Re: Fwd: Interesting problems with using IPv6

2014-09-14 Thread Bruce Pinsky
On 9/14/2014 11:20 AM, Matthew Petach wrote:
> On Sun, Sep 14, 2014 at 10:45 AM, Sam Stickland  wrote:
> 
>> Slightly off topic, but has there ever been a proposed protocol where hosts
>> can register their L2/L3 binding with their connected switch (which could
>> then propagate the binding to other switches in the Layer 2 domain)?
>> Further discovery requests (e.g. ARP, ND) from other attached hosts could
>> then all be directly replied, eliminating broadcast gratuitous arps. If the
>> switches don't support the protocol they would default to flooding the
>> discovery requests.
>>
>> It seems to me that so many network are caused because of the inability to
>> change the host mechanisms.
>>
>> Sam
>>
> 
> 
> It looks like in 2011 Cisco proposed a
> technology called "OTV" that would do
> just that, according to this page:
>  http://network-101.blogspot.com/2011/03/otv-vs-vpls.html
> Granted, it was aimed for wide-area
> networking, rather than control within
> a datacenter; but as everyone who has
> started doing BGP to their top of rack
> switches has learned, there's often good
> value in adopting techniques and protocols
> used in the wide area network within the
> datacenter as well.
> 
> However, I haven't heard recent mention
> of it, so I'm guessing it failed to make a
> big enough splash to get any widespread
> adoption.
>

Also consider the emergence of eVPN and PBB-eVPN.

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=5998&tclass=popup

-- 
=
bep






Re: Policy-based routing is evil? Discuss.

2013-10-11 Thread Bruce Pinsky

Phil Bedard wrote:
> I'm having a discussion with a small network in a part of the world
> where bandwidth is scarce and multiple DSL lines are often used for
> upstream links. The topic is policy-based routing, which is being
> described as "load balancing" where end-user traffic is assigned to a
> line according to source address.
> 
> In my opinion the main problems with this are:
> 
>   - It's brittle, when a line fails, traffic doesn't re-route
>   - None of the usual debugging tools work properly
>   - Adding a new user is complicated because it has to be done in (at
> least) two places
> 
> But I'm having a distinct lack of success locating rants and diatribes
> or even well-reasoned articles supporting this opinion.
> 
> Am I out to lunch?
> 

No, but what better solution do we have to offer them?  There are dynamic
load distribution features and products (think Cisco PfR, for example), but
those are routinely lambasted as well.


-- 
=
bep




Re: Office 365..? how Microsoft handed the NSA access to encrypted messages

2013-07-12 Thread Bruce Pinsky

Matt Baldwin wrote:
> While that would secure the connections from snooping if your mailboxes
> are on Office 365 and those mailbox stores do not exist on an encrypted LUN
> then a service can easily read the Exchange database; anyone with server
> access can read mail across all mailboxes. In fact, Microsoft supports this
> type of setup with impersonation, e.g. a global user that can query any
> mailbox it has permissions to within Exchange. This is how some EWS
> integrated applications work. It wouldn't be that far fetched for the NSA
> to incorporate the same type of query to monitor the mailboxes -- even
> subscribing to change notifications so it only queries and collects when a
> new mail item has arrived. Additionally, Office 365 can simply create a
> journal rule and have all inbound / outbound mail journal to a location
> that makes it easier for snoops to look through the messages, e.g. an
> external SMTP endpoint, all without the end customers' knowledge.
> 
> If anyone has any questions on Exchange they, too, can contact me off list.
> 
> Just my 2-cents.

And what's to say that email addresses at Office 365 aren't just mailing
lists where you get a copy and so does $FEDAGENCY.  That's how my kids'
email addresses work at home :-)


-- 
=
bep




Re: Single AS multiple Diverse Providers

2013-06-10 Thread Bruce Pinsky

Patrick W. Gilmore wrote:
> On Jun 10, 2013, at 13:36 , Bruce Pinsky  wrote:
>> Patrick W. Gilmore wrote:
> 
>>>> however, providers a/b at site1 do not send us the two /24s from
>>>> site b..
>>>
>>> This is probably incorrect.
>>>
>>> The providers are almost certainly sending you the prefixes, but your 
>>> router is dropping them due to loop detection. To answer your later 
>>> question, this is the definition of 'standard' as it is written into the 
>>> RFC.
>>>
>>> Use the allow-as-in style command posted later in this thread to fix your 
>>> router.
> 
>> Or maintain "standard" behavior by running a GRE tunnel between the two
>> discontinuous sites and run iBGP over the tunnel.
> 
> Standard how? I don't remember any such standard, but always willing to be 
> educated.
> 
> Also, as someone who helps run 2500 non-connected sites, I can't begin to 
> imagine the mess of GRE that would require. (OK, not all are in the same ASN, 
> but I like hyperbole. :)
> 

"Standard" in the sense of continuing to reject duplicate ASN in the AS
path and not using a BGP knob to allow unnatural behavior.

If the networks he wishes to advertise for those sites are considered in
the same ASN, there should be continuity between those sites, either
physical or virtual.

-- 
=
bep




Re: Single AS multiple Diverse Providers

2013-06-10 Thread Bruce Pinsky

Patrick W. Gilmore wrote:
>> however, providers a/b at site1 do not send us the two /24s from
>> site b..
> 
> This is probably incorrect.
> 
> The providers are almost certainly sending you the prefixes, but your router 
> is dropping them due to loop detection. To answer your later question, this 
> is the definition of 'standard' as it is written into the RFC.
> 
> Use the allow-as-in style command posted later in this thread to fix your 
> router.
> 

Or maintain "standard" behavior by running a GRE tunnel between the two
discontinuous sites and run iBGP over the tunnel.

-- 
=
bep

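The loop-detection behaviour discussed in both of the "Single AS" replies above, as an added toy model (not code from the thread): the AS_PATH check of RFC 4271 section 9.1.2 drops the other site's /24s, an `allowas-in`-style knob relaxes it, and an iBGP session over a GRE tunnel sidesteps it because iBGP peers do not prepend their ASN. ASNs and prefixes are constructed from the documentation ranges.

```python
# Added example (not from the thread): a toy model of the BGP AS_PATH loop
# check from RFC 4271 section 9.1.2, the vendor "allowas-in" relaxation, and
# why iBGP over a tunnel between the two sites avoids needing that knob.
from dataclasses import dataclass

@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: tuple  # leftmost ASN is the neighbour that sent us the route

def accept_update(update: Update, local_as: int, allowas_in: int = 0) -> bool:
    """Standard behaviour: any occurrence of local_as in AS_PATH is a loop and
    the route is dropped. allowas_in=N tolerates up to N occurrences (the
    knob discussed in the thread)."""
    return update.as_path.count(local_as) <= allowas_in

def routes_learned(updates, local_as: int, allowas_in: int = 0) -> list:
    return sorted(u.prefix for u in updates if accept_update(u, local_as, allowas_in))

# Constructed scenario: one ASN at two discontiguous sites. ASNs are from the
# documentation range (RFC 5398); prefixes from RFC 5737.
LOCAL_AS = 64500
# What site 1 hears from its two providers over eBGP: site 2 originated the
# /24s in AS 64500, so our own ASN is already in the path when they arrive.
EBGP_AT_SITE1 = [
    Update("192.0.2.0/24", (64496, LOCAL_AS)),
    Update("198.51.100.0/24", (64497, LOCAL_AS)),
    Update("203.0.113.0/24", (64496, 64510)),  # unrelated prefix, no loop
]
# The same /24s over an iBGP session run across a GRE tunnel to site 2: an
# iBGP peer does not prepend its ASN, so AS_PATH stays empty for locally
# originated routes and the standard loop check is satisfied without a knob.
IBGP_OVER_TUNNEL = [
    Update("192.0.2.0/24", ()),
    Update("198.51.100.0/24", ()),
]

if __name__ == "__main__":
    print("eBGP, standard   :", routes_learned(EBGP_AT_SITE1, LOCAL_AS))
    print("eBGP, allowas-in :", routes_learned(EBGP_AT_SITE1, LOCAL_AS, allowas_in=1))
    print("iBGP over tunnel :", routes_learned(IBGP_OVER_TUNNEL, LOCAL_AS))
```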



Re: Cisco CAT6500 IOS Simulator

2012-02-23 Thread Bruce Pinsky

- -Hammer- wrote:
> I'm sure that virtualizing the sup would be possible. But having to come up
> with all the line cards would be a nightmare. I'd love for someone Internal
> to tell me I'm wrong but until we can get a 3560 or a 3750X on Dynamips I
> wouldn't push for a 6500 or a Nexus.
> 

What functionality of the 6500 are you looking for?  If you want hardware
specifics like QoS queues and such, that is unlikely.  If you are looking
for platform independent things like spanning tree, port channels, layer 3
functionality, etc, there may be a solution forthcoming from Cisco.

-- 
=
bep




Re: Did Internap lose all clue?

2011-10-20 Thread Bruce Pinsky

Darrell Hyde wrote:
>> That might have something to do with the fact InterNAP bought both of 
>> them (and the third company in that space).
> 
> I believe RouteScience was acquired by Avaya in 2004. Did Internap acquire 
> the IP after the fact?
> 

Correct on RouteScience going to Lucent/Avaya.  InterNAP bought NetVMG and
Sockeye in 2003.  Proficient Networks merged with IP Deliver forming
Infiniroute in 2004.

http://www.networkworld.com/news/2003/1013internap.html
http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=1204052

And Cisco in the space with OER/PFR.

-- 
=
bep




Re: Access and Session Control System?

2011-09-01 Thread Bruce Pinsky

Jones, Barry wrote:
> 
> Hello all. I am looking at a variety of systems/methods to provide
> (vendor, employee) access into my dmz's. I want to reduce the FW rule
> sets and connections to as minimal as possible. And I want the accessing
> party to only get to the destination I define (like a fw rule).
> 
> When I refer to access, I'm referring to the ability of a vendor or
> employee to perform maintenance tasks on a server(s). The server(s) will
> be running apps for doing different tasks - such as Shavlik, etc..,
> (patching, reports, logging, etc..), so I am envisioning allowing an
> outside vendor/employee (from the internet or corp. net) to RDP or SSH
> to a given Windows or Unix based machines, then perform their
> application work from that jumping off point - kind of like a terminal
> server; but I'd like to control and audit the sessions as well.
> 
> Overall, I can allow a host/port through the FW to a single host, but I
> wanted to be able to do the session management and endpoint controls.
> FW's are ok, but you know as well as I that I now deal with lots of
> rules sets. And I need to also authenticate the user.
> 
> We are a couple smaller facilities (150 hosts each) and I need to be
> able to control and audit the sessions when requested. I have considered
> doing a meetingplace server, then providing escorted access for them, or
> doing just the FW and a "jump" host - but need the endpoint and session
> solution, or just using VPN - but don't want to install a host on the
> vendor machines. I also have looked at a product called EDMZ - wondered
> if anyone had experience with it?
> 
> And did I say I wanted to keep it as simple as possible? :-) It's been a
> few years since I've done hands-on networking work, so excuse the
> long-winded letter. Feel free to email me directly too.
> 

The Cisco ASA firewall/VPN appliance with SSLVPN can provide the kind of
control you are asking for.  You can customize for different connection
profiles that are based on individuals and/or groups that specify where they
can connect to and what types of connection protocols can be used.

-- 
=
bep




Re: SMS Standards

2008-10-16 Thread Bruce Pinsky

Glen Kent wrote:
> Hi,
> 
> Apologies in advance since this is off-topic. However, posting it on
> nanog since I am confident that we will have some experts who would be
> able to guide me here.
> 
> I want to study the standards (RFC equivalent) for sending and
> receiving SMSs. Any ideas on what kind of protocol runs between a
> mobile phone and an SMS center (SMSC)?
> 

Wiki_Pedia is your friend http://en.wikipedia.org/wiki/Short_message_service

The Short Message Service - Point to Point (SMS-PP) is defined in GSM
recommendation 03.40.[2] GSM 03.41 defines the Short Message Service - Cell
Broadcast (SMS-CB) which allows messages (advertising, public information,
etc.) to be broadcast to all mobile users in a specified geographical
area.[16] Messages are sent to a Short Message Service Centre (SMSC) which
provides a store-and-forward mechanism. It attempts to send messages to
their recipients. If a recipient is not reachable, the SMSC queues the
message for later retry.[17] Some SMSCs also provide a "forward and forget"
option where transmission is tried only once. Both Mobile Terminated (MT),
for messages sent to a mobile handset, and Mobile Originating (MO), for
those that are sent from the mobile handset, operations are supported.
Message delivery is best effort, so there are no guarantees that a message
will actually be delivered to its recipient and delay or complete loss of a
message is not uncommon, particularly when sending between networks. Users
may choose to request delivery reports (simply add *0# or *N# to the
beginning of your text message), which can provide positive confirmation
that the message has reached the intended recipient.

Transmission of short messages between the SMSC and the handset is done
using the Mobile Application Part (MAP) of the SS7 protocol. Messages are
sent with the MAP mo- and mt-ForwardSM operations, whose payload length is
limited by the constraints of the signalling protocol to precisely 140
octets (140 octets = 140 * 8 bits = 1120 bits). Short messages can be
encoded using a variety of alphabets: the default GSM 7-bit alphabet (shown
below), the 8-bit data alphabet, and the 16-bit UTF-16/UCS-2 alphabet.[18]
Depending on which alphabet the subscriber has configured in the handset,
this leads to the maximum individual Short Message sizes of 160 7-bit
characters, 140 8-bit characters, or 70 16-bit characters (including
spaces). Support of the GSM 7-bit alphabet is mandatory for GSM handsets
and network elements,[18] but characters in languages such as Arabic,
Chinese, Korean, Japanese or Cyrillic alphabet languages (e.g. Russian)
must be encoded using the 16-bit UCS-2 character encoding (see Unicode).
Routing data and other metadata is additional to the payload size.

-- 
=
bep

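Where the 160 / 140 / 70 character limits quoted above come from, as an added example (not code from the post or from the Wikipedia text it quotes): the fixed 140-octet ForwardSM payload, the LSB-first septet packing of the GSM 7-bit alphabet, and the fallback to UCS-2 for scripts the default alphabet cannot carry. The GSM 7-bit alphabet is modelled only for the subset of GSM 03.38 whose codes coincide with ASCII.

```python
# Added example (not from the post): where the 160/140/70 figures come from.
# The GSM 7-bit default alphabet is modelled only for the subset of GSM 03.38
# whose codes coincide with ASCII; '$', '@', '[', '\\', ']', '^', '_', '`',
# '{', '|', '}' and '~' differ in GSM 03.38 and are deliberately left out.
import string

GSM7_ASCII_SUBSET = frozenset(string.ascii_letters + string.digits
                              + " !\"#%&'()*+,-./:;<=>?")
PAYLOAD_OCTETS = 140  # MAP mo-/mt-ForwardSM user-data limit quoted above

def max_chars(alphabet: str) -> int:
    """Characters per single message: 160 (7-bit), 140 (8-bit), 70 (UCS-2)."""
    bits_per_char = {"gsm7": 7, "8bit": 8, "ucs2": 16}[alphabet]
    return PAYLOAD_OCTETS * 8 // bits_per_char

def choose_alphabet(text: str) -> str:
    """Text goes as 7-bit if every character fits the modelled subset;
    otherwise the whole message must be UCS-2 (Cyrillic, CJK, Arabic, ...)."""
    return "gsm7" if all(ch in GSM7_ASCII_SUBSET for ch in text) else "ucs2"

def fits_single_message(text: str) -> bool:
    return len(text) <= max_chars(choose_alphabet(text))

def gsm7_pack(text: str) -> bytes:
    """Pack septets LSB-first into octets (GSM 03.38 packing): 8 septets
    occupy 7 octets, so 160 characters fill exactly 140 octets."""
    out, acc, nbits = bytearray(), 0, 0
    for ch in text:
        if ch not in GSM7_ASCII_SUBSET:
            raise ValueError(f"{ch!r} is outside the modelled GSM 7-bit subset")
        acc |= ord(ch) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)

def gsm7_unpack(data: bytes, n_septets: int) -> str:
    """Inverse of gsm7_pack. The septet count must be carried separately:
    trailing zero bits are indistinguishable from a packed septet 0x00."""
    acc = int.from_bytes(data, "little")
    return "".join(chr((acc >> (7 * i)) & 0x7F) for i in range(n_septets))
```

`gsm7_pack("hellohello")` yields the well-known packing `e8329bfd4697d9ec37`, nine octets for ten characters.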



Re: Possible explanations for a large hop in latency

2008-07-01 Thread Bruce Pinsky


Sam Stickland wrote:
| Even if they are decrementing TTL inside of their MPLS core, the TTL
| expired message still has to traverse the entire MPLS LSP (tunnel), so
| the latency reported for each "hop" is in fact the latency of the last
| hop in the MPLS network. Always.
|

And who said tunneling protocols aren't fun :-)

-- 
=
bep

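The effect Sam describes above, as an added toy traceroute model (not code from the thread, and the router names and link latencies are constructed): a TTL-exceeded message generated by a transit LSR is label-switched on to the egress PE before it can be routed back, so every core hop reports the egress PE's RTT, which shows up as one large jump followed by a flat run.

```python
# Added example (not from the thread): a toy traceroute model of the effect
# described above. Link latencies and router names are constructed.
from itertools import accumulate

# One-way latency (ms) of each link, source -> hop[i]. p1-p3 are transit LSRs
# inside the LSP; "ingress-pe" still handles an expiring probe as plain IP
# before any label is pushed, and "egress-pe" pops the label itself.
HOPS = ["ingress-pe", "p1", "p2", "p3", "egress-pe", "dest"]
LINK_MS = [1, 10, 10, 10, 10, 1]
TRANSIT_LSRS = {"p1", "p2", "p3"}
EGRESS = "egress-pe"

def one_way_ms() -> dict:
    return dict(zip(HOPS, accumulate(LINK_MS)))

def plain_ip_rtts() -> dict:
    """Every router returns ICMP time-exceeded straight to the source."""
    return {hop: 2 * t for hop, t in one_way_ms().items()}

def mpls_rtts() -> dict:
    """A transit LSR cannot route the time-exceeded message back itself: it is
    label-switched on to the egress PE, which then routes it to the source.
    Reported RTT = to the LSR + LSR-to-egress + egress-to-source, which
    collapses to the egress PE's own RTT regardless of which LSR answered."""
    fwd = one_way_ms()
    rtts = {}
    for hop, t in fwd.items():
        if hop in TRANSIT_LSRS:
            rtts[hop] = t + (fwd[EGRESS] - t) + fwd[EGRESS]
        else:
            rtts[hop] = 2 * t
    return rtts

def apparent_jumps(rtts: dict) -> list:
    """Hop-to-hop RTT increases, i.e. what a reader of the traceroute sees."""
    values = list(rtts.values())
    return [b - a for a, b in zip(values, values[1:])]

if __name__ == "__main__":
    for name, fn in (("plain IP", plain_ip_rtts), ("MPLS LSP", mpls_rtts)):
        r = fn()
        print(f"{name:9}", {h: f"{v} ms" for h, v in r.items()},
              "jumps:", apparent_jumps(r))
```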



nanog@nanog.org

2007-08-08 Thread Bruce Pinsky


Paul Ferguson wrote:
> No idea -- maybe just a hiccup?
> 

No, the outage is real and affecting network and systems for internal and
external services.

-- 
=
bep
