1 -  AS20632   20374  1.2%   20374.0 -- PETERSTAR-AS PeterStar
 2 -  AS19223   12795  0.8%   12795.0 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions
 3 -  AS32528   24044  1.5%    6011.0 -- ABBOTT Abbot Labs
 4 -  AS10209    4808  0.3%    4808.0 -- SYNOPSYS-AS-JP-AP Japan HUB and Data Center
 5 -  AS49648    3507  0.2%    3507.0 -- SVTEL-AS "SvyazTelecom" LTD
 6 -  AS17408    3191  0.2%    3191.0 -- ABOVE-AS-AP AboveNet Communications Taiwan
 7 -  AS17639   12159  0.8%    2026.5 -- COMCLARK-AS ComClark Network & Technology Corp.
 8 -  AS26341    1904  0.1%    1904.0 -- OSI-ASP - Open Solutions Inc.
 9 -  AS42116  102673  6.3%    1711.2 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
10 -  AS6072    20608  1.3%    1472.0 -- UNISYS-6072 For routing issues, email hostmaster at unisys.com
11 -  AS65273    1329  0.1%    1329.0 -- -Private Use AS-
12 -  AS45723    1031  0.1%    1031.0 -- OMADATA-AS-ID Omadata Indonesia, PT
13 -  AS53362     852  0.1%     852.0 -- MIXIT-AS - Mixit, Inc.
14 -  AS34480    3348  0.2%     837.0 -- GSC-AS GrandService PP.
15 -  AS3         720  0.0%    1587.0 -- BANKPERSHIY-AS PJSC Bank Pershyi
16 -  AS56915     702  0.0%     702.0 -- ASELITTELECOM Elit Telecom Ltd.
17 -  AS52849     584  0.0%     584.0 --
18 -  AS21271     557  0.0%     557.0 -- SOTELMABGP
19 -  AS6719      535  0.0%     535.0 -- KNOPP-AS Limited Liability Company KNOPP
20 -  AS10445    1966  0.1%     491.5 -- HTG - Huntleigh Telcom

TOP 20 Unstable Prefixes
Rank  Prefix              Upds     %  Origin AS -- AS Name
 1 -  84.204.132.0/24    20374  1.2%  AS20632 -- PETERSTAR-AS PeterStar
 2 -  67.97.156.0/24     12795  0.7%  AS19223 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions
 3 -  130.36.34.0/24     12015  0.7%  AS32528 -- ABBOTT Abbot Labs
 4 -  130.36.35.0/24     12015  0.7%  AS32528 -- ABBOTT Abbot Labs
 5 -  122.161.0.0/16      7240  0.4%  AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 6 -  202.92.235.0/24     6706  0.4%  AS9498  -- BBIL-AP BHARTI Airtel Ltd.
 7 -  202.56.215.0/24     6597  0.4%  AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 8 -  111.125.126.0/24    6489  0.4%  AS17639 -- COMCLARK-AS ComClark Network & Technology Corp.
 9 -  95.78.4.0/22        6342  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
10 -  46.147.88.0/22      6341  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
11 -  46.147.120.0/22     6333  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
12 -  95.78.96.0/22       6325  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
13 -  95.78.88.0/22       6323  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
14 -  46.147.124.0/22     6321  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
15 -  46.147.108.0/22     6319  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
16 -  95.78.116.0/22      6314  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
17 -  95.78.84.0/22       6311  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
18 -  95.78.100.0/22      6309  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
19 -  95.78.92.0/22       6301  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
20 -  176.213.100.0/22    6293  0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"

Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
nanog at nanog.org
eof-list at ripe.net
apops at apops.net
routing-wg at ripe.net
afnog at afnog.org

From cidr-report at potaroo.net Fri Jan 13 16:00:00 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 13 Jan 2012 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201201132200.q0DM00jN070550@wattle.apnic.net>

This report has been generated at Fri Jan 13 21:12:24 2012 AEST.
The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.
Recent Table History
  Date      Prefixes    CIDR Agg
  06-01-12    391121      227929
  07-01-12    390649      228024
  08-01-12    391004      228100
  09-01-12    390964      228214
  10-01-12    391281      228081
  11-01-12    391432      228387
  12-01-12    391955      228706
  13-01-12    392583      228745

AS Summary
      39939  Number of ASes in routing system
      16759  Number of ASes announcing only one prefix
       3454  Largest number of prefixes announced by an AS
             AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
  109424128  Largest address span announced by an AS (/32s)
             AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 13Jan12 ---
ASnum    NetsNow  NetsAggr  NetGain  % Gain  Description
Table     392867    228759   164108   41.8%  All ASes
AS6389      3454       209     3245   93.9%  BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS7029      3204      1488     1716   53.6%  WINDSTREAM - Windstream Communications Inc
AS18566     2093       413     1680   80.3%  COVAD - Covad Communications Co.
AS4766      2477       994     1483   59.9%  KIXS-AS-KR Korea Telecom
AS22773     1517       117     1400   92.3%  ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4755      1512       196     1316   87.0%  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS4323      1605       384     1221   76.1%  TWTC - tw telecom holdings, inc.
AS28573     1579       398     1181   74.8%  NET Servicos de Comunicao S.A.
AS1785      1867       783     1084   58.1%  AS-PAETEC-NET - PaeTec Communications, Inc.
AS7552      1425       391     1034   72.6%  VIETEL-AS-AP Vietel Corporation
AS19262     1388       402      986   71.0%  VZGNI-TRANSIT - Verizon Online LLC
AS10620     1738       759      979   56.3%  Telmex Colombia S.A.
AS7303      1256       368      888   70.7%  Telecom Argentina S.A.
AS8402      1600       741      859   53.7%  CORBINA-AS OJSC "Vimpelcom"
AS2118       927        77      850   91.7%  RELCOM-AS OOO "NPO Relcom"
AS8151      1464       662      802   54.8%  Uninet S.A. de C.V.
AS18101      946       155      791   83.6%  RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS30036     1489       704      785   52.7%  MEDIACOM-ENTERPRISE-BUSINESS - Mediacom Communications Corp
AS4808      1103       345      758   68.7%  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS15557     1096       368      728   66.4%  LDCOMNET Societe Francaise du Radiotelephone S.A
AS24560     1010       290      720   71.3%  AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS7545      1597       923      674   42.2%  TPG-INTERNET-AP TPG Internet Pty Ltd
AS3356      1105       459      646   58.5%  LEVEL3 Level 3 Communications
AS17676      677        74      603   89.1%  GIGAINFRA Softbank BB Corp.
AS17974     1716      1132      584   34.0%  TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS4804       661        95      566   85.6%  MPX-AS Microplex PTY LTD
AS9498       867       302      565   65.2%  BBIL-AP BHARTI Airtel Ltd.
AS4780       785       227      558   71.1%  SEEDNET Digital United Inc.
AS20115     1618      1061      557   34.4%  CHARTER-NET-HKY-NC - Charter Communications
AS3549       977       424      553   56.6%  GBLX Global Crossing Ltd.

Total      44753     14941    29812   66.6%  Top 30 total

Possible Bogus Routes
  10.86.64.32/30       AS65530 -Private Use AS-
  10.86.64.36/30       AS65530 -Private Use AS-
  10.86.65.32/30       AS65530 -Private Use AS-
  10.86.65.36/30       AS65530 -Private Use AS-
  10.255.255.0/30      AS65530 -Private Use AS-
  10.255.255.4/30      AS65530 -Private Use AS-
  10.255.255.8/30      AS65530 -Private Use AS-
  14.192.0.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
  14.192.4.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
  14.192.8.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
  14.192.12.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
  14.192.16.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
  14.192.20.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
  14.192.24.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
  14.192.28.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
  41.222.79.0/24       AS37345 MEDALLION
  41.223.92.0/22       AS36936 CELTEL-GABON Celtel Gabon Internet Service
  62.61.220.0/24       AS24974 TACHYON-EU Tachyon Europe BV
  62.61.221.0/24       AS24974 TACHYON-EU Tachyon Europe BV
  64.21.192.0/20       AS11610 INETNEBR-1 - Internet Nebraska Corporation
  64.21.212.0/22       AS11610 INETNEBR-1 - Internet Nebraska Corporation
  64.21.216.0/21       AS11610 INETNEBR-1 - Internet Nebraska Corporation
  66.129.0.0/19        AS3901  ARRAKIS - Higher Technology Services
  66.180.239.0/24      AS35888 VIGNETTE - VIGNETTE CORPORATION
  66.207.32.0/20       AS23011
  66.245.176.0/20      AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
  66.251.128.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
  66.251.133.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
  66.251.134.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
  66.251.136.0/21      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
  66.251.140.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
  66.251.141.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
  66.251.142.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
  66.251.143.0/24      AS3356  LEVEL3 Level 3 Communications
  69.46.224.0/20       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
  69.46.233.0/24       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
  69.46.236.0/24       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
  71.19.134.0/23       AS3313  INET-AS BT Italia S.p.A.
  72.44.16.0/20        AS15054 HAMELTRONICS - Hameltronics, LLC
  80.88.10.0/24        AS33774 DJAWEB
  98.159.96.0/20       AS46975
  110.34.44.0/22       AS12653 COMTONET KB Impuls Hellas
  116.206.72.0/24      AS6461  MFNX MFN - Metromedia Fiber Network
  116.206.85.0/24      AS6461  MFNX MFN - Metromedia Fiber Network
  116.206.103.0/24     AS6461  MFNX MFN - Metromedia Fiber Network
  117.120.56.0/21      AS4755  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
  121.46.0.0/16        AS4134  CHINANET-BACKBONE No.31,Jin-rong Street
  142.54.0.0/19        AS23498 CDSI - Cogeco Data Services Inc.
  171.25.183.0/24      AS29649 LIMES-AS LIMES Internet Communication
  172.45.1.0/24        AS3356  LEVEL3 Level 3 Communications
  172.45.2.0/24        AS29571 CITelecom-AS
  172.45.3.0/24        AS29571 CITelecom-AS
  172.102.0.0/22       AS4812  CHINANET-SH-AP China Telecom (Group)
  190.104.32.0/21      AS27882 Telefónica Celular de Bolivia S.A.
  193.0.22.0/23        AS3333  RIPE-NCC-AS RIPE Network Coordination Centre
  200.6.93.0/24        AS6400  Compañía Dominicana de Teléfonos, C. por A. - CODETEL
  200.6.94.0/24        AS6400  Compañía Dominicana de Teléfonos,  C. por A. - CODETEL
  200.6.95.0/24        AS6400  Compañía Dominicana de Teléfonos, C. por A. - CODETEL
  200.23.84.0/24       AS8151  Uninet S.A. de C.V.
  200.24.73.0/24       AS26061 Equant Colombia
  200.33.40.0/24       AS11172 Alestra, S. de R.L. de C.V.
  200.34.0.0/20        AS6342  Instituto Tecnológico y de Estudios Superiores de Monterrey
  200.53.0.0/19        AS13878 Diveo do Brasil Telecomunicacoes Ltda
  202.1.224.0/24       AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000
  202.8.106.0/24       AS9530  SHINSEGAE-AS SHINSEGAE I&C Co., Ltd.
  202.9.55.0/24        AS2764  AAPT AAPT Limited
  202.58.113.0/24      AS19161
  202.61.75.0/24       AS9927  PHILCOMNET-PH A Multihomed ISP Company
  202.61.108.0/24      AS55812
  202.61.118.0/24      AS55833
  202.83.120.0/21      AS37972
  202.83.124.0/24      AS37972
  202.83.125.0/24      AS37972
  202.83.126.0/24      AS37972
  202.94.1.0/24        AS4808  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
  202.133.70.0/24      AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited
  202.160.152.0/22     AS10113 DATAFAST-AP DATAFAST TELECOMMUNICATIONS LTD
  202.174.125.0/24     AS9498  BBIL-AP BHARTI Airtel Ltd.
  202.176.1.0/24       AS9942  COMINDICO-AP SOUL Converged Communications Australia
  202.179.134.0/24     AS23966 LDN-AS-PK LINKdotNET Telecom Limited
  203.23.1.0/24        AS18111 NETSPEED-AS-AP Netspeed Internet Communications
  203.24.38.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
  203.30.127.0/24      AS18111 NETSPEED-AS-AP Netspeed Internet Communications
  203.32.86.0/23       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
  203.32.86.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
  203.32.87.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
  203.32.188.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
  203.142.219.0/24     AS45149
  205.150.0.0/15       AS701   UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
  205.175.214.0/24     AS5583  ORANGE-BUSINESS-SERVICES-BENELUX France Telecom S.A.
  206.123.129.0/24     AS10790 INREACH-AS - InReach Internet
  206.180.240.0/20     AS12083 KNOLOGY-NET - KNOLOGY, Inc.
  206.197.184.0/24     AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company
  207.174.131.0/24     AS26116 INDRA - Indra's Net Inc
  207.174.132.0/23     AS26116 INDRA - Indra's Net Inc
  207.174.152.0/23     AS26116 INDRA - Indra's Net Inc
  207.174.154.0/24     AS26116 INDRA - Indra's Net Inc
  207.174.155.0/24     AS26116 INDRA - Indra's Net Inc
  207.174.200.0/24     AS22658 EARTHNET - Earthnet, Inc.
  207.174.248.0/21     AS6653  PRIVATEI - privateI, LLC
  207.231.96.0/19      AS11194 NUNETPA - NuNet Inc.
  208.83.53.0/24       AS40569 YGOMI-AS - Ygomi LLC
  208.91.56.0/21       AS22241 IC2NET - IC2NET
  208.91.56.0/24       AS22241 IC2NET - IC2NET
  208.91.57.0/24       AS22241 IC2NET - IC2NET
  208.91.58.0/24       AS22241 IC2NET - IC2NET
  208.91.59.0/24       AS22241 IC2NET - IC2NET
  208.91.60.0/24       AS22241 IC2NET - IC2NET
  208.91.61.0/24       AS22241 IC2NET - IC2NET
  208.91.62.0/24       AS22241 IC2NET - IC2NET
  208.91.63.0/24       AS22241 IC2NET - IC2NET
  209.133.224.0/19     AS4323  TWTC - tw telecom holdings, inc.
  209.148.64.0/19      AS13773 TELNETCOMM - Telnet Communications
  209.177.64.0/20      AS6461  MFNX MFN - Metromedia Fiber Network
  209.213.0.0/20       AS33005 ELTOPIA - Eltopia.com, LLC
  209.222.240.0/22     AS19747
  210.56.150.0/23      AS38138 INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED
  216.12.160.0/20      AS26627 AS-PILOSOFT - Pilosoft, Inc.
  216.21.160.0/20      AS13818 PHX-INTL-TELEPORT - Phoenix International Teleport
  216.194.160.0/20     AS13818 PHX-INTL-TELEPORT - Phoenix International Teleport

Please see http://www.cidr-report.org for the full report
------------------------------------
Copies of this report are mailed to:
nanog at nanog.org
eof-list at ripe.net
apops at apops.net
routing-wg at ripe.net
afnog at afnog.org

From brett at the-watsons.org Fri Jan 13 16:18:02 2012
From: brett at the-watsons.org (Brett Watson)
Date: Fri, 13 Jan 2012 15:18:02 -0700
Subject: IP Management Software
In-Reply-To:
References:
Message-ID: <21302280-0687-4F2F-AE77-375FB2F87E3E@the-watsons.org>

Infoblox is pretty nice but not a stand-alone IPAM solution. It's bundled DNS, DHCP, and IPAM.

6Connect definitely has a nice IPAM solution, right now more tailored for service providers but it's linked to the regional registries and helps you do requests for address space, etc. I think they're working on an enterprise-based version as well.

-b

On Jan 13, 2012, at 2:50 PM, Josh Baird wrote:
> We use Men & Mice, but it is a commercial product. Solarwinds
> and Infoblox also have commercial offerings that are worth looking at.
> If you are looking at an IPAM platform with emphasis on IPv6, check
> out www.6connect.com. They offer a free product that is
> pretty comprehensive.
>
> Josh
> On Fri, Jan 13, 2012 at 4:24 PM, Shahab Vahabzadeh
> wrote:
>> Hi,
>> Would you please tell me what are the advantages of noc-project?
>> It takes hours to install it and it looks like a software with lots of bugs?
>> I have it now but many problems in their scripts, Isn't it?
>> Thanks
>>
>> On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied wrote:
>>
>>> Try noc project
>>>
>>>
>>> On Friday, December 16, 2011, Shahab Vahabzadeh
>>> wrote:
>>>> Hi everybody,
>>>> Can anybody share his/her experience with IP Management software's?
>>> Which I
>>>> can use it managing near 100K IP Address?
>>>> IPPlan is not good enough, I think its
>>>>
>>>
>>
>>
>>
>> --
>> Regards,
>> Shahab Vahabzadeh, Network Engineer and System Administrator
>>
>> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>

From joshbaird at gmail.com Fri Jan 13 16:20:03 2012
From: joshbaird at gmail.com (Josh Baird)
Date: Fri, 13 Jan 2012 17:20:03 -0500
Subject: IP Management Software
In-Reply-To:
References:
Message-ID:

In that case, there aren't too many options. I have used IPPLAN in the past, and I have found it difficult to use and manage. Most of the other open source IPAM packages are now vaporware.

Josh

On Fri, Jan 13, 2012 at 4:51 PM, Shahab Vahabzadeh wrote:
> I am looking for an open source one, nocproject.org is good but it needs lots
> of patches to be normal, I think they are not developing it too much because
> it's an internal project for them.
>
>
> On Sat, Jan 14, 2012 at 1:20 AM, Josh Baird wrote:
>>
>> We use Men & Mice, but it is a commercial product. Solarwinds
>> and Infoblox also have commercial offerings that are worth looking at.
>> If you are looking at an IPAM platform with emphasis on IPv6, check
>> out www.6connect.com. They offer a free product that is
>> pretty comprehensive.
>>
>> Josh
>> On Fri, Jan 13, 2012 at 4:24 PM, Shahab Vahabzadeh
>> wrote:
>> > Hi,
>> > Would you please tell me what are the advantages of noc-project?
>> > It takes hours to install it and it looks like a software with lots of
>> > bugs?
>> > I have it now but many problems in their scripts, Isn't it?
>> > Thanks
>> >
>> > On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied
>> > wrote:
>> >
>> >> Try noc project
>> >>
>> >>
>> >> On Friday, December 16, 2011, Shahab Vahabzadeh
>> >>
>> >> wrote:
>> >> > Hi everybody,
>> >> > Can anybody share his/her experience with IP Management software's?
>> >> Which I
>> >> > can use it managing near 100K IP Address?
>> >> > IPPlan is not good enough, I think its
>> >> >
>> >>
>> >
>> >
>> >
>> > --
>> > Regards,
>> > Shahab Vahabzadeh, Network Engineer and System Administrator
>> >
>> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>
>
>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>

From regnauld at nsrc.org Fri Jan 13 16:31:23 2012
From: regnauld at nsrc.org (Phil Regnauld)
Date: Fri, 13 Jan 2012 22:31:23 +0000
Subject: IP Management Software
In-Reply-To:
References:
Message-ID: <20120113223123.GF24045@macbook.bluepipe.net>

Josh Baird (joshbaird) writes:
> In that case, there aren't too many options. I have used IPPLAN in
> the past, and I have found it difficult to use and manage. Most of
> the other open source IPAM packages are now vaporware.

Like, TIPP or Netdot ?

http://tipp.tobez.org/
http://netdot.uoregon.edu/

From nick at foobar.org Fri Jan 13 17:00:43 2012
From: nick at foobar.org (Nick Hilliard)
Date: Fri, 13 Jan 2012 23:00:43 +0000
Subject: IP Management Software
In-Reply-To: <20120113223123.GF24045@macbook.bluepipe.net>
References: <20120113223123.GF24045@macbook.bluepipe.net>
Message-ID: <4F10B79B.3000607@foobar.org>

On 13/01/2012 22:31, Phil Regnauld wrote:
> Like, TIPP or Netdot ?
>
> http://tipp.tobez.org/
> http://netdot.uoregon.edu/

Unfortunately, netdot is a complete curse to install. It's not necessarily a bad idea to use the preinstalled VM image, although I don't know how they intend to deal with upgrade. Once it's up and running, it actually works quite well. Certainly a lot better than nocproject (which looks like it could be awesome in lots of other ways, if only I could figure out how on earth to use it...).

I built myself a freebsd Port for netdot 0.99, which I really ought to do something about like getting it put into the ports tree. The dependency list is pretty astounding, but it does work.
When some copious free time appears (any day now), I'll get around to doing something with it..

Nick

From matt.addison at lists.evilgeni.us Fri Jan 13 20:16:23 2012
From: matt.addison at lists.evilgeni.us (Matt Addison)
Date: Fri, 13 Jan 2012 21:16:23 -0500
Subject: IP Management Software
In-Reply-To: <21302280-0687-4F2F-AE77-375FB2F87E3E@the-watsons.org>
References: <21302280-0687-4F2F-AE77-375FB2F87E3E@the-watsons.org>
Message-ID:

On Fri, Jan 13, 2012 at 17:18, Brett Watson wrote:
> 6Connect definitely has a nice IPAM solution, right now more tailored for service providers but it's linked to the regional registries and helps you do requests for address space, etc. I think they're working on an enterprise-based version as well.

I'd love 6connect if they supported VRF in some fashion. The only decent tool (in the foss/inexpensive corner of the market) I've found so far which supports multiple overlapping address space for VRF management (and enforcing uniqueness within VRF) is nocproject which has its own set of quirks/problems. I can kind of fake it in 6connect with tags and adding duplicate blocks, but then I'm doing a lot of legwork on the human side to make sure the blocks are actually unique within VRF.

From Brent.Bowers at cox.com Fri Jan 13 20:48:01 2012
From: Brent.Bowers at cox.com (Brent.Bowers at cox.com)
Date: Fri, 13 Jan 2012 21:48:01 -0500
Subject: Verizon FIOS MTU issues in Southern California
Message-ID: <8512DE788D9BA54FB3E515EFF888AB313F9974FF42@CATL0MS100.corp.cox.com>

Can anyone from the Verizon FiOS NOC contact me off-list. We believe we've identified a network issue in the Southern California FiOS network impacting your residential subscribers.

Brent Bowers
Director, CB/Network/Transport Engineering
CCIE #13530
Cox Communications, Inc.
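A worked example for the VRF point Matt Addison raises above, and for the 'contained within' and prefix-lookup queries described in the bgpTables announcement earlier in this section. This is added example code; it is not part of any poster's message and is not the code of nocproject, 6connect or bgpTables. It is a minimal in-memory IPAM in Python that keys every block on (VRF, prefix): two CIDR blocks are either nested or disjoint, so "unique within VRF" reduces to refusing an exact duplicate, while the same prefix may legitimately exist in two different VRFs. The class, method and VRF names and all sample prefixes are assumptions constructed for the example.

```python
"""Minimal per-VRF IPAM: added example code, not from any project or
poster on this page. Every block is keyed on (vrf, prefix). Names and
the sample data in main() are constructed for illustration."""
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class DuplicateBlock(ValueError):
    """Raised when a prefix already exists in the same VRF."""


class Ipam:
    def __init__(self) -> None:
        # vrf name -> blocks allocated in that VRF (hierarchy is allowed)
        self._blocks: Dict[str, List[Network]] = {}

    def allocate(self, vrf: str, prefix: str) -> Network:
        """Add prefix to vrf. Two CIDR blocks are either disjoint or nested,
        so 'unique within VRF' means: no second copy of the same prefix.
        strict=True rejects host bits set (10.1.2.3/24), a common typo."""
        net = ipaddress.ip_network(prefix, strict=True)
        if net in self._blocks.get(vrf, []):
            raise DuplicateBlock(f"{net} already allocated in vrf {vrf!r}")
        self._blocks.setdefault(vrf, []).append(net)
        return net

    def contained_within(self, vrf: str, prefix: str) -> List[Network]:
        """Like bgpTables' 'cw' query: blocks strictly inside prefix,
        most specific first, then by address."""
        outer = ipaddress.ip_network(prefix, strict=False)
        inside = [n for n in self._blocks.get(vrf, [])
                  if n.version == outer.version and n != outer and n.subnet_of(outer)]
        return sorted(inside, key=lambda n: (-n.prefixlen, int(n.network_address)))

    def covering(self, vrf: str, address: str) -> Optional[Network]:
        """Longest-prefix match: the most specific block that holds address,
        which is what a single-IP search (8.8.8.8 rather than 8.8.8.0/24)
        needs. None if nothing in this VRF covers it."""
        ip = ipaddress.ip_address(address)
        best: Optional[Network] = None
        for n in self._blocks.get(vrf, []):
            if n.version == ip.version and ip in n:
                if best is None or n.prefixlen > best.prefixlen:
                    best = n
        return best


def main() -> None:
    ipam = Ipam()
    # constructed sample data: a global table and one customer VRF that
    # legitimately reuses 10.1.0.0/16
    for vrf, prefix in [("global", "10.0.0.0/8"), ("global", "10.1.0.0/16"),
                        ("global", "10.1.2.0/24"), ("cust-a", "10.1.0.0/16")]:
        ipam.allocate(vrf, prefix)
    try:
        ipam.allocate("global", "10.1.2.0/24")
    except DuplicateBlock as exc:
        print("rejected:", exc)
    print("cw 10.0.0.0/8 in global:", ipam.contained_within("global", "10.0.0.0/8"))
    print("10.1.2.3 in global ->", ipam.covering("global", "10.1.2.3"))
    print("10.1.2.3 in cust-a ->", ipam.covering("cust-a", "10.1.2.3"))


if __name__ == "__main__":
    main()
```

The per-VRF list is the whole design: a tool that keys only on the prefix (what Matt describes faking with tags and duplicate blocks) cannot tell the customer's 10.1.0.0/16 from the global one, and the lookup for a single address answers differently per VRF, as `covering()` shows.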
From betty at newnog.org Fri Jan 13 22:06:23 2012
From: betty at newnog.org (Betty Burke )
Date: Fri, 13 Jan 2012 23:06:23 -0500
Subject: [NANOG-announce] NANOG 54 Agenda and Reminders
Message-ID:

Colleagues:

A short NANOG 54 reminder and update.

NANOG 54 will be held in San Diego, CA February 5 - 8, 2012. NANOG 54 will begin with tutorials starting early Sunday afternoon, February 5. The meeting will adjourn approximately 12 noon on Wednesday, February 8.

Thank you to our NANOG 54 Speakers and to the NANOG Program Committee. Attendees are sure to enjoy another fantastic program! The posted agenda continues to be updated, however, the largest part of the NANOG 54 program is now posted.

Do not delay, register for NANOG 54 now as the registration rate will increase on Monday, January 30, 2012.

http://www.nanog.org/meetings/nanog54/agenda.html
http://www.nanog.org/meetings/nanog54/nanog54_registration.html

Please note the Westin Gaslamp Hotel Group Rate Expires on Friday, January 20, 2012. Make your reservation as soon as possible.

http://www.nanog.org/meetings/nanog54/hotel.php

In addition to a wonderful program, attendees will be treated to our famous "Sponsor Socials". NANOG 54 Attendees will have ample social networking opportunities during each day and throughout the evening.

After 16 years, NANOG is pleased to return to San Diego. There are a number of local activities and attractions for all to take advantage of. Make your travel plans, become a NANOG member, register for NANOG 54 and become a part of the NANOG experience.

Should you have any questions or concerns regarding your reservation, the hotel, or NANOG 54 in general, please be sure to send a note to nanog-support at nanog.org or phone us at +1 510 492 4030.
Betty

--
Betty Burke
NewNOG/NANOG Executive Director
Office (810) 214-1218
NANOG Office (510) 492-4030
-------------- next part --------------
_______________________________________________
NANOG-announce mailing list
NANOG-announce at nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog-announce

From me at anuragbhatia.com Sat Jan 14 01:33:12 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Sat, 14 Jan 2012 13:03:12 +0530
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
In-Reply-To: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>
References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>
Message-ID:

Hello Manish

Nice work on bgptables.merit.edu

Couple of things:

1. It doesn't recognize an individual IP directly but needs the complete block in CIDR to get info about it, e.g. a search for 8.8.8.8 gives nothing but 8.8.8.0/24 gives information about Google. It would be worth it to have it look at the block to which an IP belongs.

2. You might consider adding graphs on AS connections - those are best for easy & quick reading. Something like for Google (AS15169) - http://bgp.he.net/AS15169#_graph4

Nice work, keep it going!

On Sat, Jan 14, 2012 at 1:49 AM, Manish Karir wrote:
>
> All,
>
> We would like to announce the availability of the bgpTables Project at
> Merit at: http://bgptables.merit.edu
> bgpTables allows users to easily navigate global routing table data
> collected via routviews.org. bgptables
> essentially processes the data collected at routeviews and makes it
> available in a somewhat easier
> to use interface. The goal of bgpTables is to represent global prefix and
> AS visibility information from the
> vantage point of the various bgp table views as seen at routeviews.
> The data is currently updated nightly (EST) but we hope to improve this
> over time.
> Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple
> examples of how you can use bgpTables.
>
> Some examples:
> - You can query for a specific ASN by entering the text 'as' followed by
> the AS number into the search box. For example to query for information
> about AS 237 you would enter 'as237' [without quotation marks] into the
> search box and then click 'search'. You can then use the view navigator map
> to switch to different routing table views for this ASN
>
> - You can query for a specific prefix by directly entering the prefix into
> the search box. For example to query for information about prefix
> 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks]
> into the search box and then click 'search'. You can then use the view
> navigator map to switch to different routing table views for the prefix.
>
> - You can find a particular prefix that you might be interested in by
> running a 'contained within' query via the search box. For example to
> quickly browse a list of prefixes contained within 1.0.0.0/8 to find the
> particular prefix you might be interested in, you can enter the text
> 'cw1.0.0.0/8' [without quotation marks] into the search box and click
> 'search'. You can then browse the resulting table to select the particular
> prefix you might be interested in.
>
> - You can simply enter the text 'as' followed by the company name into the
> search box then click search to view a list of possible matches for that
> text. For example, to view all matching google ASNs you can simply enter
> 'asgoogle' into the search box and click search. A list of possible
> matching ASNs that reference Google by name will be returned from which you
> can then select the particular ASN that is of interest to you.
>
>
> Comments, corrections, and suggestions are very welcome. Please send them
> to mkarir at merit.edu. Hopefully folks will find this useful.
>
> Thanks.
> -The Merit Network Research and Development Team
>
>


--

Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!
Twitter: @anurag_bhatia From c.spurgeon at mail.utexas.edu Sat Jan 14 19:10:15 2012 From: c.spurgeon at mail.utexas.edu (Charles Spurgeon) Date: Sat, 14 Jan 2012 19:10:15 -0600 Subject: VPC=S/MLT? In-Reply-To: <4F109CC0.8000800@gmail.com> References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu> <4F109CC0.8000800@gmail.com> Message-ID: <20120115011015.GA14746@argus.gw.utexas.edu> On Fri, Jan 13, 2012 at 03:05:45PM -0600, -Hammer- wrote: > > The first link references "chapter 3". I found chapter 5 as well > but I can't find the full index. Do you have that link by any chance? I don't have a link to a full index. The links I sent are from a set of Nexus design and operation chapters I've found. Each chapter is a guide to a specific aspect of Nexus and vPC operation and DC design. The set doesn't appear to have been turned into standard Cisco docs with indexes etc. Here are the links that I've been able to find: Chapter 1: Data Center Design with Cisco Nexus Switches and Virtual PortChannel: Overview http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572831-00_Dsgn_Nexus_vPC_DG.pdf Chapter 2: Cisco NX-OS Software Command-Line Interface Primer http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572833-00_NX-OS_CLI.pdf Chapter 3: Cisco NX-OS Software Virtual PortChannel: Fundamental Concepts http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf Chapter 4: Spanning Tree Design Guidelines for Cisco NX-OS Software and Virtual PortChannels http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572834-00_STDG_NX-OS_vPC_DG.pdf Chapter 5: Data Center Aggregation Layer Design and Configuration with Cisco Nexus Switches and Virtual PortChannels http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf Chapter 6 Data Center Access Design with Cisco Nexus 
5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf

Chapter 7: 10 Gigabit Ethernet Connectivity with Microsoft Windows Servers
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572828-00_10Gb_Conn_Win_DG.pdf

Chapter 8: Data Center Design with VMware ESX 4.0 and Cisco Nexus 5000 and 1000V Series Switches 4.0(4)SV1(1) and 2000 Series Fabric Extenders
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572832-00_VMware_ESX4_Nexus_DG.pdf

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

From nathan at atlasnetworks.us Sat Jan 14 21:36:53 2012
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Sun, 15 Jan 2012 03:36:53 +0000
Subject: IP Management Software
In-Reply-To:
References:
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B671AB1@ex-mb-1.corp.atlasnetworks.us>

Racktables seems pretty decent, and it's open source. Seems to still be alive, too!

http://racktables.org/demo.php

> -----Original Message-----
> From: Josh Baird [mailto:joshbaird at gmail.com]
> Sent: Friday, January 13, 2012 2:20 PM
> To: Shahab Vahabzadeh
> Cc: nanog at nanog.org
> Subject: Re: IP Management Software
>
> In that case, there aren't too many options. I have used IPPLAN in the past,
> and I have found it difficult to use and manage. Most of the other open
> source IPAM packages are now vaporware.
>
> Josh
>
> On Fri, Jan 13, 2012 at 4:51 PM, Shahab Vahabzadeh
> wrote:
> > I am looking for an open source one, nocproject.org is good but it
> > needs lots of patches to be normal, I think they are not developing it
> > too much because it's an internal project for them.
> >
> >
> > On Sat, Jan 14, 2012 at 1:20 AM, Josh Baird wrote:
> >>
> >> We use Men & Mice, but it is a commercial product.
> >> Solarwinds
> >> and Infoblox also have commercial offerings that are worth looking at.
> >> If you are looking at an IPAM platform with emphasis on IPv6, check
> >> out www.6connect.com. They offer a free product that is
> >> pretty comprehensive.
> >>
> >> Josh
> >> On Fri, Jan 13, 2012 at 4:24 PM, Shahab Vahabzadeh
> >> wrote:
> >> > Hi,
> >> > Would you please tell me what are the advantages of noc-project?
> >> > It takes hours to install it and it looks like a software with lots
> >> > of bugs?
> >> > I have it now but many problems in their scripts, Isn't it?
> >> > Thanks
> >> >
> >> > On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied
> >> > wrote:
> >> >
> >> >> Try noc project
> >> >>
> >> >>
> >> >> On Friday, December 16, 2011, Shahab Vahabzadeh
> >> >>
> >> >> wrote:
> >> >> > Hi everybody,
> >> >> > Can anybody share his/her experience with IP Management software?
> >> >> > Which I can use it managing near 100K IP Address?
> >> >> > IPPlan is not good enough, I think its
> >> >> >
> >> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Regards,
> >> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >> >
> >> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367
> >> > BF90
> >
> >
> >
> >
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367
> > BF90
>
>

From ted at fred.net Sun Jan 15 01:37:25 2012
From: ted at fred.net (Ted Fischer)
Date: Sun, 15 Jan 2012 02:37:25 -0500
Subject: Whois 172/12
Message-ID: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net>

Hi all,

Tearing what's left of my hair out.

A customer is getting scanned by a host claiming to be "172.0.1.216".

I know this is bogus, but I want to go back to the customer with as much authoritative umph as I can (heaven forbid they just take my word).

I'm pretty sure I read somewhere once that 172/12 was "reserved" or something like that.
All I can find now is that 172/8 is "administered by ARIN". Lots of information on 172.16/12, but not a peep about 172/12.

If anybody could provide some insight as to the allocation/non-allocation of this block, it would be much appreciated.

Thanks.

Ted Fischer

From r.hyunseog at ieee.org Sun Jan 15 01:53:17 2012
From: r.hyunseog at ieee.org (Alex Ryu)
Date: Sun, 15 Jan 2012 01:53:17 -0600
Subject: Whois 172/12
In-Reply-To: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net>
References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net>
Message-ID:

As far as I know, 172.0.1.216 is not assigned, yet.

whois -h whois.arin.net 172.0.1.216
[whois.arin.net]
#
# Query terms are ambiguous. The query is assumed to be:
# "n 172.0.1.216"
#
# Use "?" to get help.
#

No match found for 172.0.1.216.

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Also, when you check BGP routing table, it is not routed at all.

route-server.as3257.net>sh ip bgp 172.0.1.216
% Network not in table
route-server.as3257.net>

So it seems like a forged IP address.

Alex

On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer wrote:
> Hi all,
>
> Tearing what's left of my hair out.
>
> A customer is getting scanned by a host claiming to be "172.0.1.216".
>
> I know this is bogus, but I want to go back to the customer with as
> much authoritative umph as I can (heaven forbid they just take my
> word).
>
> I'm pretty sure I read somewhere once that 172/12 was "reserved" or
> something like that. All I can find now is that 172/8 is "administered by
> ARIN". Lots of information on 172.16/12, but not a peep about
> 172/12.
>
> If anybody could provide some insight as to the
> allocation/non-allocation of this block, it would be much appreciated.
>
> Thanks.
>
> Ted Fischer
>
>
>
>
>
>
>

From patrick at ianai.net Sun Jan 15 01:58:11 2012
From: patrick at ianai.net (Patrick W.
Gilmore)
Date: Sun, 15 Jan 2012 02:58:11 -0500
Subject: Whois 172/12
In-Reply-To:
References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net>
Message-ID: <36A214A4-0627-4921-83B0-37766996844A@ianai.net>

Read RFC1918.

Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.

But that is not guaranteed. A packet with a source address of 172.0.x.x could be hitting his machine. Depends on how well you filter. Many networks only look at destination IP address, source can be anything - spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back to it (unless it was on the local LAN, as I mention above).

--
TTFN,
patrick

On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:

> As far as I know, 172.0.1.216 is not assigned, yet.
>
> whois -h whois.arin.net 172.0.1.216
> [whois.arin.net]
> #
> # Query terms are ambiguous. The query is assumed to be:
> # "n 172.0.1.216"
> #
> # Use "?" to get help.
> #
>
> No match found for 172.0.1.216.
>
>
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
>
> Also, when you check BGP routing table, it is not routed at all.
>
> route-server.as3257.net>sh ip bgp 172.0.1.216
> % Network not in table
> route-server.as3257.net>
>
> So it seems like forged IP address.
>
> Alex
>
>
> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer wrote:
>> Hi all,
>>
>> Tearing what's left of my hair out.
>>
>> A customer is getting scanned by a host claiming to be "172.0.1.216".
>>
>> I know this is bogus, but I want to go back to the customer with as
>> much authoritative umph as I can (heaven forbid they just take my
>> word).
>>
>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or
>> something like that. All I can find now is that 172/8 is "administered by
>> ARIN". Lots of information on 172.16/12, but not a peep about
>> 172/12.
>>
>> If anybody could provide some insight as to the
>> allocation/non-allocation of this block, it would be much appreciated.
>>
>> Thanks.
>>
>> Ted Fischer
>>
>>
>>
>>
>>
>>
>

From leigh.porter at ukbroadband.com Sun Jan 15 02:17:20 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Sun, 15 Jan 2012 08:17:20 +0000
Subject: Whois 172/12
In-Reply-To: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net>
References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net>
Message-ID: <5D0DB325-557B-440F-B308-8F70670036F4@ukbroadband.com>

On 15 Jan 2012, at 07:39, "Ted Fischer" wrote:

> Hi all,
>
> Tearing what's left of my hair out.
>
> A customer is getting scanned by a host claiming to be "172.0.1.216".
>
> I know this is bogus, but I want to go back to the customer with as
> much authoritative umph as I can (heaven forbid they just take my
> word).
>
> I'm pretty sure I read somewhere once that 172/12 was "reserved" or
> something like that. All I can find now is that 172/8 is "administered by
> ARIN". Lots of information on 172.16/12, but not a peep about
> 172/12.
>
> If anybody could provide some insight as to the
> allocation/non-allocation of this block, it would be much appreciated.
>
> Thanks.
>
> Ted Fischer

I would look for the prefix in your BGP table and in a couple of looking glasses and show the empty output. If it's not there, then it is bogus.

--
Leigh

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

From ted at fred.net Sun Jan 15 02:20:17 2012
From: ted at fred.net (Ted Fischer)
Date: Sun, 15 Jan 2012 03:20:17 -0500
Subject: Whois 172/12
In-Reply-To: <36A214A4-0627-4921-83B0-37766996844A@ianai.net>
References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net>
Message-ID: <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net>

Thanks for the replies so far, but not what I was looking for.

I should have specified that I've done several ns & dig lookups just to make sure.

We were supposed to have lit up the last of IPv4 last year. I would have presumed that meant that there was nothing left. Since I can't find a reference to 172/12 anywhere, one might be led to presume that it was allocated somehow, to someone (perhaps inadvertently not recorded) since there are - supposedly - no fresh IPv4 addresses left to allocate, and the only reference to this block is that 172/8 is allocated to ARIN. It doesn't even appear in RFC 5735.

We all know about 172.16/12 - nothing left of that horse but glue.

My question is about 172/12. Where is it, what is its supposed purpose? I'm almost sure it's an internal box. I just find it better to give a professional answer to "why can't I use this" than just "you can't use this and why is this address scanning you for udp/137 anyway".

If someone can point out to me what was done with 172/12 I'd appreciate it.

Patrick opined:
> Read RFC1918.

I didn't remember seeing anything about 172/12 in RFC1918. Looked at it again. Is there something about 172/12 I missed? Thanks.

> Likely a machine on his local network (i.e. behind the same NAT box) is
> hitting him.
>
> But that is not guaranteed. A packet with a source address of 172.0.x.x
> could be hitting his machine. Depends on how well you filter.
> Many
> networks only look at destination IP address, source can be anything -
> spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back
> to it (unless it was on the local LAN, as I mention above).
>
> --
> TTFN,
> patrick
>
>
> On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:
>
>> As far as I know, 172.0.1.216 is not assigned, yet.
>>
>> whois -h whois.arin.net 172.0.1.216
>> [whois.arin.net]
>> #
>> # Query terms are ambiguous. The query is assumed to be:
>> # "n 172.0.1.216"
>> #
>> # Use "?" to get help.
>> #
>>
>> No match found for 172.0.1.216.
>>
>>
>>
>> #
>> # ARIN WHOIS data and services are subject to the Terms of Use
>> # available at: https://www.arin.net/whois_tou.html
>> #
>>
>> Also, when you check BGP routing table, it is not routed at all.
>>
>> route-server.as3257.net>sh ip bgp 172.0.1.216
>> % Network not in table
>> route-server.as3257.net>
>>
>> So it seems like forged IP address.
>>
>> Alex
>>
>>
>> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer wrote:
>>> Hi all,
>>>
>>> Tearing what's left of my hair out.
>>>
>>> A customer is getting scanned by a host claiming to be "172.0.1.216".
>>>
>>> I know this is bogus, but I want to go back to the customer with as
>>> much authoritative umph as I can (heaven forbid they just take my
>>> word).
>>>
>>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or
>>> something like that. All I can find now is that 172/8 is "administered
>>> by
>>> ARIN". Lots of information on 172.16/12, but not a peep about
>>> 172/12.
>>>
>>> If anybody could provide some insight as to the
>>> allocation/non-allocation of this block, it would be much appreciated.
>>>
>>> Thanks.
>>>
>>> Ted Fischer
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
>
>

From ops.lists at gmail.com Sun Jan 15 02:35:17 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Sun, 15 Jan 2012 14:05:17 +0530
Subject: Whois 172/12
In-Reply-To: <36A214A4-0627-4921-83B0-37766996844A@ianai.net>
References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net>
Message-ID:

Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated.

On Sun, Jan 15, 2012 at 1:28 PM, Patrick W. Gilmore wrote:
> Read RFC1918.
>
> Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.
>
> But that is not guaranteed. A packet with a source address of 172.0.x.x

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From jeroen at unfix.org Sun Jan 15 02:43:46 2012
From: jeroen at unfix.org (Jeroen Massar)
Date: Sun, 15 Jan 2012 09:43:46 +0100
Subject: Whois 172/12
In-Reply-To: <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net>
References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net>
Message-ID:

On 15 Jan 2012, at 09:20, "Ted Fischer" wrote:

> My question is about 172/12. Where is it, what is its supposed purpose.

See IANA which tells you at http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml that ARIN is handling it.

As their whois does not have anything for it, and BGP does not have it, it obviously is unused as of yet and somebody is just spoofing.

Solution: implement BCP38 in your network.

Note that IANA has run out of v4, the RIRs themselves have quite a bit left, obviously, ARIN still has big chunks of 172/8.

> I'm almost sure it's an internal box.

Then apply BCP38 and figure out where it lives.
> I just find it better to give a
> professional answer to "why can't I use this" than just "you can't use
> this and why is this address scanning you for udp/137 anyway"

It is not their address space, as such they are not supposed to use it. What is so difficult about that answer?!

Greets,
Jeroen

From mysidia at gmail.com Sun Jan 15 02:44:29 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Sun, 15 Jan 2012 02:44:29 -0600
Subject: Whois 172/12
In-Reply-To: <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net>
References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net>
Message-ID:

On Sun, Jan 15, 2012 at 2:20 AM, Ted Fischer wrote:
> We were supposed to have lit up the last of IPv4 last year. I would have
> presumed that meant that there was nothing left. Since I can't find a
>
Not a good assumption. There remains IPv4 address space that has not yet been assigned to any network, but is available for assignment. 172/12 appears to likely fall into that category.

> there are - supposedly - no fresh IPv4 addresses left to allocate, and the
> only reference to this block is that 172/8 is allocated to ARIN. It
> doesn't even appear in RFC 5735.
>
Just because ARIN does not appear to have allocated networks from 172/12 yet does not mean this address space is unavailable, not part of the free pool, or will not be allocated from by ARIN in the future. Just a /12 is a very small shard of IP address space. This is also part of a legacy /8.

> My question is about 172/12. Where is it, what is its supposed purpose.
>
This falls under IP addresses that can be assigned to networks but have not yet been recorded as assigned to any networks.

> I'm almost sure it's an internal box. I just find it better to give a
> professional answer to "why can't I use this" than just "you can't use
>
Only the RFC1918 IP address space is reserved for use by private networks.
172/12 is not reserved by RFC, therefore portions of it that are unallocated could be allocated at any time.

> this and why is this address scanning you for udp/137 anyway".
>
Something is generating packets sourced with an IP address in that range which should not be using that source IP address. It could be a device misconfiguration, or it could be intentional IP address spoofing.

> If someone can point out to me what was done with 172/12 I'd appreciate it.
>
--
-JH

From bonomi at mail.r-bonomi.com Sun Jan 15 06:36:12 2012
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Sun, 15 Jan 2012 06:36:12 -0600 (CST)
Subject: Whois 172/12
In-Reply-To: <36A214A4-0627-4921-83B0-37766996844A@ianai.net>
Message-ID: <201201151236.q0FCaCSF047779@mail.r-bonomi.com>

> From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Sun Jan 15 02:02:00 2012
> Subject: Re: Whois 172/12
> From: "Patrick W. Gilmore"
> Date: Sun, 15 Jan 2012 02:58:11 -0500
> To: NANOG list
>
> Read RFC1918.
>
> Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.

Patrick,
I've read RFC-1918. I cannot find *any* reference to 172.0/12, as the OP was asking about. 172.16/12, yes, but not 172.0/12. Can you please clarify your advice?

ZZ

From bmanning at vacation.karoshi.com Sun Jan 15 06:47:19 2012
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Sun, 15 Jan 2012 12:47:19 +0000
Subject: Whois 172/12
In-Reply-To: <201201151236.q0FCaCSF047779@mail.r-bonomi.com>
References: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <201201151236.q0FCaCSF047779@mail.r-bonomi.com>
Message-ID: <20120115124719.GA20706@vacation.karoshi.com.>

On Sun, Jan 15, 2012 at 06:36:12AM -0600, Robert Bonomi wrote:
> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Sun Jan 15 02:02:00 2012
> > Subject: Re: Whois 172/12
> > From: "Patrick W. Gilmore"
> > Date: Sun, 15 Jan 2012 02:58:11 -0500
> > To: NANOG list
> >
> > Read RFC1918.
> >
> > Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.
>
>
> Patrick,
> I've read RFC-1918. I cannot find *any* reference to 172.0/12, as the OP
> was asking about. 172.16/12, yes, but not 172.0/12. Can you please clarify
> your advice?
>
> ZZ

	so as a stylistic point, 172/12 is supposed to equal 172.0.0.0/12?

	if memory serves, back in the day, there were records of allocations in this space,
	pre-ARIN. When RFC 1918 was settled on, there were some folks blocking 172.0.0.0/8
	so there was talk of relocating those folks into other space.

/bill

From jlewis at lewis.org Sun Jan 15 07:54:34 2012
From: jlewis at lewis.org (Jon Lewis)
Date: Sun, 15 Jan 2012 08:54:34 -0500 (EST)
Subject: Whois 172/12
In-Reply-To: <20120115124719.GA20706@vacation.karoshi.com.>
References: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <201201151236.q0FCaCSF047779@mail.r-bonomi.com> <20120115124719.GA20706@vacation.karoshi.com.>
Message-ID:

On Sun, 15 Jan 2012 bmanning at vacation.karoshi.com wrote:

> so as a stylistic point, 172/12 is supposed to equal 172.0.0.0/12?

Yeah...it's pretty common to drop the zeros when talking CIDR.

> if memory serves, back in the day, there were records of allocations in this space,
> pre-ARIN. When RFC 1918 was settled on, there were some folks blocking 172.0.0.0/8
> so there was talk of relocating those folks into other space.

AOL has and uses (publicly) a bunch of space in 172/8. In fact, looking at a BGP table, I'd say they're by far the largest user (one of the only) in that /8.

For the OP...that scan traffic coming from 172.0.1.216 could be locally generated, or could be coming from the internet, either from someone announcing it briefly, or from a leaky NAT (just because it's not rfc1918 space doesn't mean someone didn't pick it out of their nether regions as the "private network" for some NAT'd network).
There are resources where you can check to see if 172.0.1/24 or larger networks have been announced recently (left as an exercise for the reader). If they haven't, then the "scans" probably aren't being very effective since there can be no reply.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From patrick at ianai.net Sun Jan 15 08:46:41 2012
From: patrick at ianai.net (Patrick W. Gilmore)
Date: Sun, 15 Jan 2012 09:46:41 -0500
Subject: Whois 172/12
In-Reply-To: <201201151236.q0FCaCSF047779@mail.r-bonomi.com>
References: <201201151236.q0FCaCSF047779@mail.r-bonomi.com>
Message-ID:

On Jan 15, 2012, at 7:36 AM, Robert Bonomi wrote:

> I've read RFC-1918. I cannot find *any* reference to 172.0/12, as the OP
> was asking about. 172.16/12, yes, but not 172.0/12. Can you please clarify
> your advice?

My advice is not to post when you are tired. :)

--
TTFN,
patrick

From r.hyunseog at ieee.org Sun Jan 15 09:43:24 2012
From: r.hyunseog at ieee.org (Alex Ryu)
Date: Sun, 15 Jan 2012 09:43:24 -0600
Subject: Whois 172/12
In-Reply-To: <4f12ccbd.84c6e00a.78a9.19a3SMTPIN_ADDED@mx.google.com>
References: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <201201151236.q0FCaCSF047779@mail.r-bonomi.com> <4f12ccbd.84c6e00a.78a9.19a3SMTPIN_ADDED@mx.google.com>
Message-ID:

Similar to 1.0.0.0/8 case, which was allocated to APNIC last year or so...

On Sun, Jan 15, 2012 at 6:47 AM, wrote:
> On Sun, Jan 15, 2012 at 06:36:12AM -0600, Robert Bonomi wrote:
>> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Sun Jan 15 02:02:00 2012
>> > Subject: Re: Whois 172/12
>> > From: "Patrick W. Gilmore"
>> > Date: Sun, 15 Jan 2012 02:58:11 -0500
>> > To: NANOG list
>> >
>> > Read RFC1918.
>> >
>> > Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.
>>
>>
>> Patrick,
>> I've read RFC-1918.
>> I cannot find *any* reference to 172.0/12, as the OP
>> was asking about. 172.16/12, yes, but not 172.0/12. Can you please clarify
>> your advice?
>>
>> ZZ
>
>
>	so as a stylistic point, 172/12 is supposed to equal 172.0.0.0/12?
>
>	if memory serves, back in the day, there were records of allocations in this space,
>	pre-ARIN. When RFC 1918 was settled on, there were some folks blocking 172.0.0.0/8
>	so there was talk of relocating those folks into other space.
>
> /bill
>

From network.ipdog at gmail.com Sun Jan 15 10:16:42 2012
From: network.ipdog at gmail.com (Network IP Dog)
Date: Sun, 15 Jan 2012 08:16:42 -0800
Subject: Whois 172/12
In-Reply-To:
References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net>
Message-ID: <4f12fbf5.a24de70a.66e1.fffff79b@mx.google.com>

Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated.

What's with the language?

Ephesians 4:32 & Cheers!!!

-----Original Message-----
From: Suresh Ramasubramanian [mailto:ops.lists at gmail.com]
Sent: Sunday, January 15, 2012 12:35 AM
To: Patrick W. Gilmore
Cc: NANOG list
Subject: Re: Whois 172/12

Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated.

On Sun, Jan 15, 2012 at 1:28 PM, Patrick W. Gilmore wrote:
> Read RFC1918.
>
> Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.
>
> But that is not guaranteed. A packet with a source address of 172.0.x.x

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From mtinka at globaltransit.net Sun Jan 15 10:17:55 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 16 Jan 2012 00:17:55 +0800
Subject: Monday Night Footbal -- on Google?
In-Reply-To: <15429452.4628.1326341202514.JavaMail.root@benjamin.baylink.com>
References: <15429452.4628.1326341202514.JavaMail.root@benjamin.baylink.com>
Message-ID: <201201160017.59546.mtinka@globaltransit.net>

On Thursday, January 12, 2012 12:06:42 PM Jay Ashworth wrote:

> I'm not saying you need the whole 19mbps (though,
> remember here, we are not talking about "Additional
> Carriage"; we are talking about *being the only way
> people can see that game* -- and my example was the
> Super Bowl).. but unless MPEG algorithms have gotten
> *much* better than I'm aware of, 5mb/s is probably not
> enough for the Super Bowl. And you'd really be better
> off with some FEC, too, even if it costs you a couple
> frames extra delay.

For broadcast networks, what we're seeing they like is that unlike satellite transmissions, there is more flexibility for them on IP (IPTv), which would let them lift compression rates and pack more data into a stream. But because most of them are primarily satellite broadcasting houses, only starting to roll-out IPTv, they need to maintain parity on both transmission media.

Whatever the case, 5Mbps would be too low. At 1080i, we have a customer pushing HD channels at about 13Mbps apiece, give or take.

Mark.

From ops.lists at gmail.com Sun Jan 15 10:29:53 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Sun, 15 Jan 2012 21:59:53 +0530
Subject: Whois 172/12
In-Reply-To: <4f12fbf5.a24de70a.66e1.fffff79b@mx.google.com>
References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <4f12fbf5.a24de70a.66e1.fffff79b@mx.google.com>
Message-ID:

So kind, compassionate and forgiving that I'll buy Patrick a beer when I see him next, it's been a long time.
--srs

On Sun, Jan 15, 2012 at 9:46 PM, Network IP Dog wrote:
> Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated.
>
> What's with the language?
>
> Ephesians 4:32 & Cheers!!!

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From jay+NANOG at tp.org Sun Jan 15 10:39:48 2012
From: jay+NANOG at tp.org (Jay Moran)
Date: Sun, 15 Jan 2012 11:39:48 -0500
Subject: Whois 172/12
In-Reply-To:
References: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <201201151236.q0FCaCSF047779@mail.r-bonomi.com> <20120115124719.GA20706@vacation.karoshi.com.>
Message-ID:

On Sun, Jan 15, 2012 at 8:54 AM, Jon Lewis wrote:

> AOL has and uses (publicly) a bunch of space in 172/8. In fact, looking
> at a BGP table, I'd say they're by far the largest user (one of the only)
> in that /8.
>

We, AOL, have 172.128/10, 172.192/12, 172.208/13, 172.216/16. These blocks represent our dial-up ISP customers that can't seem to get broadband or for whatever reason, stay on dial-up. Also pretty amazing is how high the simultaneous user count has stayed, guess the folks that left weren't the ones on in the evenings between 7-10pm ET.

We (mostly me) are looking into solutions to be able to remove the reliance on this space. Unfortunately, most of the developers, who created the various servers/applications that dole out these addresses, all left in the late 90's with some pretty fat wallets; at this point... it's an archeology dig.

Jay
--
Jay Moran
http://tp.org/jay

From a.almalki1402 at gmail.com Sun Jan 15 11:52:50 2012
From: a.almalki1402 at gmail.com (Abdullah Al-Malki)
Date: Sun, 15 Jan 2012 20:52:50 +0300
Subject: accessing multiple devices via a script
Message-ID:

Hi fellows,
I am supporting a big service provider and sometimes I face this problem.
Sometimes I want to access my customer network and want to extract some verification output "show commands" from a large number of devices.

What kind of scripting solutions are you guys using in this case?
Appreciate the feedback,
Abdullah

From regnauld at nsrc.org Sun Jan 15 11:56:55 2012
From: regnauld at nsrc.org (Phil Regnauld)
Date: Sun, 15 Jan 2012 18:56:55 +0100
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID: <20120115175655.GB35765@macbook.bluepipe.net>

Abdullah Al-Malki (a.almalki1402) writes:
> Hi fellows,
> I am supporting a big service provider and sometimes I face this problem.
> Sometimes I want to access my customer network and want to extract some
> verification output "show commands" from a large number of devices.
>
> What kind of scripting solutions are you guys using in this case?

Hi Abdullah,

rancid ?

http://www.shrubbery.net/rancid/

Cheers,
Phil

From joelja at bogus.com Sun Jan 15 12:01:29 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Sun, 15 Jan 2012 10:01:29 -0800
Subject: accessing multiple devices via a script
In-Reply-To: <20120115175655.GB35765@macbook.bluepipe.net>
References: <20120115175655.GB35765@macbook.bluepipe.net>
Message-ID: <4F131479.6040805@bogus.com>

On 1/15/12 09:56 , Phil Regnauld wrote:
> Abdullah Al-Malki (a.almalki1402) writes:
>> Hi fellows,
>> I am supporting a big service provider and sometimes I face this problem.
>> Sometimes I want to access my customer network and want to extract some
>> verification output "show commands" from a large number of devices.
>>
>> What kind of scripting solutions are you guys using in this case?
>
> Hi Abdullah,
>
> rancid ?
>
> http://www.shrubbery.net/rancid/

clogin from rancid features prominently in a lot of our network level automation... so does pdsh...

http://code.google.com/p/pdsh/

Particularly when it involves hosts.
> Cheers,
> Phil
>

From jkrejci at usinternet.com Sun Jan 15 12:41:09 2012
From: jkrejci at usinternet.com (Justin Krejci)
Date: Sun, 15 Jan 2012 18:41:09 +0000
Subject: accessing multiple devices via a script
Message-ID: <1400261429-1326652872-cardhu_decombobulator_blackberry.rim.net-359265357-@b1.c4.bise6.blackberry>

Parallel ssh (pssh) might help you too

------Original Message------
From: Abdullah Al-Malki
To: nanog at nanog.org
Subject: accessing multiple devices via a script
Sent: Jan 15, 2012 11:52 AM

Hi fellows,
I am supporting a big service provider and sometimes I face this problem.
Sometimes I want to access my customer network and want to extract some verification output "show commands" from a large number of devices.

What kind of scripting solutions are you guys using in this case?

Appreciate the feedback,
Abdullah

From kurth.bemis at gmail.com Sun Jan 15 12:46:13 2012
From: kurth.bemis at gmail.com (Kurth Bemis)
Date: Sun, 15 Jan 2012 13:46:13 -0500
Subject: accessing multiple devices via a script
In-Reply-To: <20120115175655.GB35765@macbook.bluepipe.net>
References: <20120115175655.GB35765@macbook.bluepipe.net>
Message-ID: <1326653173.3288.4.camel@kurth-gsm>

On Sun, 2012-01-15 at 18:56 +0100, Phil Regnauld wrote:
> Abdullah Al-Malki (a.almalki1402) writes:
> > Hi fellows,
> > I am supporting a big service provider and sometimes I face this problem.
> > Sometimes I want to access my customer network and want to extract some
> > verification output "show commands" from a large number of devices.
> >
> > What kind of scripting solutions are you guys using in this case?
>
> Hi Abdullah,
>
> rancid ?
>
> http://www.shrubbery.net/rancid/
>
> Cheers,
> Phil
>

Back in the day (~2001 era) I used expect to do a lot of tasks across (in that day) telnet.
http://www.linuxjournal.com/article/3065

Good Luck,
~k

From kmedcalf at dessus.com Sun Jan 15 12:49:22 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Sun, 15 Jan 2012 11:49:22 -0700
Subject: Whois 172/12
In-Reply-To: <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net>
Message-ID: <4317db7bf189e74dad2ded425777378e@mail.dessus.com>

As port 137 is the NetBIOS Name Service port, are you *sure* this is a port scan and not a Windows box (or other OS running NetBIOS crud) that simply has fat-fingered addresses configured?

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

> -----Original Message-----
> From: Ted Fischer [mailto:ted at fred.net]
> Sent: Sunday, 15 January, 2012 01:20
> To: nanog at nanog.org
> Subject: Re: Whois 172/12
>
> Thanks for the replies so far, but not what I was looking for.
>
> I should have specified that I've done several ns & dig lookups just to
> make sure.
>
> We were supposed to have lit up the last of IPv4 last year. I would have
> presumed that meant that there was nothing left. Since I can't find a
> reference to 172/12 anywhere, one might be led to presume that it was
> allocated somehow, to someone (perhaps inadvertently not recorded) since
> there are - supposedly - no fresh IPv4 addresses left to allocate, and the
> only reference to this block is that 172/8 is allocated to ARIN. It
> doesn't even appear in RFC 5735.
>
> We all know about 172.16/12 - nothing left of that horse but glue.
>
> My question is about 172/12. Where is it, what is its supposed purpose.
> I'm almost sure it's an internal box. I just find it better to give a
> professional answer to "why can't I use this" than just "you can't use
> this and why is this address scanning you for udp/137 anyway".
>
> If someone can point out to me what was done with 172/12 I'd appreciate it.
>
>
> Patrick opined:
> > Read RFC1918.
>
> I didn't remember seeing anything about 172/12 in RFC1918. Looked at it
> again.
Is there something about 172/12 I missed? Thanks. > > > Likely a machine on his local network (i.e. behind the same NAT box) is > > hitting him. > > > > But that is not guaranteed. A packet with a source address of 172.0.x.x > > could be hitting his machine. Depends on how well you filter. Many > > networks only look at destination IP address, source can be anything - > > spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back > > to it (unless it was on the local LAN, as I mention above). > > > > -- > > TTFN, > > patrick > > > > > > On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote: > > > >> As far as I know, 172.0.1.216 is not assigned, yet. > >> > >> whois -h whois.arin.net 172.0.1.216 > >> [whois.arin.net] > >> # > >> # Query terms are ambiguous. The query is assumed to be: > >> # "n 172.0.1.216" > >> # > >> # Use "?" to get help. > >> # > >> > >> No match found for 172.0.1.216. > >> > >> > >> > >> # > >> # ARIN WHOIS data and services are subject to the Terms of Use > >> # available at: https://www.arin.net/whois_tou.html > >> # > >> > >> Also, when you check BGP routing table, it is not routed at all. > >> > >> route-server.as3257.net>sh ip bgp 172.0.1.216 > >> % Network not in table > >> route-server.as3257.net> > >> > >> So it seems like forged IP address. > >> > >> Alex > >> > >> > >> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer wrote: > >>> Hi all, > >>> > >>> Tearing what's left of my hair out. > >>> > >>> A customer is getting scanned by a host claiming to be "172.0.1.216". > >>> > >>> I know this is bogus, but I want to go back to the customer with as > >>> much authoritative umph as I can (heaven forbid they just take my > >>> word). > >>> > >>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or > >>> something like that. All I can find now is that 172/8 is "administered > >>> by > >>> ARIN". Lots of information on 172.16/12, but not a peep about > >>> 172/12. 
> >>> > >>> If anybody could provide some insight as to the > >>> allocation/non-allocation of this block, it would be much appreciated. > >>> > >>> Thanks. > >>> > >>> Ted Fischer > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >> > > > > > > > > From scot.loach at gmail.com Sun Jan 15 12:56:45 2012 From: scot.loach at gmail.com (Scot Loach) Date: Sun, 15 Jan 2012 13:56:45 -0500 Subject: NANOG Digest, Vol 48, Issue 41 In-Reply-To: References: Message-ID: On 1/15/12, nanog-request at nanog.org wrote: > Send NANOG mailing list submissions to > nanog at nanog.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://mailman.nanog.org/mailman/listinfo/nanog > or, via email, send a message with subject or body 'help' to > nanog-request at nanog.org > > You can reach the person managing the list at > nanog-owner at nanog.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of NANOG digest..." > > > Today's Topics: > > 1. Re: Whois 172/12 (Alex Ryu) > 2. RE: Whois 172/12 (Network IP Dog) > 3. Re: Monday Night Footbal -- on Google? (Mark Tinka) > 4. Re: Whois 172/12 (Suresh Ramasubramanian) > 5. Re: Whois 172/12 (Jay Moran) > 6. accessing multiple devices via a script (Abdullah Al-Malki) > 7. Re: accessing multiple devices via a script (Phil Regnauld) > 8. Re: accessing multiple devices via a script (Joel jaeggli) > 9. Re: accessing multiple devices via a script (Justin Krejci) > 10. Re: accessing multiple devices via a script (Kurth Bemis) > 11. RE: Whois 172/12 (Keith Medcalf) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sun, 15 Jan 2012 09:43:24 -0600 > From: Alex Ryu > To: bmanning at vacation.karoshi.com > Cc: nanog at nanog.org > Subject: Re: Whois 172/12 > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > Similar to 1.0.0.0/8 case, which was allocated to APNIC last year or so... 
> > > On Sun, Jan 15, 2012 at 6:47 AM, wrote: >> On Sun, Jan 15, 2012 at 06:36:12AM -0600, Robert Bonomi wrote: >>> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org ?Sun Jan 15 >>> > 02:02:00 2012 >>> > Subject: Re: Whois 172/12 >>> > From: "Patrick W. Gilmore" >>> > Date: Sun, 15 Jan 2012 02:58:11 -0500 >>> > To: NANOG list >>> > >>> > Read RFC1918. >>> > >>> > Likely a machine on his local network (i.e. behind the same NAT box) is >>> > hitting him. >>> >>> >>> Patrick, >>> ? I'v read RFC-1918. ? I cannot find *any* reference to ?172.0/12, as the >>> OP >>> was asking about. ?172.16/12, yes. but not 172.0/12. ?Can you please >>> clarify >>> your advice? >>> >>> ZZ >> >> >> ? ? ? ?so as a stylistic point, ? 172/12 ?is supposed to equal >> 172.0.0.0/12? >> >> ? ? ? ?if memory serves, back in the day, there were records of >> allocations in this space, >> ? ? ? ?pre-ARIN. When RFC 1918 was settled on, there were some folks >> blocking 172.0.0.0/8 >> ? ? ? ?so there was talk of relocating those folks into other space. >> >> /bill >> > > > > ------------------------------ > > Message: 2 > Date: Sun, 15 Jan 2012 08:16:42 -0800 > From: "Network IP Dog" > To: "'Suresh Ramasubramanian'" , "'Patrick W. > Gilmore'" > Cc: 'NANOG list' > Subject: RE: Whois 172/12 > Message-ID: <4f12fbf5.a24de70a.66e1.fffff79b at mx.google.com> > Content-Type: text/plain; charset="UTF-8" > > Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is > mostly unallocated. > > What's with the language? > > Ephesians 4:32 & Cheers!!! > > -----Original Message----- > From: Suresh Ramasubramanian [mailto:ops.lists at gmail.com] > Sent: Sunday, January 15, 2012 12:35 AM > To: Patrick W. Gilmore > Cc: NANOG list > Subject: Re: Whois 172/12 > > Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly > unallocated. > > On Sun, Jan 15, 2012 at 1:28 PM, Patrick W. Gilmore > wrote: >> Read RFC1918. >> >> Likely a machine on his local network (i.e. 
behind the same NAT box) is >> hitting him. >> >> But that is not guaranteed. A packet with a source address of 172.0.x.x > > > > -- > Suresh Ramasubramanian (ops.lists at gmail.com) > > > > > ------------------------------ > > Message: 3 > Date: Mon, 16 Jan 2012 00:17:55 +0800 > From: Mark Tinka > To: nanog at nanog.org > Subject: Re: Monday Night Footbal -- on Google? > Message-ID: <201201160017.59546.mtinka at globaltransit.net> > Content-Type: text/plain; charset="us-ascii" > > On Thursday, January 12, 2012 12:06:42 PM Jay Ashworth > wrote: > >> I'm not saying you need the whole 19mbps (though, >> remember here, we are not talking about "Additional >> Carriage"; we are talking about *being the only way >> people can see that game* -- and my example was the >> Super Bowl).. but unless MPEG algorithms have gotten >> *much* better than I'm aware of, 5mb/s is probably not >> enough for the Super Bowl. And you'd really be better >> off with some FEC, too, even if it costs you a couple >> frames extra delay. > > For broadcast networks, what we're seeing they like is that > unlike satellite transmissions, there is more flexibility > for them on IP (IPTv), which would let them lift compression > rates and pack more data into a stream. > > But because most of them are primarily satellite > broadcasting houses, only starting to roll-out IPTv, they > need to maintain parity on both transmission media. > > Whatever the case, 5Mbps would be too low. At 1080i, we have > a customer pushing HD channels at about 13Mbps a piece, give > or take. > > Mark. > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: signature.asc > Type: application/pgp-signature > Size: 836 bytes > Desc: This is a digitally signed message part. 
> URL: > > > ------------------------------ > > Message: 4 > Date: Sun, 15 Jan 2012 21:59:53 +0530 > From: Suresh Ramasubramanian > To: Network IP Dog > Cc: NANOG list > Subject: Re: Whois 172/12 > Message-ID: > > Content-Type: text/plain; charset=UTF-8 > > So kind, compassionate and forgiving that I'll buy Patrick a beer when > I see him next, its been a long time. > > --srs > > On Sun, Jan 15, 2012 at 9:46 PM, Network IP Dog > wrote: >> Jesus. 172.16/12 fine .. that's rfc1918. ? The rest of 172/8 is >> mostly unallocated. >> >> What's with the language? >> >> Ephesians 4:32 ?& ?Cheers!!! > > > > -- > Suresh Ramasubramanian (ops.lists at gmail.com) > > > > ------------------------------ > > Message: 5 > Date: Sun, 15 Jan 2012 11:39:48 -0500 > From: Jay Moran > To: NANOG > Subject: Re: Whois 172/12 > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > On Sun, Jan 15, 2012 at 8:54 AM, Jon Lewis wrote: > > >> AOL has and uses (publicly) a bunch of space in 172/8. In fact, looking >> at a BGP table, I'd say they're by far the largest user (one of the only) >> in that /8. >> > > We, AOL, have 172.128/10, 172.192/12, 172.208/13, 172.216/16. These blocks > represent our dial-up ISP customers that can't seem to get broadband or for > whatever reason, stay on dial-up. Also pretty amazingly is how high the > simultaneous user count has stayed, guess the folks that left weren't the > ones on in the evenings between 7-10pm ET. We (mostly me) are looking into > solutions to be able to remove the reliance on this space. Unfortunately, > most of the developers, who created the various servers/applications that > dole out these addresses, all left in the late 90's with some pretty fat > wallets; at this point... it's an archeology dig. 
> > Jay > -- > Jay Moran > http://tp.org/jay > > > ------------------------------ > > Message: 6 > Date: Sun, 15 Jan 2012 20:52:50 +0300 > From: Abdullah Al-Malki > To: nanog at nanog.org > Subject: accessing multiple devices via a script > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > Hi fellows, > I am supporting a big service provider and sometimes I face this problem. > Sometimes I want to access my customer network and want to extract some > verification output "show commands" from a large number of devices. > > What kind of scripting solutions you guys are using this case. > > Appreciate the feedback, > Abdullah > > > ------------------------------ > > Message: 7 > Date: Sun, 15 Jan 2012 18:56:55 +0100 > From: Phil Regnauld > To: Abdullah Al-Malki > Cc: nanog at nanog.org > Subject: Re: accessing multiple devices via a script > Message-ID: <20120115175655.GB35765 at macbook.bluepipe.net> > Content-Type: text/plain; charset=us-ascii > > Abdullah Al-Malki (a.almalki1402) writes: >> Hi fellows, >> I am supporting a big service provider and sometimes I face this problem. >> Sometimes I want to access my customer network and want to extract some >> verification output "show commands" from a large number of devices. >> >> What kind of scripting solutions you guys are using this case. > > Hi Abdullah, > > rancid ? > > http://www.shrubbery.net/rancid/ > > Cheers, > Phil > > > > ------------------------------ > > Message: 8 > Date: Sun, 15 Jan 2012 10:01:29 -0800 > From: Joel jaeggli > To: Phil Regnauld > Cc: nanog at nanog.org > Subject: Re: accessing multiple devices via a script > Message-ID: <4F131479.6040805 at bogus.com> > Content-Type: text/plain; charset=ISO-8859-1 > > On 1/15/12 09:56 , Phil Regnauld wrote: >> Abdullah Al-Malki (a.almalki1402) writes: >>> Hi fellows, >>> I am supporting a big service provider and sometimes I face this problem. 
>>> Sometimes I want to access my customer network and want to extract some >>> verification output "show commands" from a large number of devices. >>> >>> What kind of scripting solutions you guys are using this case. >> >> Hi Abdullah, >> >> rancid ? >> >> http://www.shrubbery.net/rancid/ > > clogin from rancid features prominently in a lot of our network level > automation... > > so does pdsh... > > http://code.google.com/p/pdsh/ > > Particularly when it involves hosts. > >> Cheers, >> Phil >> > > > > > ------------------------------ > > Message: 9 > Date: Sun, 15 Jan 2012 18:41:09 +0000 > From: "Justin Krejci" > To: "Abdullah Al-Malki" , nanog at nanog.org > Subject: Re: accessing multiple devices via a script > Message-ID: > <1400261429-1326652872-cardhu_decombobulator_blackberry.rim.net-359265357- at b1.c4.bise6.blackberry> > > Content-Type: text/plain > > Parallel ssh (pssh) might help you too > > > ------Original Message------ > From: Abdullah Al-Malki > To: nanog at nanog.org > Subject: accessing multiple devices via a script > Sent: Jan 15, 2012 11:52 AM > > Hi fellows, > I am supporting a big service provider and sometimes I face this problem. > Sometimes I want to access my customer network and want to extract some > verification output "show commands" from a large number of devices. > > What kind of scripting solutions you guys are using this case. > > Appreciate the feedback, > Abdullah > > > > > ------------------------------ > > Message: 10 > Date: Sun, 15 Jan 2012 13:46:13 -0500 > From: Kurth Bemis > To: Phil Regnauld > Cc: nanog at nanog.org > Subject: Re: accessing multiple devices via a script > Message-ID: <1326653173.3288.4.camel at kurth-gsm> > Content-Type: text/plain; charset="UTF-8" > > On Sun, 2012-01-15 at 18:56 +0100, Phil Regnauld wrote: >> Abdullah Al-Malki (a.almalki1402) writes: >> > Hi fellows, >> > I am supporting a big service provider and sometimes I face this >> > problem. 
>> > Sometimes I want to access my customer network and want to extract some >> > verification output "show commands" from a large number of devices. >> > >> > What kind of scripting solutions you guys are using this case. >> >> Hi Abdullah, >> >> rancid ? >> >> http://www.shrubbery.net/rancid/ >> >> Cheers, >> Phil >> > > Back in the day (~2001 era) I used expect to do a lot of tasks across > (in that day) telnet. > > http://www.linuxjournal.com/article/3065 > > Good Luck, > ~k > > > > > ------------------------------ > > Message: 11 > Date: Sun, 15 Jan 2012 11:49:22 -0700 > From: "Keith Medcalf" > To: "nanog at nanog.org" > Subject: RE: Whois 172/12 > Message-ID: <4317db7bf189e74dad2ded425777378e at mail.dessus.com> > Content-Type: text/plain; charset="iso-8859-1" > > > As port 137 is the Netbios Name Service port are you *sure* this is a port > scan and not a windows box (or other OS running NetBIOS crud) that simply > has fat-fingered addresses configured? > > > --- > ()? ascii ribbon campaign against html e-mail > /\? www.asciiribbon.org > > >> -----Original Message----- >> From: Ted Fischer [mailto:ted at fred.net] >> Sent: Sunday, 15 January, 2012 01:20 >> To: nanog at nanog.org >> Subject: Re: Whois 172/12 >> >> Thanks for the replies so far, but not what I was looking for. >> >> I should have specified that I've done several ns & dig lookups just to >> make sure. >> >> We were supposed to have lit up the last of IPv4 last year. I would have >> presumed that meant that there was nothing left. Since I can't find a >> reference to 172/12 anywhere, one might be led to presume that it was >> allocated somehow, to someone (perhaps inadvertently not recorded) since >> there are - supposedly - no fresh IPv4 addresses left to allocate, and the >> only reference to this block is that 172/8 is allocated to ARIN. It >> doesn't even appear in RFC 5735. >> >> We all know about 172.16/12 - nothing left of that horse but glue. >> >> My question is about 172/12. 
Where is it, what is it's supposed purpose. >> I'm almost sure it's an internal box. I just find it better to give a >> professional answer to "why can't I use this" than just "you can't use >> this and why is this address scanning you for udp/137 anyway". >> >> If someone can point out to me what was done with 172/12 I'd appreciate >> it. >> >> >> Patrick opined: >> > Read RFC1918. >> >> I didn't remember seeing anything about 172/12 in RFC1918. Looked at it >> again. Is there something about 172/12 I missed? Thanks. >> >> > Likely a machine on his local network (i.e. behind the same NAT box) is >> > hitting him. >> > >> > But that is not guaranteed. A packet with a source address of 172.0.x.x >> > could be hitting his machine. Depends on how well you filter. Many >> > networks only look at destination IP address, source can be anything - >> > spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back >> > to it (unless it was on the local LAN, as I mention above). >> > >> > -- >> > TTFN, >> > patrick >> > >> > >> > On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote: >> > >> >> As far as I know, 172.0.1.216 is not assigned, yet. >> >> >> >> whois -h whois.arin.net 172.0.1.216 >> >> [whois.arin.net] >> >> # >> >> # Query terms are ambiguous. The query is assumed to be: >> >> # "n 172.0.1.216" >> >> # >> >> # Use "?" to get help. >> >> # >> >> >> >> No match found for 172.0.1.216. >> >> >> >> >> >> >> >> # >> >> # ARIN WHOIS data and services are subject to the Terms of Use >> >> # available at: https://www.arin.net/whois_tou.html >> >> # >> >> >> >> Also, when you check BGP routing table, it is not routed at all. >> >> >> >> route-server.as3257.net>sh ip bgp 172.0.1.216 >> >> % Network not in table >> >> route-server.as3257.net> >> >> >> >> So it seems like forged IP address. >> >> >> >> Alex >> >> >> >> >> >> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer wrote: >> >>> Hi all, >> >>> >> >>> Tearing what's left of my hair out. 
>> >>> >> >>> A customer is getting scanned by a host claiming to be >> >>> "172.0.1.216". >> >>> >> >>> I know this is bogus, but I want to go back to the customer with as >> >>> much authoritative umph as I can (heaven forbid they just take my >> >>> word). >> >>> >> >>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or >> >>> something like that. All I can find now is that 172/8 is >> >>> "administered >> >>> by >> >>> ARIN". Lots of information on 172.16/12, but not a peep about >> >>> 172/12. >> >>> >> >>> If anybody could provide some insight as to the >> >>> allocation/non-allocation of this block, it would be much appreciated. >> >>> >> >>> Thanks. >> >>> >> >>> Ted Fischer >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >> >> > >> > >> > >> >> > > > > > > > > End of NANOG Digest, Vol 48, Issue 41 > ************************************* > -- Sent from my mobile device From tayeb.meftah at gmail.com Sat Jan 14 11:28:22 2012 From: tayeb.meftah at gmail.com (Meftah Tayeb) Date: Sat, 14 Jan 2012 19:28:22 +0200 Subject: OpenTransit contact needed Message-ID: hello, if someone from opentransit is on this list, please contact me thank you Meftah Tayeb IT Consulting http://www.tmvoip.com/ phone: +21321656139 Mobile: +213660347746 __________ Information from ESET NOD32 Antivirus, version of virus signature database 6793 (20120113) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com From jhell at DataIX.net Sun Jan 15 13:11:02 2012 From: jhell at DataIX.net (Jason Hellenthal) Date: Sun, 15 Jan 2012 14:11:02 -0500 Subject: NANOG Digest, Vol 48, Issue 41 In-Reply-To: References: Message-ID: <20120115191102.GA7697@DataIX.net> On Sun, Jan 15, 2012 at 01:56:45PM -0500, Scot Loach wrote: > On 1/15/12, nanog-request at nanog.org wrote: > > > > When replying, please edit your Subject line so it is more specific > > than "Re: Contents of NANOG digest..." > > These are good tips. 
Might also help to strip some of the context from what you are replying to as well.

From rhys at rhavenindustrys.com Sun Jan 15 13:13:24 2012
From: rhys at rhavenindustrys.com (Rhys Rhaven)
Date: Sun, 15 Jan 2012 13:13:24 -0600
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID: <4F132554.3030805@rhavenindustrys.com>

I do this with cluster-ssh, as in some networks I have a generic script-daemon login that I use to log into them all simultaneously. cssh uses tk and xterm, so it's a bit long in the tooth. New hotness to do this is something like keyboardcast, which can broadcast keyboard input to however many windows you want. It's currently broken on Ubuntu 11.10, but I think it works in .04.

On 01/15/2012 11:52 AM, Abdullah Al-Malki wrote:
> Hi fellows,
> I am supporting a big service provider and sometimes I face this problem.
> Sometimes I want to access my customer network and want to extract some
> verification output "show commands" from a large number of devices.
>
> What kind of scripting solutions you guys are using this case.
>
> Appreciate the feedback,
> Abdullah

From saku at ytti.fi Sun Jan 15 13:14:56 2012
From: saku at ytti.fi (Saku Ytti)
Date: Sun, 15 Jan 2012 21:14:56 +0200
Subject: Monday Night Footbal -- on Google?
In-Reply-To:
References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu>
Message-ID: <20120115191456.GA25486@pob.ytti.fi>

On (2012-01-11 17:45 -0500), Justin M. Streiner wrote:
> >If multicast is used it shouldn't take 150pbps, it should be much lower.
>
> That could be one of the things that helps spur v6 adoption -
> multicast being somewhat less of an afterthought :)
>
> While v4 multicast works, and delivering video is one of the things
> it can do very well, some networks don't route v4 multicast or
> exchange v4 multicast prefixes, so its utility on a wide scale can
> be limited.
This is misguided: IPv6 does no magic to help scale multicast to Internet scale compared to IPv4. Scaling multicast to Internet scale would make our core routers essentially flow-based routers. And as there is a finite number of these flows you could hold, we would need some way to globally regulate how and who can push their content as multicast and save a lot of money, and who will have to pay the full price. Those who are left out might feel like multicast is used to stop competition.

Now maybe we could specify some sort of stateless 'manycast' in IPv6, where you'd map destination AS numbers as the source address. You would need to send only one copy of traffic per destination ASN (or fewer if you can map multiple ASNs in the source address), and then the destination ASN would need to have a Magic Box to do stateful magic and could cherry-pick what they care about. But that's a lot of complexity for a very incomplete solution, as it would only remove state from transit.

--
++ytti

From creynolds at tsieda.com Sun Jan 15 13:21:43 2012
From: creynolds at tsieda.com (Chuck Reynolds)
Date: Sun, 15 Jan 2012 14:21:43 -0500
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID: <007e01ccd3ba$ec07be50$c4173af0$@com>

Hi Abdullah - Have you seen the new Resource Manager product from QualiSystems? It has this capability built into it and out of the box to support large numbers of devices.

Let me know off line where you are located and I can hook you up.

Regards,

Chuck

-----Original Message-----
From: Abdullah Al-Malki [mailto:a.almalki1402 at gmail.com]
Sent: Sunday, January 15, 2012 12:53 PM
To: nanog at nanog.org
Subject: accessing multiple devices via a script

Hi fellows,
I am supporting a big service provider and sometimes I face this problem.
Sometimes I want to access my customer network and want to extract some
verification output "show commands" from a large number of devices.

What kind of scripting solutions you guys are using this case.
Appreciate the feedback, Abdullah From kking at yammer-inc.com Sun Jan 15 13:30:46 2012 From: kking at yammer-inc.com (Ken King) Date: Sun, 15 Jan 2012 11:30:46 -0800 Subject: enterprise 802.11 Message-ID: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> I need to choose a wireless solution for a new office. up to 600 devices will connect. most devices are mac books and mobile phones. we can see hundreds of access points in close proximity to our new office space. what are the thoughts these days on the best enterprise solution/vendor? Thanks for your replies. Ken King From streiner at cluebyfour.org Sun Jan 15 09:39:12 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Sun, 15 Jan 2012 10:39:12 -0500 (EST) Subject: Whois 172/12 In-Reply-To: <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net> References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net> Message-ID: On Sun, 15 Jan 2012, Ted Fischer wrote: > Thanks for the replies so far, but not what I was looking for. > > I should have specified that I've done several ns & dig lookups just to > make sure. > > We were supposed to have lit up the last of IPv4 last year. I would have > presumed that meant that there was nothing left. Since I can't find a > reference to 172/12 anywhere, one might be led to presume that it was > allocated somehow, to someone (perhaps inadvertently not recorded) since > there are - supposedly - no fresh IPv4 addresses left to allocate, and the > only reference to this block is that 172/8 is allocated to ARIN. It > doesn't even appear in RFC 5735. While IANA allocated the last of the free IPv4 address pool to the 5 recognized RIRs on 3 Feb 2011, that doesn't mean that all of those IPv4 addresses were immediately assigned to providers or end-users. 
The RIRs will exhaust their supplies of assignable IPv4 address space at different times, depending on their 'end game' assignment strategies and their overall consumption rate. APNIC exhausted most of their available address space by last April.

172/8 was a legacy block, from which 172.16/12 was allocated for RFC 1918. Looking at http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml shows many of the legacy allocations being administered by ARIN, but also a few being administered by RIPE and APNIC. There is a difference between an RIR being tasked with administering a chunk of legacy space and being officially allocated a chunk of space by IANA. In the case of 172/8, it was allocated in the InterNIC days, so users could be scattered all over the world, but ARIN handles in-addr.arpa delegation for it. Since ARIN was not (as far as I know) formally tasked with allocating remaining space from 172/8, that space will not be assigned to SPs or users by ARIN.

> My question is about 172/12. Where is it, what is its supposed purpose.
> I'm almost sure it's an internal box. I just find it better to give a
> professional answer to "why can't I use this" than just "you can't use
> this and why is this address scanning you for udp/137 anyway".

As others have pointed out, if 172.0.0.0/12 or some subset of it doesn't exist in the global routing table, then the packets you saw are either coming from outside of your network - spoofed - or coming from somewhere inside your network.

> If someone can point out to me what was done with 172/12 I'd appreciate it.

I'm not aware of anything more detailed than what I've noted above or what other posters have contributed to this thread.
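The triage Justin describes above (is the source RFC 1918 / RFC 5735 space, is it something we route ourselves, is it in the global table at all) can be scripted so the answer to the customer is reproducible. The following is an added editor's example, not code from anyone in this thread. It assumes netfilter-style firewall log lines (constructed here), uses the AOL 172/8 blocks Jay Moran listed earlier in the thread as a stand-in for a route-server "sh ip bgp" lookup, and treats 10.20.0.0/16 as a placeholder for the customer's own inside prefixes.

```python
"""Classify the source address of dropped packets the way this thread does:
against RFC 1918 / RFC 5735 special-purpose space, against the customer's
own prefixes, and against a (constructed) copy of what is globally routed."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Special-purpose IPv4 ranges (subset of RFC 1918 and RFC 5735). A packet
# arriving on the outside interface with one of these as its source is a
# bogon regardless of what whois says about it.
SPECIAL_PURPOSE: Dict[str, str] = {
    "0.0.0.0/8": "this network (RFC 5735)",
    "10.0.0.0/8": "private (RFC 1918)",
    "127.0.0.0/8": "loopback (RFC 5735)",
    "169.254.0.0/16": "link-local (RFC 5735)",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.0.2.0/24": "TEST-NET-1 (RFC 5735)",
    "192.168.0.0/16": "private (RFC 1918)",
    "198.51.100.0/24": "TEST-NET-2 (RFC 5735)",
    "203.0.113.0/24": "TEST-NET-3 (RFC 5735)",
    "224.0.0.0/4": "multicast (RFC 5735)",
    "240.0.0.0/4": "reserved (RFC 5735)",
}

# Constructed stand-in for a "sh ip bgp" lookup on a route server. The entries
# are the AOL blocks Jay Moran listed earlier in this thread; a real check
# would query a route server or a full-table feed instead of a static list.
ROUTED: List[str] = [
    "172.128.0.0/10", "172.192.0.0/12", "172.208.0.0/13", "172.216.0.0/16",
]

# netfilter-style packet-drop line (constructed format for this example).
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s.*?PROTO=(?P<proto>\w+)\s.*?DPT=(?P<dpt>\d+)")


def longest_match(addr: str, table) -> Optional[str]:
    """Longest-prefix match of addr against an iterable of CIDR strings."""
    ip = ipaddress.ip_address(addr)
    best = None
    for cidr in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def classify(src: str, local_prefixes: List[str]) -> Tuple[str, str]:
    """Return (verdict, detail) for a packet's source address.

    Order matters: a source inside the customer's own (possibly RFC 1918)
    prefixes is reported as 'local' before it can be 'special', so a
    misconfigured host behind the same NAT box is flagged as such rather
    than as a bogon from the outside.
    """
    local = longest_match(src, local_prefixes)
    if local is not None:
        return "local", f"inside our own {local}; look for the host on the LAN"
    special = longest_match(src, SPECIAL_PURPOSE)
    if special is not None:
        return "special", f"{special} is {SPECIAL_PURPOSE[special]}; drop at the border"
    routed = longest_match(src, ROUTED)
    if routed is not None:
        return "routed", f"covered by {routed}; take it up with that prefix's holder"
    return "unrouted", "no covering prefix: spoofed, or a host inside the NAT"


def triage(log_lines: List[str], local_prefixes: List[str]) -> List[dict]:
    """Parse firewall log lines and attach a verdict to each source seen."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # not a packet-drop line in the expected format
        verdict, detail = classify(m["src"], local_prefixes)
        findings.append({
            "src": m["src"],
            "proto": m["proto"],
            "dpt": int(m["dpt"]),
            # udp/137 is NetBIOS name service; as Keith Medcalf notes above,
            # that is often a fat-fingered Windows box rather than a scan.
            "netbios_ns": m["proto"] == "UDP" and int(m["dpt"]) == 137,
            "verdict": verdict,
            "detail": detail,
        })
    return findings


# Constructed sample input: the 172.0.1.216 source from the thread plus three
# contrasting cases. The destination is TEST-NET-3, a documentation address.
SAMPLE_LOG = [
    "Jan 15 01:12:07 fw kernel: DROP IN=eth0 SRC=172.0.1.216 DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137",
    "Jan 15 01:12:09 fw kernel: DROP IN=eth0 SRC=172.16.4.9 DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137",
    "Jan 15 01:12:11 fw kernel: DROP IN=eth1 SRC=10.20.3.4 DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137",
    "Jan 15 01:12:15 fw kernel: DROP IN=eth0 SRC=172.130.7.7 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=22",
]
CUSTOMER_LAN = ["10.20.0.0/16"]  # placeholder for the customer's inside prefixes

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, CUSTOMER_LAN):
        print(f"{f['src']:<14} {f['proto']}/{f['dpt']:<5} {f['verdict']:<9} {f['detail']}")
```

Run stand-alone it prints one verdict per log line; 172.0.1.216 comes out "unrouted" because nothing in the routed or special tables covers 172.0.0.0/12, which is exactly the "spoofed or internal" conclusion the thread reaches. Swap the static ROUTED list for a route-server query and the local prefix list for the customer's real ones to use it for real.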
jms

From tayeb.meftah at gmail.com Sat Jan 14 11:59:03 2012
From: tayeb.meftah at gmail.com (Meftah Tayeb)
Date: Sat, 14 Jan 2012 19:59:03 +0200
Subject: enterprise 802.11
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID:

Ubiquity
or ubikity, maybe it is misspelled
Someone correct the spelling for him please
thank you

----- Original Message -----
From: "Ken King"
To:
Sent: Sunday, January 15, 2012 9:30 PM
Subject: enterprise 802.11

I need to choose a wireless solution for a new office.

up to 600 devices will connect. most devices are mac books and mobile phones.

we can see hundreds of access points in close proximity to our new office space.

what are the thoughts these days on the best enterprise solution/vendor?

Thanks for your replies.

Ken King

From rhys at rhavenindustrys.com Sun Jan 15 13:42:29 2012
From: rhys at rhavenindustrys.com (Rhys Rhaven)
Date: Sun, 15 Jan 2012 13:42:29 -0600
Subject: accessing multiple devices via a script
In-Reply-To: <007e01ccd3ba$ec07be50$c4173af0$@com>
References: <007e01ccd3ba$ec07be50$c4173af0$@com>
Message-ID: <4F132C25.3080608@rhavenindustrys.com>

Is "full disclosure" expected on NANOG, or is it just polite? Like mentioning that Chuck Reynolds is a salesman for QualiSystems, and not just another network operator passing on what they might think will help?

On 01/15/2012 01:21 PM, Chuck Reynolds wrote:
> Hi Abdullah - Have you seen the new Resource Manager product from
> QualiSystems? It has this capability built into it and out of the box to
> support large numbers of devices.
>
> Let me know off line where you are located and I can hook you up.
> > Regards, > > Chuck > > > -----Original Message----- > From: Abdullah Al-Malki [mailto:a.almalki1402 at gmail.com] > Sent: Sunday, January 15, 2012 12:53 PM > To: nanog at nanog.org > Subject: accessing multiple devices via a script > > Hi fellows, > I am supporting a big service provider and sometimes I face this problem. > Sometimes I want to access my customer network and want to extract some > verification output "show commands" from a large number of devices. > > What kind of scripting solutions you guys are using this case. > > Appreciate the feedback, > Abdullah > > From tony at lavanauts.org Sun Jan 15 13:47:19 2012 From: tony at lavanauts.org (Antonio Querubin) Date: Sun, 15 Jan 2012 09:47:19 -1000 (HST) Subject: Monday Night Footbal -- on Google? In-Reply-To: <20120115191456.GA25486@pob.ytti.fi> References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> <20120115191456.GA25486@pob.ytti.fi> Message-ID: On Sun, 15 Jan 2012, Saku Ytti wrote: > This is misguided, IPV6 does no magic to help scale multicast to Internet > scale compared to IPV4. Actually, IPv6 embedded RP improves scalability over IPv4 MSDP peering and ASM. -- Antonio Querubin e-mail: tony at lavanauts.org xmpp: antonioquerubin at gmail.com From sh.vahabzadeh at gmail.com Sun Jan 15 13:48:28 2012 From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh) Date: Sun, 15 Jan 2012 23:18:28 +0330 Subject: accessing multiple devices via a script In-Reply-To: <4F132C25.3080608@rhavenindustrys.com> References: <007e01ccd3ba$ec07be50$c4173af0$@com> <4F132C25.3080608@rhavenindustrys.com> Message-ID: Like Rhys Rhaven. On Sun, Jan 15, 2012 at 11:12 PM, Rhys Rhaven wrote: > Is "full disclosure" expected on NANOG, or is it just polite? Like > mentioning that Chuck Reynolds is a salesman for QualiSystems, and not > just another network operator passing on what they might think will help? 
> > On 01/15/2012 01:21 PM, Chuck Reynolds wrote:
> > Hi Abdullah - Have you seen the new Resource Manager product from
> > QualiSystems? It has this capability built into it and out of the box to
> > support large numbers of devices.
> >
> > Let me know off line where you are located and I can hook you up.
> >
> > Regards,
> >
> > Chuck
> >
> > -----Original Message-----
> > From: Abdullah Al-Malki [mailto:a.almalki1402 at gmail.com]
> > Sent: Sunday, January 15, 2012 12:53 PM
> > To: nanog at nanog.org
> > Subject: accessing multiple devices via a script
> >
> > Hi fellows,
> > I am supporting a big service provider and sometimes I face this problem.
> > Sometimes I want to access my customer network and want to extract some
> > verification output "show commands" from a large number of devices.
> >
> > What kind of scripting solutions you guys are using this case.
> >
> > Appreciate the feedback,
> > Abdullah
>

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From mike.lyon at gmail.com Sun Jan 15 13:53:40 2012
From: mike.lyon at gmail.com (Mike Lyon)
Date: Sun, 15 Jan 2012 11:53:40 -0800
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID: <-6994651995925716053@unknownmsgid>

Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty new in the marketspace and thus, working out the bugs. I use their other products exclusively for outdoor wireless.

However, in the offices I've done, I've used Cisco's WLC 4402 controller which supports 12 access points. They have controllers which support more APs as well.

Hit me up offlist if you have any questions.
-mike Sent from my iPhone On Jan 15, 2012, at 11:39, Meftah Tayeb wrote: > Ubiquity > or ubikity, maybe is misspelled > Someone correct the spelling for him please > thank you > ----- Original Message ----- From: "Ken King" > To: > Sent: Sunday, January 15, 2012 9:30 PM > Subject: enterprise 802.11 > > > I need to choose a wireless solution for a new office. > > up to 600 devices will connect. most devices are mac books and mobile phones. > > we can see hundreds of access points in close proximity to our new office space. > > what are the thoughts these days on the best enterprise solution/vendor? > > Thanks for your replies. > > > Ken King > > > > __________ Information from ESET NOD32 Antivirus, version of virus signature database 6793 (20120113) __________ > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > > From saku at ytti.fi Sun Jan 15 13:56:18 2012 From: saku at ytti.fi (Saku Ytti) Date: Sun, 15 Jan 2012 21:56:18 +0200 Subject: Monday Night Footbal -- on Google? In-Reply-To: References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> <20120115191456.GA25486@pob.ytti.fi> Message-ID: <20120115195618.GA25502@pob.ytti.fi> On (2012-01-15 09:47 -1000), Antonio Querubin wrote: > >This is misguided, IPV6 does no magic to help scale multicast to Internet > >scale compared to IPV4. > > Actually, IPv6 embedded RP improves scalability over IPv4 MSDP > peering and ASM. Unfortunately that does exactly nothing to help with Internet scale. Now scaling for your local environment embedded RP might be beneficial, but actual practical applications where you need ASM are very few.
-- ++ytti From eyeronic.design at gmail.com Sun Jan 15 13:57:01 2012 From: eyeronic.design at gmail.com (Mike Hale) Date: Sun, 15 Jan 2012 11:57:01 -0800 Subject: enterprise 802.11 In-Reply-To: <-6994651995925716053@unknownmsgid> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> Message-ID: Cisco's wireless solutions are pretty badass. The APs I've used are absolutely rock solid. Set up will take a bit of time, but once you're done, maintenance is minimal. On Jan 15, 2012 11:54 AM, "Mike Lyon" wrote: > Ubiquiti (www.ubnt.com) has their Unifi line of products. It's still > pretty new in the marketspace and thus still working out the bugs. I use > their other products exclusively for outdoor wireless. > > However, in the offices I've done, I've used Cisco's WLC 4402 controller > which supports 12 access points. They have controllers which support > more APs as well. > > Hit me up offlist if you have any questions. > > -mike > > Sent from my iPhone > > On Jan 15, 2012, at 11:39, Meftah Tayeb wrote: > > > Ubiquity > > or ubikity, maybe is misspelled > > Someone correct the spelling for him please > > thank you > > ----- Original Message ----- From: "Ken King" > > To: > > Sent: Sunday, January 15, 2012 9:30 PM > > Subject: enterprise 802.11 > > > > > > I need to choose a wireless solution for a new office. > > > > up to 600 devices will connect. most devices are mac books and mobile > phones. > > > > we can see hundreds of access points in close proximity to our new > office space. > > > > what are the thoughts these days on the best enterprise solution/vendor? > > > > Thanks for your replies. > > > > > > Ken King > > > > > >
From streiner at cluebyfour.org Sun Jan 15 10:14:38 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Sun, 15 Jan 2012 11:14:38 -0500 (EST) Subject: accessing multiple devices via a script In-Reply-To: <4F132C25.3080608@rhavenindustrys.com> References: <007e01ccd3ba$ec07be50$c4173af0$@com> <4F132C25.3080608@rhavenindustrys.com> Message-ID: On Sun, 15 Jan 2012, Rhys Rhaven wrote: > Is "full disclosure" expected on NANOG, or is it just polite? Like > mentioning that Chuck Reynolds is a salesman for QualiSystems, and not > just another network operator passing on what they might think will help? I think it's reasonable to expect that sales people identify themselves as such - including what vendor or re-seller they represent - on technical mailing lists. If sales solicitations are not permitted on the list, then it's also reasonable to expect that sales people respect that rule, same as everyone else on the list. jms From rhys at rhavenindustrys.com Sun Jan 15 14:13:11 2012 From: rhys at rhavenindustrys.com (Rhys Rhaven) Date: Sun, 15 Jan 2012 14:13:11 -0600 Subject: accessing multiple devices via a script In-Reply-To: References: <007e01ccd3ba$ec07be50$c4173af0$@com> <4F132C25.3080608@rhavenindustrys.com> Message-ID: <4F133357.60902@rhavenindustrys.com> Pseudonyms and declaring conflicts of interest are two separate things. On 01/15/2012 01:48 PM, Shahab Vahabzadeh wrote: > Like Rhys Rhaven. > > On Sun, Jan 15, 2012 at 11:12 PM, Rhys Rhaven > > wrote: > > Is "full disclosure" expected on NANOG, or is it just polite? Like > mentioning that Chuck Reynolds is a salesman for QualiSystems, and not > just another network operator passing on what they might think > will help?
> > On 01/15/2012 01:21 PM, Chuck Reynolds wrote: > > Hi Abdullah - Have you seen the new Resource Manager product from > > QualiSystems? It has this capability built into it and out of > the box to > > support large numbers of devices. > > > > Let me know off line where you are located and I can hook you up. > > > > Regards, > > > > Chuck > > > > > > -----Original Message----- > > From: Abdullah Al-Malki [mailto:a.almalki1402 at gmail.com > ] > > Sent: Sunday, January 15, 2012 12:53 PM > > To: nanog at nanog.org > > Subject: accessing multiple devices via a script > > > > Hi fellows, > > I am supporting a big service provider and sometimes I face this > problem. > > Sometimes I want to access my customer network and want to > extract some > > verification output "show commands" from a large number of devices. > > > > What kind of scripting solutions you guys are using this case. > > > > Appreciate the feedback, > > Abdullah > > > > > > > > > > -- > Regards, > Shahab Vahabzadeh, Network Engineer and System Administrator > > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90 > From nathan at atlasnetworks.us Sun Jan 15 14:52:49 2012 From: nathan at atlasnetworks.us (Nathan Eisenberg) Date: Sun, 15 Jan 2012 20:52:49 +0000 Subject: enterprise 802.11 In-Reply-To: <-6994651995925716053@unknownmsgid> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> Message-ID: <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us> Ubiquiti's Unifi products are decent, and have *MUCH* improved since their original release (amazing what you can do with better code!). In the original release, you had to have a management server running on the same L2 network as the Aps - they've moved the management to a L3 model so you can put the controller elsewhere. The big PITA with their system is that any change requires 'reprovisioning' the APs, which means rebooting all of them in sequence. 
They've added VLANs, multiple SSIDs/AP, wireless backhaul/chaining, guest portalling, and limiters to balance the # of clients / AP. In a noisy environment, I've found that they top out at around 30 devices / AP for good performance, and 50 devices / AP for 'working/not working'. In a clean environment, I've seen decent performance with 70 - 100 devices / AP. Of course, if one bad client comes along (with a card that doesn't back off its TX power, etc), it can wreak havoc with higher densities. You really can't argue with Unifi's price. If you move up the price scale, Meraki seems to be a good midrange solution, and they have some really sweet reporting functionality. They're more expensive, though. And then, yes, Cisco is the gold standard, but it will cost you some gold to get it. Nathan > -----Original Message----- > From: Mike Lyon [mailto:mike.lyon at gmail.com] > Sent: Sunday, January 15, 2012 11:54 AM > To: Meftah Tayeb > Cc: nanog at nanog.org > Subject: Re: enterprise 802.11 > > Ubiquiti (www.ubnt.com) has their Unifi line of products. It's still pretty new > in the marketspace and thus still working out the bugs. I use their other products > exclusively for outdoor wireless. > > However, in the offices I've done, I've used Cisco's WLC 4402 controller which > supports 12 access points. They have controllers which support more APs as > well. > > Hit me up offlist if you have any questions. > > -mike > > Sent from my iPhone > > On Jan 15, 2012, at 11:39, Meftah Tayeb wrote: > > > Ubiquity > > or ubikity, maybe is misspelled > > Someone correct the spelling for him please thank you > > ----- Original Message ----- From: "Ken King" > > To: > > Sent: Sunday, January 15, 2012 9:30 PM > > Subject: enterprise 802.11 > > > > > > I need to choose a wireless solution for a new office. > > > > up to 600 devices will connect. most devices are mac books and mobile > phones. > > > > we can see hundreds of access points in close proximity to our new office > space.
> > > > what are the thoughts these days on the best enterprise solution/vendor? > > > > Thanks for your replies. > > > > > > Ken King > > > > > From seth.mos at dds.nl Sun Jan 15 14:55:24 2012 From: seth.mos at dds.nl (Seth Mos) Date: Sun, 15 Jan 2012 21:55:24 +0100 Subject: enterprise 802.11 In-Reply-To: References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> Message-ID: Hi, We chose the 3Com, now H3C wx3012 controller and AP9552 access points. Initial issues were that BlackBerrys could not connect to the wifi; the support initially was mediocre. Do note that this was at the time that everything got sold to HP. And they did pick up the issue and came around with a fix in about a month's time. It's been working swell since then, I mean, the spelling errors in the UI I can live with. It's been stable so far. It was also by far the most reasonably priced. That counts for something. VLANs, RADIUS, captive portal etc. worked for me. UI is good enough to use and diagnose clients. Wireless coverage is ... well, it's wireless. Reliable wireless isn't. Unless it's 5 GHz, and stopped by 1 floor or wall. I digress. Regards, Seth On 15 Jan 2012, at 20:57, Mike Hale wrote: > Cisco's wireless solutions are pretty badass. The APs I've used are > absolutely rock solid. Set up will take a bit of time, but once you're > done, maintenance is minimal. > On Jan 15, 2012 11:54 AM, "Mike Lyon" wrote: > >> Ubiquiti (www.ubnt.com) has their Unifi line of products.
It's still >> pretty new in the marketspace and thus still working out the bugs. I use >> their other products exclusively for outdoor wireless. >> >> However, in the offices I've done, I've used Cisco's WLC 4402 controller >> which supports 12 access points. They have controllers which support >> more APs as well. >> >> Hit me up offlist if you have any questions. >> >> -mike >> >> Sent from my iPhone >> >> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote: >> >>> Ubiquity >>> or ubikity, maybe is misspelled >>> Someone correct the spelling for him please >>> thank you >>> ----- Original Message ----- From: "Ken King" >>> To: >>> Sent: Sunday, January 15, 2012 9:30 PM >>> Subject: enterprise 802.11 >>> >>> >>> I need to choose a wireless solution for a new office. >>> >>> up to 600 devices will connect. most devices are mac books and mobile >> phones. >>> >>> we can see hundreds of access points in close proximity to our new >> office space. >>> >>> what are the thoughts these days on the best enterprise solution/vendor? >>> >>> Thanks for your replies. >>> >>> >>> Ken King >>> >>> >>>
>> >> From leigh.porter at ukbroadband.com Sun Jan 15 15:02:41 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Sun, 15 Jan 2012 21:02:41 +0000 Subject: enterprise 802.11 In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID: <0F9F2509-8BEB-42F2-8D3D-FD1486894551@ukbroadband.com> I use Ruckus in town and city installs and despite rather a lot of other APs it performs very well. I don't have experience of them in high connected station density though. -- Leigh Porter On 15 Jan 2012, at 19:33, "Ken King" wrote: > I need to choose a wireless solution for a new office. > > up to 600 devices will connect. most devices are mac books and mobile phones. > > we can see hundreds of access points in close proximity to our new office space. > > what are the thoughts these days on the best enterprise solution/vendor? > > Thanks for your replies. > > > Ken King > > > > > > > ______________________________________________________________________ > This email has been scanned by the Symantec Email Security.cloud service. > For more information please visit http://www.symanteccloud.com > ______________________________________________________________________ From sh.vahabzadeh at gmail.com Sun Jan 15 15:26:02 2012 From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh) Date: Mon, 16 Jan 2012 00:56:02 +0330 Subject: OSS Systems In-Reply-To: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com> References: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com> Message-ID: Hi there again, I think Leigh is not available this week; does anybody else have an idea about such a system?
Which load balancer is good to use? LVS or a hardware one? Or RADIUS as a proxy? How must the database be placed? How do the RADIUS servers talk to the DB? And which RADIUS server do you suggest? Radiator? Thanks On Fri, Jan 6, 2012 at 1:45 AM, Leigh Porter wrote: > > > On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh" > wrote: > > > Hi there, > > Has anybody experience of running an OSS system at enterprise level? > > And do you have any idea about it? > > For example for an ISP who is running more than 20K or 30K users, there > > must be some good solutions to integrate all systems like: > > Radius, Billing Systems and CRM > > For example after searching and asking friends I have some ideas about > > Radius to use: radiator > > Is there anybody who has analysed such systems before in his ISP? Need > > sharing here :) > > Thanks > > We did this a few years ago and ended up writing the whole thing > ourselves. This included billing, subscriber management etc etc. > > We integrated with salesforce.com for the internal front end and the user > facing stuff we did ourselves. > > It was a big project and took a team of six about six months. But we ended > up with a perfect solution that did exactly what we needed and it was > pretty good. > > It handled within the order of users you mention, but we designed to 100k > users. > > We used radiator (highly recommended) with openldap back end. Multiple > load balanced servers etc etc. > > The worst thing we did was to build our own mail system. Not that it was > an issue, it never went wrong, but these days I'd just send people to gmail > or something. > > -- > Leigh Porter > >
> -- Regards, Shahab Vahabzadeh, Network Engineer and System Administrator PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90 From packetjockey at gmail.com Sun Jan 15 15:31:14 2012 From: packetjockey at gmail.com (Rafael Rodriguez) Date: Sun, 15 Jan 2012 16:31:14 -0500 Subject: enterprise 802.11 In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID: I'd recommend Aruba. Not a fan of the Cisco wifi controller gear. On Sun, Jan 15, 2012 at 2:30 PM, Ken King wrote: > I need to choose a wireless solution for a new office. > > up to 600 devices will connect. most devices are mac books and mobile > phones. > > we can see hundreds of access points in close proximity to our new office > space. > > what are the thoughts these days on the best enterprise solution/vendor? > > Thanks for your replies. > > > Ken King > > > > > > From network.ipdog at gmail.com Sun Jan 15 15:34:42 2012 From: network.ipdog at gmail.com (Network IP Dog) Date: Sun, 15 Jan 2012 13:34:42 -0800 Subject: enterprise 802.11 In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID: <4f13467f.c557320a.721a.ffff9f84@mx.google.com> Meraki... ;^) http://www.meraki.com/ Ephesians 4:32 & Cheers!!! -----Original Message----- From: Ken King [mailto:kking at yammer-inc.com] Sent: Sunday, January 15, 2012 11:31 AM To: nanog at nanog.org Subject: enterprise 802.11 I need to choose a wireless solution for a new office. up to 600 devices will connect. most devices are mac books and mobile phones. we can see hundreds of access points in close proximity to our new office space. what are the thoughts these days on the best enterprise solution/vendor? Thanks for your replies.
Ken King From tayeb.meftah at gmail.com Sat Jan 14 13:58:45 2012 From: tayeb.meftah at gmail.com (Meftah Tayeb) Date: Sat, 14 Jan 2012 21:58:45 +0200 Subject: enterprise 802.11 References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID: <1F1F6DCFA8A84E958CBFCEA9F7277801@work> Cisco made the controller only to buy it? Ubiquiti or Mikrotik. END! ----- Original Message ----- From: "Rafael Rodriguez" To: "Ken King" Cc: Sent: Sunday, January 15, 2012 11:31 PM Subject: Re: enterprise 802.11 > I'd recommend Aruba. Not a fan of the Cisco wifi controller gear. > > On Sun, Jan 15, 2012 at 2:30 PM, Ken King wrote: > >> I need to choose a wireless solution for a new office. >> >> up to 600 devices will connect. most devices are mac books and mobile >> phones. >> >> we can see hundreds of access points in close proximity to our new office >> space. >> >> what are the thoughts these days on the best enterprise solution/vendor? >> >> Thanks for your replies. >> >> >> Ken King >> >> >> >> >> >> > > From jared at puck.nether.net Sun Jan 15 15:40:03 2012 From: jared at puck.nether.net (Jared Mauch) Date: Sun, 15 Jan 2012 16:40:03 -0500 Subject: Monday Night Footbal -- on Google?
In-Reply-To: <20120115195618.GA25502@pob.ytti.fi> References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> <20120115191456.GA25486@pob.ytti.fi> <20120115195618.GA25502@pob.ytti.fi> Message-ID: <3A75F85F-AE00-499E-9052-0005F506ADA6@puck.nether.net> On Jan 15, 2012, at 2:56 PM, Saku Ytti wrote: > Unfortunately that does exactly nothing to help with Internet scale. > > Now scaling for your local environment embedded RP might be beneficial, but > actual practical applications where you need ASM are very few. > Most vendors took out hardware multicast support and do it via recirculation these days. I'm more interested in other topics, this would likely be served by a CDN, and I'm curious if any CDNs have started placing gear behind CGN/LSN. I've also noticed some hotels and other 'guest net' folks capturing 4.2.2.1 and comparable open recursive name servers in-house. Two weeks ago I could ping 4.2.2.1 and get responses when TTL was set to 1 on my outgoing packets. - Jared From sh.vahabzadeh at gmail.com Sun Jan 15 15:41:40 2012 From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh) Date: Mon, 16 Jan 2012 01:11:40 +0330 Subject: enterprise 802.11 In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID: Anybody tried the "Proxim ORiNOCO AP-8000"? I have them in two airports and they really suck ;) On Sun, Jan 15, 2012 at 11:00 PM, Ken King wrote: > I need to choose a wireless solution for a new office. > > up to 600 devices will connect. most devices are mac books and mobile > phones. > > we can see hundreds of access points in close proximity to our new office > space. > > what are the thoughts these days on the best enterprise solution/vendor? > > Thanks for your replies.
> > > Ken King > > > > > > -- Regards, Shahab Vahabzadeh, Network Engineer and System Administrator PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90 From joe at riversidecg.com Sun Jan 15 15:44:06 2012 From: joe at riversidecg.com (Joe Johnson) Date: Sun, 15 Jan 2012 15:44:06 -0600 Subject: enterprise 802.11 In-Reply-To: <4f13467f.c557320a.721a.ffff9f84@mx.google.com> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <4f13467f.c557320a.721a.ffff9f84@mx.google.com> Message-ID: > Meraki... ;^) Seconded! Joe Johnson Chief Information Officer Riverside Consulting Group, Ltd. Innovative Technology Solutions 365 Addison Road Riverside, Illinois 60546 Phone: 708.442.6033 x3456 Fax: 708.443.4496 joe at riversidecg.com www.riversidecg.com From cb.list6 at gmail.com Sun Jan 15 15:51:18 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Sun, 15 Jan 2012 13:51:18 -0800 Subject: Monday Night Footbal -- on Google? In-Reply-To: <3A75F85F-AE00-499E-9052-0005F506ADA6@puck.nether.net> References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> <20120115191456.GA25486@pob.ytti.fi> <20120115195618.GA25502@pob.ytti.fi> <3A75F85F-AE00-499E-9052-0005F506ADA6@puck.nether.net> Message-ID: On Jan 15, 2012 1:40 PM, "Jared Mauch" wrote: > > > On Jan 15, 2012, at 2:56 PM, Saku Ytti wrote: > > > Unfortunately that does exactly nothing to help with Internet scale. > > > > Now scaling for your local environment embedded RP might be beneficial, but > > actual practical applications where you need ASM are very few. > > > > Most vendors took out hardware multicast support and do it via recirculation > these days. > > I'm more interested in other topics, this would likely be served by a CDN, > and I'm curious if any CDNs have started placing gear behind CGN/LSN. > CDNs have shown hesitation to receiving traffic from non-unique ipv4 space despite the obvious benefits of CGN bypass. 
Cb > I've also noticed some hotels and other 'guest net' folks capturing 4.2.2.1 > and comparable open recursive name servers in-house. Two weeks ago I could ping > 4.2.2.1 and get responses when TTL was set to 1 on my outgoing packets. > > - Jared From netfortius at gmail.com Sun Jan 15 16:05:41 2012 From: netfortius at gmail.com (Stefan) Date: Sun, 15 Jan 2012 16:05:41 -0600 Subject: enterprise 802.11 In-Reply-To: References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID: +1 f/Aruba ... and check out the BlackHat conferences, also. On Jan 15, 2012 3:31 PM, "Rafael Rodriguez" wrote: > I'd recommend Aruba. Not a fan of the Cisco wifi controller gear. > > On Sun, Jan 15, 2012 at 2:30 PM, Ken King wrote: > > > I need to choose a wireless solution for a new office. > > > > up to 600 devices will connect. most devices are mac books and mobile > > phones. > > > > we can see hundreds of access points in close proximity to our new office > > space. > > > > what are the thoughts these days on the best enterprise solution/vendor? > > > > Thanks for your replies. > > > > > > Ken King > > > > > > > > > > > > > From brent at brentrjones.com Sun Jan 15 15:09:13 2012 From: brent at brentrjones.com (Brent Jones) Date: Sun, 15 Jan 2012 13:09:13 -0800 Subject: enterprise 802.11 In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID: On Sun, Jan 15, 2012 at 11:30 AM, Ken King wrote: > I need to choose a wireless solution for a new office. > > up to 600 devices will connect. most devices are mac books and mobile > phones. > > we can see hundreds of access points in close proximity to our new office > space. > > what are the thoughts these days on the best enterprise solution/vendor? > > Thanks for your replies. > > > Ken King > > I have had great success with Ruckus Wireless gear, specifically their 7962 access points. 
Our offices are pretty noisy radio environments, typically over 70 access points show up on scans, mostly in the 2.4 range though. We use WPA2 with 802.1X for auth, plus a guest zone managed by the Ruckus wireless controller; works smooth, haven't had any problems so far. Part of my decision was based on a Tom's Hardware review of access points: http://www.tomshardware.com/reviews/beamforming-wifi-ruckus,2390.html http://www.tomshardware.com/reviews/wi-fi-performance,2985.html Brent Jones From scott at virtuaprise.com Sun Jan 15 17:26:26 2012 From: scott at virtuaprise.com (Scott Bethke) Date: Sun, 15 Jan 2012 18:26:26 -0500 Subject: enterprise 802.11 In-Reply-To: References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <4f13467f.c557320a.721a.ffff9f84@mx.google.com> Message-ID: <718EA5C8-C0ED-45DC-87B5-CD972100CD92@virtuaprise.com> On Jan 15, 2012, at 4:44 PM, Joe Johnson wrote: >> Meraki... ;^) > > Seconded! > I'd like to stick my neck out for Meraki also.. They rock. -Scott From os10rules at gmail.com Sun Jan 15 17:36:26 2012 From: os10rules at gmail.com (Greg Ihnen) Date: Sun, 15 Jan 2012 19:06:26 -0430 Subject: enterprise 802.11 In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us> Message-ID: Since we're already top-posting? I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of whose brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter are an issue. To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax.
Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE. Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP. You should stagger your 2.4 GHz APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP. 5.8 GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby. Stay away from "mesh" solutions and WDS where one AP repeats another; that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet. Greg On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote: > Ubiquiti's Unifi products are decent, and have *MUCH* improved since their original release (amazing what you can do with better code!). In the original release, you had to have a management server running on the same L2 network as the APs - they've moved the management to an L3 model so you can put the controller elsewhere. The big PITA with their system is that any change requires 'reprovisioning' the APs, which means rebooting all of them in sequence. They've added VLANs, multiple SSIDs/AP, wireless backhaul/chaining, guest portalling, and limiters to balance the # of clients / AP. > > In a noisy environment, I've found that they top out at around 30 devices / AP for good performance, and 50 devices / AP for 'working/not working'. In a clean environment, I've seen decent performance with 70 - 100 devices / AP. Of course, if one bad client comes along (with a card that doesn't back off its TX power, etc), it can wreak havoc with higher densities. You really can't argue with Unifi's price.
> > If you move up the price scale, Meraki seems to be a good midrange solution, and they have some really sweet reporting functionality. They're more expensive, though. > > And then, yes, Cisco is the gold standard, but it will cost you some gold to get it. > > Nathan > >> -----Original Message----- >> From: Mike Lyon [mailto:mike.lyon at gmail.com] >> Sent: Sunday, January 15, 2012 11:54 AM >> To: Meftah Tayeb >> Cc: nanog at nanog.org >> Subject: Re: enterprise 802.11 >> >> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty new >> in the marketspace and this, working out the bugs. I use their other products >> exclusively for outdoor wireless. >> >> However, in the offices ive done, ive used Cisco's WLC 4402 controller which >> supports 12 access points. They have controllers which support more APs as >> well. >> >> Hit me up offlist if you have any quesrions. >> >> -mike >> >> Sent from my iPhone >> >> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote: >> >>> Ubiquity >>> or ubikity, maybe is miss spelled >>> Someone correct the spelling for him please thank you >>> ----- Original Message ----- From: "Ken King" >>> To: >>> Sent: Sunday, January 15, 2012 9:30 PM >>> Subject: enterprise 802.11 >>> >>> >>> I need to choose a wireless solution for a new office. >>> >>> up to 600 devices will connect. most devices are mac books and mobile >> phones. >>> >>> we can see hundreds of access points in close proximity to our new office >> space. >>> >>> what are the thoughts these days on the best enterprise solution/vendor? >>> >>> Thanks for your replies. >>> >>> >>> Ken King >>> >>> >>> >>> >>> >>> >>> >>> __________ Information from ESET NOD32 Antivirus, version of virus >> signature database 6793 (20120113) __________ >>> >>> The message was checked by ESET NOD32 Antivirus. 
>>>
>>> http://www.eset.com
>>>

From khatfield at socllc.net Sun Jan 15 17:40:11 2012
From: khatfield at socllc.net (khatfield at socllc.net)
Date: Sun, 15 Jan 2012 18:40:11 -0500 (EST)
Subject: OSS Systems
In-Reply-To:
References: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com>
Message-ID: <1326670811.98616415@apps.rackspace.com>

My personal opinion has been that we have seen great success in large environments with FreeRadius, using radrelay for MySQL synchronization and then an OpenLDAP backend. We used FreeBSD/CARP and/or FreeVRRPd for failover, but this can be accomplished by other methods. FreeRadius has a built-in CLUSTERIP module which allows clustering/load-balancing/failover, or you could anycast the systems for redundancy.

As for load balancing other Radius servers which may not have it built in - I would say a hardware solution is usually great because you get support, etc. However, if you don't need the support then there are a ton of options available. You could go as far as load balancing it with LVS (which I personally do not like but MANY do :)) or software load balancers like pen/pound/haproxy.

Best of luck!

-----Original Message-----
From: "Shahab Vahabzadeh"
Sent: Sunday, January 15, 2012 4:26pm
To: "Leigh Porter"
Cc: "nanog at nanog.org"
Subject: Re: OSS Systems

Hi there again,
I think Leigh is not available this week; does anybody else have an idea about such a system? Which load balancer is good to use? LVS or a hardware one? Or radius as a proxy? How must the database be placed? How do the radius servers talk to the DB? And which radius server do you suggest? Radiator?
Thanks

On Fri, Jan 6, 2012 at 1:45 AM, Leigh Porter wrote:

>
> On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh" wrote:
>
>> Hi there,
>> Has anybody experience of running an OSS system at enterprise level?
>> And do you have any idea about it?
>> For example for an ISP who is running more than 20K or 30K users, there
>> must be some good solutions to integrate all systems like:
>> Radius, Billing Systems and CRM
>> For example after searching and asking friends I have some ideas about
>> Radius to use: radiator
>> Is there anybody who has analysed such systems before in his ISP? Need
>> sharing here :)
>> Thanks
>
> We did this a few years ago and ended up writing the whole thing ourselves. This included billing, subscriber management etc etc.
>
> We integrated with salesforce.com for the internal front end and the user facing stuff we did ourselves.
>
> It was a big project and took a team of six about six months. But we ended up with a perfect solution that did exactly what we needed and it was pretty good.
>
> It handled within the order of users you mention, but we designed to 100k users.
>
> We used radiator (highly recommended) with openldap back end. Multiple load balanced servers etc etc.
>
> The worst thing we did was to build our own mail system. Not that it was an issue, it never went wrong, but these days I'd just send people to gmail or something.
>
> --
> Leigh Porter
>
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From mike.lyon at gmail.com Sun Jan 15 17:42:51 2012
From: mike.lyon at gmail.com (Mike Lyon)
Date: Sun, 15 Jan 2012 15:42:51 -0800
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us>
Message-ID: <-7665060707062421807@unknownmsgid>

Another one which looks promising for high-density locations is Xirrus (www.xirrus.com). Haven't ever used them though.

-mike

Sent from my iPhone

On Jan 15, 2012, at 15:36, Greg Ihnen wrote:

> Since we're already top-posting?
>
> I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of whose brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter is an issue.
>
> To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE.
>
> Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP.
> You should stagger your 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP. 5.8GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby.
>
> Stay away from "mesh" solutions and WDS where one AP repeats another; that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet.
>
> Greg
>
> On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote:
>
>> Ubiquiti's Unifi products are decent, and have *MUCH* improved since their original release (amazing what you can do with better code!). In the original release, you had to have a management server running on the same L2 network as the APs - they've moved the management to an L3 model so you can put the controller elsewhere. The big PITA with their system is that any change requires 'reprovisioning' the APs, which means rebooting all of them in sequence. They've added VLANs, multiple SSIDs/AP, wireless backhaul/chaining, guest portalling, and limiters to balance the # of clients / AP.
>>
>> In a noisy environment, I've found that they top out at around 30 devices / AP for good performance, and 50 devices / AP for 'working/not working'. In a clean environment, I've seen decent performance with 70 - 100 devices / AP. Of course, if one bad client comes along (with a card that doesn't back off its TX power, etc), it can wreak havoc with higher densities. You really can't argue with Unifi's price.
>>
>> If you move up the price scale, Meraki seems to be a good midrange solution, and they have some really sweet reporting functionality. They're more expensive, though.
>>
>> And then, yes, Cisco is the gold standard, but it will cost you some gold to get it.
>>
>> Nathan
>>
>>> -----Original Message-----
>>> From: Mike Lyon [mailto:mike.lyon at gmail.com]
>>> Sent: Sunday, January 15, 2012 11:54 AM
>>> To: Meftah Tayeb
>>> Cc: nanog at nanog.org
>>> Subject: Re: enterprise 802.11
>>>
>>> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty new in the marketspace and thus, working out the bugs. I use their other products exclusively for outdoor wireless.
>>>
>>> However, in the offices I've done, I've used Cisco's WLC 4402 controller which supports 12 access points. They have controllers which support more APs as well.
>>>
>>> Hit me up offlist if you have any questions.
>>>
>>> -mike
>>>
>>> Sent from my iPhone
>>>
>>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:
>>>
>>>> Ubiquity
>>>> or ubikity, maybe is misspelled
>>>> Someone correct the spelling for him please, thank you
>>>> ----- Original Message ----- From: "Ken King"
>>>> To:
>>>> Sent: Sunday, January 15, 2012 9:30 PM
>>>> Subject: enterprise 802.11
>>>>
>>>> I need to choose a wireless solution for a new office.
>>>>
>>>> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>>>>
>>>> we can see hundreds of access points in close proximity to our new office space.
>>>>
>>>> what are the thoughts these days on the best enterprise solution/vendor?
>>>>
>>>> Thanks for your replies.
>>>>
>>>> Ken King
From jmkeller at houseofzen.org Sun Jan 15 18:12:07 2012
From: jmkeller at houseofzen.org (James Michael Keller)
Date: Sun, 15 Jan 2012 19:12:07 -0500
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID: <4F136B57.9080207@houseofzen.org>

On 01/15/2012 12:52 PM, Abdullah Al-Malki wrote:
> Hi fellows,
> I am supporting a big service provider and sometimes I face this problem.
> Sometimes I want to access my customer network and want to extract some
> verification output "show commands" from a large number of devices.
>
> What kind of scripting solutions are you guys using in this case?
>
> Appreciate the feedback,
> Abdullah
>

clogin, which is part of the RANCID suite. I've even done wrapper front ends that give operations device lists and configlets they can push with it. Or you can feed it command line options for one-off pushes, etc.

--
-James

From sgtcasey at gmail.com Sun Jan 15 18:50:22 2012
From: sgtcasey at gmail.com (David Casey)
Date: Sun, 15 Jan 2012 17:50:22 -0700
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid>
Message-ID:

I like Cisco's WLCs as well. Where I am working we have a few hundred APs at one of our sites with WLCs running the show. The 5500 controllers with CleanAir APs are awesome.

Dave

Sent from my iPad

On Jan 15, 2012, at 12:57, Mike Hale wrote:

> Cisco's wireless solutions are pretty badass. The APs I've used are absolutely rock solid. Set up will take a bit of time, but once you're done, maintenance is minimal.
> On Jan 15, 2012 11:54 AM, "Mike Lyon" wrote:
>
>> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty new in the marketspace and thus, working out the bugs. I use their other products exclusively for outdoor wireless.
>>
>> However, in the offices I've done, I've used Cisco's WLC 4402 controller which supports 12 access points. They have controllers which support more APs as well.
>>
>> Hit me up offlist if you have any questions.
>>
>> -mike
>>
>> Sent from my iPhone
>>
>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:
>>
>>> Ubiquity
>>> or ubikity, maybe is misspelled
>>> Someone correct the spelling for him please
>>> thank you
>>> ----- Original Message ----- From: "Ken King"
>>> To:
>>> Sent: Sunday, January 15, 2012 9:30 PM
>>> Subject: enterprise 802.11
>>>
>>> I need to choose a wireless solution for a new office.
>>>
>>> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>>>
>>> we can see hundreds of access points in close proximity to our new office space.
>>>
>>> what are the thoughts these days on the best enterprise solution/vendor?
>>>
>>> Thanks for your replies.
>>>
>>> Ken King

From jof at thejof.com Sun Jan 15 19:05:57 2012
From: jof at thejof.com (Jonathan Lassoff)
Date: Sun, 15 Jan 2012 17:05:57 -0800
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us>
Message-ID:

On Sun, Jan 15, 2012 at 3:36 PM, Greg Ihnen wrote:
> Since we're already top-posting?
>
> I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of whose brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter is an issue.
>
> To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE.
>
> Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP. You should stagger your 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP. 5.8GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby.
>
> Stay away from "mesh" solutions and WDS where one AP repeats another; that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet.

After working in some WISP-like and access environments, I can corroborate that this is pretty much true. It becomes worse the lower the SNR is and the more that clients are spread out. It just makes the 'hidden node' problem worse.

Making APs as low power and "local" as possible is good advice. Where possible, feed everything with hardlines back to your Ethernet switching environment.
If client roaming and client-client traffic is important, using a central controller that can tunnel 802.11 frames over whatever wired L2 network you like is a good win. It means that clients can associate and/or authenticate to one AP and roam from place to place while keeping the same session to the controller.

As far as vendor gear goes, if roaming and client-client stuff isn't as important, Ubiquiti UniFi is great stuff for the price. Next rung up in my book would be Meraki, followed by Cisco or Aruba.

Good luck!

Cheers,
jof

From blake at pfankuch.me Sun Jan 15 19:39:23 2012
From: blake at pfankuch.me (Blake T. Pfankuch)
Date: Mon, 16 Jan 2012 01:39:23 +0000
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID:

I have been using PLINK (PuTTY's lesser known sibling) scripts for some of our smaller customers to execute information gathering before a project in case of "excellent" documentation. I can usually whip up a script in a few minutes to get sh ru, sh ver and sh diag from 20 devices. Also been using it for a couple of small customers for config backup from webservers, switches, routers, firewalls and anything else with a telnet/ssh login.

Blake

-----Original Message-----
From: Abdullah Al-Malki [mailto:a.almalki1402 at gmail.com]
Sent: Sunday, January 15, 2012 10:53 AM
To: nanog at nanog.org
Subject: accessing multiple devices via a script

Hi fellows,
I am supporting a big service provider and sometimes I face this problem.
Sometimes I want to access my customer network and want to extract some verification output "show commands" from a large number of devices.

What kind of scripting solutions are you guys using in this case?
Appreciate the feedback,
Abdullah

From dale.shaw+nanog at gmail.com Sun Jan 15 20:02:18 2012
From: dale.shaw+nanog at gmail.com (Dale Shaw)
Date: Mon, 16 Jan 2012 13:02:18 +1100
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID:

Hi Abdullah,

On Mon, Jan 16, 2012 at 4:52 AM, Abdullah Al-Malki wrote:
> I am supporting a big service provider and sometimes I face this problem.
> Sometimes I want to access my customer network and want to extract some
> verification output "show commands" from a large number of devices.
>
> What kind of scripting solutions are you guys using in this case?

Have a look at Notch: http://code.google.com/p/notch/

Other people have already mentioned RANCID, which I agree is a very handy set of tools and is worth investigating also.

Cheers,
Dale

From packetjockey at gmail.com Sun Jan 15 20:05:12 2012
From: packetjockey at gmail.com (Rafael Rodriguez)
Date: Sun, 15 Jan 2012 21:05:12 -0500
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID:

If you're looking for something interactive, check out Mr. CLI.

Sent from my iPhone

On Jan 15, 2012, at 12:52, Abdullah Al-Malki wrote:
> Hi fellows,
> I am supporting a big service provider and sometimes I face this problem.
> Sometimes I want to access my customer network and want to extract some
> verification output "show commands" from a large number of devices.
>
> What kind of scripting solutions are you guys using in this case?
>
> Appreciate the feedback,
> Abdullah

From jkrejci at usinternet.com Sun Jan 15 20:09:22 2012
From: jkrejci at usinternet.com (Justin Krejci)
Date: Mon, 16 Jan 2012 02:09:22 +0000
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us>
Message-ID: <905504983-1326679762-cardhu_decombobulator_blackberry.rim.net-779541151-@b1.c4.bise6.blackberry>

No one has mentioned Belair yet? Serves the Minneapolis network pretty well.

http://www.belairnetworks.com/

-----Original Message-----
From: Greg Ihnen
Date: Sun, 15 Jan 2012 19:06:26
To: Nathan Eisenberg
Cc: nanog at nanog.org
Subject: Re: enterprise 802.11

Since we're already top-posting?

I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of whose brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter is an issue.

To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE.

Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP. You should stagger your 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP.
5.8GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby.

Stay away from "mesh" solutions and WDS where one AP repeats another; that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet.

Greg

On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote:

> Ubiquiti's Unifi products are decent, and have *MUCH* improved since their original release (amazing what you can do with better code!). In the original release, you had to have a management server running on the same L2 network as the APs - they've moved the management to an L3 model so you can put the controller elsewhere. The big PITA with their system is that any change requires 'reprovisioning' the APs, which means rebooting all of them in sequence. They've added VLANs, multiple SSIDs/AP, wireless backhaul/chaining, guest portalling, and limiters to balance the # of clients / AP.
>
> In a noisy environment, I've found that they top out at around 30 devices / AP for good performance, and 50 devices / AP for 'working/not working'. In a clean environment, I've seen decent performance with 70 - 100 devices / AP. Of course, if one bad client comes along (with a card that doesn't back off its TX power, etc), it can wreak havoc with higher densities. You really can't argue with Unifi's price.
>
> If you move up the price scale, Meraki seems to be a good midrange solution, and they have some really sweet reporting functionality. They're more expensive, though.
>
> And then, yes, Cisco is the gold standard, but it will cost you some gold to get it.
>
> Nathan
>
>> -----Original Message-----
>> From: Mike Lyon [mailto:mike.lyon at gmail.com]
>> Sent: Sunday, January 15, 2012 11:54 AM
>> To: Meftah Tayeb
>> Cc: nanog at nanog.org
>> Subject: Re: enterprise 802.11
>>
>> Ubiquity (www.ubnt.com) has their Unifi line of products.
>> It's still pretty new in the marketspace and thus, working out the bugs. I use their other products exclusively for outdoor wireless.
>>
>> However, in the offices I've done, I've used Cisco's WLC 4402 controller which supports 12 access points. They have controllers which support more APs as well.
>>
>> Hit me up offlist if you have any questions.
>>
>> -mike
>>
>> Sent from my iPhone
>>
>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:
>>
>>> Ubiquity
>>> or ubikity, maybe is misspelled
>>> Someone correct the spelling for him please, thank you
>>> ----- Original Message ----- From: "Ken King"
>>> To:
>>> Sent: Sunday, January 15, 2012 9:30 PM
>>> Subject: enterprise 802.11
>>>
>>> I need to choose a wireless solution for a new office.
>>>
>>> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>>>
>>> we can see hundreds of access points in close proximity to our new office space.
>>>
>>> what are the thoughts these days on the best enterprise solution/vendor?
>>>
>>> Thanks for your replies.
>>>
>>> Ken King

From r.engehausen at gmail.com Sun Jan 15 23:26:28 2012
From: r.engehausen at gmail.com (Roy)
Date: Sun, 15 Jan 2012 21:26:28 -0800
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID: <4F13B504.2090504@gmail.com>

On 1/15/2012 11:30 AM, Ken King wrote:
> I need to choose a wireless solution for a new office.
>
> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>
> we can see hundreds of access points in close proximity to our new office space.
>
> what are the thoughts these days on the best enterprise solution/vendor?
>
> Thanks for your replies.
>
> Ken King
>

How about Unifi? http://www.ubnt.com/unifi

From nathan at atlasnetworks.us Sun Jan 15 23:38:24 2012
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Mon, 16 Jan 2012 05:38:24 +0000
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us>
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B67383F@ex-mb-1.corp.atlasnetworks.us>

> Making APs as low power and "local" as possible is good advice

^ Ignoring this advice is one of the biggest mistakes people make. They think "Oh, I'll just drown out the noise", but the problem is almost never how well the clients can see the AP - it's the AP seeing the clients. It's hard to hear anyone talking when you're shouting! ;) Low power, high AP density, and small channel widths are the way to go. The smaller channels keep theoretical bandwidth lower, but you end up with higher throughput in the end.

One other thing specific to the Unifis - they are meant to be ceiling or wall mounted. They transmit and receive in a cone. They *DO NOT* work well if you set them on a table pointed at the ceiling. I've already seen a half dozen deployments of them done this way, just slapped on tables, and it *does not work*. In one case, moving them from the tables to the walls resulted in a 20x performance increase.
Nathan

From eugen at imacandi.net Sun Jan 15 23:49:48 2012
From: eugen at imacandi.net (Eugeniu Patrascu)
Date: Mon, 16 Jan 2012 07:49:48 +0200
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID:

On Sun, Jan 15, 2012 at 21:30, Ken King wrote:
> I need to choose a wireless solution for a new office.
>
> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>
> we can see hundreds of access points in close proximity to our new office space.
>
> what are the thoughts these days on the best enterprise solution/vendor?
>

You may want to look at Ruckus Wireless. They are extremely easy to set up and they just work.

Eugeniu

From ryan.g at atwgpc.net Mon Jan 16 00:46:51 2012
From: ryan.g at atwgpc.net (Ryan Gelobter)
Date: Mon, 16 Jan 2012 00:46:51 -0600
Subject: Monday Night Footbal -- on Google?
In-Reply-To:
References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> <20120115191456.GA25486@pob.ytti.fi> <20120115195618.GA25502@pob.ytti.fi> <3A75F85F-AE00-499E-9052-0005F506ADA6@puck.nether.net>
Message-ID:

It will be at least 9-10 years before Google could bid. I think the TV networks get a chance to renew before anyone else can even bid. Unless the NFL decides to do something with the NFL Network games they are likely SOL.

ESPN renewed their MNF contract through 2021.
http://www.nytimes.com/2011/09/09/sports/football/espn-extends-deal-with-nfl-for-15-billion.html

CBS, FOX, and NBC have renewed their contracts through 2022.
http://www.engadget.com/2011/12/19/nfl-renews-tv-deals-with-cbs-fox-nbc-for-nine-more-years-mone/

From ops.lists at gmail.com Mon Jan 16 03:16:20 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 16 Jan 2012 14:46:20 +0530
Subject: Paging Occaid - can someone please contact me
Message-ID:

I have a (grandfathered) free v6 tunnel from y'all and it went away today.

The endpoint isn't pingable, and email to occaid (@) cnacs.occaid.org and haesu (@) towardex.com both bounce.

thanks
--srs

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From m.hotze at hotze.com Mon Jan 16 06:47:14 2012
From: m.hotze at hotze.com (Martin Hotze)
Date: Mon, 16 Jan 2012 12:47:14 +0000
Subject: enterprise 802.11
Message-ID: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA365F9@SBSSRV.hotze.local>

Hi,

the wireless itself is not the big problem, most of your devices (Mac) will be the problem (BTDTGNS). And my wild guess is that mobile phones will also be mostly iPhones, plus some iPads.

ZyXEL has good WLAN controllers, as does LANCOM. Both have very good products for the money. No need - IMHO - to look into $isco.

As for the iOS problem, read on here:
http://www.net.princeton.edu/apple-ios/ios41-allows-lease-to-expire-keeps-using-IP-address.html

#m

> -----Original Message-----
> Date: Sun, 15 Jan 2012 11:30:46 -0800
> From: Ken King
> To: nanog at nanog.org
> Subject: enterprise 802.11
> Message-ID: <36170983-EAA1-4BDD-B0AF-5B045FD53321 at yammer-inc.com>
> Content-Type: text/plain; charset=us-ascii
>
> I need to choose a wireless solution for a new office.
>
> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>
> we can see hundreds of access points in close proximity to our new office space.
>
> what are the thoughts these days on the best enterprise solution/vendor?
>
> Thanks for your replies.
>
> Ken King
>

From me at anuragbhatia.com Mon Jan 16 07:04:54 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Mon, 16 Jan 2012 18:34:54 +0530
Subject: Paging Occaid - can someone please contact me
In-Reply-To:
References:
Message-ID:

I would suggest using Tunnel Broker for a v6 tunnel. It performs pretty well and quite a large number of end points are available.

http://tunnelbroker.com

On Mon, Jan 16, 2012 at 2:46 PM, Suresh Ramasubramanian wrote:
> I have a (grandfathered) free v6 tunnel from y'all and it went away today.
>
> The endpoint isn't pingable, and email to occaid (@) cnacs.occaid.org
> and haesu (@) towardex.com both bounce.
>
> thanks
> --srs
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)
>

--
Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!

Twitter: @anurag_bhatia

From ops.lists at gmail.com Mon Jan 16 07:37:00 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 16 Jan 2012 19:07:00 +0530
Subject: Paging Occaid - can someone please contact me
In-Reply-To:
References:
Message-ID:

On Mon, Jan 16, 2012 at 2:46 PM, Suresh Ramasubramanian wrote:
> I have a (grandfathered) free v6 tunnel from y'all and it went away today.

Fixed. Thanks for the response

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From me at anuragbhatia.com Mon Jan 16 09:44:22 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Mon, 16 Jan 2012 21:14:22 +0530
Subject: enterprise 802.11
In-Reply-To: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA365F9@SBSSRV.hotze.local>
References: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA365F9@SBSSRV.hotze.local>
Message-ID:

Hi

I personally feel that more than devices, what matters is topology in deployment. I have used Cisco APs and they are pretty much fine. Ubnt - true, used a lot more for outside wifi deployment, especially for point to point (and multipoint) links.

You need to do a bit of site survey to get an idea of how many APs you really need.
Remember it's open spectrum and, running different bands from adjacent APs, you get really high capacity. With more APs you can eventually re-use a lot of spectrum, running them at low power to an extent that it doesn't affect coverage.

Hope that will help.

On Mon, Jan 16, 2012 at 6:17 PM, Martin Hotze wrote:

> Hi,
>
> the wireless itself is not the big problem, most of your devices (Mac) will be the problem (BTDTGNS). And my wild guess is that mobile phones will also be mostly iPhones, plus some iPads.
>
> ZyXEL has good WLAN controllers, as does LANCOM. Both have very good products for the money. No need - IMHO - to look into $isco.
>
> As for the iOS problem, read on here:
>
> http://www.net.princeton.edu/apple-ios/ios41-allows-lease-to-expire-keeps-using-IP-address.html
>
> #m
>
>> -----Original Message-----
>> Date: Sun, 15 Jan 2012 11:30:46 -0800
>> From: Ken King
>> To: nanog at nanog.org
>> Subject: enterprise 802.11
>> Message-ID: <36170983-EAA1-4BDD-B0AF-5B045FD53321 at yammer-inc.com>
>> Content-Type: text/plain; charset=us-ascii
>>
>> I need to choose a wireless solution for a new office.
>>
>> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>>
>> we can see hundreds of access points in close proximity to our new office space.
>>
>> what are the thoughts these days on the best enterprise solution/vendor?
>>
>> Thanks for your replies.
>>
>> Ken King
>

--
Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!
Twitter: @anurag_bhatia

From m.hotze at hotze.com Mon Jan 16 09:49:20 2012 From: m.hotze at hotze.com (Martin Hotze) Date: Mon, 16 Jan 2012 15:49:20 +0000 Subject: enterprise 802.11 In-Reply-To: References: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA365F9@SBSSRV.hotze.local> Message-ID: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA37CCD@SBSSRV.hotze.local>

a WLAN controller will help you detect rogue APs, rescan the area and also change the frequencies/channels in use (depending on configuration, etc.). but this will not replace a site survey. :) and it will not prevent you from having Macs on your network. #m

From: Anurag Bhatia [mailto:me at anuragbhatia.com] Sent: Monday, January 16, 2012 4:44 PM To: Martin Hotze Cc: nanog at nanog.org Subject: Re: enterprise 802.11 (...) You need to do a bit of site survey to get an idea of how many APs you really need. Remember it's open spectrum and, running different bands from adjacent APs, you get really high capacity. With more APs you can eventually re-use a lot of spectrum by running them at low power, to an extent that doesn't affect coverage. (...)

From os10rules at gmail.com Sun Jan 15 17:58:19 2012 From: os10rules at gmail.com (Greg Ihnen) Date: Sun, 15 Jan 2012 19:28:19 -0430 Subject: enterprise 802.11 In-Reply-To: <-7665060707062421807@unknownmsgid> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us> <-7665060707062421807@unknownmsgid> Message-ID: <4116F547-151D-4B2C-B100-8BA706DF7D55@gmail.com>

Very cool. Because all the individual APs are in one enclosure and I assume are under control of one central controller, I bet they're syncing all the APs' transmitters to transmit and listen at the same time so the APs don't interfere with each other. Cisco does that in their Canopy line with GPS sync.
Greg

On Jan 15, 2012, at 7:12 PM, Mike Lyon wrote: > Another one which looks promising for high-density locations is Xirrus > (www.xirrus.com) > > Haven't ever used them though. > > -mike > > Sent from my iPhone > > On Jan 15, 2012, at 15:36, Greg Ihnen wrote: > >> Since we're already top-posting? >> >> I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of whose brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter are an issue. >> >> To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE. >> >> Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP. You should stagger your 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP. 5.8GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby. >> >> Stay away from "mesh" solutions and WDS where one AP repeats another; that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet. >> >> Greg >> >> On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote: >> >>> Ubiquiti's Unifi products are decent, and have *MUCH* improved since their original release (amazing what you can do with better code!).
In the original release, you had to have a management server running on the same L2 network as the APs - they've moved the management to a L3 model so you can put the controller elsewhere. The big PITA with their system is that any change requires 'reprovisioning' the APs, which means rebooting all of them in sequence. They've added VLANs, multiple SSIDs/AP, wireless backhaul/chaining, guest portalling, and limiters to balance the # of clients / AP. >>> >>> In a noisy environment, I've found that they top out at around 30 devices / AP for good performance, and 50 devices / AP for 'working/not working'. In a clean environment, I've seen decent performance with 70 - 100 devices / AP. Of course, if one bad client comes along (with a card that doesn't back off its TX power, etc), it can wreak havoc with higher densities. You really can't argue with Unifi's price. >>> >>> If you move up the price scale, Meraki seems to be a good midrange solution, and they have some really sweet reporting functionality. They're more expensive, though. >>> >>> And then, yes, Cisco is the gold standard, but it will cost you some gold to get it. >>> >>> Nathan >>> >>>> -----Original Message----- >>>> From: Mike Lyon [mailto:mike.lyon at gmail.com] >>>> Sent: Sunday, January 15, 2012 11:54 AM >>>> To: Meftah Tayeb >>>> Cc: nanog at nanog.org >>>> Subject: Re: enterprise 802.11 >>>> >>>> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty new >>>> in the marketspace and thus, working out the bugs. I use their other products >>>> exclusively for outdoor wireless. >>>> >>>> However, in the offices I've done, I've used Cisco's WLC 4402 controller which >>>> supports 12 access points. They have controllers which support more APs as >>>> well. >>>> >>>> Hit me up offlist if you have any questions.
>>>> >>>> -mike >>>> >>>> Sent from my iPhone >>>> >>>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote: >>>> >>>>> Ubiquity >>>>> or ubikity, maybe is miss spelled >>>>> Someone correct the spelling for him please thank you >>>>> ----- Original Message ----- From: "Ken King" >>>>> To: >>>>> Sent: Sunday, January 15, 2012 9:30 PM >>>>> Subject: enterprise 802.11 >>>>> >>>>> >>>>> I need to choose a wireless solution for a new office. >>>>> >>>>> up to 600 devices will connect. most devices are mac books and mobile >>>> phones. >>>>> >>>>> we can see hundreds of access points in close proximity to our new office >>>> space. >>>>> >>>>> what are the thoughts these days on the best enterprise solution/vendor? >>>>> >>>>> Thanks for your replies. >>>>> >>>>> >>>>> Ken King >>>>> >>>> >>> >>> >>

From tim at pelican.org Mon Jan 16 10:52:56 2012 From: tim at pelican.org (Tim Franklin) Date: Mon, 16 Jan 2012 16:52:56 -0000 (GMT) Subject: enterprise 802.11 In-Reply-To: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA365F9@SBSSRV.hotze.local> Message-ID: <696f037e-ac55-496e-89ed-3392a5b06c21@mail.pelican.org>

> As for the iOS problem, read on here: > http://www.net.princeton.edu/apple-ios/ios41-allows-lease-to-expire-keeps-using-IP-address.html

That's the iOS issue - out of curiosity, what's the Mac issue? Regards, Tim.
From jared at puck.nether.net Mon Jan 16 11:05:17 2012 From: jared at puck.nether.net (Jared Mauch) Date: Mon, 16 Jan 2012 12:05:17 -0500 Subject: enterprise 802.11 In-Reply-To: <696f037e-ac55-496e-89ed-3392a5b06c21@mail.pelican.org> References: <696f037e-ac55-496e-89ed-3392a5b06c21@mail.pelican.org> Message-ID: <416410D3-653F-4716-BF68-84E0F81E3F1F@puck.nether.net>

On Jan 16, 2012, at 11:52 AM, Tim Franklin wrote: >> As for the iOS problem, read on here: >> http://www.net.princeton.edu/apple-ios/ios41-allows-lease-to-expire-keeps-using-IP-address.html > > That's the iOS issue - out of curiosity, what's the Mac issue?

That's a poorly maintained device issue. The good news is the DHCP requests for those devices (if you log them) commonly include information about the device owner, e.g.:

Jan 15 16:56:35 nat dhcpd[1046]: DHCPACK on 10.0.0.168 to 18:e7:f4:5c:b1:d7 (MATTS-IPOD-3) via eth0

or

client-hostname "iPhone-Touch"; client-hostname "Her-iPod"; client-hostname "iPad"; client-hostname "Amys-iPod";

Also, citing a single software release with a defect can be done for any platform. http://support.microsoft.com/kb/928233 These issues are commonly solved by upgrading to the most recent release of software.

Reading the Princeton article says setting your lease time to 3600 seconds seems to work around the problem from the network side. I'm personally not convinced of the value of very short lease times (less than an hour). Even IPv6 privacy addresses stay around longer than that.
MacOS Kernel (11.2.0)
net.inet6.ip6.temppltime: 86400
net.inet6.ip6.tempvltime: 604800

Linux Kernel (3.1.1)
net.ipv6.conf.default.use_tempaddr = 0
net.ipv6.conf.default.temp_valid_lft = 604800
net.ipv6.conf.default.temp_prefered_lft = 86400

FreeBSD 9.0-RELEASE (GENERIC)
net.inet6.ip6.use_tempaddr: 0
net.inet6.ip6.temppltime: 86400
net.inet6.ip6.tempvltime: 604800

- Jared

From brent at brentrjones.com Sun Jan 15 13:43:48 2012 From: brent at brentrjones.com (Brent Jones) Date: Sun, 15 Jan 2012 11:43:48 -0800 Subject: enterprise 802.11 In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID:

On Sun, Jan 15, 2012 at 11:30 AM, Ken King wrote: > I need to choose a wireless solution for a new office. > > up to 600 devices will connect. most devices are mac books and mobile > phones. > > we can see hundreds of access points in close proximity to our new office > space. > > what are the thoughts these days on the best enterprise solution/vendor? > > Thanks for your replies. > > > Ken King > >

I have had great success with Ruckus Wireless gear, specifically their 7962 access points. Our offices are pretty noisy radio environments; typically over 70 access points show up on scans, mostly in the 2.4 range though. We use WPA2 with 802.11X for auth, plus a guest zone managed by the Ruckus wireless controller. Works smoothly; haven't had any problems so far.
Part of my decision was based on a Tom's Hardware review of access points: http://www.tomshardware.com/reviews/beamforming-wifi-ruckus,2390.html http://www.tomshardware.com/reviews/wi-fi-performance,2985.html

Brent Jones

From joelja at bogus.com Mon Jan 16 11:38:49 2012 From: joelja at bogus.com (Joel jaeggli) Date: Mon, 16 Jan 2012 09:38:49 -0800 Subject: enterprise 802.11 In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID: <4F1460A9.50502@bogus.com>

On 1/15/12 11:30 , Ken King wrote: > I need to choose a wireless solution for a new office. > > up to 600 devices will connect. most devices are mac books and mobile phones. > > we can see hundreds of access points in close proximity to our new office space. > > what are the thoughts these days on the best enterprise solution/vendor?

My normal advice is fairly vendor independent.

Use dual band, dual radio APs. 802.11a attenuates much more effectively in residential/commercial construction, so the cells are smaller and there's a lot more spectrum... You'll attract all Macs, as well as iPads and most enterprise laptops, to 802.11a/n.

Don't run mixed mode in the 2.4GHz band. Drop the output power on the 2.4GHz radios to ~30mW, turn off the 802.11b rates, and increase the multicast rate to at least 12Mb/s.

Plan for not more than 50 people per AP (remember the APs have dual radios).

If you're going to use 40MHz channels (and n-rates), do so only on 5.8GHz where the map coloring problem is tractable.

> Thanks for your replies. > > > Ken King > > > > > >

From jra at baylink.com Mon Jan 16 11:43:33 2012 From: jra at baylink.com (Jay Ashworth) Date: Mon, 16 Jan 2012 12:43:33 -0500 (EST) Subject: enterprise 802.11 In-Reply-To: <416410D3-653F-4716-BF68-84E0F81E3F1F@puck.nether.net> Message-ID: <5290984.5313.1326735813483.JavaMail.root@benjamin.baylink.com>

----- Original Message ----- > From: "Jared Mauch" > network side.
I'm personally not convinced of the value of very short > lease times (less than an hour)

Less than an hour, perhaps not. On small residential networks, though -- generally, anything where the router (which will need to get rebooted occasionally) *is* the DHCP server -- I tend to set the timeout to 30-60 minutes, to reduce the race window between when a router is rebooted, and when a new device shows up and conflicts because it's given an IP another device still thinks it owns.

Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

From mdavids at forfun.net Mon Jan 16 11:43:38 2012 From: mdavids at forfun.net (Marco Davids (Prive)) Date: Mon, 16 Jan 2012 18:43:38 +0100 (CET) Subject: Paging OpenDNS Message-ID:

Hi, Can someone responsible for 'malware-block at opendns.com' please contact me offline? Thank you. -- Marco

From arturo.servin at gmail.com Mon Jan 16 11:53:51 2012 From: arturo.servin at gmail.com (Arturo Servin) Date: Mon, 16 Jan 2012 15:53:51 -0200 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> Message-ID:

Manish, Nice tool. Is it possible to see the "history" of a prefix? Regards, .as

On 13 Jan 2012, at 18:19, Manish Karir wrote: > > All, > > We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu > bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables > essentially processes the data collected at routeviews and makes it available in a somewhat easier > to use interface.
The goal of bgpTables is to represent global prefix and AS visibility information from the > vantage point of the various bgp table views as seen at routeviews. > The data is currently updated nightly (EST) but we hope to improve this over time. > Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables. > > Some examples: > - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN > > - You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix. > > - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in. > > - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you can then select the particular ASN that is of interest to you.
> > > Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful. > > Thanks. > -The Merit Network Research and Development Team >

From jon.p.sevier at gmail.com Mon Jan 16 11:55:29 2012 From: jon.p.sevier at gmail.com (Jon Sevier) Date: Mon, 16 Jan 2012 09:55:29 -0800 Subject: enterprise 802.11 In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID:

On Sun, Jan 15, 2012 at 11:30 AM, Ken King wrote: > I need to choose a wireless solution for a new office. > up to 600 devices will connect. most devices are mac books and mobile > phones. > > we can see hundreds of access points in close proximity to our new office > space. > > what are the thoughts these days on the best enterprise solution/vendor? > > Thanks for your replies. > > > Ken King > >

Others have mentioned Ubiquiti - while a great and affordable solution for point-to-point/backhaul and WISPs, their Unifi product has a ways to go to be considered 'enterprise ready'. It's at best coffee shop ready based on their latest updates. Their support is basically their forums (which have very good participation of both users and vendor folks). The Unifi AP is 2.4GHz only as well. -Jon

From Valdis.Kletnieks at vt.edu Mon Jan 16 13:37:54 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Mon, 16 Jan 2012 14:37:54 -0500 Subject: enterprise 802.11 In-Reply-To: Your message of "Mon, 16 Jan 2012 09:55:29 PST." References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID: <113303.1326742674@turing-police.cc.vt.edu>

On Mon, 16 Jan 2012 09:55:29 PST, Jon Sevier said: > be considered 'enterprise ready'. It's at best coffee shop ready based on

"coffee shop ready". I'll have to remember that one, thanks. ;)
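As an added example (not code from any post in this thread), the following Python replays ISC dhcpd DHCPACK lines in the format Jared Mauch quotes in his post above and flags an address reissued to a second client before the first client's lease has run out, which is the race window Jay Ashworth describes after a DHCP-serving router reboots. The log lines are constructed for the example; every MAC address and hostname other than the one quoted on the page is made up, and the lease length is whatever the server was configured with (3600 seconds per the Princeton article, 30-60 minutes per Jay).

```python
import re
from datetime import datetime, timedelta

# Syslog line shape of the ISC dhcpd DHCPACK entry quoted in Jared Mauch's
# post; the hostname in parentheses is optional (not every client sends one).
DHCPACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd\[\d+\]: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)

# Constructed sample log. The first line is the one quoted on the page; the
# remaining MAC addresses and hostnames are made up for this example.
SAMPLE_LOG = [
    "Jan 15 16:56:35 nat dhcpd[1046]: DHCPACK on 10.0.0.168 to 18:e7:f4:5c:b1:d7 (MATTS-IPOD-3) via eth0",
    "Jan 15 17:10:02 nat dhcpd[1046]: DHCPACK on 10.0.0.169 to 00:11:22:33:44:55 (Amys-iPod) via eth0",
    "Jan 15 17:12:44 nat dhcpd[1046]: DHCPDISCOVER from 66:77:88:99:aa:bb via eth0",
    # 10.0.0.168 handed to a different client 34 minutes after the first ACK:
    # inside a 3600 s lease, but past a 1800 s one.
    "Jan 15 17:30:40 nat dhcpd[1046]: DHCPACK on 10.0.0.168 to 66:77:88:99:aa:bb (laptop-01) via eth0",
    # 10.0.0.169 reissued 80 minutes later, after any lease of an hour or less.
    "Jan 15 18:30:00 nat dhcpd[1046]: DHCPACK on 10.0.0.169 to cc:dd:ee:ff:00:11 via eth0",
]


def parse_ack(line, year=2012):
    """Parse one DHCPACK line into a dict, or return None for any other line.

    Syslog timestamps carry no year, so the caller supplies it."""
    m = DHCPACK_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "ip": m["ip"],
        "mac": m["mac"].lower(),
        "host": m["host"],   # None when the client sent no hostname
        "iface": m["iface"],
    }


def find_lease_conflicts(lines, lease_seconds=3600, year=2012):
    """Replay DHCPACK lines and report addresses reissued before the previous
    holder's lease (ACK time + lease_seconds) has run out.

    This is the race Jay Ashworth describes when the router that serves DHCP
    reboots and forgets its leases. It also shows why the Princeton iOS
    behaviour matters on the server side: a client that keeps using an
    address after expiry collides with whoever is given it next, so a short
    lease narrows the window without removing it.

    Returns (conflicts, inventory): conflicts is a list of dicts, inventory
    maps each MAC to the last hostname it announced (Jared's point that the
    logs usually tell you whose device it is)."""
    lease = timedelta(seconds=lease_seconds)
    holders = {}     # ip -> (mac, lease expiry)
    inventory = {}   # mac -> hostname or None
    conflicts = []
    for line in lines:
        rec = parse_ack(line, year)
        if rec is None:
            continue
        inventory[rec["mac"]] = rec["host"]
        prev = holders.get(rec["ip"])
        if prev is not None and prev[0] != rec["mac"] and rec["ts"] < prev[1]:
            conflicts.append({
                "ip": rec["ip"],
                "old_mac": prev[0],
                "new_mac": rec["mac"],
                "at": rec["ts"],
                "old_expiry": prev[1],
            })
        holders[rec["ip"]] = (rec["mac"], rec["ts"] + lease)
    return conflicts, inventory


if __name__ == "__main__":
    for lease_seconds in (3600, 1800):
        conflicts, inventory = find_lease_conflicts(SAMPLE_LOG, lease_seconds)
        print(f"lease {lease_seconds}s: {len(conflicts)} conflict(s)")
        for c in conflicts:
            print(f"  {c['ip']} given to {c['new_mac']} at {c['at']:%H:%M:%S}; "
                  f"{c['old_mac']} ({inventory[c['old_mac']]}) held it until "
                  f"{c['old_expiry']:%H:%M:%S}")
```

Running it against the same log with a 3600 s lease reports one conflict on 10.0.0.168, and with an 1800 s lease none, which is the trade-off the two posts are arguing about.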
From colin.gibbons at neovera.com Mon Jan 16 13:52:36 2012 From: colin.gibbons at neovera.com (Colin Gibbons) Date: Mon, 16 Jan 2012 14:52:36 -0500 Subject: Public route server in Hawaii Message-ID: <4F148004.9000103@neovera.com>

Can anyone recommend a public route server in Hawaii? Efforts to locate one through conventional means have so far been unsuccessful. Any helpful suggestions are appreciated.

From andreas.larsen at ip-only.se Mon Jan 16 13:54:18 2012 From: andreas.larsen at ip-only.se (Andreas Larsen) Date: Mon, 16 Jan 2012 20:54:18 +0100 Subject: SV: enterprise 802.11 In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID:

I have made a couple of school installations with Ubiquiti products and they are rock solid; for enterprise they are very good. Easy to set up etc. And very affordable. Regards

-----Original Message----- From: Ken King [mailto:kking at yammer-inc.com] Sent: 15 January 2012 20:31 To: nanog at nanog.org Subject: enterprise 802.11

I need to choose a wireless solution for a new office. up to 600 devices will connect. most devices are mac books and mobile phones. we can see hundreds of access points in close proximity to our new office space. what are the thoughts these days on the best enterprise solution/vendor? Thanks for your replies. Ken King

From brandon.kim at brandontek.com Mon Jan 16 14:19:29 2012 From: brandon.kim at brandontek.com (Brandon Kim) Date: Mon, 16 Jan 2012 15:19:29 -0500 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>, Message-ID:

I'm getting a database error when I search for an AS....
> Subject: Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS > From: arturo.servin at gmail.com > Date: Mon, 16 Jan 2012 15:53:51 -0200 > To: mkarir at merit.edu > CC: nanog at nanog.org > > Manish, > > Nice tool. > > Is it possible to see the "history" of a prefix? > > > Regards, > ..as

From mkarir at merit.edu Mon Jan 16 14:44:08 2012 From: mkarir at merit.edu (Manish Karir) Date: Mon, 16 Jan 2012 15:44:08 -0500 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>, Message-ID:

Please remember to add the "as" before the number for your query. so for AS 65000 your search term should be "as65000" Thanks. -manish

On Jan 16, 2012, at 3:19 PM, Brandon Kim wrote: > I'm getting a database error when I search for an AS....

From brandon.kim at brandontek.com Mon Jan 16 15:15:15 2012 From: brandon.kim at brandontek.com (Brandon Kim) Date: Mon, 16 Jan 2012 16:15:15 -0500 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>, , Message-ID:

Thanks everyone, yes adding AS works... Will it be updated to just accept 65000 without the "AS" in the near future?

> Subject: Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS > From: mkarir at merit.edu > Date: Mon, 16 Jan 2012 15:44:08 -0500 > CC: nanog at nanog.org > To: brandon.kim at brandontek.com > > > Please remember to add the "as" before the number for your query. > so for AS 65000 your search term should be "as65000" > > Thanks. > -manish

From leon at dexterous.org Mon Jan 16 16:55:37 2012 From: leon at dexterous.org (Leon Kyneur) Date: Tue, 17 Jan 2012 09:55:37 +1100 Subject: IP Management Software In-Reply-To: References: Message-ID:

I have been playing phpipam as a replacement for ipplan.. Support for IPv6, VRF and VLAN tracking as well. My only limiting factor has been that it only supports 2 levels of subnet nesting.. http://sourceforge.net/projects/phpipam/ Leon

On Sat, Dec 17, 2011 at 3:03 AM, Shahab Vahabzadeh wrote: > Hi everybody, > Can anybody share his/her experience with IP Management software's? Which I > can use it managing near 100K IP Address? > IPPlan is not good enough, I think its covering all my need and not fully > flexible. > If you have discuss this before here please share me the link.
> Thanks > > -- > Regards, > Shahab Vahabzadeh, IP Engineer, *nix Admin and Geek

From sgtcasey at gmail.com Mon Jan 16 17:22:58 2012 From: sgtcasey at gmail.com (David Casey) Date: Mon, 16 Jan 2012 16:22:58 -0700 Subject: Southwest US DNS issues? Message-ID:

My organization is getting SERVFAIL when attempting to look up www.wikipedia.org and some other URLs. Is anyone else seeing similar issues? Dave Sent from my iPhone

From shortdudey123 at gmail.com Mon Jan 16 17:24:48 2012 From: shortdudey123 at gmail.com (Grant Ridder) Date: Mon, 16 Jan 2012 17:24:48 -0600 Subject: Southwest US DNS issues? In-Reply-To: References: Message-ID:

Hi Dave, What DNS servers are you using and who is your internet provider? -Grant

On Mon, Jan 16, 2012 at 5:22 PM, David Casey wrote: > My organization is getting SERVFAIL when attempting to look up > www.wikipedia.org and some other URLs. > > Is anyone else seeing similar issues? > > Dave > > Sent from my iPhone >

From sgtcasey at gmail.com Mon Jan 16 17:39:35 2012 From: sgtcasey at gmail.com (David Casey) Date: Mon, 16 Jan 2012 16:39:35 -0700 Subject: Southwest US DNS issues? In-Reply-To: References: Message-ID: <7FB04FE5-54DC-4F52-BDC7-ED9311176492@gmail.com>

Never mind everyone. Security made a change on the firewall. Backed out and all good now. I was concerned because we were seeing this issue with just specific websites and only when we tried to look up their IP addresses. Thanks for the quick replies! Dave Sent from my iPad

On Jan 16, 2012, at 16:24, Grant Ridder wrote: > Hi Dave, > > What DNS servers are you using and who is your internet provider? > > -Grant > > On Mon, Jan 16, 2012 at 5:22 PM, David Casey wrote: > My organization is getting SERVFAIL when attempting to look up www.wikipedia.org and some other URLs. > > Is anyone else seeing similar issues?
> Dave
> Sent from my iPhone

From cburwell at gmail.com Mon Jan 16 11:44:22 2012
From: cburwell at gmail.com (Chris Burwell)
Date: Mon, 16 Jan 2012 12:44:22 -0500
Subject: enterprise 802.11
In-Reply-To: <-7665060707062421807@unknownmsgid>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us> <-7665060707062421807@unknownmsgid>
Message-ID:

I used Xirrus before, about 2-3 years ago. They are great for addressing density issues without adding a large number of APs in one area. As with any wireless solution, it does have its limitations. In our case the building was very challenging, with solid concrete walls on top of lockers on each wall. The number of APs (IIRC they call them arrays) needed didn't really save us much in the end. One thing I did not like is that you had to use their power injectors because, at the time, their arrays needed more power than any switch could provide.

Pricing ended up being the ultimate fall of Xirrus in our environment. To get the coverage that we needed (real world) they were considerably more than the early HP/Colubris solution that we ended up with.

- Chris

On Sun, Jan 15, 2012 at 6:42 PM, Mike Lyon wrote:
> Another one which looks promising for high-density locations is Xirrus (www.xirrus.com)
> Haven't ever used them though.
> -mike
> Sent from my iPhone
> On Jan 15, 2012, at 15:36, Greg Ihnen wrote:
>> Since we're already top-posting?
>> I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of whose brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter are an issue.
>> To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE.
>> Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP. You should stagger your 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP. 5.8GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby.
>> Stay away from "mesh" solutions and WDS where one AP repeats another; that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet.
>> Greg
>> On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote:
>>> Ubiquiti's Unifi products are decent, and have *MUCH* improved since their original release (amazing what you can do with better code!). In the original release, you had to have a management server running on the same L2 network as the APs - they've moved the management to an L3 model so you can put the controller elsewhere. The big PITA with their system is that any change requires 'reprovisioning' the APs, which means rebooting all of them in sequence. They've added VLANs, multiple SSIDs/AP, wireless backhaul/chaining, guest portalling, and limiters to balance the # of clients / AP.
>>> In a noisy environment, I've found that they top out at around 30 devices / AP for good performance, and 50 devices / AP for 'working/not working'. In a clean environment, I've seen decent performance with 70 - 100 devices / AP.
>>> Of course, if one bad client comes along (with a card that doesn't back off its TX power, etc.), it can wreak havoc with higher densities. You really can't argue with Unifi's price.
>>> If you move up the price scale, Meraki seems to be a good midrange solution, and they have some really sweet reporting functionality. They're more expensive, though.
>>> And then, yes, Cisco is the gold standard, but it will cost you some gold to get it.
>>> Nathan
>>>> -----Original Message-----
>>>> From: Mike Lyon [mailto:mike.lyon at gmail.com]
>>>> Sent: Sunday, January 15, 2012 11:54 AM
>>>> To: Meftah Tayeb
>>>> Cc: nanog at nanog.org
>>>> Subject: Re: enterprise 802.11
>>>> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty new in the marketspace and thus, working out the bugs. I use their other products exclusively for outdoor wireless.
>>>> However, in the offices I've done, I've used Cisco's WLC 4402 controller which supports 12 access points. They have controllers which support more APs as well.
>>>> Hit me up offlist if you have any questions.
>>>> -mike
>>>> Sent from my iPhone
>>>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:
>>>>> Ubiquity
>>>>> or ubikity, maybe it is misspelled
>>>>> Someone correct the spelling for him please, thank you
>>>>> ----- Original Message ----- From: "Ken King"
>>>>> To:
>>>>> Sent: Sunday, January 15, 2012 9:30 PM
>>>>> Subject: enterprise 802.11
>>>>> I need to choose a wireless solution for a new office.
>>>>> Up to 600 devices will connect. Most devices are MacBooks and mobile phones.
>>>>> We can see hundreds of access points in close proximity to our new office space.
>>>>> What are the thoughts these days on the best enterprise solution/vendor?
>>>>> Thanks for your replies.
>>>>> Ken King
>>>>> __________ Information from ESET NOD32 Antivirus, version of virus signature database 6793 (20120113) __________
>>>>> The message was checked by ESET NOD32 Antivirus.
>>>>> http://www.eset.com

From labguy at gmail.com Mon Jan 16 21:24:58 2012
From: labguy at gmail.com (Troy Martin)
Date: Mon, 16 Jan 2012 20:24:58 -0700
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid>
Message-ID: <-4257578966735167716@unknownmsgid>

Why not avoid controllers entirely? I recommend Aerohive. In their solution, there is NO controller; rather the APs communicate with each other. (Imagine what OSPF would be like with a centralized router.)

Check them out: www.aerohive.com

Kindest regards,
Troy

Sent from my iPhone. Apologies for spelling and grammatical errors.

On Jan 15, 2012, at 5:50 PM, David Casey wrote:
> I like Cisco's WLCs as well. Where I am working we have a few hundred APs at one of our sites with WLCs running the show. The 5500 controllers with CleanAir APs are awesome.
> Dave
> Sent from my iPad
> On Jan 15, 2012, at 12:57, Mike Hale wrote:
>> Cisco's wireless solutions are pretty badass. The APs I've used are absolutely rock solid. Setup will take a bit of time, but once you're done, maintenance is minimal.
>> On Jan 15, 2012 11:54 AM, "Mike Lyon" wrote:
>>> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty new in the marketspace and thus, working out the bugs. I use their other products exclusively for outdoor wireless.
>>> However, in the offices I've done, I've used Cisco's WLC 4402 controller which supports 12 access points. They have controllers which support more APs as well.
>>> Hit me up offlist if you have any questions.
>>> -mike
>>> Sent from my iPhone
>>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:
>>>> Ubiquity
>>>> or ubikity, maybe it is misspelled
>>>> Someone correct the spelling for him please
>>>> thank you
>>>> ----- Original Message ----- From: "Ken King"
>>>> To:
>>>> Sent: Sunday, January 15, 2012 9:30 PM
>>>> Subject: enterprise 802.11
>>>> I need to choose a wireless solution for a new office.
>>>> Up to 600 devices will connect. Most devices are MacBooks and mobile phones.
>>>> We can see hundreds of access points in close proximity to our new office space.
>>>> What are the thoughts these days on the best enterprise solution/vendor?
>>>> Thanks for your replies.
>>>> Ken King

From estover at stoversnc.com Tue Jan 17 09:05:41 2012
From: estover at stoversnc.com (Eugene Stover)
Date: Tue, 17 Jan 2012 10:05:41 -0500
Subject: CoLo Alwaysonline..... offline.....
Message-ID: <8CB2A246FE084B4E95EB379B64296ECC01D6266C8EF6@SERVER-001.127-001.local>

Anyone have any info? Not responding to anything.

Enjoy the day!

From bhmccie at gmail.com Tue Jan 17 09:16:26 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Tue, 17 Jan 2012 09:16:26 -0600
Subject: VPC=S/MLT?
In-Reply-To: <20120115011015.GA14746@argus.gw.utexas.edu>
References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu> <4F109CC0.8000800@gmail.com> <20120115011015.GA14746@argus.gw.utexas.edu>
Message-ID: <4F1590CA.6090609@gmail.com>

Thanks Charles. It's a start.

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/14/2012 7:10 PM, Charles Spurgeon wrote:
> On Fri, Jan 13, 2012 at 03:05:45PM -0600, -Hammer- wrote:
>> The first link references "chapter 3". I found chapter 5 as well but I can't find the full index. Do you have that link by any chance?
> I don't have a link to a full index. The links I sent are from a set of Nexus design and operation chapters I've found. Each chapter is a guide to a specific aspect of Nexus and vPC operation and DC design. The set doesn't appear to have been turned into standard Cisco docs with indexes etc.
>
> Here are the links that I've been able to find:
>
> Chapter 1: Data Center Design with Cisco Nexus Switches and Virtual PortChannel: Overview
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572831-00_Dsgn_Nexus_vPC_DG.pdf
>
> Chapter 2: Cisco NX-OS Software Command-Line Interface Primer
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572833-00_NX-OS_CLI.pdf
>
> Chapter 3: Cisco NX-OS Software Virtual PortChannel: Fundamental Concepts
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf
>
> Chapter 4: Spanning Tree Design Guidelines for Cisco NX-OS Software and Virtual PortChannels
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572834-00_STDG_NX-OS_vPC_DG.pdf
>
> Chapter 5: Data Center Aggregation Layer Design and Configuration with Cisco Nexus Switches and Virtual PortChannels
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf
>
> Chapter 6: Data Center Access
> Design with Cisco Nexus 5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf
>
> Chapter 7: 10 Gigabit Ethernet Connectivity with Microsoft Windows Servers
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572828-00_10Gb_Conn_Win_DG.pdf
>
> Chapter 8: Data Center Design with VMware ESX 4.0 and Cisco Nexus 5000 and 1000V Series Switches 4.0(4)SV1(1) and 2000 Series Fabric Extenders
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572832-00_VMware_ESX4_Nexus_DG.pdf
>
> -Charles
>
> Charles E. Spurgeon / UTnet
> UT Austin ITS / Networking
> c.spurgeon at its.utexas.edu / 512.475.9265

From mikea at mikea.ath.cx Tue Jan 17 11:41:16 2012
From: mikea at mikea.ath.cx (Mike Andrews)
Date: Tue, 17 Jan 2012 11:41:16 -0600
Subject: CoLo Alwaysonline..... offline.....
In-Reply-To: <8CB2A246FE084B4E95EB379B64296ECC01D6266C8EF6@SERVER-001.127-001.local>
References: <8CB2A246FE084B4E95EB379B64296ECC01D6266C8EF6@SERVER-001.127-001.local>
Message-ID: <20120117174116.GC9070@mikea.ath.cx>

On Tue, Jan 17, 2012 at 10:05:41AM -0500, Eugene Stover wrote:
> Anyone have any info? Not responding to anything.

I don't see anything that I can ID as anomalous. What are you (not) seeing?

--
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin

From a.almalki1402 at gmail.com Tue Jan 17 13:44:50 2012
From: a.almalki1402 at gmail.com (Abdullah Al-Malki)
Date: Tue, 17 Jan 2012 22:44:50 +0300
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID:

Thank you all for your recommendations. I will sit this weekend and evaluate what fits into my requirements.

Thanks all

On Mon, Jan 16, 2012 at 5:05 AM, Rafael Rodriguez wrote:
> If you're looking for something interactive, check out Mr. CLI
> Sent from my iPhone
> On Jan 15, 2012, at 12:52, Abdullah Al-Malki wrote:
> > Hi fellows,
> > I am supporting a big service provider and sometimes I face this problem. Sometimes I want to access my customer network and want to extract some verification output "show commands" from a large number of devices.
> > What kind of scripting solutions are you guys using in this case?
> > Appreciate the feedback,
> > Abdullah

From mike.lyon at gmail.com Tue Jan 17 13:59:16 2012
From: mike.lyon at gmail.com (Mike Lyon)
Date: Tue, 17 Jan 2012 11:59:16 -0800
Subject: Slightly OT: GoDaddy and SPF records...
Message-ID:

Howdy folks,

Was curious to see if anyone on the list has ever been successful with setting up SPF records on their domains that are hosted on GD nameservers... It appears they only let you configure TXT spf records, not actual SPF records.

Anyone ever come across this before?

Cheers,
Mike

From me at anuragbhatia.com Tue Jan 17 14:12:12 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Wed, 18 Jan 2012 01:42:12 +0530
Subject: Slightly OT: GoDaddy and SPF records...
In-Reply-To:
References:
Message-ID:

Hi Mike

SPF records are actually special syntax-based TXT records starting with v=spf1. You can check out http://openspf.org for a bit of detail. It is the project's official site and also has a simple wizard tool for generating the required SPF, which is published as a TXT record.

Hope that will help you.

On 1/18/12, Mike Lyon wrote:
> Howdy folks,
> Was curious to see if anyone on the list has ever been successful with setting up SPF records on their domains that are hosted on GD nameservers... It appears they only let you configure TXT spf records, not actual SPF records.
> Anyone ever come across this before?
> Cheers,
> Mike

--
Sent from my mobile device

Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on an IPv6 connected network!
Twitter: @anurag_bhatia

From rohan at rs3net.net Tue Jan 17 14:20:09 2012
From: rohan at rs3net.net (Rohan Sheth)
Date: Tue, 17 Jan 2012 12:20:09 -0800
Subject: Slightly OT: GoDaddy and SPF records...
In-Reply-To:
References:
Message-ID:

On Tue, Jan 17, 2012 at 11:59 AM, Mike Lyon wrote:
> Howdy folks,
> Was curious to see if anyone on the list has ever been successful with setting up SPF records on their domains that are hosted on GD nameservers... It appears they only let you configure TXT spf records, not actual SPF records.

I believe this is because historically GoDaddy used bboy's MyDNS[1] which does not support SPF type records[2]. However it seems they are now using Verisign's ATLAS[3] so perhaps the UI and some backend code simply have yet to be developed?

-Rohan

[1] http://mydns.bboy.net/
[2] http://mydns.bboy.net/doc/html/mydns_11.html#SEC11
[3] rohan at dragonite:~> fpdns ns35.domaincontrol.com 2>/dev/null
fingerprint (ns35.domaincontrol.com, 216.69.185.18): VeriSign ATLAS

From shrdlu at deaddrop.org Tue Jan 17 14:29:03 2012
From: shrdlu at deaddrop.org (Lynda)
Date: Tue, 17 Jan 2012 12:29:03 -0800
Subject: Slightly OT: GoDaddy and SPF records...
In-Reply-To:
References:
Message-ID: <4F15DA0F.6010508@deaddrop.org>

On 1/17/2012 11:59 AM, Mike Lyon wrote:
> Was curious to see if anyone on the list has ever been successful with setting up SPF records on their domains that are hosted on GD nameservers... It appears they only let you configure TXT spf records, not actual SPF records.

Let me quickly reiterate what Anurag Bhatia has already told you. TXT records are what you need. I went through a LOT of completely unnecessary suffering, and discovered that while you CAN create an SPF record, what you really need is a TXT record that performs this service. Save yourself some suffering, and don't even bother with the SPF record (this is for those of you who are just now considering making such a thing).
GoDaddy (for once) has saved you some sadness, here.

--
Those proud of keeping an orderly desk never know the thrill of finding something they thought they had irretrievably lost.

From mysidia at gmail.com Tue Jan 17 14:32:25 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Tue, 17 Jan 2012 14:32:25 -0600
Subject: Slightly OT: GoDaddy and SPF records...
In-Reply-To:
References:
Message-ID:

On Tue, Jan 17, 2012 at 2:12 PM, Anurag Bhatia wrote:
> Hi Mike
> SPF records are actually special syntax-based TXT records starting with v=spf1

An SPF DNS record is RR TYPE CODE 99 (http://www.iana.org/assignments/dns-parameters, RFC4408). An SPF compliant domain should have BOTH the TXT RR and an SPF RR.

--
-JH

From fdelmotte1 at mac.com Tue Jan 17 14:43:33 2012
From: fdelmotte1 at mac.com (Fabien Delmotte)
Date: Tue, 17 Jan 2012 21:43:33 +0100
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID:

Hello,

You can also use rancid.

Regards

Fabien

On 17 Jan 2012, at 20:44, Abdullah Al-Malki wrote:
> Thank you all for your recommendations.
> I will sit this weekend and evaluate what fits into my requirements.
> Thanks all
> On Mon, Jan 16, 2012 at 5:05 AM, Rafael Rodriguez wrote:
>> If you're looking for something interactive, check out Mr. CLI
>> Sent from my iPhone
>> On Jan 15, 2012, at 12:52, Abdullah Al-Malki wrote:
>>> Hi fellows,
>>> I am supporting a big service provider and sometimes I face this problem. Sometimes I want to access my customer network and want to extract some verification output "show commands" from a large number of devices.
>>> What kind of scripting solutions are you guys using in this case?
>>> Appreciate the feedback,
>>> Abdullah

From mkarir at merit.edu Tue Jan 17 15:52:21 2012
From: mkarir at merit.edu (Manish Karir)
Date: Tue, 17 Jan 2012 16:52:21 -0500
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
In-Reply-To:
References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>
Message-ID: <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu>

Hi Arturo,

We could easily archive older copies of the database when we update the data, but I think our issue right now is that we don't fully understand how to add the notion of time to the user interface and we don't understand how folks might want to use it. Do you have a simple use case description of an example which might help us figure out how the notion of time can help answer a question? What would be an example of a query that uses time?

Thanks.
-manish

On Jan 16, 2012, at 12:53 PM, Arturo Servin wrote:
> Manish,
> Nice tool.
> Is it possible to see the "history" of a prefix?
> Regards,
> .as
> On 13 Jan 2012, at 18:19, Manish Karir wrote:
>> All,
>> We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu
>> bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables essentially processes the data collected at routeviews and makes it available in a somewhat easier to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the vantage point of the various bgp table views as seen at routeviews.
>> The data is currently updated nightly (EST) but we hope to improve this over time.
>> Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables.
>> Some examples:
>> - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box.
>> For example, to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN.
>> - You can query for a specific prefix by directly entering the prefix into the search box. For example, to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix.
>> - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example, to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in.
>> - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching Google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you can then select the particular ASN that is of interest to you.
>> Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful.
>> Thanks.
>> -The Merit Network Research and Development Team

From rcarpen at network1.net Tue Jan 17 16:04:02 2012
From: rcarpen at network1.net (Randy Carpenter)
Date: Tue, 17 Jan 2012 17:04:02 -0500 (EST)
Subject: How are you doing DHCPv6 ?
In-Reply-To: <36695b3d-02a4-466c-a19a-1fe4747d38e1@zimbra.network1.net>
Message-ID: <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net>

I am wondering how people out there are using DHCPv6 to handle assigning prefixes to end users.

We have a requirement for it to be a redundant server that is centrally located. DHCPv6 will be relayed from each customer access segment.

We have been looking at using ISC dhcpd, as that is what we use for v4. However, it currently does not support any redundancy. It also does not do very much useful logging for DHCPv6 requests. Certainly not enough to keep track of users and devices.

So, my questions are:

How are you doing DHCPv6 with Prefix Delegation?

What software are you using?

When DHCPv6 with Prefix Delegation seems to be about the only way to deploy IPv6 to end users in a generic device-agnostic fashion, I am wondering why it is so difficult to find a working solution.

thanks,
-Randy

--
| Randy Carpenter
| Vice President - IT Services
| Red Hat Certified Engineer
| First Network Group, Inc.
| (800)578-6381, Opt. 1
----

From tayeb.meftah at gmail.com Mon Jan 16 14:33:32 2012
From: tayeb.meftah at gmail.com (Meftah Tayeb)
Date: Mon, 16 Jan 2012 22:33:32 +0200
Subject: How are you doing DHCPv6 ?
References: <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net>
Message-ID:

Mikrotik RouterOS

----- Original Message -----
From: "Randy Carpenter"
To: "Nanog"
Sent: Wednesday, January 18, 2012 12:04 AM
Subject: How are you doing DHCPv6 ?

> I am wondering how people out there are using DHCPv6 to handle assigning prefixes to end users.
> We have a requirement for it to be a redundant server that is centrally located. DHCPv6 will be relayed from each customer access segment.
> We have been looking at using ISC dhcpd, as that is what we use for v4. However, it currently does not support any redundancy. It also does not do very much useful logging for DHCPv6 requests.
> Certainly not enough to keep track of users and devices.
> So, my questions are:
> How are you doing DHCPv6 with Prefix Delegation?
> What software are you using?
> When DHCPv6 with Prefix Delegation seems to be about the only way to deploy IPv6 to end users in a generic device-agnostic fashion, I am wondering why it is so difficult to find a working solution.
> thanks,
> -Randy
> --
> | Randy Carpenter
> | Vice President - IT Services
> | Red Hat Certified Engineer
> | First Network Group, Inc.
> | (800)578-6381, Opt. 1
> ----

From dwessels at verisign.com Tue Jan 17 16:51:58 2012
From: dwessels at verisign.com (Wessels, Duane)
Date: Tue, 17 Jan 2012 17:51:58 -0500
Subject: DNS Track at NANOG 54
Message-ID: <47211D96-BA5C-4111-A6B2-747B4BCBBEA4@verisign.com>

Greetings,

The DNS Track takes place at NANOG 54 on Tuesday from 4:30 to 6:00. This is a very informal (BOF-like) gathering for folks interested in DNS topics. If you have material to present or suggested topics for discussion, I'd welcome your contribution.

Duane W.

From John_Brzozowski at Cable.Comcast.com Tue Jan 17 17:06:54 2012
From: John_Brzozowski at Cable.Comcast.com (Brzozowski, John)
Date: Tue, 17 Jan 2012 23:06:54 +0000
Subject: How are you doing DHCPv6 ?
In-Reply-To: <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net>
References: <36695b3d-02a4-466c-a19a-1fe4747d38e1@zimbra.network1.net>, <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net>
Message-ID:

You might want to give this a read:

http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt

-------- Original Message --------
From: Randy Carpenter
Sent: Tue, Jan 17, 2012 5:4 PM
To: Nanog
CC:
Subject: How are you doing DHCPv6 ?

I am wondering how people out there are using DHCPv6 to handle assigning prefixes to end users.

We have a requirement for it to be a redundant server that is centrally located. DHCPv6 will be relayed from each customer access segment.

We have been looking at using ISC dhcpd, as that is what we use for v4. However, it currently does not support any redundancy. It also does not do very much useful logging for DHCPv6 requests. Certainly not enough to keep track of users and devices.

So, my questions are:

How are you doing DHCPv6 with Prefix Delegation?

What software are you using?

When DHCPv6 with Prefix Delegation seems to be about the only way to deploy IPv6 to end users in a generic device-agnostic fashion, I am wondering why it is so difficult to find a working solution.

thanks,
-Randy

--
| Randy Carpenter
| Vice President - IT Services
| Red Hat Certified Engineer
| First Network Group, Inc.
| (800)578-6381, Opt. 1
----

From rcarpen at network1.net Tue Jan 17 17:19:28 2012
From: rcarpen at network1.net (Randy Carpenter)
Date: Tue, 17 Jan 2012 18:19:28 -0500 (EST)
Subject: How are you doing DHCPv6 ?
In-Reply-To:
Message-ID: <3957a03c-881d-46aa-a26a-862d1f7dfa58@zimbra.network1.net>

> You might want to give this a read:
> http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt

That doesn't really help us if we want to deploy before that draft becomes a standard.

Are there any DHCPv6 servers currently that actually function in a fashion that is suitable for service providers?
-Randy

> -------- Original Message --------
> From: Randy Carpenter
> Sent: Tue, Jan 17, 2012 5:4 PM
> To: Nanog
> CC:
> Subject: How are you doing DHCPv6 ?
> I am wondering how people out there are using DHCPv6 to handle assigning prefixes to end users.
> We have a requirement for it to be a redundant server that is centrally located. DHCPv6 will be relayed from each customer access segment.
> We have been looking at using ISC dhcpd, as that is what we use for v4. However, it currently does not support any redundancy. It also does not do very much useful logging for DHCPv6 requests. Certainly not enough to keep track of users and devices.
> So, my questions are:
> How are you doing DHCPv6 with Prefix Delegation?
> What software are you using?
> When DHCPv6 with Prefix Delegation seems to be about the only way to deploy IPv6 to end users in a generic device-agnostic fashion, I am wondering why it is so difficult to find a working solution.
> thanks,
> -Randy
> --
> | Randy Carpenter
> | Vice President - IT Services
> | Red Hat Certified Engineer
> | First Network Group, Inc.
> | (800)578-6381, Opt. 1
> ----

From dr at cluenet.de Tue Jan 17 17:37:01 2012
From: dr at cluenet.de (Daniel Roesen)
Date: Wed, 18 Jan 2012 00:37:01 +0100
Subject: How are you doing DHCPv6 ?
In-Reply-To: <3957a03c-881d-46aa-a26a-862d1f7dfa58@zimbra.network1.net>
References: <3957a03c-881d-46aa-a26a-862d1f7dfa58@zimbra.network1.net>
Message-ID: <20120117233701.GA13633@srv03.cluenet.de>

On Tue, Jan 17, 2012 at 06:19:28PM -0500, Randy Carpenter wrote:
> > You might want to give this a read:
> > http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt
> That doesn't really help us if we want to deploy before that draft becomes a standard.

Well, it more or less just presents options (workarounds for missing proper HA sync).
> Are there any DHCPv6 servers currently that actually function in a fashion that is suitable for service providers?

Without specifying your requirements, that's hard to say. If you're looking for fully state-sync'ed DHCPv6 server HA, I'm not aware of any.

Cisco unfortunately pushed that another year into the future for CNR, so we're resorting for now to the "Split Prefixes" model described in the abovementioned draft, effectively halving our DHCPv6-PD pools and thus exacerbating the negative effects of RIPE's overly conservative policy (HD-Ratio 0.94) on IPv6 by effectively stealing one bit (half the address space) just for redundancy. :-(

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From paul4004 at gmail.com Tue Jan 17 17:58:52 2012
From: paul4004 at gmail.com (PC)
Date: Tue, 17 Jan 2012 16:58:52 -0700
Subject: How are you doing DHCPv6 ?
In-Reply-To: <20120117233701.GA13633@srv03.cluenet.de>
References: <3957a03c-881d-46aa-a26a-862d1f7dfa58@zimbra.network1.net> <20120117233701.GA13633@srv03.cluenet.de>
Message-ID:

The good news is that doubling your IP address allocation requirements for v6 is far better than doubling v4...

On Tue, Jan 17, 2012 at 4:37 PM, Daniel Roesen wrote:
> On Tue, Jan 17, 2012 at 06:19:28PM -0500, Randy Carpenter wrote:
> > > You might want to give this a read:
> > > http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt
> > That doesn't really help us if we want to deploy before that draft becomes a standard.
> Well, it more or less just presents options (workarounds for missing proper HA sync).
> > Are there any DHCPv6 servers currently that actually function in a fashion that is suitable for service providers?
> Without specifying your requirements, that's hard to say. If you're looking for fully state-sync'ed DHCPv6 server HA, I'm not aware of any.
>
> Cisco unfortunately pushed that another year into the future for CNR, so
> we're resorting for now to the "Split Prefixes" model described in the
> abovementioned draft, effectively halving our DHCPv6-PD pools and thus
> exacerbating the negative effects of RIPE's overly conservative
> policy (HD-Ratio 0.94) on IPv6 by effectively stealing one bit (half
> the address space) just for redundancy. :-(
>
> Best regards,
> Daniel
>
> --
> CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0
>

From ekim.ittag at gmail.com Tue Jan 17 18:05:43 2012
From: ekim.ittag at gmail.com (Mike Gatti)
Date: Tue, 17 Jan 2012 16:05:43 -0800
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID: <11ACED16-F364-497A-8FBE-0741A1CD823B@gmail.com>

Hey, did anyone mention Rancid..., just kidding....

I've used ciscocmd in the past, a little outdated but worth looking at (http://sourceforge.net/projects/cosi-nms/files/ciscocmd/)

You might also have some fun writing your own expect scripts.

--
Michael Gatti
main. 949.371.5474
(UTC -8)

On Jan 17, 2012, at 12:43 PM, Fabien Delmotte wrote:
> Hello,
>
> You can use also rancid.
>
> Regards
>
> Fabien
>
> On 17 Jan 2012, at 20:44, Abdullah Al-Malki wrote:
>
>> Thank you all for your recommendations.
>> I will sit this weekend and evaluate what fits into my requirements.
>>
>> Thanks all
>>
>> On Mon, Jan 16, 2012 at 5:05 AM, Rafael Rodriguez wrote:
>>
>>> If you're looking for something interactive, check out Mr. CLI
>>>
>>> Sent from my iPhone
>>>
>>> On Jan 15, 2012, at 12:52, Abdullah Al-Malki wrote:
>>>
>>>> Hi fellows,
>>>> I am supporting a big service provider and sometimes I face this problem.
>>>> Sometimes I want to access my customer network and want to extract some
>>>> verification output "show commands" from a large number of devices.
>>>>
>>>> What kind of scripting solutions are you guys using in this case?
>>>> >>>> Appreciate the feedback, >>>> Abdullah >>> > > From John_Brzozowski at Cable.Comcast.com Tue Jan 17 18:27:48 2012 From: John_Brzozowski at Cable.Comcast.com (Brzozowski, John) Date: Wed, 18 Jan 2012 00:27:48 +0000 Subject: How are you doing DHCPv6 ? In-Reply-To: <3957a03c-881d-46aa-a26a-862d1f7dfa58@zimbra.network1.net> Message-ID: The draft does help you, it is a BCP and does not specify a standard. It outlines some BCPs that are usable today. I believe I tested and verified that what I outlined works with the ISC DHCPv6 server. It also works with other DHCPv6 servers as well. John ========================================= John Jason Brzozowski Comcast Cable e) mailto:john_brzozowski at cable.comcast.com o) 609-377-6594 m) 484-962-0060 w) http://www.comcast6.net ========================================= On 1/17/12 6:19 PM, "Randy Carpenter" wrote: > >> You might want to give this a read: >> >> http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt > >That doesn't really help us if we want to deploy before that draft >becomes a standard. > >Are there any DHCPv6 servers currently that actually function in a >fashion that is suitable for service providers? > >-Randy > > >> -------- Original Message -------- >> From: Randy Carpenter >> Sent: Tue, Jan 17, 2012 5:4 PM >> To: Nanog >> CC: >> Subject: How are you doing DHCPv6 ? >> >> >> I am wondering how people out there are using DHCPv6 to handle >> assigning prefixes to end users. >> >> We have a requirement for it to be a redundant server that is >> centrally located. DHCPv6 will be relayed from each customer access >> segment. >> >> We have been looking at using ISC dhcpd, as that is what we use for >> v4. However, it currently does not support any redundancy. It also >> does not do very much useful logging for DHCPv6 requests. Certainly >> not enough to keep track of users and devices. >> >> So, my questions are: >> >> >> How are you doing DHCPv6 with Prefix Delegation? 
>>
>> What software are you using?
>>
>>
>> When DHCPv6 with Prefix Delegation seems to be about the only way to
>> deploy IPv6 to end users in a generic device-agnostic fashion, I am
>> wondering why it is so difficult to find a working solution.
>>
>> thanks,
>> -Randy
>>
>> --
>> | Randy Carpenter
>> | Vice President - IT Services
>> | Red Hat Certified Engineer
>> | First Network Group, Inc.
>> | (800)578-6381, Opt. 1
>> ----
>>
>>
>>

From John_Brzozowski at Cable.Comcast.com Tue Jan 17 18:31:25 2012
From: John_Brzozowski at Cable.Comcast.com (Brzozowski, John)
Date: Wed, 18 Jan 2012 00:31:25 +0000
Subject: How are you doing DHCPv6 ?
In-Reply-To: <20120117233701.GA13633@srv03.cluenet.de>
Message-ID:

On 1/17/12 6:37 PM, "Daniel Roesen" wrote:

>On Tue, Jan 17, 2012 at 06:19:28PM -0500, Randy Carpenter wrote:
>> > You might want to give this a read:
>> >
>> > http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt
>>
>> That doesn't really help us if we want to deploy before that draft
>> becomes a standard.
>
>Well, it more or less just presents options (workarounds for missing
>proper HA sync).

[jjmb] correct. FWIW the IETF dhcwg is currently working on DHCPv6 failover/redundancy. See here for the requirements:

http://tools.ietf.org/html/draft-mrugalski-dhc-dhcpv6-failover-requirements-00

>
>> Are there any DHCPv6 servers currently that actually function in a
>> fashion that is suitable for service providers?
>
>Without specifying your requirements, that's hard to say. If you're
>looking for fully state-sync'ed DHCPv6 server HA, I'm not aware of any.

[jjmb] same here, I expect a specification would be required first.

>
>Cisco unfortunately pushed that another year into the future for CNR, so
>we're resorting for now to the "Split Prefixes" model described in the
>abovementioned draft, effectively halving our DHCPv6-PD pools and thus
>exacerbating the negative effects of RIPE's overly conservative
>policy (HD-Ratio 0.94) on IPv6 by effectively stealing one bit (half
>the address space) just for redundancy. :-(

[jjmb] we have to do what we have to do; the good news is that migration to a proper failover model should be straightforward.

>
>Best regards,
>Daniel
>
>--
>CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0
>

From rcarpen at network1.net Tue Jan 17 19:01:50 2012
From: rcarpen at network1.net (Randy Carpenter)
Date: Tue, 17 Jan 2012 20:01:50 -0500 (EST)
Subject: How are you doing DHCPv6 ?
In-Reply-To:
Message-ID: <149d723c-2418-443a-9b9f-c0ca3b033ae0@zimbra.network1.net>

----- Original Message -----
>
> On 1/17/12 6:37 PM, "Daniel Roesen" wrote:
>
> >On Tue, Jan 17, 2012 at 06:19:28PM -0500, Randy Carpenter wrote:
> >> > You might want to give this a read:
> >> >
> >> > http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt
> >>
> >> That doesn't really help us if we want to deploy before that draft
> >> becomes a standard.
> >
> >Well, it more or less just presents options (workarounds for missing
> >proper HA sync).
> [jjmb] correct. FWIW the IETF dhcwg is currently working on DHCPv6
> failover/redundancy. See here for the requirements:
>
> http://tools.ietf.org/html/draft-mrugalski-dhc-dhcpv6-failover-requirements-00

I already had the two documents up and got them mixed up when I was reading through them. I'll have to go over the link from John in detail, and see if it gives us some ways to work around the limitations in our situation.
thanks, -Randy From derek at derekivey.com Tue Jan 17 19:02:22 2012 From: derek at derekivey.com (Derek Ivey) Date: Tue, 17 Jan 2012 20:02:22 -0500 Subject: World IPv6 Launch Day - June 6, 2012 Message-ID: <4F161A1E.7040903@derekivey.com> Just saw this new site: http://www.worldipv6launch.org/ Many large companies and ISPs are planning to finally go live with IPv6 by June 6, 2012. I don't see Verizon (my ISP) on the list though :(. I'm glad to see companies moving forward with IPv6! Derek From sethm at rollernet.us Tue Jan 17 19:17:45 2012 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 17 Jan 2012 17:17:45 -0800 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: <4F161A1E.7040903@derekivey.com> References: <4F161A1E.7040903@derekivey.com> Message-ID: <4F161DB9.7000806@rollernet.us> On 1/17/12 5:02 PM, Derek Ivey wrote: > Just saw this new site: http://www.worldipv6launch.org/ > > Many large companies and ISPs are planning to finally go live with IPv6 > by June 6, 2012. > > I don't see Verizon (my ISP) on the list though :(. I'm glad to see > companies moving forward with IPv6! > I kind of feel left out with all the fanfare now, having launched IPv6 many years ago. ~Seth From robertg at garlic.com Tue Jan 17 19:26:11 2012 From: robertg at garlic.com (Robert Glover) Date: Tue, 17 Jan 2012 17:26:11 -0800 Subject: Postini / Google admin needed Message-ID: <4F161FB3.3090505@garlic.com> I apologize for the noise. We are not getting anywhere regarding issues with Postini through the normal support channels. Can someone from Postini please contact me off-list? 
Sincerely,
Bobby Glover
Director of Information Services
SVI Incorporated

From xenophage at godshell.com Tue Jan 17 20:24:18 2012
From: xenophage at godshell.com (Jason 'XenoPhage' Frisvold)
Date: Tue, 17 Jan 2012 21:24:18 -0500
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To: <4F161DB9.7000806@rollernet.us>
References: <4F161A1E.7040903@derekivey.com> <4F161DB9.7000806@rollernet.us>
Message-ID: <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com>

On Jan 17, 2012, at 8:17 PM, Seth Mattinen wrote:
> I kind of feel left out with all the fanfare now, having launched IPv6
> many years ago.

You can always do the Grand Re-Opening thing.. :P

> ~Seth

---------------------------
Jason 'XenoPhage' Frisvold
xenophage at godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

From Valdis.Kletnieks at vt.edu Tue Jan 17 20:28:45 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 17 Jan 2012 21:28:45 -0500
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To: Your message of "Tue, 17 Jan 2012 21:24:18 EST." <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com>
References: <4F161A1E.7040903@derekivey.com> <4F161DB9.7000806@rollernet.us> <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com>
Message-ID: <36160.1326853725@turing-police.cc.vt.edu>

On Tue, 17 Jan 2012 21:24:18 EST, "Jason 'XenoPhage' Frisvold" said:
> On Jan 17, 2012, at 8:17 PM, Seth Mattinen wrote:
> > I kind of feel left out with all the fanfare now, having launched IPv6
> > many years ago.
>
> You can always do the Grand Re-Opening thing.. :P

Can we have a "What took you guys so long?" banner? :)

From ops.lists at gmail.com Tue Jan 17 22:16:35 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 18 Jan 2012 09:46:35 +0530
Subject: Slighty OT: GoDaddy and SPF records...
In-Reply-To: <4F15DA0F.6010508@deaddrop.org>
References: <4F15DA0F.6010508@deaddrop.org>
Message-ID:

I fully agree. http://www.circleid.com/posts/spf_loses_mindshare/ dates back to 2005.

On Wed, Jan 18, 2012 at 1:59 AM, Lynda wrote:
> Let me quickly reiterate what Anurag Bhatia has already told you. TXT
> records are what you need. I went through a LOT of completely unnecessary
> suffering, and discovered that while you CAN create an SPF record, what you
> really need is a TXT record that performs this service.
>
> Save yourself some suffering, and don't even bother with the SPF record
> (this is for those of you who are just now considering making such a thing).
> GoDaddy (for once) has saved you some sadness, here.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From owen at delong.com Tue Jan 17 22:17:40 2012
From: owen at delong.com (Owen DeLong)
Date: Tue, 17 Jan 2012 20:17:40 -0800
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To: <4F161A1E.7040903@derekivey.com>
References: <4F161A1E.7040903@derekivey.com>
Message-ID:

Another very sad thing about it:

delong-dhcp202:owen (9) ~ % host www.worldipv6launch.org 2012/01/16 21:24:21
www.worldipv6launch.org is an alias for www.worldipv6launch.org.edgesuite.net.
www.worldipv6launch.org.edgesuite.net is an alias for a1448.b.akamai.net.
a1448.b.akamai.net has address 72.246.53.104
a1448.b.akamai.net has address 72.246.53.8

I don't seem to be able to get to the site on IPv6.

Owen

On Jan 17, 2012, at 5:02 PM, Derek Ivey wrote:
> Just saw this new site: http://www.worldipv6launch.org/
>
> Many large companies and ISPs are planning to finally go live with IPv6 by June 6, 2012.
>
> I don't see Verizon (my ISP) on the list though :(. I'm glad to see companies moving forward with IPv6!
>
> Derek

From ops.lists at gmail.com Tue Jan 17 22:22:19 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 18 Jan 2012 09:52:19 +0530
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
In-Reply-To: <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu>
References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu>
Message-ID:

Well - for starters, if you get a prefix that was announced by ASN xxxx from [timestamp] to [timestamp], went to ASN yyyy on [timestamp] etc. Quite useful if you want to tie this into route leak, prefix hijack, malicious ASN etc tracking tools.

--srs

On Wed, Jan 18, 2012 at 3:22 AM, Manish Karir wrote:
>
> Hi Arturo,
>
> We could easily archive older copies of the database when we update the data, but I think our issue right now
> is that we dont fully understand how to add the notion of time to the user interface and we dont understand how
> folks might want to use it. Do you have a simple use case description of an example which might help us
> figure out how the notion of time can help answer a question? What would be an example of a query
> that uses time?
>
> Thanks.
> -manish
>
>
> On Jan 16, 2012, at 12:53 PM, Arturo Servin wrote:
>
>> Manish,
>>
>> Nice tool.
>>
>> Is it possible to see the "history" of a prefix?
>>
>>
>> Regards,
>> .as
>>
>>
>>
>> On 13 Jan 2012, at 18:19, Manish Karir wrote:
>>
>>>
>>> All,
>>>
>>> We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu
>>> bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables
>>> essentially processes the data collected at routeviews and makes it available in a somewhat easier
>>> to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the
>>> vantage point of the various bgp table views as seen at routeviews.
>>> The data is currently updated nightly (EST) but we hope to improve this over time.
>>> Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables.
>>>
>>> Some examples:
>>> - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN
>>>
>>> - You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix.
>>>
>>> - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in.
>>>
>>> - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you can then select the particular ASN that is of interest to you.
>>>
>>>
>>> Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful.
>>>
>>> Thanks.
>>> -The Merit Network Research and Development Team
>>>
>>
>
>

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From dave.nanog at alfordmedia.com Tue Jan 17 22:23:54 2012
From: dave.nanog at alfordmedia.com (Dave Pooser)
Date: Tue, 17 Jan 2012 22:23:54 -0600
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To:
Message-ID:

On 1/17/12 10:17 PM, "Owen DeLong" wrote:

>I don't seem to be able to get to the site on IPv6.

Well not before June 6, duh! You don't open Christmas presents in August either! :^)

--
Dave Pooser
Manager of Information Services
Alford Media  http://www.alfordmedia.com

From shuque at isc.upenn.edu Tue Jan 17 22:38:05 2012
From: shuque at isc.upenn.edu (Shumon Huque)
Date: Tue, 17 Jan 2012 23:38:05 -0500
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To:
References: <4F161A1E.7040903@derekivey.com>
Message-ID: <20120118043805.GA5455@isc.upenn.edu>

On Tue, Jan 17, 2012 at 08:17:40PM -0800, Owen DeLong wrote:
> Another very sad thing about it:
>
> delong-dhcp202:owen (9) ~ % host www.worldipv6launch.org 2012/01/16 21:24:21
> www.worldipv6launch.org is an alias for www.worldipv6launch.org.edgesuite.net.
> www.worldipv6launch.org.edgesuite.net is an alias for a1448.b.akamai.net.
> a1448.b.akamai.net has address 72.246.53.104
> a1448.b.akamai.net has address 72.246.53.8
>
>
> I don't seem to be able to get to the site on IPv6.
>
> Owen

I heard that it initially had AAAA records. After the site couldn't keep up with the initial load, it was migrated to Akamai's CDN (the DNS records you see now are those), and Akamai doesn't yet offer IPv6 in production, so no IPv6.
Akamai does have a trial IPv6 program though - we host IPv6 capable Akamai nodes on our campus for example, and a non-production version of our university website is using it - so ISOC could try seeing if they could be hosted on that infrastructure.

--
Shumon Huque
University of Pennsylvania.

From lists at 1337.mx Tue Jan 17 23:04:54 2012
From: lists at 1337.mx (toor)
Date: Wed, 18 Jan 2012 13:04:54 +0800
Subject: DNS Attacks
Message-ID:

Hi list,

I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am completely guessing these are possibly DNS amplification attacks but I am not sure. Usually what I see is this:

- Attacks most commonly between the hours of 4AM-4PM UTC
- DNS queries appear to be for real domains that the DNS servers in question are authoritative for (I can't really see any pattern there, there are about 150,000 zones on the servers in question)
- From a range of IP's there will be an attack for approximately 5-10 minutes before stopping and then a break of 30 minutes or so before another attack from a different IP range
- Every IP range has been from China

I have limited the number of queries that can be done to mitigate this but it's messing up my pretty netflow graphs due to the spikes in flows/packets being sent.

Does anyone have any ideas what the reasoning behind this could be? I would also be interested to hear from anyone else experiencing this too.

I can provide IP ranges from where I am seeing the issue but it does vary a lot between the attacks with the only pattern every time being the source address is located in China. I read a thread earlier, http://seclists.org/nanog/2011/Nov/920, which sounds like the exact thing I am seeing.

Thanks

From marka at isc.org Tue Jan 17 23:15:19 2012
From: marka at isc.org (Mark Andrews)
Date: Wed, 18 Jan 2012 16:15:19 +1100
Subject: DNS Attacks
In-Reply-To: Your message of "Wed, 18 Jan 2012 13:04:54 +0800."
References:
Message-ID: <20120118051519.7D6241B8BF06@drugs.dv.isc.org>

In message , toor writes:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritative for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)
> - From a range of IP's there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range
> - Every IP range has been from China
>
> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.
>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>
> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>
> Thanks

Most of the time you will be being used as an amplifier and the source traffic is spoofed. The short periods are so that it is harder to trace the compromised machines.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

From morrowc.lists at gmail.com Tue Jan 17 23:34:19 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 18 Jan 2012 00:34:19 -0500
Subject: DNS Attacks
In-Reply-To:
References:
Message-ID:

On Wed, Jan 18, 2012 at 12:04 AM, toor wrote:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a

china is a big country....

> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritative for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)

yup

> - From a range of IP's there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range

marka noted that the source is really the thing being attacked, that seems to be the case in the incidents I've seen (and which I've seen other folks also make note of, over the last ~2-3 months)

> - Every IP range has been from China
>

yup, probably over .cn peer links? if you have them...

> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.

yea... you can't really limit queries, unless you can react in almost real-time to drop the queries on the floor before your servers see them :( or capacity-plan for the spikes, which is... rough.

>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
> lots of folks are chattering privately about this, it's something in china attacking chinese users.The BW and PPS rates involved are likely quite high... > I can provide IP ranges from where I am seeing the issue but it does > vary a lot between the attacks with the only pattern every time being > the source address is located in China. I read a thread earlier, > http://seclists.org/nanog/2011/Nov/920, which sounds like the exact > thing I am seeing. > it probably is... if you run decently large auth complexes with lots of domains, welcome to the party. -chris > Thanks > From tcannon at c2company.com Tue Jan 17 23:40:39 2012 From: tcannon at c2company.com (Thomas Cannon) Date: Wed, 18 Jan 2012 05:40:39 +0000 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com> References: <4F161A1E.7040903@derekivey.com> <4F161DB9.7000806@rollernet.us> <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com> Message-ID: "Under new mismanagement!" :) -t > > You can always do the Grand Re-Opening thing.. :P > >> ~Seth > > --------------------------- > Jason 'XenoPhage' Frisvold > xenophage at godshell.com > --------------------------- > "Any sufficiently advanced magic is indistinguishable from technology." > - Niven's Inverse of Clarke's Third Law > > > From tcannon at c2company.com Tue Jan 17 23:53:26 2012 From: tcannon at c2company.com (Thomas Cannon) Date: Wed, 18 Jan 2012 05:53:26 +0000 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com> References: <4F161A1E.7040903@derekivey.com> <4F161DB9.7000806@rollernet.us> <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com> Message-ID: "Under new mismanagement!" :) -t > > You can always do the Grand Re-Opening thing.. :P > >> ~Seth > > --------------------------- > Jason 'XenoPhage' Frisvold > xenophage at godshell.com > --------------------------- > "Any sufficiently advanced magic is indistinguishable from technology." 
> - Niven's Inverse of Clarke's Third Law > > > From dr at cluenet.de Wed Jan 18 00:14:59 2012 From: dr at cluenet.de (Daniel Roesen) Date: Wed, 18 Jan 2012 07:14:59 +0100 Subject: How are you doing DHCPv6 ? In-Reply-To: References: <20120117233701.GA13633@srv03.cluenet.de> Message-ID: <20120118061459.GA27784@srv03.cluenet.de> On Wed, Jan 18, 2012 at 12:31:25AM +0000, Brzozowski, John wrote: > >> Are there any DHCPv6 servers currently that actually function in a > >> fashion that is suitable for service providers? > > > >Without specifying your requirements, that's hard to say. If you're > >looking for fully state-sync'ed DHCPv6 server HA, I'm not aware of any. > [jjmb] same here, I expect a specification would be required first. Well, there's nothing preventing vendors to implement proprietary state synchronization schemes like they did for DHCPv4 too. I think that "we need to wait for the standard" is just a mere excuse. Revamping CI of the user interface is a much higher priority these days. :) Best regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From leigh.porter at ukbroadband.com Wed Jan 18 01:45:22 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Wed, 18 Jan 2012 07:45:22 +0000 Subject: DNS Attacks In-Reply-To: References: Message-ID: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com> On 18 Jan 2012, at 05:06, "toor" wrote: > Hi list, > > I am wondering if anyone else has seen a large amount of DNS queries > coming from various IP ranges in China. I have been trying to find a > pattern in the attacks but so far I have come up blank. I am completly > guessing these are possibly DNS amplification attacks but I am not > sure. Usually what I see is this: > At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..). 
It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port. -- Leigh Porter ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________ From rdobbins at arbor.net Wed Jan 18 02:05:36 2012 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 18 Jan 2012 08:05:36 +0000 Subject: DNS Attacks In-Reply-To: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com> References: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com> Message-ID: On Jan 18, 2012, at 2:45 AM, Leigh Porter wrote: > The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..). DNS servers (nor any other kind of server, for that matter) should never be placed behind stateful firewalls - the largest firewall one can build or buy will choke under even moderate DDoS attacks due to state-table exhaustion: ----------------------------------------------------------------------- Roland Dobbins // The basis of optimism is sheer terror. -- Oscar Wilde From joelja at bogus.com Wed Jan 18 02:35:07 2012 From: joelja at bogus.com (Joel jaeggli) Date: Wed, 18 Jan 2012 00:35:07 -0800 Subject: DNS Attacks In-Reply-To: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com> References: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com> Message-ID: <4F16843B.50600@bogus.com> On 1/17/12 23:45 , Leigh Porter wrote: > > > On 18 Jan 2012, at 05:06, "toor" wrote: > >> Hi list, >> >> I am wondering if anyone else has seen a large amount of DNS >> queries coming from various IP ranges in China. 
I have been trying >> to find a pattern in the attacks but so far I have come up blank. I >> am completly guessing these are possibly DNS amplification attacks >> but I am not sure. Usually what I see is this: >> > > At various seemingly random times over the past week I have had a DNS > which is behind a firewall come under attack. The firewall is > significant because the attacks killed the firewall as it is rather > under specified (not my idea..). Given the the pps rate and the cps rate of DNS requests are rather similar one expects the value of inspecting unsolicited queries to your nameserver to be rather low. > It did originate from Chinese address space and consisted of DNS > queries for lots of hosts. There was also a port-scan in the traffic > and a SYN attack on a few hosts on the same small subnet as the DNS, > a web server and an open SSH port. > From dennis at justipit.com Wed Jan 18 06:53:23 2012 From: dennis at justipit.com (Dennis) Date: Wed, 18 Jan 2012 07:53:23 -0500 Subject: DNS Attacks Message-ID: I agree with Roland on the firewall placement. I add that the attack would have likely succeeded to exhaust the servers. There is alot of recent ddos activity on DNS with what looks like legitimate queries. You should also look at some DOS/ application level protections; Radware and Arbor top the list. Leigh Porter wrote: > > >On 18 Jan 2012, at 05:06, "toor" wrote: > >> Hi list, >> >> I am wondering if anyone else has seen a large amount of DNS queries >> coming from various IP ranges in China. I have been trying to find a >> pattern in the attacks but so far I have come up blank. I am completly >> guessing these are possibly DNS amplification attacks but I am not >> sure. Usually what I see is this: >> > >At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..). 
>
> It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.
>
> --
> Leigh Porter
>

From virendra.rode at gmail.com Wed Jan 18 07:57:42 2012
From: virendra.rode at gmail.com (virendra rode)
Date: Wed, 18 Jan 2012 05:57:42 -0800
Subject: DNS Attacks
In-Reply-To:
References:
Message-ID: <4F16CFD6.9080106@gmail.com>

Hi -

We've been victims of these attacks many a time, and more recently towards our customer dns servers, which was rated at ~ 4gbps for a duration of 30mins. Tracking the source of an attack is simplified when the source is more likely to be "valid". The nature of these attacks for us was a combination of amplification and spoofed; however, implementing anti-spoofing (uRPF), especially bcp38, is a good idea. Not saying it's a fix, but certainly the attack methodology will significantly lessen.

As Matt Katz put it rightly so, "Distributed denial of service can only be solved with distributed delivery of service".

regards,
/virendra

On 01/17/2012 09:04 PM, toor wrote:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am completely guessing these are possibly DNS amplification attacks but I am not sure.
> Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in question are authoritative for (I can't really see any pattern there, there are about 150,000 zones on the servers in question)
> - From a range of IPs there will be an attack for approximately 5-10 minutes before stopping and then a break of 30 minutes or so before another attack from a different IP range
> - Every IP range has been from China
>
> I have limited the number of queries that can be done to mitigate this but it's messing up my pretty netflow graphs due to the spikes in flows/packets being sent.
>
> Does anyone have any ideas what the reasoning behind this could be? I would also be interested to hear from anyone else experiencing this too.
>
> I can provide IP ranges from where I am seeing the issue but it does vary a lot between the attacks with the only pattern every time being the source address is located in China. I read a thread earlier, http://seclists.org/nanog/2011/Nov/920, which sounds like the exact thing I am seeing.
>
> Thanks
>

From deric.kwok2000 at gmail.com Wed Jan 18 07:58:09 2012
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Wed, 18 Jan 2012 08:58:09 -0500
Subject: bgp question
In-Reply-To:
References:
Message-ID:

Hi Justin

Thank you

Could you tell me more about "routing registries"? I would like to learn it.

2nd question: Are you familiar with quagga? Is it supporting equal multipath in different bgp connections?

Thank you so much

On Tue, Jan 10, 2012 at 7:58 PM, Justin M.
Streiner wrote:
> On Tue, 10 Jan 2012, Deric Kwok wrote:
>
>> When we get new IP space, we should let the upstream know to export it as there should be a rule on their side.
>
> Correct. Ideally, two things happen:
> 1. You tell your upstreams and peers about the new space, and they update whatever prefix filters they have in place for your network.
> 2. You update your own outbound BGP filters wherever necessary so that you can announce the new prefix, aggregated to the extent possible, when you're ready.
>
>> how about upstream provider, do they need to let all their bgp interconnects know about our new IP space?
>
> They might. It depends on the relationship your upstreams have with their neighbors. Different providers have different criteria for what they'll accept and how they manage their filters.
>
> If your upstreams need to have their upstreams and/or peers update their BGP filters, it is their responsibility to notify them. Note that this can add to the amount of time it will take before your direct upstreams are ready to accept and propagate your new prefix.
>
> Some providers might require that your new prefix be registered in one of several routing registries, and they'll update their filters based on your new registry data.
>
> jms
>

From drew.weaver at thenap.com Wed Jan 18 08:01:08 2012
From: drew.weaver at thenap.com (Drew Weaver)
Date: Wed, 18 Jan 2012 09:01:08 -0500
Subject: DNS Attacks
In-Reply-To: <4F16CFD6.9080106@gmail.com>
References: <4F16CFD6.9080106@gmail.com>
Message-ID:

We ran into a 25Gbps SNMP 'reply/amplification attack' from a cable modem network about a month ago. Hopefully the particular network has fixed that issue now, but it was a banner day to be sure.
Thanks,
-Drew

-----Original Message-----
From: virendra rode [mailto:virendra.rode at gmail.com]
Sent: Wednesday, January 18, 2012 8:58 AM
To: nanog at nanog.org
Subject: Re: DNS Attacks

From leigh.porter at ukbroadband.com Wed Jan 18 08:18:32 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Wed, 18 Jan 2012 14:18:32 +0000
Subject: DNS Attacks
In-Reply-To:
References:
Message-ID:

Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)

--
Leigh Porter

> -----Original Message-----
> From: Dennis [mailto:dennis at justipit.com]
> Sent: 18 January 2012 12:55
> To: Leigh Porter; toor
> Cc: nanog at nanog.org
> Subject: Re: DNS Attacks
>
> I agree with Roland on the firewall placement. I add that the attack would have likely succeeded to exhaust the servers. There is a lot of recent ddos activity on DNS with what looks like legitimate queries. You should also look at some DOS/application level protections; Radware and Arbor top the list.
>
>
> Leigh Porter wrote:
> >
> >
> >On 18 Jan 2012, at 05:06, "toor" wrote:
> >
> >> Hi list,
> >>
> >> I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am completely guessing these are possibly DNS amplification attacks but I am not sure.
> >> Usually what I see is this:
> >>
> >
> >At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..).
> >
> >It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.
> >
> >--
> >Leigh Porter
> >

From arturo.servin at gmail.com Wed Jan 18 08:22:46 2012
From: arturo.servin at gmail.com (Arturo Servin)
Date: Wed, 18 Jan 2012 12:22:46 -0200
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
In-Reply-To: <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu>
References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu>
Message-ID: <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com>

For example for any given prefix to get which ASNs have originated that prefix over time and when.
I think that could be interesting for discovering if a prefix has been hijacked in the past.

RIS from RIPE NCC provides something like this:

http://www.ripe.net/data-tools/stats/ris/routing-information-service

We have used it to verify some "suspicious" announcements of prefixes.

Regards,
as

On 17 Jan 2012, at 19:52, Manish Karir wrote:

>
> Hi Arturo,
>
> We could easily archive older copies of the database when we update the data, but I think our issue right now is that we don't fully understand how to add the notion of time to the user interface and we don't understand how folks might want to use it. Do you have a simple use case description of an example which might help us figure out how the notion of time can help answer a question? What would be an example of a query that uses time?
>
> Thanks.
> -manish
>
>
> On Jan 16, 2012, at 12:53 PM, Arturo Servin wrote:
>
>> Manish,
>>
>> Nice tool.
>>
>> Is it possible to see the "history" of a prefix?
>>
>>
>> Regards,
>> .as
>>
>>
>>
>> On 13 Jan 2012, at 18:19, Manish Karir wrote:
>>
>>>
>>> All,
>>>
>>> We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu
>>> bgpTables allows users to easily navigate global routing table data collected via routeviews.org. bgptables essentially processes the data collected at routeviews and makes it available in a somewhat easier to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the vantage point of the various bgp table views as seen at routeviews.
>>> The data is currently updated nightly (EST) but we hope to improve this over time.
>>> Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables.
>>>
>>> Some examples:
>>> - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box.
>>> For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN.
>>>
>>> - You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix.
>>>
>>> - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in.
>>>
>>> - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you can then select the particular ASN that is of interest to you.
>>>
>>>
>>> Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful.
>>>
>>> Thanks.
>>> -The Merit Network Research and Development Team
>>>
>>
>

From robert at ripe.net Wed Jan 18 08:37:11 2012
From: robert at ripe.net (Robert Kisteleki)
Date: Wed, 18 Jan 2012 15:37:11 +0100
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
In-Reply-To: <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com>
References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com>
Message-ID: <4F16D917.2060408@ripe.net>

On 2012.01.18. 15:22, Arturo Servin wrote:
>
> For example for any given prefix to get which ASNs have originated that prefix over time and when.
>
> I think that could be interesting for discovering if a prefix has been hijacked in the past.
>
> RIS from RIPE NCC provides something like this:
>
> http://www.ripe.net/data-tools/stats/ris/routing-information-service
>
> We have used it to verify some "suspicious" announcements of prefixes.
>
> Regards,
> as

One can also try RIPEstat for this: http://stat.ripe.net/

Amongst other modules it gives full (~10 year) BGP history for prefixes.

(Disclaimer: our team is working on this tool.)

Robert

From nick at foobar.org Wed Jan 18 09:05:06 2012
From: nick at foobar.org (Nick Hilliard)
Date: Wed, 18 Jan 2012 15:05:06 +0000
Subject: DNS Attacks
In-Reply-To:
References:
Message-ID: <4F16DFA2.8030208@foobar.org>

On 18/01/2012 14:18, Leigh Porter wrote:
> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)

As you're posting here, it looks like it's become your problem. :-D

Seriously, though, there is no value to maintaining state for DNS queries. You would be much better off to put your firewall production interfaces on a routed port on a hardware router so that you can implement ASIC packet filtering.
This will operate at wire speed without dumping you into the colloquial poo every time someone decides to take out your critical infrastructure.

Nick

From morrowc.lists at gmail.com Wed Jan 18 09:41:30 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 18 Jan 2012 10:41:30 -0500
Subject: DNS Attacks
In-Reply-To: <4F16DFA2.8030208@foobar.org>
References: <4F16DFA2.8030208@foobar.org>
Message-ID:

On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard wrote:
> On 18/01/2012 14:18, Leigh Porter wrote:
>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)
>
> As you're posting here, it looks like it's become your problem. :-D
>
> Seriously, though, there is no value to maintaining state for DNS queries. You would be much better off to put your firewall production interfaces on a routed port on a hardware router so that you can implement ASIC packet filtering. This will operate at wire speed without dumping you into the colloquial poo every time someone decides to take out your critical infrastructure.

I get the feeling that leigh had implemented this against his own advice for a client... that he's onboard with the 'putting a firewall in front of a dns server is dumb' meme...

From smb at cs.columbia.edu Wed Jan 18 10:34:19 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Wed, 18 Jan 2012 11:34:19 -0500
Subject: DNS Attacks
In-Reply-To:
References: <4F16DFA2.8030208@foobar.org>
Message-ID: <0C0D0264-E925-4CE0-8F6A-5BE4DE70F543@cs.columbia.edu>

On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:

> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard wrote:
>> On 18/01/2012 14:18, Leigh Porter wrote:
>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)
>>
>> As you're posting here, it looks like it's become your problem.
>> :-D
>>
>> Seriously, though, there is no value to maintaining state for DNS queries. You would be much better off to put your firewall production interfaces on a routed port on a hardware router so that you can implement ASIC packet filtering. This will operate at wire speed without dumping you into the colloquial poo every time someone decides to take out your critical infrastructure.
>
> I get the feeling that leigh had implemented this against his own advice for a client... that he's onboard with the 'putting a firewall in front of a dns server is dumb' meme...

In principle, this is certainly correct (and I've often said the same thing about web servers); in practice, though, a lot depends on the specs. For example: can the firewall discard useless requests more quickly? Does it do a better job of discarding malformed packets? Is the vendor better about supplying patches to new vulnerabilities? Can it do a better job filtering on source IP address? Does it do load-balancing? Are there other services on the same server IP address that do require stateful filtering?

As I said, most of the time a dedicated DNS appliance doesn't benefit from firewall protection. Occasionally, though, it might.

                --Steve Bellovin, https://www.cs.columbia.edu/~smb

From morrowc.lists at gmail.com Wed Jan 18 10:42:42 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 18 Jan 2012 11:42:42 -0500
Subject: DNS Attacks
In-Reply-To: <0C0D0264-E925-4CE0-8F6A-5BE4DE70F543@cs.columbia.edu>
References: <4F16DFA2.8030208@foobar.org> <0C0D0264-E925-4CE0-8F6A-5BE4DE70F543@cs.columbia.edu>
Message-ID:

On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin wrote:
>
> On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:
>
>> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard wrote:
>>> On 18/01/2012 14:18, Leigh Porter wrote:
>>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls.
>>>> As long as it is not *my* firewalls I really don't care what they do ;-)
>>>
>>> As you're posting here, it looks like it's become your problem. :-D
>>>
>>> Seriously, though, there is no value to maintaining state for DNS queries. You would be much better off to put your firewall production interfaces on a routed port on a hardware router so that you can implement ASIC packet filtering. This will operate at wire speed without dumping you into the colloquial poo every time someone decides to take out your critical infrastructure.
>>
>> I get the feeling that leigh had implemented this against his own advice for a client... that he's onboard with the 'putting a firewall in front of a dns server is dumb' meme...
>
> In principle, this is certainly correct (and I've often said the same thing about web servers); in practice, though, a lot depends on the specs. For example: can the firewall discard useless requests more quickly? Does it do a better job of discarding malformed packets? Is the vendor better about supplying patches to new vulnerabilities? Can it do a better job filtering on source IP address? Does it do load-balancing? Are there other services on the same server IP address that do require stateful filtering?

yup... I think roland and nick (he can correct me, roland I KNOW is saying this) are basically saying:

permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that.

> As I said, most of the time a dedicated DNS appliance doesn't benefit from firewall protection. Occasionally, though, it might.

I suspect the cases where it MAY benefit are the 'lower packet rate, ping-o-death-type' attacks only though.
Essentially 'use a proxy to remove unknown cruft' as a frontend to your more complex dns/web answering system, eh?

under load though, high pps rate attacks/instances (victoria secret fashion-show sorts of things) your firewall/proxy is likely to die before the backend does ;(

-chris

>
>                --Steve Bellovin, https://www.cs.columbia.edu/~smb
>
>
>
>
>

From morrowc.lists at gmail.com Wed Jan 18 10:46:24 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 18 Jan 2012 11:46:24 -0500
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To: <20120118043805.GA5455@isc.upenn.edu>
References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu>
Message-ID:

On Tue, Jan 17, 2012 at 11:38 PM, Shumon Huque wrote:
> On Tue, Jan 17, 2012 at 08:17:40PM -0800, Owen DeLong wrote:
>> Another very sad thing about it:
>>
>> delong-dhcp202:owen (9) ~ % host www.worldipv6launch.org                  2012/01/16 21:24:21
>> www.worldipv6launch.org is an alias for www.worldipv6launch.org.edgesuite.net.
>> www.worldipv6launch.org.edgesuite.net is an alias for a1448.b.akamai.net.
>> a1448.b.akamai.net has address 72.246.53.104
>> a1448.b.akamai.net has address 72.246.53.8
>>
>>
>> I don't seem to be able to get to the site on IPv6.
>>
>> Owen
>
> I heard that it initially had AAAA records. After the site couldn't keep up with the initial load, it was migrated to Akamai's CDN (the DNS records you see now are those), and Akamai doesn't yet offer IPv6 in production, so no IPv6.

there are places in this world with working v6 at scale.... the folk involved COULD use them.
(I thought, actually, that akamai's v6 offering was actually production, just not wide-spread?)

> Akamai does have a trial IPv6 program though - we host IPv6 capable Akamai nodes on our campus for example, and a non production version of our university website is using it - so ISOC could try seeing if they could be hosted on that infrastructure.
My question is when is FiOS going to get v6 natively? could we get the engineers there to actually do something as opposed to trials of non-production systems that'll never actually get deployed? :)

-chris

>
> --
> Shumon Huque
> University of Pennsylvania.
>

From chip.gwyn at gmail.com Wed Jan 18 10:48:02 2012
From: chip.gwyn at gmail.com (chip)
Date: Wed, 18 Jan 2012 11:48:02 -0500
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID:

Like many others on here, I utilize rancid's set of scripts to handle all the different platforms' quirks for access. I then wrap that inside a perl script that can do things in parallel. I'm no developer by any stretch of the imagination but I can poke around in perl badly enough to write some tools. One perl module I've come across is Parallel::Fork::BossWorkerAsync. Using this module makes it incredibly easy to run many instances in parallel while each instance is just a bit different, and then to gather data back from each session. Using some form of parallelization can significantly decrease the amount of time things take. I hope you find it as useful as I have.

http://search.cpan.org/~jvannucci/Parallel-Fork-BossWorkerAsync-0.06/lib/Parallel/Fork/BossWorkerAsync.pm

Good Luck!

--chip

On Sun, Jan 15, 2012 at 12:52 PM, Abdullah Al-Malki wrote:
> Hi fellows,
> I am supporting a big service provider and sometimes I face this problem. Sometimes I want to access my customer network and want to extract some verification output "show commands" from a large number of devices.
>
> What kind of scripting solutions are you guys using in this case?
>
> Appreciate the feedback,
> Abdullah

--
Just my $.02, your mileage may vary, batteries not included, etc....
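As an added example of the approach chip describes (this is not chip's script or rancid's code), the skeleton below uses Parallel::Fork::BossWorkerAsync to fan one rancid-style login per device out to a worker pool, with a per-device timeout so a single hung session cannot stall the whole collection. The device names, the worker count and timeouts, and the use of rancid's clogin with -c to run a single show command are assumptions.

```perl
#!/usr/bin/perl
# Added example, not chip's script or rancid's code: collect one show
# command from many devices in parallel with Parallel::Fork::BossWorkerAsync.
use strict;
use warnings;
use Parallel::Fork::BossWorkerAsync ();

# Constructed device list (assumption); in practice read rancid's router.db.
my @devices = qw(core1.example.net core2.example.net edge1.example.net);

# Assumption: rancid's clogin is on PATH and -c runs one command, then exits.
my $command = 'show version';

my $boss = Parallel::Fork::BossWorkerAsync->new(
    work_handler   => \&fetch_from_device,
    worker_count   => 8,      # concurrent logins (assumed sizing)
    work_timeout   => 90,     # seconds before a single device is given up on
    global_timeout => 600,    # upper bound for the whole run
);

# One job hash per device; the boss hands jobs to idle workers.
$boss->add_work( map { +{ device => $_, command => $command } } @devices );

my ( %output, %failed );
while ( $boss->pending() ) {
    my $result = $boss->get_result();    # blocks until a worker reports back
    if ( $result->{ERROR} ) {
        # The module sets ERROR when the handler died or hit work_timeout.
        $failed{ $result->{device} // 'unknown' } = $result->{ERROR};
    }
    elsif ( $result->{status} != 0 ) {
        $failed{ $result->{device} } =
            "clogin exited with status $result->{status}";
    }
    else {
        $output{ $result->{device} } = $result->{output};
    }
}
$boss->shut_down();

for my $dev ( sort keys %output ) {
    print "===== $dev =====\n$output{$dev}\n";
}
for my $dev ( sort keys %failed ) {
    print STDERR "FAILED $dev: $failed{$dev}\n";
}

# Runs inside a forked worker. The list form of open() passes the device
# name and command as separate arguments, so nothing goes through a shell.
sub fetch_from_device {
    my ($job) = @_;
    open( my $fh, '-|', 'clogin', '-c', $job->{command}, $job->{device} )
        or die "cannot start clogin for $job->{device}: $!\n";
    local $/;                            # slurp the whole session output
    $job->{output} = <$fh>;
    close $fh;
    $job->{status} = $? >> 8;            # clogin's exit status
    return $job;                         # the returned hash is the result
}
```

Failures are reported per device rather than aborting the run, so a collection across hundreds of routers finishes even when a few of them are unreachable.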
From shuque at upenn.edu Wed Jan 18 11:03:55 2012
From: shuque at upenn.edu (Shumon Huque)
Date: Wed, 18 Jan 2012 12:03:55 -0500
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To:
References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu>
Message-ID: <20120118170355.GA1918@isc.upenn.edu>

On Wed, Jan 18, 2012 at 11:46:24AM -0500, Christopher Morrow wrote:
> On Tue, Jan 17, 2012 at 11:38 PM, Shumon Huque wrote:
> >
> > I heard that it initially had AAAA records. After the site couldn't keep up with the initial load, it was migrated to Akamai's CDN (the DNS records you see now are those), and Akamai doesn't yet offer IPv6 in production, so no IPv6.
>
> there are places in this world with working v6 at scale.... the folk involved COULD use them.
> (I thought, actually, that akamai's v6 offering was actually production, just not wide-spread?)

Not sure - our Akamai support people have so far not told us that it's production ready (we ask periodically; maybe we aren't talking to the right people). And thus far, they haven't permitted us to point the www.upenn.edu AAAA record to Akamai. A non production name (ipv6.upenn.edu) mirroring the same content does have a AAAA to Akamai though.

But, checking www.worldipv6launch.org just now shows that it has IPv6 records now:

;; QUESTION SECTION:
;www.worldipv6launch.org.                IN      AAAA

;; ANSWER SECTION:
www.worldipv6launch.org.                297     IN      CNAME   www.worldipv6launch.org.edgesuite.net.
www.worldipv6launch.org.edgesuite.net.  6167    IN      CNAME   a1448.dscb.akamai.net.
a1448.dscb.akamai.net.                  20      IN      AAAA    2001:590:1:400::451f:4859
a1448.dscb.akamai.net.                  20      IN      AAAA    2001:590:1:400::451f:4868

--
Shumon Huque
University of Pennsylvania.
From owen at delong.com Wed Jan 18 11:04:20 2012
From: owen at delong.com (Owen DeLong)
Date: Wed, 18 Jan 2012 09:04:20 -0800
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To:
References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu>
Message-ID:

On Jan 18, 2012, at 8:46 AM, Christopher Morrow wrote:

> On Tue, Jan 17, 2012 at 11:38 PM, Shumon Huque wrote:
>> On Tue, Jan 17, 2012 at 08:17:40PM -0800, Owen DeLong wrote:
>>> Another very sad thing about it:
>>>
>>> delong-dhcp202:owen (9) ~ % host www.worldipv6launch.org 2012/01/16 21:24:21
>>> www.worldipv6launch.org is an alias for www.worldipv6launch.org.edgesuite.net.
>>> www.worldipv6launch.org.edgesuite.net is an alias for a1448.b.akamai.net.
>>> a1448.b.akamai.net has address 72.246.53.104
>>> a1448.b.akamai.net has address 72.246.53.8
>>>
>>>
>>> I don't seem to be able to get to the site on IPv6.
>>>
>>> Owen
>>
>> I heard that it initially had AAAA records. After the site couldn't keep up with the initial load, it was migrated to Akamai's CDN (the DNS records you see now are those), and Akamai doesn't yet offer IPv6 in production, so no IPv6.
>
> there are places in this world with working v6 at scale.... the folk involved COULD use them.
> (I thought, actually, that akamai's v6 offering was actually production, just not wide-spread?)
>

In fairness, it is up on IPv6 today. I don't know exactly when that happened, but, kudos to ISOC and Akamai for getting it done fairly quickly.

>> Akamai does have a trial IPv6 program though - we host IPv6 capable Akamai nodes on our campus for example, and a non production version of our university website is using it - so ISOC could try seeing if they could be hosted on that infrastructure.
>
> My question is when is FiOS going to get v6 natively? could we get the engineers there to actually do something as opposed to trials of non-production systems that'll never actually get deployed?
> :)
>

My understanding is that some areas have native IPv6 on FIOS.

Owen

From me at anuragbhatia.com Wed Jan 18 11:12:18 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Wed, 18 Jan 2012 22:42:18 +0530
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To:
References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu>
Message-ID:

Btw did someone notice the DNS setup of the project site is really crazy!

anurag at laptop:~$ ping worldipv6launch.org
ping: unknown host worldipv6launch.org

anurag at laptop:~$ dig worldipv6launch.org ns +short
ns5.he.net.
ns4.he.net.
ns2.he.net.
ns3.he.net.

anurag at laptop:~$ dig worldipv6launch.org soa +short
ns1.he.net. hostmaster.he.net. 2012011801 10800 1800 604800 86400

anurag at laptop:~$ dig worldipv6launch.org a +short

anurag at laptop:~$ dig worldipv6launch.org aaaa +short

anurag at laptop:~$ dig www.worldipv6launch.org +short
www.worldipv6launch.org.edgesuite.net.
a1448.dscb.akamai.net.
58.27.22.162
58.27.22.163

1. No A or AAAA record on main worldipv6launch.org
2. www.worldipv6launch.org has cname to Akamai

--
Anurag Bhatia
anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!

Twitter: @anurag_bhatia

From cb.list6 at gmail.com Wed Jan 18 11:15:22 2012
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Wed, 18 Jan 2012 09:15:22 -0800
Subject: DNS Attacks
In-Reply-To:
References: <4F16DFA2.8030208@foobar.org> <0C0D0264-E925-4CE0-8F6A-5BE4DE70F543@cs.columbia.edu>
Message-ID:

On Jan 18, 2012 8:43 AM, "Christopher Morrow" wrote:
>
> On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin wrote:
> >
> > On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:
> >
> >> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard wrote:
> >>> On 18/01/2012 14:18, Leigh Porter wrote:
> >>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls.
As long > >>>> as it is not *my* firewalls I really don't care what they do ;-) > >>> > >>> As you're posting here, it looks like it's become your problem. :-D > >>> > >>> Seriously, though, there is no value to maintaining state for DNS queries. > >>> You would be much better off to put your firewall production interfaces on > >>> a routed port on a hardware router so that you can implement ASIC packet > >>> filtering. This will operate at wire speed without dumping you into the > >>> colloquial poo every time someone decides to take out your critical > >>> infrastructure. > >> > >> I get the feeling that leigh had implemented this against his own > >> advice for a client... that he's onboard with 'putting a firewall in > >> front of a dns server is dumb' meme... > > > > In principle, this is certainly correct (and I've often said the same thing > > about web servers); in practice, though, a lot depends on the specs. For > > example: can the firewall discard useless requests more quickly? Does it do > > a better job of discarding malformed packets? Is the vendor better about > > supplying patches to new vulnerabilities? Can it do a better job filtering > > on source IP address? Does it do load-balancing? Are there other services > > on the same server IP address that do require stateful filtering? > > > yup... I think roland and nick (he can correct me, roland I KNOW is > saying this) are basically saying: > > permit tcp any any eq 80 > permit tcp any any eq 443 > deny ip any any > > is far, far better than state management in a firewall. Anything more > complex and your firewall fails long before the 7206's > interface/filter will :( Some folks would say you'd be better off > doing some LB/filtering-in-software behind said router interface > filter, I can't argue with that. > > > As I said, most of the time a dedicated DNS appliance doesn't benefit from > > firewall protection. Occasionally, though, it might. 
> > I suspect the cases where it MAY benefit are the 'lower packet rate, > ping-o-death-type' attacks only though. Essentially 'use a proxy to > remove unknown cruft' as a frontend to your more complex dns/web > answering system, eh? > > under load though, high pps rate attacks/instances (victoria secret > fashion-show sorts of things) your firewall/proxy is likely to die > before the backend does ;( > Very refreshing tone of conversation. Normally I hear a chorus of "defense in depth" blah when we should be talking about fundamental host / protocol based robustness.... and matching risks with controls ...not boxes with places on a network map. It leads to: security is like an onion, it makes you cry The ng stateful firewall is no firewall (tm) I like https://www.opengroup.org/jericho/index.htm Cb > -chris > > > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb > > > > > > > > > > > From fred at cisco.com Wed Jan 18 11:27:16 2012 From: fred at cisco.com (Fred Baker) Date: Wed, 18 Jan 2012 09:27:16 -0800 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: <20120118170355.GA1918@isc.upenn.edu> References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> <20120118170355.GA1918@isc.upenn.edu> Message-ID: <4EAEABEB-1F53-4B74-8B4F-28F204DE3D87@cisco.com> On Jan 18, 2012, at 9:03 AM, Shumon Huque wrote: > But, checking www.worldipv6launch.org just now shows that it > have IPv6 records now: I just successfully accessed it using IPv6. The service is real, not just the DNS record. The address I accessed it at was 2600:809:600::3f50:411. 
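The DNS checks in the World IPv6 Launch Day thread above (apex with only NS/SOA, www pointing through two CNAMEs to Akamai) can be reproduced offline. The following is an added example, not code from the thread: the record set is constructed from the dig output quoted above, with a made-up `loop-a.example`/`loop-b.example` pair added to show why a CNAME chaser needs a hop limit.

```python
"""Follow CNAME chains offline and report per-name IPv4/IPv6 reachability.

Added example, not from the NANOG thread. RECORDS is a constructed
snapshot built from the dig output quoted in the thread, plus a
constructed CNAME loop used to exercise the depth guard.
"""

# Constructed zone snapshot keyed by fully qualified name.
RECORDS = {
    "worldipv6launch.org.": {
        "NS": ["ns2.he.net.", "ns3.he.net.", "ns4.he.net.", "ns5.he.net."],
        "SOA": ["ns1.he.net. hostmaster.he.net. 2012011801 10800 1800 604800 86400"],
    },
    "www.worldipv6launch.org.": {
        "CNAME": ["www.worldipv6launch.org.edgesuite.net."],
    },
    "www.worldipv6launch.org.edgesuite.net.": {
        "CNAME": ["a1448.dscb.akamai.net."],
    },
    "a1448.dscb.akamai.net.": {
        "A": ["58.27.22.162", "58.27.22.163"],
        "AAAA": ["2600:140e:1::3cfe:83ca", "2600:140e:1::3cfe:83d1"],
    },
    # Constructed: two names pointing at each other, never resolving.
    "loop-a.example.": {"CNAME": ["loop-b.example."]},
    "loop-b.example.": {"CNAME": ["loop-a.example."]},
}

MAX_CHAIN = 8  # resolvers cap CNAME chasing; 8 hops is a common limit


class CnameLoop(Exception):
    """Raised when a CNAME chain exceeds MAX_CHAIN hops."""


def resolve(name, rrtype, records=RECORDS):
    """Return (chain, answers) for rrtype at name, chasing CNAMEs.

    chain lists every CNAME target visited; answers is the final RRset,
    empty when the terminal name has no record of the requested type.
    """
    chain = []
    current = name
    for _ in range(MAX_CHAIN + 1):
        rrsets = records.get(current, {})
        if rrtype in rrsets:
            return chain, list(rrsets[rrtype])
        if "CNAME" in rrsets:
            target = rrsets["CNAME"][0]
            chain.append(target)
            current = target
            continue
        return chain, []
    raise CnameLoop(f"CNAME chain from {name} exceeded {MAX_CHAIN} hops")


def reachability(name, records=RECORDS):
    """Summarise whether a name ends in A and/or AAAA records."""
    chain, a = resolve(name, "A", records)
    _, aaaa = resolve(name, "AAAA", records)
    return {"name": name, "chain": chain, "v4": bool(a), "v6": bool(aaaa)}


def report(names, records=RECORDS):
    """One line per name: which address families a client can actually use."""
    lines = []
    for n in names:
        r = reachability(n, records)
        fam = "+".join(f for f, ok in (("v4", r["v4"]), ("v6", r["v6"])) if ok) or "none"
        path = " -> ".join(r["chain"]) or "(direct)"
        lines.append(f"{n:45s} {fam:7s} via {path}")
    return lines


if __name__ == "__main__":
    for line in report(["worldipv6launch.org.", "www.worldipv6launch.org."]):
        print(line)
```

Run against a live resolver the same logic would take `dig +short` output instead of the embedded dictionary; the point is that reachability is a property of the end of the alias chain, so an apex with only NS/SOA reports neither family while the www name inherits Akamai's A and AAAA records.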
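The DNS Attacks thread above argues that a three-line stateless ACL (`permit tcp any any eq 80`, `permit tcp any any eq 443`, `deny ip any any`) outlives a stateful firewall under a high-pps flood because the firewall must allocate an entry per new flow. The following added example, not code from the thread, models both designs with constructed packets (RFC 5737 documentation addresses) so the difference can be measured: the ACL is the one quoted by Christopher Morrow, extended here with `udp/53` for an authoritative DNS server, and the table size, flood size and the `StatefulFilter` class are all assumptions of the model.

```python
"""Stateless ACL versus a stateful connection table under a packet flood.

Added example, not from the NANOG thread. Models the quoted ACL plus a
constructed udp/53 rule, and a toy stateful device that creates one
table entry per new permitted flow. All packets are constructed.
"""

# Stateless rules as (proto, dport, action); None matches anything.
# First three entries mirror the thread's ACL; udp/53 is added for DNS.
ACL = [
    ("tcp", 80, "permit"),
    ("tcp", 443, "permit"),
    ("udp", 53, "permit"),
    (None, None, "deny"),
]


def acl_decide(pkt, acl=ACL):
    """First-match evaluation; needs no memory of earlier packets."""
    for proto, dport, action in acl:
        if (proto is None or proto == pkt["proto"]) and \
           (dport is None or dport == pkt["dport"]):
            return action
    return "deny"


class StatefulFilter:
    """Toy stateful device: one table entry per new permitted flow.

    Once the table is full, new flows are refused even though the ACL
    would permit them, which is the failure mode the thread describes.
    """

    def __init__(self, max_entries, acl=ACL):
        self.max_entries = max_entries
        self.acl = acl
        self.table = set()
        self.dropped_new_flows = 0

    def handle(self, pkt):
        if acl_decide(pkt, self.acl) == "deny":
            return "deny"
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dport"])
        if key in self.table:
            return "permit"            # existing flow, matches state
        if len(self.table) >= self.max_entries:
            self.dropped_new_flows += 1
            return "drop-table-full"
        self.table.add(key)
        return "permit"


def make_pkt(src, sport, proto="udp", dport=53):
    return {"src": src, "sport": sport, "proto": proto, "dport": dport}


def simulate(flood_size, table_size):
    """Push a constructed udp/53 flood through both designs, then one
    legitimate new query from a resolver that was not part of the flood.

    Every flood packet has a distinct (src, sport) so each is a new flow.
    Returns counters showing the stateless path keeps no state and still
    answers the legitimate query, while the stateful table saturates.
    """
    stateful = StatefulFilter(table_size)
    stateless_permits = 0
    for i in range(flood_size):
        pkt = make_pkt(f"203.0.113.{i % 254 + 1}", 1024 + i)  # constructed sources
        if acl_decide(pkt) == "permit":
            stateless_permits += 1
        stateful.handle(pkt)
    legit = make_pkt("192.0.2.10", 40000)   # constructed legitimate resolver
    legit_stateful = stateful.handle(legit)
    return {
        "stateless_permits": stateless_permits,
        "stateless_state_entries": 0,          # the ACL holds nothing per flow
        "stateless_legit": acl_decide(legit),
        "stateful_entries": len(stateful.table),
        "stateful_dropped": stateful.dropped_new_flows,
        "stateful_legit": legit_stateful,
    }


if __name__ == "__main__":
    for k, v in simulate(flood_size=5000, table_size=1000).items():
        print(f"{k:25s} {v}")
```

The model deliberately ignores what the firewall might add (malformed-packet discard, source filtering, load balancing, the points Steven Bellovin raises); it isolates the one cost the thread is about, a per-flow table whose size is set by the attacker's packet rate rather than by the defender's legitimate load.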
From me at anuragbhatia.com Wed Jan 18 11:30:50 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Wed, 18 Jan 2012 23:00:50 +0530 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: <4EAEABEB-1F53-4B74-8B4F-28F204DE3D87@cisco.com> References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> <20120118170355.GA1918@isc.upenn.edu> <4EAEABEB-1F53-4B74-8B4F-28F204DE3D87@cisco.com> Message-ID: Hi Fred You can access www.worldipv6launch.org but not http://worldipv6launch.org (without www). It's available on IPv6 on www since the Akamai node has a AAAA and seems fine. anurag at laptop:~$ dig www.worldipv6launch.org aaaa +short www.worldipv6launch.org.edgesuite.net. a1448.dscb.akamai.net. 2600:140e:1::3cfe:83ca 2600:140e:1::3cfe:83d1 Someone missed a redirection record for worldipv6launch.org to www.worldipv6launch.org On Wed, Jan 18, 2012 at 10:57 PM, Fred Baker wrote: > > On Jan 18, 2012, at 9:03 AM, Shumon Huque wrote: > > > But, checking www.worldipv6launch.org just now shows that it > > have IPv6 records now: > > I just successfully accessed it using IPv6. The service is real, not just > the DNS record. The address I accessed it at was 2600:809:600::3f50:411. > -- Anurag Bhatia anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network! Twitter: @anurag_bhatia From morrowc.lists at gmail.com Wed Jan 18 11:31:30 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 18 Jan 2012 12:31:30 -0500 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: On Wed, Jan 18, 2012 at 12:04 PM, Owen DeLong wrote: >> >> My question is when is FiOS going to get v6 natively? could we get the >> engineers there to actually do something as opposed to trials of >> non-production systems that'll never actually get deployed? :) >> > > My understanding is that some areas have native IPv6 on FIOS. really? 
I terminate on the same CO/l3 device the testing was done (you know, the one that was press-released ~1.5 years ago?) ... no v6 for me... and as near as I can tell each sales/support person I talk to says: "ipvwhat?" I would bet that the VERIZON fios deployments are non-v6 everywhere... which is just sad, for the internet and for verizon. -chris From morrowc.lists at gmail.com Wed Jan 18 11:31:57 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 18 Jan 2012 12:31:57 -0500 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> <20120118170355.GA1918@isc.upenn.edu> <4EAEABEB-1F53-4B74-8B4F-28F204DE3D87@cisco.com> Message-ID: On Wed, Jan 18, 2012 at 12:30 PM, Anurag Bhatia wrote: > Hi Fred > > You can access on www.worldipv6launch.org but not > http://worldipv6launch.org (without > www) > > not everyone puts their web content on their domain? nothing to see here, please drive through... From jsahala at gmail.com Wed Jan 18 11:57:05 2012 From: jsahala at gmail.com (joshua sahala) Date: Wed, 18 Jan 2012 10:57:05 -0700 Subject: VPC=S/MLT? In-Reply-To: <4F1590CA.6090609@gmail.com> References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu> <4F109CC0.8000800@gmail.com> <20120115011015.GA14746@argus.gw.utexas.edu> <4F1590CA.6090609@gmail.com> Message-ID: vpc has a long list of unclear and/or seemingly contradictory caveats (spread across multiple cisco docs/webpages). when it doesn't work (as expected), it can be challenging to find someone with tac who can actually tell you why (or how to fix it properly). if your needs are fairly basic, are all cisco, follow their dc3.0 verbatim, and don't mind the lack of features on the nexus platform, then it isn't a bad box (if rather expensive for the lack of features...like ipv6 for is-is). 
also, be prepared to keep spanning-tree around and keep bugging your cisco se/am about trill support (as opposed to fabricpath...see tdp vs ldp) if you *might* want to involve the n7k in routing at all, then http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/ offers a much clearer explanation than cisco.com about what works and what doesn't (and whether-or-not tac might try to help) hth /joshua From rs at seastrom.com Wed Jan 18 12:00:37 2012 From: rs at seastrom.com (Robert E. Seastrom) Date: Wed, 18 Jan 2012 13:00:37 -0500 Subject: enterprise 802.11 In-Reply-To: <5290984.5313.1326735813483.JavaMail.root@benjamin.baylink.com> (Jay Ashworth's message of "Mon, 16 Jan 2012 12:43:33 -0500 (EST)") References: <5290984.5313.1326735813483.JavaMail.root@benjamin.baylink.com> Message-ID: <86ipk8lwl6.fsf@seastrom.com> Jay Ashworth writes: > ----- Original Message ----- >> From: "Jared Mauch" > >> network side. I'm personally not convinced of the value of very short >> lease times (less than an hour) > > Less than an hour, perhaps not. > > On small residential networks, though -- generally, anything where the > router (which will need to get rebooted occasionally) *is* the DHCP server -- > I tend to set the timeout to 30-60 minutes, to reduce the race window between > when a router is rebooted, and when a new device shows up and conflicts > because it's given an IP another device still thinks it owns. Another thing that works (in environments where you can get away with it) is an enormous dhcp pool and super long leases with walking-the-whole-space behavior and persistent-across-reboots behavior on the part of the DHCP server. The built-in server on the Mikrotik platforms will do this. Configuring a /16 worth of 1918 space with a 3 week lease for a campground that typically hosts 1 week long events has handily dodged the issue for me. Admittedly this is a corner case... 
-r From bhmccie at gmail.com Wed Jan 18 12:12:19 2012 From: bhmccie at gmail.com (-Hammer-) Date: Wed, 18 Jan 2012 12:12:19 -0600 Subject: VPC=S/MLT? In-Reply-To: <20120115011015.GA14746@argus.gw.utexas.edu> References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu> <4F109CC0.8000800@gmail.com> <20120115011015.GA14746@argus.gw.utexas.edu> Message-ID: <4F170B83.4010207@gmail.com> Found them all on the same page. Not exactly what I was looking for but it's worth sharing. http://www.cisco.com/en/US/products/ps9670/products_implementation_design_guides_list.html -Hammer- "I was a normal American nerd" -Jack Herer On 1/14/2012 7:10 PM, Charles Spurgeon wrote: > On Fri, Jan 13, 2012 at 03:05:45PM -0600, -Hammer- wrote: >> The first link references "chapter 3". I found chapter 5 as well >> but I can't find the full index. Do you have that link by any chance? > I don't have a link to a full index. The links I sent are from a set > of Nexus design and operation chapters I've found. Each chapter is a > guide to a specific aspect of Nexus and vPC operation and DC design. > The set doesn't appear to have been turned into standard Cisco docs > with indexes etc. 
> > Here are the links that I've been able to find: > > Chapter 1: Data Center Design with Cisco Nexus Switches and Virtual PortChannel: Overview > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572831-00_Dsgn_Nexus_vPC_DG.pdf > > Chapter 2: Cisco NX-OS Software Command-Line Interface Primer > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572833-00_NX-OS_CLI.pdf > > Chapter 3: Cisco NX-OS Software Virtual PortChannel: Fundamental Concepts > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf > > Chapter 4: Spanning Tree Design Guidelines for Cisco NX-OS Software and Virtual PortChannels > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572834-00_STDG_NX-OS_vPC_DG.pdf > > Chapter 5: Data Center Aggregation Layer Design and Configuration with > Cisco Nexus Switches and Virtual PortChannels > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf > > Chapter 6 Data Center Access Design with Cisco Nexus 5000 Series > Switches and 2000 Series Fabric Extenders and Virtual PortChannels > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf > > Chapter 7 10 Gigabit Ethernet Connectivity with Microsoft Windows Servers > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572828-00_10Gb_Conn_Win_DG.pdf > > Chapter 8 Data Center Design with VMware ESX 4.0 and Cisco Nexus 5000 > and 1000V Series Switches 4.0(4)SV1(1) and 2000 Series Fabric > Extenders > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572832-00_VMware_ESX4_Nexus_DG.pdf > > -Charles > > Charles E. Spurgeon / UTnet > UT Austin ITS / Networking > c.spurgeon at its.utexas.edu / 512.475.9265 > From bhmccie at gmail.com Wed Jan 18 12:25:33 2012 From: bhmccie at gmail.com (-Hammer-) Date: Wed, 18 Jan 2012 12:25:33 -0600 Subject: VPC=S/MLT? 
In-Reply-To: References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu> <4F109CC0.8000800@gmail.com> <20120115011015.GA14746@argus.gw.utexas.edu> <4F1590CA.6090609@gmail.com> Message-ID: <4F170E9D.6010504@gmail.com> Nice link. Thanks Joshua. -Hammer- "I was a normal American nerd" -Jack Herer On 1/18/2012 11:57 AM, joshua sahala wrote: > vpc has a long list of unclear and/or seemingly contradictory caveats > (spread across multiple cisco docs/webpages). when it doesn't work > (as expected), it can be challenging to find someone with tac who can > actually tell you why (or how to fix it properly). if your needs are > fairly basic, are all cisco, follow their dc3.0 verbatim, and don't > mind the lack of features on the nexus platform, then it isn't a bad > box (if rather expensive for the lack of features...like ipv6 for > is-is). also, be prepared to keep spanning-tree around and keep > bugging your cisco se/am about trill support (as opposed to > fabricpath...see tdp vs ldp) > > if you *might* want to involve the n7k in routing at all, then > http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/ > offers a much clearer explanation than cisco.com about what works and > what doesn't (and whether-or-not tac might try to help) > > hth > /joshua > > From drew.weaver at thenap.com Wed Jan 18 13:26:57 2012 From: drew.weaver at thenap.com (Drew Weaver) Date: Wed, 18 Jan 2012 14:26:57 -0500 Subject: DNS Attacks In-Reply-To: References: <4F16DFA2.8030208@foobar.org> <0C0D0264-E925-4CE0-8F6A-5BE4DE70F543@cs.columbia.edu> Message-ID: -----Original Message----- From: Christopher Morrow [mailto:morrowc.lists at gmail.com] Sent: Wednesday, January 18, 2012 11:43 AM To: Steven Bellovin Cc: nanog at nanog.org Subject: Re: DNS Attacks yup... 
I think roland and nick (he can correct me, roland I KNOW is saying this) are basically saying: permit tcp any any eq 80 permit tcp any any eq 443 deny ip any any is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that. >>>>> But you don't get the benefit of UNIFIED THREAT MANAGEMENT or syn-authentication with an access-list or what happens if someone sends your wordpress blog a malformed GET request which causes it to give the attacker root? Or Slowloris, or one of any thousand other HTTP protocol based attacks? (I'm being sarcastic but that is the argument you will hear). Seriously though if there is one thing I wish people would stop doing it is releasing web vulnerability scanners for free (like acunetix), they're easy enough to catch because they use sitemaps but they can be a bit annoying and generate a lot of load =) -Drew From me at anuragbhatia.com Wed Jan 18 13:36:56 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Thu, 19 Jan 2012 01:06:56 +0530 Subject: Tata AS6453 not peering with NTT AS2914 in Japan Message-ID: Hello everyone! Was wondering if there's anyone from Tata Communications (VSNL/TeleGlobe) or NTT Communications? I can see Tata Comm's AS6453 is not exchanging traffic with NTT AS2914 in Japan. Is there any specific reason for that? I can see traffic exchange is being done at London, New York, San Jose but not in Japan. Thus packets from Tokyo (Tata) to Tokyo (NTT) are making a round trip to the US. This is screwing up performance of networks which are downstream of NTT, e.g. Akamai. Route to Akamai.com webserver from Indian networks is going like India - UK - Japan adding over 200ms of overhead latency. If someone is interested in detailed data, I have blogged about it here. 
Any ideas what's preventing them peering in Japan itself? -- Anurag Bhatia anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network! Twitter: @anurag_bhatia From me at anuragbhatia.com Wed Jan 18 16:10:17 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Thu, 19 Jan 2012 03:40:17 +0530 Subject: Tata AS6453 not peering with NTT AS2914 in Japan In-Reply-To: References: Message-ID: Call it funny or what - so far I have got 4 replies and in total 10 emails in one to one discussion. No one replied on the mailing list! On Thu, Jan 19, 2012 at 1:06 AM, Anurag Bhatia wrote: > Hello everyone! > > Was wondering if there's anyone from Tata Communications (VSNL/TeleGlobe) > or NTT Communications? I can see Tata Comm's AS6453 is not exchanging > traffic with NTT AS2914 in Japan. Is there any specific reason for that? > I can see traffic exchange is being done at London, New York, San Jose but > not in Japan. Thus packets from Tokyo (Tata) to Tokyo (NTT) are making a > round trip to the US. This is screwing up performance of networks which are > downstream of NTT, e.g. Akamai. Route to Akamai.com webserver from Indian > networks is going like India - UK - Japan adding over 200ms of overhead > latency. If someone is interested in detailed data, I have blogged about it > here. > > > Any ideas what's preventing them peering in Japan itself? > -- > > Anurag Bhatia > > anuragbhatia.com > > or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected > network! > > Twitter: @anurag_bhatia > > -- Anurag Bhatia anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network! Twitter: @anurag_bhatia From jrhett at netconsonance.com Wed Jan 18 17:01:07 2012 From: jrhett at netconsonance.com (Jo Rhett) Date: Wed, 18 Jan 2012 15:01:07 -0800 Subject: bgp question In-Reply-To: References: Message-ID: On Jan 18, 2012, at 5:58 AM, Deric Kwok wrote: > Could you tell me more about "routing registries"? 
> I would like to learn it google it, and RADB for example. > 2nd questions? Are you familiar with quagga? > Is it supporting equally multipath in different bgp connections? Yes, absolutely. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness From randy at psg.com Wed Jan 18 17:08:38 2012 From: randy at psg.com (Randy Bush) Date: Thu, 19 Jan 2012 08:08:38 +0900 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: <4F16D917.2060408@ripe.net> References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com> <4F16D917.2060408@ripe.net> Message-ID: > One can also try RIPEstat for this: http://stat.ripe.net/ wfm > (Disclaimer: our team is working on this tool.) and you used your work email address. thank you. randy From streiner at cluebyfour.org Wed Jan 18 17:48:12 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Wed, 18 Jan 2012 18:48:12 -0500 (EST) Subject: bgp question In-Reply-To: References: Message-ID: On Wed, 18 Jan 2012, Deric Kwok wrote: > Could you tell me more about "routing registries"? > I would like to learn it In a nutshell, Internet Routing Registries (IRRs) are places where networks can store information that describes their routing policies. Other networks can query this information and use the results to build or update their filtering policies. You can find an extensive list of registries and more background information at http://www.irr.net/ > 2nd questions? Are you familiar with quagga? > Is it supporting equally multipath in different bgp connections? I haven't messed around too much with quagga, so I can't give you a good answer on that at the moment. jms From streiner at cluebyfour.org Wed Jan 18 17:56:28 2012 From: streiner at cluebyfour.org (Justin M. 
Streiner) Date: Wed, 18 Jan 2012 18:56:28 -0500 (EST) Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: On Wed, 18 Jan 2012, Christopher Morrow wrote: > My question is when is FiOS going to get v6 natively? could we get the > engineers there to actually do something as opposed to trials of > non-production systems that'll never actually get deployed? :) I wonder when Comcast and Verizon will get into an IPv6 advertising war. "v6... smhee-6! Ditch that cable modem and switch to Fios!" jms From joelja at bogus.com Wed Jan 18 18:18:38 2012 From: joelja at bogus.com (Joel jaeggli) Date: Wed, 18 Jan 2012 16:18:38 -0800 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: <4F17615E.1090108@bogus.com> On 1/18/12 15:56 , Justin M. Streiner wrote: > On Wed, 18 Jan 2012, Christopher Morrow wrote: > >> My question is when is FiOS going to get v6 natively? could we get the >> engineers there to actually do something as opposed to trials of >> non-production systems that'll never actually get deployed? :) > > I wonder when Comcast and Verizon will get into an IPv6 advertising war. > "v6... smhee-6! Ditch that cable modem and switch to Fios!" LTE has V6 natively and it gets used today... joel > jms > From jof at thejof.com Wed Jan 18 18:24:28 2012 From: jof at thejof.com (Jonathan Lassoff) Date: Wed, 18 Jan 2012 16:24:28 -0800 Subject: bgp question In-Reply-To: References: Message-ID: On Wed, Jan 18, 2012 at 5:58 AM, Deric Kwok wrote: > Is it supporting equally multipath in different bgp connections? Most software routing protocols have support for this in their RIBs, but the actual forwarding ability of the underlying kernel will determine the support for this. What platform do you route on? 
Cheers, jof From streiner at cluebyfour.org Wed Jan 18 18:45:16 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Wed, 18 Jan 2012 19:45:16 -0500 (EST) Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: <4F17615E.1090108@bogus.com> References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> <4F17615E.1090108@bogus.com> Message-ID: On Wed, 18 Jan 2012, Joel jaeggli wrote: > On 1/18/12 15:56 , Justin M. Streiner wrote: >> On Wed, 18 Jan 2012, Christopher Morrow wrote: >> >> I wonder when Comcast and Verizon will get into an IPv6 advertising war. >> "v6... smhee-6! Ditch that cable modem and switch to Fios!" > > LTE has V6 natively and it gets used today... True, but VZW and VZO are two different animals. jms From mpetach at netflight.com Wed Jan 18 19:17:15 2012 From: mpetach at netflight.com (Matthew Petach) Date: Wed, 18 Jan 2012 17:17:15 -0800 Subject: Tata AS6453 not peering with NTT AS2914 in Japan In-Reply-To: References: Message-ID: On Wed, Jan 18, 2012 at 2:10 PM, Anurag Bhatia wrote: > Call it funny or what - so far I have got 4 replies and in total 10emails > in one to one discussion. > > No one replied in mailing list! People are often hesitant to discuss dirty laundry in public; not least because it can sometimes have employment implications. Most requests on the lists are thus phrased as "please contact me about X" or "It would be really nice if you could fix your misconfiguration at site Y" so that there's no onus placed on an engineer to discuss the issue publicly; fixing the issue, or responding with a private message about the issue is usually considered sufficient response. 
Matt From tony at lavanauts.org Wed Jan 18 22:41:32 2012 From: tony at lavanauts.org (Antonio Querubin) Date: Wed, 18 Jan 2012 18:41:32 -1000 (HST) Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: On Wed, 18 Jan 2012, Anurag Bhatia wrote: > 1. No A or AAAA record on main worldipv6launch.org Odd and annoying. So 20th century... :) Antonio Querubin e-mail: tony at lavanauts.org xmpp: antonioquerubin at gmail.com From joelja at bogus.com Thu Jan 19 00:10:58 2012 From: joelja at bogus.com (Joel Jaeggli) Date: Wed, 18 Jan 2012 22:10:58 -0800 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> <4F17615E.1090108@bogus.com> Message-ID: <73AF1D48-8A9D-45CA-B740-6D8C922091DF@bogus.com> By the same token, The mobile broadband network is not some also-ran adjunct to the residential broadband service. On Jan 18, 2012, at 16:45, "Justin M. Streiner" wrote: > On Wed, 18 Jan 2012, Joel jaeggli wrote: > >> On 1/18/12 15:56 , Justin M. Streiner wrote: >>> On Wed, 18 Jan 2012, Christopher Morrow wrote: >>> >>> I wonder when Comcast and Verizon will get into an IPv6 advertising war. >>> "v6... smhee-6! Ditch that cable modem and switch to Fios!" >> >> LTE has V6 natively and it gets used today... > > True, but VZW and VZO are two different animals. 
> > jms > From ops.lists at gmail.com Thu Jan 19 00:57:45 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Thu, 19 Jan 2012 12:27:45 +0530 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: <4F16D917.2060408@ripe.net> References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com> <4F16D917.2060408@ripe.net> Message-ID: On Wed, Jan 18, 2012 at 8:07 PM, Robert Kisteleki wrote: > One can also try RIPEstat for this: http://stat.ripe.net/ > > Amongst other modules it gives full (~10 year) BGP history for prefixes. Does it also give a similar history for ASN announcements? I see a lot many shady ASNs that simply move from one prefix to another, in batches -- Suresh Ramasubramanian (ops.lists at gmail.com) From robert at ripe.net Thu Jan 19 02:28:37 2012 From: robert at ripe.net (Robert Kisteleki) Date: Thu, 19 Jan 2012 09:28:37 +0100 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com> <4F16D917.2060408@ripe.net> Message-ID: <4F17D435.6030204@ripe.net> On 2012.01.19. 7:57, Suresh Ramasubramanian wrote: > On Wed, Jan 18, 2012 at 8:07 PM, Robert Kisteleki wrote: >> One can also try RIPEstat for this: http://stat.ripe.net/ >> >> Amongst other modules it gives full (~10 year) BGP history for prefixes. > > Does it also give a similar history for ASN announcements? I see a > lot many shady ASNs that simply move from one prefix to another, in > batches > Yes. See for example (only the routing module): http://stat.ripe.net/query/routing-history/AS3333?params={%27value%27:+%27AS3333%27} You can turn on the "first transit AS" with the checkbox on the top right. 
Robert From ops.lists at gmail.com Thu Jan 19 02:35:39 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Thu, 19 Jan 2012 14:05:39 +0530 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: <4F17D435.6030204@ripe.net> References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com> <4F16D917.2060408@ripe.net> <4F17D435.6030204@ripe.net> Message-ID: Superb. Thank you. On Thu, Jan 19, 2012 at 1:58 PM, Robert Kisteleki wrote: > > > Yes. See for example (only the routing module): > > http://stat.ripe.net/query/routing-history/AS3333?params={%27value%27:+%27AS3333%27} > > You can turn on the "first transit AS" with the checkbox on the top right. -- Suresh Ramasubramanian (ops.lists at gmail.com) From andra.lutu at imdea.org Thu Jan 19 05:24:04 2012 From: andra.lutu at imdea.org (andra.lutu at imdea.org) Date: Thu, 19 Jan 2012 12:24:04 +0100 (CET) Subject: RIS raw data Message-ID: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Hi all, I am working on getting a better grasp on what data we have in the RIS project from RIPE. To this end, I am checking the export policies of the ASes peering with RIPE AS12654 at different IXPs. I am wondering if anybody knows what these ASes actually announce to the RIPE repositories? Do they dump their entire routing tables (including their internal routes)? In some cases I saw the export policy ANNOUNCE ANY, is this consistent with a particular AS behaving like the RIPE AS was its customer? Another type of export policy is for example 'to AS12654: ANNOUNCE AS "YYY"' (where "YYY" is any AS peering with RIPE in the RIS project). How is this policy different from the previous one from the point of view of the routing feed the RIPE repository receives? Thank you for your help! 
Best regards, Andra From nick at foobar.org Thu Jan 19 06:12:14 2012 From: nick at foobar.org (Nick Hilliard) Date: Thu, 19 Jan 2012 12:12:14 +0000 Subject: RIS raw data In-Reply-To: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: <4F18089E.9070609@foobar.org> On 19/01/2012 11:24, andra.lutu at imdea.org wrote: > I am working on getting a better grasp on what data we > have in the RIS project from RIPE. > To this end, I am checking the > export policies of the ASes peering with RIPE AS12654 at different > IXPs. > I am wondering if anybody knows what these ASes actually > announce to the RIPE repositories? Do they dump their entire routing > tables (including their internal routes) ? > In some cases I saw > the export policy ANNOUNCE ANY, is this consistent with a particular AS > behaving like the RIPE AS was its customer? > Another type of export > policy is for example 'to AS12654: ANNOUNCE AS "YYY" > '(where "YYY" is any AS peering with RIPE in the RIS > project). > How is this policy different from the previous one from > the point of view of the routing feed the RIPE repository receives? Hi Andra, INEX used to maintain two peering matrices. One was based on RIPE IRRDB data; the other was based on netflow/sflow BGP data sampled from the IXP infrastructure. The difference between the two was shocking. Nick From greg at bestnet.kharkov.ua Thu Jan 19 06:20:29 2012 From: greg at bestnet.kharkov.ua (Gregory Edigarov) Date: Thu, 19 Jan 2012 14:20:29 +0200 Subject: dial-peer authenticaton in ios 12.3? Message-ID: <20120119142029.7c4d67e7@greg.bestnet.kharkov.ua> Hello everybody, Is there a good person who could try to remember how to configure authentication in dial-peer on IOS (tm) MC3810 Software (MC3810-A2ISV5-M), Version 12.3(13), RELEASE SOFTWARE (fc2)? 
dial-peer voice 1 pots authentication username someuser password somepassword does not seem to be any help as it reports an error on the "authentication" keyword. Is there anything I could try to do about this before I throw it out from my balcony? Thank you. -- With best regards, Gregory Edigarov From randy at psg.com Thu Jan 19 06:52:52 2012 From: randy at psg.com (Randy Bush) Date: Thu, 19 Jan 2012 21:52:52 +0900 Subject: RIS raw data In-Reply-To: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: > In some cases I saw the export policy ANNOUNCE ANY, is this consistent > with a particular AS behaving like the RIPE AS was its customer? well, if i was to take that literally, that would include internal prefixes, e.g. some of p2p inter-router links, loopbacks, ... of course, taking anything from the IRR literally is naïve at best. some years back, i asked for a *simple minimal* tagging of announcements to route views, just peer, customer, internal. it got ietfed to utter uselessness, with more crap welded on to it than envisioned in mad max. randy From deric.kwok2000 at gmail.com Thu Jan 19 07:27:45 2012 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Thu, 19 Jan 2012 08:27:45 -0500 Subject: bgp question In-Reply-To: References: Message-ID: Hi, Thank you, all of you. Can I have one question? We are planning to have 3 x 1G bgp connections (full tables) e.g. Path A, B, C Can I say that we have 3G output totally? From my understanding, the bgp chooses the best path to route automatically If path A is the best route and that path's 1G bandwidth is used up, will bgp try to use path B and path C automatically? Or does bgp still choose path A even when the bandwidth is used up? How can I use up those 3G? 
Thank you so much PS: my platform is linu On Wed, Jan 18, 2012 at 7:24 PM, Jonathan Lassoff wrote: > On Wed, Jan 18, 2012 at 5:58 AM, Deric Kwok wrote: >> Is it supporting equally multipath in different bgp connections? > > Most software routing protocols have support for this in their RIBs, > but the actual forwarding ability of the underlying kernel will > determine the support for this. > What platform do you route on? > > Cheers, > jof From danny at tcb.net Thu Jan 19 07:51:42 2012 From: danny at tcb.net (Danny McPherson) Date: Thu, 19 Jan 2012 08:51:42 -0500 Subject: RIS raw data In-Reply-To: References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: <44E1EB40-903A-4C8B-A512-26B0931AA5D3@tcb.net> On Jan 19, 2012, at 7:52 AM, Randy Bush wrote: > of course, taking anything from the IRR literally is naïve at best. Unfortunately, if the BGPSEC, RPKI and SIDR work stays the course in the IETF, we're still going to need IRR-esque policy capabilities (outside of route server and prefix origin bindings in that work), so we best start figuring out how to make them suck less. > some years back, i asked for a *simple minimal* tagging of announcements > to route views, just peer, customer, internal. it got ietfed to utter > uselessness, with more crap welded on to it than envisioned in mad max. I agree, it's important to analyze systemic cost/benefit and complexity analysis and new operational impacts various standards work is introducing. -danny From jmaslak at antelope.net Thu Jan 19 08:23:11 2012 From: jmaslak at antelope.net (Joel Maslak) Date: Thu, 19 Jan 2012 07:23:11 -0700 Subject: bgp question In-Reply-To: References: Message-ID: On Thu, Jan 19, 2012 at 6:27 AM, Deric Kwok wrote: > We are planning to have 3 x 1G bgp connections (full tables) eg: Path A, B, C > > Can I say that we have 3G output totally? Sure. > From my understanding, the bgp chooses the best path to route automatically It doesn't.
It typically chooses the path with the least number of autonomous systems for a given destination. That can actually result in longer physical paths in many cases. Let's say provider C buys bandwidth from A and B (and nobody else). If that's the case, you will only use C for things directly connected to C's network (typically only things that pay C), but every other internet destination would use A or B. (unless you adjust things to not do this). > If the path A is best route and that path 1G bandwidth is used up, > will bgp try to use path B and path C automatically? No, with one caveat. If you fill up the pipe enough that routing messages don't get through, those routes will eventually time out and the path won't be used at all. > How can I use up those 3G? You will need to manually adjust routes, preferences, etc. You'll still have one path that is hotter than the others (although hopefully not too much hotter). Are you worried about incoming or outgoing bandwidth, or both? For incoming, you will need to do things like: 1) Announce all of your prefixes aggregated out all 3 links 2) Announce parts of your prefixes out ONLY ONE link. So announce /24 #1 out A, /24 #2 out B, /24 #3 out C. This means you're forcing incoming traffic to generally come in one link per /24. The problem with this is that a really active /24 will get more traffic still. It also requires you to have at least 3 /24s (you can't route longer prefixes, which means you can't route PART of a /24). For outbound, the easy and obvious way would be for your providers to just announce 0/0 to you and for you to do some sort of flow-based load balancing. But if one provider had reachability problems, you'd go down. So without that, you'll have to adjust the preferences of incoming routes. Alternatively use BGP multipath and buy from one provider (and connect to the same router on the provider side). Bandwidth from one provider isn't necessarily a horrible thing, if you pick a good one provider. 
Even with multiple BGP feeds, unless you are really, really careful (and, most likely, spend tons of money for things like fiber redundancy so the different fibers don't all end up on one pole or going into the same telco building) you'll still have single points of failure. From andra.lutu at imdea.org Thu Jan 19 08:30:05 2012 From: andra.lutu at imdea.org (andra.lutu at imdea.org) Date: Thu, 19 Jan 2012 15:30:05 +0100 (CET) Subject: RIS raw data In-Reply-To: References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: <47839.163.117.139.80.1326983405.squirrel@mail.imdea.org> Hi Randy, Thank you for your reply. I do, however, have one more question, please find it below. >> In some cases I saw the export policy ANNOUNCE ANY, is this consistent >> with a particular AS behaving like the RIPE AS was its customer? > > well, if i was to take that literally, that would include internal > prefixes, e.g. some of p2p inter-router links, loopbacks, ... > What would be then the difference between this ANNOUNCE ANY policy and this other policy I have found "ANNOUNCE AS-YYY" (where AS YYY is the AS exporting its routes)? What are the ASes actually exporting in this case? > of course, taking anything from the IRR literally is naïve at best. > > some years back, i asked for a *simple minimal* tagging of announcements > to route views, just peer, customer, internal. it got ietfed to utter > uselessness, with more crap welded on to it than envisioned in mad max.
> > randy > Best regards, Andra From shane at castlepoint.net Thu Jan 19 09:26:05 2012 From: shane at castlepoint.net (Shane Amante) Date: Thu, 19 Jan 2012 08:26:05 -0700 Subject: RIS raw data In-Reply-To: References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: <85D843DC-9481-47E1-904A-035C758A66DE@castlepoint.net> On Jan 19, 2012, at 5:52 AM, Randy Bush wrote: >> In some cases I saw the export policy ANNOUNCE ANY, is this consistent >> with a particular AS behaving like the RIPE AS was its customer? > > well, if i was to take that literally, that would include internal > prefixes, e.g. some of p2p inter-router links, loopbacks, ... > > of course, taking anything from the IRR literally is naïve at best. Please don't conflate the policy mechanisms enabled by the IRR policy *language*/specification itself with the *data* contained in the IRR ... > some years back, i asked for a *simple minimal* tagging of announcements > to route views, just peer, customer, internal. it got ietfed to utter > uselessness, with more crap welded on to it than envisioned in mad max. Wrt your last paragraph: care to share a link to the I-D (or, RFC) that you allude to above? I think your last paragraph is alluding to tagging routes with standard BGP communities, based on your "simple minimal" criteria, before they are sent to route-views. That strikes me as potentially orthogonal to issues with the present data in the IRR. -shane From Valdis.Kletnieks at vt.edu Thu Jan 19 09:46:32 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 19 Jan 2012 10:46:32 -0500 Subject: RIS raw data In-Reply-To: Your message of "Thu, 19 Jan 2012 21:52:52 +0900." References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: <3547.1326987992@turing-police.cc.vt.edu> On Thu, 19 Jan 2012 21:52:52 +0900, Randy Bush said: > uselessness, with more crap welded on to it than envisioned in mad max. oooh... steampunk BGP.
;) From ka at pacific.net Thu Jan 19 09:54:21 2012 From: ka at pacific.net (Ken A) Date: Thu, 19 Jan 2012 09:54:21 -0600 Subject: DNS Attacks In-Reply-To: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com> References: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com> Message-ID: <4F183CAD.9060802@pacific.net> On 1/18/2012 1:45 AM, Leigh Porter wrote: > > > On 18 Jan 2012, at 05:06, "toor" wrote: > >> Hi list, >> >> I am wondering if anyone else has seen a large amount of DNS >> queries coming from various IP ranges in China. I have been trying >> to find a pattern in the attacks but so far I have come up blank. I >> am completely guessing these are possibly DNS amplification attacks >> but I am not sure. Usually what I see is this: >> > > At various seemingly random times over the past week I have had a DNS > which is behind a firewall come under attack. The firewall is > significant because the attacks killed the firewall as it is rather > under specified (not my idea..). > > It did originate from Chinese address space and consisted of DNS > queries for lots of hosts. There was also a port-scan in the traffic > and a SYN attack on a few hosts on the same small subnet as the DNS, > a web server and an open SSH port. > We are seeing this too, though we don't have the kind of exposure some of the larger providers do. fwiw.. If for some reason, you can't use a dedicated box for DNS and/or a simple acl to protect services on a box, you can turn off connection tracking in iptables per-port using the NOTRACK target.
iptables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK iptables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#NOTRACKTARGET Ken -- Ken Anderson From alter3d at alter3d.ca Thu Jan 19 10:01:13 2012 From: alter3d at alter3d.ca (Peter Kristolaitis) Date: Thu, 19 Jan 2012 11:01:13 -0500 Subject: RIS raw data In-Reply-To: <3547.1326987992@turing-police.cc.vt.edu> References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> <3547.1326987992@turing-police.cc.vt.edu> Message-ID: <4F183E49.7090306@alter3d.ca> On 12-01-19 10:46 AM, Valdis.Kletnieks at vt.edu wrote: > On Thu, 19 Jan 2012 21:52:52 +0900, Randy Bush said: > >> uselessness, with more crap welded on to it than envisioned in mad max. > oooh... steampunk BGP. ;) The Internet is like a series of (steam) tubes? ;) - Peter From leigh.porter at ukbroadband.com Thu Jan 19 10:05:38 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Thu, 19 Jan 2012 16:05:38 +0000 Subject: RIS raw data In-Reply-To: <4F183E49.7090306@alter3d.ca> References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> <3547.1326987992@turing-police.cc.vt.edu> <4F183E49.7090306@alter3d.ca> Message-ID: > -----Original Message----- > From: Peter Kristolaitis [mailto:alter3d at alter3d.ca] > Sent: 19 January 2012 16:04 > To: nanog at nanog.org > Subject: Re: RIS raw data > > On 12-01-19 10:46 AM, Valdis.Kletnieks at vt.edu wrote: > > On Thu, 19 Jan 2012 21:52:52 +0900, Randy Bush said: > > > >> uselessness, with more crap welded on to it than envisioned in mad > max. > > oooh... steampunk BGP. ;) > > The Internet is like a series of (steam) tubes? ;) > > - Peter When they break, do you see little clouds of 1s and 0s ? -- Leigh
From ekim.ittag at gmail.com Thu Jan 19 10:32:54 2012 From: ekim.ittag at gmail.com (Mike Gatti) Date: Thu, 19 Jan 2012 08:32:54 -0800 Subject: Skype in the Enterprise Message-ID: <26A04B09-927D-49F2-8E46-185C670F178A@gmail.com> Hello Everyone, I wanted to get the group's opinions/thoughts on how you would or currently handle users wanting or using Skype in the enterprise. Recently what has brought this to light was the fact that our firewalls started to deny/shun users randomly from access to the internet. After a couple of dozen packet captures and cross checking software installed on the clients machines we narrowed down the culprit to be Skype, which later we validated in Lab. What we saw was in random intervals all skype clients would send a burst of requests to the internet which would trigger the intrusion detection threshold of our security appliances. Given that there were no changes to those thresholds I am left to ask what caused this behavior to start, a software update or an update to the skype network (if it can be called that)? I am trying to educate myself a little more before facing the lynch mobs when I start advising on a solution. Thanks for taking the time, -- Michael Gatti main. 949.371.5474 (UTC -8) From simon.lucy at bbc.co.uk Thu Jan 19 10:43:05 2012 From: simon.lucy at bbc.co.uk (Simon Lucy) Date: Thu, 19 Jan 2012 16:43:05 +0000 Subject: Skype in the Enterprise In-Reply-To: <26A04B09-927D-49F2-8E46-185C670F178A@gmail.com> References: <26A04B09-927D-49F2-8E46-185C670F178A@gmail.com> Message-ID: <4F184819.6020209@bbc.co.uk> Mike Gatti wrote: > Hello Everyone, > > I wanted to get the group's opinions/thoughts on how you would or currently handle users wanting or using Skype in the enterprise.
> Recently what has brought this to light was the fact that our firewalls started to deny/shun users randomly from access to the internet. > After a couple of dozen packet captures and cross checking software installed on the clients machines we narrowed down the culprit to be Skype, which later we validated in Lab. > What we saw was in random intervals all skype clients would send a burst of requests to the internet which would trigger the intrusion detection threshold of our security appliances. > Given that there were no changes to those thresholds I am left to ask what caused this behavior to start, a software update or an update to the skype network (if it can be called that)? > I am trying to educate myself a little more before facing the lynch mobs when I start advising on a solution. You can start with the network admin's guide; it gives the basic characteristics of normal Skype network behaviour and how it punches through NAT, STUN etc. http://download.skype.com/share/business/guides/skype-it-administrators-guide.pdf S > > Thanks for taking the time, > -- > Michael Gatti > main. 949.371.5474 > (UTC -8) > > > > From bonomi at mail.r-bonomi.com Thu Jan 19 12:00:55 2012 From: bonomi at mail.r-bonomi.com (Robert Bonomi) Date: Thu, 19 Jan 2012 12:00:55 -0600 (CST) Subject: RIS raw data In-Reply-To: <4F183E49.7090306@alter3d.ca> Message-ID: <201201191800.q0JI0t12027853@mail.r-bonomi.com> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Thu Jan 19 10:06:17 2012 > Date: Thu, 19 Jan 2012 11:01:13 -0500 > From: Peter Kristolaitis > To: nanog at nanog.org > Subject: Re: RIS raw data > > On 12-01-19 10:46 AM, Valdis.Kletnieks at vt.edu wrote: > > On Thu, 19 Jan 2012 21:52:52 +0900, Randy Bush said: > > > >> uselessness, with more crap welded on to it than envisioned in mad max. > > oooh... steampunk BGP. ;) > > The Internet is like a series of (steam) tubes? ;) It is widely known that some people _do_ let off a lot of steam via that mechanism.
*chuckle* From tim.donahue at gmail.com Thu Jan 19 12:26:09 2012 From: tim.donahue at gmail.com (Tim Donahue) Date: Thu, 19 Jan 2012 13:26:09 -0500 Subject: Security Contact for PlusServer.de (AS8972) Message-ID: Hi all, Sorry for the noise, but I am looking for a contact for PlusServer.de (AS8972) to get a security issue resolved. Email to their abuse@ address has gone unanswered for nearly 24 hours at this point and the malicious traffic has not been stopped yet. Hopefully someone here has a security or noc contact that I can reach out to. Thank you, Tim From hrlinneweh at sbcglobal.net Thu Jan 19 12:39:03 2012 From: hrlinneweh at sbcglobal.net (Henry Linneweh) Date: Thu, 19 Jan 2012 10:39:03 -0800 (PST) Subject: AlcaLu Adds Security to Routers Message-ID: <1326998343.98190.YahooMailNeo@web180316.mail.gq1.yahoo.com> http://www.lightreading.com/document.asp?doc_id=216514&f_src=lrdailynewsletter -Henry From morrowc.lists at gmail.com Thu Jan 19 13:11:11 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Thu, 19 Jan 2012 14:11:11 -0500 Subject: AlcaLu Adds Security to Routers In-Reply-To: <1326998343.98190.YahooMailNeo@web180316.mail.gq1.yahoo.com> References: <1326998343.98190.YahooMailNeo@web180316.mail.gq1.yahoo.com> Message-ID: On Thu, Jan 19, 2012 at 1:39 PM, Henry Linneweh wrote: > > > http://www.lightreading.com/document.asp?doc_id=216514&f_src=lrdailynewsletter riverhead on a blade in your 6500 anyone? From jon at smugmug.com Thu Jan 19 14:10:01 2012 From: jon at smugmug.com (jon Heise) Date: Thu, 19 Jan 2012 12:10:01 -0800 Subject: juniper mx80 vs cisco asr 1000 Message-ID: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> Does anyone have any experience with these two routers, we're looking to buy one of them but i have little experience dealing with cisco routers and zero experience with juniper.
From tad1214 at gmail.com Thu Jan 19 14:34:56 2012 From: tad1214 at gmail.com (Thomas Donnelly) Date: Thu, 19 Jan 2012 12:34:56 -0800 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> Message-ID: I have used the ASR1002-F in a previous life and I was very pleased with it. Performance was a massive increase from the 3845 we had. The warm standby IOS is a nice feature for in service upgrades and crash avoidance. I don't have much experience with the MX series of things but you would be happy with the ASR assuming it meets your bandwidth/port density requirements. -=Tom On Thu, Jan 19, 2012 at 12:10 PM, jon Heise wrote: > Does anyone have any experience with these two routers, we're looking to > buy one of them but i have little experience dealing with cisco routers and > zero experience with juniper. > From paul4004 at gmail.com Thu Jan 19 14:45:01 2012 From: paul4004 at gmail.com (PC) Date: Thu, 19 Jan 2012 13:45:01 -0700 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> Message-ID: Which specific models are you looking at? Both contain a large product range. On Thu, Jan 19, 2012 at 1:10 PM, jon Heise wrote: > Does anyone have any experience with these two routers, we're looking to > buy one of them but i have little experience dealing with cisco routers and > zero experience with juniper. > From jay at west.net Thu Jan 19 14:59:41 2012 From: jay at west.net (Jay Hennigan) Date: Thu, 19 Jan 2012 12:59:41 -0800 Subject: US DOJ victim letter Message-ID: <4F18843D.3050101@west.net> We have received three emails from the US Department of Justice Victim Notification System to our ARIN POC address advising us that we may be the victim of a crime. Headers look legit. 
We have been frustrated in trying to follow the rabbit hole to get any useful information. we've jumped through hoops to get passwords that don't work and attempted to navigate a voice-mail system that resembles the "twisty maze of passages all different" from an old text adventure game. This *seems* to be legit, and I would think that the end result is likely to be a list of IP addresses associated with infected hosts. Has anyone else received the email? Is it legit? If so has anyone successfully navigated the maze, and if so how? Is it worth it? (And why don't they just send the list of infected IPs to the ARIN contact in the first place?) -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From michael.hare at doit.wisc.edu Thu Jan 19 15:01:37 2012 From: michael.hare at doit.wisc.edu (Michael Hare) Date: Thu, 19 Jan 2012 15:01:37 -0600 Subject: US DOJ victim letter In-Reply-To: <4F18843D.3050101@west.net> References: <4F18843D.3050101@west.net> Message-ID: <4F1884B1.5020200@doit.wisc.edu> AS2381 has also received them, we are no further along in this than you are. On 1/19/2012 2:59 PM, Jay Hennigan wrote: > We have received three emails from the US Department of Justice Victim > Notification System to our ARIN POC address advising us that we may be > the victim of a crime. Headers look legit. > > We have been frustrated in trying to follow the rabbit hole to get any > useful information. we've jumped through hoops to get passwords that > don't work and attempted to navigate a voice-mail system that resembles > the "twisty maze of passages all different" from an old text adventure > game. > > This *seems* to be legit, and I would think that the end result is > likely to be a list of IP addresses associated with infected hosts. > > Has anyone else received the email? Is it legit? 
If so has anyone > successfully navigated the maze, and if so how? Is it worth it? > > (And why don't they just send the list of infected IPs to the ARIN > contact in the first place?) > > -- > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net > Impulse Internet Service - http://www.impulse.net/ > Your local telephone and internet company - 805 884-6323 - WB6RDV > From jackson.tim at gmail.com Thu Jan 19 15:03:00 2012 From: jackson.tim at gmail.com (Tim Jackson) Date: Thu, 19 Jan 2012 15:03:00 -0600 Subject: US DOJ victim letter In-Reply-To: <4F18843D.3050101@west.net> References: <4F18843D.3050101@west.net> Message-ID: The 3rd email they sent: This email is intended to provide clarification on a previous email sent to you. You will be receiving a letter by U.S. Postal Service in the coming days. In the meantime, please visit the link below which provides more details on the investigation and identifying you as a possible victim: www.fbi.gov/news/stories/2011/november/malware_110911 -- Tim From dave at colo4.com Thu Jan 19 15:04:18 2012 From: dave at colo4.com (Dave Ellis) Date: Thu, 19 Jan 2012 15:04:18 -0600 Subject: US DOJ victim letter In-Reply-To: <4F1884B1.5020200@doit.wisc.edu> References: <4F18843D.3050101@west.net> <4F1884B1.5020200@doit.wisc.edu> Message-ID: <4F188552.3090405@colo4.com> We've also received the emails and ignored them. If the US DOJ needs to contact us they use the postal service. On 01/19/2012 03:01 PM, Michael Hare wrote: > AS2381 has also received them, we are no further along in this than > you are. > > On 1/19/2012 2:59 PM, Jay Hennigan wrote: >> We have received three emails from the US Department of Justice Victim >> Notification System to our ARIN POC address advising us that we may be >> the victim of a crime. Headers look legit. >> >> We have been frustrated in trying to follow the rabbit hole to get any >> useful information. 
we've jumped through hoops to get passwords that >> don't work and attempted to navigate a voice-mail system that resembles >> the "twisty maze of passages all different" from an old text adventure >> game. >> >> This *seems* to be legit, and I would think that the end result is >> likely to be a list of IP addresses associated with infected hosts. >> >> Has anyone else received the email? Is it legit? If so has anyone >> successfully navigated the maze, and if so how? Is it worth it? >> >> (And why don't they just send the list of infected IPs to the ARIN >> contact in the first place?) >> >> -- >> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net >> Impulse Internet Service - http://www.impulse.net/ >> Your local telephone and internet company - 805 884-6323 - WB6RDV >> > From jay at west.net Thu Jan 19 15:04:56 2012 From: jay at west.net (Jay Hennigan) Date: Thu, 19 Jan 2012 13:04:56 -0800 Subject: US DOJ victim letter In-Reply-To: <4F1884BF.3060902@colo4.com> References: <4F18843D.3050101@west.net> <4F1884BF.3060902@colo4.com> Message-ID: <4F188578.6000100@west.net> On 1/19/12 1:01 PM, Dave Ellis wrote: > I've also received the emails, I assumed they were fake as our normal > contacts haven't mentioned anything. The body of the email indeed reads like a poorly-executed phish including elements such as "null" and "" but headers seem legit. -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From mike at m5computersecurity.com Thu Jan 19 15:05:18 2012 From: mike at m5computersecurity.com (Michael J McCafferty) Date: Thu, 19 Jan 2012 13:05:18 -0800 Subject: US DOJ victim letter In-Reply-To: <4F18843D.3050101@west.net> References: <4F18843D.3050101@west.net> Message-ID: <1327007118.15021.4831.camel@mike-desktop> We've been getting them too. I haven't even thought to follow up.
DOJ won't email you with a do not reply. On Thu, 2012-01-19 at 12:59 -0800, Jay Hennigan wrote: > We have received three emails from the US Department of Justice Victim > Notification System to our ARIN POC address advising us that we may be > the victim of a crime. Headers look legit. > > We have been frustrated in trying to follow the rabbit hole to get any > useful information. we've jumped through hoops to get passwords that > don't work and attempted to navigate a voice-mail system that resembles > the "twisty maze of passages all different" from an old text adventure > game. > > This *seems* to be legit, and I would think that the end result is > likely to be a list of IP addresses associated with infected hosts. > > Has anyone else received the email? Is it legit? If so has anyone > successfully navigated the maze, and if so how? Is it worth it? > > (And why don't they just send the list of infected IPs to the ARIN > contact in the first place?) > > -- > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net > Impulse Internet Service - http://www.impulse.net/ > Your local telephone and internet company - 805 884-6323 - WB6RDV > -- ************************************************************ Michael J. McCafferty CEO M5 Hosting http://www.m5hosting.com Like us on Facebook for updates and photos: https://www.facebook.com/m5hosting ************************************************************ From ml at kenweb.org Thu Jan 19 15:05:49 2012 From: ml at kenweb.org (ML) Date: Thu, 19 Jan 2012 16:05:49 -0500 Subject: US DOJ victim letter In-Reply-To: <4F1884B1.5020200@doit.wisc.edu> References: <4F18843D.3050101@west.net> <4F1884B1.5020200@doit.wisc.edu> Message-ID: <4F1885AD.6030405@kenweb.org> On 01/19/2012 04:01 PM, Michael Hare wrote: > AS2381 has also received them, we are no further along in this than you > are. 
> > On 1/19/2012 2:59 PM, Jay Hennigan wrote: >> We have received three emails from the US Department of Justice Victim >> Notification System to our ARIN POC address advising us that we may be >> the victim of a crime. Headers look legit. >> >> We have been frustrated in trying to follow the rabbit hole to get any >> useful information. we've jumped through hoops to get passwords that >> don't work and attempted to navigate a voice-mail system that resembles >> the "twisty maze of passages all different" from an old text adventure >> game. >> >> This *seems* to be legit, and I would think that the end result is >> likely to be a list of IP addresses associated with infected hosts. >> >> Has anyone else received the email? Is it legit? If so has anyone >> successfully navigated the maze, and if so how? Is it worth it? >> >> (And why don't they just send the list of infected IPs to the ARIN >> contact in the first place?) >> >> -- >> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net >> Impulse Internet Service - http://www.impulse.net/ >> Your local telephone and internet company - 805 884-6323 - WB6RDV >> > If it's related to the same emails I've received from the DOJ over the past 3 days: It's related to a case against a few Estonians involved with DNSChanger malware. www.fbi.gov/news/stories/2011/november/malware_110911 From rcarpen at network1.net Thu Jan 19 15:06:08 2012 From: rcarpen at network1.net (Randy Carpenter) Date: Thu, 19 Jan 2012 16:06:08 -0500 (EST) Subject: US DOJ victim letter In-Reply-To: <4F1884B1.5020200@doit.wisc.edu> Message-ID: Same here. No idea who the intended recipient organization is, as it was sent to our generic tech contact email address that is used for a bunch of ASes, ARIN accounts, domains, etc. There are pretty much no details in the message. -Randy ----- Original Message ----- > AS2381 has also received them, we are no further along in this than > you are. 
> > On 1/19/2012 2:59 PM, Jay Hennigan wrote: > > We have received three emails from the US Department of Justice > > Victim > > Notification System to our ARIN POC address advising us that we may > > be > > the victim of a crime. Headers look legit. > > > > We have been frustrated in trying to follow the rabbit hole to get > > any > > useful information. we've jumped through hoops to get passwords > > that > > don't work and attempted to navigate a voice-mail system that > > resembles > > the "twisty maze of passages all different" from an old text > > adventure > > game. > > > > This *seems* to be legit, and I would think that the end result is > > likely to be a list of IP addresses associated with infected hosts. > > > > Has anyone else received the email? Is it legit? If so has anyone > > successfully navigated the maze, and if so how? Is it worth it? > > > > (And why don't they just send the list of infected IPs to the ARIN > > contact in the first place?) > > > > -- > > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net > > Impulse Internet Service - http://www.impulse.net/ > > Your local telephone and internet company - 805 884-6323 - WB6RDV > > > > > From alan at clegg.com Thu Jan 19 15:08:23 2012 From: alan at clegg.com (Alan Clegg) Date: Thu, 19 Jan 2012 16:08:23 -0500 Subject: US DOJ victim letter In-Reply-To: <4F188578.6000100@west.net> References: <4F18843D.3050101@west.net> <4F1884BF.3060902@colo4.com> <4F188578.6000100@west.net> Message-ID: <4F188647.6090601@clegg.com> On 1/19/2012 4:04 PM, Jay Hennigan wrote: > The body of the email indeed reads like a poorly-executed phish > including elements such as "null" and "" but > headers seem legit. I asked a local contact if it was legit and he confirmed that it is. Wait for the paper mail. I was amused to discover that to proceed on the web, I had to enter my last name as "Representative" -- as in "Dear Business Representative". Yep, really. 
AlanC -- alan at clegg.com | aclegg at infoblox.com 1.919.355.8851 From adibble at quantcast.com Thu Jan 19 15:15:28 2012 From: adibble at quantcast.com (Andrew D. Dibble) Date: Thu, 19 Jan 2012 13:15:28 -0800 Subject: US DOJ victim letter In-Reply-To: References: <4F18843D.3050101@west.net> Message-ID: <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com> Operation Ghost Click - someone in your AS has malware which changes their DNS server to an evil IP. ICANN (IIRC) replaced these servers with clean ones around November 2011 and now it seems like the FBI is trying to contact everyone who is still talking to that server. FBI seems to have a list of netblocks hosting rogue DNS servers here: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS So if one of the computers inside your network is talking to one of those IPs for DNS, you probably have malware. Drew On Jan 19, 2012, at 1:03 PM, Tim Jackson wrote: > The 3rd email they sent: > > This email is intended to provide clarification on a previous email > sent to you. You will be receiving a letter by U.S. Postal Service in > the coming days.
> In the meantime, please visit the link below which
> provides more details on the investigation and identifying you as a
> possible victim:
>
> www.fbi.gov/news/stories/2011/november/malware_110911
>
> --
> Tim
>

From cmadams at hiwaay.net Thu Jan 19 15:16:55 2012
From: cmadams at hiwaay.net (Chris Adams)
Date: Thu, 19 Jan 2012 15:16:55 -0600
Subject: US DOJ victim letter
In-Reply-To: <4F188647.6090601@clegg.com>
References: <4F18843D.3050101@west.net> <4F1884BF.3060902@colo4.com> <4F188578.6000100@west.net> <4F188647.6090601@clegg.com>
Message-ID: <20120119211655.GF32702@hiwaay.net>

Once upon a time, Alan Clegg said:
> I was amused to discover that to proceed on the web, I had to enter my
> last name as "Representative" -- as in "Dear Business Representative".
> Yep, really.

me too

After I got yet more such generic and useless info, I lost interest. I tried to go back and log in again, only to get this error from clicking "Login" on the main page:

The page you have requested does not exist, or can not be accessed. Please log in to the application from the main login page.

The link is back to the same login page.

Hope it isn't anything actually important, as the emails and website have been a complete useless joke (that some contractor probably got millions for).
--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From cmadams at hiwaay.net Thu Jan 19 15:19:22 2012
From: cmadams at hiwaay.net (Chris Adams)
Date: Thu, 19 Jan 2012 15:19:22 -0600
Subject: US DOJ victim letter
In-Reply-To: <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com>
References: <4F18843D.3050101@west.net> <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com>
Message-ID: <20120119211922.GG32702@hiwaay.net>

Once upon a time, Andrew D. Dibble said:
> FBI seems to have a list of netblocks hosting rogue DNS servers here:
> https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

So should I try to type in all the IPs on my network, one at a time? Oh wait, that page requires Javascript to check an IP; like I'm going to allow the FBI to run JS on my computer.
--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From lane.powers at swat.coop Thu Jan 19 15:27:43 2012
From: lane.powers at swat.coop (Lane Powers)
Date: Thu, 19 Jan 2012 15:27:43 -0600
Subject: US DOJ victim letter
In-Reply-To: <20120119211922.GG32702@hiwaay.net>
Message-ID:

We took the CIDR blocks listed here;
http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

And ran them against net flow data from our external links and were able to generate a list of subscriber IP addresses that were using the rogue DNS servers.

Lane

--
Lane Powers
Southwest Arkansas Tel

On 1/19/12 3:19 PM, "Chris Adams" wrote:

>Once upon a time, Andrew D. Dibble said:
>> FBI seems to have a list of netblocks hosting rogue DNS servers here:
>> https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
>
>So should I try to type in all the IPs on my network, one at a time? Oh
>wait, that page requires Javascript to check an IP; like I'm going to
>allow the FBI to run JS on my computer.
>
>--
>Chris Adams
>Systems and Network Administrator - HiWAAY Internet Services
>I don't speak for anybody but myself - that's enough trouble.
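One way to do the flow cross-check Lane describes, as an added example that is not Lane's script or anything else from this thread: it collapses the six rogue DNS ranges (the ones PC pulls out of the FBI check page's JavaScript later in the thread) into prefixes and matches constructed flow records against them, listing the subscriber sources that sent port-53 traffic to those servers. The flow record layout and all sample subscriber addresses are constructed; a real run would feed exported flows in whatever format the collector produces.

```python
import ipaddress

# The six "rogue DNS" ranges from the FBI check page (as PC quotes them later in
# this thread), as (first, last) address pairs, collapsed into CIDR prefixes.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
ROGUE_NETS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]

def is_rogue_dns_server(addr):
    """True if addr lies inside one of the rogue DNS ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROGUE_NETS)

def find_infected_sources(flow_lines, dns_port=53):
    """Sorted source IPs that sent UDP/TCP traffic to port 53 on a rogue server.
    Each record is a constructed whitespace-separated flow line:
    <src_ip> <dst_ip> <proto> <dst_port> <packets>; '#' and short lines are skipped."""
    hits = set()
    for line in flow_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        src, dst, proto, dport = fields[:4]
        if proto.lower() not in ("udp", "tcp") or not dport.isdigit():
            continue
        if int(dport) == dns_port and is_rogue_dns_server(dst):
            hits.add(src)
    return sorted(hits, key=ipaddress.ip_address)

# Constructed sample flow records (documentation addresses, not real traffic).
SAMPLE_FLOWS = """\
# src_ip        dst_ip          proto  dport  pkts
198.51.100.10   85.255.113.7    udp    53     12
198.51.100.11   8.8.8.8         udp    53     40
198.51.100.12   213.109.70.1    tcp    53     3
198.51.100.13   85.255.113.7    tcp    80     5
203.0.113.5     64.28.180.44    udp    53     7
""".splitlines()
```

Only port-53 flows count, so a host that merely reached one of those addresses on another port (the tcp/80 record above) is not reported; widen the port filter if you want to see it.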
From paul4004 at gmail.com Thu Jan 19 15:34:12 2012
From: paul4004 at gmail.com (PC)
Date: Thu, 19 Jan 2012 14:34:12 -0700
Subject: US DOJ victim letter
In-Reply-To: <20120119211922.GG32702@hiwaay.net>
References: <4F18843D.3050101@west.net> <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com> <20120119211922.GG32702@hiwaay.net>
Message-ID:

Knowing it's JS, I looked at the source, and here's the "rogue" ranges:

    var IP_RANGES = [
        [[85, 255, 112, 0], [85, 255, 127, 255]],
        [[67, 210, 0, 0], [67, 210, 15, 255]],
        [[93, 188, 160, 0], [93, 188, 167, 255]],
        [[77, 67, 83, 0], [77, 67, 83, 255]],
        [[213, 109, 64, 0], [213, 109, 79, 255]],
        [[64, 28, 176, 0], [64, 28, 191, 255]]
    ];

On Thu, Jan 19, 2012 at 2:19 PM, Chris Adams wrote:

> Once upon a time, Andrew D. Dibble said:
> > FBI seems to have a list of netblocks hosting rogue DNS servers here:
> > https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
>
> So should I try to type in all the IPs on my network, one at a time? Oh
> wait, that page requires Javascript to check an IP; like I'm going to
> allow the FBI to run JS on my computer.
>
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
>

From carlos at race.com Thu Jan 19 15:39:37 2012
From: carlos at race.com (Carlos Alcantar)
Date: Thu, 19 Jan 2012 21:39:37 +0000
Subject: US DOJ victim letter
In-Reply-To: <20120119211655.GF32702@hiwaay.net>
Message-ID:

+1 on these emails we have received 3 of them.

Carlos Alcantar
Race Communications / Race Team Member
101 Haskins Way, So. San Francisco, CA. 94080
Phone: +1 415 376 3314 / carlos at race.com / http://www.race.com

Once upon a time, Alan Clegg said:
> I was amused to discover that to proceed on the web, I had to enter my
> last name as "Representative" -- as in "Dear Business Representative".
> Yep, really.

me too

After I got yet more such generic and useless info, I lost interest.
I tried to go back and log in again, only to get this error from clicking "Login" on the main page:

The page you have requested does not exist, or can not be accessed. Please log in to the application from the main login page.

The link is back to the same login page.

Hope it isn't anything actually important, as the emails and website have been a complete useless joke (that some contractor probably got millions for).
--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From randy at psg.com Thu Jan 19 15:34:49 2012
From: randy at psg.com (Randy Bush)
Date: Fri, 20 Jan 2012 06:34:49 +0900
Subject: RIS raw data
In-Reply-To: <85D843DC-9481-47E1-904A-035C758A66DE@castlepoint.net>
References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> <85D843DC-9481-47E1-904A-035C758A66DE@castlepoint.net>
Message-ID:

> Please don't conflate the policy mechanisms enabled by the IRR policy
> *language*/specification itself with the *data* contained in the IRR

i don't. the former is called rpsl.

>> some years back, i asked for a *simple minimal* tagging of announcements
>> to route views, just peer, customer, internal. it got ietfed to utter
>> uselessness, with more crap welded on to it than envisioned in mad max.
>
> Wrt your last paragraph: care to share a link the I-D (or, RFC) that
> you allude to above?

http://tools.ietf.org/html/draft-ietf-grow-collection-communities-08

> I think your last paragraph is alluding to tagging routes with
> standard BGP communities, based on your "simple minimal" criteria,
> before they are sent to route-views. That strikes me as potentially
> orthogonal to issues with the present data in the IRR.

but not orthogonal to the op's direct question.
randy

From simon at slimey.org Thu Jan 19 15:36:13 2012
From: simon at slimey.org (Simon Lockhart)
Date: Thu, 19 Jan 2012 21:36:13 +0000
Subject: US DOJ victim letter
In-Reply-To: <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com>
References: <4F18843D.3050101@west.net> <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com>
Message-ID: <20120119213613.GE17969@virtual.bogons.net>

On Thu Jan 19, 2012 at 01:15:28PM -0800, Andrew D. Dib