Re: Fwd: Interesting problems with using IPv6
On 9/14/2014 11:20 AM, Matthew Petach wrote:
> On Sun, Sep 14, 2014 at 10:45 AM, Sam Stickland wrote:
>
>> Slightly off topic, but has there ever been a proposed protocol where hosts
>> can register their L2/L3 binding with their connected switch (which could
>> then propagate the binding to other switches in the Layer 2 domain)?
>> Further discovery requests (e.g. ARP, ND) from other attached hosts could
>> then all be directly replied, eliminating broadcast gratuitous arps. If the
>> switches don't support the protocol they would default to flooding the
>> discovery requests.
>>
>> It seems to me that so many network problems are caused because of the
>> inability to change the host mechanisms.
>>
>> Sam
>
> It looks like in 2011 Cisco proposed a technology called "OTV" that would do
> just that, according to this page:
> http://network-101.blogspot.com/2011/03/otv-vs-vpls.html
> Granted, it was aimed for wide-area networking, rather than control within
> a datacenter; but as everyone who has started doing BGP to their top of rack
> switches has learned, there's often good value in adopting techniques and
> protocols used in the wide area network within the datacenter as well.
>
> However, I haven't heard recent mention of it, so I'm guessing it failed to
> make a big enough splash to get any widespread adoption.

Also consider the emergence of eVPN and PBB-eVPN.

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=5998&tclass=popup

--
= bep
Re: Policy-based routing is evil? Discuss.
Phil Bedard wrote:
> I'm having a discussion with a small network in a part of the world
> where bandwidth is scarce and multiple DSL lines are often used for
> upstream links. The topic is policy-based routing, which is being
> described as "load balancing" where end-user traffic is assigned to a
> line according to source address.
>
> In my opinion the main problems with this are:
>
> - It's brittle, when a line fails, traffic doesn't re-route
> - None of the usual debugging tools work properly
> - Adding a new user is complicated because it has to be done in (at
>   least) two places
>
> But I'm having a distinct lack of success locating rants and diatribes
> or even well-reasoned articles supporting this opinion.
>
> Am I out to lunch?

No, but what better solution do we have to offer them? There are dynamic load
distribution features and products (think Cisco PfR, for example), but those
are routinely lambasted as well.

--
= bep
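The brittleness Phil lists first (a line fails, traffic does not re-route) is easy to see in a toy model. The following is an added example, not code from the thread or from any vendor: a router that assigns users to upstream lines by source prefix, first as a static policy, then with a next-hop liveness check that falls back to the ordinary routing table. Line names, prefixes and next-hop addresses are constructed for illustration.

```python
"""Added example, not from the thread: a toy model of source-based
policy-based routing (PBR) over several upstream lines. It contrasts a
static policy with one that checks next-hop liveness before honouring the
policy. Line names, prefixes and next-hop addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Line:
    name: str
    next_hop: str          # constructed next-hop address on this DSL line
    up: bool = True        # whether the line (and its next hop) is reachable


@dataclass
class Router:
    lines: dict            # line name -> Line
    policy: list           # (source prefix, line name) pairs, first match wins
    default_line: str      # where the ordinary routing table would send traffic
    verify_availability: bool = False   # check next hop before applying policy

    def choose_line(self, src):
        src = ip_address(src)
        for prefix, line_name in self.policy:
            if src in ip_network(prefix):
                line = self.lines[line_name]
                if line.up or not self.verify_availability:
                    # Static PBR: the policy wins even if the line is dead.
                    return line
                # Liveness check failed: fall through to the routing table.
                break
        return self.lines[self.default_line]

    def forward(self, src):
        """Return the line a packet from src leaves on, or None if black-holed."""
        line = self.choose_line(src)
        return line.name if line.up else None


def build_router(verify_availability):
    lines = {
        "dsl1": Line("dsl1", "203.0.113.1"),
        "dsl2": Line("dsl2", "203.0.113.5"),
    }
    # Users are split across lines by source address, as in the post.
    policy = [("192.0.2.0/25", "dsl1"), ("192.0.2.128/25", "dsl2")]
    return Router(lines, policy, default_line="dsl1",
                  verify_availability=verify_availability)


def simulate_line_failure(verify_availability, src="192.0.2.200"):
    """Line used before and after dsl2 fails, for one user on the dsl2 half."""
    router = build_router(verify_availability)
    before = router.forward(src)
    router.lines["dsl2"].up = False
    after = router.forward(src)
    return before, after


if __name__ == "__main__":
    print("static PBR:            ", simulate_line_failure(False))
    print("with liveness fallback:", simulate_line_failure(True))
```

With the static policy the user on the failed line is black-holed; with the liveness check the traffic falls back to the routing table's line. The model also shows the "two places" problem: a new user has to land in the right address range and the policy has to be told about that range.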
Re: Office 365..? how Microsoft handed the NSA access to encrypted messages
Matt Baldwin wrote:
> While that would secure the connections from snooping if your mailboxes
> are on Office 365 and those mailbox stores do not exist on an encrypted LUN
> then a service can easily read the Exchange database; anyone with server
> access can read mail across all mailboxes. In fact, Microsoft supports this
> type of setup with impersonation, e.g. a global user that can query any
> mailbox it has permissions to within Exchange. This is how some EWS
> integrated applications work. It wouldn't be that far fetched for the NSA
> to incorporate the same type of query to monitor the mailboxes -- even
> subscribing to change notifications so it only queries and collects when a
> new mail item has arrived. Additionally, Office 365 can simply create a
> journal rule and have all inbound / outbound mail journal to a location
> that makes it easier for snoops to look through the messages, e.g. an
> external SMTP endpoint, all without the end customers' knowledge.
>
> If anyone has any questions on Exchange they, too, can contact me off list.
>
> Just my 2-cents.

And what's to say that email addresses at Office 365 aren't just mailing lists
where you get a copy and so does $FEDAGENCY. That's how my kids' email
addresses work at home :-)

--
= bep
Re: Single AS multiple Diverse Providers
Patrick W. Gilmore wrote:
> On Jun 10, 2013, at 13:36 , Bruce Pinsky wrote:
>> Patrick W. Gilmore wrote:
>
>>>> however, providers a/b at site1 do not send us the two /24s from
>>>> site b..
>>>
>>> This is probably incorrect.
>>>
>>> The providers are almost certainly sending you the prefixes, but your
>>> router is dropping them due to loop detection. To answer your later
>>> question, this is the definition of 'standard' as it is written into the
>>> RFC.
>>>
>>> Use the allow-as-in style command posted later in this thread to fix your
>>> router.
>
>> Or maintain "standard" behavior by running a GRE tunnel between the two
>> discontinuous sites and run iBGP over the tunnel.
>
> Standard how? I don't remember any such standard, but always willing to be
> educated.
>
> Also, as someone who helps run 2500 non-connected sites, I can't begin to
> imagine the mess of GRE that would require. (OK, not all are in the same ASN,
> but I like hyperbole. :)

"Standard" in the sense of continuing to reject duplicate ASN in the AS path
and not using a BGP knob to allow unnatural behavior. If the networks he wishes
to advertise for those sites are considered in the same ASN, there should be
continuity between those sites, either physical or virtual.

--
= bep
Re: Single AS multiple Diverse Providers
Patrick W. Gilmore wrote:
>> however, providers a/b at site1 do not send us the two /24s from
>> site b..
>
> This is probably incorrect.
>
> The providers are almost certainly sending you the prefixes, but your router
> is dropping them due to loop detection. To answer your later question, this
> is the definition of 'standard' as it is written into the RFC.
>
> Use the allow-as-in style command posted later in this thread to fix your
> router.

Or maintain "standard" behavior by running a GRE tunnel between the two
discontinuous sites and run iBGP over the tunnel.

--
= bep
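Both messages in this thread turn on the same mechanism: the receiving router finds its own ASN in the AS_PATH of the provider's re-advertisement and excludes the route, as RFC 4271 section 9.1.2 describes. The following is an added example, not code from the thread or from any router vendor: a toy BGP speaker that applies that loop check and then shows the two remedies discussed, an allowas-in style knob that tolerates one occurrence of the local ASN, and an iBGP session between the sites (such as over a GRE tunnel), where no ASN is prepended at all. ASNs, prefixes and paths are constructed for illustration.

```python
"""Added example, not from the thread: a toy BGP speaker with the
RFC 4271 AS loop check on eBGP routes, and the two ways of getting the
remote site's /24s installed that the thread discusses. ASNs, prefixes
and AS paths are constructed for illustration."""
from dataclasses import dataclass, field

MY_ASN = 64500          # constructed: the single ASN used at both sites
PROVIDER_ASN = 64496    # constructed: upstream provider as seen from site A
SITE_B_PREFIXES = ["198.51.100.0/24", "198.51.101.0/24"]   # constructed


@dataclass
class Update:
    prefix: str
    as_path: tuple       # ASNs, nearest peer first
    session: str         # "ebgp" or "ibgp"


@dataclass
class Speaker:
    asn: int
    allowas_in: int = 0  # occurrences of the local ASN tolerated in AS_PATH
    rib: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)

    def receive(self, upd):
        """Apply the loop check and install the route; True if accepted."""
        if upd.session == "ebgp":
            own_count = upd.as_path.count(self.asn)
            if own_count > self.allowas_in:
                self.rejected.append((upd.prefix, "local ASN in AS_PATH"))
                return False
        # An iBGP peer in the same ASN does not prepend the ASN, so there is
        # nothing for the loop check to trip on; iBGP relies on the rule of
        # not re-advertising iBGP-learned routes to other iBGP peers instead.
        self.rib[upd.prefix] = upd.as_path
        return True


def site_a_learns(mode):
    """Prefixes site A installs for site B under a mode, plus rejection count.

    mode is one of "default", "allowas-in" or "ibgp-over-gre".
    """
    speaker = Speaker(MY_ASN, allowas_in=1 if mode == "allowas-in" else 0)
    if mode == "ibgp-over-gre":
        # Site B speaks iBGP directly to site A through the tunnel.
        updates = [Update(p, (), "ibgp") for p in SITE_B_PREFIXES]
    else:
        # The provider re-advertises site B's routes; the path carries MY_ASN.
        updates = [Update(p, (PROVIDER_ASN, MY_ASN), "ebgp")
                   for p in SITE_B_PREFIXES]
    for upd in updates:
        speaker.receive(upd)
    return sorted(speaker.rib), len(speaker.rejected)


if __name__ == "__main__":
    for mode in ("default", "allowas-in", "ibgp-over-gre"):
        print(mode, site_a_learns(mode))
```

The default mode reproduces the symptom in the original question (the provider does send the /24s, the router just will not install them); the other two modes show why the choice is between relaxing the check and giving the two sites a path that makes them one contiguous ASN.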
Re: Cisco CAT6500 IOS Simulator
-Hammer- wrote:
> I'm sure that virtualizing the sup would be possible. But having to come up
> with all the line cards would be a nightmare. I'd love for someone Internal
> to tell me I'm wrong but until we can get a 3560 or a 3750X on Dynamips I
> wouldn't push for a 6500 or a Nexus.

What functionality of the 6500 are you looking for? If you want hardware
specifics like QoS queues and such, that is unlikely. If you are looking for
platform independent things like spanning tree, port channels, layer 3
functionality, etc, there may be a solution forthcoming from Cisco.

--
= bep
Re: Did Internap lose all clue?
Darrell Hyde wrote:
>> That might have something to do with the fact InterNAP bought both of
>> them (and the third company in that space).
>
> I believe RouteScience was acquired by Avaya in 2004. Did Internap acquire
> the IP after the fact?

Correct on RouteScience going to Lucent/Avaya. InterNAP bought NetVMG and
Sockeye in 2003. Proficient Networks merged with IP Deliver forming
Infiniroute in 2004.

http://www.networkworld.com/news/2003/1013internap.html
http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=1204052

And Cisco in the space with OER/PFR.

--
= bep
Re: Access and Session Control System?
Jones, Barry wrote:
>
> Hello all. I am looking at a variety of systems/methods to provide
> (vendor, employee) access into my dmz's. I want to reduce the FW rule
> sets and connections to as minimal as possible. And I want the accessing
> party to only get to the destination I define (like a fw rule).
>
> When I refer to access, I'm referring to the ability of a vendor or
> employee to perform maintenance tasks on a server(s). The server(s) will
> be running apps for doing different tasks - such as Shavlik, etc.,
> (patching, reports, logging, etc.), so I am envisioning allowing an
> outside vendor/employee (from the internet or corp. net) to RDP or SSH
> to a given Windows or Unix based machine, then perform their
> application work from that jumping off point - kind of like a terminal
> server; but I'd like to control and audit the sessions as well.
>
> Overall, I can allow a host/port through the FW to a single host, but I
> wanted to be able to do the session management and endpoint controls.
> FW's are ok, but you know as well as I that I now deal with lots of
> rule sets. And I need to also authenticate the user.
>
> We are a couple smaller facilities (150 hosts each) and I need to be
> able to control and audit the sessions when requested. I have considered
> doing a meetingplace server, then providing escorted access for them, or
> doing just the FW and a "jump" host - but need the endpoint and session
> solution, or just using VPN - but don't want to install a host on the
> vendor machines. I also have looked at a product called EDMZ - wondered
> if anyone had experience with it?
>
> And did I say I wanted to keep it as simple as possible? :-) It's been a
> few years since I've done hands-on networking work, so excuse the
> long-winded letter. Feel free to email me directly too.

The Cisco ASA firewall/VPN appliance with SSLVPN can provide the kind of
control you are asking for. You can customize different connection profiles,
based on individuals and/or groups, that specify where they can connect to and
what types of connection protocols can be used.

--
= bep
Re: SMS Standards
Glen Kent wrote:
> Hi,
>
> Apologies in advance since this is off-topic. However, posting it on
> nanog since i am confident that we will have some experts who would be
> able to guide me here.
>
> I want to study the standards (RFC equivalent) for sending and
> receiving SMSs. Any ideas on what kind of protocol runs between a
> mobile phone and a SMS center (SMSC)?

Wiki_Pedia is your friend

http://en.wikipedia.org/wiki/Short_message_service

The Short Message Service - Point to Point (SMS-PP) is defined in GSM
recommendation 03.40.[2] GSM 03.41 defines the Short Message Service - Cell
Broadcast (SMS-CB) which allows messages (advertising, public information,
etc.) to be broadcast to all mobile users in a specified geographical
area.[16]

Messages are sent to a Short Message Service Centre (SMSC) which provides a
store-and-forward mechanism. It attempts to send messages to their
recipients. If a recipient is not reachable, the SMSC queues the message for
later retry.[17] Some SMSCs also provide a "forward and forget" option where
transmission is tried only once. Both Mobile Terminated (MT), for messages
sent to a mobile handset, and Mobile Originating (MO), for those that are
sent from the mobile handset, operations are supported. Message delivery is
best effort, so there are no guarantees that a message will actually be
delivered to its recipient and delay or complete loss of a message is not
uncommon, particularly when sending between networks. Users may choose to
request delivery reports (simply add *0# or *N# to the beginning of your
text message), which can provide positive confirmation that the message has
reached the intended recipient.

Transmission of short messages between the SMSC and the handset is done
using the Mobile Application Part (MAP) of the SS7 protocol. Messages are
sent with the MAP mo- and mt-ForwardSM operations, whose payload length is
limited by the constraints of the signalling protocol to precisely 140
octets (140 octets = 140 * 8 bits = 1120 bits). Short messages can be
encoded using a variety of alphabets: the default GSM 7-bit alphabet (shown
below), the 8-bit data alphabet, and the 16-bit UTF-16/UCS-2 alphabet.[18]
Depending on which alphabet the subscriber has configured in the handset,
this leads to the maximum individual Short Message sizes of 160 7-bit
characters, 140 8-bit characters, or 70 16-bit characters (including
spaces). Support of the GSM 7-bit alphabet is mandatory for GSM handsets and
network elements,[18] but characters in languages such as Arabic, Chinese,
Korean, Japanese or Cyrillic alphabet languages (e.g. Russian) must be
encoded using the 16-bit UCS-2 character encoding (see Unicode). Routing
data and other metadata is additional to the payload size.

--
= bep
Re: Possible explanations for a large hop in latency
Sam Stickland wrote:
| Even if they are decrementing TTL inside of their MPLS core, the TTL
| expired message still has to traverse the entire MPLS LSP (tunnel), so
| the latency reported for each "hop" is in fact the latency of the last
| hop in the MPLS network. Always.

And who said tunneling protocols aren't fun :-)

--
= bep
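Sam's point is worth seeing with numbers, because it explains both the "large hop" in the thread's subject and why every hop inside the core reports the same value. The following is an added example, not code from the thread: a toy traceroute model in which the ICMP time exceeded raised at a label-switching router is carried to the end of the LSP before it is routed back, compared with a core that does not propagate the IP TTL at all. Hop names and per-link one-way delays are constructed for illustration.

```python
"""Added example, not from the thread: a toy model of traceroute through an
MPLS core. With TTL propagation, a reply raised at any LSR is label-switched
to the LSP egress before being routed back, so every LSR reports the egress
round-trip time. Hop names and link delays are constructed."""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    link_ms: float   # one-way delay of the link arriving at this hop
    in_lsp: bool     # True for routers that label-switch the reply onward


# Constructed path: customer edge, ingress PE, two P routers, egress PE, far end.
SAMPLE_PATH = [
    Hop("customer-edge", 1.0, False),
    Hop("pe-ingress", 2.0, False),
    Hop("p1", 10.0, True),
    Hop("p2", 10.0, True),
    Hop("pe-egress", 10.0, True),
    Hop("far-end", 3.0, False),
]


def one_way_to(path, index):
    """Cumulative one-way delay from the prober to path[index]."""
    return sum(h.link_ms for h in path[: index + 1])


def lsp_egress_index(path):
    return max((i for i, h in enumerate(path) if h.in_lsp), default=None)


def traceroute_rtts(path):
    """(hop name, reported RTT in ms) per hop with TTL propagation enabled."""
    egress = lsp_egress_index(path)
    rows = []
    for i, hop in enumerate(path):
        probe = one_way_to(path, i)
        if hop.in_lsp:
            # The reply rides the LSP to its egress, then is routed back from
            # there; the return path is assumed symmetric to the forward one.
            to_egress = one_way_to(path, egress) - probe
            reply = to_egress + one_way_to(path, egress)
        else:
            reply = probe   # symmetric return outside the LSP
        rows.append((hop.name, round(probe + reply, 1)))
    return rows


def traceroute_without_ttl_propagation(path):
    """Same path when the core does not copy the IP TTL into the label: the P
    routers never expire the probe, so only non-LSP hops and the egress answer."""
    egress = lsp_egress_index(path)
    rows = []
    for i, hop in enumerate(path):
        if hop.in_lsp and i != egress:
            continue
        rows.append((hop.name, round(2 * one_way_to(path, i), 1)))
    return rows


if __name__ == "__main__":
    print("TTL propagated:   ", traceroute_rtts(SAMPLE_PATH))
    print("TTL not propagated:", traceroute_without_ttl_propagation(SAMPLE_PATH))
```

With the constructed delays the reported RTT jumps from 6 ms at the ingress PE to 66 ms at the first P router and stays at 66 ms for every hop in the core, even though the probe itself only took 13 ms to reach p1. Hiding the core (no TTL propagation) removes the flat run of identical hops but not the jump, which simply moves to the egress PE.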
nanog@nanog.org
Paul Ferguson wrote:
> No idea -- maybe just a hiccup?

No, the outage is real and affecting network and systems for internal and
external services.

--
= bep